More than 200,000 new malware samples were found every day in the first half of 2016, according to the crimeware statistics of the APWG (Anti-Phishing Working Group). While that figure is down slightly compared to 2015, it doesn’t necessarily signal the end of the ransomware/malware/phishing epidemic that has impacted businesses and the public for many years.
In fact, the opposite may be true, at least in highly targeted industries. Analysis of cyberattacks by BrandProtect reveals that phishing attacks against banks, insurers, and other financial services enterprises rose 30 percent year over year during Q3 2016. More significantly, the BrandProtect analysis reveals that while the majority of phishing attacks remain simple in design and execution, the percentage of sophisticated phishing exploits – attacks that automate subjugation of website infrastructure and deploy multiple phishing URLs – has increased dramatically. These sophisticated attacks generate the majority of phishing URLs that must be taken down.
“There is no doubt that sophisticated phishing attacks are becoming the norm,” said Dylan Sachs, Director of Anti-Phishing Services and Incident Response at BrandProtect. “Instead of launching attacks from a single URL, a sophisticated phishing attack will generate and launch attacks from ten, twenty, one hundred, or even more URLs. To put this in perspective, during the third quarter of 2016, just ten percent of the phishing attacks that we detected targeting our clients generated approximately slightly more than fifty percent of the URLs that needed to be taken down.”
The goals of the attacks are shifting too. Instead of merely leading victims to websites where they reveal their credentials, modern phishing exploits frequently install ransomware or malware on the attacked systems. BrandProtect believes that the ransomware/malware/phishing business model is maturing and that the exploits are becoming commoditized. Phishing emails remain the mechanism of choice for the distribution of these malevolent payloads, with the most prolific fraudsters most likely building their attacks using developer kits that have become widely available online, or outsourcing their attack development to one of the cyber-for-hire vendors that advertise on the surface or dark web. Today, for an investment of just a few thousand dollars, anyone can be in the ransomware/malware/phishing business.
It is essential that CISOs and Digital Governance teams implement a two-front defense. First, internal education programs about phishing awareness and best practices for personal cyber safety need to be implemented or expanded. These programs are often supplemented by internally targeted phishing tests, which will likely consistently show an alarming number of “fooled” employees, but will contribute to overall awareness and vigilance. The free monthly BrandProtect Executive Threat Brief is an excellent addition to any internal cyber threat education program.
The second priority may be even more critical: ensuring that the company or executive identities are not being used to “legitimize” third-party phishing attacks that target the company’s customers, employees, partners, or the general public. To address this exposure, CISOs and Digital Governance teams need to look beyond traditional phishing, to identify unauthorized or fraudulent use of company logos, employee profiles, and internet infrastructure.
By implementing comprehensive anti-phishing solutions, which include 24/7 phish detection, evaluation and mitigation, companies can reduce their likelihood of being associated with a successful attack. By aggressively auditing and mitigating unauthorized use of a company's brands and online personality, companies can reduce the effectiveness of phishing exploits. In fact, BrandProtect customers consistently see a decline in phishing attacks after they implement anti-phishing and other external threat protections.
It may be a simple matter of dollars and cents. By aggressively combating the attacks, and the attack infrastructures, forward-thinking CISOs and Digital Governance teams are making it harder for the phishers to succeed. Faced with a reduced return on their phishing investment, the bad guys just move to another, less protected company.