Life imitated art in 2015 as real-world cyber criminals every day applied the mantra of the anti-hero hacker of the cable TV series Mr. Robot: “People make the best exploits.” Social engineering became the No. 1 attack technique as attackers shifted away from automated exploits and instead engaged people to do the dirty work—infecting systems, stealing credentials, and transferring funds. Across all vectors and in attacks of all sizes, threat actors used social engineering to trick people into doing things that once depended on malicious code.
Attackers used people in three progressively controlling ways:
- Running attackers’ code for them: These attacks comprised mainly high-volume campaigns distributed to broad groups of users. They used a variety of ruses to evade technical detection and convinced people to disable or ignore security, click links, open documents, or download files that installed malware on laptops, tablets, and smart phones.
- Handing over credentials to them: These attacks appeared frequently in medium-volume campaigns. They targeted key people who had valued credentials, such as usernames and passwords to crucial systems or useful services, tricking them into turning over their “keys to the castle.”
- Directly working for them, transferring funds to them: These attacks were narrow and highly targeted. They aimed for users with the right job duties and the ability to act directly on behalf of attackers. These users, thinking they were following orders from higher-ups, most often made wire transfers to fraudulent bank accounts.
These attacks differed in scale and volume, but they all shared one common thread: using social engineering to persuade people to do the work of malware—and deliver big dividends for the attackers.
The Proofpoint Human Factor Report 2016 presents original field research using data gathered by Proofpoint products deployed in customer settings around the world. It covers the latest trends in the top vectors for targeting people: email, social media, and mobile apps. Key findings from The Human Factor 2016 report include:
- Attackers infected computers by tricking people into doing it themselves rather than using automated exploit technology. More than 99 percent of all documents used in attachment-based malicious email campaigns relied on human interaction. However, ransomware was very popular in 2015 exploit kit campaigns and has continued its reign in 2016.
- Banking Trojans were the most popular type of malicious document payload in email campaigns. Dridex message volume was almost 10 times greater than the next most-used payload. The documents themselves used malicious macros extensively and relied on social engineering to trick the user into running malicious code.
- Hackers served phishing emails for breakfast and social media spam for lunch. Cybercriminals timed attacks to ensure optimum distraction. For example, Tuesday mornings between 9 and 10 a.m. were the most popular for phishing campaigns, and social media spam hit a high in the afternoon.
- Social media phishing scams are 10 times more common than social media malware. Fraudulent social media accounts, pretending to represent known brands, spiked last year. Forty percent of Facebook accounts and 20 percent of Twitter accounts, claiming to represent a global 100 brand, were unauthorized.
- Dangerous mobile apps from rogue marketplaces affect forty percent of enterprises. Users who download apps from rogue marketplaces – and bypass multiple security warnings in the process – are four times more likely to download a malicious app. These apps steal personal information, passwords, and data.
- People willingly downloaded more than two billion mobile apps that steal personal data. Proofpoint discovered more than 12,000 malicious mobile apps in authorized Android app stores. Many were capable of stealing information, creating backdoors and other nefarious functions.
The Human Factor reveals not just who is clicking what, but how threat actors are using social engineering to get people to perform the work of automated exploits. As the data make clear, the weakest link in security is all of us. To download a copy of The Human Factor Report 2016, please visit www.proofpoint.com/human-factor-2016.