
Malicious email spikes in Q2, reports Proofpoint

Malicious email campaigns saw a spike in volume and increased variety in the second quarter of 2017, a cyber security report reveals

Malicious email campaigns were up 250% in the second quarter of the year compared with the first three months, according to the latest threat report from email security firm Proofpoint.

Although the volume of malicious emails in the quarter did not reach record levels of the second half of 2016, the report said there was a greater variety, with new attachment types and malware.

There was also an increased use of malicious attachments rather than malicious links, which marked another change compared with campaigns seen in the first quarter.

Exploit kits and web-based attacks

Exploit kit (EK) activity held steady at dramatically reduced levels compared with the first half of 2016, the report said.

However, even at these reduced levels of activity, according to Proofpoint, EK threats continued to become more sophisticated, incorporating smarter targeting and filtering to avoid detection and improve infection rates.

The quarter was dominated by the WannaCry and a new Petya variant spreading via leaked NSA exploits and backdoors, which the report said created a new class of malware that Proofpoint dubbed “ransomworms” whose propagation mechanisms suggested that threat actors were more focused on disruption than profit.

“They infected systems faster than the ransomware authors would have been able to collect and process ransom payments and unlock victims’ files. In these cases, the focus may have been pure disruption rather than the ransom money.

“It is too early to say whether attackers’ payment infrastructure simply has not caught up with their ability to spread ransomware – or whether ransomworms represent a new, destructive attack,” the report said.


Pure ransomware, however, remains the most popular form of malware, with 68% of all malicious messages bearing some variant of ransomware.

The threat actor Proofpoint calls TA505 vastly surpassed all other actors in terms of volume with Locky and Jaff ransomware.

The group switched from Locky to Jaff in Q2 and then back to Locky as soon as a decryptor was released, underscoring how easily attackers can adjust to changing conditions and defences.

Email fraud

In the second quarter, Proofpoint said there was some correlation between company size and the likelihood of an email fraud attempt.

Data from the quarter suggests that email fraudsters are refining their techniques and targeting businesses more deliberately.

While business email compromise (BEC), also known as whaling and CEO fraud, continues to occur across all industries, the report said some appear to be disproportionately targeted, with increased rates of email fraud attempts in Q2 compared to one year ago in the technology, telecommunications, automotive, and education sectors.

Social Media

Social media continues to grow as a threat vector, the report said. The number of phishing links in social channels grew 70% from the previous quarter, and fake customer-support accounts used for angler phishing jumped 300%.

Attackers used compromised apps on social platforms and took advantage of “the human factor” that is so readily exploited in social media.

In light of the second quarter findings, Proofpoint recommends that enterprises:

1. Review patching practices

WannaCry ransomware is another example of an advanced threat that takes advantage of legacy systems that are unpatched or poorly configured, the report said.

As these attacks become more frequent, the best bet is to install the latest patches, validate the security setup and test backup processes to ensure that individual machines and company-wide data can be restored.

2. Deploy advanced email gateway analysis

To detect and stop new attack tools, tactics and techniques, deploy advanced analysis at the email gateway.

The gateway should draw on advanced threat intelligence to inspect the entire attack chain using static and dynamic techniques, the report said, and it should constantly adapt to new threats as they emerge with fast, continual updates.

3. Use Dmarc authentication

The domain-based message authentication, reporting and conformance (Dmarc) protocol can instantly stop email fraud that uses domain spoofing.

With Dmarc, organisations can be sure that email using the organisation’s domain is really from that organisation.
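To make the Dmarc mechanism concrete, here is an added example (not from the Proofpoint report): it parses a Dmarc TXT record, checks whether the SPF- or DKIM-authenticated domain aligns with the visible From domain, and returns the disposition a receiver would apply. The record and the message results are constructed, and the organisational-domain helper is a simplification of the real Public Suffix List lookup.

```python
"""Minimal Dmarc evaluation: policy record parsing, identifier alignment, disposition."""


def parse_dmarc(record: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; adkim=s' into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid Dmarc record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organisational domain as the last two labels.
    Real receivers consult the Public Suffix List; this is an assumption for the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed a shared organisational domain."""
    if not auth_domain:  # that mechanism did not pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_pass, disposition).

    Dmarc passes when at least one of SPF or DKIM both passed and aligns with the
    From domain; otherwise the sender's published policy (p=) decides what happens.
    Note that p=none only reports: a spoofed message is still delivered."""
    policy = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, policy["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else policy["p"])


if __name__ == "__main__":
    # Constructed spoof: From: example.com, but SPF only passed for the sender's own domain.
    print(evaluate("v=DMARC1; p=reject", "example.com", spf_pass_domain="attacker.invalid"))
```

Running the block shows why the report's advice hinges on the policy the organisation publishes: the same spoofed message is rejected under p=reject but delivered under p=none.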

4. Get visibility into geo-targeted threats

Full visibility into the flow of email can make all the difference in a targeted attack.

Visibility means being able to distinguish broad attack campaigns from targeted threats. This will enable organisations to see attacks directed at their executive leadership and other high-value employees.

5. Secure all channels from digital fraud

If an organisation uses social media to support or collaborate with customers and partners, the report said it is time to bring social media channels into the fold of the security program:

“To protect your brand and the people who trust it, consider solutions that can find and mitigate risks across all the digital channels that matter.”
