Proofpoint’s senior director of the threat research team discusses the strange levels that attackers are going to in order to persuade victims to click on phishing messages.
Hackers aren’t just targeting infrastructure anymore – they’re actively playing on the emotions of people, whether it’s a consumer who desperately wants to lose weight or an employee who is nervous he will lose his job if he doesn’t do exactly what his boss says.
That’s according to Proofpoint’s 2019 Human Factor Report, released this week, which outlines the top social engineering tactics that attackers are using – including the most lucrative industries and victim types they’re looking at, the most-clicked type of spear-phishing and spam message (hint: it has to do with diet and mental enhancement), and how the social engineering threat landscape is changing in general.
Sherrod DeGrippo, the senior director of the threat research and detection team at Proofpoint, joins Threatpost editor Lindsey O’Donnell to swap stories about the craziest scams and phishing attempts that she’s seen – from swearword-riddled threats to sue victims, to real estate scams that have actually succeeded in swindling buyers out of hundreds of thousands of dollars – and how hackers are playing into victims’ emotions to get them to click on that malicious attachment or link.
Lindsey O’Donnell: Hi, welcome back to the Threatpost Podcast. This is Lindsey O’Donnell with Threatpost and I’m here today with Sherrod DeGrippo, the senior director of the threat research and detection team over at Proofpoint. Sherrod, thanks for joining me today. It’s nice to be speaking to you again.
Sherrod DeGrippo: Thanks for having me, Lindsey. I always love talking with you. Thank you so much.
LO: So today we’re going to discuss the 2019 Human Factor Report, which was released by Proofpoint this week. The survey was really interesting. It was based on data collected over 18 months between 2018 and the first half of 2019. And you guys analyzed billions of messages daily and hundreds of millions of domains, to look at the ways in which actors are increasingly exploiting what you call the “human factor.” So Sherrod, first of all, can you tell us about the “human factor?” I mean, what does that human factor mean in the context of cybersecurity and in the context of attacks?
SD: I think that with the human factor, what we’re really talking about is getting beyond the technical protection mechanisms of the system. So when you think of a system protection, you think of your perimeter defenses, you think of patches… all those things that are the traditional foundations of information security – have been leveraged really effectively to protect systems in organizations’ environments. And what we focus on now is the tactics that are used to get around those technical defenses. And a lot of times they require a human factor, which means it requires human intervention of some kind. That’s something that we focused on really heavily because as you said, we process over 5 billion emails a day. And so that’s a lot of data and it’s a huge opening for threat actors to get in and all they need is a human to make a small action of some kind to interact with them, and they can compromise that business potentially.
LO: Right. And I think that’s really a great point, especially because with this kind of emerging modern threat landscape, we’re really seeing it becoming more increasingly people-centric with attacks that are focusing more on employees and people and identities, as opposed to infrastructure. And we see that every week with phishing emails being sent to employees, really playing on emotions, giving a false sense of urgency into making different sorts of wire transfers or through other tactics. So I do think the report is really relevant. Taking a step back before looking at some of the key takeaways of this report, can you give us some background on social engineering? What do attackers look at when they’re crafting these emails, and trying to construct the perfect social engineering tricks?
SD: Oh, that’s a great question. So social engineering, I think, is something that in the information security industry, people love. It’s definitely of interest to me, it’s something that’s really important to Proofpoint. Essentially, what we find is that social engineering is getting a person to feel an emotion or take some kind of action. It’s evoking excitement or fear or comedy to sort of get someone to take that action and help the threat actor out with whatever they’re doing. Social engineering has been really, really important for getting technical threats onto machines, you know, since the beginning of time, but essentially now humans have so much access and so much capability. If you’re able to get a human to take a step for you, say clicking something, then as a threat actor, that makes the job a lot easier, because you don’t have to worry about all the system protections that might be in place. A great example of that is in 2018, the most effective lure for phishing was something called brain food. We wrote a blog on that last year. Essentially, it’s one of those kind of smart drugs that basically says it’ll make you into some kind of super genius if you take it. So it’s pretty basic pharmaceutical spam, but it was the most effective phishing lure that we saw last year. And I think that a big reason that it was so effective was, one, people were clicking on it because they were interested. But people were sharing it around and forwarding it to their friends, because it seemed interesting or shocking, or something that they might find that their friends were interested in. So we were actually finding that social engineering was being shared through both email, social media and things like that; making that phishing lure even more effective than it would have been otherwise.
