With the first six months of 2015 behind us and unsolicited email volume data for the first half of the year available in the Threat Report for June 2015, this is a good opportunity to see what the data and threats of the year-to-date can tell us about the evolving threat landscape.
Cybersecurity and data breaches have continued to dominate the press: the high-profile breach at the Office of Personnel Management (OPM) exposed extensive personal data of up to 21 million individuals but it was hardly the only one, as banks, retailers, insurance companies and a variety of other public and private organizations. While cybercrime remains the prevalent driver for many of these, state actors are widely suspected behind some
At the same time, exploits and tools have also been very visible: in addition to the usual parade of new patched vulnerabilities and zero-day exploits, the first half of the year saw rapid changes in the exploit kit (EK) landscape, as the Angler EK and then others included zero-day exploits, demonstrating the increasing sophistication and value-add of EK’s as part of a cybercrime infrastructure.
Several of the trends we described in the Proofpoint cybersecurity predictions for 2015 have developed as expected, from the targeting of PII by presumed state actors (OPM) and the advancement of Federal cybersecurity legislation (in addition to executive orders), to the continued growth of malvertising and ransomware. Social media threats and legislation have yet to make the same impact in 2015, but trends in social media activity show that threat actors and legislators alike are discovering this vector and will focus more on it during the second half of 2015.
Reviewing the first six months of 2015, four main trends emerge:
Shift to attachment-based campaigns
Change in phishing techniques target business users
Social media increasing as a source of brand and compliance risk
Continued decrease in the overall volume of unsolicited messages
Shift to attachment-based campaigns
The most striking development of the first six months of 2015 was a massive shift of threat activity from the URL-based campaigns that had dominated 2014, to campaigns that relied on malicious document attachments to deliver malware payloads. (Fig. 5)
Figure 5: Frequency of threats by volume, URLs vs attachments, January-June 2015
As the chart shows, malicious attachments have dominated the campaigns of 2015 to date, driven by the massive volumes of attachments and messages delivered by the Dridex campaigners as well as other botnets. First emerging in late October 2014, this trend was in full force by the beginning of the 2015 and represented a major change in the threat landscape. The attachments were predominantly Microsoft Word documents bearing malicious macros that required user interaction in order to execute. (Fig. 6)
Figure 64: Example of document attachment with malicious macro
By combining a variety of obfuscation techniques with document templates that entice the end-user to enable the malicious macro, these campaigns applied social engineering to high-volume threats that were very successful at avoiding detection by antivirus solutions.
Proofpoint researchers detected and analyzed these campaigns from their early days, and the Proofpoint Threat Insight blog captured our findings and chronicled the evolution of these campaigns as the more actors joined in and the techniques increased in sophistication and reach.
January: Massive surge of document attachments carrying malicious macros designed to deliver the Dridex banking Trojan.
February: Malicious macro document campaign dropping a new Dridex botnet shows an actor in the process of defining tools and techniques for future campaigns.
March: Malicious macros add features designed to evade analysis in automated malware sandboxes.
May: Addition of success-tracking features being by some malicious macro developers shows the increasing maturity of this technique.
June: Malicious document campaigns add MIME/OLE formats and focus on European targets, hitting France with particularly ferocity by the end of June.
One question that arose from the earliest days of these campaigns had to do with why cybercriminals would resurrect a masking technique that largely vanished from the threat landscape in 2006. To answer this question, Proofpoint researchers combined technical analysis of malware samples with research on the actors themselves through underground forums frequented by Russian cybercriminals and determined that, from a cost perspective, malicious macros deliver the most ‘bang for the buck’ because they combine lower up-front and maintenance costs with higher effectiveness to create a ‘killer app’ for cybercriminals. Technical analysis and threat intelligence allow us to identify the cause behind the explosive return of malicious macros as an exploit technique featuring daily in massive campaigns:
Highly successful at evading not only traditional signature- and reputation-based defenses, but also newer behavioral sandboxes
Able to be frequently updated easily and at low cost
Cross-platform and “unpatchable,” because it is not limited by vulnerabilities on a specific operating system or application version
Reliance on end-user interaction leverages “the human factor” to bypass automated defenses
Low up-front and maintenance costs increase return on investment (ROI)
Combined in a single solution, it is no surprise that malicious macro attachment campaigns have grown so rapidly in both size and frequency, and we can expect that they will only begin to subside when this equation changes and either their cost increases or effectiveness decreases to the point that they can no longer deliver the same ROI. The complete report was published in June and is available from:
And what of the extensive cybercrime infrastructure erected to support the URL-based campaigns that had been so prevalent in 2013 and 2014? It still exists and is arguably more extensive and effective, but it relies much less on high-volume unsolicited email campaigns to draw in users. Instead, Proofpoint and other researchers have observed Angler, RIG, Magnitude and other exploit kits behind compromised web servers and infected ad networks (i.e., malvertising), leveraging known and zero-day vulnerabilities to deliver primarily CryptoWall and other varieties of ransomware. In late June, Proofpoint researchers detected Sundown, a relatively new EK, dropping an unusual remote access Trojan (RAT), demonstrating that the market for these capabilities remains strong enough to draw new EKs into the market despite increased pressure from law enforcement and seeming dominance of a small number of higher-profile EKs. As new exploit kits attempt to establish a foothold, expect attackers to look for novel ways to leverage the flexibility and power of this piece of the cybercriminal’s toolkit.
