2017 Webroot Threat Report Reveals Dramatic Increase in Technology Company Phishing Attacks – Seven Times More Likely Than Financial Institutions

The 2017 Webroot® Threat Report today revealed that for every new phishing URL impersonating a financial institution, there were more than seven impersonating technology companies. The data was collected throughout 2016 by Webroot, the market leader in network and endpoint security and cloud-based threat intelligence, and clearly demonstrates a significant change since 2015, when the ratio was less than one to three. This increase may indicate that it is easier to phish a technology account, and that due to password reuse, they can be more valuable to hackers as a gateway to other accounts. The top three phishing targets in 2016 were Google, Yahoo, and Apple.

Webroot also uncovered a decreasing lifecycle in phishing attacks. The longest-running phishing site was active less than two days, and the shortest was only 15 minutes. Eighty-four percent of all phishing sites were active less than 24 hours.

Continued Prevalence of Polymorphic Malware and Ransomware

The most important 2016 trend in malware was polymorphism, which is when each instance is unique and undetectable by traditional signature-based security approaches. In fact, approximately 94 percent of malware and potentially unwanted application (PUA) executables were only seen once.

Ransomware continued to be a significant threat, with Locky being the most successful ransomware seen in 2016. In its debut week in February 2016, Locky infected more than 400,000 victims and was one of the first ransomware programs to encrypt unmapped network drives. The FBI estimated that cybercriminals would collect more than $1 billion in ransoms in 2016, and Webroot expects ransomware to continue to proliferate in 2017.

Android Apps Pose Five Times Greater Threat

Nearly 50 percent of the new and updated mobile apps analyzed in 2016 were classified by Webroot as malicious or suspicious, totaling nearly 10 million during the year. In contrast, just over 2 million such apps were identified during 2015.

As for the threats malicious mobile apps present, adware experienced significant growth, jumping from a negligible share in 2015 to nearly 10 percent in the second half of 2016. This change is likely due to the Android operating system’s growing market dominance, which makes it a more attractive target for adware.

Trojans continue to make up the majority of malicious mobile app threats, holding at 60 percent from 2015 to 2016.

Millions of Unique Malicious IP Addresses

Throughout 2016, Webroot identified malicious IP addresses from nearly 150 countries. In 2016, 33 million unique malicious addresses appeared on the blacklist, a slight increase over 2015. This indicates that the previous years’ trend is continuing; attackers are changing IP addresses to avoid detection. This is underscored by the fact that over 88 percent of the top 10,000 malicious IP addresses used in attacks appeared on the list only once.

“The continued increase in sophistication and volume of phishing attacks, ransomware, and polymorphic malware mean we are at greater risk than ever from cybercriminals,” said Hal Lonas, chief technology officer at Webroot. “It’s clear that relying on threat lists, virus signatures, and simplistic rules for protection is wholly insufficient against a threat landscape that is constantly evolving. Proven, real-time machine learning-based analysis that includes an understanding of threat behavior and context is necessary for accurate decision making and protection from today’s threats.”

Download the Webroot 2017 Threat Report or visit Webroot at booth 1307 in the South Hall during the RSA Conference in San Francisco.

About the 2017 Webroot Threat Report

The 2017 Webroot Threat Report presents analysis, findings, and insights from the Webroot Threat Research team on the state of cyber threats. The report analyzed more than 27 billion URLs, 600 million domains, 4 billion IP address, 50 million mobile apps, and 13 billion file behavior records. The statistics contained in the report come from threat intelligence metrics automatically captured from over 40 million sensors, as well as third-party sources, and analyzed by the Webroot Threat Intelligence Platform. The Webroot Threat Intelligence Platform is an advanced, cloud-based machine learning network that continuously produces threat intelligence used by Webroot SecureAnywhere® endpoint and network security products and by Webroot partners through Webroot BrightCloud® Threat Intelligence Services. Unlike traditional, list-based or single-vendor threat intelligence, Webroot threat intelligence is highly effective for identifying and stopping even the most sophisticated zero-day, never-before-seen, and advanced persistent threats.