F5 Labs analysis reveals growing global phishing menace and application security vulnerabilities

Findings from F5 Labs’ Lessons Learned from a Decade of Data Breaches report has shed light on the global proliferation of phishing, providing clear insights on why the technique is fast becoming cybercriminals’ easiest and most productive attack vector.

The threat intelligence reveals that phishing is responsible for almost half of breached records by root cause (48%). This is followed by credential stuffing (18%), the automated result of phishing and other attacks collecting identity data, and web app vulnerabilities (18%).

F5’s data is supported by figures from the Anti-Phishing Working Group (APWG), which indicates phishing has risen a staggering 5,753% over the past 12 years.

“Across the world, it is increasingly evident that sophisticated hackers are successfully employing social engineering and phishing techniques on a massive scale,” said Keiron Shepherd, Senior Systems Engineer at F5 Networks.

“Everywhere you look, cybercriminals continue to effortlessly access extensive data on both companies and their employees, which creates significant vulnerabilities. In most cases, applications are the primary entry point. Once an application vulnerability is exploited, attackers find their way through the network and steal the data. It is critical for organisations to take the right steps to mitigate the risks, including equipping staff with appropriate training and awareness for online sharing behaviours, as well as running penetration tests to gauge system susceptibility.”

Based on the research, F5 has identified six key behaviours to help organisations combat phishing’s growing scourge:

1. Beware what you share: Social media platforms encourage users to share in-depth personal data, which can contain sensitive insights about their work. This is gold dust for hackers on phishing expeditions. Organisations must run robust, continually evolving awareness-raising programmes to ensure all employees embrace a culture of responsible social sharing.
2. Regularly evaluate web business content: Attackers target specific organisations through employee details available on company and partner websites. Information such as ownership records, SEC filings for public companies, lawsuits, and social media data all provide maliciously leverageable information. Businesses should periodically review all information shared on their company websites and social media pages to determine if the content is essential.
3. Secure the network: Vulnerable network systems and inadequately protected applications can leak internal information such as server names, private network addresses, email addresses, and even usernames. Security teams must regularly check their network systems are robustly configured to mitigate the risk of sensitive data leaks.
4. Remember that apps contain clues: Many applications are not built with a “security by design” mindset and are usually assembled from libraries and existing frameworks. Some components can contain clues about the development team and organisational processes. Securing these is an unavoidable priority.
5. Check email headers: Email headers are an excellent source of internal configuration information, and attackers will often fire off email inquiries to individuals to gather IP addresses, determine mail server software, and discover how emails flow out of the organisation. Businesses must frequently warn employees to check email headers before opening from unknown sources.
6. Don’t be complacent: Security awareness and associated training programmes help employees understand how easily their online information can be hacked and the implications of a scam. Regular updates, mandatory compliance sessions, and best practice on-line courses can help build a better security culture.