Archive for category: Blog

It’s not the user’s job to provide phishing protection for your company

Finally, we have a blog from a reputable source (the UK’s NCSC) stating the true facts about users clicking on links.

“Users frequently need to click on links from unfamiliar domains to do their job and being able to spot a phish is not their job.” That is so true.

No matter how much cyber awareness training we have had or how regular it’s reinforced, most of us are time pressed, caught unawares and will click on something that merits a further look. Even the links that are scrutinised to the nth degree can hide something malicious. The best browser security solutions recognize this fact.

See below – Can you tell me which is the malicious one? Hovering over the links – both look like they point to the Computer Associates site. But clicking on the wrong one will place you at risk of being infected.

Spoiler alert: It’s the first one. Even on hover over it looks like it will take you to the genuine site. It won’t and that’s because the destination domain name’s characters are not ASCII and are Cyrillic. Humans would be hard pressed to tell them apart. The browser knows they are not the same domain and hence will take you where you did not intend to go. Good luck trying to avoid that.

Though not entirely obvious from the NCSC’s blog post, it is worth mentioning those malicious links crop up not just in emails, they can be shared over Linkedin, Slack, social media, adverts hosted on highly popular content. All the places targets are likely to access to do their jobs.

Remember for an attack to work, as pointed out in NCSC’s blog, they only need one person to click on the link in whatever form it took: Office365, Zendesk, Slack, Salesforce etc. Whatever applications your staff need to work with, the links they access can harbour a huge risk to your company.

How does ConcealBrowse take over the responsibility for phishing security?

We at Conceal looked at this problem and produced a novel solution: ConcealBrowse. It’s a browser extension that converts your browser into a secure browser. We made the same assumption as the NCSC at the outset of formulating our solution, that users will follow their noses and click to follow content as they need to, not always mindful of where that may take them.

ConcealBrowse takes away the implicit trust and makes the decision to isolate anything being accessed via any application that is known bad or unknown. For example, short links, QR codes and IP addresses which reveal nothing about where they will eventually take you. Misspelled domain names like shown above or subdomains of more trusted domains

Why does it protect you when you are using other applications like Slack, etc.? Quite simply these applications will connect the user to the Internet using the default browser. The ConcealBrowse extension is engaged. When opened with our dynamic remote browser isolation, the user can still work with the web site. The users simply see a rendering of the website as if the web page had opened locally. It has not. It has been opened in the cloud, air-gapped from the user.

Entering credentials into phishing pages and attempting to download malicious files are blocked and thus the risk from users having to access content has been managed. To be honest, most web pages that users visit have no need to be isolated – so they are not. ConcealBrowse makes the decision as to whether to isolate based on its gathered intelligence and threat intelligence feeds you may have access to. Because of this, 99% of web pages are not isolated. The experience to the user is seamless. The ConcealBrowse solution is completely independent of any other security controls and works with all common operating systems and virtual desktop environments.

You, too, can enjoy the benefits of zero trust browser protection. Just click here to sign up for a free ConcealBrowse account.

DarkReading recently summarized a Fortinet analysis of three new ransomware variants that were added to the exponentially growing list that pose a threat to businesses of all sizes. The report analyzed three new ransomware tools new in 2022: Vohuk, ScareCrow, and AESRT. While none of them introduced anything new or novel, they nevertheless contributed to the growing financial cost and reputational harm that is the hallmark of the ongoing ransomware plague.   

The first, Vohuk, has primarily targeted users in Germany and India, according to Fortinet. The ransomware encrypts the user’s data and replaces their desktop background with a message pointing them to a readme.txt file. That file contains instructions for submitting a payment to unlock the data via an email message.

ScareCrow similarly encrypts user data and provides instructions in a readme file, but in this case, the contact link is via Telegram channels. This ransomware family targets users around the world, and appears to have similarities to – and substantial improvements on – the Conti ransomware that was reportedly leaked earlier this year.

The AESRT ransomware variant does essentially the same thing, but provides data-unlocking instructions via a popup menu. The similarity between each of these unrelated ransomware families is evidence that attackers have found a formula that works and is repeatable.

