Cybercriminals by far prefer trickery over exploits to install ransomware

Source: Proofpoint. Patches don't prevent people from clicking
Source: Proofpoint. Patches don't prevent people from clicking

Cybercriminals these days by far prefer tricking victims into clicking malicious links to install malware than rely on a potentially un-patched software flaw to do the job. 

Security firms have observed a steep drop off in the use of exploit kits over the past year, following the arrests of key figures behind operations like Blackhole and Angler. The latter exploit kit abruptly stopped activity in mid-2016 after the arrest of 50 people in Russia accused of running a bank fraud group known as Lurk that hacked Russian banks. 

Exploit kits are ideal for spreading malware because PCs could be infected just by visiting a malicious web page. The catch is the kit typically only works if the user is running outdated browser plugins like Flash, which is now automatically updated in Edge, Internet Explorer and Chrome. 

Some exploit kits are still active, as Symantec pointed out today, but the remaining gangs that use these are turning to social engineering or tricking victims into clicking an image or link that installs malware.      

Even the established exploit kit Magnitude, which abuses ad networks in an attack known as malvertizing to deliver the Cerber ransomware, has turned to social engineering. 

Instead of redirecting website visitors via ads to a page with an exploit kit, last year it started sending victims to a page obstructed by fake Microsoft Windows Defender security dialogue boxes. Victims were pushed to install a critical update for Windows Defender, resulting in a Cerber infection.   

Proofpoint highlighted in a report on Tuesday that 99 percent of email-based fraud attacks in the second half of 2016 relied on tricking users into clicking something, such as enabling a malicious macro in an Office document, to install malware. 

It also found that that 90 percent of malicious URLs in email messages led to bogus login pages designed to steal credentials instead of exploit kit landing pages. 

Together, these figures confirm cyber criminals currently prefer to target human interactions rather than rely on automated exploits to infect systems and steal banking or other credentials, according to Proofpoint.

Google has also stepped up its efforts to combat phishing following the widespread bogus Docs scam. It recently announced improved machine learning phishing and spam detection for all Gmail users, and for G Suite business users launched a anti-phishing quarantine system to analyze suspect email for up to four minutes, as well as a tool to stop workers unintentionally replying to an external email address. The latter could help prevent business email compromise (BEC) fraud, which relies more heavily on trickery than malware to defraud victims. 

BEC fraud is far more frequent today than it was two years ago, according to ProofPoint’s detections. In Q4 2015 nearly all email attacks carried banking Trojans whereas in the corresponding quarter in 2016 BEC email accounted for just over 40 percent of email fraud attacks. 

It also noted a downward trend in email seeking to exploit the relationship between CEO and CFO, with other groups coming into focus, including accounts payable for wire transfer fraud, engineering to steal intellectual property, and human resource for tax and identity information. 

The firm has also tracked a shift in the devices that users are clicking on malicious links from, with mobile gradually taking a larger share from Windows desktops. 

“In 2014, 91% of user clicks occurred from Microsoft Windows PCs. In the last two years, that percentage has fallen by half. Over the same period, the percentage of clicks from mobile devices more than doubled, to 42% of total clicks on malicious URLs,” ProofPoint notes. 

The average click rate across all industries for malicious URLs in messages was 4.6 percent, with rates highest in construction and mining, and lowest in IT, utilities, and healthcare. 

The full report is available here.

Tags fraudsymantecproofpointexploit kitmalvertizing

Show Comments