The Threat From Spam Remains a Serious One
This highlights the importance of email filtering and antivirus software for businesses.
Spammed Malware Attachments with a Twist
Spam with malicious attachments is still a time-honoured tradition among cybercriminals. As noted, 3.3% of all spam carried a malicious attachment. Most of these were standard Win32 executable files, but a significant number were HTML files that, when opened, directed the user to Blackhole. Like the messages with malicious links, these attachments also originated from Cutwail bots. In fact, Cutwail operators simply alternate between executables, HTML file attachments and malicious links from day to day.
Phishing Remained Constant
Levels of traditional phishing, in which users are lured to websites and asked to enter personal data, are relatively low. Currently around 0.17% of spam is phishing, the same as last year. As with malicious spam, there has also been a trend towards using HTML attachments, where users are encouraged to enter data into an attached form.
Targeted Attacks Often Start With Email
Concern over targeted attacks is increasing. In previous years and currently, the initial attack is frequently carried out by email, and this situation shows no sign of abating.
Targeted attacks are often thought to be ultra-sophisticated and cutting-edge, using clever zero-days and custom malware. In fact, they are usually mundane, with messages taking advantage of:
- Social engineering: Common email themes are conferences, internal communications, employee reviews, surveys, meeting invitations and security updates.
- Context: The email makes sense to an employee of that organization.
- Homework: Attackers do their research, collect employee email addresses, and change the “From” field so the message appears to come from someone known to the organization.
- Attachments/links: There is typically a malicious attachment (.doc, .xls, .pdf) that contains exploit code. Executable file attachments and links are also used.
A few public examples from the last year:
About 20 individuals from a defence industry firm were subject to an attack that featured a loaded PDF file that purported to be an Employee Satisfaction Survey. The PDF file exploited a zero-day flaw (CVE-2011-2462), which installed Sykipot, known malware associated with targeted attacks for the past two years.
Another defence contractor was targeted by an email attack involving a malicious Word file, which exploited a vulnerability in Windows Common Controls (CVE-2012-0158). The installed malware was a backdoor Trojan known as “PittyTiger.”
A journalist at a press freedom organization was targeted by an email that was carefully crafted to appear to be from a colleague at a sister organization, with a subject of “Fw: Journalists arrested in Gambia.” The email contained a password-protected zip file with an executable file disguised as an image.
Attacks using malicious Word documents were carried out against a range of organizations with the PlugX Remote Access Tool (RAT). PlugX and its cousin Poison Ivy are examples of malware that appear to be custom-made for such targeted attacks.
----------------------------
Email is an easy way for cybercriminals to distribute malware. With the rise of mobile computing and email on-the-go, email will continue to be important to individuals and businesses alike.
To protect against the impact of email attacks, Topsec Technology recommends that organisations consider multiple protective layers of Internet security, including:
• Email filtering solutions such as Blockmail with spam filters, antivirus software for business and content filtering capability.
• Email filtering services that check for and flag suspicious attachments, including executables, HTML files and password-protected archives.
• Keeping client machines fully patched.
• Web security gateways for checking clicked links and landing pages.
• Antivirus software for business on client machines.
• User education on the nature of email attacks.
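The attachment check recommended above (flagging executables, HTML files and password-protected archives) can be sketched as follows. This is an added example, not Topsec or Blockmail code; the extension list, reason labels and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumed policy list, not from the article
HTML_EXT = (".html", ".htm")

def classify(name, data):
    """Return the reasons a single attachment should be flagged (empty list = clean)."""
    reasons, lower = [], name.lower()
    if data[:2] == b"MZ" or lower.endswith(EXEC_EXT):  # check content, not just the name
        reasons.append("executable")
    if lower.endswith(HTML_EXT) or data.lstrip()[:5].lower() == b"<html":
        reasons.append("html")
    if data[:4] == b"PK\x03\x04":  # ZIP local file header
        try:
            infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
        except zipfile.BadZipFile:
            return reasons + ["malformed-archive"]
        if any(i.flag_bits & 0x1 for i in infos):  # bit 0 set = entry is encrypted
            reasons.append("password-protected-archive")
        # Member names stay readable even when the contents are encrypted.
        if any(i.filename.lower().endswith(EXEC_EXT) for i in infos):
            reasons.append("executable-in-archive")
    return reasons

def scan_message(raw):
    """Map attachment filename -> reasons, for every flagged attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = ((p.get_filename() or "(unnamed)", p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments())
    return {name: r for name, data in parts if (r := classify(name, data))}

def constructed_sample():
    """Constructed message: harmless text in a ZIP marked as encrypted, an HTML form, a note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"constructed placeholder, not a real program")
    z = bytearray(buf.getvalue())
    z[z.index(b"PK\x01\x02") + 8] |= 0x1  # set the encrypted flag in the central directory
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip", filename="images.zip")
    msg.add_attachment(b"<html><form></form></html>", maintype="text", subtype="html",
                       filename="form.html")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(constructed_sample()))
```

A filter cannot scan inside an encrypted archive, which is why the encryption flag itself is treated as a reason to flag or quarantine the message.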
