Phishing threats continue to evolve and stay one step ahead of enterprise defenses, according to new research from Proofpoint.
Proofpoint’s report, titled “The Human Factor 2018,” revealed several trends and techniques for social engineering attacks, including phishing threats, observed in 2017 based on data from more than 1 billion email messages a day. The email security vendor’s report highlighted shifts in targeted attacks and in the techniques used by a variety of threat actors last year.
Overall, the report also claimed that social engineering attacks still dominate the threat landscape. “As many as 95% of observed web-based attacks like these, including those involving exploit kits, incorporated social engineering to trick users into installing malware rather than relying on exploits with short shelf lives,” Proofpoint researchers wrote. “Two years ago, social engineering in web-based attacks was much less widely deployed.”
Ryan Kalember, Proofpoint’s senior vice president of cybersecurity strategy, said just 1% of the targeted attacks the vendor saw in 2017 used a vulnerability to gain a foothold in the organization. “Attackers just go on Google or LinkedIn for the person who has access to the things they want, then they email them something targeted toward those specific people,” Kalember said. “They’re all relying on the human target to do the work for them.”
The phishing research also showed evolving techniques and approaches to the time-honored attack. For example, Proofpoint said the biggest change from 2016 was an increase in fraudulent Dropbox emails; those emails were the “top lure” for phishing threats over the last year, representing more than twice as many attacks as the next most popular lure. The report didn’t say why Dropbox phishing emails increased so much but did say that “isolated instances of extremely large campaign activity” drove the increase.
However, the report noted that DocuSign-related phishing emails had the highest click-through rates. The digital signature service suffered a breach last May, followed by a surge in phishing emails targeting DocuSign users.
The data regarding cloud-related threats was also troubling; Proofpoint said nearly 25% of all suspicious logins for cloud services were successful in 2017. In addition, the report stated suspicious domain names for large enterprises outnumbered legitimate corporate-owned domains by approximately 20 to 1.
More steps, same success
Kalember said one of the most significant trends revealed in the Human Factor 2018 report was that phishing threats haven’t been slowed down even as they are forced to bypass more security measures and get users to make more clicks. “As these workflows have gotten more complex and required the recipients to take more steps, we haven’t really seen the success rates go down,” he said.
As an example, Proofpoint detailed how phishing emails containing malicious documents that abused the Dynamic Data Exchange (DDE) protocol, which saw a surge in October, still relied heavily on human users to be successfully exploited.
“Schemes like this underscore the human factor’s status as the richest vulnerability targeted by cybercriminals,” the report stated. “That held true even in the case of attacks that use DDE, the most abused Office feature in 2017. Recipients had to — and did — click through multiple security warnings to run the exploit and infect their PCs with malware.”
Kalember said targeted spear phishing campaigns that go after “VIPs” within an organization, such as C-level executives and network administrators, are particularly effective at getting recipients to take several actions to execute the attack. The more customized and well-researched the phishing lure is, he said, the more clicks threat actors can get away with.
An example of an effective spear phishing campaign, Kalember said, was the Carbanak/FIN7 threat actor group’s effort last year regarding the U.S. Securities and Exchange Commission (SEC). “They went after a very specific title — ‘financial filing analyst’ — within different companies,” he said. “We found out that these are the people that file non-public financials with the SEC, and they were targeting these people to obtain those filings and use them to commit securities fraud.”
Along with the phishing research in the report, Kalember shared other trends Proofpoint has seen recently. “We started seeing a ton of encrypted ZIP files with the password in the email,” he said. “Those are hard for antimalware programs to detect. The answer is to brute force every word in the email body to try to open the file.”
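The “brute force every word in the email body” check Kalember describes, as an added Python example that is not Proofpoint’s code or part of the report: every token in the message body (as written and with surrounding punctuation stripped) is tried as the password for the attached archive, and the first one that opens it is returned. The email body, the attachment and the ZipCrypto writer used to build a test archive are all constructed for this demonstration, since Python’s zipfile module can read but not write encrypted archives; it also only handles traditional ZipCrypto, so AES-encrypted (WinZip-style) archives would need another library.

```python
import io, struct, zipfile, zlib

def _zipcrypto_encrypt(plain: bytes, password: bytes, crc: int) -> bytes:
    """Traditional PKWARE (ZipCrypto) encryption, used here only to build a test archive."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(b):  # one CRC table step == zlib.crc32 with pre/post-inverted state
        k[0] = zlib.crc32(bytes([b]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    for b in password:
        update(b)
    out = bytearray()
    # 12-byte header; its last byte must equal the CRC high byte (the "bad password" check)
    for p in bytes(11) + bytes([crc >> 24]) + plain:
        t = k[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name: bytes, plain: bytes, password: bytes) -> bytes:
    """One STORED entry with flag bit 0 (encrypted) set: local header, central dir, EOCD."""
    crc = zlib.crc32(plain)
    body = _zipcrypto_encrypt(plain, password, crc)
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0,
                        crc, len(body), len(plain), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0,
                          crc, len(body), len(plain), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def candidate_passwords(email_body: str) -> list:
    """Every token of the body, as written and with surrounding punctuation stripped, deduplicated."""
    return list(dict.fromkeys(c for t in email_body.split() for c in (t, t.strip(".,:;!?\"'()[]<>")) if c))

def find_zip_password(zip_bytes: bytes, email_body: str):
    """Try each candidate against the first entry; return the one that opens it, or None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entry = zf.namelist()[0]
        for cand in candidate_passwords(email_body):
            try:
                zf.read(entry, pwd=cand.encode())  # raises on wrong password or CRC mismatch
                return cand
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None

# Constructed sample lure and attachment (not a real message or real malware).
EMAIL_BODY = "Hi, attached is the April invoice. The archive is protected, password: Inv0ice2017. Regards, Accounts"
SAMPLE_ZIP = build_encrypted_zip(b"invoice.docm", b"placeholder document body", b"Inv0ice2017")
```

In a mail gateway this would run on attachments whose local header flags mark them encrypted, with the recovered password used to hand the inner file to the normal malware scanner.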
In addition, Kalember said that when companies move to Office 365, Proofpoint typically starts to see a significant increase in phishing emails targeting network admins with credential harvesting attacks. Those increases coincide with other data contained in the Human Factor 2018 report, which shows that as more companies move to different cloud services, threat actors follow.