Squawking pets, stir-crazy kids, Tiger King: Is it any wonder that work-from-home humans clicked on malicious CAPTCHAs at the astonishing rate of 50 times more than the non-pandemic year before?
In the company’s annual Human Factor 2021 report assessing how the threat landscape morphed over the past year – released on Wednesday – Proofpoint researchers scratched their heads over the reasons for so many users succumbing to malicious CAPTCHAs or clicking on poisoned images in steganography attacks.
Steganography is a well-known, little-used method of hiding code within an image or audio in order to circumvent detection, given that many filters and gateways let image file formats pass without much eyeballing. It appeared in just a few targeted campaigns over the period scrutinized for the report, but its success would make any bad actor’s mom proud: More than one in three people targeted in steganography campaigns in the past year said “Yes, please” and clicked. Indeed these attacks had the highest success rate of them all.
Since its inception in 2014, the Human Factor report has looked at how people play into risk, including where users are most vulnerable, how attackers target them, and the havoc that can be wreaked when threat actors compromise privileged access to data, systems and other resources. Past years’ reports have looked at attackers’ favorite social-engineering tactics, among other things.
For this year’s report, Proofpoint analyzed more than 2.2 billion email messages, 35 billion URLs, 200 million attachments and 35 million cloud accounts, among other data points. It explores the crazy year that was 2020, covering Jan. 1 through Dec. 31 of the planet’s COVID time, and peels back the layers of how the threat landscape was affected.
Some of the key findings:
- More than 48 million messages contained malware capable of being used as an entry point for ransomware attacks.
- Nearly 10 percent of campaign-related malicious email tried to distribute Emotet malware. In January, law enforcement dismantled infrastructure for the infamous malware, which is a loader-type malware that’s typically spread via malicious emails or text messages. Prior to that, Emotet was offered for hire to other groups who used it to distribute ransomware and other unsavories.
- Attack campaigns launched by threat actor TA542 – the threat actor linked to the Emotet botnet – persuaded the highest number of users to click. Proofpoint said that the total reflects “their effectiveness and the sheer volume of emails they sent in each campaign.” In fact, the January takedown targeted a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”
- Nearly 25 percent of all attack campaigns hid malware in compressed executable files that only run after a recipient interacts with them.
- The use of data-loss prevention (DLP) alerts spiked with the rise of work-from-home. They included alerts when users used USB devices, copied large files and folders (particularly during odd hours), used file-sharing services, or did other things that might have circumvented user-monitoring tools.
With regards to the success of steganography attacks and rigged CAPTCHAs, it could have been distraction, could have been who knows what, Proofpoint researchers shrugged: “It’s not clear why users were more vulnerable to either technique,” they wrote. “Remote workers may have been more distracted and cognitively taxed under the stresses of 2020. Perhaps some were even primed by new remote-work controls to see the CAPTCHA question as a normal security challenge.”
Podcast: We’re Well-Trained To Clickety-Click
Could be Tiger King, could be distracted clicking or it could be that threat actors jumped on our Pavlovian work-from-home security conditioning, as suggested by Proofpoint vice president and general manager of email fraud defense Rob Holmes.
He offered his thoughts during a Threatpost podcast on Tuesday:
“I think it’s this rather perverse psychological byproduct of CAPTCHA that we’ve learned to trust sites that are gated with CAPTCHA. And when we actually see CAPTCHA where we’re almost encouraged to type in the code and click the button. So I think it’s indicative of the cybercriminals and threat actors just becoming more sophisticated in their understanding of that human vulnerability.” —Rob Holmes
To get Holmes’ take on how the pandemic influenced the threat landscape, you can download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.
Lightly Edited Transcript
Lisa Vaas: Our guest today is Rob Holmes, vice president and general manager of email fraud defense at Proofpoint. He’s here to talk about Proofpoint’s annual Human Factor report, which examines three main facets of user risk: vulnerability, attacks, and privilege. Rob, welcome to the show.
