Security and compliance vendor Proofpoint's second annual ‘The Human Factor Report 2015’ reveals that 2014 was the year attackers “went corporate”, moving away from high-volume consumer attacks towards more sophisticated approaches that target middle managers, who are often overloaded with information.
The report, which is based on customer data, found that, on average, users click on one in every 25 malicious messages, with click rates doubling year-on-year for middle managers.
Sales, finance and procurement executives were the worst offenders, with click rates up by 50-80 percent compared to average department rates.
But arguably the most worrying statistics in the report were that attackers were able to lure two out of three users into clicking the first time around, with 96 percent of all clicks occurring within the first day, a significant rise from 66 percent and 39 percent in the two preceding years.
Interestingly, Proofpoint noted that none of the organisations observed had managed to eliminate clicks on malicious links entirely.
Clicks peaked during business hours, and typically on Tuesday and Thursday mornings, when business mail would be flowing thick and fast.
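The metrics the report is built on (click rate per message, click rate by department relative to the average, the share of clicks that land within the first day, and the weekday and hour when clicks peak) are the same ones a security team measures in its own phishing-simulation or mail-gateway data. The following script is an added example, not code from Proofpoint or from the report; the delivery and click records are constructed for illustration, and the function and variable names are my own. Only a recipient's first click is counted, so repeat clicks on the same message do not inflate the rate.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data for illustration, not figures from the report.
# One row per simulated phishing message: (message id, recipient's department,
# delivery time in ISO-8601). A real run would read this from the mail
# gateway or the phishing-simulation platform's export.
DELIVERIES = [
    ("m01", "sales", "2014-09-09T08:30:00"),        # Tuesday
    ("m02", "sales", "2014-09-09T08:30:00"),
    ("m03", "sales", "2014-09-11T08:30:00"),        # Thursday
    ("m04", "sales", "2014-09-11T08:30:00"),
    ("m05", "finance", "2014-09-09T08:30:00"),
    ("m06", "finance", "2014-09-09T08:30:00"),
    ("m07", "finance", "2014-09-11T08:30:00"),
    ("m08", "finance", "2014-09-11T08:30:00"),
    ("m09", "engineering", "2014-09-09T08:30:00"),
    ("m10", "engineering", "2014-09-09T08:30:00"),
    ("m11", "engineering", "2014-09-11T08:30:00"),
    ("m12", "engineering", "2014-09-11T08:30:00"),
]

# Click events as (message id, click time), also constructed. m01 is clicked
# twice to show that only the first click per message is counted, and m09 is
# clicked four days after delivery, outside the one-day window.
CLICKS = [
    ("m01", "2014-09-09T09:12:00"),
    ("m02", "2014-09-09T09:40:00"),
    ("m05", "2014-09-09T09:55:00"),
    ("m07", "2014-09-11T14:20:00"),
    ("m09", "2014-09-13T10:00:00"),
    ("m01", "2014-09-10T11:00:00"),   # repeat click, ignored
]

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _ts(s):
    return datetime.fromisoformat(s)


def first_clicks(clicks):
    """Map message id -> earliest click time; later repeat clicks are discarded."""
    first = {}
    for msg_id, clicked_at in clicks:
        t = _ts(clicked_at)
        if msg_id not in first or t < first[msg_id]:
            first[msg_id] = t
    return first


def click_rate(deliveries, clicks):
    """Fraction of delivered messages whose recipient clicked at least once."""
    first = first_clicks(clicks)
    return sum(1 for msg_id, _, _ in deliveries if msg_id in first) / len(deliveries)


def department_rates(deliveries, clicks):
    """Per-department click rate and its ratio to the overall rate (1.0 = average)."""
    first = first_clicks(clicks)
    sent, clicked = Counter(), Counter()
    for msg_id, dept, _ in deliveries:
        sent[dept] += 1
        if msg_id in first:
            clicked[dept] += 1
    overall = click_rate(deliveries, clicks)
    return {d: (clicked[d] / sent[d], (clicked[d] / sent[d]) / overall) for d in sent}


def share_within(deliveries, clicks, window=timedelta(days=1)):
    """Share of first clicks that happen within `window` of delivery."""
    first = first_clicks(clicks)
    delivered = {msg_id: _ts(at) for msg_id, _, at in deliveries}
    dwell = [first[m] - delivered[m] for m in first if m in delivered]
    return sum(1 for d in dwell if d <= window) / len(dwell)


def peak_slot(clicks):
    """(weekday, hour) with the most first clicks: when to schedule a test
    campaign, and when the SOC should expect the real ones."""
    slots = Counter((WEEKDAYS[t.weekday()], t.hour) for t in first_clicks(clicks).values())
    return slots.most_common(1)[0][0]


if __name__ == "__main__":
    print(f"overall click rate: {click_rate(DELIVERIES, CLICKS):.1%}")
    for dept, (rate, ratio) in sorted(department_rates(DELIVERIES, CLICKS).items()):
        print(f"  {dept:<12} {rate:.0%}  ({ratio:.2f}x average)")
    print(f"first clicks within one day: {share_within(DELIVERIES, CLICKS):.0%}")
    print("peak slot:", peak_slot(CLICKS))
```

On the constructed data this reports an overall rate of 41.7 percent, sales and finance at 1.2x the average and engineering at 0.6x, 80 percent of first clicks within a day, and a Tuesday 09:00 peak. The ratio column is the number to watch across campaigns: a department consistently above 1.0 is where targeted training (or stricter attachment policy) pays off first, and the time-to-click share tells you how little time a gateway has to catch a lure after delivery.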
On a more positive note, clicks on social media lures – one of the biggest concerns in 2013 – were down 94 percent in 2014, but this only saw attackers switch to new tactics, such as ditching URLs for attachments claiming to contain message notifications and corporate financial alerts.
Cyber-criminals would, according to Proofpoint, look to mix these ‘longline’ campaigns with strategic web compromises, attachment-based campaigns, and corporate communication and financial email lures, specifically targeting users running Windows and the Internet Explorer browser.
On select days in 2014, Proofpoint saw a 1,000 percent increase in messages with malicious attachments over the normal volume. "The central lesson of 2014 for CISOs is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated," reads the report.
"The Human Factor research validates the critical value of threat information—and provides insight into how, when and where attacks are taking place," said Kevin Epstein, Proofpoint's vice president of advanced security and governance.
"The only effective defence is a layered defence, a defence that acknowledges and plans for the fact that some threats will penetrate the perimeter. Someone always clicks, which means that threats will reach users. Proofpoint's approach is effective because our systems can determine who those users are, where they are, and what's happening in real time—and actively protect organizations with real-time automated threat response."
The AntiSocial Engineer's principal consultant Richard De Vere has an extensive background in penetration testing and social engineering, including ‘red team’ exercises, phishing and information gathering assessments.
He told SCMagazineUK.com that the report “very much mirrors” his own experience of running simulated social engineering attacks on client organisations.
“I have yet to have a client completely resist a determined attack. Many have come close but they all give away sensitive access, credentials or control in some way.
“Add in the fact that larger companies have more money and data to steal, and it's easy to see why attackers are moving away from the small time antics of carding and PayPal scams into the larger, more affluent scene of corporations.”
De Vere added that it was “no surprise” middle management was an increasing target. “If you're putting together a phishing email, LinkedIn is a goldmine of middle managers and C-level executives. Automated tools can quickly pull together a list of hundreds of email addresses — together with user data and VPN/OWA/Active Directory credentials.”
“The rest of the data also clearly tells us what we know deep down. Let's put computers to one side for a second because it's easy to get wrapped up in software and solutions, vulnerabilities and SIEM. The real issue is bigger than Heartbleed, bigger than Sony or Target or Shellshock. It's human nature — greed, complacency, carelessness.”
“If you send a salesperson a PDF called ‘Purchase Order' are they going to open it? — yes. Do they actually want to damage their company and lose the job they struggled to get? — rarely. Would they click the link if they knew it meant jeopardising their job? — never. This isn't an issue of computers or exploits, it's an issue of knowledge. The only effective defence is training.”
Mo Amin, an independent information security consultant, who is currently working with The Roer Group on the Security Culture Framework, added in an email to SC: "Enterprise environments are dynamic in nature and as such it's inevitable that someone within the organisation may click on a link they should have thought twice about be they a middle-manager or sales executive.
“As always it comes down to people, process and technology - yes, we need adequate technical controls in place but without the right processes and effective awareness programmes what might have been avoided can turn into a media frenzy.
“Ultimately organisations need to appreciate that the threat landscape is constantly changing as such you need a security conscious workforce i.e. a security culture.
“Let's be realistic, attacks will occur and organisations will get compromised - the key is how you handle the incident and how you evolve going forward."