LO: I’ve definitely seen those kinds of diet and mental enhancement types of spam just filtering through my own inbox so I can see why they would be dangerous. And I know you guys said that they were the most clicked lure with – what was it – like 1.6 clicks per message or something like that? Right?
SD: Right, it was over a click and a half per message. And what’s interesting about that is that means that people are either clicking on multiple links in the same message, or they’re forwarding the message around so that more than one person is clicking within the same message. And that’s fascinating that what’s essentially a phishing email is able to get such a high click rate. That’s the threat actors’ dream.
LO: That’s an extremely high click per message rate. Were there any other lures that you guys found were extremely effective like that one?
SD: Sure. So that was really effective in 2018. But now in 2019, what we’re seeing is that people love to click on a cloud storage or services link. They love DocuSign. They love Microsoft Cloud services. They love a Dropbox, they love a Box link. We’re finding that those threat actors are relying on the cloud services because people have gotten used to clicking on things from SharePoint or a Google-hosted document. So people just click on those, they trust them. So if you can design a lure that’s leveraging one of those services, those have become really, really effective in 2019.
LO: Yeah, those can definitely be tricky as well. I had a question too about the victims of social engineering and of these phishing lures. I know in the report, you guys talked about, as you call them, “very attacked people” – these people or employees or even just regular consumers that are being targeted, that you were observing in the research. And I wanted to know if you could break down what the different types of victims were, because one thing that stuck out to me in the report was that only a few years ago, it seemed like the C-Suite and the top execs were largely at risk for malspam campaigns or from malicious emails. But this most recent report shows that that’s not necessarily the case anymore for high profile individuals. I think you guys found that it was only 7 percent of executive emails were a part of the report. So could you really break down the most common victims you’re seeing for social engineering?
SD: Sure. So for very attacked people, that concept is a big focus for us at Proofpoint. It’s something that we developed internally at Proofpoint where we started seeing that certain types of people with certain kinds of access and certain titles, were getting higher amounts of targeted attacks, or higher amounts of attacks in general, than other people in the organization. And there’s this idea, I think that instantly people think, “Oh, you know, my C-level executives, my C-suite, that’s who I need to protect. That’s who has the power. That’s who the threat actors are going to go after.” But that isn’t actually what we found. The most important people in your organization from a hierarchical perspective are not actually the ones that are the most attacked. And a lot of the reason for that is, the people that typically have more of a public presence, they don’t tend to publish their emails, they don’t tend to have a lot of publicly accessible contact information that threat actors can use. But everybody has group emails, such as support, or HR or billing, that go into their organizations. Another is a lot of people in positions that are senior, but not necessarily executive, sometimes have larger public presences. They’re doing public speaking, they’re publishing reports, they may be in a recruiting role. And so they have contact information that’s much more accessible. So we’re finding that the threat actors are going after the profiles, either on social media or on things like published reports in the particular industry, if they’re well known, and the threat actors are savvy at finding those connections, tracing them back, finding the people to attack, and it’s typically not those in the C-Suite. The concept of just sending a massive email campaign – it’s just not what the sophisticated threat actors do. Like you said, there’s only 7 percent of executive emails that are available online – executives are keeping them hidden. But people a little bit further down, they’re trying to build their profiles, build their brands, they’re much more accessible, and the threat actors are finding them.
LO: Like you said, the combination of having social media now and then also, those larger groups for support within companies is almost like the perfect opportunity for these hackers to kind of swoop in and gather those emails or, contact information that they need to launch these attacks. What were some of the other top takeaways from the report that you wanted to highlight in particular, that might underscore some of the future trends of social engineering and of the human factor?
