grandeduc - stock.adobe.com
Cyber attacks are increasingly targeting people within organisations rather than technology, the latest report from security firm Proofpoint reveals.
These attacks cannot be mitigated by software security updates because they are aimed at tricking employees into doing things to aid the attackers using various forms of social engineering, according to the Protecting people report based on the analysis of data gathered from customer deployments in the second quarter of 2018.
The study involved the analysis of more than 600 million emails, seven million mobile apps, and hundreds of thousands of social media accounts.
The report states that “human nature is the ultimate vulnerability” and that protecting against today’s cyber threats starts with knowing who in an organisation is being attacked and why they might be targeted, which includes knowing their roles, what data they might have access to and their potential exposure.
The key finding of the data analysis is that individual contributors and lower-level management account for about 60% of highly targeted malware and credential phishing attacks. Workers in operations and production functions are the most exposed, representing 23% of highly targeted malware and credential phishing attacks. Management was the second-most exposed job function. Following closely by the R&D and engineering departments.
But executives and upper-level managers, which are a smaller proportion of the total workforce, received a disproportionately large share of attacks.
Protecting people also means understanding how they’re being attacked. This includes the volume of attacks, who is attacking, and what techniques and tools they use.
Email fraud attacks
The report shows the number of email fraud attacks per targeted company rose 85%, compared with the second quarter of 2017, while phishing links sent through social media shot up 30%. The spike reversed months of decline as attackers found ways around automated remediation tools put in place by platforms like Twitter, Facebook and Instagram.
The report also identified a rebound in ransomware, which accounted for nearly 11% of all malicious emails. However, most malware was aimed at stealing money from online banking applications (42%), followed by malicious downloaders (25%) and credential stealers (17%).
The data shows that email fraudsters use a range of techniques to trick recipients into opening the email and acting on it. These include subject lines, spoofing trusted senders and choosing the right targets.
In the second quarter, the report said there was a spate of attacks in which the attacker referenced a file or document, but otherwise, the subject lines appeared at roughly the same ratios as in previous quarters, with scams using the words “payment” or “request” in the subject line remaining the most popular.
Nearly two-thirds of targeted companies saw some level of abuse of their domains. This includes fraudsters sending attacks that spoofed the recipient’s own employer.
No matter what other tactics they use, the report said most attackers spoof the sender display name in fraudulent emails. In display name spoofing, the attacker uses a familiar name and email address to gain the recipient’s trust.
Email authentication technologies
At the same time, the report said domain spoofing appears to be falling as more companies deploy email authentication technologies such as domain-based message authentication, reporting and conformance (Dmarc).
“The display name is the easiest email identifier to spoof and the most visible to recipients. It’s easy to see why most email fraud attacks spoof the display name, even when they’re not spoofing the email domain,” the report said.
Both types of spoofing are used in CEO fraud, which is becoming increasingly popular, according to other recent reports by security suppliers. There was an 80% increase in the number of CEO fraud attacks in the second quarter of 2018 compared with the first quarter, according to a recent report by email management firm Mimecast, while a report from Barracuda Networks shows that tricking recipients into transferring money into accounts controlled by cyber criminals is the top objective of such attacks.
On social media, the report said customer support fraud (angler phishing) rose sharply. Angler phishing occurs when an attacker creates a social media account designed to mimic customer support accounts of trusted brands. When a customer asks for help on social media, the attacker sweeps in using the fake customer-support account, sending the customer to a fake login site to steal credentials or asking for the credentials directly.
Read more about social engineering
The number of fake support accounts targeting Poofpoint’s global customer base rose 37% from the previous quarter, while the number of phishing links sent through these accounts rose 30%.
People-centred threats require a people-centred approach to keeping them safe, the report said, recommending that organisations:
- Adopt a people-centred security posture by gaining visibility into who is being attacked and how, and then consider how to reduce the individual risk of each user.
- Train users to spot and report malicious email using simulationts that mimic real-world attack techniques.
- Assume users will click some threats and implement a system that blocks inbound email threats before they reach employees.
- Build a robust email fraud defence capability with a system that can manage email based on custom quarantine and blocking policies.
- Protect your brand reputation and customers by deploying a system that scans all social networks and reports fraudulent activity.
- Partner with an threat intelligence supplier to combine static and dynamic techniques to detect new attacks tools, tactics and targets.