System vulnerabilities were responsible for less than 1 percent of observed cyber attacks, according to a damning analysis that found human error was responsible in 99 percent of cases as criminals increasingly – and successfully – target vulnerable people with social-engineering tactics.
Despite the increase in executive-targeting business email compromise (BEC) attacks – which the US FBI recently said has become a $US26b ($A38b) problem in the past three years – Proofpoint’s 2019 Human Factor Report found that ‘very attacked people’ (VAPs) often were not company executives.
Rather, the report notes, they are people who “tend to be either easily discovered identities or targets of opportunity like shared public accounts”.
Fully 36 percent of identities associated with a breach could be found online just by scanning corporate websites, social-media accounts, publications, and other documents. From there, detailed and highly effective social-engineering campaigns were proving so effective that cybercriminals were finding them easier to run and manage than malware.
“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of Threat Operations for Proofpoint.
“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defence. To significantly reduce risk, organisations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defences that provide visibility into their most attacked users.”
Real-estate, construction, government, and insurance targets were most frequently attacked, according to Proofpoint Attack Index ratings – a combined measure of actor, targeting, and threat type – that also found that the education, entertainment/media, automotive, construction, engineering and healthcare industries had the highest concentration of VAPs.
Impostor attacks were most frequently targeted at engineering and automotive firms were largely due to “easily exploited supply chain complexities,” the report noted, and educational institutions due to that sector’s high concentration of VAPs and user vulnerabilities.
While harvesting of generic email accounts provided targets for nearly 25 percent of phishing schemes last year, in 2019 this had been supplanted by campaigns based around harvesting Microsoft Office 365 credentials.
Cloud storage services, DocuSign, and Microsoft cloud services had become increasingly popular phishing conduits during the first half of 2019, reflecting users’ high degree of acceptance of online file sharing and collaboration tools.
Attackers were continually refining the angle taken by their phishing campaigns, with themes “varying widely by both actor and intended target” but food, shelter, love, and money singled out as “perennial favourites”.
Attackers would befuddle BEC targets by building a rapport with them, using multiple points of contact, and creating a sense of urgency. Domain fraud was also popular, with attackers using techniques like look-alike domains and legitimate secure certificates to allay the VAPs’ suspicions.
Many users were not only clicking on phishing emails but were sharing them with friends, Proofpoint’s analysis showed, with phishing emails related to the Brain Food credit card-harvesting botnet clicked an average of 1.6 times each.
Also widely clicked were phishing attacks targeting the Blackboard school management system, WeTransfer file-sharing service, and Zoominfo business contact database.