How can remote browser isolation and phishing protection protect your workforce?

This research doesn’t address the methods that are being used with these specific malware families, but does note that phishing is the most-used delivery vector for ransomware in general. We’ve discussed several social engineering techniques in previous Threat Alerts that are used to abuse users’ trust and get them to visit malicious sites. These types of attacks almost always take place in the browser. So, while browser-based protection isn’t a silver bullet to block every possible delivery vector, it does address the most common and the one that is best for social engineering attacks.

ConcealBrowse can play a key role in any company’s anti-ransomware security posture. With more and more of each employee’s work taking place in the browser, moving zero-trust principles to the edge of your network can have a massive impact on your organization’s overall security. While ConcealBrowse can play a key role on machines within your network, it also provides an easy-to-manage and affordable option to deploy to every member of your distributed workforce. Because ConcealBrowse works at the endpoint, it can protect your assets even from threats to devices connecting to your network and services remotely.

If you’re interested in finding out more about how ConcealBrowse can protect your organization from malware, click here to schedule a demo today.

Krebs on Security recently reported on a financial crimes group that calls itself “Disneyland Team” using a relatively uncommon phishing technique. The technique relies on a little-known feature built into most web browsers that renders domain names with non-Latin characters. Called Punycode, the feature takes a URL that uses special character strings and renders it using non-Latin characters.

The upshot is that attackers can register domain names that contain these special strings and the browser will render them in a way that can be used to deceive. All major web browsers will render these URLs with the associated characters, many of which closely resemble Latin ones. One domain used by the Disneyland Team attackers – https://xn--clientchwb-zxd5678f[.]com – will be rendered as cliẹntșchwab[.]com, which closely resembles a legitimate Charles Schwab client portal. Clicking on a link to that URL will present the user with a page that appears to be legitimate, down to the appearance of the URL if the user is attempting to use the techniques taught in standard phishing protection training.

Remote Browser Isolation and Phishing Protection to the Rescue

While this technique varies slightly from others we’ve previously posted on, at its core it still preys on users’ inherent trust of the brands and businesses they interact with every day. It’s especially dangerous, however, because it renders ineffective one of the key phishing protection measures that many users are taught: Checking the URL bar or hovering over a link to see the true URL it points at to verify that it’s legitimate. As in the case of the Charles Schwab example above, the differences between the legitimate domain and the exploitative one can be as small as a tiny dot below one of the characters.

These are the type of user trust attacks that ConcealBrowse defeats. Instead of allowing users to make decisions based on their own trust and ability to spot suspicious sites, ConcealBrowse relies on advanced phishing identification and an intelligence-fed decision engine to identify and block these attacks.

ConcealBrowse stops these deceptive domains from tricking users two ways. First, if the site contains logos for the brands the attackers are attempting to subvert, ConcealBrowse will identify the logo using AI algorithms and recognize that the domain is not legitimately tied to the company represented by the logo, blocking the user from entering their credentials. Second, if the site is not being used for phishing the URL is identified by the ConcealBrowse decision engine and opened in a remote browser isolation session. This allows users to continue to interact with the site while their identity is hidden, and all code is executed on a throw-away isolated browser instance in the cloud where it can’t affect your network. 

The Best Browser Security is Zero Trust at the Edge

Let us show you how ConcealBrowse can stop attacks that abuse users’ trust. Schedule a demo today and we’ll walk you through how your business can be protected from attacks like this one.

Another week, another piece of credential-stealing malware abusing trust to infect devices via the browser. Just before Thanksgiving, cybersecurity solution provider, Sekoia released a report on a recently discovered piece of malware dubbed “Aurora” by its developer. According to the report, Aurora is advertised as a malware-as-a-service that can be hired to steal credentials for cryptocurrency wallets and sensitive websites. Criminal groups wasted no time in developing social engineering and phishing approaches to distribute the malware.

While Aurora itself does not contain a delivery vector, enterprising criminal groups have put together at least one very professional-looking website designed to mimic the Exodus Wallet website and lure victims into downloading the malware with the promise of a crypto reward. Another delivery vector used by at least one group is YouTube videos posted on compromised accounts on how to download cracked software, and then providing a link to Aurora malware on a legitimate file-sharing platform. In both cases, the Aurora software then immediately connects to a C2 server allowing the attacker to steal data from the victim.

