Cloudmark is now part of Proofpoint. Learn More

About Proofpoint

Cloudmark 2015Global Threat Report

Measuring the Impact of Spear Phishing

For the past several years, the security industry has watched the tremendous growth and success of spear phishing attacks on business and governments. The headlines have been shocking, documenting incidents costing businesses tens of millions of dollars or compromising millions of confidential customer records.

We wanted to look beyond the news reports and gauge the impact of spear phishing and the threat it poses to enterprises. So we commissioned a study, conducted by the independent research firm Vanson Bourne, of IT decision makers in enterprises — 100 in the U.K, 200 in the U.S.

The results: spear phishing is endemic. Ninety-five percent of U.S. and 83% of U.K. respondents experienced spear phishing attacks (91% combined).

Spear phishing is effective: despite deploying traditional security solutions, 84% of respondents experienced spear phishing attacks that penetrated their security solutions.

Spear phishing is costly: of those experiencing attacks over the last 12 months, 81% suffered some negative impact as a result, with an average financial cost of $1.6 million — and some losses in the tens of millions of dollars.

And yet — there is a substantial gap between the reality of this threat, where almost every business is at risk, and its perception amongst enterprises. Ninety-one percent of respondents have experienced spear phishing attacks, and when enterprises test their employees, the failure rates are high. Seventy-nine percent of respondents test their employees' responses to spear phishing attacks, and 78% of those had failure rates of up to a quarter of their employees in their most recent test. Only 3% had no failures.

Spear phishing is a substantial risk to nearly all enterprises, but only 73% of respondents feel that spear phishing currently poses a threat to their organization. Seventy-seven percent feel that it will pose a threat within the next 12 months. And this gap is reflected in respondents' actions, as only 71% have implemented a specific solution to attempt to prevent spear phishing, leaving a large number of respondents poorly protected. Those 71% are depending on traditional anti-spam (84%) and anti-virus (81%) software to protect their users, along with staff training (79%) and educational campaigns (64%).

These measures are only partially effective. As we saw above, 84% of respondents received spear phishing attacks which passed through their security solutions. The high financial lossses — $1.6 million on average — are only part of the story; other respondents experienced loss of reputation or even customers, a drop in stock price, or other negative effects. In some business sectors, more than half of respondents (55%) suffered a loss of customers; in others, almost half (47%) suffered a financial loss.

Anti-spam and anti-virus technology can be effective in blocking some kinds of generic phishing. About 45% of respondents have deployed secure web gateways or URL filtering solutions, which might be effective in protecting users from threats such as fake bank or webmail login pages hosted on hacked domains. And secure email gateways and file sandboxing (deployed by 58% and 28% of respondents, respectively) can be effective against malware deployment, an attack which 30% of respondents have experienced. While these technologies add valuable layers of defense, they are not effective against many kinds of spear phishing.

For example, in so-called "CEO fraud" or Business Email Compromise (BEC) attacks, the spear phisher masquerades as the company's CEO or another executive and instructs an employee in the finance department to send money via wire transfer to a bank account controlled by the phisher. These messages almost never contain an attachment or a call-to-action URL, so they will bypass traditional security technology easily.

BEC attacks are widespread. Sixty-three percent of respondents received spear phishing involving the spoofing of a CEO for financial gain in the last 12 months; in one sector, 48% received more than 30 such attacks over that period. Almost half of respondents tell us that the financial staff or department were specifically targeted in cyberattacks.

These cyber-attacks are costly for organizations, and current technological solutions offer only partial protection. But we found that training, an obvious complement to technological solutions, is not widespread: only 56% of respondents train staff to avoid spear phishing attacks, and only 34% of respondents provide ongoing training. Twenty-one percent provide only one-off or ad hoc training. Perhaps as a consequence, only 36% of respondents told us that their staff were very prepared for a spear phishing attack, but 57% were only somewhat prepared.

These gaps in training, existing solutions, and indeed even in the perception of the risk of spear phishing, have left organizations vulnerable — a vulnerability which spear phishers are effectively exploiting. There's a clear need for improved technology which is designed specifically to counter spear phishing, complementing existing solutions and training.

Swizzor Malware Campaign

With all of the talk of ransomware (e.g. CryptoLocker, Cryptowall, TeslaCrypt), crimeware (e.g. Dyre, Drydex) and other high profile fraud-related malware campaigns, some lesser-known malware families continue to operate under the radar. One such family is Swizzor/Bayrob, which is designed to deliver unsolicted ad content to victims and to modify browser settings without the user's permission.

