Image
Human-Driven Exploits in the Driver's Seat
Vulnerability drive-by attacks took a backseat to social attacks in 2016. According to Proofpoint's report, human-centric or "click-enabled" attacks accounted for 99 percent of email-based financial fraud techniques by the end of the year. Similarly, nine in 10 malicious URL messages pointed to credential phishing sites rather than landing pages for exploit kits like RIG and Bizarro Sundown.Image
Threat on Arrival: When to Expect Which Email-Based Threats
E-mail-based "click-enabled" threats arrived on each day of the week, but some came in larger droves than others depending on the day. For instance, the combined total of attachment messages and URL messages delivered on Sundays amounted to less than 25,000 instances. Sunday was the only day on which URL messages numbered more than attachment messages. All other days, malicious link-based missives remained below 50,000 instances, peaking on Tuesdays and Thursdays. Meanwhile, attachment messages consistently remained above 150,000 instances on most other days, with their peak of over 300,000 attacks arriving on Thursdays. Proofpoint found that the bulk of each day's attachment messages consisted of ransomware. As its researchers explain in their report:"On Thursday, Ransomware message volumes were much higher on Thursday than the other days of the week, driven primarily by high-volume campaigns that sent the Locky strain. With few exceptions, ransomware was the only category of malware sent on weekends."
Image
Credential Phishing Lures and Click Rates
The most prolific phishing lures of 2016 leveraged well-known technology brands to generate clicks. Apple accounts came in on top by accounting for a quarter of all phishing lures, followed by Microsoft Outlook Web Access (OWA) and Google Drive at 17.0 percent and 12.9 percent, respectively. Delivery volume did not line up exactly with click rates in large-scale (20,000+ messages) email fraud campaigns, however. Lures that used Dropbox and Adobe generated click rates greater than 10 percent. Google Drive-based lures registered a 5.1 percent click rate, whereas Microsoft OWA and Apple clocked in only at 2.8 percent and 1.2 percent, respectively. By contrast, local post office service lures saw a click rate of 78.6 percent in small campaigns (100+ messages). Broken down even further, nearly half of all clicks (44.7 percent) occurred on Windows machines. Sixty-six percent of those Windows-based clicks occurred on operating systems outside of "mainstream support" like Windows 7, whereas nearly a fifth (19 percent) of clicks on Windows PCs took place on unsupported OS platforms like Windows XP, Windows Vista and Windows 2000. The second largest OS of user clicks was Android at 37 percent, followed by Mac OS X (8.3 percent), iOS (5.2 percent), and Other (4.8 percent). Not surprisingly, user clicks picked up at the beginning of the work day, peaked 4-5 hours later, and slowly dropped off into the evening. Figure 11 reveals this trend.Image
"The most striking takeaway from Figure 11 is that users click on malicious URLs at every hour of the day. Whether at work or at home, day or night, users are clicking on URLs that can lead to phishing pages and malware downloads."On business days, it took most users less than an hour to click on a malicious URL after delivery. More than a quarter (25.5 percent) of clicks occurred within 10 minutes of delivery. Meanwhile, 98.3 percent of clicks occurred in a week.
