Webroot 2016 Threat Brief Explores Next-Generation Cyber Threat Landscape and Targeted Intrusion Trends

Rise of Polymorphic Malware, Significant Increase in Malicious IPs, and Upsurge of PUAs Demonstrate that Traditional Cybersecurity Defenses are Nearly Useless

BROOMFIELD, CO. - February 23, 2016

The latest edition of the annual Webroot® Threat Brief reveals 97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless. The data collected by Webroot, the market leader in next-generation endpoint security and cloud-based collective threat intelligence, throughout 2015 clearly show that today’s threats are truly global and highly dynamic. Many attacks are staged, delivered, and terminated within a matter of hours, or even minutes, having harvested user credentials and other sensitive information. The report shows that countering these threats requires an innovative approach to attack detection that leverages advanced techniques and up-to-the-second threat intelligence.

Key findings from the Webroot 2016 Threat Brief include:

  • Malware and potentially unwanted applications (PUAs) have become overwhelmingly polymorphic, with 97% of malware morphing to become unique to a specific endpoint device. By changing attributes to evade detection, polymorphic threats pose a major problem for traditional, signature-based security approaches, which often fail to discover singular variants.
  • Approximately 50 percent of Webroot users experienced a first contact with a zero-day phishing site, as compared to approximately 30 percent in 2014. This data indicates that zero-day phishing attacks are becoming the hacker’s choice for stealing identities.
  • Technology companies, including Google, Apple and Facebook, were targeted by more than twice as many phishing sites as financial institutions, such as PayPal, Wells Fargo, and Bank of America. These tech companies are targeted because the same login credentials are often used to access many other websites, resulting in multiple compromised accounts with each phishing victim.
  • 100,000 net new malicious IP addresses were created per day in 2015, a significant increase from the 2014 average of 85,000 a day indicating cybercriminals rely less on the same list of IPs, and are expanding to new IPs to avoid detection.
  • The U.S. continues to have the most malicious IP addresses of all countries. In 2015, it accounted for over 40 percent of all malicious IP addresses, a significant increase from 31 percent of malicious addresses in 2014. Top countries hosting 75 percent of malicious IPs include the U.S., China, Japan, Germany, and the UK.
  • As with malicious IP addresses, malicious URLs are largely hosted in the U.S. (30 percent), followed by China (11 percent). Furthermore, the U.S. is by far the largest host of phishing sites, with 56 percent of sites within its borders.
  • In the second half of 2015, 52 percent of new and updated apps were unwanted or malicious—a significant increase over the first half of 2014, when only 21 percent were unwanted or malicious.

"2015 was yet another record year for cybercrime, during which more malware, malicious IPs, websites, and mobile apps were discovered than in any previous year,” said Hal Lonas, chief technology officer at Webroot. “It comes as no surprise to those of us in the Internet security industry that the cybercrime ecosystem continues to thrive, given new innovations and little in the way of risk for those who choose to participate. The continued onslaught of hacks, breaches, and social engineering scams targeting individuals, businesses, and government agencies alike has caused many in the security field to ask if it’s truly possible to defend against a persistent attacker. We conclude that we can only succeed by being more innovative than our criminal opponents."

What can organizations and individuals do?

With the various increases in polymorphism and other malware trends, it is more apparent than ever that organizations need to bolster their security posture with next-generation endpoint protection and real-time, highly accurate threat intelligence to protect themselves, their users, and their customers from cybercriminal activity. Dynamic intelligence enables them to set proactive policies to automatically protect networks, endpoints, and users as part of a defense-in-depth strategy. This is especially necessary when security teams consider the threat landscape as a whole, in addition to conducting in-depth analysis on the threats targeting them. Furthermore, individuals need to be more vigilant than ever about the websites they visit, the URLs they follow, and the applications they download and use.

For a copy of the Webroot 2016 Threat Brief, visit Webroot at booth #3837 at RSA Conference 2016 in San Francisco on Feb. 29-March 4, 2016, or download the report online: www.webroot.com/Webroot-2016-Threat-Brief.

About Us

Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world.