Symantec just released the 2017 edition of its annual Internet Security Threat Report, and the findings tell a story that might surprise some industry watchers. According to the report, although 2016 witnessed an increase in ambitious, large-scale attacks, such as bank heists and political espionage, this increase in boldness was not tied to an increase in malware sophistication. Far from it.
For years, hackers have looked for subtle software weaknesses that they’ve exploited in devious and often ingenious ways before the software creator can fix the underlying problem. But these so-called zero-day attacks are becoming increasingly difficult to carry out. Software development is becoming more secure, and more software companies are using bug bounty programs effectively to reward people who can find bugs before they can be exploited. Another advanced form of attack that’s losing popularity is the attack toolkit, which is a bundle of sophisticated malware sold in the underground economy to help cyber criminals launch an attack. As it turns out, attack toolkits require a heavy backend infrastructure and ongoing maintenance, and these factors deter both would-be attackers and toolkit developers.
Instead, the trend in 2016 was toward simple but effective exploits, most notably through email. The rate of malware infection across all email in 2016 jumped to an alarming 1 in 131 email messages, up from a rate of 1 in 220 the previous year. According to the Symantec report, simple email cons that trick the viewer into clicking a link, like the massive Gmail phishing attack of May 3rd, are the preferred hacking method du jour. Though mass-targeted phishing attacks that cast a wide net are actually in decline, a newer, more narrowly targeted method called spear phishing is decidedly on the upswing.
With spear phishing, the attacker researches the intended victim before sending the email bait. As is also sometimes the case with generic phishing attacks, the email message appears to be a legitimate contact, but in the case of spear phishing, that identity is backed up by content that seems to validate that the email is from the authentic source. For example, the attacker might determine where you hold a bank account and then copy the logo and web content from that bank into their email. Or they might include information from social media that makes the email look like it’s really from a friend.
Because spear-phishing attacks are customized for the intended victim, these emails tend to be far more effective than traditional phishing attacks. In fact, what was probably the most highly publicized Internet attack of 2016—the attack against the US Democratic Party—was the result of a spear-phishing attack against presidential campaign chairman John Podesta. In another high-profile case, an Austrian aerospace company lost almost $50 million in 2016 as a result of a spear-phishing attack. Other damaging spear-phishing attacks in 2016 successfully targeted Snapchat, Seagate Technology, and Sony PlayStation.
According to the Symantec report, a typical spear-phishing email attack follows these steps.
- The victim opens the attachment, which executes a Windows PowerShell script to download malware from a remote source.
- Malware is downloaded and infects the local computer.
Symantec’s research also revealed that surprisingly few subject lines were used in the majority of business-related phishing and spear-phishing attacks. It’s useful to become familiar with them.
| Business E-mail Compromise Subject Lines | % of Cases |
|---|---|
Considering all email attacks and not just business-related ones, the following keywords were found most often in subject line email headers in 2016.
| Email malware subject line keywords | % of Cases |
|---|---|
| “Mail Delivery Failure” | 10% |
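The two indicators the article draws from the report, a lure subject line such as “Mail Delivery Failure” and an attachment that launches a Windows PowerShell script, can be turned into a simple mail-gateway triage check. The following Python is an added example, not code from the Symantec report or from this article. It assumes a plain-text RFC 822 message as input; the list of script-capable attachment extensions and the scoring weights are this example's own assumptions, and the three sample messages are constructed here (the attachment body is an inert placeholder string, not a working script).

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject-line keyword the report lists for 2016 email malware (taken from the page).
LURE_SUBJECT_KEYWORDS = ("mail delivery failure",)

# Attachment types that can execute a script when opened. This list is an assumption of
# this example; the page only says the attachment ran a Windows PowerShell script.
SCRIPT_CAPABLE_EXTENSIONS = (".ps1", ".js", ".jse", ".vbs", ".wsf", ".hta",
                             ".bat", ".cmd", ".docm", ".xlsm")


def score_message(raw_message: str) -> dict:
    """Score one raw message for the indicators described on the page.

    Returns {"score": int, "flagged": bool, "reasons": [str, ...]}.
    A lure subject alone is weak evidence (genuine bounce notices use it too),
    so a single weak indicator does not flag the message on its own.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    score = 0
    reasons = []

    if any(keyword in subject for keyword in LURE_SUBJECT_KEYWORDS):
        score += 1
        reasons.append("subject matches a known malware lure keyword")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(SCRIPT_CAPABLE_EXTENSIONS):
            score += 2
            reasons.append(f"script-capable attachment: {name}")
        content = part.get_content()
        data = content if isinstance(content, bytes) else content.encode("utf-8", "replace")
        if b"powershell" in data.lower():
            score += 2
            reasons.append(f"attachment {name or '(unnamed)'} references PowerShell")

    return {"score": score, "flagged": score >= 2, "reasons": reasons}


def build_sample(subject: str, sender: str, body: str,
                 attachment_name: Optional[str] = None,
                 attachment_bytes: bytes = b"") -> str:
    """Build a constructed sample message (not a real capture) as a raw string."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "employee@example.com"
    msg.set_content(body)
    if attachment_name is not None:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: a lure, a genuine-looking bounce, and an ordinary internal mail.
LURE_SAMPLE = build_sample(
    "Mail Delivery Failure", "postmaster@example.com",
    "Your message could not be delivered. See the attached report.",
    "delivery_report.js", b"// placeholder: would launch powershell to fetch a payload\n")

BOUNCE_SAMPLE = build_sample(
    "Mail Delivery Failure", "mailer-daemon@example.com",
    "Delivery to user@example.org failed permanently.")

BENIGN_SAMPLE = build_sample(
    "Q3 planning notes", "colleague@example.com",
    "Notes from today's meeting attached.", "notes.txt", b"Agenda item 1\n")


if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("bounce", BOUNCE_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The weighting is deliberate: the lure subject by itself scores 1, so a real bounce notification passes, while a script-capable attachment or one whose contents mention PowerShell adds 2 and crosses the threshold. In a production gateway the keyword list would be fed from current threat intelligence rather than the single entry the report gives for 2016.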
Symantec’s 2017 Internet Security Threat Report is 77 pages long and offers an interesting overview of trends in Internet threats. You can download it for free at https://www.symantec.com/security-center/threat-report.