Rob Holmes: Thanks very much, Lisa, it’s a pleasure to be speaking with you.
Lisa Vaas: Could you give us an overview of the report?
Rob Holmes: Yeah, certainly. So obviously lots of different facets to do with cybersecurity. But we maintain very strongly that the landscape has really changed towards the fact that the cybercriminals and the threat actors are targeting the fundamental vulnerability, that being people; hence the human factor.
And so we break it down in terms of, if they are looking to exploit that human vulnerability, what are the vulnerabilities, where do they exist and who is being attacked? And then, you know, kind of what level of seniority tends to get attacked the most, and also kind of what types of roles and industries tend to get attacked most now.
So I think that there are various trends that to my mind pop out. And indeed during the course of 2021, it’s really kind of extended along that, right. We can’t not talk about ransomware, right? I know you’ve written about it, but it’s top of mind for everyone. I think that there’s been some changes in that world such that back in the day, maybe it was more like dropping the malware in an attachment.
You’d click the attachment and it would release the ransomware. Now it tends to be a little bit more kind of multi-step. That’s to say there’s malware that drops some kind of backdoor onto the person’s machine that can then be exploited to deliver ransomware. We talk about multi-stage. The other kind of big thing right now that we’ve seen an explosion of over the last 20, 12, 24 months is credential theft.
I mean, if you have a credential that’s gold, it can be used and leveraged in so many different ways. So those are kind of some of the themes that we see. And, and of course, if you look at the FBI statistics and the IC3, they’ll talk a lot about the most costly of threats actually being pure social engineering to do with business, email compromise.
Those are probably the kind of key themes that I would pick out. But, you know, Lisa of course you may have read the report and different things popped out.
Lisa Vaas: As I understand it, this report is based on analysis of more than 48 million observed messages containing malware capable of downloading ransomware. I know you guys pose that as a foreshadowing of the risk of recent high-profile cyber attacks. Do you want to get into that? What do you mean when you say a foreshadowing? Which cyber attacks are we talking about that have this human factor involved?
Rob Holmes: It is certainly the case that we analyze 48 million email messages that contained malware capable of delivering these ransomwares where obviously that is a portion of the much bigger email threat landscape that we’re analyzing.
I think actually the report talks about, you know, analyzing 2.2 billion email messages, etc., etc. In terms of the foreshadowing, there are obviously some very notable ransomware attacks that have happened recently, Colonial Pipeline, JBS Foods. If we take a step back to maybe 2016, broad-scale, we saw fairly obvious ransomware attacks where I’m going to just lure you into clicking on something, which will then infect your computer, encrypt your files and ask for money.
But then we start seeing much more of the multi-stage: “Let’s get a foothold into your environment. Let’s deliver some kind of malicious payload onto your end point,” for example. That would then enable me to deliver ransomware to that machine and potentially go laterally within the organization.
There are some dangerous variants of that where, for example, on the Kaseya example, it was much more broad-scale. It was actually hitting many different companies through supply chain vulnerabilities. And that kind of echoes, if you will, what SolarWinds was about, but actually there was that rapid propagation across lots of different companies of malware that came from an initial infection of a software company. And obviously they published a software update that included that malware. It is more sophistication than we have seen in the past. It’s not to say there haven’t been sophisticated attacks. Consider, of course, WannaCry in 2017. But I think we’re starting to see greater sophistication, greater modularity with greater frequency than we did before.
Lisa Vaas: One of the things that interested me in the report was CAPTCHA: how the crooks have successfully weaponized a tool that was meant to fight spam. Your executive summary said that attacks using CAPTCHA have garnered 50 times as many clicks as the year prior. That’s a 50-fold increase in victims that you guys have tracked.
That’s huge. What is going on with these dumb CAPTCHAs?
Rob Holmes: Yeah, it’s maddening really on so many levels. How many times do I have to figure out is that traffic light in that one or is it in that box? What do those letters really say in that CAPTCHA code?
