Macros big again with cybercriminals

Macro writers got better at evading security mechanisms, and drive-by downloads became harder to do

Up to a year ago, most phishing emails were all about tricking users into clicking on malicious links that led to malware downloads. Starting last fall, however, the use of attachments increased eight-fold, and that increase has persisted to this day, according to a new report from Proofpoint.

Attachments were barely on the radar at the start of 2014, but began slowly picking up in the spring, with growth accelerating in the fall. By the end of the year, phishing emails were evenly divided between URLs and attachments. Then URL use declined at the start of this year, and the use of attachments continued to climb, to the point where they were outnumbering URLs four-to-one by April.

And the trend seems to be accelerating. According to Proofpoint, there were 56 different campaigns that used macros to deliver the Dridex Trojan, sometimes delivering several million malicious emails in a single day.

There were two reasons for this, according to Kevin Epstein, vice president, advanced security and governance at Proofpoint. Macro writers got better at evading security mechanisms, and drive-by downloads became harder to do.

To successfully deploy malware via a browser download, the criminals has to discover a bug in the browser and write code to take advantage of that bug.

"It's not cheap or easy to find these flaws," Epstein said.

Plus, once the first malware campaign hits, everyone learns about the flaw, it gets fixed, people install the patches or updates, and the window of opportunity for the criminals narrows dramatically.

That's not the case with macros, however.

Despite all the training efforts, users continue to open phishing emails and click on attachments.

According to a Proofpoint report, users open 10 to 20 percent of all phishing emails, and click on one out of every 25 phishing attachments they receive. That's a success rate of around 4 percent -- double the success rates of legitimate advertising campaigns, said Epstein. That's because criminals have more tricks they can use than real companies.

[ USER ERROR: The things end users do that drive security teams crazy ]

"They're not bound by ethical constraints. they can spoof your friend's email address, or have an enticing subject line," he said.

Plus, attackers typically don't respect anti-spam legislation and will send out millions of emails at a time. With a 4 percent success rate, that translates into 40,000 downloads per million emails.

"If I initiate one successful bank transfer out of that, I'll have paid for my campaign times 10," he said. "The math works in their favor."

The attackers carefully track both their download rates and their attachment open rates, he said, and continually adapt their email content for maximum effectiveness.

Most recently, he said, those are very straightforward emails pretending to be from an electronic fax or email system, followed by invoices or financial transfer instructions.

When opened, the macros only activate when the user clicks on something in the document -- to see an enlarged version of a table, for example. That way, Epstein explained, they evade sandbox-based security.

Even if the user has macros disabled, they will regularly approve an override out of habit, he said.

"The weakest link, again, is us," he said.

The macro then installs a new piece of malware, usually the Dridex trojan, which quietly monitors the user's browsing history and steals banking credentials.

To battle this threat, Epstein recommends upgrading to the latest gateway security technology if the current system was installed more than a couple of years ago. And, in addition to initial protection, invest in targeted attack protection and threat response technologies, he added, for when malware does slip through.

Join the CSO newsletter!

Error: Please check your email address.

Tags trojanscyber attacksespionageproofpointsecurityphishing

More about Proofpoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place