SD: Sure. So something that we’re finding is that a lot of sophisticated actors are doing really sophisticated campaigns, and a lot of times we’re seeing marketing companies being leveraged. I think that marketing was one of the top-attacked verticals in the report that you’ll see. And what that means is those marketing companies, they hold such incredible data, such as all of your customers’ names, titles, locations, maybe work habits. And so if you can compromise one of those marketing companies that sends email on your behalf, you can very easily as a threat actor, find out who’s more likely to click on things, you can send very targeted campaigns. For example, I saw one recently, that was to an electronics company, and it was sent to their support address, and it had very specific subject lines detailing new products that that company was releasing. And so it would say something like “I have a problem with the name of the new product” in the subject line. And the body of course talks about a problem they’re having. Those are sent from spoofed email addresses for marketing companies. A lot of times marketing companies are safe listed in receiving for organizations because they know “hey, that’s my marketing company. We want to get the emails that they send.” But threat actors are leveraging those marketing companies and their brands, as well as reaching them to get to their sender lists and names and sending out really targeted, really interesting threat campaigns to those addresses.
LO: Right, I feel like that having that kind of marketing contact list too would be a gold mine for then, in turn, sending spear phishing emails to those contacts, too. So were there any other industries that you guys saw being targeted, in particular in 2019?
SD: Sure, we saw a lot of, in terms of the severity of the attacks, we saw a lot in things like real estate. And I think what’s so interesting about real estate, we publish blogs along that industry talking about that vertical and the threats to them. Real estate is a highly targeted industry. And one of the reasons we assume for that is, real estate typically deals with a lot of really quick high value transactions of funds. You need to pay your earnest money, you need to pay for an inspection, “oh, we forgot this $500 fee that we had to pay for closing costs.” There are really quick exchanges and transactions between multiple parties. And it’s easy to sort of slip in there as a threat actor and say, “Oh, you know, you forgot to pay this $500 transfer, go ahead and send the funds here.” Getting into a real estate organization is a really successful get for a threat actor if they can get inside those transactions and start siphoning off those little payments and fees that go through a lot of real estate agents.
LO: Right. I remember I think it was back in February or early 2019. There was some news story about a wire transfer scam that cost a homeowner more than $300,000 because of this type of situation. And, what they were saying was that part of the issue is that a lot of these real estate business deals are publicly listed too. So that makes it easier for potential attackers to really get in between the seller and the buyer and launch these attacks.
SD: I think that for most people, if you sit and think about, “hey, what’s an industry that I would want to try to exploit, that I would want to try to get in the middle of their transactions?” Real Estate’s a really good choice. Finance is another. That’s a top industry that we see targeted with malware. It’s huge to send malware into finance companies, because again, they’re moving money around, they have access to that kind of capability. And they don’t always know what’s being sent, where it’s being sent to. They get emails from customers that say “do this, do that click on this, I’ve got a problem.” And if you get what you think is a customer who’s upset, who wants your help, a lot of us take it very seriously. And we want to do the best we can in our jobs. And that’s what the threat actors are leveraging. That’s really the social engineering that comes into play.
LO: Yeah, I had another question around social engineering and scams, and that’s specifically about some of the new technologies that are being used. I don’t know if you saw this story. But last week, it was reported that there was a successful financial scam that was used via audio deepfake. So cyber criminals were able to create an impersonation of a chief executive’s voice and use that audio to fool his company into transferring a large sum of money to their bank account. So do you think that new technology like deepfake, like artificial intelligence will play a big future part in tricking victims into believing an attacker is legitimate? I mean, what role does that have in the human factor report as well?
SD: Oh, that’s a great question. So I absolutely do think that that will happen. And I think what we’ll start to see as those technologies continue to evolve, we’re going to see the threat actors who are sophisticated, become more and more capable of taking advantage of that. In general, what we see with commodity crimeware is threat actors who maybe aren’t the most technically sophisticated, there’s a spectrum. They’ll take bits and pieces of things that are already out there that are freely available, and they’ll put together their campaigns based on bits and pieces of scripts or malware, or botnets, leveraging all of the things that are available to them to create a campaign, and as things like deepfakes and AI become more available, they will absolutely use that to do social engineering at scale. That’s really what we’re talking about, is when a threat actor thinks of an idea. They think of the social engineering aspect of it and then they start going out to find the technology that can help them do that social engineering, but do it at a scale that is big enough to win, is big enough to get them whatever their goal is, and also allows them to customize what they’re sending, so that they can send very customized, highly labor intensive threats to lots of individual people.
