Social engineering is the new malware.
In 2015 this type of attack, in which tricking a person into acting replaces an automated exploit, became the most common attack technique online.
The findings, published in security firm Proofpoint's annual Human Factor 2016 report, also describe the three roles attackers push unsuspecting people into.
The first, enablers, uses a variety of ruses to get past technical controls by convincing people to disable or ignore security warnings, click links, open documents, or download files that install malware on laptops, tablets, and phones.
The second, facilitators, persuades people to hand over credentials such as usernames and passwords.
The last, gofers, gets users to transfer funds or goods directly to the attacker by making the request look like a normal part of their job.
As part of the report, Proofpoint compiled a list of the nine biggest cyber security trends, with defensive recommendations for reducing the chance of falling victim to such attacks.
Here they are.
1. People are replacing automated exploits as attackers’ preferred entry tactic
In 2015 attackers overwhelmingly infected computers by tricking people into doing it themselves instead of using automated exploits.
99.7% of documents used in attachment-based campaigns relied on social engineering and macros rather than automated exploits. 98% of URLs in malicious messages linked to hosted malware, either a bare executable or an executable inside an archive. Hosted malicious archives and executables require tricking the user into infecting themselves by double-clicking the malware.
Recommendation: Defenses must adapt to detect and stop attacks that do not depend on automated exploits to carry out infections. From detecting obscured code embedded in a document to URLs that link to phishing sites, advanced threat solutions must be able to reduce opportunities for attackers to exploit people.
2. Dridex banking Trojan campaigns were the dominant attack vector, and they made people central to the infection chain
Banking Trojans were the most popular type of malicious document attachment payload, accounting for 74% of all payloads. Dridex message volume was almost 10 times greater than the next most-used payload in such attacks. The documents themselves used malicious macros extensively and relied on social engineering to trick the user into running the code to infect their computer.
Recommendation: Organizations must apply defenses that can identify campaigns as they occur and connect them to threat actors, leveraging intelligence about known and new techniques and payloads to both stop threats and improve incident response.
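Trends 1 and 2 both come down to two attachment shapes: an Office document carrying a VBA macro project, and an archive wrapping an executable the victim is expected to double-click. The following triage routine, added here as an illustration and not code from Proofpoint or the report, shows the minimum a gateway can check before any sandboxing: it looks inside the zip container that Office Open XML files and plain archives share, and it catches the double-extension trick (`scan.pdf.exe`). The extension lists and the sample attachments are constructed for the example; the `vbaProject.bin` member names are where OOXML really stores macros, but legacy binary `.doc`/`.xls` files are OLE containers and are not covered here (a tool such as oletools' `olevba` handles those).

```python
"""Attachment triage for the two delivery patterns the report describes:
Office documents carrying a VBA macro project, and archives that wrap an
executable the victim is expected to double-click. Standard library only."""
import io
import zipfile

# Extensions Windows will execute on double-click. Assumed list for this example.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk"}
# Innocent-looking extensions used as the middle part of a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Zip members that exist in an Office Open XML file only when it embeds VBA.
MACRO_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_attachment(filename, data):
    """Return a list of human-readable flags for one attachment; [] means nothing matched."""
    flags = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        flags.append(f"executable attachment (.{ext})")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            flags.append("double extension disguises an executable as a document")
    if data[:2] == b"PK":  # zip container: both OOXML documents and plain archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return flags + ["truncated or corrupt zip container"]
        macros = sorted(MACRO_MEMBERS.intersection(members))
        if macros:
            flags.append(f"VBA project embedded in Office document: {macros}")
        wrapped = [m for m in members if _ext(m) in EXECUTABLE_EXTS]
        if wrapped:
            flags.append(f"archive wraps executable(s): {wrapped}")
    return flags


def _zip_bytes(members):
    """Build an in-memory zip from {member name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for real attachments; the "PE" and "VBA"
# payloads are just bytes with the right magic numbers, not real code.
SAMPLES = {
    "report.docx": _zip_bytes({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "invoice.docm": _zip_bytes({"[Content_Types].xml": "<Types/>",
                                "word/document.xml": "<w:document/>",
                                "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake VBA project"}),
    "scan.zip": _zip_bytes({"scan_0423.pdf.exe": b"MZ\x90\x00 fake PE"}),
    "brochure.pdf": b"%PDF-1.4\n% nothing to see\n",
    "photo.jpg.scr": b"MZ\x90\x00 fake PE",
}


def triage_all(samples=SAMPLES):
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(f"{name:16} {'SUSPICIOUS' if flags else 'clean':10} {flags}")
```

Note that a macro-bearing document is not proof of malice on its own (plenty of finance departments live on macro-enabled spreadsheets); the point of a check this cheap is to route the attachment to detonation and to strip or hold it for external senders, which is where the report's "do not depend on automated exploits" advice lands in practice.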
3. Attackers timed email and social media campaigns to align with the times that people are most engaged
Having replaced exploits with human clicks, attackers optimized campaign delivery times to match the times when people click. Email messages were delivered at the start of the business day (9-10 a.m.) in the target regions. Social media spam posting times likewise mirrored the peak usage times for legitimate social media activity. Even so, there was no time of day or day of week when malicious content was not being sent to people – or being clicked by them.
Recommendation: Advanced threat defense must be able to protect people around the clock, wherever they may be working, while also providing effective protection at peak usage times, when malicious messages are most likely to blend in with legitimate email traffic and social media activity.
4. People willingly downloaded more than 2 billion mobile apps that steal their personal data
Attackers used social media threats and mobile apps, not just email, to trick users into infecting their own systems. One in five clicks on malicious URLs occurred off the corporate network, many of them from social media and mobile apps. These are no longer corner cases but real-world threats: Proofpoint's analysis of authorized Android app stores discovered more than 12,000 malicious mobile apps – apps capable of stealing information, creating backdoors, and other functions – accounting for more than 2 billion downloads.
Recommendation: Organizations must adopt solutions capable of protecting across all vectors that target users: email, social media, and mobile.
5. URLs linking to credential phishing pages were almost 3 times more common than links to pages hosting malware
Our researchers found that on average 74% of URLs used in phishing campaigns linked to credential phishing pages, rather than to sites hosting malware. In URL-based campaigns, attackers link to pages designed to entice people to provide their logins and other personal information. In effect, the victim does the work of keyloggers and other automated malware designed to steal this information.
Recommendation: Dynamic analysis and predictive analytics are essential to identifying phishing pages, and organizations must combine these capabilities with real-time detection of clicks showing that an employee followed a link and potentially put both their own and the company's data at risk.
6. Accounts used to share files and images – such as Google Drive, Adobe, and Dropbox – are the most effective lures for credential theft
Google Drive phishing links were the most clicked credential-phishing lures. Using these brands can trick the user into clicking, especially if the victim receives the message from someone in their contacts list. This is because these services are familiar, and the user is accustomed to the click-to-sign-in action required to view shared content.
Recommendation: While an important tool, user education cannot be the last line of defense: organizations should deploy automated defenses capable of detecting and blocking threats that do not look or behave like previously known threats.
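Trends 5 and 6 describe the same lure from two sides: a link that borrows a file-sharing brand's name and click-to-sign-in flow while the page actually lives somewhere else. The routine below, an added example and not Proofpoint's code, scores a hyperlink on what the victim sees (the anchor text) and on every URL component a brand name can be stuffed into (subdomain labels, userinfo before `@`, percent-encoded path), and compares that against where the link really resolves. The brand-to-domain mapping, the login keywords and the sample links are constructed for the example; the two-label `registrable_domain` heuristic is deliberately simple and a real deployment should use the Public Suffix List (for instance via the tldextract package) so that `evil.co.uk` is not reduced to `co.uk`.

```python
"""Flag links that borrow a file-sharing brand's name while pointing somewhere
else: the credential-phishing pattern behind trends 5 and 6. Standard library only."""
from urllib.parse import urlparse, unquote

# Brand token -> registrable domains the brand really serves sign-in and sharing from.
# Assumed mapping for this example; maintain it from the vendor's own documentation.
BRAND_DOMAINS = {
    "google": {"google.com", "googleusercontent.com"},
    "dropbox": {"dropbox.com"},
    "adobe": {"adobe.com"},
}
LOGIN_HINTS = ("login", "signin", "sign-in", "verify", "auth", "password")


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com-style TLDs only; use the
    Public Suffix List (e.g. tldextract) in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url, link_text=""):
    """Return flags for one hyperlink; [] means nothing matched."""
    flags = []
    p = urlparse(url)
    host = p.hostname or ""          # hostname already strips userinfo and port
    reg = registrable_domain(host)
    # Everything the victim sees plus every URL component a brand name can be stuffed into.
    visible = " ".join([link_text, p.netloc, unquote(p.path), unquote(p.query)]).lower()
    for token, domains in BRAND_DOMAINS.items():
        if token in visible and reg not in domains:
            flags.append(f"claims {token} but actually points at {reg}")
    if p.username is not None:
        flags.append(f"userinfo '{p.username}' before @ hides the real host {host}")
    if host.replace(".", "").isdigit():
        flags.append("bare IP address instead of a hostname")
    if p.scheme == "http" and any(h in p.path.lower() for h in LOGIN_HINTS):
        flags.append("login-style page served over plain http")
    return flags


# Constructed links (url, visible anchor text) as they might appear in a lure e-mail.
SAMPLE_LINKS = [
    ("https://drive.google.com/file/d/1AbC/view", "Open document"),
    ("https://www.dropbox.com/s/9f8e7d/Q1-report.pdf", "Q1-report.pdf"),
    ("https://drive.google.com.evil.example/login", "View shared file"),
    ("https://drive.google.com@evil.example/", "drive.google.com"),
    ("http://203.0.113.9/%67oogle/drive/signin.php", "Google Drive"),
    ("https://files.evil.example/open?doc=42", "Adobe Document Cloud"),
]


def scan_links(links=SAMPLE_LINKS):
    return {url: analyse_link(url, text) for url, text in links}


if __name__ == "__main__":
    for url, flags in scan_links().items():
        print(f"{'PHISH?' if flags else 'ok    '} {url}  {flags}")
```

The check on `p.hostname` rather than `p.netloc` matters: `https://drive.google.com@evil.example/` renders the brand in the status bar of many clients, but the browser connects to `evil.example`, and `urlparse` reports exactly that split. A static check like this is the "detect at click time" layer; it cannot see a phishing page hosted on a legitimate but compromised domain, which is why the recommendation above pairs it with dynamic analysis of the destination.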
7. Phishing is 10 times more common than malware in social media posts
The ease of creating fraudulent social media accounts for known brands drives a clear preference for phishing in social media-based attacks. Distinguishing fraudulent social media accounts from legitimate ones is difficult: we found that 40% of Facebook accounts and 20% of Twitter accounts claiming to represent a Fortune 100 brand are unauthorized, and for Fortune 100 companies unauthorized accounts on both Facebook and Twitter make up 55% and 25% of accounts, respectively. It's no wonder then that we have seen the rise of fraudulent customer service account phishing, which uses social engineering to trick users into divulging personal information and logins.
Recommendation: A comprehensive approach to advanced threat defense must include the ability to detect brand risk and protect users on a range of social media channels.
8. Dangerous mobile apps from rogue marketplaces affect two out of five enterprises
Our researchers identified rogue app stores from which users could download malicious apps onto iOS devices – even devices that are not "jailbroken," that is, not modified to run apps not offered through Apple's iTunes store. Lured in by "free" clones of popular games and banned apps, users who download apps from rogue marketplaces – bypassing multiple security warnings in the process – are four times more likely to download a malicious app. These apps can steal personal information, passwords, or other data. 40% of large enterprises sampled by Proofpoint TAP Mobile Defense researchers had malicious apps from DarkSideLoader marketplaces – that is, rogue app stores – present on their employees' devices.
Recommendation: Enterprises must have the ability to assess non-intrusively the mobile apps running on their employees’ phones and tablets and identify apps that pose a risk to the data of the individual or the organization.
9. Low-volume campaigns of highly targeted phishing emails focused on one or two individuals within an organization to transfer funds directly to attackers
Highly targeted phishing messages to people with access to wire transfers struck organizations of every size across all industries. Often called “wire transfer phishing” or “CEO phishing,” these scams involve deep background research by the attackers. These emails have spoofed senders so they appear to be from the CEO, CFO, or other executive; they rarely have links or attachments; and they include urgent instructions to the recipient to transfer funds to a designated account.
Recommendation: To stop this threat, organizations must employ a combination of technology solutions and procedural controls. They need an email gateway that supports advanced configuration options for flagging suspicious messages based on attributes (such as message direction and Subject line) and on email authentication results (SPF, DKIM and DMARC). Because these messages carry no malicious link or attachment, payload scanning alone will not catch them, and authentication only proves that a message came from the domain it claims, not that a lookalike domain is honest; the procedural control that closes the gap is verifying any request to move funds or change payment details out of band, through a known phone number rather than by replying to the email.
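The gateway rules described above, as an added example that is not Proofpoint's code: it parses a raw message with Python's standard `email` package, reduces the `Authentication-Results` header to its SPF/DKIM/DMARC verdicts, and combines those with the attributes the recommendation names (message direction, Subject line) plus two signals specific to executive impersonation: a display name matching a known executive on a foreign address, and a `Reply-To` that diverts the conversation elsewhere. The executive roster, internal domain list, urgency vocabulary, hold threshold and sample messages are all constructed for the example.

```python
"""Heuristics for wire-transfer / CEO phishing at the mail gateway.
Standard library only; parses raw RFC 5322 text with email.policy.default."""
import email
from email import policy

# Assumed organisation data: executives attackers would impersonate, the domains we
# treat as internal, and words typical of wire-fraud subject lines.
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
INTERNAL_DOMAINS = {"example.com"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "payment", "immediately", "confidential")


def auth_results(msg):
    """Reduce Authentication-Results headers to {'spf': 'pass', 'dkim': 'none', ...}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause 0 is the authserv-id
            method, sep, rest = clause.strip().partition("=")
            if sep and rest:
                out[method.strip().lower()] = rest.split()[0].lower()
    return out


def score_message(raw, direction="inbound"):
    """direction is what the gateway knows from the connection: 'inbound' or 'internal'."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    display = sender.display_name.strip().lower()
    known = EXECUTIVES.get(display)
    if known and sender.addr_spec.lower() != known:
        flags.append(f"display name impersonates {display} from {sender.addr_spec}")
    if direction == "inbound" and sender.domain.lower() in INTERNAL_DOMAINS:
        flags.append(f"inbound message carries internal From domain {sender.domain}")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and \
            reply_to.addresses[0].domain.lower() != sender.domain.lower():
        flags.append(f"Reply-To diverts replies to {reply_to.addresses[0].domain}")
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if len(hits) >= 2:  # one word alone ("invoice") would flag half of finance's mail
        flags.append(f"subject urgency words: {hits}")
    auth = auth_results(msg)
    if auth.get("dmarc") == "fail":
        flags.append("DMARC failed for the From domain")
    elif auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        flags.append("neither SPF nor DKIM passed")
    return {"flags": flags, "auth": auth, "verdict": "hold" if len(flags) >= 2 else "deliver"}


# Constructed messages: a lookalike-domain lure, a plain From-spoof, and a clean vendor mail.
MESSAGES = {
    "lookalike": (
        'From: "Jane Doe" <jane.doe@examp1e-mail.test>\n'
        "Reply-To: Jane Doe <ceo.jane.doe@webmail.test>\n"
        "To: accounts.payable@example.com\n"
        "Subject: Urgent wire transfer - confidential\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-mail.test;"
        " dkim=none; dmarc=none\n"
        "\n"
        "Are you at your desk? I need a payment sent today, details to follow.\n"
    ),
    "domain_spoof": (
        "From: Sam Lee <sam.lee@example.com>\n"
        "To: accounts.payable@example.com\n"
        "Subject: Payment to new supplier - urgent\n"
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
        " dkim=none; dmarc=fail header.from=example.com\n"
        "\n"
        "Please wire the attached amount before noon.\n"
    ),
    "vendor": (
        "From: Bob Vendor <bob@vendor.test>\n"
        "To: accounts.payable@example.com\n"
        "Subject: Meeting notes from Tuesday\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.test;"
        " dkim=pass header.d=vendor.test; dmarc=pass header.from=vendor.test\n"
        "\n"
        "Notes attached, thanks.\n"
    ),
}


def score_all(messages=MESSAGES):
    return {name: score_message(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, result in score_all().items():
        print(f"{name:13} {result['verdict']:8} {result['flags']}")
```

The two attack samples show why authentication alone is not the answer: the lookalike message passes SPF because the attacker controls `examp1e-mail.test`, and it is the display-name and Reply-To checks that hold it, while the direct spoof of `example.com` fails DMARC but would sail through a gateway that only looked at authentication if the target's own domain had no DMARC policy.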