Watch your emails and apps – Key findings from Webroot’s threat trends update

We saw a litany of high profile cyber breaches in 2016, from LinkedIn and Yahoo to Tesco and Sage. At times it felt like a new breach was reported every other day, but this is just the tip of the proverbial iceberg. For every successful attack reported there will be many more that are not for reasons like protecting brand image, but most likely because they were unaware that they have even been breached.  It’s now not a case of if an organisation will be breached, but how long until it’s discovered. Once discovered will it be thanks internal security systems and practices in place, or due to external entities and third parties, such as millions of confidential customer records being put up for sale on the dark web.

Webroot has visibility of the drivers behind these breaches through the continuously gathered data it collects. Correlating activity from millions of endpoints and internet sensors, threat trends can be identified as they emerge. The latest version of our Annual Threat Trends Report found a number of key security developments in 2016, including phishing campaigns against large tech and finance firms, and an explosion of new malicious Android apps. 

Phishing – still plenty of targets in the sea

Over the past few years, we’ve noticed a dangerous trend: the shortening of phishing attack lifecycles. That is, the length of time each phishing site is active. The average phishing site was online for less than 15 hours, which means anti-phishing technologies based on a static blacklist won’t be able to keep up with the short life cycles, making them ineffective at stopping attacks.

Phishing attacks usually impersonate the websites of legitimate companies in order to trick a user into providing personal information. Typically, technology companies and financial services firms are the most impersonated. The chart below highlights the relative number of phishing URLs for each of the technology and financial services firms in the top 20 most impersonated companies.

Android anxiety – malicious apps skyrocket 

It’s no secret that smartphones are practically a lifeline for consumers. Sensitive behavioural, financial and personal data is accessed and stored on mobile devices every day. Attackers are aware of this and have been developing malicious apps to target mobile devices. 

Last year Webroot analysed about 20 million new and updated iOS and Android apps. Of those found to be malicious, most were created for Android operating systems and located in Asian app stores. Android operating systems exist on roughly two-thirds of global devices, making it a lucrative target for hackers. Add to this the fact that regulations in many Asian countries has allowed the emergence of app stores that don’t have the same security criteria as the Apple Store or Google Play, making it far easier for attackers to push them through.

It is worth noting that many of these new malicious mobile apps are targeting Version 4 or earlier of the Android operating system, so those with older devices are at greatest risk from new malicious mobile apps.

The top five categories of apps containing malware are tools, games, entertainment, productivity and personalisation. While it may seem surprising that more malicious apps would be tools users are more likely to accept permission requests from these types of apps rather than games or other categories. 

The most common threat type present in these malicious apps is the Trojan attack, which gives an attacker access to, and control of, the victim’s device. As the chart below indicates, this category dominates malicious threats, although has been slowly conceding to other attacks like spyware and adware over the last couple of years.

The many faces of malware – Polymorphic files and Potentially Unwanted Applications (PUAs)

Each year, Webroot encounters hundreds of millions of unique executable files for the first time, and a sizable percentage of these were identified as malware or potentially unwanted applications (PUAs).  Attackers generate polymorphic malware and PUAs, in ways that make each instance unique. This is designed to go around traditional security which works off a blacklist of malicious executables.

In 2016, 94% of the malware and PUA executables Webroot observed were only seen once, highlighting the prevalence of polymorphism. Organisations looking to defend against these types of malicious files must employ a threat intelligence and detection platform that is able to identify and stop polymorphic executables before they have a chance to reach the network. 

Looking through 2016 data, approximately one in every 40 new executable files observed was malware. These files are highly targeted, often for specific individuals, and cannot be stopped by traditional malware detection technologies. Organisations must be vigilant against this threat to protect their IP, customer data and any other critical information from being accessed by cyber criminals.

Not the Yellow Pages – the blacklist of malicious IP addresses 

At any given time, there are millions of IP addresses associated with malicious activity. Automatically blocking traffic from these IP addresses can prevent many attacks from reaching their targets. 

Organisations can leverage blacklists of malicious IP addresses to establish proactive security measures in line with their risk tolerance and business needs. For example, an organisation which stands to lose a great deal from a compromise might elect to limit all activity from IP addresses in the higher-risk tiers. An organisation with lesser security concerns might allow activity from all IP addresses, but limit system administration from those which might present a risk.

Approximately 92 per cent of malicious IP addresses are associated primarily with spam generation. When this is omitted, the most prevalent threat types are scanners (55 per cent) and proxies (42 per cent), with phishing, web attacks, and other types of threats only comprising a total of 3 per cent. 

The Good, the Bad, and the Malicious – categorising URLs 

Webroot continuously monitors URLs and assesses their reputations, having analysed over 27 billion URLs to date. These are then assigned to a risk category based on numerous factors, including the website’s history, age, rank, location, networks, links, real-time performance, and behavioural information. 

The chart below shows the ten countries that hosted the most high-risk URLs during 2016. Although the percentages change from year to year, the top ten usually remain pretty consistent – and the USA is always first. 

The most likely explanation for the US dominating malicious URL hosting is that it’s unlikely to be targeted by geofiltering services. Such services are configured to block network traffic involving certain geographic regions, but the USA hosts so many legitimate websites that it would be counterproductive to try and block all traffic. This highlights the importance of using both URL reputation filtering and IP address filtering.

Continued vigilance 

Reports of spiralling security threats can be overwhelming, but simple steps can be taken to make sure that your organisation doesn’t join the ranks of victims. Firms must ensure that their security teams adopt a proactive approach to threat hunting as malware behaviours are continuously updating and evolving. While deploying security tools that can adapt and predict malware behaviours as they evolve is important, companies must educate their staff on best practice security and ensure they have the right processes in place to support them.

Awareness, planning, implementation, controls and monitoring allow IT security to reach its full potential. Having the right processes in place, and ensuring that users are regularly trained and up to date on key developments allows an organisation to adopt a proactive stance and hunt threats before they are hacked – hopefully this overview of the latest threats will provide some forewarning.

David Kennerley, Director of Threat Research, Webroot
Image source: Shutterstock/Bloomicon