When are you most likely to be hit by a cyberattack? What methods and tools do cybercriminals prefer to use when they are targeting an individual or an organisation? Security specialist Proofpoint has looked at some common trends to come out of recent attacks to reveal the habits of hackers.
First thing Tuesday is the most effective time to hit inboxes with bogus invoices and receipts looking to catch people unawares, according to Proofpoint's Human Factor 2016 security report. Hackers are targeting busy people who are quickly clearing their inbox for the day ahead, hoping their attack will hit the mark before the IT team has a chance to act.
Rather than linking to sites hosting malware, three-quarters of malicious links sent last year directed their recipients to bogus pages designed to steal passwords and other credentials, says Kevin Epstein – Proofpoint's Vice President of Threat Operations. "Attackers target the human factor because it is so much more difficult to defend with the kinds of traditional defence – like signature and reputation-based antivirus and anti-spam – on which most organisations still rely," Epstein says.
"People are easier to fool than machines. Anti-malware software is never too sleepy to question legitimacy, or too curious to avoid clicking." Scammers are expanding their efforts beyond email to focus more on SMS and social media, with password-stealing "phishing" attempts 10 times more common than malware links in social media posts. While email-based scams peak in the morning, social media-based scams are more common in the afternoon as people look for distractions from their work.
Access to online banking is their primary goal, such as the recent SMS phishing scam targeting ANZ Internet Banking customers. Online banking is also the primary target of malicious downloads, with banking Trojans accounting for three-quarters of all malicious payloads in emails.
Rather than just casting their net wide, scammers also target specific businesses by tailoring sophisticated spear-phishing attacks. These communications often appear to come from senior executives within the business, with instructions to transfer money, pay bogus invoices, ship products or provide access to sensitive data.
Known as Business Email Compromise (BEC) attacks, they're particularly difficult to defend against because they specifically target staff with the authority to perform the required task, appearing to come from a superior they trust.
It's possible to defend against such threats by configuring email servers to authenticate internal emails and detect fakes, as well as look for commonly used words such as "transfer". Apart from these technical countermeasures, it's also important to put strict processes in place and educate people about the tricks used by scammers, Epstein says.
"It's important to conduct culture training for all employees, emphasising that money transfers should never be carried out based solely on an email request," he says.
"Businesses should also ensure that internal finance and purchasing controls are in place to authenticate legitimate requests, including the addition of a secondary approval by another individual in the organisation. Moreover, these controls should be out-of-band, requiring an in-person or telephone confirmation, rather than via email."
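The mail-side checks described above (authenticating messages that claim an internal sender and looking for words such as "transfer"), as an added Python example that is not from the article or from Proofpoint. It assumes the receiving mail server stamps a trusted Authentication-Results header; the domain, executive name, extra keywords and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
EXECUTIVES = {"dana reyes"}       # constructed executive display name
KEYWORDS = ("transfer", "invoice", "payment")  # "transfer" is the article's; others assumed

def dmarc_result(msg):
    """Return the dmarc= verdict stamped by the receiving server, or 'none'."""
    for header in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bdmarc=(\w+)", header, re.I)
        if match:
            return match.group(1).lower()
    return "none"

def bec_flags(raw):
    """List the reasons a raw RFC 5322 message looks like a faked internal request."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Claims to be internal but did not pass authentication for our domain.
    if domain == INTERNAL_DOMAIN and dmarc_result(msg) != "pass":
        flags.append("internal-sender-unauthenticated")
    # Uses an executive's name on an address outside the organisation.
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        flags.append("executive-name-external-address")
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body if isinstance(body, str) else ''}".lower()
    if any(re.search(rf"\b{re.escape(word)}\b", text) for word in KEYWORDS):
        flags.append("payment-keyword")
    return flags

def should_hold(flags):
    """Hold for out-of-band confirmation: identity problem plus a payment keyword."""
    return "payment-keyword" in flags and len(flags) > 1

# Constructed sample messages: forged internal sender, lookalike domain, genuine mail.
SPOOFED = ("Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com\n"
           "From: Dana Reyes <dana.reyes@example.com>\n"
           "Subject: Urgent\n\nPlease transfer $40,000 to the new supplier today.\n")
LOOKALIKE = ("Authentication-Results: mx.example.com; dmarc=pass header.from=examp1e.test\n"
             "From: Dana Reyes <dana.reyes@examp1e.test>\n"
             "Subject: Overdue invoice\n\nPay the attached invoice before noon.\n")
LEGIT = ("Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
         "From: Dana Reyes <dana.reyes@example.com>\n"
         "Subject: Budget\n\nThe transfer between cost centres is approved.\n")
```

A keyword on its own does not hold a message; it only escalates one that already has a sender-identity problem, which keeps genuine finance mail flowing.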
Staff can also unwittingly put businesses at risk by bypassing security warnings and downloading mobile apps from rogue marketplaces, a threat that affects 40 per cent of enterprises according to the security report. This issue is made harder to tackle by the rise of Bring Your Own Device programs which allow people to use their personal devices for work tasks.
Proofpoint discovered more than 12,000 malicious mobile apps in authorised Android app stores. Many were capable of stealing information, creating backdoors and other nefarious functions, Epstein says.
"To date most of the focus for mobile device security has been around data protection and ensuring basic compliance with company security policies," he says. "Mobile Device Management solutions are generally very well-suited to this kind of challenge, but malicious mobile apps are an entirely different problem."
"Organisations and people are only now waking up to the nature and extent of the risk from malicious apps. People who download malicious apps on smartphones or tablets that they also use for work are definitely putting their employer at risk."
This article originally appeared in The Sydney Morning Herald