As businesses grapple with the security implications of hybrid work, malware continues to evolve and increase in sophistication. In fact, malware is no longer confined to traditional risky web categories; it is now lurking everywhere, from cloud apps to search engines.
To avoid falling victim to malware, security leaders must understand how such threats are evolving, regularly revisit their malware protection strategy, and account for all possible entry points. To do this effectively, we must first think like an attacker to better understand how malware is penetrating organizations worldwide.
SEO as a primary attack method
Attackers are becoming savvier, using search engine optimization (SEO) techniques to bump malicious links and files to the top of users’ search engine results. This tactic is directly related to upticks in malicious PDF downloads, with recent research finding that malicious PDF downloads increased by 450% over the past 12 months. By improving the ranking of malicious PDF files on popular search engines including Google and Bing, these attackers are able to rapidly spread malware to often unaware users.
Understanding malware origins and targeted techniques
SEO is just one technique attackers use to lure victims into downloading malware hosted on the web or in the cloud. Email, SMS, messaging apps, and social media are also commonly used to lure users. Web malware downloads originate from many different website categories, led by technology sites and content servers, while cloud malware downloads originate from hundreds of different apps, led by popular cloud storage apps.
Notably, the origin of web and cloud malware downloads are typically from servers located within the same regions as their victims. This is a growing trend that points to the increasing sophistication of cybercriminals, who are frequently staging malware on content servers and cloud apps to avoid geofencing filters and other traditional prevention measures.
When attackers are designing lures to spread malware, they typically try to capitalize on major societal events, such as COVID-19. They also tend to design lures that create a sense of urgency, such as a shipping invoice that needs to be paid or the confirmation of personal information in a healthcare form. Such lures account for the majority of malware downloads. Attackers may also use more technical approaches, such as software exploits, drive-by downloads, or HTML smuggling to download malware onto a victim’s device. So what can be done to help bolster protection?
How to stop malware downloads
Scan everything: Organizations commonly allow sanctioned cloud apps to bypass content inspection, and attackers capitalize on the bypass by abusing the same apps. Instead, organizations should scan all traffic, including popular cloud apps. They should also scan all file types. While PDF files are currently very popular with threat actors, we continue to see a wide variety of files abused for malware delivery.
Add layers: Don’t rely on a single security solution to protect your data. Ensure that you can detect post-compromise behavior such as command and control and data exfiltration that might occur after an attacker gains access to an endpoint.
Reduce risk surface: Reduce risk surface by restricting downloads from and uploads to unsanctioned apps and sites. Use technologies like remote browser isolation (RBI) to isolate endpoints from web-based threats.
The immediate first step to building a stronger security architecture is recognizing that these threat trends are occurring in today’s digital environment. Regularly revisiting the organization’s malware protection strategy and verifying that all possible entry points are accounted for is one way for security teams to stay a step ahead of cybercriminals. Subsequently, by understanding the contemporary methods these malicious actors are using among today’s highly-dispersed business operations, security leaders can ensure efficient, effective protection against data theft, expensive breaches, and unnecessary disruptions in productivity on an ongoing basis.