BEC-style attacks exploded in Q4 2018

Email remains the top vector for malware distribution and phishing, while BEC fraud continues to grow rapidly, Proofpoint warns in its Q4 2018 Threat Report.

“The number of email fraud attacks against targeted companies increased 226% Quarter-on-Quarter and 476% vs. Q4 2017,” the company pointed out. “On average, companies targeted by BEC received about 120 fraudulent emails in the fourth quarter of the year, up from 36 in Q3 2018 and up from 21 in the year-ago quarter.”

BEC attackers loved to target companies in the telecommunications industry, but didn’t avoid those in other sectors, especially transportation, education and the automotive industry.

“As we noted in Q3 2018, email fraud has shifted towards a ‘many-to-many’ challenge: attackers spoof many identities to target many people within the organizations; 59% of attacks followed this pattern in Q4. Notably, 60% of companies saw their own domains spoofed by email fraud actors, an increase of almost 10 percentage points from the previous quarter,” the company added.

Malware threats and extortion attempts

Messages leveraging malicious URLs outnumbered malicious attachments by roughly 2:1 for Q4.

56% of malicious emails carried banking Trojans as a payload. (Of those, 76% carried Emotet.)

Q4 2018 threats

17% of the malicious attachments were downloaders and another 17% were credential stealers. Remote access Trojans (RATs) were contained in 8% of the malicious messages.

Interestingly enough, attackers have been avoiding delivering ransomware – it seems that ransomware campaigns don’t generate sufficient returns. Instead, the attackers are turning to direct extortion as an easier and less expensive way to get money from victims.

“These campaigns may take the form of so-called ‘sextortion’ or some other form of blackmail in which actors threaten to reveal compromising information or take destructive action if the victim does not pay a fee. With rare exceptions, these emails do not contain malware or malicious links and rely on the human factor to trick recipients,” Proofpoint noted.

Web-based attacks and social media threats

December saw a short but intense spike in Coinhive activity (23 times the average for the year), after which activity returned to low levels and continued to grow slowly.

Fake antivirus notifications and fake software updates that lead to malware downloads or phishing landing pages are a far more pervasive threat.

Social media support fraud – i.e. instances of threat actors inserting themselves into legitimate interactions between consumers and brands – increased by about 40% over the previous quarter (and over 500% over the entire year). Proofpoint believes it to be a direct consequence of platforms successfully clamping down on phishing links.
