Q2 2019 Security Update: It May Be Time to Revise Cybersecurity Best Practices

Malicious URL identification, cryptojacking blocking, and blacklisting processes may need a refresh based on new attack strategies.

If you started the year thinking you had a pretty good handle on the cyberthreat landscape and that you are advising your clients on the most up-to-date cybersecurity best practices, it may now be time to think again.

Tyler Moffitt, Senior Threat Research Analyst for Webroot, shares data from the 2019 Webroot Threat Report, and provides recommendations on how to keep your clients and businesses secure in the evolving cybersecurity landscape.

40 percent of malicious URLs are on good domains

Phishing continues to be a prevalent form of attack. Cybercriminals know if they can deceive a user into making a mistake, they can gain access to information such as account credentials and monetizable data.

You’ve probably advised your clients that a cybersecurity best practice is to check the domain of an email or a link to make sure it matches the company the sender claims to be affiliated with. “It’s a mental check a lot of people have,” says Moffitt. “But criminals know that.” He says it’s become common for bad actors to compromise a subdomain or a page of a legitimate website. The link looks fine, so people who are accustomed to checking the URL may still click.

Action Items:

  • Advise users to bookmark the sites they use to make payments, update accounts, and so on. If they receive a request for information that they believe is legitimate, they should reach the site through the bookmark rather than by clicking the link in the email.
  • Don’t rely on a search engine to give you a safe click. Cybercriminals can pay to place their phishing sites among the “promoted” results at the top of the page.
  • Implement a real-time antiphishing solution that automatically blocks malicious sites for users who click anyway.
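To make the "check the domain" problem concrete, here is an added example (not code from the article or from Webroot) that runs the mental check users are taught, a stricter parsed-host check, and the bookmark rule from the action items over a few constructed links. The bank name, the attacker's host and the bookmark list are hypothetical, and the registrable-domain helper is simplified to the last two labels (real code needs the Public Suffix List). The point it shows: both URL checks accept a phishing page hosted on a compromised subdomain of the real site, which is exactly why the advice is to navigate by bookmark rather than by the emailed link.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample links, as a mail client would present them. The bank
# and the attacker's host are hypothetical names.
LINKS = {
    "legit":       "https://www.example-bank.com/login",
    # page planted on a compromised subdomain of the real site
    "compromised": "https://promo.example-bank.com/wp-content/uploads/x/login.html",
    # lookalike: the real name is only a prefix of the attacker's host
    "lookalike":   "https://example-bank.com.secure-login.example/login",
    # userinfo trick: everything before '@' is a username, not the host
    "userinfo":    "https://example-bank.com@secure-login.example/login",
}

# Hypothetical per-user bookmark list: registrable domain -> URL the user
# typed in themselves.
BOOKMARKS: Dict[str, str] = {"example-bank.com": "https://www.example-bank.com/"}


def naive_check(url: str, company_domain: str) -> bool:
    """The mental check users are taught: does the company's domain appear
    anywhere in the link? Passes every sample above, including the fakes."""
    return company_domain in url


def registrable_domain(url: str) -> str:
    """Registrable domain of the URL's parsed host. Simplified to the last
    two labels; production code needs the Public Suffix List (e.g. co.uk)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_check(url: str, company_domain: str) -> bool:
    """Stricter: compare the parsed host's registrable domain. Catches the
    lookalike and userinfo tricks, but still accepts the compromised page."""
    return registrable_domain(url) == company_domain


def destination_via_bookmark(url: str, bookmarks: Dict[str, str]) -> Optional[str]:
    """The action item: never open the emailed URL itself. If the link's
    registrable domain is bookmarked, return the bookmark to open instead;
    otherwise return None (do not click)."""
    return bookmarks.get(registrable_domain(url))


if __name__ == "__main__":
    for name, url in LINKS.items():
        print(f"{name:12} naive={naive_check(url, 'example-bank.com')!s:5} "
              f"domain={domain_check(url, 'example-bank.com')!s:5} "
              f"open={destination_via_bookmark(url, BOOKMARKS)}")
```

Run as-is it prints one row per link: the naive check says True for all four, the parsed-domain check rejects the lookalike and userinfo forms, and the compromised page is only defused because the user is sent to the bookmarked front door rather than to the link's path.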

Lock Down Data in the Cloud

It’s also important to make users aware of which companies are most often impersonated in phishing attacks. In addition to payment companies and banks, criminals are after login credentials for cloud storage. The most impersonated companies, and the share of phishing attempts that use them, are:

  • Google, 15.6 percent
  • Microsoft, 10 percent
  • Dropbox, 9.8 percent

Moffitt explains that if cybercriminals get access to a corporate Dropbox or cloud drive, they stand to get a much better return on their effort through access to things like clients’ payment accounts, employees’ Social Security numbers, and valuable, mission-critical data.

Moffitt comments that this is one of the reasons technology service providers are targeted: if a criminal gets the login to your cloud, they may find a way into every one of your clients’ networks.

Action Items:

  • Make sure sensitive information is encrypted before it reaches the cloud, either inside an encrypted archive (use AES-based zip encryption; the legacy ZipCrypto scheme is weak) or by the storage service itself.
  • Update your own cybersecurity best practices to strictly limit who holds credentials to cloud storage accounts, and train those users not to share them.

Security Training is Effective

You probably know that educating users about phishing, malicious URLs, and other cyberattack tactics is important, but did you know the frequency of security awareness training can play a role in keeping your clients safe? Webroot data shows that when training on cybersecurity best practices is an annual or semi-annual event at a business or organization, 35 percent of users still click on suspicious links in a controlled exercise.

When businesses train users with phishing simulators once per month, the number drops by 70 percent.

Action Items:

  • Provide your clients with regular security awareness training.
  • Take advantage of resources such as the free trial of Webroot’s Security Awareness Training.

Operating System Can Play a Big Role in Security

Webroot also studied malware infections by Windows version, comparing Windows 7, Windows 8, and Windows 10. Their data shows that devices running Windows 10 have roughly half the infection rate of those running Windows 7.

Moffitt explains that Windows 10, which forces updates, is generally a safer OS than Windows 7. “People that were hit by the WannaCry and Petya outbreak weren’t patched. If you did the updates, you were safe. Windows 10 updates are on their terms, not yours,” he comments. “It’s clear that migrating to the latest OS is the most secure. It reduces the infection rate by 50 percent.”

Action Items:

  • Update your clients to the latest operating system.
  • Work through problems with incompatibility and BYOD environments to facilitate the update.

Browser Add-Ons Won’t be Effective at Blocking Cryptojacking

To protect an endpoint’s CPU from cryptojacking, users may have installed browser add-ons, but those tools only block known cryptojacking and cryptomining domains. Cybercriminals now host their mining scripts on arbitrary, frequently changed domains that the add-ons’ lists don’t contain.

Moffitt says cryptojacking and cryptomining, which use victims’ hardware and electricity to mine cryptocurrency for the attacker, require little to no investment from the criminal. As long as cryptocurrency is worth something, these attacks are likely to continue.

Action Items:

  • Static domain blocklists are reactive by nature. Implement a real-time threat intelligence solution that identifies and blocks obfuscated and newly seen cryptojacking domains.

Know Where Malware Likes to Hide

In this year’s threat report, Webroot included information on where malware most commonly attempts to install itself. The folders malware most often installs into, and the share of installs seen in each, are:

  • %appdata%, 29.4 percent
  • %temp%, 24.5 percent
  • %cache%, 17.5 percent

Action Items:

  • Consider monitoring, or blanket blacklisting, any executable launched from Temp or Cache folders.
  • Implement a real-time threat detection solution for your clients.
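As an added example (not from the article or any Webroot product), the following script applies the action item above to exported process-creation events: it maps the report’s three folder names to Windows path patterns, normalizes each image path before matching, and flags anything launched from them. The log format (timestamp,user,image), the sample events, and the reading of “%cache%” as the browser cache folders under the user’s local AppData are all assumptions made for the example; “%cache%” is not a standard Windows variable. Normalizing first matters: a raw substring match would miss mixed case and forward slashes and could be fooled by “..” traversal, both of which the sample lines exercise.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Folders from the report, as Windows path patterns. Matching is done on a
# normalized, lower-cased path, so the patterns are lower case.
# "%cache%" is assumed here to mean browser cache folders under Local AppData.
SUSPICIOUS_DIRS = [
    ("%appdata%", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\")),
    ("%temp%",    re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\")),
    ("%cache%",   re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\"
                             r"(microsoft\\windows\\inetcache|google\\chrome\\user data\\[^\\]+\\cache)\\")),
]


def normalize(path: str) -> str:
    """Canonical form for matching: strip quotes, collapse '.' and '..',
    turn '/' into '\\', lower-case. ntpath works on Windows paths from any OS."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def classify(path: str) -> Optional[str]:
    """Return the report's folder label if the image lives in a watched
    folder, else None."""
    norm = normalize(path)
    for label, pattern in SUSPICIOUS_DIRS:
        if pattern.match(norm):
            return label
    return None


def scan(log: str) -> List[Tuple[str, str, str, str]]:
    """Run classify() over 'timestamp,user,image' lines (an assumed export
    shape, not any real product's format). Returns (ts, user, label, path)."""
    findings = []
    for line in log.strip().splitlines():
        ts, user, image = line.split(",", 2)
        label = classify(image)
        if label:
            findings.append((ts, user, label, normalize(image)))
    return findings


# Constructed process-creation events for the example.
SAMPLE_LOG = r"""
2019-04-02T10:15:01Z,CORP\alice,C:\Program Files\Mozilla Firefox\firefox.exe
2019-04-02T10:15:07Z,CORP\alice,C:\Users\alice\AppData\Local\Temp\invoice_2291.pdf.exe
2019-04-02T10:16:12Z,CORP\bob,c:/users/bob/appdata/roaming/svchost.exe
2019-04-02T10:17:30Z,CORP\bob,C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\IE\A1B2C3\update.exe
2019-04-02T10:18:44Z,CORP\carol,C:\Users\carol\AppData\Local\Temp\..\..\..\..\..\Program Files\Git\bin\git.exe
"""

if __name__ == "__main__":
    for ts, user, label, path in scan(SAMPLE_LOG):
        print(f"{ts} {user:12} {label:10} {path}")
```

The last sample line starts under Temp but resolves to Program Files once the traversal is collapsed, so it is correctly not flagged; the Roaming and INetCache hits show why the report’s three folders are worth an alert even when the file name looks benign. The same match expressed as an application-control path rule is the blanket-block option the action item mentions; the script is the monitoring side.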

Malicious IP Addresses

Webroot also studied malicious IP addresses by geographic area and found that roughly 60 percent of all malicious IP addresses sit in just three countries:

  • China, 28 percent
  • US, 21 percent
  • Vietnam, 13 percent

Moffitt explains, however, that this list may be somewhat deceiving. Cybercriminals in other parts of the world know that companies may be blacklisting traffic from their countries. As a result, they use VPNs to route through servers in Vietnam, where aging infrastructure, older and less secure operating systems, and less stringent law enforcement make hosts easy to compromise, or in other locations.

Action Item:

  • Geographic blacklisting is a coarse filter at best. Keep it if it suits your clients, but rely on security solutions that detect attacks regardless of their origin.


For information and insights from Webroot’s study, download the 2019 Webroot Threat Report.

For more security news and insights, visit DevPro Journal’s Security resources page. 

Jay McCall

Jay McCall is an editor and journalist with 20 years of writing experience for B2B IT solution providers. Jay is co-founder of XaaS Journal and DevPro Journal.