If it works, why change it?

This is what malware creators must think when planning a spam campaign to spread their malicious code to as many potential victims as possible.

Spam has remained a preferred attack vector for decades, since its emergence in the early 1990s. We could say that spam is as old as the Internet itself! And malicious actors have never ceased to take advantage of this opportunity so they can achieve their wicked goals.

More than half of the security alerts we issued this year showed how cyber criminals used spam campaigns to spread malware (be it financial malware or ransomware) to reach as many potential victims as possible.

But if this is so common, how come spam emails still work?

We wanted to get to the bottom of this and help you understand why using spam to deliver malware is so popular in the cyber crime community. Let’s start with the “why”:

Why do cyber criminals prefer spam as an attack vector?

Although they don’t lack creativity when it comes to modifying malware strains to become more powerful, more harmful and more difficult to detect and remove, attackers still rely on spam campaigns because of several factors:

Spam is pervasive.

More than half of all email traffic in 2014 was spam, although the numbers have been gradually declining over the past 6 years.

[Figure: Global spam volume. Source: Statista]

Spam campaigns are cheap.

Cyber criminals rely on botnets to do the work and send spam emails to targeted victims. Botnets are networks of infected computers whose resources are used to deliver attacks against other unsuspecting users.

This way, users whose computers are already infected pay the price of the campaign (energy, data and hardware resource consumption).

Most owners whose computers are part of a botnet have no idea what’s going on. Millions of computers are part of these botnets, according to the data provided by TrendMicro, and there is no way to know exactly how many computers are compromised.

[Figure: Botnet activity map (TrendMicro)]

When looking at the countries where most spam emails come from, we can see where the largest botnets are located as well. The USA, China, Vietnam, Germany and Russia are the top 5 countries with most infected computers used to send spam campaigns.

[Figure: Origins of spam per country. Source: AV Test]

Spam reaches the potential victim directly.

It’s every cyber criminal’s dream to hit their potential victims as close to home as possible. And the user’s email address is what we could call home, if we’d ever look for one online.

A simple email can provide unmitigated access to a vulnerable victim, who can be persuaded in a number of ways to open that email, click the link inside or download the attachment. These actions usually trigger a malware infection.

Spam emails can include attachments and links.

Malicious actors have the opportunity to include infected attachments and links in spam emails. One click on the link and the victim is redirected to a rogue website that downloads malware onto the system. Just download the attachment and open it, and you can become infected with anything from spyware and financial malware to keyloggers or ransomware.

[Figure: Share of spam with attachment or URL, last 14 days. Source: AV Test]

It’s easy to target spam campaigns to reach a certain country or region.

Malware creators invest a lot of resources into harvesting email addresses so they can send their malicious campaigns (check out how they do it below). When collecting email addresses, they often know where their potential victims are from, so they can target their attacks to the countries or regions they are after.

Usually, cyber criminals choose rich, developed countries, where they know that victims have valuable data or considerable financial resources. They don’t always go for the money, but that’s often the objective.

Targeting a region also means that the attackers will localize the spam emails, translate them and use symbols that the potential victims recognize and trust. That is what makes spam emails so believable and that’s why so many Internet users are still deceived by them.

Spam gives attackers access to a large number of potential victims.

Besides allowing malware creators to create and deploy targeted campaigns, using spam to deliver malware also provides cyber criminals access to a huge number of potential victims.

Spam campaigns used to spread malware are usually massive, involving thousands of email addresses. This is especially the case for “spray & pray” campaigns, which are not targeted but rather sent and expected to “stick”.

The boom in devices and content makes it easy to deceive users.

The advent of smartphones and tablets and the decreasing costs of owning a computer have brought about unprecedented connectivity and access to technology. And a prerequisite of enjoying the web is to have an email address. That’s where everyone starts.

More devices > More email addresses > More potential victims > More spam

But not all these users are educated about the dangers of using the web without adequate protection. So technology adoption is moving at a faster pace than people can protect themselves from cyber threats.

This leaves a huge number of email users unprotected. Cyber criminals would never miss this opportunity!

This is also how malware creators use spam to maximize their impact, so now that we’ve seen why they prefer this method to other infection vectors, let’s talk about the “how”.

How do cyber criminals collect email addresses for their spam campaigns?

