Proofpoint’s fourth annual Human Factor report

The headline story of the 2016 threat landscape was the explosive growth of ransomware and the massive email campaigns that delivered it to organisations of all sizes around the world. These attacks added up to billions of dollars in direct financial losses.

Cyber criminals relied less on automated attacks and exploits, shifting instead to social engineering. The change increased the impact and effectiveness of these campaigns. From email to software as a service, from social media to mobile apps, cyber criminals carried out social engineering at scale. They combined sophisticated, targeted lures and persuasive tricks with broad distribution. They employed new and improved techniques.

The tactics worked. Attackers tricked people into installing malware, handing over their credentials, disclosing sensitive information and transferring funds.

Key Findings

Highly personalised, targeted email campaigns focus on exploiting people, not just their technology.

Spear-phishing email campaigns, which target specific people rather than indiscriminately seeking victims, were automated to operate at scale. Despite their large numbers, many included multiple personal details specific to the targeted recipient. Social engineering campaigns used documents with malicious macros and other techniques that tricked users into installing malware.

Recommendation: Deploy solutions that can detect and block sophisticated phishing messages before they reach the intended targets.

Mobile threats eschew exploits and use fraudulent mobile apps and next-generation SMS phishing to target customers of major banks and other consumer brands.

Attackers mimicked trusted brands, published apps with misleading names, and employed other ruses to convince users to download malware on their mobile devices. Users willingly downloaded and installed fraudulent apps that steal personal information and in some cases can take full control of mobile devices. SMS phishing, in which attackers use text messages to trick users into providing login credentials and other sensitive information, also increased. This trend reflects attackers’ growing efforts to target users on devices they use the most, circumventing established network- and PC-based defences.

Recommendation: Adopt and deploy mobile security solutions that work for company and employee-owned devices. These solutions should be able to detect and stop next-generation SMS phishing attacks; detect, track, and block user clicks; and detect the presence of fraudulent, risky, and malicious apps on smartphones and tablets. At the same time, banks, telecom companies, retailers, and other organisations should adopt solutions that enable them to detect apps that misuse their brand to target their customers for theft, fraud, and other forms of abuse.

Phishing via fraudulent social media support accounts increased 150% in 2016.

“Angler phishing” attacked customers of banks, social media, and other services using targeted responses to customer posts on brands’ legitimate social media channels. Angler phishing is a term we use to describe attacks in which the attacker creates a lookalike social-media account posing as the customer-service account of a trusted brand. When someone tweets to a company looking for help, the attacker swoops in. Victims are often directed to realistic-looking landing pages and tricked into handing over their account credentials.

Recommendation: Protect your brand reputation and customers. Fight attacks targeting your customers over social media, email, and mobile, especially fraudulent accounts that piggyback on your brand. Look for a robust social media security solution that scans all social networks and reports fraudulent activity…
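The angler-phishing pattern described above (a lookalike account posing as a brand's customer-service handle and replying to customers on the brand's own channel) is exactly what a brand-protection scan has to catch. The following is an added example, not Proofpoint's code or anything from the report: it classifies handles seen replying under a customer post as verified, lookalike or unrelated, folding case, separators, accents and common digit-for-letter substitutions before comparing against the brand's genuine handles. The brand root `examplebank`, the verified handles, the support-word list and the sample replies are all constructed for this illustration; the same normalisation step applies to the misleading app names discussed in the mobile section.

```python
"""Flag social-media handles that imitate a brand's customer-service account.

Added illustration (not Proofpoint's code). The brand root, verified handles,
support words and sample replies below are constructed for the example.
"""
import re
import unicodedata
from difflib import SequenceMatcher

BRAND = "examplebank"                              # constructed brand root
VERIFIED = {"examplebank", "examplebank_help"}     # constructed genuine handles

# Words attackers bolt onto a brand name to look like a help desk.
SUPPORT_WORDS = ("help", "support", "care", "assist", "service", "team", "desk")

# Digit/symbol substitutions commonly used to build lookalike handles.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "$": "s", "@": "a"})


def normalize(handle: str) -> str:
    """Lowercase, drop the leading @, fold accents and confusables, and strip
    separators, so '@Examp1e_Bank.' becomes 'examplebank'."""
    h = handle.strip().lstrip("@")
    h = unicodedata.normalize("NFKD", h)
    h = "".join(c for c in h if not unicodedata.combining(c))
    h = h.lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", h)


def classify(handle: str, threshold: float = 0.8) -> str:
    """Return 'verified', 'lookalike' or 'unrelated' for one handle."""
    raw = handle.strip().lstrip("@").lower()
    if raw in VERIFIED:
        return "verified"
    norm = normalize(handle)
    verified_norm = {normalize(v) for v in VERIFIED}
    # 1. Differs from a genuine handle only by case, separators or confusables.
    if norm in verified_norm:
        return "lookalike"
    # 2. Close edit-distance match (typo-squat such as 'ExampleBnk_Help').
    if any(SequenceMatcher(None, norm, v).ratio() >= threshold for v in verified_norm):
        return "lookalike"
    # 3. Brand root combined with a help-desk word ('Example_Bank_Support').
    if BRAND in norm and any(w in norm for w in SUPPORT_WORDS):
        return "lookalike"
    return "unrelated"


# Constructed sample: handles replying under a customer's complaint on the
# brand's channel. The second and third are the kind of account angler
# phishing uses; their messages push the customer toward an off-platform link.
SAMPLE_REPLIES = [
    ("@ExampleBank", "Sorry to hear that. Please DM us and we will look into it."),
    ("@Examp1eBank", "Hi! Verify your account here to fix this: [link]"),
    ("@Example_Bank_Support", "We can resolve this now, just log in at [link]"),
    ("@JaneDoe42", "Same thing happened to me last week."),
]


def flag_lookalikes(replies):
    """Return the handles in a reply stream that classify as lookalikes."""
    return [handle for handle, _ in replies if classify(handle) == "lookalike"]


if __name__ == "__main__":
    for handle, text in SAMPLE_REPLIES:
        print(f"{classify(handle):10} {handle:24} {text}")
```

The three checks are ordered from cheapest and most certain to most heuristic: an exact normalised collision is unambiguous, a high similarity ratio catches single-character typo-squats, and the brand-plus-support-word rule catches handles that are too long for the ratio test but still trade on the brand. In practice the verified set would come from the brand's own registry of official accounts, and flagged handles would be queued for takedown requests rather than acted on automatically.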
