So, when a security investigative report named “The Human Factor 2016” comes out, the chances are pretty good we’ll want to take a closer look. The report, published by cybersecurity firm ProofPoint, brings into sharp focus all the weaknesses “the human factor” can entail.
Using reams of data collected from ProofPoint’s threat protection and security products, the report authors analyze just how much social engineering impacts cybersecurity.
Short answer: a lot.
The report authors call out social engineering as the number one attack vector for cyber attacks in 2015. Cyber attackers are evolving beyond intricate ways to break through a secure firewall or other technical safeguard. Instead, they’re going for the weak spot: the human.
“Attackers shifted away from automated exploits and instead engaged people to do the dirty work—infecting systems, stealing credentials, and transferring funds,” the authors write. “Across all vectors and in attacks of all sizes, threat actors used social engineering to trick people into doing things that once depended on malicious code.”
Can You Download this For Me?
ProofPoint discusses three main ways hackers compromise the human, rather than the machine, to gain access to sensitive data or outright siphon funds from bank accounts:
- Getting users to run malware for them
- Tricking users into handing over their credentials
- Spoofing company executives and ordering users to transfer company funds
The first tactic provided some of the more striking statistics in the entire report. According to ProofPoint’s own data, 99.7% of documents used in phishing campaigns relied on macros or other user-initiated tactics to do their dirty work. What’s more, 98% of bad links in phishy emails led to executable malware files, meaning attackers had to turn on the charm to get users to click.
Malicious document attachments topped email links as attackers’ favored method for 2015. Microsoft Word documents were the most popular vehicle for malware, though Excel spreadsheets became more popular as the year went on.
“The dominance of malicious documents attests to their effectiveness at getting users to click,” the report authors write.
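The macro statistic above has a straightforward defensive counterpart: an attachment gate that flags Office files carrying a VBA project before a user ever sees the "enable content" prompt. The Python below is an added example, not code from the ProofPoint report or from MediaPro. The sample .docm/.docx bytes are constructed inline, and the check covers only OOXML (zip-based) files; legacy binary .doc/.xls files need an OLE parser and are deliberately reported as unknown rather than clean.

```python
import io
import zipfile


def _build_ooxml(macro: bool) -> bytes:
    """Build a minimal, constructed OOXML document for testing (not a real file)."""
    buf = io.BytesIO()
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            # The VBA container is an OLE blob; only its presence matters here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed sample attachments.
SAMPLE_DOCM = _build_ooxml(macro=True)
SAMPLE_DOCX = _build_ooxml(macro=False)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def has_macros(data: bytes):
    """Return True if an OOXML file carries a VBA project, False if it does not,
    and None if the file is a legacy OLE document that this check cannot inspect."""
    if data.startswith(OLE_MAGIC):
        return None  # .doc/.xls: needs an OLE parser, do not assume clean
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            macro_enabled_ct = False
            for info in z.infolist():
                name = info.filename.lower()
                if name.endswith("vbaproject.bin"):
                    return True  # the VBA container itself is present
                if name == "[content_types].xml":
                    # Macro-enabled parts declare a macroEnabled content type.
                    macro_enabled_ct = b"macroenabled" in z.read(info).lower()
            return macro_enabled_ct
    except zipfile.BadZipFile:
        return False


def triage_attachments(attachments):
    """attachments: list of (filename, bytes). Returns [(filename, reason), ...]
    for every attachment a reviewer should look at before delivery."""
    flagged = []
    for name, data in attachments:
        verdict = has_macros(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if verdict is None:
            flagged.append((name, "legacy OLE document, macro state unknown"))
        elif verdict:
            reason = "VBA project present"
            if ext in ("docx", "xlsx", "pptx"):
                reason += " in a file whose extension claims no macros"
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for item in triage_attachments([("invoice.docm", SAMPLE_DOCM),
                                    ("report.docx", SAMPLE_DOCX)]):
        print(item)
```

The content-type check matters because some tooling strips or renames parts; checking both the VBA container and the declared content type catches either signal, and a macro-bearing file behind a `.docx` extension is surfaced as its own finding.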
Username and Password, Please
The second main attack method the report discusses is credential phishing, in which users are tricked into entering login information into a phony site. No malware needed; just an official-looking page asking for your email/username and password.
The researchers found that 74% of malicious links in email campaigns led to credential phishing pages. The most effective lures were links to fake file-sharing sites, such as Google Drive and Dropbox.
Another tool in the attacker’s credential-phishing toolbox? Fake social media pages. Phishing was found to be 10 times more common than direct links to malware in spam social media posts.
The most common tactic here was fake customer service phishing, in which hackers using spoofed Facebook or Twitter pages for major brands replied to users’ questions with requests for account login information. Unsurprisingly, fake bank customer service accounts were found to be particularly common.
“Social media gives attackers an edge—customers are usually initiating the contact and often need help with their account,” the authors write. “Social media enables them to craft a highly convincing phishing lure that the target expects to receive.”
Wire Transfer Now
The third attack method ProofPoint calls out is “CEO phishing,” or when hackers pose as company CEOs via email and ask their finance departments to transfer money to an outside account. Unlike the other two attack vectors ProofPoint discusses, CEO phishing campaigns are highly targeted affairs, going after one particular higher up in an organization.
“These attacks embrace a ‘blockbuster’ approach on the part of the attackers,” the authors write. “While many of these messages will be quickly recognized by recipients as phishing, the small few that succeed can yield millions of dollars in fraudulent transfers.”
Attacks like this are collectively known as “business email compromises” and mean big business for cyber attackers. According to an FBI alert released this month, 17,000 people fell victim to BEC scams between Oct. 2013 and Feb. 2016. This amounted to more than $2.3 billion in losses.
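The CEO-phishing pattern described above can be checked mechanically at the mail gateway, independent of whether the recipient recognizes it: a From display name that matches an executive but an address outside the company domain, a Reply-To that points somewhere other than the From domain, and a funds-transfer request arriving from an external sender. The Python below is an added example, not code from the ProofPoint report or from MediaPro; the company domain example.com, the executive directory, and both sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumed company domain and directory of protected executive names
# (constructed for this example).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRANSFER_WORDS = ("wire", "transfer", "payment", "invoice")

# Constructed sample messages, not real mail.
SAMPLE_BEC = "\n".join([
    'From: "Jane Doe" <jane.doe@example-mail.test>',
    "Reply-To: jane.doe.ceo@another-mail.test",
    "To: finance@example.com",
    "Subject: Urgent wire transfer",
    "",
    "Please process the wire today and confirm.",
])

SAMPLE_LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: finance@example.com",
    "Subject: Board deck for Thursday",
    "",
    "Draft attached for review.",
])


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str):
    """Return a list of human-readable indicators that a message looks like
    executive impersonation (business email compromise). Empty list = nothing found."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name matches a protected executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' matches an executive but address is {from_addr}")

    # 2. Replies would go to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. A funds-transfer request from outside the company.
    subject = msg.get("Subject", "").lower()
    if from_dom != INTERNAL_DOMAIN and any(w in subject for w in TRANSFER_WORDS):
        findings.append("external sender requests a funds transfer")

    return findings


if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or "no indicators")
```

None of these signals is proof on its own; a message that trips the executive-name check is best routed to a finance reviewer with the indicators attached, which also gives awareness training a concrete, real-looking sample to show.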
A Broader Cybersecurity Understanding
What stands out to us the most about this report is the variety of social engineering attacks seen in the wild. While phishing emails still seem to be the granddaddy of such attacks, the emergence of credential-collecting fake social media pages shows that employees have to be knowledgeable on multiple fronts when it comes to security awareness.
To this end, we were glad to see ProofPoint preach the benefits of training in one of their recommendations:
“To address the ‘human factor’ of attacks, make users aware of the latest social engineering and credential-phishing schemes through regular training,” the report authors write. “Done right, ‘phishing’ your own employees can also be a useful test of how effective your user-awareness efforts are.”
But awareness shouldn’t stop at simulated phishing attacks. Looking beyond the phish is vital for any cybersecurity awareness program.
As we’ve discussed before, falling victim to phishing attacks is likely a symptom of a larger organizational problem. Susceptibility to phishing can represent a fundamental misunderstanding of security best practices at an organization-wide level. If an employee falls for a phishy email or fake social media page asking for credentials, chances are security best practices are not top of mind.
While important, anti-phishing training should not be the sole topic of focus for any employee awareness program. A broader concept of security awareness must be advocated to truly safeguard the ever-vulnerable human factor in your organization.
Want to learn more about MediaPro’s comprehensive security awareness offerings, designed to expertly address the human factor? Contact us today to learn more.