James Thew - Fotolia
According to Proofpoint’s latest annual Human Factor report, attackers shifted away from automated exploits in 2015. Instead, attackers engaged people through email, social media and mobile apps to do the dirty work of infecting systems, stealing credentials and transferring funds.
Researchers found that machine exploits were replaced by human exploitation, with attackers opting for attachment-based social engineering campaigns rather than purchasing expensive technical exploit kits.
Across attacks of all sizes, threat actors used social engineering to trick people into doing things that once depended on malicious code.
Attackers typically use people as “enablers” by tricking them into ignoring or disabling security to install malware, and as “facilitators” by tricking people into handing over valuable system credentials.
Attackers also use people as “gofers”, in which victims are tricked into thinking they are following orders from higher-ups to make wire transfers to fraudulent bank accounts – or even redirect shipments of valuable goods.
The researchers found that 99.7% of documents used in attachment-based campaigns relied on social engineering and macros, rather than automated exploits. Some 98% of URLs in malicious messages link to hosted malware, either as an executable or an executable inside an archive.
Hosted malicious archive and executables files require tricking the user into infecting themselves by double-clicking on the malware.
Social media phishing
The ease of creating fraudulent social media accounts for known brands drives a clear preference for phishing in social media-based attacks, the report said.
Distinguishing fraudulent social media accounts from legitimate ones is difficult. Proofpoint researchers found 40% of Facebook accounts and 20% of Twitter accounts claiming to represent a Global 100 brand are unauthorised.
“It’s no wonder we have seen the rise of fraudulent customer service account phishing, which uses social engineering to trick users to divulge personal information and log-ins,” the report said.
Read more about social engineering
- Implement simple checks to reduce the risk of the main types of social engineering attacks.
- Social engineering scams are abundant – proper preparation and training are key to avoiding the danger.
- Expert warns attackers are starting to use increasingly sophisticated ways to get people in organisations to help them circumvent security controls.
The report said that defences must adapt to detect and stop attacks that do not depend on automated exploits to carry out infections. It recommends building capacity to detect obscured code embedded in a document and URLs that link to phishing sites.
“Dynamic analysis and predictive analytics are essential to identifying phishing pages. Organisations must combine these capabilities with real-time detection of clicks that showed an employee followed a link and potentially put both their and the company’s data at risk,” the report said.
Researchers found that dangerous mobile apps from rogue marketplaces affect two out of five enterprises.
Lured in by “free” clones of popular games and banned apps, users who download apps from rogue marketplaces – and bypass multiple security warnings in the process – are four times more likely to download an app designed to steal personal information, passwords or data.
Researchers found 40% of large enterprises sampled had malicious apps sourced from rogue app stores.
Proofpoint analysis of authorised Android app stores discovered more than 12,000 malicious mobile apps capable of stealing information, creating backdoors and other functions – accounting for more than 2 billion downloads.
Organisations must adopt security systems capable of protecting across all vectors that target users, the report said. They must have the ability to non-intrusively assess the mobile apps running on their employees’ phones and tablets and identify apps that pose a risk to the data of the individual or the organisation, it continued.
Infected emails and document downloads
Banking Trojans were the most popular type of malicious document attachment payload, accounting for 74% of all payloads. Dridex message volume was almost 10 times greater than the next most-used payload in attacks that used malicious document attachments.
The documents themselves used malicious macros extensively and relied on social engineering to trick the user into running the malicious code to infect their computer.
Proofpoint recommends that organisations apply defences that can identify campaigns as they occur and connect them to threat actors, using intelligence about known and new techniques and payloads to both stop threats and improve incident response.
Researchers found that attackers timed email and social media campaigns to align with the times that people are most distracted by other legitimate uses. For example, malicious email messages are delivered at the start of the business day, while social media spam posting times mirror the peak usage times.
“Advanced threat defence must protect people around the clock, wherever they may be working, while providing effective protection at peak usage when most are likely to blend in with legitimate email traffic and social media activity,” the report said.
Organisations need to take action to defend themselves against this wide range of threats, the report said.
Recommended, immediate actions include:
- Adopt advanced threat systems to identify and block targeted attacks that travel over email – the top threat vector. These systems must take into account the increasing sophistication of emerging threats and socially engineered attacks.
- Deploy automated incident response capabilities to rapidly identify and mitigate infections, including detecting and blocking command and control communication of infected systems.
- Patch client systems for all known operating system and application vulnerabilities to protect against aggressive exploit kits that reach clients via email, malvertising and drive-by downloads.
- Update both email gateway rules and internal financial controls to improve resistance against wire transfer fraud scams.
- Police social media activity for potentially fraudulent accounts that can hijack conversations with customers, steal personal and financial information, and inflict damage on brands increasingly reliant on social channels.