Human exploitation overtakes machine exploits in 2015

Cyber security firm Proofpoint has released its annual Human Factor Report this week, which looks at the latest cyber security issues in email, social media and mobile apps, and one of the key findings from the study is that everybody, everywhere clicks.

The report also revealed that 2015 was the year that attackers put a massive emphasis on techniques that tricked people to do the work of automated malware. From email to social media to mobile apps, attackers focused on integrating social engineering tricks to convince people to run malicious code, hand over their credentials, and transfer funds directly to the bad guys.

Essentially, 2015 was the year machine exploits were replaced by human exploitation. Rather than purchasing expensive technical exploit kits, attackers opted for high volume attachment-based campaigns and relied on social engineering to trick users into running malicious macros in Word and Excel on their machines.

“Attackers moved from technical exploits to human exploitation in 2015,” said Kevin Epstein, vice president of Threat Operations Centre for Proofpoint. “People’s natural curiosity and gullibility is now targeted at an unprecedented scale. Attackers largely did not rely on sophisticated, expensive technical exploits. They ran simple, high-volume campaigns that hinged on social engineering. People were used as unwitting pawns to infect themselves with malware, hand over key credentials, and fraudulently wire money on the attackers’ behalf.”

The report analysed trends across the top vectors for targeting people – email, mobile apps, and social media – and some of the key findings include:

  • People willingly downloaded more than 2 billion mobile apps that steal their personal data - Attackers used social media threats and mobile apps, not just email, to trick users into infecting their own systems. Proofpoint analysis of authorised Android app stores discovered more than 12,000 malicious mobile apps - apps capable of stealing information, creating backdoors, and other functions - accounting for more than 2 billion downloads.
  • Phishing is 10 times more common than malware in social media posts - The ease of creating fraudulent social media accounts for known brands drives a clear preference for phishing in social media-based attacks. Distinguishing fraudulent social media accounts from legitimate ones is difficult: we found that 40 per cent of Facebook accounts and 20 per cent of Twitter accounts claiming to represent a Fortune 100 brand are unauthorised, and for Fortune 100 companies unauthorised accounts on both Facebook and Twitter make up 55 per cent and 25 per cent of accounts, respectively. It's no wonder then that we have seen the rise of fraudulent customer service account phishing, which uses social engineering to trick users to divulge personal information and logins.
  • Hackers served malware for breakfast and spam for lunch - In 2015, attackers timed email and social media campaigns to align with the times that people are most distracted by other legitimate uses of those vectors. For example, malicious email messages are delivered at the start of the business day (9-10 a.m.), while social media spam posting times mirror the peak usage times for legitimate social media activity.
  • In 2015, banking Trojans were the most popular type of malicious document attachment payload - They accounted for 74 per cent of all payloads, and Dridex message volume was almost 10 times greater than the next most-used payload in attacks that used malicious document attachments. The documents themselves used malicious macros extensively and relied on social engineering to trick the user into running the malicious code to infect their computer.
  • People are replacing automated exploits as attackers' preferred entry tactic - In 2015 attackers overwhelmingly infected computers by tricking people into doing it themselves instead of using automated exploits. 99.7 per cent of documents used in attachment-based campaigns relied on social engineering and macros, rather than automated exploits. 98 per cent of URLs in malicious messages link to hosted malware, either as an executable or an executable inside an archive. Hosted malicious archive and executables files require tricking the user into infecting themselves by double-clicking on the malware.
  • Dangerous mobile apps from rogue marketplaces affect two out of five enterprises - Our researchers identified rogue app stores from which users could download malicious apps onto iOS devices - even those not "jailbroken," or configured to run apps not offered through Apple's iTunes store. Lured in by "free" clones of popular games and banned apps, users who download apps from rogue marketplaces - and bypass multiple security warnings in the process - are four times more likely to download an app that is malicious. These apps will steal personal information, passwords or data.
  • 2015 was the year that mobile attack vectors came of age - The fourth quarter in particular saw a surge of "riskware." These are mobile apps that aren't necessarily malicious but transmit sensitive data to servers that may be compromised or that reside in foreign countries. Malicious mobile apps alone communicate data to 57 countries, and 19 per cent of these apps send data to China. After the US, China is the number one destination for data from malicious applications

Image Credit: Shutterstock / wk1003mike