 How can you stop this abuse of trust?

The criminals who developed the social engineering pathways to move users to download the Aurora malware utilize interesting tricks to deceive users into downloading the malware. In the case of the Exodus wallet, the phishing page is built to target one of the more lucrative use cases for Aurora: its ability to steal crypto wallets. The “cracked software” infection chain targets individuals who are already showing an elevated risk tolerance by searching for information on cracked software in the first place, as such sites are notoriously prone to malware.

We have previously discussed a case where the social engineering aspect of the attack was designed to target an audience with a specific set of characteristics. In that case, Dropbox engineers were fooled into providing their GitHub credentials by an attacker that was savvy enough to know about a specific tool. By masquerading as that tool, the engineers lowered their guard and provided their credentials to the site.

In all these cases, clever attackers identified specific characteristics of their prime targets and crafted attack chains that appealed to the very characteristics they were targeting. This type of social engineering regularly overcomes the mistrust that security awareness training attempts to instill in users. No matter how good an awareness program is, it is vital to provide a software-enforced zero-trust barrier between users and the Internet.

How can a user’s trust be made irrelevant? 

ConcealBrowse is one option for ensuring that no matter how good a social engineering technique is, and no matter how real a phishing website looks, a user’s decisions and actions cannot result in a successful attack on your organization’s network. ConcealBrowse works silently in the background, checking every website, app, and resource loaded in your browser to determine if it is safe, risky, or malicious. ConcealBrowse then takes the necessary steps to make sure your organization remains secure. 

Set up a call with us today to find out how ConcealBrowse can keep your organization safe from phishing, ransomware, and all other types of malware delivered through the browser.

Back in February, Mandiant reported on the discovery of a new piece of malware they called “BATLOADER”. The malware is delivered via malicious web sites that are disguised as download sites for legitimate consumer software. To increase the reach of the web sites, the attackers utilized search advertising to drive users who were looking to download certain types of software. A recent blog post by researchers at VMWare Carbon Black indicates that the tool continues to be widely distributed.

The tool can be used to deliver several different payloads and is structured so that the early stages of an attack are difficult to detect by traditional means. Once the loader is executed on a system, it utilizes built-in operating system tools to establish itself without creating an easily detectable signature. In other words, it’s extremely important to stop this malware and the web sites that distribute it before it is executed on a targeted machine, because it is unlikely to be detected during the initial stages of infection.

Unlike some malware that takes advantage of zero-day vulnerabilities to compromise a system without user interaction, BATLOADER requires the user to download and execute the malicious file. The attackers use social engineering and misleading web sites to lead users to believe they are downloading legitimate software.

In one case documented in the Mandiant report, the attackers posted a question in a forum asking where to find a copy of Microsoft Visual Studio 2015. The actor then used a second forum account to post a link to one of their malware delivery pages as the “only” location the downloader could be found. While the page linked from the forum post was made to look like a typical download site and the file had a legitimate-sounding name, the installer instead loaded the malware onto the user’s system.

This attack abuses user trust at several levels. First, by posing as legitimate software in paid advertising and in forum conversations, users may view the source as legitimate. Next, once they click on the links that are posted in seemingly legitimate places like Google search results, the files they download have names of legitimate software, making it more likely users will run them.

Fortunately, ConcealBrowse protects against this attack by making decisions about what to load and how to load it based on facts and data, not on trust. Regardless of where a user might come across the links used by the attackers behind BATLOADER – whether a forum they trust or Google search results – ConcealBrowse scans every URL and opens risky sites in a protected cloud environment, not on a user’s device. This prevents sites from automatically downloading files to the user’s machine and ensures that any files downloaded in the protected environment are scanned and, if necessary, blocked before they ever enter your network.

Because the file never makes it onto the user’s machine, the attack is stopped before it can start. This means that the malware never enters your organization’s network, and your cyber security teams never have to track down and remove the malware, repair damaged systems, or deal with lost data.

Click here to try ConcealBrowse today.