Written by Chris Bing

Hackers overwhelmingly prefer to target email accounts as their entry point into organizations now, and it’s causing a massive drop in exploit kit usage, according to new research conducted by Symantec.

The findings underscore a significant and recent transformation in the way that attackers generally seek to compromise systems; a trend that’s greatly accelerated over the last 12 months, Symantec found.

“Malicious activity from exploit kits dropped by 60 percent in 2016, with our research indicating that attackers are now favoring email as a primary infection vector,” Symantec’s 2017 Internet Security Threat Report reads. “[Conversely,] email malware rates increased in 2016, from 1 in 220 emails to 1 in 131 emails” — a statistic largely driven by bot nets dispensing ransomware, said Bill Wright, director of government affairs for Symantec.

The change has resulted in a reliance on what Symantec calls “living off the land” tactics. This translates into hackers shifting towards operating system features, repurposed admin tools and cloud services to compromise networks rather than traditional toolkits full of malware and zero-day vulnerabilities.

Some of the most high-profile cyberattacks in 2016 used a combination of spear-phishing emails and booby-trapped Microsoft Word or Excel files to encourage a user to download a PowerShell script that provided remote access. JavaScript and Office macro downloaders, popularly used in spamming operations, are easy to use and more difficult to detect than exploit kits, experts say.

Exploits kits typically leverage security holes evident in popular, web browsing software products, like Adobe Flash, Microsoft Silverlight and Java, to download a payload onto a victim computer. In other words, kits are designed to specifically target web-based applications with the purpose of identifying vulnerabilities in client machines to upload and then execute malicious computer code.

“From an economic standpoint, if you don’t need these exploits then it’s not worth your time. It takes a lot of time, energy and resources to keep a fresh batch of exploits, especially when email is so much easier now,” said Wright. “Tool kit makers are always competing with one another, so there’s some economics at play as well.”

Because exploit kits typically require maintenance of a backend infrastructure, they’re sometimes seen as less reliable and more burdensome than phishing campaigns — which usually involve sending automated emails, containing malware-laden attachments.

“Consideration must be given to all of the administrative overhead involved with maintaining a kit. Kits are run by cybercriminal services that are continually being chased and stomped out by the research community. For an exploit kit to be successful, work must be done to keep traffic and infection rates high,” a senior cyber intelligence analyst with Symantec’s Managed Adversary and Threat Intelligence group told CyberScoop. “This means that actors will burn through resources and will continually seek to harvest more.”

The drop in exploit kit usage is not necessarily indicative of improved security measures across the internet, however.

While website-centric attacks dropped by roughly 30 percent year-over-year between 2015 and 2016, roughly 76 percent of all websites scanned by Symantec still contained exploitable coding vulnerabilities — representing the exact same percentage found in 2014 and just 2 percent less than in 2015.

“The drop in exploit kits is significant, but it does not necessarily mean the threat from attackers is decreasing, rather they are using different methods to spread threats,” according to Symantec.