Proofpoint Threat Report: Banking Trojans dominate the malware landscape in the first months of 2018

Share with your network!


The first months of 2018 were marked by increasing diversity in the threat landscape even as ransomware stopped appearing in the massive campaigns that characterized much of 2016 and 2017. Without the disproportionately large ransomware campaigns of the last two years, banking Trojans, information stealers, downloaders, remote access Trojans (RATS), and more filled the void in the email space. Social engineering was pervasive, with email fraud attacks continuing to grow and evolve while the vast majority of web-based threats included social engineering techniques as well. Social media support fraud, also known as “angler phishing,” exploded, even as social platforms doubled down on efforts to algorithmically stop link spam.

Among the key takeways from Proofpoint’s Q1 Threat Report:


For the first time since Q2 2016, banking Trojans displaced ransomware as the top malware in email, accounting for almost 59% of all malicious email payloads in Q1. Emotet was the most widely distributed banking Trojan, accounting for 57% of all bankers and 33% of all malicious payloads. The bulk of the remaining malicious payloads included credential stealers and downloaders, comprising 19% and 18% of malicious email, respectively.

Relative distribution of malicious payloads, Q1 2018

Figure 1: Relative distribution of malicious payloads, Q1 2018

Email fraud increased globally, with more organizations receiving more attacks. 40% of organizations targeted by email fraud received between 10 and 50 attacks in Q1 2018 while the number of companies receiving more than 50 attacks rose 20% compared to the last quarter of 2017.

Exploit Kits and Web-Based Attacks

Exploit kit (EK) traffic continued to decline, falling 71% from the previous quarter. However, where EKs once dominated, roughly 95% of web-based attacks now redirect into social engineering schemes instead.

Social Media

Social media support fraud, or “angler phishing,” exploded in Q1 2018, increasing 200% from the previous quarter (Figure 2).

Increased support fraud, aka 'angler phishing,' incidence since July 2016

Figure 2: Increased support fraud, aka “angler phishing,” incidence since July 2016

Beyond fraud and spam, social media remained a breeding ground for other types of criminal activity. 84% of Fortune 500 CEOs were victims of threats and hate speech on Twitter and the dark web in February 2018.

Proofpoint Recommendations

The Q1 Threat Report provides insight into the shifting threat landscape that can inform your cybersecurity strategy. Here are our top recommendations for how you can protect your company and brand in the coming months:

Assume  users  will  click.  Social  engineering  is  increasingly  the  most  popular  way  to  launch email attacks, and criminals continue to find new ways to exploit the human factor. Leverage a solution that identifies and quarantines both inbound email threats targeting employees and outbound threats targeting customers before they reach the inbox.

Build a robust email fraud defense. Highly targeted, low-volume email fraud attacks often have no payload at all and are thus difficult to detect. Preventing email fraud requires a multilayered solution that includes email authentication and domain discovery, as well as dynamic classification that can analyze the content and context of emails, stopping display-name and lookalike-domain spoofing at the email gateway.

Protect your brand reputation and customers. Fight attacks targeting your customers over social media, email, and mobile—especially fraudulent accounts that piggyback on your brand. Look for a comprehensive social media security solution that scans all social networks and reports fraudulent activity.


For more information, download the complete Q1 2018 Threat Report.