More than 99% of cyberattacks need human intervention: report
Proofpoint report shows threat actors continue to use socially-engineered attacks
Cybercriminals are targeting people, rather than systems and infrastructure, to install malware, initiate fraudulent transactions, steal data, and more, a new report by Proofpoint says.
The Human Factor report, based on an 18-month analysis of data collected across Proofpoint’s global customer base, spotlights attack trends to help organisations and users stay safe.
“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of Threat Operations for Proofpoint. “More than 99% of cyberattacks rely on human interaction to work—making individual users the last line of defence. To significantly reduce risk, organisations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defences that provide visibility into their most attacked users.”
More than 99% of threats observed required human interaction to execute (enabling a macro, opening a file, following a link, or opening a document), signifying the importance of social engineering to enable successful attacks, the report noted.
Microsoft lures remain a staple, the report said. Nearly 1 in 4 phishing emails sent in 2018 were associated with Microsoft products. 2019 saw a shift towards cloud storage, DocuSign, and Microsoft cloud service phishing in terms of effectiveness. The top phishing lures were focused on credential theft, creating feedback loops that potentially inform future attacks, lateral movement, internal phishing, and more.
“As technology evolves, cyber-attacks also become more sophisticated. Threat actors focus on people, their roles within an organisation, and even their likelihood to “click here”. The report illustrates that the most popular times that people click on links show significant regional differences, for example, Middle Eastern and European users are more likely to click at midday, after lunch and into the late evening, likely reflecting the time shifting necessary to do business with North American organisations and colleagues,” observed Emile Abou Saleh, regional director, Middle East and Africa for Proofpoint.
Other key findings
- While one-to-one attacks and one-to-many attacks were more common when impostor attacks first began to emerge, threat actors are finding success in attacks using more than five identities against more than five individuals in targeted organisations.
- Attackers target people – and not necessarily traditional VIPs. They often target Very Attacked People (VAP™) located deep within the organisation. These users are more likely to be targets of opportunity or those with easily searched addresses and access to funds and sensitive data.
- Thirty-six percent of VAP identities could be found online via corporate websites, social media, publications, and more. For the VIPs who are also VAPs, nearly 23% of their email identities could be discovered through a Google search.
- Impostors mimic business routines to evade detection. Impostor message delivery closely mirrors legitimate organisational email traffic patterns, with less than 5% of overall messages delivered on weekends and the largest portion, over 30%, delivered on Monday.
- Education, finance, and advertising/marketing topped the industries with the highest average Attack Index, an aggregated measure of attack severity and risk. The education sector is frequently targeted with attacks of the highest severity and has one of the highest average numbers of VAPs across industries. The financial services industry has a relatively high average Attack Index but fewer VAPs.
- 2018 saw impostor attacks at their highest levels in the engineering, automotive, and education industries, averaging more than 75 attacks per organisation. This is likely due to supply chain complexities associated with the engineering and automotive industries, and high-value targets and user vulnerabilities, especially among student populations, in the education sector. In the first half of 2019, the most highly targeted industries shifted to financial services, manufacturing, education, healthcare, and retail.
- Attackers capitalise on human insecurity. The most effective phishing lures in 2018 were dominated by “Brainfood,” a diet and brain enhancement affiliate scam that harvests credit cards. Brainfood lures had click rates over 1.6 clicks per message, over twice as many clicks as the next most clicked lure.