Cloudmark observed a recent malware email campaign designed to spread the Swizzor/Bayrob family of malware. This particular campaign delivered booby-trapped emails to unsupecting users with various subjects such as "You have received a coupon!" and "You've just obtained an audible warning." Each email had a unique zip file attachment with names like "10linnie.zip" and "ethans56.zip." The attached zip file contained the malware payload. Examples of the payload filename include "kimberlyn.exe" and "cole.exe."

The following is a screenshot of one email from the Swizzor campaign:

An example of an email intended to distribute Swizzor malware
An example of an email designed to distribute Swizzor malware.

Cloudmark analysts found that the malware uses a very basic domain generation algorithm (DGA) for command and control (C&C) synchronization. DGAs avoid the fragility of statically-defined C&C server lists. A static list of C&C hostnames in the malware is easy to extract and block, preventing the malware from downloading instructions or ad content from the C&C servers. Static C&C infrastructure is also easier for authorities to shut down, or for other criminals to take over.

To make the infrastructure more robust, the C&C domain names are often generated dynamically, usually using the date as one input. The DGA often produces random domains like "yfewtvnpdk.info" or "oumaac.com". A malware controller can generate domains for future dates and use them to rendezvous with the malware network, so that even if today's C&C infrastructure is shut down, the DGA tells you where the malware will be connecting tomorrow. A DGA will generally produce a large number of domain names. The malware controller doesn't need to register all of them, and often control of only a single domain will serve to maintain or regain control of a botnet. Large lists of C&C domains are also harder for DNS admins to block.

Swizzor/Bayrob uses a very basic domain generation algorithim which concatenates lists of common words such as "window", "several", "space", "material", "third", "travel" to create domain names under the .net TLD, such as "materialthird.net" and "severalclose.net". These domains appear more normal than the random ones above, which helps the malicious activity blend in with normal traffic.

But the large number of generated domains has drawbacks as well, such as collision with existing legitimate domains; for example, "windowspace.net", appears to be a web development outfit based in Sri Lanka. But collision also works in the malware's favor, because blocking all possible DGA domains would also block access to legitimate sites.

The large number of domains also creates more opportunities for researchers to study and attempt to take control of the botnet by registering an unused DGA domain, a technique known as sinkholing. We see this with Swizzor/Bayrob's generated domain "materialthird.net", which whois reveals to be registered by "SINKHOLE SECURITY", with email BOTSMUSTDIE@GMAIL.COM.

One particular sample was using the domain "severalclose.net" as its C&C server. At the time of analysis this domain was resolving to 98.139.135.129 (owned by Yahoo!) but it has since been shut down and is no longer resolving. Running a passive DNS query on this IP address revealed a massive list of hundreds of domains related to several malware campaigns using the same IP, dating back to at least 2014-12-28.

Cloudmark will continue to monitor this threat to ensure that all Cloudmark Security Platform for Email customers are protected from the malicious emails.

Bitly, the Spammers' Favorite URL Shortener, May Be Damaging its Brand and Brands That Use It

The Bitly shortener service, which includes bit.ly, bitly.com, and j.mp, is subject to large-scale abuse by spammers. We are currently seeing about 25,000 different malicious Bitly links in spam emails every day. Ninety seven percent of all the different Bitly URLs that we see in email are malicious.

In addition to its direct users, Bitly provides URL shortening services for thousands of companies. Among the top brands that have used it are CNN and AOL. We have seen abuse of these Bitly provided shorteners: CNN.it and AOL.it. This abuse is on a scale that could damage these brands.

In response, we have informed these companies about the spammers' abuses. Both CNN and AOL have taken steps to dramatically reduce spam abuse.

While Bitly's own reputation may be negatively impacted by spammers' abuse, questions remain as to whether or not the other companies' who use Bitly also risk negative impacts to their brand and company reputations.

Bitly's response to spammers' abuse has been inadequate.

If you click on a Bitly link, the chances are very high that you will end up on a page promoting bootleg Viagra™, "free" gift cards, or phony diet pills rather than a legitimate site.

In general, URL shorteners provide a valuable service, by taking long and complex URLs with lots of parameters and converting them to a short and simple URL for inclusion in emails, text messages, or tweets.

