Amidst Commonwealth Bank’s damage control, a reminder about human insecurity

Despite CSOs’ efforts at education, humans are continuing to prove easier and more profitable targets for attackers than the systems they use

Even as authorities come to terms with the Commonwealth Bank of Australia’s failure to disclose Australia’s biggest-ever data breach for a year, the bank’s loss of nearly 20 million customers’ account records is a reminder to every company of the persistent security risk posed by human error.

It’s a theme that every security vendor and consultant has been hammering home for years – with little success, if the results of a recent password audit, Verizon’s recent extensive DBIR review of over 2200 data breaches, and “shocking” ongoing reports of data breaches are anything to go by.

Proofpoint’s recently-released Human Factor Report 2018 offers a detailed breakdown of the most effective phishing techniques – and adds further evidence to the hypothesis that humans simply aren’t very good at security at all.

Dropbox-based lures were far and away the most frequent phishing vector, followed by lures impersonating financial institutions, generic email credential harvesting, and Microsoft OWA and Office 365 phishing.

Users were most likely to click on phishing emails purporting to relate to the DocuSign electronic-signature tool, while the use of malicious attachments exceeded the use of malicious URLs by almost 28 percent.

Phishing-borne malware, however, wasn’t installing itself without the user’s help: increasingly common vectors such as Microsoft Office macros and attached scripts were proving successful even though users have to click through multiple security warnings to enable such code.

Ransomware and banking Trojans were the most common attacks against Australian users, while brand theft and typosquatting were tricking even savvy users with simple tricks such as swapping individual characters in a domain name (found in 41 percent of typosquatting) or inserting additional characters (32 percent).

Noting the “pervasive” nature of brand theft and its prevalence around the 2018 Winter Olympics in PyeongChang – which saw more than 100 look-alike domains registered – Proofpoint’s analysis concludes that attackers have built a continuous threat that is always poised to take advantage of human weaknesses.
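The character-swap and character-insertion tricks described above are cheap to detect on the defender’s side as well, by comparing newly registered or observed domains against a protected brand label. The script below is an added example, not code from the article or from Proofpoint’s report; it classifies each suspect domain by the single-character edit (adjacent transposition, substitution, insertion or deletion) that turns the brand label into it, and flags longer look-alikes that merely embed the brand. The brand label examplebank and the list of suspect domains are constructed for illustration, and taking the leftmost label as the brand-bearing one is a simplifying assumption (production code should consult the public suffix list).

```python
"""Classify suspect domains as typosquats of a protected brand label.

Added example: brand 'examplebank' and the suspect list are constructed
for illustration and are not from the article or Proofpoint's report.
"""
from collections import Counter


def registrable_label(domain: str) -> str:
    """Return the label used for comparison, e.g. 'examplebank' for
    'examplebank.com.au'.  Assumption: the leftmost label carries the brand;
    a real deployment should strip the public suffix with a suffix list."""
    return domain.lower().rstrip(".").split(".")[0]


def _one_char_apart(short: str, long: str) -> bool:
    """True if deleting exactly one character from `long` yields `short`."""
    i = 0
    while i < len(short) and short[i] == long[i]:
        i += 1
    # Skip the first mismatching character of `long` and compare the rest.
    return long[:i] + long[i + 1:] == short


def edit_kind(brand: str, candidate: str):
    """Name the single edit that turns `brand` into `candidate`:
    'transposition' (adjacent swap), 'substitution', 'insertion' or
    'deletion'.  Returns None for identical strings or for anything that
    is more than one edit away."""
    if brand == candidate:
        return None
    lb, lc = len(brand), len(candidate)
    if lb == lc:
        diffs = [i for i, (a, b) in enumerate(zip(brand, candidate)) if a != b]
        if len(diffs) == 1:
            return "substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and brand[diffs[0]] == candidate[diffs[1]]
                and brand[diffs[1]] == candidate[diffs[0]]):
            return "transposition"
        return None
    if lc == lb + 1 and _one_char_apart(brand, candidate):
        return "insertion"
    if lc == lb - 1 and _one_char_apart(candidate, brand):
        return "deletion"
    return None


def classify(brand_label: str, domain: str) -> str:
    """Verdict for one domain: a one-edit typosquat kind, 'brand-embedded'
    for longer look-alikes that contain the brand (examplebank-login.com),
    'exact' for the brand itself, or 'none'."""
    label = registrable_label(domain)
    if label == brand_label:
        return "exact"
    kind = edit_kind(brand_label, label)
    if kind:
        return kind
    if brand_label in label:
        return "brand-embedded"
    return "none"


def typosquat_report(brand_label: str, domains):
    """Classify every domain and tally the verdicts, so the mix of swap vs
    insertion tricks can be tracked the way the report does."""
    verdicts = {d: classify(brand_label, d) for d in domains}
    return verdicts, Counter(verdicts.values())


# Constructed suspect list (hypothetical brand and domains).
SUSPECTS = [
    "examplebank.com.au",      # the brand itself
    "exmaplebank.com",         # adjacent characters swapped
    "examplebamk.com",         # one character substituted
    "exampleebank.com",        # one character inserted
    "examplbank.com",          # one character dropped
    "examplebank-login.com",   # brand embedded in a longer label
    "unrelated.org",           # no relation
]

if __name__ == "__main__":
    verdicts, tally = typosquat_report("examplebank", SUSPECTS)
    for domain, verdict in verdicts.items():
        print(f"{domain:25} {verdict}")
    print(dict(tally))
```

Anything other than "exact" or "none" is worth a closer look, and the tally gives a defender the same swap-versus-insertion breakdown the report quotes, over the domains they actually see. The classifier deliberately stops at one edit: two-edit variants and homoglyph substitutions need a broader candidate generator or a confusables table, which this example does not attempt.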

Nearly 95 percent of web-based attacks now incorporate a social-engineering element, using tactics like fake updates, bogus security alerts, or other tricks to convince users to download and install malware.

“All signs point to the human factor as a main component in most attacks going forward,” the report’s authors concluded, noting that exploiting human vulnerabilities is both more reliable and more lucrative than relying on technologically sophisticated attacks.

“Whether they are broad-based or targeted; whether delivered by email, social media, the web, cloud apps, or other vectors; whether they are motivated by financial gain or national interests; the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, downloaded unsafe files, installed malware, transferred funds, and disclosed sensitive information at scale.”

And that doesn’t even include the physical loss of data such as occurred at the Commonwealth Bank, which lost track of a massive cache of backup tapes that was ultimately believed – without any tangible evidence – to have been destroyed as intended.

Fully 11 percent of breaches analysed in Verizon’s DBIR 2018 involved physical actions, while 17 percent had errors as causal events. Some 16 out of 213 financial-services incidents involved lost and stolen assets, while 1 percent of breaches were attributed to partners.

Acting head of retail banking Angus Sullivan told the ABC that the bank, which blamed the incident on subcontractor Fuji-Xerox, considered it “unacceptable” but had decided to keep quiet about it.

"We've been unable to assure ourselves that the drives have been destroyed,” he said, “but the investigation that we undertook indicates that the most likely outcome was that they were.”