Phishing techniques change to target business users
In April, Proofpoint published the second edition of our Human Factor research report, which identified and analyzed the other major trend in the threat landscape of 2015 to date: a shift by cybercriminals to targeting business users. This change began over the latter half of 2014, and in the first six months of 2015 was visible in every aspect of the unsolicited email campaigns attackers launched, from the users they targeted and the times they sent the messages to the delivery techniques.
This shift was perhaps nowhere more apparent than in the message templates attackers used in 2014, and a year-over-year comparison highlights the new focus on business users. The Human Factor report for 2014 described the most commonly used phishing lures in the previous year:
Social network communication, such as invitations and connection requests.
Financial account warnings, such as balance and transaction notices, account status updates, etc
Order confirmation messages
Of these templates, fake LinkedIn connection requests had been the dominant favorite, outnumbering other social media phishing lure templates by 2-to-1. Data into the first half of 2015 show that attackers didn’t just shift from these lures, they almost ran from them, resulting in a 94% decrease in the use of social media invitation lures.
In their place, attackers pivoted rapidly to communication notification templates, and corporate and personal financial communication lures. The communication message took a variety of forms, with voicemail and fax notifications being the most common. (Fig. 7)
Figure 7: Example of email voice message notification phishing template
This shift to more business-themed phishing lures was also visible in the corporate financial message templates, which focused more on wire transfer, purchase orders, and business-type transactions than on simple personal account status updates. (Figs. 8-9)
Figure 8: Example of corporate financial notification phishing template
Figure 9: Example of corporate financial notification phishing template
The corporate financial phishing templates also included targeted wire transfer or ACH phish sent to a specific user and with a spoofed “From” line that included the name an executive from the recipient’s company, often the CFO or CEO. These messages sometimes even had no links or attachments; combined with their relatively low volume this made them effective at evading defenses. In general, they had the lowest click rate of the top phishing templates, but conversely often delivered the biggest returns, as the numerous reports in 2014 of losses from fraudulent transfers demonstrated.
The most commonly used phishing templates in 2014 were also the most clicked. (Fig. 10)
Figure 10: Most clicked phishing lures in 2014
This rapid shift is another example of threat actors’ ability to rapidly adjust to changing defenses and new target opportunities, whether it is to target new countries or different user roles within organizations. Attackers continually adjust their techniques to adapt to changing defenses, whether such defenses are technical or psychological. While an important tool, user education cannot be the last line of defense: organizations should deploy automated defenses capable of detecting and blocking threats that do not look or behave like previously known threats.
The complete The Human Factor for 2015, including additional analysis and recommendations, is available at:
Social Media Attackers Target Largest Audiences
During the first six months of 2016, Proofpoint Nexgate social media security researchers found that the efficiencies gained in distributing malicious content via social media continue to make it an attractive channel for hackers and scammers. A single phishing lure, malware link or spam message posted to a high profile corporate social media destination may be viewed by ten thousand or more potential victims.
To reach the largest possible audiences, attackers often target branded social media destinations linked to high-profile current events. During the first half of this year we analyzed branded social media destinations linked to several such events including the NFL Playoffs/Super Bowl, Valentine’s Day, and March Madness. In each case Proofpoint researchers detected malicious content customized specifically for delivery to the massive audiences drawn to these events. The Super Bowl offered a representative example: the NFL team with the largest audience, the Dallas Cowboys, exhibited 192 security incidents (malware, phishing, scams, etc.) during our research window – more than any other team. In the case of a malware lure posted to an NFL Facebook page, social media provides context that allows the attacker to engineer lures designed for the specific interests of the audience, such as professional football. (Fig. 11)
Figure 11: Social media post with malicious link
In this example, the link leads to a classic malware download prompt disguised as a Flash Player update. (Fig. 12)
Figure 12: Fake software update that installs malware
These social media security trends were not limited to North America and North American sporting events: social media is a massive international phenomenon, and during the first half of this year we looked at how corporate social media threats in the United Kingdom (UK) compare to social media threats in the United States (US). What we found was somewhat surprising: top UK brands were 20% more active in social, exhibited twice as many unauthorized accounts, and suffered from 60% more spam than top US brands. To learn more and see a few examples of fake accounts, malware lures, and spam plaguing UK brands check out the full post.
