Jen A. Miller
The more things change, the more things stay the same -- at least for hackers. That's one of the finding in Proofpoint's mid-year threat report on the attacks of choice for the first half of 2015.
In addition to the return of an old friend, the
cybersecurity company also found more targeted attacks towards
businesses, heightened activity around social media and a shift in the
volume and accuracy of the bad stuff that ends up in your inbox, looking
to take your money.
Click the attachment
They're baaaaaack – email attachments that infect a computer once clicked upon, that is.
"Human beings have short memories," says Kevin Epstein, vice
president of advance security and governance at Proofpoint. "It's fresh
again."
Attachments
were last an issue in 2006, according to Proofpoint. Users today have
been drilled to avoid clicking on unknowing URLs, putting attachments in
the back of our minds.
"No one remembers a few years ago when it was 'don't click
on attachments.' What's old is new again, and unfortunately from a
security perspective, that's bad," he adds.
[Related: The Web's 10 most dangerous neighborhoods]
Proofpoint found that malicious attachments started popping
up again in October 2014, and then hit full force in the beginning of
2015. Most attachments have been Microsoft Word documents with malicious
macros that required user interaction in order to execute.
Target the bean counters
Hackers aren't sending attachments to everyone, though. The
difference in this reincarnation of a tried-and-true tactic is that
cybercriminals are targeting businesses, and sometimes masking as
requests or files coming from within the company. They’re even sending
them at a time when you'd expect to receive such a missive. "We see the
highest point of entry on Tuesday at 10 a.m. local time, when everyone
is really busy," Epstein says.
Clay Calvert, director of cybersecurity for MetroStar Systems,
says that hackers are often searching for the names of comptrollers or
CFOs from company websites – typically available on "about us" pages –
and then sending them emails pretending to be from a higher up in the
company. They're the targets because they control the money.
Epstein likens this trend to why bank robbers rob banks: because that's where the money is.
"As an individual consumer, if I raid your bank account, I
might strike it rich and get away with $10,000. With a small business
payroll, I might get $100,000, $200,000, $300,000," says Epstein.
"If I hit something bigger, all I need is for one" attachment to work, he adds.
Proofpoint also found that in 2014, hackers tried to get at
these accountants through fake LinkedIn connect requests and other
social media lures – and attack that has virtually disappeared in 2015.
Instead, the vehicle of choice is communication notification templates,
and corporate and personal financial communication lures – things like
voicemail and fax notifications.
More companies should avoid their CFOs being easily
searchable, Calvert says, by making sure those "about us" pages are not
indexed, or making the names of their personnel graphics instead of text
on a page.
Mind the social media gap
Big event coming up? Something that people will tweet about obsessively? Hackers will show up, too.
"The bigger the event, the more people following it on social media, thus the more potential victims," says Epstein.
[Related: Who can stop malware? It starts with advertisers]
Proofpoint analyzed branded social media destinations linked
to events like the NFL playoffs/Super Bowl, Valentine's Day and March
Madness. They found malicious content customized specifically for
delivery to the events' massive audiences.
Sometimes these lures are posted on a brand's Facebook page.
That happened on the National Football League's Facebook page during
the Superbowl. Proofpoint also found more attacks on top U.K. brands,
which are 20 percent more active than those in the U.S. but also
suffered 60 percent more spam.
This just isn't bad for a brand's image, but could also make
a brand liable for any attacks posted to their pages, no matter who
posted them.
"Online is a microcosm of the real world," says Epstein.
"If you're in the real world, you're responsible for the safety of
people in your store or building. The same is true online. You are
responsible for your visitors."
Less is more (more effective, that is)
While attacks are getting more specific and targeted,
Proofpoint found that the overall volume of messages was down in the
first half of 2015. Media daily volume of unsolicited messages dropped
over 30 percent from January to June 2015.
This isn't something to celebrate, though. What's still
making it through is much more efficient at getting what it wants than
all those messages promising to wire you money or improve the function a
certain part of your anatomy.
"Follow the money," says Epstein. "If I can make a couple of
bucks off each person I get to click on an ad for fake drugs or what
have you, that's much less profitable than simple stealing money."
Post a Comment