2019 Webroot Threat Report: Forty Percent of Malicious URLs Found on Good Domains

Home User Devices are More Than Twice as Likely to Get Infected as Business Devices

Explore the 2019 Webroot Threat Report

Notable Findings:

  • 40 percent of malicious URLs were found on good domains. Legitimate websites are frequently compromised to host malicious content. To protect users, cybersecurity solutions need URL-level visibility or, when that is unavailable, domain-level metrics that accurately represent the dangers.
  • Home user devices are more than twice as likely to get infected as business devices. Sixty-eight percent of infections are seen on consumer endpoints, versus 32 percent on business endpoints.
  • Phishing attacks increased 36 percent, with the number of phishing sites growing 220 percent over the course of 2018. Phishing sites now use SSL certificates and HTTPS to trick internet users into believing they are secure, legitimate pages. Seventy-seven percent of phishing attacks impersonated financial institutions, and were much more likely to use HTTPS than other types of targets. In fact, for some of the targeted financial institutions, over 80 percent of the phishing pages used HTTPS. Google was found to be the most impersonated brand in phishing overall.
  • After 12 months of security awareness training, end users are 70 percent less likely to fall for a phishing attempt. Webroot found that organizations that combine phishing simulation campaigns with regular training saw a 70 percent drop in phishing link click-through.
  • Nearly a third of malware tries to install itself in %appdata% folders. Although malware can hide almost anywhere, Webroot found several common locations, including %appdata% (29.4 percent), %temp% (24.5 percent), and %cache% (17.5 percent), among others. These locations are prime for hiding malware because these paths are in every user directory with full user permissions to install there. These folders also are hidden by default on Windows® Vista and up.
  • Devices that use Windows 10 are at least twice as secure as those running Windows 7. Webroot has seen a relatively steady decline in malware on Windows 10 machines for both consumer and business.
  • Despite the decrease in cryptocurrency prices, cryptomining and cryptojacking are on the rise. The number of cryptojacking URLs Webroot saw each month in the first half of the year more than doubled in the period from September through December 2018. These techniques can be more lucrative than ransomware attacks, since they don’t require waiting for the user to pay the ransom, and they have a smaller footprint. As far as web-based cryptojacking, Coinhive still dominates with more than 80 percent market share, though some new copycat cryptojacking scripts are gaining in popularity.
  • While ransomware was less of a problem in 2018, it became more targeted. We expect major commodity ransomware to decline further in 2019; however, new ransomware families will emerge as malware authors turn to more targeted attacks, and companies will still fall victim to ransomware. Many ransomware attacks in 2018 used the Remote Desktop Protocol (RDP) as an attack vector, leveraging tools such as Shodan to scan for systems with inadequate RDP settings. These unsecured RDP connections may be used to gain access to a given system and browse all its data as well as shared drives, providing criminals enough intel to decide whether to deploy ransomware or some other type of malware.

Key Quote:

Hal Lonas, CTO, Webroot:

“We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year’s report to know that the true innovators are the cybercriminals. They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses today is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset—not a weak link—in your cybersecurity program.”

About the 2019 Webroot Threat Report

The 2019 Webroot Threat Report presents analysis, findings and insights from the Webroot Threat Research team on the state of cyber threats. The report analyzed more than 32 billion URLs, 750 million domains, all 4.2 billion IPv4 and in-use IPv6 IP addresses, 62 million mobile apps, and 31 billion file behavior records. The statistics presented in this annual threat report are derived from metrics automatically captured and analyzed by the Webroot® Platform, our advanced, cloud-based machine learning architecture. This system provides proactive protection for users and networks against both known and zero-day, never-before-seen and advanced persistent threats. Threat intelligence produced by the platform is used by Webroot® endpoint security products and by technology partners through Webroot BrightCloud® Threat Intelligence Services.

About Webroot

Webroot was the first to harness the cloud and artificial intelligence to protect businesses and individuals against cyber threats. We provide the number one security solution for managed service providers and small businesses, who rely on Webroot for endpoint protection, network protection, and security awareness training. Webroot BrightCloud® Threat Intelligence Services are used by market-leading companies like Cisco, F5 Networks, Citrix, Aruba, Palo Alto Networks, A10 Networks, and more. Leveraging the power of machine learning to protect millions of businesses and individuals, Webroot secures the connected world. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at webroot.com.