Cybercriminals View People as the Best Exploit: Report

Cybercriminals are increasingly focusing on tricking humans into becoming their unwitting accomplices in attempts to steal information and money, a new report from Proofpoint reveals.

While attacking the human element is by no means a new tactic, according to the recently released Proofpoint Human Factor 2016 report, social engineering has become the most used attack technique as attackers trick people into infecting their computers themselves and are less reliant on automated exploit technology. Proofpoint found that 99.7 percent of attachment documents and 98 percent of URLs in malicious email campaigns required human interaction to infect the target.

The report also reveals a trend among attackers who served phishing emails in the morning and social media spam at noon, riming their attacks to ensure optimal distraction. Tuesday mornings between 9-10 a.m. was the most popular time frame for phishing campaigns, while most social media spam hit in the afternoon.

As was the case in 2014, Tuesday remained the preferred day of the week for delivering malicious messages, though the difference compared to other days of the week was less pronounced. In fact, the report shows that attackers were most active from Monday to Wednesday and that click counts by day of the week followed a similar trend, with days toward the end of the work week showing decrease in clicks.

Malicious Microsoft Office macros, which first appeared in late 90s, started fading out when Office 2007 turned macros off by default. However, cybercriminals began using them again in late 2014 and early 2015, and increased the volume of spam emails containing attached documents with malicious macros by the end of last year, aggressively targeting organizations in the UK and Europe.

Proofpoint researchers also note that social media phishing scams became 10 times more common compared to social media malware. They also found that 40 percent of accounts on Facebook and 20 percent of accounts on Twitter claiming to represent a global 100 brand were unauthorized.

The report (PDF) also reveals that ransomware was highly popular in exploit kit campaigns in 2015, and that it continues to be the case in 2016 as well. Banking Trojans were the most popular threats used in malicious email campaigns, with Dridex message volume almost 10 times greater than the next most-used threat, Proofpoint researchers explain.

According to the report, people willingly downloaded more than two billion mobile applications designed to steal data, and the security company has found over 12,000 malicious mobile apps in authorized Android app stores. Many of these were built to steal user information, create backdoors on the compromised devices, and perform other nefarious functions.

Proofpoint researchers also explain that dangerous mobile applications from rogue marketplaces affect 2 in 5 enterprises. Additionally, 40 percent of large enterprises sampled by the security firm had malicious apps from rogue app stores on mobile devices, with these programs capable of stealing personal information, passwords or data.

The report suggests that 2015 was the year during which attackers considered people as making the best exploits and focused on building social engineering into their lures and their vectors to trick people into clicking and opening an attachment, downloading an app, or handing over their credentials. Moving forward, attackers are expected to continue using a threat framework that has proven to be flexible, adaptable, and resilient, and which consists of five elements: actor, vector, hosts, payload, and command-and-control channel.

“Attackers moved from technical exploits to human exploitation in 2015,” said Kevin Epstein, vice president of Threat Operations for Proofpoint. “People’s natural curiosity and gullibility is now targeted at an unprecedented scale. Attackers largely did not rely on sophisticated, expensive technical exploits. They ran simple, high-volume campaigns that hinged on social engineering. People were used as unwitting pawns to infect themselves with malware, hand over key credentials, and fraudulently wire money on the attackers’ behalf.”