Despite potential anti-malware defenses, attacks that target individual employees can easily enter the enterprise network. That is according to a Hacker Intelligence Initiative (HII) Report: “Phishing Trip to Brazil”, by US IT security firm Imperva, Inc.
The Application Defense Center (ADC) evaluated 14 command and control (C&C) servers comprised of more than 10,000 records across almost 5000 IP addresses. The findings in the report include:
The majority of infections found occurred during “office hours,” leading to the conclusion that the infected computers were being used for business.
At least 17 percent of infected machines were directly attached to enterprise networks, showing the ease with which cyber-attacks targeting consumers still put enterprises at risk.
The consumer-centric cyber crimes used malware that rely on social engineering to infect the victim. A legitimate-looking email containing a link to a zipped file is sent to the victim. Once the victim extracts the file and knowingly or unknowingly clicks the executable, the targeted person is infected. The malware then starts to monitor user activity. After the user connects to a business site, in the case of the report, a Brazilian bank, the malware intercepts session data, which it then sends to the cybercriminals.
Cyber criminals are extremely adept at compromising user credentials, which they then leverage for fraud or further attacks.
Amichai Shulman, co-founder and Chief Technology Officer, Imperva said: “Our research underscores that work life and personal life intersect, and when an employee receives a suspicious email from a vendor they trust, like a bank, they are more likely to open it. Unfortunately, if an employee reads one of these emails on a home computer while connected to an enterprise Virtual Private Network (VPN), they are opening up their employer to a potential attack. With malware evolving faster than antivirus protection, companies should shift their focus from detecting malware to directly monitoring and protecting enterprise data, applications, and user accounts. With the prevalence of Bring Your Own Device (BYOD) and remote working, data and file activity monitoring are the best way to protect against compromise of sensitive enterprise information.”
Other findings:
The cyber crime campaigns were not conducted by just one group of criminals operating behind the scenes. It appears that there are several groups of criminals, with varying technical and social engineering skills, all leveraging the same underlying malware. This illustrates how cyber crime itself has become an industry.
Some of the C&C servers were found on legitimate websites that had been hijacked, while others were found on servers that were set up specifically to provide C&C functionality.
The report focused on malware originating from Brazil, targeting Brazilian banks, but similar exploits are possible in other locations and industries.
A full version of the Phishing Trip to Brazil HII report is available at https://www.imperva.com/DefenseCenter/HackerIntelligenceReports.
