BlackFog Global Threat Statistics Q1 2019

BlackFog collected threat statistics on a global basis during the first quarter of 2019. What follows is a summary of the threats determined via data exfiltration techniques across Windows, Mac, Android and iOS clients. Third party use is granted with appropriate attribution back to BlackFog.

During the first quarter of 2019 BlackFog saw continued focus by both Russia and China to exfiltrate data back to servers within their borders. This represented 20% of total threats and 50% of threats by all other countries combined. Russia represented 15.5% and China 4.1%. This does not include anonymized, advertising or profiling servers which would increase these numbers significantly.

With the exception direct or raw IP addresses, PowerShell attacks now represent 5.65% of all threat vectors. With the increased sharing and sophistication of cybercriminal networks working code is quickly leveraged. Hence, the increase in the use of PowerShell and fileless attacks. In fact PowerShell attack vectors represent 9.24% of attacks when data exfiltration by country threats are excluded.

Direct, or raw IP addresses still represent a major problem and are used in 48.8% of all attacks. This provides an easy way for cybercriminals to obfuscate an attack and anonymize their location. Unfortunately, some legitimate applications still employ direct IP’s instead of using common domain names. There is no reason this should be employed in a working application, unless the vendor is trying to also hide their actions.

The Dark Web continues to provide a network for cybercriminals to steal your data and evade detection. This underground network is routinely used to transact and exchange data with other cybercriminals. It represented 3.9% of attacks in the first quarter of 2019.

Lastly, spyware and ransomware contributed 2.6% to the total number of threats.