So, yeah, I totally get it. It’s maddening as an end user in the best of scenarios, but this is particularly concerning. This is where we really get into human psychology. Right. We are now preconditioned to expect CAPTCHA if you want to get to content. For your eyes only.
If we want to prove that you are not a robot, then you are going to have to go through this CAPTCHA gate. I hypothesize that as humans, of course, we are part rational and part totally emotional. And we have got this association now with CAPTCHA that since it’s a security mechanism, if we are asked to input some CAPTCHA code, it is a security advantage to doing so.
And so I think it’s this rather perverse psychological byproduct of CAPTCHA that we’ve learned to trust sites that are gated with CAPTCHA. And when we actually see CAPTCHA where we’re almost encouraged to type in the code and click the button. So I think it’s indicative of the cybercriminals and threat actors just becoming more sophisticated in their understanding of that human vulnerability.
Lisa Vaas: How exactly has it been weaponized?
Rob Holmes: A lot of this starts with the threat actor, figuring out how am I going to make you believe that the from field should be trusted enough that you should click on a link in the email. At the point of delivery, that email, of course, that URL in and of itself may not be malicious.
It may go to a site that doesn’t have any malicious payload on it. I’m encouraged to click on that link for whatever reason, it may be gated content: “I need you to act soon,” all of that fear and trust that as emotional beings we’re used to kind of acting on, so before you can see the content, the screen pops up and says, before I show you this, I need you to type in this.
You type in the code, you click the button and that may then install some kind of malware on your machine. It may take you to a site where you have to type in details that you think you’re typing them in, in a secure fashion, but you’re absolutely not. Data input downstream of the CAPTCHA is where the bad is happening.
Lisa Vaas: Thank you for that explanation. Now, another thing that you guys have called out in the report is steganography: It’s had an astonishing jump in success rates in attacks. Proofpoint found that more than one in three people targeted in such campaigns would click on these images.
And that’s surprising because steganography, it’s a well-known, but not terribly common way to sneak booby-trapped images past detection filters and gateways. I’m just so surprised that this is such a successful attack vector.
Rob Holmes: I have to agree with you, quite honestly.
You know what, talking about levels of sophistication on the one hand, and then on the other hand, we’re talking about hiding malicious content behind it. And one starts to wonder whether what’s old is new. If you cast your mind back, it was a bit of a free-for-all for sharing funny things over email, be it images or videos or audio or whatever.
And maybe our guard has been slightly dropped, we’re so focused on you know, not clicking on enable macros in an Excel attachment and less concerned about what may be lurking behind an image. We may be on our guard maybe down there. That was one of the findings that surprised me as well.
Lisa Vaas: The highest success rate of all attacks. What advice do you have for the people who secure networks? To try to train users out of these things, or is it just knowing that steganography is so successful? Is that a good enough takeaway for IT people?
Rob Holmes: Most people, if they knew even what steganography is, they might suggest some kind of dinosaur. I think that the reality of it is that you don’t want people to be the first line of defense. But very often people are the last line of defense.
And in that regard, I think there are things that people and IT professionals and security professionals can do to keep as much of it out of the front door as possible by having awesome technology upstream. But you know, tune those security and awareness training programs so that they are training you to be aware of the fact that you shouldn’t enable macros in Excel, but also don’t just think that, because this is a simple image, it is safe. I think really we need to continue to encourage people to be suspicious and to kind of you know, offset our natural kind of trusting with a level of skepticism. So that should such a threat present itself to the end user that they don’t necessarily click on it.
Lisa Vaas: Hallelujah. You are preaching to the choir. Are there any other big takeaways before I let you go, Rob?
Rob Holmes: Most of the bad activities happening are triggered by people.
And so if we can orient our defenses around protecting people, then I think we all take a massive step towards solving this pernicious, seemingly never-ending problem.
Lisa Vaas: Well the report is, after all, titled the Human Factor. Thank you so much, Rob. It’s been a real pleasure to have you on. I appreciate you taking the time.
Rob Holmes: Thanks so much, Lisa.