By Marc Laliberte, Sr. Security Analyst, WatchGuard Technologies
Cybersecurity threats are continuously evolving as attackers constantly vary their methods and tools to sidestep improved cyber defenses. To better understand this behavior, the WatchGuard Threat Lab analyzes these changing trends in our quarterly Internet Security Report. Not surprising, in Q4 2018 our team saw a mix of threats targeting organizations of all sizes. However, there were several attack methods that stood out and are worth exploring in more detail.
Perhaps the biggest trend throughout the quarter was a rise in phishing attacks. Specifically, we tracked two separate campaigns that made it into the most prolific and most widespread threat lists respectively. Phishing – or using spoofed emails to trick victims as part of an attack – isn’t a new threat in and of itself. Cybercriminals have been using phishing as a method to initiate some truly devastating attacks for years, from the Target data breach to taking down Ukrainian power grids. But, this quarter highlighted two unique types of phishing attacks that everyone should be aware of:
Your Dirty Little Secret – Sextortion
The first phishing attack was actually detected by a malware signature called Trojan.Phishing.MH and claimed the #2 overall rank by volume for the quarter’s threats. Despite the name, this particular attack didn’t actually use a Trojan or any malware. This phishing campaign was actually a sextortion attack designed to extort its victims out of hundreds of dollars using bogus claims.
In the email, the attacker claims to have infected the victim’s computer with malware several months prior. The cyber-criminal states that he/she has been monitoring the victim for some time, including browsing behavior and using the victim’s webcam. The attacker claims they will release all of the victim’s dirty secrets to their friends and family unless they send $528 in bitcoin.
While on the surface, this type of Phish may seem obviously fake, some of the variants we found used tricks to add additional credibility. For example, the attacker spoofed the “From” address in the email to make it look like they sent the message from the victim’s own account. To someone not versed in the technicalities of email delivery this may seem like proof, but in reality, spoofing the “From” address in an email message is incredibly easy.
Some other variants “prove” they have access to the victim’s computer by including one of the victim’s passwords, taken from one of the many password breach databases available on the dark web. These little extra additions could be enough to trick an unsuspecting victim into believing the authenticity of the message.
Time to Cash in – Wells Fargo
The second phishing campaign showed up ranked 5th in our list of most widespread detections, meaning it affected a large number of unique organizations. This attack masqueraded as a notification from Wells Fargo bank, informing the victim that their contact information was updated, and prompting them to download their “contact information file” to view the change or make additional updates. This is a common method attackers use to trick victims into downloading malware into their computers.
Phishing remains one of the primary avenues for initiating an attack. End users are typically the weakest link in any cyber defense. It isn’t entirely their fault either, many organizations still don’t set their end users up for success with phishing and security awareness training. As phishers become more believable, anti-phishing training becomes even more important. Without training, most industries suffer from phishing “click rates” between 20 and 30 percent, according to baseline tests from KnowBe4. Getting that number down to single-digits can go a long way towards reducing your organization’s risk.
Crypto miners (Still) Reign…
Phishing wasn’t the only trend in Q4 2018. Cryptojackers or cryptocurrency-mining malware continued to plague organizations throughout the quarter. Even though cryptocurrencies as a whole have plummeted in value since their record highs in December 2017, cybercriminals haven’t backed off hijacking computer resources to mine them.
Cryptojacking comes in a few different forms, JavaScript-based miners that run in a user’s browser, and traditional malware applications that run on the victim’s operating system. We saw both show up across malware detections during Q4. The #1 most widespread threat from the quarter was CoinHive, a popular JavaScript-based cryptocurrency miner. CoinHive started out as a “legitimate” cryptominer for websites to use as an alternative revenue stream, mining cryptocurrency in a visitor’s web browsers in place, or in addition to, advertisements. Attackers quickly stole the idea, and much of the code, to inject into other websites and earn a coin for themselves.
CoinHive wasn’t the only cryptocurrency miner we saw during the quarter. A standalone crypto miner malware payload showed up ranked #3 in the top attacks by volume. Additionally, Razy, a trojan with a recently-added crypto mining module, stayed in the top ten for the second quarter in a row.
Attackers don’t care if an individual crypto jacker infection only earns them fractions of a cent per day. If they can create a botnet of a few thousand infected hosts, the revenue can quickly add up. Cybercriminals are getting better at hiding these attacks too. They’ve started throttling the number of resources their malware uses to make users less likely to notice an infection. This allows them to sit around for even longer, turning stolen CPU cycles into cash.
In general, attackers are getting better at masking their tracks, which means organizations need to rely on tools that can detect evasive threats. Signature-based anti-malware is no longer sufficient on its own. The good news is, more advanced tools that use machine learning or behavioral analysis are available to even the smallest organizations. By using the latest defensive tools, and ensuring employees are properly trained, companies can ensure they are on the best footing to defend themselves against the latest attack trends.
These were just a few of the most compelling threat trends from last quarter. Read the full report for more information and best practices.
About the Author
Marc Laliberte is a Senior Security Analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and trends. He has discovered, analyzed, responsibly disclosed and reported on numerous security vulnerabilities in a variety of Internet of Things devices since joining the WatchGuard team in 2012. With speaking appearances at industry events including RSA and regular contributions to online IT, technology and security publications, Marc is a thought leader who provides insightful security guidance to all levels of IT personnel.