Trust, but verify. That was the motto of President Ronald Reagan. It also ought to be the motto of everyone who uses email.
Security vendors Sophos and Kaspersky Lab both have in recent days warned of scam emails using the names of well-established companies to try to lure victims to malware sites. The scheme is obvious, or ought to be -- they figure if they use a trusted name, victims will trust the link.
The scams have been present virtually since email began, but security experts say they are increasing at an accelerating pace.
Graham Cluley, senior technology consultant at Sophos, reported early last week on a "widespread malware campaign that has been spammed out, disguised as a communication from DHL Express." He said it claims to be a tracking notification.
A few days later, Cluley reported on emails claiming to be from companies like British Airways, LinkedIn, YouTube, Google and Amazon. "The truth is that the headers are forged, and the emails have been specially crafted to look like legitimate communications from online firms," he wrote.
"Clicking on the links could send your computer to Canadian pharmacy-like spam sites offering to sell you Viagra, or even webpages hosting malicious payloads," he wrote.
On Kaspersky Lab's Threatpost blog, Brian Donohue wrote: "Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users."
There are multiple other examples, purporting to come from American Express, Microsoft and others.
There are mixed opinions about whether this means that malware attacks are now more focused on email than web searches. Chester Wisniewski, a senior security adviser with Sophos, said web infections still impact more users than any other method.
"There has been an increase in malicious email, but it hasn't approached the amount of infections sourced from the web," he said. "It really is just a change in how email infections work. They used to be attached EXEs and SCRs that were simple Trojans. Most organizations are smart enough to block executables from entering through their email gateways, so criminals have moved on to HTML, PDF and RTF files."
But Bogdan Botezatu, senior e-threat analyst at Bitdefender, said web search malware "has now lost ground in terms of email spam bundled with malicious attachments or malicious links."
Botezatu said a Bitdefender study earlier this year found that of 264.6 billion spam messages sent daily, 1.14% carry attachments. "That means that, every day, about 300 million spam messages carry a malicious payload. We expect this trend to increase by 2% to 6% from one year to another," he said.
Cluley said it is difficult to compare the two types of attacks strictly in numerical terms. "Many attacks these days will incorporate aspects of both. An email may contain a link to a malicious website, or an email with a dangerous attachment may then download further code from the web," he said.
"I think we can safely say that neither web nor email threats are going away," Cluley said.
The best way to avoid all this trouble is to adopt some version of Reagan's motto. In his blog post, Cluley advises users to always be careful about clicking on links in unsolicited emails. "Hover over links with your mouse to tell where it's really going to before clicking, and keep your antivirus and anti-spam protection updated," he said.
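Cluley's advice to hover over a link before clicking is really a check that the text you see matches where the link actually goes. The following is an added example, not code from the article or from any vendor quoted in it, that automates that check over a constructed HTML body: it flags anchors whose displayed URL points to a different domain than the real href, and anchors that name a brand but lead somewhere other than that brand's domain. The brand-to-domain table and the two-label domain heuristic are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a fake "tracking notification"; not a real message.
SAMPLE_HTML = """
<p>Your parcel could not be delivered.</p>
<a href="http://198.51.100.23/track.php?id=42">https://www.dhl.com/tracking</a>
<a href="https://www.dhl.com/help">Help centre</a>
<a href="http://dhl.com.example-updates.net/login">Sign in to DHL</a>
"""

# Assumed mapping of brand names to their legitimate domains (illustrative only).
KNOWN_BRANDS = {"dhl": "dhl.com", "linkedin": "linkedin.com", "amazon": "amazon.com"}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host name; a deliberate simplification that ignores
    multi-part TLDs such as co.uk, but enough to compare two hosts here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_links(html):
    """Return (href, reason) for each anchor whose appearance and destination disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # Case 1: the visible text is itself a URL, but its domain differs from the href.
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != target:
            findings.append((href, "displayed URL differs from real destination"))
            continue
        # Case 2: the text names a known brand, but the link leaves that brand's domain.
        for brand, domain in KNOWN_BRANDS.items():
            if brand in text.lower() and target != domain:
                findings.append((href, f"mentions {brand} but goes to {target or href}"))
                break
    return findings
```

Run `check_links(SAMPLE_HTML)` and the first and third anchors are reported while the genuine help-centre link passes.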
Stephen Cobb, a security evangelist at ESET, said to "'Be intelligent,' together with 'Be informed' and probably 'Be suspicious.'"
"I would also say that running good antivirus at all times adds a strong line of defense in addition to anything your browser, browser add-on, or email service is doing to keep you safe," Cobb said.
Another way to spot scams is to recall the grammar you learned in elementary school. Scams are frequently littered with grammatical mistakes.
One scam email circulating Monday, purporting to be a sweepstakes award from Microsoft, declared in a sentence fragment: "Where your email address (XXXX) emerged as one of the online Winning (sic) emails in the 2nd category and therefore attracted a cash award of 350,000.00 Euros (Three Hundred and Fifty Thousand Euros Only) and a (sic) HP laptop."
Cobb and others say some email providers are better than others at screening out scams. "Gmail is pretty good, largely because it can leverage Google's vast amount of traffic to spot malicious activity," Cobb said.
"But, of course, pretty good is not always good enough," he said. "I run Gmail in parallel with an unfiltered email app on some accounts and clearly Gmail learns about new malicious email campaigns pretty quickly, but I sometimes see infected documents and malicious links coming through Gmail, and these are usually first-of-a-kind attacks."
Bogdan Botezatu said while Gmail and Yahoo Mail block potentially malicious attachments, "it would be unreasonable to assume that any e-mail service could block these attachments with 100% accuracy."
J. Wolfgang Goerlich, an information security manager for a Michigan-based financial services firm, agrees that technology is part of the solution. "Organizations need to utilize and update spam filters to reduce the likelihood of scam emails getting to the end user," he said.
But he said given that signature controls always lag behind the scammers, "people become the last line of defense. It is important for an organization to help its employees develop the equivalent of email street smarts," he said.