Web still king, but email stages scam comeback

Trust, but verify. That was the motto of President Ronald Reagan. It also ought to be the motto of everyone who uses email.

Security vendors Sophos and Kaspersky Lab both have in recent days warned of scam emails using the names of well-established companies to try to lure victims to malware sites. The scheme is obvious, or ought to be -- they figure if they use a trusted name, victims will trust the link.

The scams have been present virtually since email began, but security experts say they are increasing at an accelerating pace.

Graham Cluley, senior technology consultant at Sophos, reported early last week on a "widespread malware campaign that has been spammed out, disguised as a communication from DHL Express." He said it claims to be a tracking notification.

A few days later, Cluley reported on emails claiming to be from companies like British Airways, LinkedIn, YouTube, Google and Amazon. "The truth is that the headers are forged, and the emails have been specially crafted to look like legitimate communications from online firms," he wrote.

"Clicking on the links could send your computer to Canadian pharmacy-like spam sites offering to sell you Viagra, or even webpages hosting malicious payloads," he wrote.

On Kaspersky Lab's Threatpost blog, Brian Donohue wrote: "Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users."

There are multiple other examples, purporting to come from American Express, Microsoft and others.

There are mixed opinions about whether this means that malware attacks are now more focused on email than web searches. Chester Wisniewski, a senior security adviser with Sophos, said web infections still impact more users than any other method.

"There has been an increase in malicious email, but it hasn't approached the amount of infections sourced from the web," he said. "It really is just a change in how email infections work. They used to be attached EXEs and SCRs that were simple Trojans. Most organizations are smart enough to block executables from entering through their email gateways, so criminals have moved on to HTML, PDF and RTF files."


But Bogdan Botezatu, senior e-threat analyst at Bitdefender, said web search malware "has now lost ground in terms of email spam bundled with malicious attachments or malicious links."

Botezatu said a Bitdefender study earlier this year found that of 264.6 billion spam messages sent daily, 1.14% carry attachments. "That means that, every day, about 300 million spam messages carry a malicious payload. We expect this trend to increase by 2% to 6% from one year to another," he said.

Cluley said it is difficult to compare the two types of attacks strictly in numerical terms. "Many attacks these days will incorporate aspects of both. An email may contain a link to a malicious website, or an email with a dangerous attachment may then download further code from the web," he said.

"I think we can safely say that neither web nor email threats are going away," Cluley said.

The best way to avoid all this trouble is to adopt some version of Reagan's motto. In his blog post, Cluley advises users to always be careful about clicking on links in unsolicited emails. "Hover over links with your mouse to tell where it's really going to before clicking, and keep your antivirus and anti-spam protection updated," he said.
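The "hover before clicking" check Cluley describes can also be applied automatically at a mail gateway. The following is an added example, not code from the article or from any vendor quoted in it: it parses a constructed HTML message posing as a DHL tracking notice and flags links whose visible text shows one host while the href actually points to another. All domains in it are invented placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a mail posing as a DHL tracking notice.
# Every domain here is a made-up placeholder for the example.
SAMPLE_EMAIL = """\
From: "DHL Express" <noreply@dhl.example>
Subject: Your shipment tracking notification
Content-Type: text/html; charset=utf-8

<html><body><p>Track your parcel here:
<a href="http://tracking-update.example.net/track.php?id=1">https://www.dhl.example/tracking</a></p>
<p>Or visit <a href="https://www.dhl.example/help">our help page</a>.</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lowercase hostname of a URL, or None when the string has no host part.
    return (urlparse(url).hostname or "").lower() or None

def suspicious_links(raw_message):
    """Return hrefs whose visible text shows a different host than the real target."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    flagged = []
    for href, text in collector.links:
        shown = host_of(text) if "://" in text else None  # only text that itself looks like a URL
        if shown is not None and host_of(href) != shown:
            flagged.append(href)
    return flagged
```

Links whose anchor text is a plain phrase ("our help page") are not flagged by this check; they still need the hover test or a reputation lookup on the target host.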

Stephen Cobb, a security evangelist at ESET, said to "'Be intelligent,' together with 'Be informed' and probably 'Be suspicious.'"

"I would also say that running good antivirus at all times adds a strong line of defense in addition to anything your browser, browser add-on, or email service is doing to keep you safe," Cobb said.

Another way to spot scams is to recall the grammar you learned in elementary school. Scams are frequently littered with grammatical mistakes.

One scam email circulating Monday, purporting to be a sweepstakes award from Microsoft, declared in a sentence fragment: "Where your email address (XXXX) emerged as one of the online Winning (sic) emails in the 2nd category and therefore attracted a cash award of 350,000.00 Euros (Three Hundred and Fifty Thousand Euros Only) and a (sic) HP laptop."

Cobb and others say some email providers are better than others at screening out scams. "Gmail is pretty good, largely because it can leverage Google's vast amount of traffic to spot malicious activity," Cobb said.

"But, of course, pretty good is not always good enough," he said. "I run Gmail in parallel with an unfiltered email app on some accounts and clearly Gmail learns about new malicious email campaigns pretty quickly, but I sometimes see infected documents and malicious links coming through Gmail, and these are usually first-of-a-kind attacks."

Bogdan Botezatu said while Gmail and Yahoo Mail block potentially malicious attachments, "it would be unreasonable to assume that any e-mail service could block these attachments with 100% accuracy."

J. Wolfgang Goerlich, an information security manager for a Michigan-based financial services firm, agrees that technology is part of the solution. "Organizations need to utilize and update spam filters to reduce the likelihood of scam emails getting to the end user," he said.

But given that signature controls always lag behind the scammers, he said, "people become the last line of defense. It is important for an organization to help its employees develop the equivalent of email street smarts."
