Over the last year, cybercriminals increased their use of social engineering, scaling up people-centred threats and attacks that rely on human interaction and dialling down automated exploits. They found new ways to exploit “the human factor”: the instincts of curiosity and trust that lead well-intentioned people to click, divulge, download, install, move funds and more every day.
These threats focused on real people and their individual roles within an organisation rather than just computers, servers, websites and IT infrastructure. Cyber attackers and their sponsors are attacking real people at both macro and micro scales, creating serious challenges for everybody involved in the WordPress Security niche. At the macro level, they wage massive, indiscriminate campaigns in email and social channels. For example, RANSOMWARE was the biggest email-borne threat of last year (2017), and broad, multimillion-message malicious campaigns defined the new normal for the year. At the micro level, state-sponsored groups and financially motivated email fraudsters launched highly targeted attacks. Even attacks on cloud-based platforms relied on human error, carelessness and credulity to penetrate systems of value.
Whether they are broad-based or targeted; whether delivered via email, social media, web apps or other vectors; whether they are motivated by financial gain or national interests, the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, divulged sensitive information, downloaded unsafe files, installed malware or ransomware and transferred funds, all at scale.
Social engineering underpins the Human Factor. Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain and even our time constraints to persuade us to click, rendering competent WordPress Security safeguards irrelevant.
• Suspiciously registered domains of large enterprises outnumbered BRAND-REGISTERED DOMAINS 20 to 1. That means targets of phishing attacks are more likely to mistake typosquatting and suspicious domains for their legitimate counterparts.
• Fake browser and plugin updates appeared in massive malvertising campaigns affecting millions of users. As many as 95% of observed Web-based attacks like these, including those involving exploit kits, incorporated social engineering to trick users into installing malware rather than relying on exploits with short shelf lives. Two years ago, social engineering in Web-based attacks was much less widely deployed.
• About 55% of social media attacks that impersonated customer-support accounts (a trend known as “angler phishing”) targeted customers of financial services.
• Some 35% of social media scams that used links and “clickbait” brought users to video streaming and movie download sites. In-browser coin mining, in which attackers hijack victims’ computers to generate cryptocurrency, also went mainstream. These attacks converged largely around pirated video streaming sites; users’ long viewing sessions gave the miners extended access to victims’ PCs, netting more income for their operators.
WordPress Security Recommendations:
Train employees to identify attacks that use social engineering through email, social media and websites, even those seemingly tied to well-known brands or current events. Use PHISHING simulations (fake attacks that use real-world tactics) to see who in your organisation clicks. Paired with awareness training, these simulations can reduce the impact of real attacks.
DEFENSIVE DOMAIN REGISTRATION
This is the recommended practice of buying up internet domains that could be mistaken for yours before attackers do. Lookalike domains can be used to trick customers and partners with fake websites and fraudulent emails that appear to be from your organisation.
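As an added example that is not part of the original article, the script below builds the list of lookalike domains a defender would register pre-emptively or watch for, and uses the same list plus an edit-distance check to flag inbound sender domains that imitate the organisation's own. The brand domain and the sender list are constructed placeholders, not real registrations.

```python
# Added example (not from the article): generate lookalike domains for defensive
# registration and screen inbound sender domains against them.
BRAND_DOMAIN = "acmebank.com"   # constructed placeholder, not a real organisation
SAMPLE_SENDERS = [              # constructed sender domains from a mail gateway log
    "acmebank.com",             # the organisation's own domain
    "acmebnak.com",             # transposed letters
    "acrnebank.com",            # "rn" imitating "m"
    "acmebank.co",              # truncated TLD
    "acme-bank.com",            # inserted hyphen
    "mail.google.com",          # unrelated, must not be flagged
]
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "m": "rn", "w": "vv"}

def typosquat_variants(domain, other_tlds=("net", "org", "info")):
    """Lookalikes to register pre-emptively: dropped, doubled, swapped and
    homoglyph-substituted characters, plus the same name under other TLDs."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                     # dropped
        names.add(name[:i] + ch + name[i:])                    # doubled
        if i + 1 < len(name):                                  # adjacent swap
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in HOMOGLYPHS:                                   # visual twin
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    names.discard(name)
    variants = {n + "." + tld for n in names}
    variants.update(name + "." + t for t in other_tlds)
    return variants

def levenshtein(a, b):
    """Edit distance, to catch lookalikes the pattern generator does not list."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_lookalike_senders(senders, brand=BRAND_DOMAIN, max_distance=2):
    """Map each suspicious sender domain to the reason it was flagged."""
    known = typosquat_variants(brand)
    flagged = {}
    for d in (s.lower().strip() for s in senders):
        if d == brand:
            continue                                           # genuine sender
        if d in known:
            flagged[d] = "typosquat-pattern"
        elif (dist := levenshtein(d, brand)) <= max_distance:
            flagged[d] = f"edit-distance-{dist}"
    return flagged
```

Feed `typosquat_variants(BRAND_DOMAIN)` to your registrar or a domain-monitoring feed, and run `flag_lookalike_senders` over the sender domains your mail gateway logs.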