Latest Phishing Attack Trends Revealed

Proofpoint has released its Q4 2018 quarterly threat analysis which reveals the latest phishing attack trends and provides an insight into the types of individuals being targeted in email attacks.

Email attacks on businesses are conducted for a variety of reasons, most commonly to fool employees into installing malware or ransomware, to obtain login credentials, or to convince employees to make fraudulent wire transfers or divulge sensitive data.

To help businesses understand the threat, Proofpoint analyzed data from phishing attempts intercepted between October 2018 and December 2018 and identified the types of individuals and departments that receive the greatest number of targeted email threats. The attack methods used on those individuals were also analyzed.

Cybercriminals often target executives and upper management as they are more likely to have high level privileges and their email accounts are of more value for conducting further attacks on other individuals within an organization; however, individual contractors and lower level management were found to be attacked more frequently.

Proofpoint found that workers in R&D and engineering were attacked most often, followed by the sales department, production/operations, and Marketing/PR.

There was a change in tactics between Q3 and Q4, 2018, which saw a sizable increase in attacks that spoofed more than 5 individuals in an organization. This time last year attacks tended to be more targeted on high authority individuals. In Q4, 60% of attacks targeted more than 5 individuals. Out of the organizations that were targeted with email spoofing attacks, 40% received more than 50 emails, which is four times the level of Q4, 2017.

30% of malware and credentials phishing attacks were conducted on generic email aliases (sales@ for example). These email accounts are likely to be accessed by multiple individuals, which increases the probability of infecting at least one device with malware and stealing multiple credentials with a single email.

Spoofing attempts increased at a low but steady rate between Q1 2017 and Q3 2018, but there was a major increase in spoofing attempts between Q3 2018 and Q4 2018. Attacks jumped from around 36 attempts per company to more than 120. Compared to the same period last year, spoofing attempts were up by 944%.

Domain spoofing is easy to perform. All that is required is a mail server, which can be easily configured to make emails appear to have been sent from a trusted domain. Display-name spoofing is commonly used, as is the registration of lookalike domains, which appear at first glance to be genuine domains used by well-known brands.

The biggest malware threat is banking Trojans, which account for 56% of all email-borne malware. The Emotet banking Trojan is the most commonly distributed malware threat via email, accounting for 76% of all banking Trojan campaigns. Banking Trojans steal bank login credentials and allow cybercriminals to make fraudulent bank transfers. Downloaders and information stealers are also commonly used; the former download other malware variants, while the latter attempt to steal online account and email credentials.

Web-based attacks grew by 150% from the previous quarter. These attacks fool people into downloading malware or visiting phishing websites through malvertising or popups advising users to upgrade their AV software or download other software updates (Flash Player for example).

Social media attacks were up by 442%. A growing trend is the registration of fake customer service and company social media accounts. The attackers then wait for people to make contact through those accounts, a tactic referred to as angler phishing.

Protecting against these threats requires a combination of end user security awareness training, phishing simulation exercises, advanced spam filtering solutions, DMARC authentication to block domain spoofing, and monitoring for the use of lookalike domains and fraudulent social media accounts.
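The checks below are an added example, not part of the Proofpoint report or this article. They flag the three spoofing techniques described above (domain spoofing, display-name spoofing and lookalike domains) in a received message. The protected domain, the gateway's authserv-id, the protected display name and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own.
ORG_DOMAIN = "example.com"            # domain you protect with DMARC
TRUSTED_AUTHSERV = "mx.example.com"   # authserv-id of your own mail gateway
PROTECTED_NAMES = {"jane doe"}        # display names worth impersonating

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_result(msg):
    """DMARC verdict stamped by our own gateway. Headers carrying any other
    authserv-id are ignored, since a sender can forge Authentication-Results."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        match = re.search(r"\bdmarc=(\w+)", results)
        if authserv.strip() == TRUSTED_AUTHSERV and match:
            return match.group(1).lower()
    return "none"

def classify(raw):
    """Return the spoofing indicators found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:  # claims to be us: must pass DMARC
        return [] if dmarc_result(msg) == "pass" else ["domain-spoofing"]
    findings = []
    if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    if name.strip().lower() in PROTECTED_NAMES:
        findings.append("display-name-spoofing")
    return findings

# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed": "Authentication-Results: mx.example.com; dmarc=fail\nFrom: Jane Doe <jane.doe@example.com>\n\nhi",
    "lookalike": "Authentication-Results: mx.example.com; dmarc=pass\nFrom: \"Jane Doe\" <jane.doe@examp1e.com>\n\nhi",
    "legit": "Authentication-Results: mx.example.com; dmarc=pass\nFrom: Jane Doe <jane.doe@example.com>\n\nhi",
}
```

A lookalike domain can pass DMARC for itself, as the second sample shows, which is why DMARC enforcement and lookalike-domain monitoring are listed as separate controls.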

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of