Proofpoint findings on these trends in social media security enables us to highlight several key takeaways:
- Success in social media is a double-edged sword. Success in social media means larger audiences which translate to range of powerful benefits for the business. On the other hand, success also translates to greater risk - not only because attackers are attracted to larger audiences, but because more is on the line. When a successful social media property is attacked, a vital link with customers risks being damaged or denied.
- Social Media Security Threats are an international Phenomenon. It appears from our comparisons of UK and US branded social media properties that security is no less a concern internationally than it is in the US.
- Brands Committed to Social Need to Manage Risk. If your brand is committed to leveraging social media as primary communication channel, it’s important to manage the risk (per points 1-2 above). Best practices controls are emerging to prevent hacks, filter malicious content, and ensure compliance.
With these lessons and the right tools, organizations will be well-positioned to identify and respond to social media threats, especially as they follow a path that brings them closer to an intersection point with the tools and techniques of phishing and other ‘traditional’ cybersecurity threats.
Decreasing overall volume of unsolicited messages
In the Proofpoint 2014 Threat Report we observed that the overall the volume of unsolicited messages decreased in 2014 compared to the previous year, driven down in part by the several high-profile botnet takedowns. (Fig. 1)
Figure 1: Indexed daily unsolicited email message volume, January-December 2014
As we noted in our 2014 Threat Report, the 2014 net decrease in message volume seems counterintuitive in light of the number and severity of data breaches and compromises that were made public in the second half of 2014; however, what was lost in volume was more than made up for in maliciousness. This is represented not only by the increasing use of ransomware and other cyberextortion techniques, but also by the fact that an ever-greater portion of malware delivered by unsolicited email are able to evade detection by antivirus solutions.
The first six months of 2015 have seen a continuation of this downward trend, with average daily volumes reaching levels not seen since 2012. (Fig. 2)
Figure 2: Indexed daily unsolicited email message volume, January-June 2015
Despite occasional spikes and a short-lived increase during the month of March, median daily volume of unsolicited messages dropped over 30% during from January to June 2015. As daily volume drops, the portion of URLs that are malicious in these messages remained fairly consistent through the first half of the year, consistently ranging from 10% to 20% of URLs in unsolicited emails.
And who was sending these messages? Looking back at the December 2013 Proofpoint Threat Report, we see that the top-five countries sending unsolicited email were very consistent over the second half of the year. (Fig. 3)
Figure 3: Top-5 sending countries, unsolicited email, January-December 2014
As in 2014, the volume from each country as a percentage of total unsolicited email was relatively constant, with the EU consistently accounting for around 15% of total unsolicited email, and the others accounting for single-digit percentages except for brief. This picture changed somewhat when compared to 2014. (Fig. 4)
Figure 4: Top-5 sending countries, unsolicited email, January-June 2015
The first half of 2015 finished with Germany and Spain atop the charts of sending countries within the EU; below them the rankings tend to fluctuate as the relative differences are small between other sending countries in the EU.
In short, the volume of unsolicited email continues its downward trend, with no significant changes to source countries. Conversely, more of these messages appear to be malicious in nature, with attackers making greater use of smaller campaigns with more malicious payloads, as highlighted by the shift to attachment-based campaigns.
To combat these trends as well as new threats, Proofpoint recommends that organizations:
- Adopt advanced threat solutions that utilize dynamic malware analysis and predictive analysis and can detect and stop the new generations of sophisticated threats that are able to easily evade traditional signature- and reputation-based defenses
- Automate your threat response in order to reduce the time from detection to containment: Modern threats are more destructive, fast-acting and numerous than most organizations expect, and it is essential to be able to rapidly identify genuine, actionable incidents and respond quickly.
- Incorporate robust, comprehensive threat intelligence into your digital forensics and incident response (DFIR) tools and processes in order to more quickly and accurately trace incidents and discrete events to actors and campaigns. Do so provides more accurate information about IOCs for verification as well as measures for identifying and blocking similar campaigns in the future.
- Integrate security, content enforcement (encryption, DLP, etc) and archiving for email and social media in order to protect the two most valuable communication channels in every organization, and to defend the most-used and most-effective attack vector for cybercriminals and state-sponsored actors.