It is one thing for a bad guy to sit down for hours upon hours and days upon days to create code to break into a system to achieve a goal.
Or they can focus on taking advantage of security's weakest link: people. This way they can get the keys to the kingdom, walk right in, and bypass technical security measures altogether.
That is why attackers are increasingly turning to people-centered threats, relying more and more on social engineering, said researchers in a report from Proofpoint.
While awareness of social engineering attacks is on the rise among some people, attackers have found new ways to trick victims into becoming unwitting accomplices, said researchers in Proofpoint's "The Human Factor 2018" report.
Email remained the most popular attack vector, while the rise of crypto-currency drove innovations in phishing and cybercrime.
Attackers “have found new ways to exploit ‘the human factor’ — the instincts of curiosity and trust that lead well-intentioned people to click, download, install, move funds, and more every day,” Proofpoint researchers said in the report.
The largest numbers of email fraud attacks hit education, management consulting, entertainment, and media firms, while construction, manufacturing, and technology were the most phished industries.
In addition, manufacturing, healthcare, and technology firms were targeted the most by crimeware.
Proofpoint saw attacks that include large, multimillion-message malicious campaigns distributing malware such as ransomware (the biggest email-borne threat of 2017) and targeted assaults orchestrated by state-sponsored groups and financially motivated fraudsters.
“Whether they are broad-based or targeted; whether delivered via email, social media, the web, cloud apps, or other vectors; whether they are motivated by financial gain or national interests, the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, downloaded unsafe files, installed malware, transferred funds, and disclosed sensitive information at scale,” Proofpoint researchers said.
Last year, suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1, according to the report.
Social engineering underpins the Human Factor, researchers said. Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click.
• Suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1. That means targets of phishing attacks are more likely to mistake typosquatted and suspicious domains for their legitimate counterparts.
• Fake browser and plugin updates appeared in massive malvertising campaigns affecting millions of users. As many as 95 percent of observed web-based attacks like these, including those involving exploit kits, incorporated social engineering to trick users into installing malware rather than relying on exploits with short shelf lives. Two years ago, social engineering in web-based attacks was much less widely deployed.
• About 55 percent of social media attacks that impersonated customer-support accounts—a trend known as “angler phishing”—targeted customers of financial services companies.
• 35 percent of social media scams that used links and "clickbait" brought users to video streaming and movie download sites. In-browser coin mining, in which attackers hijack victims' computers to generate cryptocurrency, also went mainstream. These attacks converged largely around pirated video streaming sites; users' long viewing sessions gave the miners extended access to victims' PCs, netting more income for their operators.
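The 20-to-1 ratio of suspicious to brand-registered domains above is the kind of problem a defender can partially automate: compare every newly seen domain (from mail logs, proxy logs, or certificate-transparency feeds) against the brands you protect and flag the look-alikes before a user has to judge them. The following is an added example written for this summary; it is not Proofpoint's code or method. The protected-brand list and the test domains are constructed, and the registrable-domain logic is a simplification (it ignores multi-label public suffixes such as co.uk).

```python
"""Flag look-alike (typosquatted / homoglyph / brand-embedding) domains.

Added illustrative example; not Proofpoint's code. PROTECTED is a
constructed brand list. Three checks are applied to the registrable part of
a host name: exact match, edit distance or homoglyph match against a brand
name, and brand name embedded inside a different registrable domain.
"""
from __future__ import annotations

# Constructed list of domains this organisation wants to protect.
PROTECTED = ["example.com", "examplebank.com"]

# Common visual substitutions seen in typosquats (defensive normalisation).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a host name. Simplification: ignores multi-label
    public suffixes such as co.uk; a real deployment would use a PSL library."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse digit/letter look-alikes and the 'rn' -> 'm' confusable."""
    return label.translate(HOMOGLYPHS).replace("rn", "m")


def classify(domain: str, protected=PROTECTED) -> tuple[str, str | None]:
    """Return (verdict, matched_brand). Verdicts:
    'exact'     - the protected domain itself (any subdomain of it)
    'lookalike' - registrable name within edit distance 2 of a brand name,
                  or equal to it after homoglyph normalisation
    'embedded'  - a brand name appears inside a label of a different
                  registrable domain (e.g. example-secure.com)
    'clean'     - no relationship found
    """
    reg = registrable(domain)
    reg_name = reg.partition(".")[0]
    host_labels = domain.lower().rstrip(".").split(".")
    brand_names = [(b, b.partition(".")[0]) for b in protected]

    for brand, _ in brand_names:
        if reg == brand:
            return "exact", brand
    for brand, name in brand_names:
        if normalise(reg_name) == name or levenshtein(reg_name, name) <= 2:
            return "lookalike", brand
    for brand, name in brand_names:
        if any(name in label for label in host_labels):
            return "embedded", brand
    return "clean", None


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in a mail or proxy log.
    for d in ["www.example.com", "exarnple.com", "examp1e.com", "exampel.com",
              "examplebanc.com", "login.example-secure.com", "google.com"]:
        verdict, brand = classify(d)
        print(f"{d:28} {verdict:10} {brand or ''}")
```

The edit-distance threshold of 2 is deliberately loose; for short brand names it will flag unrelated legitimate domains, so a length-aware threshold (or distance 1 for names under six characters) is the usual tuning step. The output of this check is a triage list for the mail-security or abuse team, not an automatic block.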
Dropbox phishing was the top lure for phishing attacks, but click rates for DocuSign lures were the highest. Network traffic from coin-mining bots jumped almost 90 percent between September and November, while ransomware and banking Trojans together accounted for more than 82 percent of all malicious email messages. Although used often in email campaigns, Microsoft Office exploits usually came in short bursts rather than sustained campaigns.
“Social engineering is at the heart of most attacks today,” Proofpoint researchers said. “It can come through something as simple as a bogus invoice lure in a multimillion message malicious spam campaign. It may appear as an intricate fake chain of emails and out-of-band communications in email fraud. Even web-based attacks — which once depended almost exclusively on exploit kits and drive-by downloads — are now built around social engineering templates. People willingly download bogus software updates or fake anti-malware software.”
“Regardless of the vector or approach attackers use, defenders in security operations must understand threat actors and how they operate,” the researchers said. “Threats may come from what appear to be legitimate sources. They may not involve easily recognized malware. And they will frequently leverage channels ranging from social media to web-based attack chains.”