Cyber attackers’ success in tricking employees to willingly give up personal data and access highlights a critical, overlooked vulnerability in company IT defenses.

As cybersecurity professionals become more skilled at securing critical core systems and businesses’ IT networks, cyber attackers have started to focus their efforts are on an easier target: human behavior.

Last year marked a substantial shift in hackers’ strategy towards exploiting the online behaviors of company employees using email, social media platforms and mobile applications, according to Proofpoint Human Factor 2016 report.

Kevin Epstein, vice president of Proofpoint’s Threat Operations Center noted to Legaltech News that the findings “incorporated a statistical sample of tens of billions of emails, social media posts, and mobile apps, taken from a larger corpus volunteered by a worldwide customer base. Results reflect data correlation across approximately one trillion data points.”

You’ve Got Phishing

According to Proofpoint, during the past year alone, URLs in malicious emails linking to credential phishing attempts were almost three times more likely than those linking to websites containing malware, accounting for almost three-quarters of all spam email links and solidifying phishing’s growing dominance as hackers’ method of attack. During the second half of 2015, however, cyber attackers become more sophisticated in their attempts, switching tactics en masse to using emails with malicious phishing attachments.

“The most common [attack] we saw last year, just by volume, were large-scale campaigns in which users received an email with an Office document attachment — usually Word, but sometimes Excel format — that claimed to be an invoice or receipt; unknown to the user, the document also contained an embedded malicious Visual Basic macro that would download and install the Dridex banking Trojan,” said Epstein.

“When the user opened the document attachment, the contents of the document were often obscured or ‘encoded for security,’ with instructions to the user to click the ‘Enable Content’ button in Word to view the document’s contents. Doing so actually ran the malicious macro code and resulted in the infection of the user’s computer,” he added. These attacks signified a broadening scope for the banking Trojan, from its use in exploiting vulnerabilities in computer software to targeting the user credentials of a host of services, including proprietary and network accounts, and increasingly, cloud services.

Indeed, account credentials for cloud storage services like Google Drive, DropBox and Apple platforms were the most attractive prize for hackers, according to the report. While phishing attempts targeted Apple accounts the most, those attempts aimed at accessing user’s Google Drive accounts were the most acted upon.

Cyber attackers’ emails attempts were also timed to maximize potential exposure and increase employee action. The amount of malicious messages sent to companies peaked around 9:00am and fell by 1:00pm on weekdays, with Tuesday being the most the preferred day for such attacks.

A small portion the email attempts were highly targeted, heavily researched attacks made on a few high-level personnel, usually those at a company with the ability to transfer funds directly. Deemed “wire transfer phishing” or “CEO Phishing,” according to the report, these attacks usually involve emails that surreptitiously use a company’s executive name or an email domain of similar companies. Because of their sophisticated and specific focus, these attacks are far less frequent than others.

Asked about the reasons behind phishing’s success, Epstein pointed to their appeal to employees’ inquisitiveness. “Most tricks depend on users' own basic curiosity. We all want to see what that blurred image is in a document, or who's inviting us to a social network. There are a wide variety of techniques attackers can use to trick users into carrying out exploits.”

In Through the App

Beyond email phishing, cyber attackers are also finding success exploiting how employees use their personal devices. Malicious mobile apps download from “rogue app stores,” the report found, currently affect around 40 percent of businesses. The apps, which can even affect phones that are not jailbroken, aim to steal sensitive, personal and access data, and are overwhelmingly game or entertainment software, though education, book, lifestyle and utility apps are also common.

These apps’ foothold in the digital marketplace is vast — according to Proofpoint, there are more than 12,000 of these malicious apps on Android app stores alone, with more than two billion downloads.

So why do users willingly download these data-stealing apps?

“Everyone wants free stuff, “explains Epstein. “Threat actors capitalize on that desire for free apps and content on the any device at any time. Users — or their children — often access a DarkSideLoader marketplace to download games, wallpaper, and other media for free; get free movies and other content; get free productivity apps; and get apps that are not available on Apple’s official app store. The top-ten paid apps on the Apple App Store are all available for free on the vShare marketplace, including well known titles such as Minecraft and Geometry Dash, as well as business apps from publishers including Adobe and Microsoft.”

Given cyber attackers’ success and effectiveness in undermining and successfully exploiting employee behaviors, Epstein believes these types of attacks will continue to influence the cybersecurity world in the years to come. “Money talks. Phishing scams have been and remain popular with threat actors because they are scalable and very profitable, delivering profits both directly in the form of bank transfers and indirectly through the sale of user information, credentials, and compromised accounts,” said Epstein. “In addition, phishing scams are supported by a sophisticated cybercrime infrastructure that can quickly adapt to changing defenses, making it possible to continuously maintain and improve their effectiveness. Phishing scams continue to be successful because they leverage the one part of an organization’s IT infrastructure that cannot be patched: people.”