Malicious email volumes soared in the third quarter 2017, increasing 85% from the prior quarter, according to a new security threat report from proofpoint that reveals much of this increase was driven by an explosion of email with malicious URLs linking to hosted malware.
According to the global cyber security firm in its latest cyber threat report for Q3 2017 the volume of emails with malicious URL rose 600% for the three months to the end of September, from the previous quarter and more than 2,200% from the year-ago quarter.
The company says this represents the highest proportion of malicious URL messages - compared to attachment-based email attacks - that we it has seen since 2014.
But, it cautions, attachment campaigns were still very present, with malware hidden in compressed-file archive attachments comprising much of the volumes in these campaigns.
{loadposition peter}proofpoint also says that across its global customer base, ransomware appeared in almost 64% of all malicious email – while new ransomware strains appeared daily, but Locky remained the top payload, both in terms of ransomware and across all malware families.
“Banking Trojans, on the other hand, represented 24% of all malicious email volume, with The Trick accounting for 70% of banking Trojan payloads and displacing Dridex as the top banker in Q3. Dridex—along with Ursnif, Bancos, and Zloader —continued in regionally focused campaigns,” proofpoint notes in its latest quarterly report.
proofpoint warns that new version of Retefe also appeared using a leaked exploit from the US National Security Agency known as EternalBlue to spread across internal networks, “echoing the use of NSA exploits in destructive ransomware attacks from Q2”.
And, the report reveals that email fraud rose 29% versus the previous quarter, while attack frequency also increased, with 12% more email fraud attempts per targeted organisation than in Q2.
Kevin Epstein, Vice President, Threat Operations of proofpoint, said: "Threat actors never stop innovating, whether through new network attack vectors, more sophisticated social engineering, or evolving email campaigns with hosted malware and obfuscated code."
"The ongoing dominance of ransomware in the threat landscape means that it remains lucrative for actors who repeatedly demonstrate their willingness to ‘follow the money’. However, we also continue to see a combination of adaptability -- switching payloads and malware families as necessary to maximise returns -- and specialisation, as actors focus on particular regions and malware types that best suit their needs and expertise."
According to proofpoint, exploit kits (EKs) suffered a well-publicised decline in 2016 and it continues to observe traffic levels hovering around 10% of their 2016 peak.
“However, attackers are layering social engineering schemes into their EK campaigns, a trend suggesting they are looking beyond increasingly scarce exploits to monetise EK activity,” cautions proofpoint.
And the firm concludes that threat actors continue to make use of lookalike and typosquatted (also known as URL hijacking) “suspicious domains” to perpetrate fraud and trick unsuspecting users.
It notes that registrations of suspicious domains outnumbered defensive registrations by brand owners 20 to 1 in Q3 and, at the same time fraudulent support accounts, used for so-called “angler phishing,” doubled from the year-ago quarter as actors continue to capitalise on social engineering across the threat landscape.
proofpoint concludes its report with recommendations for combatting the rise in threats from cybercriminals, including:
Combat typosquatting on the web
Defensive domain registration is a simple and cost-effective tactic to keep attackers from creating lookalike domains for email fraud and credential phishing. Work with your business leaders to define a list of potential look-alike domains to register. Include conference and marketing campaign websites, which are frequent targets.
Deploy email authentication to stop domain spoofing techniques used in email fraud
With protocols such as DMARC (Domain-based Message Authentication, Reporting & Conformance), you can stop fraudsters from using your email domain. For email attacks that use lookalike domains, your solution should be able to find domains that could be mistaken for yours—and work with third-party services to take them down.
Protect your users from email attacks of all types
Whether they’re malware attachments, malicious URLs or socially engineered email fraud, your email defenses should cover the widest range of email-based threats. Robust protection includes robust analysis capabilities to preemptively identify and sandbox suspicious URLs and attachments. It should use multistage sandbox analysis to identify malicious attachments and URLs—at the delivery point and later when employees click. And it should identify and block non-malware threats, such as emails that could trick your employees from sending money and sensitive information to impostors.
Partner with a threat intelligence vendor
Smaller, more targeted attacks call for sophisticated threat intelligence. Leverage a solution that brings together analysis data with threat intelligence, combines static and dynamic techniques to detect new attack tools, tactics, and targets—and then learns from them. By correlating analysis results with threat intelligence feeds, these difficult-to-detect emails can be caught before a user has a chance to click.
Protect your brand from impostors on social media
Look for a security solution that alerts you to lookalike social media accounts, especially those offering fraudulent “customer-support” services. The solution should not just detect infringing accounts but work with takedown services to stop them from defrauding your customers and partners.