RSA Conference 2015: Criminals targeting gaps in user awareness training

Using data gathered from their own customers, Proofpoint, a Security-as-a-Service provider in Sunnyvale, California, says that while awareness training is working, criminals are still able to obtain a high degree of success in their Phishing campaigns.

The company published their findings in a report released on Wednesday during the RSA Conference in San Francisco.

Examining their customer's data, Proofpoint discovered that widespread focus on user awareness targeting common Phishing lures - such as social media invites and unsolicited messages in general, led to a 94 percent decrease (year-over-year ) in number of successful Phishing campaigns. That's great news, but unfortunately, the criminals switched tactics.

Previous awareness training initiatives focused on executives first and everyone else second. This allowed criminals a prime opportunity to target lower level staffers and middle management, using tactics that were different from the ones that users were trained to spot. The altered tactics were also able to bypass most mail filters.

The result was a resounding success for the criminals, and an observable lesson that every company clicks, and no one person or department within the organization is immune to Phishing or similar social engineering attacks.

"The central lesson of 2014 for CISOs is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated," the Proofpoint study states.

Proofpoint says that when it comes to malicious messages, 1 out of 25 will be successful. None of the organizations in their dataset were able to eliminate clicking on malicious links entirely.

While all user roles within the organization are targeted, middle management is the new goal; they received more malicious messages in 2014 than the previous year. Moreover, managers and staff had twice the amount of clicks than executives did.

All industries are being targeted, but Banking and Finance received 41 percent more malicious messages than the average across all industries.

The same can also be said for departments within an organization. All departments are targets, but Sales, Finance, and Procurement (the supply chain) clicked on malicious links 50-80 percent more than the average departmental click rate.

Proofpoint says that the most successful Phishing lures were posing as communications, such as e-faxes and voicemail alerts.

The use of social media notifications and order confirmations dropped off in 2014. Users were catching on to the scam. So when criminals switched tactics, they had more success.

"Email lures that employ attachments rather than URLs, such as invoice and account statement lures, increased significantly as a vector, on some days driving 1,000% increase in messages with malicious attachments over the normal volume," the report said.

Attacks are occurring mostly during business hours, or at least that was the common thread in 2014. Proofpoint says that a majority of malicious messages were delivered during business hours hitting a peak on Tuesday and Thursday morning.

Tuesday is the most active day, with 17 percent more clicks than any other weekday. However, there were plenty of after-hours clicks, so end-users are vulnerable around the clock, regardless of whether they are on-site or remote.

In addition to a regular schedule, criminals are also working faster. Two to three people are convinced to follow a malicious link on the first day; and by the end of the week the campaign as ended for the most part, as 96 percent of all clicks have occurred.

Most malicious clicks happen outside of work. Off-network clicks vary significantly by company and industry, but all experienced some amount of off-network clicks in 2014. A majority (91%) of clicks in 2014 came from mobile devices.

The Phishing campaigns in 2014 were so successful because criminals didn't use tactics that end-users were trained to spot. Previously, the focus was on social media invites and other unsolicited messages. But when that changed, users couldn't keep up.

"When attackers changed their strategy to targeting corporate users with attachments in high-volume campaigns, while piggybacking on legitimate messages, such as email newsletters and opt-in marketing emails, end-users were faced with a large number of malicious email that they could not recognize as a threat," the report says.

"For example, there was a high volume of Microsoft Outlook Web Access (OWA) credential phish, as it is very easy to spoof these pages, and they produce high-value results."