Cybercriminals Attack Corporate Personnel
The 2015 Human Factor Report revealed that last year, cyberattackers “went corporate” by focusing on businesses rather than consumers, exploiting middle managers’ overload of information sharing, and trading off attack volume for sophistication.
Proofpoint, Inc., a security and compliance company in Sunnyvale, Calif., released the results of its second annual report detailing cybercriminals’ shifting social engineering tactics to corporate targets. The Proofpoint findings emphasize how human behavior, not simply system or software vulnerabilities, significantly impacts enterprise security, and details what defenses are necessary in a world where everyone clicks.
On select days in 2014, Proofpoint saw a 1,000% increase in messages with malicious attachments over the usual volume. The most popular email lures in 2014 included e-fax and voicemail notifications, and corporate and personal financial alerts.
“The human element is one of the most critical aspects of your security program, yet it's often the most neglected,” a December 2014 Forrester Research report titled “Reinvent Security Awareness to Engage the Human Firewall” read. “However, this is the problem: security technologies that are critical to protecting your environment are often rendered useless due to easily avoidable human factors.”
Yet many organizations still rely solely on legacy, gateway-only technologies for protection, rather than utilizing a layered defense strategy of blocking, detection and threat response technologies, which are focused on people rather than infrastructure.
The 2015 Human Factor Report revealed that on average, users click one of every 25 malicious messages delivered. No organization observed was able to eliminate clicking on malicious links.
Also, in 2014, managers effectively doubled their click rates compared to the previous year. Additionally, managers and staff clicked on links in malicious messages two times more frequently than executives did.
The report uncovered that sales, finance and procurement department personnel are the worst offenders for clicking on links in malicious messages – they click 50-80% more frequently than the average department personnel do.
In addition, organizations no longer have weeks or even days to find and stop malicious emails. Attackers are luring two out of three end-users into clicking on the first day, and by the end of the first week, 96% of all clicks have already occurred. In 2013, only 39% of bogus email clicking occurred in the first 24 hours; in 2014, that number increased to 66%.
The majority of malicious messages arrived during business hours, peaking on Tuesday and Thursday mornings. Tuesday is the most active day for clicking, with 17% more clicks than on the other weekdays.
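The figures above (click rate per delivered malicious message, which departments click more than average, how much of the clicking happens within the first day and first week, and which weekday is busiest) are the kind of metrics a defender can compute from their own mail-gateway and URL-click logs. The following is an added example, not code from Proofpoint or from the report; the event records are constructed for illustration and the departments, timestamps and function names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not Proofpoint's): one record per malicious message
# delivered to a user, as (department, delivered_at, clicked_at_or_None).
EVENTS = [
    ("sales",   "2014-05-06 09:12", "2014-05-06 09:30"),
    ("sales",   "2014-05-06 09:15", "2014-05-07 14:02"),   # clicked after ~29h
    ("sales",   "2014-05-08 10:00", None),
    ("finance", "2014-05-06 09:40", "2014-05-06 10:05"),
    ("finance", "2014-05-13 08:55", "2014-05-20 09:00"),   # just over 7 days later
    ("finance", "2014-05-13 09:00", None),
    ("hr",      "2014-05-06 11:00", None),
    ("hr",      "2014-05-08 11:30", None),
    ("hr",      "2014-05-08 11:45", "2014-05-08 12:00"),
    ("eng",     "2014-05-13 10:10", None),
    ("eng",     "2014-05-13 10:20", None),
    ("eng",     "2014-05-15 10:25", None),
]

FMT = "%Y-%m-%d %H:%M"


def parse_events(rows):
    """Turn the raw (dept, delivered, clicked) strings into datetimes."""
    out = []
    for dept, delivered, clicked in rows:
        d = datetime.strptime(delivered, FMT)
        c = datetime.strptime(clicked, FMT) if clicked else None
        out.append((dept, d, c))
    return out


def click_rate(events):
    """Fraction of delivered malicious messages that were clicked."""
    clicked = sum(1 for _, _, c in events if c is not None)
    return clicked / len(events)


def department_rates(events):
    """Per-department click rate."""
    delivered = Counter()
    clicked = Counter()
    for dept, _, c in events:
        delivered[dept] += 1
        if c is not None:
            clicked[dept] += 1
    return {dept: clicked[dept] / delivered[dept] for dept in delivered}


def relative_to_average(events):
    """Each department's click rate divided by the overall rate.
    A value of 1.5 means that department clicks 50% more often than average."""
    overall = click_rate(events)
    return {dept: rate / overall for dept, rate in department_rates(events).items()}


def clicks_within(events, window):
    """Fraction of all clicks that happened within `window` of delivery."""
    deltas = [c - d for _, d, c in events if c is not None]
    if not deltas:
        return 0.0
    return sum(1 for dt in deltas if dt <= window) / len(deltas)


def busiest_click_weekday(events):
    """Weekday name on which the most clicks occurred."""
    by_day = Counter(c.strftime("%A") for _, _, c in events if c is not None)
    return by_day.most_common(1)[0][0]


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("overall click rate: %.2f" % click_rate(ev))
    print("relative to average:", relative_to_average(ev))
    print("clicks within 24h: %.2f" % clicks_within(ev, timedelta(hours=24)))
    print("clicks within 7d:  %.2f" % clicks_within(ev, timedelta(days=7)))
    print("busiest weekday:", busiest_click_weekday(ev))
```

The 24-hour and 7-day windows mirror the report's first-day and first-week figures; the time-to-click distribution tells a response team how quickly a malicious message must be pulled from mailboxes before most of the clicking has already happened.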
The use of social media invitation lures, which were the most popular and effective type of email bait in 2013, decreased by 94% in 2014. Email lures that employ attachments rather than URLs, such as message notification and corporate financial alerts, increased significantly as a vector.
"The Human Factor research validates the critical value of threat information – and provides insight into how, when and where attacks are taking place," Kevin Epstein, Proofpoint's vice president of advanced security and governance, said. "The only effective defense is a layered defense, a defense that acknowledges and plans for the fact that some threats will penetrate the perimeter."
In April, IBM revealed a sophisticated bank funds transfer scheme that uses a mixture of phishing, malware and phone calls to appropriate large sums of money from U.S. companies. According to IBM, the attackers have been targeting people working in companies since last year by sending spam email with unsafe attachments in order to inject a variation of Dyre malware into as many computers as possible.