2015 cyber crime trends: malware attachments and business phishing both up

SaaS vendor Proofpoint has released its top trends of 2015 so far, which, combined with its data on unsolicited email for the first half of the year, provides an interesting overview of the evolving threat landscape.

Basically, it’s all about the exploitation of human error.

Threat trends

Proofpoint notes four main trends from the first half of 2015:

  1. A shift back to attachment-based malware campaigns

There was a notable move away from malicious URLs and a resurgence in cyber criminals’ reliance on emails that used malicious attachments to deliver malware payloads. Malicious macros are cheap and easy for criminals to use and, because of their reliance on recipients’ fallibility, can bypass antivirus and anti-malware software. The majority were delivered by the Dridex botnet.

  2. A change in phishing techniques targeting business users

2015 has also seen “a shift by cybercriminals to targeting business users.” Attackers used “communication notification templates, and corporate and personal financial communication lures. The communication message took a variety of forms, with voicemail and fax notifications being the most common.” Financial phishing templates focused “more on wire transfer, purchase orders, and business-type transactions than on simple personal account status updates.” Phishing emails frequently featured ‘from’ lines that included a named executive from the recipient’s company, such as the CFO or CEO.

  3. Social media increasing as a source of brand and compliance risk

Proofpoint notes that “distributing malicious content via social media [is] an attractive channel for hackers and scammers. A single phishing lure, malware link or spam message posted to a high profile corporate social media destination may be viewed by ten thousand or more potential victims.” UK brands “suffered from 60% more spam than top US brands”, indicating that companies need to manage their social media risks a lot more carefully.

  4. A continued decrease in the overall volume of unsolicited messages

Year-on-year, there has been a decrease in the overall volume of unsolicited messages – owing in part to the takedown of several high-profile botnets. This could, however, indicate that criminals are simply getting more efficient. Volume may be lower in 2015, but “what was lost in volume was more than made up for in maliciousness. This is represented not only by the increasing use of ransomware and other cyberextortion techniques, but also by the fact that an ever-greater portion of malware delivered by unsolicited email are able to evade detection by antivirus solutions.”
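The first two trends translate into simple triage checks at the mail gateway. The Python sketch below is an added example, not code from Proofpoint or IT Governance: it flags a message whose 'from' display name matches an executive while the sending domain is not the company's, and any attachment that is an Office Open XML file carrying a VBA project. `COMPANY_DOMAIN`, `EXECUTIVES` and the sample message are constructed assumptions, and legacy OLE formats (.doc, .xls) are not covered.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for this example: the organisation's mail domain and executive names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam patel"}

def has_vba_macros(data: bytes) -> bool:
    """True if data is an OOXML (zip) document that contains a VBA project part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def triage(raw: bytes) -> list[str]:
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Executive name in the display part, but the address is outside the company domain.
    if domain != COMPANY_DOMAIN and any(e in display.lower() for e in EXECUTIVES):
        findings.append("executive-name-external-sender")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_macros(payload):
            findings.append(f"macro-attachment:{part.get_filename()}")
    return findings

def build_sample() -> bytes:
    """Constructed test message: executive name, outside domain, macro-enabled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"placeholder bytes, not macro code")
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@payments-example.test>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Wire transfer request"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Findings like these are better used to quarantine or banner a message for review than to silently drop it, since staff names also appear in legitimate external mail.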

Best-practice cyber security

All of the attack vectors above rely on one thing: human error. The international standard ISO 27001 sets out the requirements of a best-practice information security management system (ISMS) that addresses people and processes as well as technology, ensuring that security measures cover the entire enterprise. There’s little point, after all, in having expensive technological solutions if you can’t rely on your staff not to click on malicious attachments, or open phishing emails or messages.


Easy ISO 27001 implementation for all organisations

Priced from only £380, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organisations, whatever their size, budget or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organisations to implement an ISMS with the minimum of disruption and difficulty.

Staff awareness training

If you’re concerned about your staff’s susceptibility to phishing attacks, you may also be interested in the following:

  • Our Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, giving you a broad understanding of how you are at risk and what you need to do to address these risks.