Intro from the 2016 Threat Brief:
“2015 was yet another record year for cybercrime, during which more malware, malicious IPs, websites, and mobile apps were discovered than in any previous year. It comes as no surprise that the cybercrime ecosystem continues to thrive, given new innovations and little in the way of risk for those who choose to participate. The continued onslaught of hacks, breaches, and social engineering scams targeting individuals, businesses, and government agencies alike has caused many in the security field to ask if it’s truly possible to defend against a persistent attacker.
…
At Webroot, we believe it is possible to effectively protect enterprises and users, but only by understanding your adversary and the techniques they employ for their attacks.
…
Our approach and security solutions reflect our in-depth understanding of the threat landscape and how attackers think, to provide cutting-edge, proven next-generation protection and real-time detection of threats as they emerge. The Webroot 2016 Threat Brief provides a glimpse into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks seen by our users over the past year.”
The brief in its entirety can be found here.
However, in this blog, I want to talk about two sections of the Threat Brief and what I found to be most interesting. The first has to do with new malware discoveries and how often malware ensures it is unique with each new infection. The other has to do with the prevalence and targets of phishing attacks, as well as a tactic to improve your personal online security.
Before I go on, it is first important to talk about the source of this data. With respect to malware and phishing site encounters, these stats are pulled directly from Webroot SecureAnywhere users and their real world encounters with these threats. This is an important distinction as it enables us to calculate how frequently different types of attacks occur and the likeliness that an average user encounters such an attack.
Let’s begin with what was interesting in the malware detection data, mainly the fact that around 97% of the time, malware is unique to the system it infects. That is to say that the specific malicious file is never seen elsewhere. This is intentionally done by malware authors and distributors to make the discovery of their threats more difficult. The technology behind this technique is not new however, and is known as polymorphism. The overwhelming trend is that malware uses polymorphism, either on the server side where the malware is distributed from, or through the malware itself where with each new infection, the samples change. While polymorphic malware has been around for over a decade, it is now the norm for nearly all threats today.
Beyond the polymorphic trend, malware encounter data also showed that Webroot SecureAnywhere users encountered more threats on average than in 2014. The per-user infection rate in 2015 was 1.6 infections per customer, compared to 1.2 in 2014. What this means is that infections are more common and during the course of a year, you will more than likely be exposed to a threat. The good news for Webroot customers is that we’ve protected you from these threats. That said, our users were 25% more likely to encounter threats in 2015 than in 2014.
The last bit I want to talk about with respect to malware, is the speed at which churn between variants occurs. We measure this by counting the number of examples per variant that are discovered, on average, before no new samples show up and a new variant is discovered. In 2015, this number plummeted to 97 examples per variant compared to 2014 where nearly 700 examples were discovered. Ultimately, what this shows is that malware authors and distributors are speeding up their variant release process in their efforts to evade detection. Thankfully, the Webroot model for threat discovery isn’t affected by the speed of new malware development, and instead relies on awareness at each individual endpoint we protect. This ensures that even if the samples per variant drops to one, we are still aware of that individual threat and are able to identify and protect against the infection.
The second threat type I want to talk about is the notorious phishing attack. These are malicious websites that impersonate legitimate websites as they look to steal login credentials and more. The vast majority of phishing URL’s show up in carefully crafted emails that use social engineering techniques to encourage some call to action. A common example is an email claiming your account has been suspended and to log in to restore access.
In 2015, over 4 million phishing URL’s were clicked on by Webroot SecureAnywhere users. The good news is that none of these users had the chance to give away their credentials as SecureAnywhere blocked the URL’s page from loading. The bad news is that that the volume of phishing URL’s has increased considerably over 2014. In 2015, about 50% of WSA users clicked on a phishing URL compared to 30% in 2014. There are a number of factors that are responsible for this increase, but the two main ones are that phishing sites are inexpensive to host and that they are an effective method for collecting credentials. In so long as people can be tricked into clicking on a malicious link, phishing sites aren’t going anywhere.
The other interesting data around phishing site detection surrounds correlating the phishing site to the company or entity that is being impersonated. In the Threat Brief, we break them into two main categories which are financial institutions and technology companies. When looking at all phishing sites discovered in 2015, a little more than 2/3 of sites were targeting a technology company such as Google or Apple. This might sound odd as you might think that breaking into someone’s bank account would be more valuable. However, quite the opposite is true. Google is by far the number one target of phishing attacks because the value of breaking into someone’s primary email account is very high. The reason is that an email account provides information about what other accounts an individual has (including financial accounts), as well as the ability to reset those accounts’ passwords as the password reset option validates through the associated email address.
This brings me to my final point, which is less about phishing and more about email security. The number one tip I recommend to help improve personal online security is to make sure your primary email account password is unique from all other passwords. This ensures that your email is difficult to break into when a password for another site is compromised. This happens all-too-often by no fault of a user, but rather because businesses are often attacked and credential data is compromised. The first thing hackers do with stolen credential data is to see what other accounts can be accessed. If your email password is unique, there is no chance of it being compromised through a collateral attack.
There are many other interesting observations in the full 2016 Threat Brief, and I encourage you to read the full report.