Proofpoint experts estimated that 85% of all email spam sent in the second quarter of 2019 (April, May, and June) contained links for downloading malicious files, but not attachments with the files themselves.
Researchers write that the second quarter thus continues the trend of the first, when malicious URLs were also the most popular way to distribute malware through email. This trend shows that by using links, malicious campaign operators receive more clicks and infections than with the classical technique of attaching files to emails; users have evidently become distrustful of any attachments in the mail.
“As in recent quarters, ransomware was virtually absent in Q2, with the exception of some smaller-scale, targeted GandCrab and Sodinokibi campaigns. Remote access Trojans (RATs), which peaked at a mere 1% of the overall volume in Q1 2019, increased several fold to 6% of initial malicious payloads, largely due to increased activity by TA505, a frequent distributor of RATs in moderate-volume campaigns. Keylogger and backdoor activity increased several fold, but still account for less than 8% of payloads. Banking Trojan activity remained relatively steady, increasing from 21% in Q1 to 23% in Q2,” Proofpoint experts also report.
It is also worth noting that a previous Proofpoint report found that 99% of all email-based cyberattacks require human interaction: the target must open a file, click a link, or take some other action.
Other findings from the latest Proofpoint report released this month read:
- In 57% of cases, spammers use domain spoofing.
- Botnets have become the most popular malware distributed through spam campaigns; they accounted for 37% of all emails.
- The botnets are followed by banking trojans (23%), data theft software (16%), malware downloaders (8%), remote access trojans (6%) and backdoors (5%).
- As in previous quarters, ransomware activity was practically not recorded in the second quarter.
- Ursnif malware accounted for 80% of all banking Trojans sent by email. It is followed by URLZone, The Trick and Dridex.
- In the first place in the ranking of data theft software is Pony, followed by AZORult, Loki Bot and Formbook.
Proofpoint Recommendations
Assume users will click. Social engineering is increasingly the most popular way to launch email attacks and criminals continue to find new ways to exploit the human factor. Leverage a solution that identifies and quarantines both inbound email threats targeting employees and outbound threats targeting customers before they reach the inbox.
Build a robust defense against impostor attacks. Highly-targeted, low volume business email compromise scams often have no payload at all and are thus difficult to detect. Invest in a solution that has dynamic classification capabilities that you can use to build quarantine and blocking policies. This solution must also be scalable as threat actors with a variety of aims and practices adopt identity deception techniques and should, where possible, include full implementation of DMARC.
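To make the DMARC recommendation concrete, here is an added example (not from Proofpoint or the report) that parses a domain's DMARC TXT record and flags every setting that falls short of full enforcement; the record strings and the example.com reporting mailbox are constructed.

```python
# Added example, not from the Proofpoint report: parse a DMARC TXT record (RFC 7489) and flag settings short of full enforcement.
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class DmarcAssessment:
    tags: Dict[str, str]
    findings: List[str] = field(default_factory=list)

    @property
    def fully_enforced(self) -> bool:
        return not self.findings

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    """Record every setting that leaves spoofed mail deliverable or unobserved."""
    tags = parse_dmarc(record)
    result = DmarcAssessment(tags)
    policy = tags.get("p", "none")
    if policy != "reject":
        result.findings.append(f"p={policy}: spoofed mail is not rejected")
    # sp= defaults to p=; an explicit weaker subdomain policy reopens the gap.
    sub = tags.get("sp", policy)
    if sub != "reject":
        result.findings.append(f"sp={sub}: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        result.findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        result.findings.append("no rua=: no aggregate reports, alignment failures go unseen")
    return result

if __name__ == "__main__":  # constructed records: monitoring-only vs full enforcement
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", assess_dmarc(rec).findings or "fully enforced")
```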
Partner with a threat intelligence vendor. Smaller, more targeted attacks call for sophisticated threat intelligence. Leverage a solution that combines static and dynamic techniques to detect new attack tools, tactics, and targets—and then learns from them.