In 2014, widespread end-user education succeeded in raising awareness of phishing as a threat, enabling end-users to recognize the most common phishing templates – such as social media invites – and become more wary of unsolicited messages in general. One result of this was a 94% year-over-year decrease in the use of social media invitation email lures.
In response, 2014 was the year attackers ‘went corporate,’ with explicit shifts in approach clearly designed to exploit middle management and exfiltrate cash. By the end of 2014, cybercriminals were targeting subtly different user populations and employing tactics that looked very different from what users – and automated defenses – had adapted to recognize, specifically:
- Campaigns focused on businesses and financial access, with less reliance on social media invitations and other personal communication templates.
- Significant increases in attachment usage, with attachments disguised as e-fax, voicemail, or document formats.
- Balanced attacks that mixed high-volume longline campaigns with strategic web compromises, attachment-based campaigns, and corporate communication and financial email lures.
- Changed distribution times to blend in with periods of high business mail flow.
- Designed campaigns that cut off the “long tail” of clickers in favor of a more immediate payoff, to get around faster-adapting defenses.
- Refocused on “traditional” endpoint platforms that predominate in business IT environments, such as PCs running Windows and Internet Explorer.
The result? It worked. Every company still clicks; every department and industry is still at risk (though financial industries and sales and marketing continue to be the top target areas); and attackers continue to shift tactics to play on human weaknesses as they siphon money and data from organizations.
The central lesson of 2014 for CISOs is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated.