WatchGuard’s Internet Security Report also shows growing use of a new sextortion phishing malware customised to individual victims
Network attacks targeting a vulnerability in the Cisco Webex Chrome extension increased dramatically, according to WatchGuard® Technologies. In its Internet Security Report for the last quarter of 2018, they were the second-most common network attack. The vulnerability was disclosed and patched in 2017, and attacks were almost non-existent in early 2018, but WatchGuard detections grew by over 7,000 percent from Q3 to Q4: a bug fixed more than a year earlier was still being attacked at scale, which only pays off for attackers while unpatched installs remain.
The report also shows that phishing campaigns saw a marked increase in sophistication, with new attacks threatening to release recordings of users visiting adult content online, customising emails for specific targets and building fake banking login pages. Based on data from tens of thousands of active WatchGuard Firebox appliances around the world, a new sextortion phishing attack was the second-most common attack detected in Q4 2018. Because each phishing email is tailored to its recipient, every copy is a different file with a different hash, so this one campaign accounted for almost half of the unique malware hashes detected. The message claims the sender has infected the victim’s computer with a trojan and recorded them visiting adult websites, and threatens to send the recording to the victim’s email contacts unless a ransom is paid.
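The point about unique hashes is worth seeing concretely, because it is the reason exact-hash blocklists are useless against per-recipient lures. The following is an added example, not code or data from the WatchGuard report: it renders a constructed sextortion-style template for three constructed recipients (the email addresses, "passwords" and wallet strings are placeholders), shows that every copy gets its own SHA-256, and then normalises the recipient-specific fields away so all copies collapse to one campaign hash. The regular expressions and token names are the example's own assumptions about what varies per recipient.

```python
import hashlib
import re

# Constructed message body in the style of the sextortion lure the report describes
# (not a real sample). Only the recipient-specific fields change between copies.
TEMPLATE = (
    "To: {email}\n"
    "I know that your password is {password}. Months ago I installed a trojan on "
    "your computer and recorded you while you visited adult websites. Send 0.5 BTC "
    "to {wallet} within 48 hours or the video goes to every one of your contacts.\n"
)

# Constructed recipients; the wallet strings are placeholders, not real addresses.
RECIPIENTS = [
    {"email": "alice@example.org", "password": "hunter2",     "wallet": "bc1qconstructedwalletaaaaaaaaaaaaa"},
    {"email": "bob@example.net",   "password": "Winter2018!", "wallet": "1ConstructedWalletBbbbbbbbbbbbbbbb"},
    {"email": "carol@example.com", "password": "letmein",     "wallet": "3ConstructedWalletCccccccccccccccc"},
]

# Assumed shapes of the per-recipient fields (an assumption of this example).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
WALLET_RE = re.compile(r"\b(?:bc1|1|3)[A-Za-z0-9]{20,}\b")
PASSWORD_RE = re.compile(r"password is [^\s.]+")


def render(recipient):
    """Produce the copy of the lure a given recipient would receive."""
    return TEMPLATE.format(**recipient)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalise(text):
    """Replace the per-recipient fields with fixed tokens so every copy of the
    same lure collapses to one canonical form."""
    text = EMAIL_RE.sub("<EMAIL>", text)
    text = WALLET_RE.sub("<WALLET>", text)
    text = PASSWORD_RE.sub("password is <PASSWORD>", text)
    return text


def exact_hashes(messages):
    """One hash per message: the tailoring makes each copy unique, which is why
    a single campaign can dominate a count of unique malware hashes."""
    return {sha256_hex(m) for m in messages}


def structural_hashes(messages):
    """One hash per lure template: the key a campaign-level detection needs."""
    return {sha256_hex(normalise(m)) for m in messages}


if __name__ == "__main__":
    msgs = [render(r) for r in RECIPIENTS]
    print("distinct exact SHA-256 values:     ", len(exact_hashes(msgs)))
    print("distinct normalised SHA-256 values:", len(structural_hashes(msgs)))
```

The practical lesson is the one the quote below draws: matching on the delivered file's hash cannot keep up with a lure that is regenerated per recipient, so detection has to key on the invariant structure (or on the delivery channel and user behaviour) rather than on bytes.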
“There was a noticeable increase in advanced phishing attacks targeting high-value information,” said Corey Nachreiner, CTO at WatchGuard Technologies. “Now more than ever, it’s vital for businesses to take the layered approach to security and deploy solutions that offer DNS-level filtering designed to detect and block potentially dangerous connections and automatically refer employees to resources that bolster phishing awareness and prevention. A combination of security controls and human training will help businesses avoid becoming hooked by phishing attacks.”
The other top findings from the report include:
- 16.5 percent of all Fireboxes were targeted by the CoinHive cryptominer – The most widespread malware variant in Q4 came from the popular CoinHive cryptominer family, showing that cryptomining remains a popular attack type. Two of the ten most common pieces of malware detected were also cryptominers.
- A major phishing attack leverages a fake bank page – Another widespread piece of malware in Q4 sent a phishing email with a fake but highly realistic Wells Fargo login page to capture victims’ email addresses and passwords. Overall, WatchGuard saw a rise in sophisticated phishing attacks targeting banking credentials.
- One ISP’s filtering error routed Google traffic through Russia and China for 74 minutes – The report includes a technical analysis of a Border Gateway Protocol (BGP) hijack in November 2018 that inadvertently sent most of Google’s traffic through Russia and China for a short time. WatchGuard found that a Nigerian ISP, MainOne, made a mistake in its routing filters and announced routes for Google’s address space that it should never have passed on; Russian and Chinese ISPs accepted and propagated those announcements, so much of Google’s traffic was routed through their networks unnecessarily. This accidental hijack highlights the insecure foundation the internet’s routing rests on: BGP has no built-in way to verify that a network is entitled to announce a prefix, so every neighbour is trusted to filter correctly. A deliberate attack on that weakness could have potentially catastrophic consequences.
- Network attacks rise after historic lows in mid-2018 – Network attacks rose 46 percent by volume and 167 percent in terms of unique signature hits in Q4 compared to Q3 2018. This follows a trend seen in previous years with attacks ramping up during the holiday season.
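To make the BGP item above concrete, here is an added example (not code or data from the report, and not a reconstruction of MainOne's actual configuration) of the two filters whose failure produces a route leak of this kind: the leaking ISP's export filter towards its upstreams, and the upstream's inbound filter for a customer session. The ASNs and prefixes are documentation values chosen for the example; the hypothetical ISP AS64500 has learned a content network's prefix from a peer, and with its export filter missing it re-advertises that prefix to its provider, which is exactly what a well-run provider's prefix-list and max-prefix limit should reject.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    as_path: tuple      # AS_PATH as received; the leftmost AS is the neighbour that sent it
    learned_from: str   # "local", "customer", "peer" or "provider"


MY_ASN = 64500  # hypothetical transit ISP (documentation ASN; not MainOne's)

# Prefixes this ISP is entitled to announce to its providers: its own address space
# plus its customers'. Constructed from documentation prefixes for the demo.
CUSTOMER_CONE = [Net("203.0.113.0/24"), Net("198.51.100.0/24")]

# Constructed routing table: two legitimate routes plus one learned from a peer and
# one from a provider. Routes learned from peers or providers must never be
# re-exported upstream (the "valley-free" rule).
RIB = [
    Route(Net("203.0.113.0/24"), (), "local"),
    Route(Net("198.51.100.0/24"), (64501,), "customer"),
    Route(Net("192.0.2.0/24"), (64510,), "peer"),            # e.g. a content network's prefix seen at an IXP
    Route(Net("100.64.0.0/10"), (64520, 64530), "provider"),
]


def covered(prefix, cone):
    """True if prefix equals or is more specific than some prefix in cone."""
    return any(prefix.subnet_of(c) for c in cone)


def export_to_upstream(rib, cone, enforce_filter=True):
    """Routes this ISP announces to a provider.

    enforce_filter=True : valley-free export, and only prefixes inside the registered cone.
    enforce_filter=False: the misconfiguration. The export filter matches nothing, so every
                          route in the RIB, including peer and provider routes, is re-advertised.
    """
    announced = []
    for r in rib:
        if enforce_filter and (
            r.learned_from not in ("local", "customer") or not covered(r.prefix, cone)
        ):
            continue
        announced.append(Route(r.prefix, (MY_ASN,) + r.as_path, "customer"))
    return announced


def provider_inbound_filter(announced, registered_cone, max_prefix):
    """What a careful upstream does with a customer session: tear the session down if
    the prefix count exceeds the agreed maximum, otherwise accept only prefixes inside
    the cone the customer registered (built from IRR/RPKI data in practice).
    Returns (accepted, rejected)."""
    if len(announced) > max_prefix:
        return [], list(announced)
    accepted, rejected = [], []
    for r in announced:
        (accepted if covered(r.prefix, registered_cone) else rejected).append(r)
    return accepted, rejected


def leaked_prefixes(announced, cone):
    """Prefixes in an announcement that the announcer had no business originating or transiting."""
    return [str(r.prefix) for r in announced if not covered(r.prefix, cone)]


if __name__ == "__main__":
    for enforce in (True, False):
        ann = export_to_upstream(RIB, CUSTOMER_CONE, enforce_filter=enforce)
        acc, rej = provider_inbound_filter(ann, CUSTOMER_CONE, max_prefix=10)
        print(f"export filter {'on ' if enforce else 'off'}: announced {len(ann)} routes, "
              f"leaked {leaked_prefixes(ann, CUSTOMER_CONE)}, upstream rejected {len(rej)}")
```

Two things follow from the model. The leak only reaches the wider internet if the upstream also fails to filter, which is why the report describes the mistake as spreading to other ISPs rather than stopping at MainOne's edge; and because BGP itself carries no proof of who may announce a prefix, the only defences are exactly these neighbour-side filters (prefix-lists from IRR or RPKI data, max-prefix limits, and RPKI origin validation), none of which the protocol enforces on its own.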
The 2018 Q4 ISR also includes a granular analysis of source code for the Exobot banking trojan. This highly sophisticated malware attempts to steal banking and financial information from Android devices. The WatchGuard Threat Lab’s analysis includes a list of the 150 sites such as Amazon, Facebook, Paypal and Western Union that Exobot can automatically target, as well as a detailed look at the UI an attacker using Exobot would use to push commands to infected devices.
The insights, research and security best practices included in WatchGuard’s quarterly Internet Security Report help organisations of all sizes understand the current cyber security landscape and better protect themselves, their partners and customers from emerging security threats.
The findings are based on anonymised Firebox Feed data from over 42,000 active WatchGuard UTM appliances worldwide. In total, these Fireboxes blocked over 16 million malware variants (382 per device) and approximately 1,244,000 network attacks (29 per device) in Q4 2018.