For example, to link to a map of Cloudmark's HQ, it's much easier to use goo.gl/zcz5Mo than the original URL:

        https://www.google.com/maps/place/128+King+St,+San+Francisco,+CA+94107/@37.7795799,-122.3929166,17z/data=!3m1!4b1!4m2!3m1!1s0x808f7fd78deaa7e9:0x2e490cb5a74de46
    

However, like many other free services, URL shorteners are frequently abused by spammers. They provide an easy way for spammers to generate an unlimited number of call-to-action URLs. These may all redirect to the same web server where they host storefronts and spam content, but because there are so many different URLs in the email messages, spam filtering based on the call-to-action in the body of the message is more difficult.

In the past, we have periodically seen significant abuse of the CNN.it shortener - created by Bitly - though the CNN.it abuse has not been on the same scale as on Bitly's own domains.

If you go to the Bitly home page and enter any link in the cnn.com domain, Bitly will give you a short CNN.it link rather than a Bitly link. However, within the cnn.com domain, there is a script http://www.mexico.cnn.com/redirectComplete.php, which when passed an arbitrary URL as a CGI parameter, would redirect to that URL. If you want to set up a CNN.it shortener to, say, Cloudmark.com, go to http://bit.ly and request a URL shortener for http://mexico.cnn.com/redirectComplete.php?url=http://www.cloudmark.com/.

Spammy URL Shortener Example
Spammy URL Shortener Example

This email with the subject "!!" and nothing but a CNN.it link in the body might appear to be a hot news story being circulated. In fact, the link went to a phony diet pill page that includes the CNN logo.

Cheap plated clasps including a Chinese-inscribed button
A spammer's shortened CNN link re-directs to a phony diet pill page.

The CNN.it URL shortener was abused from Jan 9th 2016 through Jan 19th 2016, peaking at 8,800 malicious URLs on one day on Jan 11th 2016. (These numbers are not included in the 25,000 Bitly emails mentioned previously.)

Before publication of this report we contacted CNN about the abuse of CNN.it, and the internal redirector URL has now been disabled.

Similar abuse of AOL.it had been going on since fall of 2015, but at much lower levels. AOL.it abuse peaked a couple of times at more than 1,000 malicious URLs in a day but was usually lower. We started sending automated abuse reports to AOL in December and haven't seen any significant abuse since January 7th 2016.

In our experience, we have seen other URL shorteners abused by spammers. In most cases, the shortener provider addresses the abuse problem.

A prime example is Twitter. Eighteen months ago we reported 1 major abuse of Twitter's t.co shortener. We discussed the issue with Twitter and shared our findings with them. Twitter has improved their security and currently only 2.6% of the t.co URLs that we see in email are flagged as spam. We have had similar positive experience when we reached out to other URL shortener providers.

However, Bitly is a different case.

Six months ago in our 2015 Q2 Threat Report 2 we indicated that the majority of spammers had moved from t.co to Bitly.

Since then we have attempted to collaborate with Bitly to fix this problem. These efforts included setting up an automated notification system to email Bitly's abuse reporting address with lists of malicious Bitly URLs within minutes of them being detected.

Unfortunately, the response has been disappointing. Since December 1, 2015 Cloudmark has notified Bitly of over half a million malicious links, and yet none of these appear to have been blocked by Bitly.

Since the vast majority of Bitly links in email are malicious, Cloudmark may be forced to be more aggressive about filtering emails containing such links. It is possible that this may result in some legitimate newsletters containing these links being flagged as spam. If that happens we recommend that the sender switch to using a URL shortener with a better reputation.

We hope that Bitly will improve their anti-abuse practices and shut down access to spammers before they do any more damage to their own brand, their users, and their clients.

Softlayer: 80% Reduction in Outbound Spam, but Still Some Work to Do

In Q3 2015, the largest source of outbound spam detected by the Cloudmark Global Threat Network was the IBM subsidiary, Softlayer. See https://blog.cloudmark.com/2015/11/04/cloudmarks-2015-q3-global-threat-report/. Similar findings were reported by Spamhaus 3. We shared our research with Softlayer directly and they took prompt action to curb outbound spam, especially from new users. There has been a continued improvement since then. In October they were in second place in our list of high volume spam sources, in November fourteenth place, and in December twenty-second place. The average outbound spam volume from Softlayer in November and December was only 20% of the levels seen in Q3.

