Bob Dylan’s lyrics ring ever true today. We live in turbulent times. Pandemic. Fight for equality and justice. Political upheaval. Climate change. These dynamic forces bring out the good and bad in people, but, unfortunately, too often the bad. As always, there are those that seek to exploit the chaos for their own personal gain. And cyberspace is no different. Bad actors congregate around every opportunity to take advantage while our guard is down and we’re distracted…and boy have we been distracted.
The latter half of 2020 and early 2021 witnessed peak Covid-19 cases, a tumultuous US presidential election cycle, and unprecedented global public outcries for justice and equality, which led to increasingly cacophonous 24×7 news programming, rampant internet hype, and meteoric increases in social media use and online interactions. Of course, attackers, always the opportunists, were at the ready and took full advantage. ZeroFox plotted these two tracks — world events and cyber attacks — to see how they correlate and to possibly learn how we can better prepare ourselves for the inevitable continued change.
Attackers Have Found Opportunity in Last 12 Months
According to ZeroFox’s The Future of Digital Threats: 2020 Insights 2021 Predictions Report, ‘while workers went home, hackers still went to work’. In other words, the attackers kept on doing what they do, with even more passion. Impersonations, phishing, and other traditional methods of targeting employees and work environments rose dramatically during the period, nearly doubling in some months, due in part to the ripe set of opportunities to connect. They knew our guard was down and our curiosity heightened, fueled by the non-stop distraction of rapidly evolving events. To our misfortune, bad actors went to work perfecting their enticements and amplifying their delivery.
During the six months from August 2020 to January 2021, ZeroFox saw an overall 120% increase in executive impersonation activity compared to the first half of 2020. Brand impersonations, which happen at nearly a tenfold frequency, increased significantly during the period as well. While impersonations increased across all industries, both of these substantial upswings were acutely concentrated among the top impersonation targets: broadcast and cable news brands (TV and internet) and journalist personalities, religious organizations and their leaders, and (thankfully one ‘good news’ distraction, IMHO) sports entertainment teams and celebrities. Attackers knew to go exactly where our attention would be.
Marked Increase in Threat Activity Correlates with Global Events
As reported in the July 2020 blog, “Executives Targeted with Account Hack, Impersonations and Other Social Media Security Threats”, executive threat activity grew significantly in April 2020, and then again in June 2020, as Covid-related quarantine and remote work left many feeling disrupted, unaccustomed to new work habits and perhaps a bit less guarded in their digital communications. In October 2020, there was a notable 70% increase in threat activity leading into the US presidential election. Then January 2021 set a record for the volume of impersonation attempts, nearly doubling the prior months’ averages. This is directly attributable to the US presidential confirmation period (including the US Capitol incursion that occurred Jan. 6 and the subsequent inauguration of President Joe Biden on Jan. 20), when worldwide attention was fixated on extended news cycles and it seemed nearly everyone was expressing themselves online. Catching people off guard, distracted from their routine, appears to be the open door attackers hope to tailgate through undetected every chance they get.
Predictable Targets, Innovative Techniques
Trending topics and newsjacking typically draw the attention of victims as well as cyber criminals.
Riding on these trends, ZeroFox researchers saw threat actors use creative tools and new techniques to distribute threats, including the use of Morse code to evasively spread phishing URLs, alongside the continued use of remote desktop protocol (RDP) exploits to target individuals at home due to COVID-19 and the transition to remote employment. ZeroFox researchers identified certain industries that faced increased cybersecurity risks due to COVID-19-themed threats, including financial, pharmaceutical and retail.
For instance, from early 2020 and continuing in 2021, pandemic assistance fraud remains a threat to finance organizations. As reported by AP News, the U.S. Department of Labor Inspector General’s Office estimates that more than USD 63 billion has been lost to pandemic-related financial fraud in the US alone. Equally troubling for the pharma industry, threat actors are deploying phishing websites to sell fake vaccines and vaccination cards and to steal victims’ personal information. And last but not least, in 2020, the retail industry saw increased sales due to a surge in online shopping. As a result, site impersonations, data theft (via digital point of sale ‘skimmer’ code injection), and fraud are all on the rise. All of these point to a dire need for improved digital brand protection.
Social Media Executive Impersonation and Threat Activity
All of this event and news activity added up to a potpourri of distraction that was the perfect backdrop for attackers to pounce. And pounce they did! In the latter half of 2020, there were more than 2.8M incidents of impersonations and other threats for over 12,000 executives ZeroFox protects. On average, that’s more than one per day, and some execs and VIPs see dozens of impersonation attempts per day. Attackers use these impersonations to phish employees, defraud customers, and steal data, hoping all the while that victim inattentiveness will allow them to go unnoticed. Continuous diligence is necessary to keep these attacks from succeeding and to avoid the resulting loss of confidential information, revenues and trust.
Predictable Future for Executive Impersonation and Other Digital Threats
While we can’t necessarily know the next topic of social disruption, we can anticipate the behaviors, because we know the patterns of these attacks. The MITRE ATT&CK and PRE-ATT&CK frameworks provide a good start. The earlier in the cyber attack kill chain one can intervene, the easier it is to control the outcome. Intelligence from attack planning chatter on dark web attacker forums is one method. Continued monitoring for the staging of fake, brand-abusing domains is another. Constant monitoring for account takeover (ATO) of your owned social media accounts is a third, and so on. Further, if you can establish a pattern of threat activity (and corresponding policy / ToS violations), you have the ability to actually dismantle attacker infrastructure to dissuade them and prevent attacks altogether. As attackers remain innovative and opportunistic, having visibility at all points in the chain is essential to gaining earlier warning and being prepared for whatever comes next.