- Jun 24, 2016
THE HUMAN FACTOR: Proofpoint Research Report 2016.
Today’s advanced attacks focus more on exploiting human flaws than system flaws. Proofpoint developed The Human Factor to explore this under-reported aspect of enterprise threats.
This paper presents original field research using data gathered by Proofpoint products deployed in customer settings around the world. It covers the latest trends in the top vectors for targeting people: email, social media, and mobile apps. The Human Factor reveals not just who is clicking what, but how threat actors are using social engineering to get people to perform the work of automated exploits. Because as the data make clear, the weakest link in security is all of us.
Executive Summary
Life imitated art in 2015 as real-world cyber criminals every day applied the mantra of the anti-hero hacker of the cable TV series Mr. Robot: “People make the best exploits.” Social engineering became the No. 1 attack technique. Attackers shifted away from automated exploits and instead engaged people to do the dirty work—infecting systems, stealing credentials, and transferring funds. Across all vectors and in attacks of all sizes, threat actors used social engineering to trick people into doing things that once depended on malicious code.
Attackers use people in three progressively controlling ways:
Running attackers’ code for them.
These attacks comprised mainly high-volume campaigns distributed to broad groups of users. They used a variety of ruses to evade technical detection and convinced people to disable or ignore security, click links, open documents, or download files that installed malware on laptops, tablets, and smart phones.
Handing over credentials to them.
These attacks appeared frequently in medium-volume campaigns. They targeted key people who had valued credentials, such as usernames and passwords to crucial systems or useful services, tricking them into turning over their “keys to the castle.”
Directly working for them, transferring funds to them.
These attacks were narrow and highly targeted. They aimed for users with the right job duties and the ability to act directly on behalf of attackers. These users, thinking they were following orders from higher-ups, most often made wire transfers to fraudulent bank accounts.
These attacks differed in scale and volume. But they all shared one common thread: using social engineering to persuade people to do the work of malware—and deliver big dividends for the attackers.
TABLE OF CONTENTS:
Key Findings & Defensive Recommendations
Section 1: By the Numbers
Threat Targeting by Geographic Region
Email Threat Targeting by Day of Week
Email Threat Targeting by Hour of Day
Social Media Threat Targeting by Hour
Threat Targeting Malicious Mobile Apps
Section 2: Exploiting People
People Running Attackers’ Code for Them
Email Threat Vector Trends: URL vs. Attachments
Threat Types: Attachment Malware Payloads
Threat Vector Tactics: Most Used Email Lures
Threat Types: Malicious Attachment Document Formats
People Handing Over Credentials to Attackers
Threat Vector Tactics: Credential Phishing
Mobile App Threats Come of Age
Phishing Dominates Social Media Attacks
People Transferring Funds Directly to Attackers
Conclusion
Understanding advanced threats
Recommendations
READ THE FULL REPORT AT THE LINK AT THE TOP OF THE PAGE.