Proofpoint is releasing its annual Human Factor Report, which looks at the latest cyber security issues in email, social media and mobile apps.
One of the most significant findings from the study is that in 2015 people were the targets: from email and web to social media and mobile apps, rather than relying on expensive exploit kits, attackers relied on human frailty to carry out their dirty work.
Essentially, 2015 was the year Machine Exploits were replaced by Human Exploitation. Rather than purchasing expensive technical exploit kits, attackers opted for high volume attachment-based campaigns and relied on social engineering to trick users into running malicious macros in word and excel on their machines.
The bottom line is everyone clicks, and the bad news is you can’t patch people, so as hackers continue to reap the rewards, this trend is likely to continue.
This year’s report analyses trends across the top vectors for targeting people – email, mobile apps, and social media – and some of the key findings include:
- People are replacing automated exploits as attackers’ preferred entry tactic
In 2015 attackers overwhelmingly infected computers by tricking people into doing it themselves instead of using automated exploits. 99.7% of documents used in attachment-based campaigns relied on social engineering and macros, rather than automated exploits. 98% of URLs in malicious messages link to hosted malware, either as an executable or an executable inside an archive. Hosted malicious archive and executables files require tricking the user into infecting themselves by double-clicking on the malware.
- Phishing is 10 times more common than malware in social media posts
The ease of creating fraudulent social media accounts for known brands drives a clear preference for phishing in social media-based attacks. Distinguishing fraudulent social media accounts from legitimate ones is difficult: we found that 40% of Facebook accounts and 20% of Twitter accounts claiming to represent a Global 100 brand are unauthorized, and for Global 100 companies unauthorized accounts on both Facebook and Twitter make up 55% and 25% of accounts, respectively. It’s no wonder then that we have seen the rise of fraudulent customer service account phishing, which uses social engineering to trick users to divulge personal information and logins.
- Dangerous mobile apps from rogue marketplaces affect two out of five enterprises
Our researchers identified rogue app stores from which users could download malicious apps onto iOS devices – even those not “jailbroken,” or configured to run apps not offered through Apple’s iTunes store. Lured in by “free” clones of popular games and banned apps, users who download apps from rogue marketplaces – and bypass multiple security warnings in the process – are four times more likely to download an app that is malicious. These apps will steal personal information, passwords or data. 40% of large enterprises sampled by Proofpoint TAP Mobile Defense researchers had malicious apps from DarkSideLoader marketplaces – that is, rogue app stores – on them.
- People willingly downloaded more than 2 billion mobile apps that steal their personal data
Attackers used social media threats and mobile apps, not just email, to trick users into infecting their own systems. Proofpoint analysis of authorized Android app stores discovered more than 12,000 malicious mobile apps – apps capable of stealing information, creating backdoors, and other functions – accounting for more than 2 billion downloads.
- Banking Trojans were the most popular type of malicious document attachment payload In 2015
Banking Trojans were the most popular type of malicious document attachment payload. They accounted for 74% of all payloads, and Dridex message volume was almost 10 times greater than the next most-used payload in attacks that used malicious document attachments. The documents themselves used malicious macros extensively and relied on social engineering to trick the user into running the malicious code to infect their computer.
- Hackers served phish for breakfast and social media spam for lunch In 2015
Attackers timed email and social media campaigns to align with the times that people are most distracted by other legitimate uses of those vectors. For example, malicious email messages are delivered at the start of the business day (9-10 am) while social media spam posting times mirror the peak usage times for legitimate social media activity.