Key Takeaways
IBM reported on recent cyber threats in its "2025 X-Force Threat Intelligence Index" report.
- Email serves as the primary vector for cybercriminals to expand identity theft attacks; emails of this kind increased 84% year-over-year in 2024. Early 2025 data suggest an even sharper surge in this trend, with weekly incidents expected to increase by more than 180% compared with 2023.
*Infostealer malware: malware designed specifically to extract sensitive information from infected systems, primarily targeting data such as personal passwords and credit card numbers.
- 70% of all attacks that IBM X-Force responded to in 2024 occurred at critical infrastructure organizations, with more than a quarter resulting from vulnerability exploitation. These organizations remain exposed because they continue to rely on legacy technology and delay the deployment of security patches.
- As cybercriminals adopt more sophisticated tactics, ransomware attacks against enterprises have declined, while lower-profile credential theft has surged.
- IBM X-Force captured cases where attackers leverage AI to create phishing websites or develop malware.
- Asia-Pacific recorded the most damage, accounting for 34% of global cyberattacks, with Japan comprising 66% of total incidents.
- By industry, manufacturing accounted for 26% of all attacks, ranking as the most attacked industry for four consecutive years, with the highest number of ransomware-based encryption incidents.
Key Countermeasures Against Cyber Threats
Countermeasures Against Malware Attacks
Infostealer malware primarily infiltrates systems through phishing emails, malicious attachments, or compromised websites. Representative types of malware attacks via email include zero-day malware, malware in attachments, and malware in URLs.
Zero-day Malware (ITU-T X.1236 7.1.1, 8.1.1, 9.1.1)
Zero-day malware attacks exploit security vulnerabilities after they are discovered but before patches are released to fix them. In zero-day attacks via email, cybercriminals send emails with malware-containing attachments or clickable links, luring recipients to click before the threat can be detected.
To counter zero-day malware attacks, organizations must conduct behavioral analysis testing (observing how an attachment changes the operating system environment) before allowing it to interact with user systems, thereby detecting and reporting potentially harmful activity. Security administrators must strictly quarantine emails containing zero-day malware, notify users, and ensure the quarantined mail is not retransmitted.
Malware in an Attachment (ITU-T X.1236 7.1.2, 8.1.2, 9.1.2)
Malicious attachments are a type of threat in which cybercriminals hide malicious software inside files, typically sent via email. Attachments in these malicious emails can masquerade as documents, executable files, or image and video files, and the files may be encrypted or carry different extensions. Attacks using executable files can involve spoofing sender addresses to trick recipients into opening emails containing malicious documents.
To counter malicious attachment attacks, organizations need to detect forged file extensions across various file formats and conduct email reputation analysis. Organizations must implement big data-based inspection that scans all inbound and outbound email of users, extracts attachments requiring additional inspection, and identifies forged file extensions.
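The forged-extension check described above, as an added example that is not code from the page or from ITU-T X.1236: the attachment is classified by its leading bytes (magic numbers) rather than by the name it arrives with. The signature table, the extension aliases and the sample attachments are constructed for illustration; a production scanner would use libmagic or a fuller signature list.

```python
"""Flag email attachments whose claimed file extension disagrees with their content.

Added example (not from the page or ITU-T X.1236): the magic-byte table and the
sample attachments below are constructed for illustration.
"""
import os
from typing import Optional, Tuple

# Leading bytes ("magic numbers") of a few common formats. Assumption: a small
# hand-built table standing in for libmagic or a fuller signature list.
MAGIC_SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",  # OOXML documents (docx/xlsx/pptx) are zip containers
    b"MZ": "exe",          # Windows PE executable, also .dll and .scr
}

# Extensions that legitimately carry each detected content type.
EXTENSION_ALIASES = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "scr"},
}


def detect_content_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def claimed_extension(filename: str) -> str:
    """The extension the filename advertises; 'invoice.pdf.exe' claims 'exe'."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def inspect_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Classify one attachment.

    Verdicts: 'ok' (extension matches content), 'forged_extension' (extension
    lies about the content), 'executable' (content is a PE file even though the
    extension admits it), 'unknown' (no signature matched; needs deeper inspection).
    """
    kind = detect_content_type(data)
    ext = claimed_extension(filename)
    if kind is None:
        return "unknown", f"no known signature for .{ext}; route to sandbox"
    if ext not in EXTENSION_ALIASES[kind]:
        return "forged_extension", f"claims .{ext} but content is {kind}"
    if kind == "exe":
        return "executable", "executable content; quarantine regardless of name"
    return "ok", f"{kind} content with matching extension"


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE bytes behind an image name
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # double extension
    ("notes.txt", b"meeting notes\n"),
]


def scan_all(attachments=SAMPLE_ATTACHMENTS):
    """Return {filename: verdict} for a batch; anything not 'ok' needs review."""
    return {name: inspect_attachment(name, data)[0] for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:20s} {verdict}")
```

The order of the checks matters: a PE file named `photo.jpg` is reported as a forged extension, while `invoice.pdf.exe` honestly claims `.exe` and is still quarantined as executable content, so neither disguise slips through by matching only one rule.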
Malware in Uniform Resource Locator (ITU-T X.1236 7.1.3, 8.1.3, 9.1.3)
Malicious URL attacks embed clickable links leading to malicious software within emails, aiming to lure recipients into visiting malicious websites. Malicious URLs can be embedded in large attachments or in email bodies. These attacks execute malicious software not only when users click URLs in emails or ordinary attachments but also when they forward them.
To counter malicious URL attacks, organizations need endpoint URL monitoring that follows chains of linked URLs to their final destinations and checks every URL for malware. Organizations must conduct URL post-delivery testing that reviews URL access in real time when users open URLs after receiving emails and restricts access when threats are detected. Finally, organizations must convert URLs to images to prevent recipients from accidentally clicking and opening malicious URLs.
Countermeasures Against Social Engineering Attacks
Social engineering attacks exploit psychological or social factors to deceive individuals into revealing confidential or personal information. Rather than using technical methods for system intrusion, these attacks rely on deception and manipulation to trick individuals into providing sensitive information or performing actions that compromise security.
According to ITU-T X.1236, social engineering attacks via email are classified into four distinct attack types.
Forged Header (ITU-T X.1236 7.2.1, 8.2.1, 9.2.1)
Forged header refers to attackers forging account information in email headers to avoid detection; for example, forging the sender address to impersonate the help desk of a well-known company.
To counter forged header attacks, organizations must block or warn users when reply-to email addresses differ from the actual sender addresses in incoming emails.
Additionally, it is essential to verify whether the sender's emails pass email authentication protocols such as SPF and DKIM, and to detect email forgery through the IP address and domain reputation of the sender.
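The two forged-header checks above (a Reply-To that diverges from the From domain, and SPF/DKIM outcomes) as an added example that is not code from the page. It reads the `Authentication-Results` header that the receiving mail server stamps on a message, so it assumes that header is present and trustworthy at the point where the check runs; both sample messages are constructed.

```python
"""Two checks against forged headers: Reply-To/From domain mismatch and
SPF/DKIM results from the receiving server's Authentication-Results header.

Added example, not code from the page; the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed: a spoofed help-desk mail whose replies go elsewhere and which
# failed SPF at the edge MX.
SPOOFED_MESSAGE = """\
From: "IT Help Desk" <helpdesk@example.com>
Reply-To: support-desk@mail-relay.example.net
To: user@example.com
Subject: Password reset required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Your password expires today. Reply to this message to keep your account active.
"""

# Constructed: a message that passed SPF and DKIM and has no divergent Reply-To.
LEGITIMATE_MESSAGE = """\
From: "IT Help Desk" <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Mail will be unavailable Saturday 02:00-03:00.
"""


def header_domain(value: str) -> str:
    """Domain part of an address header ('"Name" <a@b.example>' -> 'b.example')."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value: str) -> Dict[str, str]:
    """Pull spf=, dkim= and dmarc= outcomes out of an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", value or "")
        if match:
            results[method] = match.group(1).lower()
    return results


def check_headers(raw_message: str) -> List[str]:
    """Return a list of findings; an empty list means the header checks passed."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = header_domain(msg.get("From", ""))
    reply_domain = header_domain(msg.get("Reply-To", ""))
    # Check 1: replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Check 2: SPF and DKIM must both have passed at the receiving server.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim"):
        outcome = auth.get(method, "missing")
        if outcome != "pass":
            findings.append(f"{method.upper()} result is '{outcome}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, check_headers(raw) or ["no findings"])
```

A message with any finding is a candidate for the block-or-warn decision described above; a missing `Authentication-Results` header is itself reported, since an absent result is not the same as a pass.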
Look-alike Domain (ITU-T X.1236 7.2.2, 8.2.2, 9.2.2)
Look-alike domain refers to attacks where cybercriminals send malicious emails from domains similar to the email addresses of familiar senders.
To counter look-alike domain attacks, it is essential to calculate domain similarity. If the sender's domain is identified as a look-alike domain based on the user's accumulated email history, the system must alert the user to the similarity risk level and block the email accordingly. The criteria for identifying these attacks include letter-count differences in email addresses and cases where the top-level domains (TLDs) differ. Additionally, security administrators should be able to register suspicious fraudulent email addresses directly.
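The similarity scoring described above, as an added example that is not code from the page: the sender's domain is compared with the domains in the user's history by edit distance, a TLD swap on an otherwise identical name is treated as a look-alike, and an administrator-maintained blocklist is consulted first. The known-domain list, the blocklist and the distance thresholds are constructed assumptions.

```python
"""Look-alike domain scoring against a user's accumulated sender history.

Added example (not the page's code). The known-domain list, the blocklist and
the thresholds are constructed assumptions; a deployment would derive the known
list from the user's mail history and let administrators maintain the blocklist.
"""
from typing import Iterable, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'example.com' into ('example', 'com').

    Assumption: the last label is the TLD. Multi-label suffixes such as
    'co.uk' would need a public-suffix list.
    """
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def assess_sender_domain(domain: str, known_domains: Iterable[str],
                         blocklist: Iterable[str] = (), max_distance: int = 2) -> Tuple[str, str]:
    """Return (action, reason) where action is 'allow', 'warn' or 'block'."""
    domain = domain.lower()
    if domain in set(blocklist):
        return "block", "administrator-registered fraudulent domain"
    known = [k.lower() for k in known_domains]
    if domain in known:
        return "allow", "exact match with a known sender domain"
    name, tld = split_domain(domain)
    for candidate in known:
        cname, ctld = split_domain(candidate)
        # Same name, different TLD: e.g. example.co standing in for example.com.
        if name == cname and tld != ctld:
            return "block", f"same name as {candidate} with a different TLD"
        distance = levenshtein(name, cname)
        if distance <= max_distance:
            if distance == 1:
                return "block", f"high risk: one edit away from {candidate}"
            return "warn", f"medium risk: {distance} edits away from {candidate}"
    return "allow", "no similarity to known sender domains"


# Constructed sample data standing in for a user's mail history and admin list.
KNOWN_SENDER_DOMAINS = ["example.com", "partner-bank.com"]
ADMIN_BLOCKLIST = ["example-billing.net"]


if __name__ == "__main__":
    for d in ("example.com", "examp1e.com", "exarnple.com", "example.co",
              "partnerbank.com", "example-billing.net", "unrelated-corp.org"):
        print(f"{d:22s} {assess_sender_domain(d, KNOWN_SENDER_DOMAINS, ADMIN_BLOCKLIST)}")
```

Exact matches are accepted before any distance is computed, so a genuine known sender is never flagged; one-edit look-alikes (`examp1e.com`, `partnerbank.com`) are blocked outright, two-edit ones are surfaced to the user as a warning, and anything beyond the threshold is left alone.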
Account Take-over (ITU-T X.1236 7.2.3, 8.2.3, 9.2.3)
Account take-over refers to attacks where attackers steal actual user email accounts, log in, search user email history, then request payment account changes or exfiltrate confidential information stored within the account.
To counter account takeover attacks, organizations must analyze sender email data and detect changes in the sender's geographic location. When the sender location of an incoming email differs from that of previously received emails, or when the email server Internet Protocol (IP) address or transmission route is inconsistent with previous ones, the system should either alert the user or block the email.
Uniform Resource Locator Phishing (ITU-T X.1236 7.2.4, 8.2.4, 9.2.4)
Uniform resource locator (URL) phishing refers to attacks designed to deceive users into providing confidential information. Cybercriminals make emails appear to originate from reliable institutions, luring users to access URLs and directly enter login credentials or personal information.
To counter URL phishing attacks, it is essential to track the final destinations of URLs in mail contents, check for web pages that solicit personal information, and issue warnings. In particular, it is necessary to check whether the destination web pages contain input text boxes soliciting credentials such as IDs and passwords.
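The final-destination tracking from the malicious URL section and the credential-form check above, as one added example that is not code from the page. The redirect map stands in for following HTTP 3xx responses, the two HTML pages are constructed, and the trusted-domain allowlist (so that a genuine login page on the organization's own domain is not flagged) is an assumption added here rather than something the page specifies.

```python
"""Follow a URL's redirect chain to its final destination and check whether the
landing page solicits credentials.

Added example, not the page's code. The redirect map, HTML pages and trusted
domain list are constructed stand-ins for live fetches and an allowlist.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Substrings that suggest a text input is asking for an identifier or secret.
CREDENTIAL_HINTS = ("user", "login", "email", "pass", "pwd", "otp", "account", "card", "ssn")


class CredentialFormScanner(HTMLParser):
    """Counts password fields and credential-looking text inputs in an HTML page."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.credential_like_inputs = 0
        self.form_actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            input_type = (a.get("type") or "text").lower()
            label = " ".join(v for v in (a.get("name"), a.get("id"), a.get("placeholder")) if v).lower()
            if input_type == "password":
                self.password_inputs += 1
            elif input_type in ("text", "email", "tel", "number") and any(h in label for h in CREDENTIAL_HINTS):
                self.credential_like_inputs += 1


def resolve_final_url(url: str, redirects: Dict[str, str], max_hops: int = 10) -> List[str]:
    """Walk a redirect map (constructed stand-in for HTTP 3xx responses) and
    return the full chain; the last element is the final destination."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in chain:  # loop protection
            break
        chain.append(url)
    return chain


def host_is_trusted(url: str, trusted_domains: Set[str]) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def assess_landing_page(html: str, final_url: str, trusted_domains: Set[str]) -> str:
    """'allow' if the page has no credential form, or has one on a trusted host;
    'warn' when an untrusted host solicits credentials."""
    scanner = CredentialFormScanner()
    scanner.feed(html)
    solicits = scanner.password_inputs > 0 or scanner.credential_like_inputs >= 2
    if not solicits or host_is_trusted(final_url, trusted_domains):
        return "allow"
    return "warn"


# Constructed data.
REDIRECTS = {
    "http://short.example/abc": "http://track.example.net/r?id=abc",
    "http://track.example.net/r?id=abc": "https://accounts-example.example.net/signin",
}
PHISHING_HTML = """<html><body><form action="/submit">
<input type="email" name="username" placeholder="Work email">
<input type="password" name="password">
<button>Sign in</button></form></body></html>"""
BENIGN_HTML = """<html><body><form action="/search">
<input type="text" name="q" placeholder="Search"></form></body></html>"""
TRUSTED_DOMAINS = {"example.com"}


def check_link(url: str, page_html: str, trusted: Set[str] = TRUSTED_DOMAINS) -> str:
    """Resolve the link, then judge the page served at the final destination."""
    final = resolve_final_url(url, REDIRECTS)[-1]
    return assess_landing_page(page_html, final, trusted)


if __name__ == "__main__":
    print(resolve_final_url("http://short.example/abc", REDIRECTS))
    print(check_link("http://short.example/abc", PHISHING_HTML))
```

The judgement is made on the host at the end of the chain, not on the shortener the user clicked, which is the point of tracking final destinations: the short link looks harmless, while the page it eventually lands on asks for a work email and a password on a host the organization does not own.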
Outbound Email Attacks by Attackers
Hackers can steal accounts to launch secondary attacks targeting associated accounts, and may gain unauthorized access to email servers to access company email accounts. Therefore, appropriate countermeasures are required.
Account Takeover (ATO) (ITU-T X.1236 7.4.1, 8.4.1, 9.4.1)
Outbound email attacks typically begin after user accounts are stolen. Through the stolen accounts, hackers exploit the personal information of others found in the users' incoming and outgoing emails to send indiscriminate follow-up emails. Accounts associated with compromised users may become secondary targets and subsequently be reused in phishing attacks.
One of the most common characteristics of account takeover (ATO) attacks is that hackers log into accounts or send emails from unusual IP addresses or foreign countries. Therefore, organizations must restrict account access to specific IP addresses and countries to prevent ATO attacks. Additionally, organizations must apply malware detection to outbound emails at the same level as to incoming emails, because hackers who take over accounts send emails containing malware to other users, spreading further damage.
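The location-consistency checks from the inbound account take-over section (sender country or server IP inconsistent with previously received mail) and the per-account country restriction above, as one added example that is not code from the page. `GEOIP` is a constructed stand-in for a GeoIP database, and the allowed-country policy and the event log are made up for illustration.

```python
"""Geolocation consistency checks for account-takeover detection.

Added example, not code from the page. GEOIP is a constructed stand-in for a
GeoIP database, and the allowed-country policy and event log are made up.
Two checks are shown: (1) an inbound sender whose country or server IP differs
from previously received mail, and (2) an account accessed from outside the
countries configured for it.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GEOIP: Dict[str, str] = {            # constructed lookup table
    "203.0.113.10": "KR", "203.0.113.11": "KR",
    "198.51.100.7": "US", "192.0.2.99": "RU",
}


def country_of(ip: str) -> str:
    return GEOIP.get(ip, "??")       # '??' = unknown, treated as suspicious


class SenderHistory:
    """Per-sender record of the countries and server IPs previously seen."""

    def __init__(self):
        self._seen = defaultdict(lambda: {"countries": set(), "ips": set()})

    def observe(self, sender: str, ip: str) -> None:
        profile = self._seen[sender]
        profile["countries"].add(country_of(ip))
        profile["ips"].add(ip)

    def assess_inbound(self, sender: str, ip: str) -> str:
        """'allow' for a known IP, 'alert' for a new IP in a known country,
        'block' for a new country or an unresolvable IP. First contact is
        recorded and allowed since there is nothing to compare against."""
        profile = self._seen[sender]
        country = country_of(ip)
        if not profile["ips"]:
            self.observe(sender, ip)
            return "allow"
        if ip in profile["ips"]:
            return "allow"
        if country == "??" or country not in profile["countries"]:
            return "block"
        return "alert"   # new IP is not recorded until a user or admin confirms it


ALLOWED_COUNTRIES: Dict[str, Set[str]] = {     # constructed per-account policy
    "alice@example.com": {"KR"},
    "bob@example.com": {"KR", "US"},
}


def check_account_access(account: str, ip: str,
                         policy: Dict[str, Set[str]] = ALLOWED_COUNTRIES) -> str:
    """'allow' when the source country is configured for the account, else 'deny'."""
    return "allow" if country_of(ip) in policy.get(account, set()) else "deny"


# Constructed event log: (kind, principal, ip)
EVENTS: List[Tuple[str, str, str]] = [
    ("inbound", "vendor@partner-bank.com", "203.0.113.10"),   # first contact, recorded
    ("inbound", "vendor@partner-bank.com", "203.0.113.10"),   # same server again
    ("inbound", "vendor@partner-bank.com", "203.0.113.11"),   # new IP, same country
    ("inbound", "vendor@partner-bank.com", "192.0.2.99"),     # new country
    ("login",   "alice@example.com",       "203.0.113.10"),
    ("login",   "alice@example.com",       "192.0.2.99"),     # outside allowed countries
    ("login",   "bob@example.com",         "198.51.100.7"),
]


def run_events(events=EVENTS) -> List[str]:
    """Replay the log through both checks and return one verdict per event."""
    history = SenderHistory()
    verdicts = []
    for kind, principal, ip in events:
        if kind == "inbound":
            verdicts.append(history.assess_inbound(principal, ip))
        else:
            verdicts.append(check_account_access(principal, ip))
    return verdicts


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run_events()):
        print(f"{event[0]:8s} {event[1]:26s} {event[2]:14s} {verdict}")
```

An account with no configured countries is denied from everywhere, which is the safe default for the "specific IP addresses and countries" restriction; a sender's first message is accepted only because there is no history yet, which is why the history must be populated from existing mail before the check is relied upon.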
Unauthorized Email Server Access (ITU-T X.1236 7.4.2, 8.4.2, 9.4.2)
Unauthorized email server access is a type of outbound attack where hackers take control of servers. Hackers can gain unauthorized access to users’ company email accounts with stolen account credentials. For example, when email servers are compromised, attackers can retrieve user passwords, which can grant hackers access to other hosts on organizational networks.
To counter unauthorized email server access, organizations must block access to webmail services from unregistered SMTP (Simple Mail Transfer Protocol) servers and countries. Organizations must thoroughly record all access attempts in email server logs to detect unauthorized email servers, and block email transmission when the sender's SMTP information does not match the user-configured SMTP server.
References
https://www.ibm.com/kr-ko/reports/threat-intelligence
https://www.packetlabs.net/posts/what-is-infostealer-malware-and-how-does-it-work/