While modern cyber threats can take different forms and delivery methods, email continues to be one of the primary approaches cyber attackers are using to exploit organizations, according to multiple research reports released in May 2019.
In this monthly roundup, eSecurity Planet summarizes findings from seven different research reports — and the key lessons that enterprises can learn to protect themselves against current and emerging security risks.
- Mimecast – State of Email Security
- Proofpoint – Q1 2019 Threat Report
- Rapid7 – Quarterly Threat Report: Q1 2019
- Risk Based Security – Q1 2019 Data Breach Report
- RSA – Quarterly Fraud Report
- Vade Secure – Phishers’ Favorites
- White Ops – Bot Baseline
Among the high-level findings of Mimecast’s State of Email Security report is that impersonation attacks, a form of Business Email Compromise (BEC), are on the rise, with 73 percent of organizations admitting they experienced a direct loss due to an impersonation attack. Phishing attacks, which aim to trick unsuspecting users into clicking on something or providing personal information, were also on the rise, with the majority (55 percent) of respondents identifying a rise in phishing attacks over the last 12 months.
Email is also a common delivery mechanism for ransomware, which is having a growing impact on organizations. According to the report, 53 percent of organizations experienced a business-disrupting ransomware attack, up from 26 percent in the 2018 report.
“Email security systems are the front line defense for most attacks,” said Josh Douglas, vice president of threat intelligence at Mimecast. “Yet, just having and providing data on these attacks is not what creates value for most respondents.”
Key Takeaway: Organizations need to have tools that provide actionable intelligence to help identify new and emerging email threats.
Proofpoint’s Q1 2019 Threat Report identified the Emotet botnet as the dominant threat during the quarter.
Sixty-one percent of all malicious payloads observed by Proofpoint during the first quarter of 2019 were attributed to the Emotet botnet. Emotet is an agile botnet used to deliver various forms of attack traffic, including information-stealing malware as well as spam emails. Also of note in the report is the finding that, by volume, there were five times more attacks that made use of malicious URLs in email than malicious attachments.
“Assume users will click,” the Proofpoint Threat Insight Team wrote in a blog post. “Social engineering is increasingly the most popular way to launch email attacks, and criminals continue to find new ways to exploit the human factor.”
Key Takeaway: Have systems in place that can protect the organization against users who will click on potentially malicious web addresses.
Rapid7’s first quarter 2019 threat report warned of the continued risk of remote entry attacks.
According to Rapid7’s analysis, remote entry attacks were the most prevalent threat category for large organizations in the first quarter of 2019, with over 40 percent of large organizations affected. Rapid7 also warned of the continuing risk of fake login pages that victims are directed to via phishing attacks. In particular, fake Microsoft login pages for services such as Office 365, Exchange and OneDrive were found to be increasingly prevalent.
Overall, however, credential stuffing and replay were identified by Rapid7 as the top threat across all industries. In a credential stuffing or replay attack, usernames and passwords stolen from one site are tried by attackers on other sites, in an attempt to exploit users who reuse the same credentials across multiple sites.
“With 2018 being the year of ‘Credentials Gone Wild’ and a constant heartbeat of security news informing us all about ransomware hitting municipalities and SMBs, it was somewhat unnerving to see that attackers in our corpus are still relying on credential replay as a primary tool in their arsenal,” Bob Rudis, chief data scientist at Rapid7, told eSecurity Planet. “The continued use of this technique is a sign that it continues to be effective, which also likely means folks are still abusing their credentials by reusing their credentials.”
Key Takeaway: Do not reuse the same username and password on multiple sites. Use unique credentials in order to minimize the risk of credential stuffing.
According to Risk Based Security’s Q1 2019 Data Breach QuickView Report, released May 7, 2019 is already on pace to be the worst year on record for publicly reported data breaches.
In the first quarter, there were 1,903 publicly disclosed data breach events that exposed over 1.9 billion records. The vast majority of the breaches recorded (67.6 percent) in the first quarter were the result of sensitive data being exposed publicly on the internet.
“Researchers are increasingly going public when they discover sizable, unprotected databases containing sensitive information, and unfortunately, they aren’t terribly difficult to find when you know where to look,” said Inga Goddijn, executive vice president and head of Cyber Risk Analytics at Risk Based Security.
Key Takeaway: Protect online databases and make very certain they are not “world-readable” by anyone on the internet. And see our picks for top database security tools.
RSA’s first quarter fraud report found a 300 percent spike in fraud attacks coming from rogue mobile apps.
Rogue mobile apps represented 50 percent of observed attacks in the first quarter of 2019. In contrast, phishing attacks accounted for 29 percent of fraud attacks; the top target of phishing-related fraud was Canada, at 52 percent of attacks, while the U.S. came in at only 6 percent. Card-not-present (CNP) fraud transactions increased 17 percent last quarter, and 56 percent of those originated from mobile. On a positive note, RSA recovered over 14.2 million unique compromised cards in Q1, a 33 percent increase from the previous quarter.
“In Q1, the most drastic difference between the value of genuine and fraud transactions was observed in North America, where the average value of a fraud transaction was $403, nearly double that of a genuine transaction,” the RSA report stated.
Key Takeaway: Monitor devices and user behavior with the right technology (User and Entity Behavior Analytics) to help identify and limit the risk for fraud.
White Ops in partnership with the ANA (Association of National Advertisers) released the Bot Baseline report on May 1, providing insight into the state of bot-driven online fraud.
The big finding in the report is that bot fraud financial losses in the advertising business are forecast to come in at $5.8 billion. While that number is staggering, it represents a decline from the $6.5 billion reported in the previous Bot Baseline report, released in 2017. Overall, bot-related fraud attempts account for 20 to 35 percent of all ad impressions, though the report contends that the amount of successful fraud is a small percentage.
“We are coming off a year of unprecedented industry collaboration that has proved to be a powerful tool for tackling ad fraud at a global scale,” said Tamer Hassan, CEO and Co-founder at White Ops. “But it is important to remember that fraud will always follow the money.”
Key Takeaway: Industry collaboration can have an impact on reducing fraud.
On May 2, Vade Secure released its Phishers’ Favorites report for Q1 2019, looking at the current state of phishing attacks.
According to the report, social media phishing is on the rise as hackers increasingly turn to Facebook and Instagram to lure in their victims. While the social media sites are becoming more popular, they still haven’t unseated the top seed on the list, which for the fourth straight quarter is once again Microsoft. Vade reported seeing multiple types of Microsoft-inspired phishing campaigns, including a variety of Office 365 attacks in which victims are sent links to fraudulent documents.
“It seems like every quarter cybercriminals are upping their game and getting increasingly sophisticated, and Q1 2019 was no exception,” said Adrien Gendre, Chief Solution Architect, Vade Secure. “These hackers are now intimately familiar with how both consumer and corporate email users interact with the internet and are constantly evolving their techniques to trick users into clicking malicious links and providing their credentials.”
Key Takeaway: Think twice before clicking a link and use tools that help identify potential phishing addresses.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.