LO: I’m already on the lookout for suspicious types of emails. But when these new technologies come into play, when you have things like deepfake audio or AI, I think that makes it so much harder, and really raises the bar for threat detection on the consumer level.
SD: Absolutely. I think that that’s going to be something that’s going to have to be examined continually as we keep evolving those kinds of technologies. And when we talk about sophisticated threat actors, as I said, there’s a spectrum and there will always be those on the lower end of the spectrum, who are just waiting for the next thing to be more accessible and more available to them. But we see threat actors now doing things like sending an email, and then having the victim call them on the phone to get them out of band, to verify, for example, it might be a spoof that is spoofing your CEO and it says, “Hey, could you please call the banking institution at this number to verify the account numbers that I need you to transfer it to?” And so then you take the victim and you get them out of email, and you get them on the phone. And that allows the threat actor to interact with them in a way that seems more personable, seems more authentic. AI will allow them to continue to do that bigger and bigger and bigger at scale and more convincingly.
LO: I haven’t heard of that one yet. So that seems like it’s definitely going to be a tricky way to better impersonate the legitimate sender of these emails. Are there any other tricks that users should watch out for when it comes to social engineering and, in that vein, what can they do to really avoid phishing and spear phishing emails?
SD: Always training your users, getting them to understand that if they’re having a deeply emotional reaction to an email that’s coming in, whether it’s from their supervisor, their boss, or who they think might be a customer, to stop and think about it, to stop and verify it, because ultimately, that individual at your organization, they’re one of the biggest lines of defense to protecting your organization. You have to train them, you have to invest in them in the same way that you invest in your technical controls. They are part of the chain of protection. And if they’re one of the very attacked people that we talked about, they need extra help. They need extra technical controls and they need extra training. One of the things that I’ve seen in the past is leveraging things like big events, like the end of Game of Thrones was a huge one for creating lures. So they would say, you know, I have the unaired three episodes of the last season of Game of Thrones. And if you want to see them before all your friends, click here and you can see a preview of what they’ll look like. Leveraging all of these kinds of pop culture events, social events, it’s really something that the threat actors are tuned into and are smart about. A couple of months ago – you know, I swore up and down that the new royal baby, Archie, by Meghan Markle and Harry – I thought for sure somebody would use that. And we actually put in a rule in our technology to find anything leveraging the announcement of the royal baby for malware and to flag it for us. But that’s actually one that we did not see. And I was shocked.
LO: It would have been a good one for that.
SD: I know I was waiting and waiting because I’ve seen so many crazy lures out there from “I’m divorcing you, my divorce papers are attached” to you know, “I’ve stolen your identity or I’m going to sue you” – I’ve seen lures that are just full of curse words, cursing people out saying “I’m going to sue you click here to see the lawsuit.” I thought that baby, I really thought that it was going to be a hit.
LO: But I could definitely see how those examples would really play into the victims’ emotions too, especially if they’re kind of riddled with swear words or whatnot. And even this week, I’ve seen warnings about potential lures with this big Apple launch, seeing potential scams around that too. So seems like there’s an event every week and kind of a phishing scam or spear phishing scam that goes along with it.
SD: Absolutely. I’m excited to see now that you’ve mentioned it, if I know that the Apple event is today and they have just finished, if you know we see anything leveraging that brand, leveraging the new announced products, and we see that sort of stuff all the time, as well as things like large sporting events, like the Super Bowl or the U.S. Open was last week. You know, they leverage those as best they can. But we also see some laziness. You know, we also see reuse or not really taking advantage of a big holiday because then that means that the threat actor can’t reuse their same lure in multiple countries. So if they talk about a French holiday, they won’t be able to use that same lure in the U.S. as effectively. So sometimes we see a sort of lazy catch-all of just Microsoft stuff, Microsoft lures. So it really depends. It depends on how much work they want to put in.
LO: Right. And unfortunately, it seems like a lot of threat actors still do want to put in a lot of work and are finding success in launching a lot of these campaigns. So, Sherrod, thank you so much for coming on today and chatting about the top social engineering techniques and the overall 2019 human factor report.
SD: Of course, Lindsey, thanks so much for having me. It was great to talk with you.