Cyber criminals go ‘corporate,’ employ new ‘marketing’ ploys
By Rodika Tollefson, Third Certainty
Business marketing intelligence, analytics and campaign optimization—once the stuff of effective marketing techniques—are increasingly becoming the tools of choice for cyber criminals.
No longer just equipped with technical sophistication, the bad guys are becoming experts at manipulating the human factor—often the weakest link in cyber crime.
Last year saw a move to more optimized, high-end corporate targeting, according to a report by Proofpoint, a security and compliance company that offers threat protection, incident response and other cloud-based security solutions.
In its Human Factor Report 2015, Proofpoint found that attackers are using new ways to psychologically exploit end users. They especially view middle management workers as the perfect target because those employees have valuable access and are easily distracted due to information overload.
“Humans are infinitely deceivable,” said Kevin Epstein, Proofpoint’s vice president of advanced security and governance. “We have moments of weakness. And we’re curious and fallible.”
In its previous report, Proofpoint found that a social media invitation with malicious links was the most popular attack vector. But as users became more educated about that type of threat, cyber criminals shifted tactics, according to the 2015 report.
The most popular email lures in 2014 were malicious attachments with a communication message (such as an eFax or voicemail) and corporate financial emails, such as ACH and wire-transfer fraud.
Proofpoint also found that cyber criminals are using popular websites and whitelisted communications, such as legitimate enewsletters, to send users to malware links, instead of embedding their own malicious URLs.
New methods of attack
“The attack chain several years ago was simple. Someone would compromise the server, send a blast of emails out, people would click on the email, and bad things would happen,” Epstein said.
Now, he said, the chain includes multiple layers, and filters and redirects through several compromised sites. Some of the techniques are not unlike the filtering system used by legitimate behavioral-based advertisements.
Proofpoint analyzed aggregated, anonymized data based on its customers’ actual clicks. It found that no matter how many or few malicious emails a company received, the average click rate was about the same, one in 25 emails.
A nearly 4 percent click rate—which would be the envy of any marketer—is stunning, Epstein said.
“The click rate is quite a scathing indictment of how effective their lures and tactics are. It’s impressive in a negative way,” he said.
The bad guys, of course, don’t have to play by the same rules as marketers. So they can make their lures more attractive.
But it’s obvious they’ve been studying the business habits of corporate managers. For example, they’ve adapted email distribution times to blend in with periods of high email activity, with Tuesday and Thursday mornings as the peak times.
They’ve also shifted to targeting corporate financial credentials, using a mix of both high-volume, longtail campaigns and more targeted attacks that have a lower click rate but higher yield.
Cash exfiltration is becoming more prominent, Proofpoint found. Epstein said that attackers used both a technical and social approach to go beyond simply harvesting credentials.
For example, they would install a keylogger on a manager’s computer and observe transaction protocol and account numbers, then access the account to authorize transfers. Or they would go a step further, getting control of an executive’s email accounts in order to authorize a transaction and ask the appropriate employee to perform it.
- Emails were optimized so users clicked sooner—96 percent of the clicks occurred by the end of the week; 66 percent occurred in the first 24 hours, compared to 39 percent in 2013.
- The use of attachments has increased significantly. Attackers returned to old tactics that users were defending against several years ago but are not as sensitized to now.
- Banking and finance companies received 41 percent more malicious messages, but all industries were targeted. Previously “uninteresting” sectors such as construction and manufacturing are now being targeted because of their intellectual property assets.
Epstein said that the biggest takeaway from the analysis is that every organization is going to be attacked.
“You need a layered, modern security defense system—the latest security gateway, targeted attack protection, and automated threat response—because everybody clicks,” he said.
He said that small and medium-size businesses often think they’re much less likely to be targeted than larger enterprises, but in reality they are more vulnerable.
“It’s worse for them because they don’t have the same degree of sophisticated protection,” he said.
Plus, he added, a big company may have more leverage to deal with a significant loss of cash due to a rogue transfer. But for SMBs, the loss of tens or hundreds of thousands of dollars could be devastating.
Epstein cautioned that people shouldn’t be paranoid, but should think of cybersecurity like living in a big city where crime is a part of life. You would take basic precautions like having modern locks on the door and avoiding certain parts of town after dark.
“If you live in a big city, you don’t leave the front door open,” he said. “Too many companies are effectively doing that.”