Attackers are increasingly exploiting social engineering tactics to lure in naive targets.

Last year, criminals leveraged human vulnerabilities to launch more malicious email campaigns than ever before, according to a just-released report.

Proofpoint's "Q4 Threat Summary and Year in Review" determined that attacks across mobile and social media platforms increased, while exploit kits declined, ransomware exploded, and targeted attacks grew more sophisticated.

Humans are the biggest risk, the report found, as miscreants increasingly exploit social engineering tactics to lure in naive targets. And, criminals are becoming more efficient in switching tactics to increase their ROI, particularly with malware. The number of new ransomware variants grew by 30 times over Q4 2016, the report found.

As well, cyberthieves are transplanting their strategies to mobile and social platforms. These two areas experienced sharp increases in malicious activity, exploiting major events and eye-grabbing headlines. Fraudulent social accounts increased by 100 percent from the third to fourth quarter of 2016.

Recommendations:

Proofpoint's top recommendations for protecting your company in 2017:

Assume users will click.
Leverage a solution that identifies and quarantines both inbound email threats targeting employees and outbound threats targeting customers before they reach the inbox.

Build a robust BEC defense.
Invest in a solution that has dynamic classification capabilities that you can use to build quarantine and blocking policies.

Protect your brand reputation and customers.
Look for a robust social media security solution that scans all social networks and reports fraudulent activity.

Lock down mobile app environments.
Invest in a data-driven solution that works with your mobile device management (MDM) to reveal the behavior of apps in your environment.

Partner with a threat intelligence vendor.
Leverage a solution that combines static and dynamic techniques to detect new attack tools, tactics and targets – and then learns from them.

Email continued as a primary route for criminals to penetrate enterprise networks where they can access confidential corporate data, the report found. In fact, malicious email campaign volumes spiked in 2016 with the fourth quarter's largest campaign nearly seven times the size of Q3's largest.

Ransomware gained prominence with variants multiplying 30 times over last year, the study found. 

"The fourth quarter of 2016 saw substantial variation in payloads, timing and techniques used to deliver malware and attack businesses and consumers even beyond the volume and variety we observed throughout 2016," the study found.

In the mobile arena, hundreds of thousands of devices were used in attacks that redirected users to malicious websites through the DNSChanger exploit kit. DNSChanger EK, however, exploited vulnerable SOHO routers instead of mobile and desktop devices. As well, a number of mobile risks gained prominence beyond the growth of malware, including risks from malicious clones of popular apps like Pokémon GO, the increased use of side-loading to distribute unauthorized apps, and the availability of targeted attack tools, like Pegasus, for mobile devices.

The increasing popularity of social media platforms attracted a lot of attention from criminal elements. Phony social media accounts doubled from the third to the fourth quarter of 2016, the report found, and social media phishing attacks increased 500 percent year-over-year.

When asked how criminals are leveraging susceptible workers to click on malicious links, Patrick Wheeler, director, threat intelligence at Proofpoint, told SC Media on Wednesday that his team is seeing increasingly sophisticated social engineering in both the emails and documents sent to organizations and their employees.

"Whereas in previous years attackers could rely on both browser and document exploits that installed malware with no user intervention, rigorous patching by both businesses and software vendors has rendered many of these techniques obsolete or difficult to monetize," Wheeler said. "In 2016 and the first part of this year, lures are designed to convince users to open documents, enable macros, and bypass Windows User Access Controls."

By presenting reasonable explanations for the errors and dialogs users see, attackers can successfully use macros and other software to deliver malware, he added.

As far as what threats are most concerning, Wheeler said every threat carries its own unique risks, many of which depend on a business's practices, infrastructure, or industry. However, when pressed, he explained that the ongoing proliferation of ransomware demonstrates that attackers are finding continued success generating easy return on their investments. 

As well, BEC attackers are refining their techniques and are also continuing to successfully carry out attacks, often targeting midsized businesses that may not be able to recover from losses as easily as larger enterprises, he said. Further, high degrees of personalization and social engineering are also increasing success rates for attackers. "Simply put, regardless of the specific threat, the bad guys are getting smarter and following the money to deliver threats that have the greatest ROI."

And, what about threats to come? Wheeler said his team expected that "small will be the new big." Targeted, personalized attacks at scale will allow threat actors to successfully establish beachheads within a larger number of victim organizations while still flying below the radar of many defenses, he explained. "We also expect to see more turnkey tools like mobile attack kits or specialized exploit kits (such as DNSChanger EK) that attack IoT and vulnerable infrastructure devices as PC and mobile software vendors increase their security."