While there has been substantial reduction in Softlayer's outbound spam, there is still room for improvement. In December 22% of all outbound mail from Softlayer that reached the Cloudmark Global Threat Network was flagged as spam, which is about twice the level of several other major U.S.-based hosting companies.

Softlayer Spam Email Volume From June to December 2015

As you can see from the above chart, there was a significant reduction in the volume of legitimate email originating from Softlayer when they introduced their anti-spammer measures towards the end of October. Legitimate outbound email levels in November and December were only 35% of the level in Q3. We believe this is because Brazilian marketers were using Softlayer to send large volumes of graymail — unsolicted but not malicious marketing email. Brazil has no anti-spam laws, so email users are bombarded with huge volumes of greymail. Some of this we flag as spam based on user feedback, but some is acceptable enough to the recipients that we do not filter it.

The types of outbound spam that we are seeing from Softlayer have changed as well. The Brazilian phishing attacks are no longer there in large volume, but we are still seeing bootleg pharmacy spam, and unsolicted marketing messages. Though Brazil is still the major recipient of this spam, we are also seeing reports from the U.S., Italy, Switzerland, the U.K., the Netherlands, and many other countries.

It's promising to see the progress Softlayer has made in reducing their outbound spam problem, and we look forward to seeing further success in this area.

2016 Security Predictions

The stream of massive data breaches continued in 2015. It seems that no sector was immune to hacking: banks, government, data sites, healthcare, ISPs, and even security companies were compromised. Anywhere there was sensitive data, hackers were trying to obtain it, and in many cases they succeeded. However, hacking is not entirely without risks, and law enforcement in various countries indicated or arrested individuals alleged to be responsible for some of these data breaches, including the Office of Personnel Management, JP Morgan Chase, and Talk-Talk. Let's take a look at some of the things that we think might happen in 2016.

Someone will find a way to monetize an IoT attack

Security on most IoT devices is terrible, but they have not been subject to many attacks for several reasons. Since there is a large variety of devices, there is no uniform attack surface that cybercriminals can explore. Additionally, it's difficult to monetize a remote attack that turns down someone's thermostat or burns their toast. However, the criminal mind is extremely inventive and someone, somewhere is going to figure out how to profit by hacking vulnerable devices. For instance, any voice activated device has a microphone which might be used to spy on conversations, and any smart TV with a webcam might capture video as well. A home security system could be hacked and instructed to unlock a door to allow a thief to enter. Even a device with no external sensors might be used to monitor network traffic and relay it to an external spy.

Any IoT device installed in a secure environment should have a way for the vendor, and only the vendor, to install patches if vulnerabilities are discovered. Look for the ability to automatically download digitally signed firmware updates. Beware of any listening or webcam devices in conference rooms or other places where sensitive topics are discussed. If you must have secret discussions in a room with a smart TV, don't assume it isn't doing anything because it is turned off. Unplug it from the power outlet unless you are actually watching TV.

DDoS and ransomware extortion will continue to increase

The ease of using Bitcoin for various types of extortion has led to an increase in ransomware and DDoS extortion. However, for the victim the results differ. If you pay a ransom for your data, the chances are you will get it back. If you pay off DDoS attackers, they are likely to just come back for more. Businesses should sign up for a reliable DDoS protection service before they get attacked, rather than having to pay ransom to delinquent script kiddies. Paying ransom to prevent DDoS will only make things worse.

Ransomware being a cash cow for cybercriminals, and Bitcoin making it easier to collect the ransom without being tracked by financial institutions, we can expect to see the attacks continue and spread to other platforms such as Mac OS X and Linux. The best protection against ransomware is not to get infected, so make sure your spam filtering and anti-virus software are current and effective. However if you do get hit, oftentimes being able to restore from a backup will prevent you having to pay ransom. Make sure all your critical data is backed up, preferably with an off-line backup. Test out your restore process from time to time to make sure it still works. For individuals and small businesses there are a number of cloud backup services that do a great job and are far better than paying ransom.

Zero days become so valuable we may see them deliberatley introduced by developers

As zero day vulnerability prices skyrocket to six to seven figures, some developers will deliberately insert bugs into major vendors' code so that a friend can claim the bug bounty, and split the reward with them. Currently the economics aren't quite there in the U.S. It wouldn't make sense for a programmer making a six-figure annual salary to risk losing that for a share of a six-figure bug bounty. However, companies that outsource development of key products to countries where developers are paid less are already at risk to this type of deception. We have previously seen vulnerabilities deliberately introduced into open source software such as WordPress plugins, and commercial software will probably not be far behind.

