Attackers Targeting Lower-Level Management, Proofpoint Reports

In an unexpected shift, attackers are now going after different groups of people than they did last quarter, according to Proofpoint's third-quarter 2018 Protecting People report.

Proofpoint Protecting People

Cyber-attackers aren't continuously going after the same executive and high-level management; they are actually shifting targets to other individuals within organizations, including lower management, according to a report from Proofpoint released on Nov. 28.

The Proofpoint third-quarter 2018 Protecting People report found that a staggering 99 percent of the most targeted email addresses in the quarter were not even ranked in the second quarter. Additionally, Proofpoint reported that 67 percent of highly targeted malware and phishing attacks are now aimed at lower-level management and individuals.

"While the speed at which cyber-criminals move to lure new and unsuspecting victims has always been quick, we were surprised to see a 99 percent shift over the past quarter in the top targeted individuals within companies," Ryan Kalember, senior vice president of Cybersecurity Strategy at Proofpoint, told eWEEK. "By targeting primarily lower-level employees with access and privilege rather than senior staff, attackers are also widening their pool of potential targets and increasing their chances at successfully infiltrating a company."

The shift toward lower-level management and individuals for attacks doesn't mean that upper-level management shouldn't be concerned. In some cases, attackers are simply looking for a way into an organization so they can move laterally afterwards.

"Lateral movement is certainly very common," Kalember said. "In addition to traditional local privilege escalation and lateral movement via the network, we’ve seen a major increase in compromised accounts being used to send out further phishing or BEC [Business Email Compromise] messages."

BEC are attacks where a fraudster aims to impersonate a legitimate partner or executive to solicit a payment request. Kalember said that when attackers compromise accounts via a BEC attack, they can easily impersonate a trusted employee or partner and slip through security teams’ defenses that are network- and endpoint-focused.

Ransomware on the Decline

Another big shift observed by Proofpoint is the precipitous decline in ransomware over the past year.

"Ransomware appeared in less than 1 percent of email messages bearing a malicious payload, either via a link or attached document," Chris Dawson, threat intelligence lead at Proofpoint, told eWEEK. "A year ago in Q3 2017, ransomware made up 64 percent of the malicious payloads we observed."

While ransomware is fading, web-based social engineering attacks were up by 233 percent year-over-year. Dawson said the majority of these attacks are fake antivirus, bogus browser updates, fake font packs, etc. For example, a user may browse to a web page and be presented with a modal dialog informing them that they need a Flash update to view content on the page. When they click to download the update, they are actually downloading malware. 


Attackers are also apparently taking notice of the protective measures in place that organizations have for email security, particularly the use of the DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC has been mandated for use by the U.S. government and includes email authenticity and integrity check to help limit fraud.

“When implemented, DMARC is a significant barrier to cyber-criminals who launch email fraud attacks that spoof a company’s trusted domains," Ryan Terry, product marketing manager at Proofpoint, told eWEEK. "In our experience, attackers that encounter DMARC protection ultimately move on to more vulnerable targets."

That said, Terry commented that fraudsters can also leverage other fraud tactics such as display name spoofing and lookalike domains, which are tactics that DMARC does not protect against. Proofpoint recommends a solution that includes the implementation of DMARC authentication as well as security controls to help stop the additional fraud tactics, according to Terry. 

Protecting People

Protecting people within organizations from cyber-threats requires a combination of technology and training. Kalember commented that 90 to 95 percent of advanced attacks begin with the email vector, which underscores the importance of stopping these attacks before they ever reach the inbox. 

"Advanced threat solutions and having visibility into your most attacked employees on a regular basis are essential components within a successful people-centric security strategy," he said. "That said, in addition to technology, it is critical that organizations prioritize educating their employees to spot socially engineered attacks across email, social media and the web and run phishing simulations (fake attacks that use real-world tactics) to understand who in their organization is most likely to fall victim."

What's Next

Looking forward to 2019, Kalember said he expects that 2019 will be the year where targeted individuals in organizations will take center stage in the cyber-security threat landscape. 

"We expect to see a sustained increase in the targeting of people, rather than infrastructure, as attackers continually find new ways to manipulate unsuspecting individuals into becoming unwitting accomplices," Kalember said. "2019 may also be the first year in which we don’t see a single technical vulnerability (i.e. CVE) actively exploited in targeted phishing attacks, given how few we saw in 2017 and 2018. Until organizations shift to better protect its people, cyber-criminals will continue to exploit human vulnerability for financial gain."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.