The more things change, the more things stay the same -- at least for hackers. That's one of the finding in Proofpoint's mid-year threat report on the attacks of choice for the first half of 2015.
In addition to the return of an old friend, the cybersecurity company also found more targeted attacks towards businesses, heightened activity around social media and a shift in the volume and accuracy of the bad stuff that ends up in your inbox, looking to take your money.
Click the attachment
"Human beings have short memories," says Kevin Epstein, vice president of advance security and governance at Proofpoint. "It's fresh again."
Attachments were last an issue in 2006, according to Proofpoint. Users today have been drilled to avoid clicking on unknowing URLs, putting attachments in the back of our minds.
"No one remembers a few years ago when it was 'don't click on attachments.' What's old is new again, and unfortunately from a security perspective, that's bad," he adds.
[Related: The Web's 10 most dangerous neighborhoods]
Proofpoint found that malicious attachments started popping up again in October 2014, and then hit full force in the beginning of 2015. Most attachments have been Microsoft Word documents with malicious macros that required user interaction in order to execute.
Target the bean countersHackers aren't sending attachments to everyone, though. The difference in this reincarnation of a tried-and-true tactic is that cybercriminals are targeting businesses, and sometimes masking as requests or files coming from within the company. They’re even sending them at a time when you'd expect to receive such a missive. "We see the highest point of entry on Tuesday at 10 a.m. local time, when everyone is really busy," Epstein says.
Clay Calvert, director of cybersecurity for MetroStar Systems, says that hackers are often searching for the names of comptrollers or CFOs from company websites – typically available on "about us" pages – and then sending them emails pretending to be from a higher up in the company. They're the targets because they control the money.
Epstein likens this trend to why bank robbers rob banks: because that's where the money is.
"As an individual consumer, if I raid your bank account, I might strike it rich and get away with $10,000. With a small business payroll, I might get $100,000, $200,000, $300,000," says Epstein.
"If I hit something bigger, all I need is for one" attachment to work, he adds.
Proofpoint also found that in 2014, hackers tried to get at these accountants through fake LinkedIn connect requests and other social media lures – and attack that has virtually disappeared in 2015. Instead, the vehicle of choice is communication notification templates, and corporate and personal financial communication lures – things like voicemail and fax notifications.
More companies should avoid their CFOs being easily searchable, Calvert says, by making sure those "about us" pages are not indexed, or making the names of their personnel graphics instead of text on a page.
Mind the social media gapBig event coming up? Something that people will tweet about obsessively? Hackers will show up, too.
"The bigger the event, the more people following it on social media, thus the more potential victims," says Epstein.
Proofpoint analyzed branded social media destinations linked to events like the NFL playoffs/Super Bowl, Valentine's Day and March Madness. They found malicious content customized specifically for delivery to the events' massive audiences.
Sometimes these lures are posted on a brand's Facebook page. That happened on the National Football League's Facebook page during the Superbowl. Proofpoint also found more attacks on top U.K. brands, which are 20 percent more active than those in the U.S. but also suffered 60 percent more spam.
This just isn't bad for a brand's image, but could also make a brand liable for any attacks posted to their pages, no matter who posted them.
"Online is a microcosm of the real world," says Epstein. "If you're in the real world, you're responsible for the safety of people in your store or building. The same is true online. You are responsible for your visitors."
Less is more (more effective, that is)While attacks are getting more specific and targeted, Proofpoint found that the overall volume of messages was down in the first half of 2015. Media daily volume of unsolicited messages dropped over 30 percent from January to June 2015.
This isn't something to celebrate, though. What's still making it through is much more efficient at getting what it wants than all those messages promising to wire you money or improve the function a certain part of your anatomy.
"Follow the money," says Epstein. "If I can make a couple of bucks off each person I get to click on an ad for fake drugs or what have you, that's much less profitable than simple stealing money."