Cyberattacks will increasingly cross over into the real world

As more factories and critical infrastructure are connected to the Internet, they will become more attractive targets for terrorists and hacktivists. According to a recent ESG survey, 68% of critical infrastructure organizations surveyed claimed they experienced one or more security incidents over the past two years. We may see cyberattacks continue to evolve with attackers escalating from defacing websites to shutting down refineries or power grids, as we are seeing in the Ukraine.

Attaching infrastructure to the Internet allows for remote monitoring and control, which is extremely convenient for the owners and operators. However, this has to be weighed against the increased vulnerability to attack from anywhere in the world. As we have seen over the past few years, there is no such thing as a completely secure system when faced with a sufficiently determined hacker with enough resources.

If you must connect your chemical plant, pipeline, or munitions factory to the Internet, make sure that the cost of breaking in is greater than the damage that an attacker could do, and confirm this by regular penetration testing. The weakest link in any system is often the people using it, so make sure that your staff is trained to detect and respond appropriately to spear phishing and social engineering attacks.

Presidential candidates will be prime targets for hacking

With the election season in the United States gaining steam, presidential campaigns and political action committees will be prime targets for hacktivists. We can expect to see hackers release embarrassing emails or campaign planning documents from campaigns that don't have first rate OpSec. After making this prediction but before publication, Anonymous announced that they are going after Donald Trump, but we expect he will not be the only candidate to attract this sort of unwelcome attention.

High tech companies will be driven out of the U.K.

The United Kingdom will pass the Investigatory Powers Bill requiring a backdoor in strong encryption. As a result, other major Internet companies will follow Yahoo!'s lead and move their operations out of the U.K. to avoid being subject to this law.

Country Report: Germany

Currently the European country with the largest output of spam detected by the Cloudmark Global Threat Network is Germany. German spam output is several times that of such traditional spam sources as Russia, India and China. Most of this is unsolicited bulk marketing email sent from Germany to Brazil by Brazilian companies using German hosting services. Since Brazil has no anti-spam laws, this is technically legal, but still highly undesirable, and it damages the reputation of the hosting services and may negatively impact deliverability for their other customers.

Figure 2

Italy also receives a high volume of graymail and spam from Germany. Collectively Italy and Brazil absorb more than 70% of Germany's spam output. A relatively small proportion (less than 5%) stays at home in Germany.

Three large hosting companies — Contabo GmbH, Hetzner Online GmbH, and Global Access Internet Services GmbH — are responsible between them for 72% of Germany's outbound spam. Global is the favorite for spamming Italy, while Contabo and Hetzner are mostly spamming Brazil.

German consumers are subjected to relatively small volumes of inbound spam. There is some greymail, that is, legitimate marketing emails with poor mailing list hygiene that results in unwanted emails. There is also an affiliate spammer who is targeting Germans with emails sent from a hosting company in Hungary. In December 2015 this spammer accounted for more than 20% of all the spam sent to German consumers. Of course, more malicious software is also targeted at German users, including banking Trojans and phishing attacks.

It appears that Germany's anti-spam laws are largely effective in protecting German consumers from high volumes of spam, but they are not doing nearly enough to protect consumers in other countries against spam originating in Germany.

References

  1. 1 http://blog.cloudmark.com/2014/08/06/how-spammers-are-abusing-twitters-t-co-url-shortener/
  2. 4 https://www.cloudmark.com/en/register/threat-reports/report-15q2/blog-post/html
  3. 1 https://www.spamhaus.org/news/article/727/brazilian-internet-users-suffer-softlayers-security-fail

Cloudmark 2015 Annual Security Threat Report (831KB)

back to top

Cloudmark 2015 Annual Security Threat Report (831KB)

Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world's inboxes from wide-scale and targeted email threats.

With more than a decade of experience protecting the world's largest messaging environments, only Cloudmark combines global threat intelligence from a billion subscribers with local behavioral context tracking to deliver instant and predictive defense against data theft and security breaches that result in financial loss and damage to brand and reputation.

Cloudmark protects more than 120 tier-one service providers, including Verizon, Swisscom, Comcast, Cox and NTT, as well as tens of thousands of enterprises.

Site Map  •  Privacy Policy  •  ©2002–2018 Cloudmark, Inc.