Hackers went old school during the first half of 2015, resurrecting the use of malicious attachments and also began targeting businesses with a new stream of phishing attacks, according to Proofpoint's first half threat report.
Proofpoint researchers said that malicious attachments have become the go-to method for hackers as they pulled away from the URL-based campaigns that were preferred in 2014. The majority of the messages were mainly Microsoft Word documents bearing malicious macros delivered by the Dridex botnet.
"In 2015, at times the volume of emails with malicious attachments has ranged as high as 4x-5x emails with malicious URLs, while overall malicious email has periodically spiked as high as 30-40 percent of all unsolicited email,” said Kevin Epstein, Proofpoint's vice president of threat operations, in an email to SCMagazine.com today.
While Proofpoint thought it was odd that criminals opted for an older form of attack, the report pointed out several strong reasons they made the switch. Primarily, malicious attachments avoid traditional defenses, are cheap to set up and operate, can't be patched and can leverage human fallibility.
Epstein noted, though, that technology can be used to counter the human urge to just open an attachment.
“Modern systems go beyond the gateway, both preemptively (pre-gateway) and retroactively (post-gateway). Preemptively, modern systems are able to examine patterns in incoming email, and isolate attachments for deeper analysis in virtual environments before end-users have an opportunity to click,” he said.
The other major change seen by Proofpoint was the full implementation of business-targeted phishing campaigns, which was first noticed rising late in 2014, but blossomed during the first half of this year and continues to rise. The company noted that the number of phishing attempts had doubled between January and June of this year, while URL-type attacks were at about two-thirds of that level.
The schemes had three general themes - using social media by asking for invitations and connection requests; account warnings where the recipient would be told that low balance or account updates were needed; and order confirmation messages.
LinkedIn became a favorite avenue of approach with fake requests using it twice as often as other social media sites.
Leveraging the human weak point in a company's defenses meant the organization needed to work on its retroactive response.
“Spending should be directed towards modern technologies, which assume clicks will happen, and implement defensive targeted attack protection and threat response systems accordingly,” Epstein said.