SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Caught in the wild: A look at email scams and spam
Tue, 21st Aug 2018
FYI, this story is more than a year old

When we first opened our doors nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren't typically malicious. A lot has changed since then.

Today, cybercriminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defence is the human firewall.

The human what? In a world where organisations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at headquarters and everywhere else, the only thing between your company and a ransomware attack could be whether or not your users click or don't click on a malicious link.

Every day cybercriminals come up with a wide variety of phishing tactics with the intent of scamming innocent users. In May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts – the same email content, potentially sent to hundreds or even thousands of people. In most of June, Barracuda blocked 1.7 million phishing emails with over 2,000 unique attempts.

Here are some of the real attempts sent by criminals:

1. Money scam

Criminals attempt to scam users out of money. In similar attempts, we've also seen criminals try to acquire information or infect a computer with malware.

Money scams like this are fairly common. They often promise a large sum of money to the user like this one. When the recipient replies, the criminals usually request a smaller sum from the user, and in return, promises to send a larger sum back — which of course never happens.

2. Information scam

Cybercriminals attempt to gather information from a user. In this case, a spoofed bank message tries to convince the user to act on their request.

The criminals did a decent job of making this message appear to actually come from a bank. However, if the user clicks on the link, they could be prompted to enter their credentials in a different window — ultimately surrendering their username and password.

3. Malware distribution

Another common problem users face from phishing is the distribution of malware. The goal is to trick a user into either opening an attachment or clicking on a URL.

In this example, criminals are trying to convince the user to open an attachment by acting as if the document is pertaining to an urgent matter. For the malware to work, criminals have to get the user to install the software on their computer. Malware can be distributed in many forms including viruses, worms, bots, ransomware, password stealers and more.

4. Multiple file extensions

Phishing attempts often require a user to open an attachment to install malware. However, there are a lot of different ways criminals attempt to convince users to do this. One way is that they'll include attachments with multiple file extensions in an attempt to trick users into thinking that the file type is different than it actually is.

Here the criminals are using a “PDF.zip” file extension, which should raise a red flag to the user because they're two different file types. However, this could easily be looked past since they're also file types that most people would find familiar.

5. Disguised links

Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny.

The link itself doesn't look suspicious; however, the link actually points to an entirely different URL. Not only can links like this be used to spread malware, they can also direct users to sites set up by criminals to capture credentials or other personal information.

When unsure, don't click on a link. You can also hover the cursor over the link without clicking, to identify the actual location of a link.

6. Spear phishing   

While phishing refers to mass targeting, spear phishing messages are specifically crafted to target a single, specific individual to create a sense of trust with that person. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message is coming from a real source.

Effective spear phishing takes a great deal of reconnaissance about the target to increase the probability of a user actually falling for an attack. Here's an example where criminals actually took the time to register a deceptive domain that contains the name of an actual entity to appear legitimate.

They obviously want the message to appear like it's coming from Netflix; however, if you look closely at the URL, you'll notice that “Netfliix” is actually spelt incorrectly. This technique is called typosquatting, which is often used to sell the ruse when the attacker wants the user to click a link.

Take action 

All of these examples are just a small sample of the many variations of phishing scams criminals are sending out each day, but they certainly make the case for why today's users need to be properly trained to stay safe online.

The best defence against phishing and spear phishing is to make users aware of the threats and techniques used by criminals. The best approach is to implement a simulation and training program to improve security awareness for your users, to help them recognise subtle clues to identify phishing attempts.