New Webroot BrightCloud threat report highlights the need for end user security training as part of a multi-layered approach to cyber resilience
Webroot’s 2021 Webroot BrightCloud Threat Report highlights the continuing risk that malicious actors pose to computer and smartphone users. Based on telemetry from 285 million endpoints/sensors collected by Webroot’s machine learning security platform, which powers all Webroot protection and BrightCloud services, the report identifies the evolving tactics of cyber-criminals, as well as the security weaknesses they exploit to launch phishing attacks and spread malware. Business Info spoke to Grayson Milbourne, Security Intelligence Director at Webroot, to find out more about some of these risks and, more specifically, what businesses and end users should be doing (or doing better) to protect themselves.
One of the first points he makes is that these findings, notably a 34.4% year-on-year increase in phishing activity, reinforce the need for security awareness training as part of a multi-layered approach to cyber resilience.
“Three plus years ago, Webroot launched a security awareness training platform with the idea that you can educate your users and greatly reduce the risk they introduce to your business, because we all know it is someone’s mistake that leads to most cyber incidents. Our security awareness training includes a couple of things: there are compliance courses and there’s training that allows you very easily to send a simulated phishing attack or an email to your employees. There are lots of different templates that we keep very fresh; we are constantly taking from the wild and implementing a mirror version, so we really use what’s out there,” he explains.
“What we typically see are click rates of around 15%, which, after just one round of training, drop by 30% or so. If you do training on a regular basis, you can get people’s click rates down to 4% or 5% and that helps greatly.
“Then, when we look at customers who combine our different technologies – not everyone uses security awareness training – we see that those who do undertake training have less malware in their environments. There’s almost 12% less malware for customers that use both solutions, rather than just the endpoint protection.
“Our story has long been that cyber resilience is the best form of cyber security. It is very difficult to protect every avenue 100% of the time, but if you have a layer that is 75% effective at reducing something and then if you train your employees so there is 75% less chance they click something bad, when you start stacking these layers together, you might find yourself in a spot where even if seven layers fall and you end up going back to your backup, you have that backup, you are not paying the ransom.”
Keep up to date
Webroot’s report also highlights the importance of using up-to-date, fully supported operating systems.
“The report really highlights how Windows 7, despite having been end-of-life in terms of support by Microsoft for over a year, is still prevalent in around 10% of business environments. It is a much riskier operating system. We see around twice as many infections for Windows 7 as Windows 10, which is more secure, with many more security-enabled features,” says Milbourne.
“With Windows 10, Microsoft instrumented what they call ‘AV always on’, whereby, if there is no AV, they enable Defender regardless of what the user thinks. This is a good thing. Microsoft understands that their brand is really under attack and they desperately want to be like Apple and support one operating system. Today they support a few, but largely Windows 10 and Windows Server versions, so they are getting to a more closed ecosystem. Windows 10 also introduced several additional security features that make it more difficult to exploit systems.”
Milbourne points out that up-to-date operating systems are also important when it comes to the security of mobile devices, with outdated operating systems responsible for nearly 90% of Android infections.
“When we look at all the real-world infections that we saw from our Asian customer base over the last year, something like 3% of our customers are still using Android version 6, but they accounted for 25% of all infections. I call these half-day infections – they are not zero-day infections because they are known. You are just on a device that is vulnerable. It is fixed on Android 8, but you are on 7; it is fixed on Android 10, but you are on 9.”
So, what does Milbourne think are some of the key trends in this year’s report and what lessons are we to draw from them?
Milbourne points out that not only has ransomware continued to sky-rocket for SMEs, with the average payment rising to around $150,000-$200,000 in 2020, but it has also evolved into more of an extortion model, where cyber criminals threaten to steal and expose the victim’s data if they don’t pay.
Moreover, because ransomware is often the last stage of an attack, after the victim’s network has been penetrated, cyber-criminals will often have done enough damage and gathered enough intelligence to persuade a business that the ransom is a price worth paying to avoid the burden and bad publicity of a data breach.
“In a lot of cases we see that ransomware is actually the last stage in the attack,” he says. “They’ve penetrated your network; they’ve snooped around a bit; they’ve understood your financials; they realise there is little money to be gained by snooping around and that the longer they do so the more likely they are to be caught. But, because they have breached the network, they can disable back-ups, turn off security solutions and basically deploy the ransomware like a policy update, so all the endpoints get it at the same time. A lot of times the ransom cost is calculated to be right in that sweet-spot where a business might think what is the bigger headache or the bigger burden, paying the ransom or going public with it and coping with the damage to productivity and reputation.”
Phishing continued to be a major threat in 2020, with a 34.4% year-on-year increase in activity, and continued to evolve in response to changing end user habits caused by the coronavirus pandemic.
“Covid really had an impact,” explains Milbourne. “One of the brands we had never seen before at the top of the list of phishing targets was eBay. Typically, the most targeted sites are email providers because criminals want to get into your main email account and then break into whatever other accounts you have. For the first couple of months of the pandemic, basically every phishing attempt we encountered was some variant of an eBay log in, saying your order has an issue or spoofing the natural notifications you would get from eBay. We suspect product shortages and people trying to buy stuff on eBay. Then we saw it rapidly fall off; 90% of eBay’s total phishing for the year happened in those two months.”
In February last year, 31.1% of all phishing attacks impersonated eBay. In March, phishing activity surged among streaming services like YouTube (up 3,064%), Netflix (525%) and Twitch (337%).
Another Covid-related risk, not featured in this year’s report but which Milbourne expects to have telemetry on next year, is scam sites or improperly secured shopping sites.
“We saw a lot of this with Covid. Phishing isn’t always for log-in credentials. A lot of times it could just be leading you to donate money to a scam charity – and that whole process could have https and look very good. In the last year we have been investing more in identifying sites that aren’t textbook malicious but which you might wish you hadn’t tried to buy a pair of shoes from so that they could sell your credit card details.”
Meanwhile, the trend for phishing sites to use https continued. In fact, by December it had become the norm, with 54% of such sites using https, compared to 46% using http. Milbourne expects the ratio to have reached 70:30 by the end of the year, as it already has in some verticals, such as cryptocurrency sites.
Malware has declined since its peak in 2015, due to a number of factors: the roll-out of Windows 10; action by Google, among others, against the PUA (Potentially Unwanted Applications) class of threats and the pay-per-install model; and a shift to carrying out attacks with Windows built-in components instead, such as the PowerShell administration tool.
“You can do almost every stage of an attack with PowerShell itself, so in 2018 we released script protection as part of the Webroot Evasion Shield to really try to stop these attacks. We advocate disabling PowerShell if it is not needed – the same for office macros. Almost no one needs them, and if they do, then enable it for that individual specifically. The same goes for PowerShell; it should definitely not be enabled for a local user account,” says Milbourne.
Despite these changes, malware is obviously still a problem, especially for consumer devices, which experience twice as many malware infections as business ones.
“One interesting thing we saw is that there is not that much diversity in where the majority of malware tries to hide itself on the operating system. We found that most malware hides in one of four directories – the temp directory, the browser, cache directories or your download folder. You can easily set up a policy to prevent execution from these directories. It’s an easy layer to implement that gives you 25% or 30% efficacy just based on breaking how malware tries to install itself.”
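The directory-based execution rule Milbourne describes, written out as an added example (not code from the report or from Webroot’s products): a policy check over constructed Windows process-creation events that blocks executable content launched from the temp, browser cache or download directories. The directory patterns, extension list and sample events are assumptions for illustration.

```python
import re

# Directory classes named in the interview (temp, browser cache, download folder).
# The concrete patterns are constructed for this example; tune them per environment.
RISKY_DIRS = {
    "temp": [r"\\appdata\\local\\temp\\", r"^c:\\windows\\temp\\"],
    "browser cache": [r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\cache\\",
                      r"\\appdata\\local\\mozilla\\firefox\\profiles\\[^\\]+\\cache2\\",
                      r"\\appdata\\local\\microsoft\\windows\\inetcache\\"],
    "downloads": [r"\\users\\[^\\]+\\downloads\\"],
}
# Extensions treated as executable content, including script types that run
# through a host such as wscript.exe or powershell.exe rather than directly.
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta")
# Quoted (may contain spaces) or bare drive-letter paths inside a command line.
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.IGNORECASE)

def risky_dir(path):
    """Return the directory class a path falls into, or None."""
    p = path.lower().replace("/", "\\")
    for label, patterns in RISKY_DIRS.items():
        if any(re.search(pat, p) for pat in patterns):
            return label
    return None

def evaluate(event):
    """Allow/block decision for one process-creation event (image + command line).
    The command line is checked too, so a script in Temp or Downloads launched
    through wscript.exe (whose image lives in System32) is still caught."""
    candidates = [event["image"]] + [a or b for a, b in PATH_RE.findall(event["cmdline"])]
    for path in candidates:
        if not path.lower().endswith(EXEC_EXT):
            continue  # data files (e.g. notes.txt) opened by an editor are fine
        label = risky_dir(path)
        if label:
            return {"decision": "block", "reason": f"{label}: {path}"}
    return {"decision": "allow", "reason": "no executable content from a monitored directory"}

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"image": r"C:\Users\alice\Downloads\invoice_2020.exe",
     "cmdline": r'"C:\Users\alice\Downloads\invoice_2020.exe"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\quote 1.js"'},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.com'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe "C:\Users\alice\Downloads\notes.txt"'},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(evaluate(e))
```

The same rule can be enforced rather than just detected with a path-based application control policy (for example AppLocker or Software Restriction Policies); the check above is the logic such a policy encodes.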
Mobile and Android
Not surprisingly this is a growing area of concern, not just because malware for Android devices, including IoT devices, is growing, but also because of new techniques like fleeceware, where scammers lure a victim in with a cheap subscription of, say, $1.99 a month which then rises to $199 a month.
There is a lot more detail, statistics and advice in the 2021 Webroot BrightCloud Threat Report itself. To download a copy, please visit:
Infection Rates by Country and Industry
* At 2.3%, Japan had the lowest PC infection rate per region, followed by the United Kingdom (2.7%), Australasia (3.2%) and North America (3.7%)
* In Europe, home devices were more than three times as likely to encounter an infection as business devices (17.4% versus 5.3%)
* Healthcare and Social Assistance (down 41.4% from the YoY average) had the lowest infection rates; the industries with the highest infection rates were Wholesale Trade, Mining/Oil/Gas and Manufacturing