Cyber criminals go ‘corporate,’ employ new ‘marketing’ ploys


By Rodi­ka Tollef­son, Third Certainty

Busi­ness mar­ket­ing intel­li­gence, ana­lyt­ics and cam­paign optimization—once the stuff of effec­tive mar­ket­ing techniques—are increas­ing­ly becom­ing the tools of choice for cyber criminals.

No longer just equipped with tech­ni­cal sophis­ti­ca­tion, the bad guys are becom­ing experts at manip­u­lat­ing the human factor—often the weak­est link in cyber crime.

Last year saw a move to more opti­mized, high-end cor­po­rate tar­get­ing, accord­ing to a report by Proof­point, a secu­ri­ty and com­pli­ance com­pa­ny that offers threat pro­tec­tion, inci­dent response and oth­er cloud-based secu­ri­ty solutions.

In its Human Fac­tor Report 2015, Proof­point found that attack­ers are using new ways to psy­cho­log­i­cal­ly exploit end users. They espe­cial­ly view mid­dle man­age­ment work­ers as the per­fect tar­get because those employ­ees have valu­able access and are eas­i­ly dis­tract­ed due to infor­ma­tion overload.


“Humans are infinitely deceivable,” said Kevin Epstein, Proofpoint’s vice president of advanced security and governance. “We have moments of weakness. And we’re curious and fallible.”

In its pre­vi­ous report, Proof­point found that a social media invi­ta­tion with mali­cious links was the most-pop­u­lar attack vec­tor. But as users became more edu­cat­ed about that type of threat, cyber crim­i­nals have shift­ed tac­tics, accord­ing to the 2015 report.

The most pop­u­lar email lures in 2014 were mali­cious attach­ments with a com­mu­ni­ca­tion mes­sage (such as an eFax or voice­mail) and cor­po­rate finan­cial emails, such as ACH and wire-trans­fer fraud.

Proof­point also found that cyber crim­i­nals are using pop­u­lar web­sites and whitelist­ed com­mu­ni­ca­tions, such as legit­i­mate enewslet­ters, to send users to mal­ware links, instead of embed­ding their own mali­cious URLs.

New meth­ods of attack

“The attack chain several years ago was simple. Someone would compromise the server, send a blast of emails out, people would click on the email, and bad things would happen,” Epstein said.

Now, he said, the chain includes mul­ti­ple lay­ers, and fil­ters and redi­rects through sev­er­al com­pro­mised sites. Some of the tech­niques are not unlike the fil­ter­ing sys­tem used by legit­i­mate behav­ioral-based advertisements.

Proof­point ana­lyzed aggre­gat­ed, anonymized data based on its cus­tomers’ actu­al clicks. It found that no mat­ter how many or few mali­cious emails a com­pa­ny received, the aver­age click rate was about the same, one in 25 emails.


A near­ly 4 per­cent click rate—which would be the envy of any marketer—is stun­ning, Epstein said.

“The click rate is quite a scathing indictment of how effective their lures and tactics are. It’s impressive in a negative way,” he said.

The bad guys, of course, don’t have to play by the same rules as mar­keters. So they can make their lures more attractive.

But it’s obvi­ous they’ve been study­ing the busi­ness habits of cor­po­rate man­agers. For exam­ple, they’ve adapt­ed email dis­tri­b­u­tion times to blend in with peri­ods of high email activ­i­ty, with Tues­day and Thurs­day morn­ings as the peak times.

They’ve also shift­ed to tar­get­ing cor­po­rate finan­cial cre­den­tials, using a mix of both high-vol­ume, long­tail cam­paigns and more tar­get­ed attacks that have a low­er click rate but high­er yield.

Cash exfil­tra­tion is becom­ing more promi­nent, Proof­point found. Epstein said that attack­ers used both a tech­ni­cal and social approach to go beyond sim­ply har­vest­ing credentials.

For example, they would install a keylogger on a manager’s computer and observe transaction protocols and account numbers, then access the account to authorize transfers. Or they would go a step further, getting control of an executive’s email accounts in order to authorize a transaction and ask the appropriate employee to perform it.

Oth­er findings:

  • Emails were opti­mized so users clicked sooner—96 per­cent of the clicks occurred by the end of the week; 66 per­cent occurred in the first 24 hours, com­pared to 39 per­cent in 2013.
  • The use of attach­ments has increased sig­nif­i­cant­ly. Attack­ers returned to old tac­tics that users were defend­ing against sev­er­al years ago but are not as sen­si­tized to now.
  • Bank­ing and finance com­pa­nies received 41 per­cent more mali­cious mes­sages, but all indus­tries were tar­get­ed. Pre­vi­ous­ly “unin­ter­est­ing” sec­tors such as con­struc­tion and man­u­fac­tur­ing are now being tar­get­ed because of their intel­lec­tu­al prop­er­ty assets.

Epstein said that the biggest take­away from the analy­sis is that every orga­ni­za­tion is going to be attacked.

“You need a layered, modern security defense system—the latest security gateway, targeted attack protection, and automated threat response—because everybody clicks,” he said.

He said that small and medi­um-size busi­ness­es often think they’re much less like­ly to be tar­get­ed than larg­er enter­pris­es, but in real­i­ty they are more vulnerable.

“It’s worse for them because they don’t have the same degree of sophisticated protection,” he said.

Plus, he added, a big com­pa­ny may have more lever­age to deal with a sig­nif­i­cant loss of cash due to a rogue trans­fer. But for SMBs, the loss of tens or hun­dreds of thou­sands of dol­lars could be devastating.

Epstein cau­tioned that peo­ple shouldn’t be para­noid, but should think of cyber­se­cu­ri­ty like liv­ing in a big city where crime is a part of life. You would take basic pre­cau­tions like hav­ing mod­ern locks on the door and avoid­ing cer­tain parts of town after dark.

“If you live in a big city, you don’t leave the front door open,” he said. “Too many companies are effectively doing that.”
