Proofpoint has released its Q3 2019 Threat Report, highlighting the threats and trends across Proofpoint’s global customer base and in the wider threat landscape. Notably, Proofpoint found that despite a nearly four-month absence, the return of Emotet within the last two weeks of September accounted for nearly 12 percent of all malicious email samples in Q3, delivering millions of messages with malicious URLs or attachments.
“As individuals become accustomed to email-based lures, cybercriminals are broadening the scope of their attacks with more robust and insidious malicious payloads. The resurgence of malware such as Emotet – which targeted organisations in the Middle East – has also been met with more sophisticated forms of social engineering, as illustrated in our Q3 Threat Report”, said Emile Abou Saleh, Regional Director, Middle East and Africa, for Proofpoint. “As cyber threats continue to grow in volume and sophistication, it is paramount that organisations in the Middle East build a robust and people-centric cybersecurity strategy to protect their data, customers and, most importantly, their people.”
TA542, the cybercriminal group responsible for distributing Emotet, also expanded its regional targeting during this period to several new countries, including Italy, Spain, Japan, Hong Kong, and Singapore. Reverting to methods that the group had shifted away from in early 2019, TA542’s re-emergence included highly targeted seasonal and topically relevant lures rather than generic financial themes. For example, on Sept. 23, Proofpoint observed the actor leveraging news-related “Snowden” lures.
Additional Q3 2019 Proofpoint Threat Findings
- Global combined malicious URL and attachment message volume decreased nearly 40 percent compared to Q2, largely as a result of Emotet’s absence for the first 10 weeks of the quarter.
- Malicious URLs made up 88 percent of global combined malicious URL and attachment message volume, a slight increase from Q2 but overall in line with the trend for 2019.
- Over 26 percent of fraudulent domains used SSL certificates, over three times the rate of domains across the web. This materially aids social engineering around these domains, since users have been conditioned to treat the padlock icon as a sign of security and safety while browsing.
- Ransomware remained virtually absent as a primary payload in malicious emails, with the exception of smaller campaigns generally distributing Troldesh and Sodinokibi.
- Threat actors leveraged the Keitaro TDS in both malvertising and URL-based email attacks, building on the trend of more complex attack chains and redirections to hide their activities and exploit multiple vectors, including exploit kits.