Harvesting email addresses is an important activity for cyber criminals, so they are always on the lookout for new ways to scale their efforts. Here are the top techniques they use to get their hands on thousands of emails:

  • Hacking company databases – this is a bold approach, but brings in huge amounts of data for attackers (just picture the Sony or OPM hacks);
  • Compromising mailing lists – attackers might also focus on hacking servers which host mailing lists;
  • Crawling websites and forums – if you’ve ever had a blog, you could’ve added a contact email address so that people can reach you; if it’s not protected, it will be harvested;
  • Phishing on social media channels – you’ve probably seen a tempting offer shared by one of your Facebook friends at least once; when clicking the link, the user is directed to a website that requires an email address to access it;
  • Tapping into your network connection (man-in-the-middle attack) – when you connect to an unprotected network, an attacker might eavesdrop on your data exchanges on the web and collect the information you provide, including your email address;
  • Ransomware – certain ransomware strains can be instructed to connect to the email accounts you are logged into when the infection happens to collect all your contacts and leak them to the cyber criminal controlled server (such is the case of the Post Denmark / PostNord attacks that have been unfolding for the past month);

  • Purchasing email databases on the dark web – cyber criminals like to go shopping too, and they can find and buy email addresses in bulk from other attackers who harvested them – and they’re not even that expensive (check out The Hidden Data Economy report from McAfee);
  • Compromising your browser – your browsers are one of the weakest spots in your system, and there are plenty of vulnerabilities in Chrome, Firefox and especially Internet Explorer that attackers can leverage to intercept the data you provide to different websites (including your email address);
  • Attacking your website domain contact points – if you’re a website owner, anyone can find out your email address by using the “whois” command or freely available databases;
  • Guessing – certain attackers resort to guessing email addresses, which they verify by sending test messages – if no error is returned, then the email is valid and can be used in the next attack;
  • Social engineering – cyber criminals may sometimes call you and pose as organizations you trust – they’ll also ask for your email address and maybe other information.



Who are the most vulnerable users?

Cyber crime relies heavily on psychological manipulation (also called social engineering) to achieve its damaging objectives. Attackers leverage technology and its vulnerabilities as well, but no attack can be deployed without “the human touch”.

Users’ curiosity, short attention span, tendency to multitask, but also their trust in certain organizations and lack of cyber security education are all psychological factors that cyber criminals use against potential victims.

This means that several user categories become even more vulnerable: the elderly, the young and users who are not experienced in matters of the web and lack even basic cyber security knowledge.

These users are not aware of what can happen if they click on a link or download an attachment from an email coming from an unknown sender. Sometimes, they can’t even identify an email as being spam or having potentially malicious content. Not to mention that they don’t even think of installing an antivirus or other cyber security software.

Because of this context, cyber attacks are often successful. Not only that, but these users also end up feeding the malware economy, by providing more vulnerabilities, having their machines enlisted in botnets and more.

What are the most common email spam types I should look out for?

There are several types of spam emails:

  • spam emails that advertise products, such as miraculous weight loss pills or sexual enhancers;
  • scams that try to trick you into paying money or give away personal information;
  • phishing emails which attempt to harvest sensitive information from unsuspecting victims, such as usernames, passwords, and credit card details;
  • blank spam – this is an empty email, sometimes without a subject line, used by cyber criminals to test the validity of the email address so they can then target that address with a malware-laden spam.

[Figure: Phishing attack statistics, 2015. Source: Kaspersky’s Spam and phishing in Q2 2015 Report]

There are several notorious types of spam campaign which you may see in your inbox from time to time and should avoid at all costs:

  • the money laundering scam (Nigerian scam) – you get an email from someone claiming to be your relative, who needs your help to retrieve a large sum of money that is the result of an inheritance;
  • the greeting card scam – you get an email claiming that a friend of yours has sent you an electronic greeting card which you can see by clicking a link;
  • the make money fast scam – someone emails you about a sure-fire way to increase your revenue in just a few weeks;
  • the travel scam – you receive an email with a holiday offer that seems too good to be true (it most likely is, of course);
  • the post office/delivery service scam – your local post office or a delivery company informs you that you weren’t home when they tried to deliver a package and that you should click a link to get more details (please, don’t!);
  • the bank phishing email – you get an email from your bank informing you that your account could be compromised if you don’t change your password and offers a link you can access to do so;
  • the online dating scam – a dating website appears in your inbox, advertising the opportunity to meet singles in your area;
  • the SEO spam – an email announces a Google algorithm update and offers professional help to handle the change;
  • the scan/fax spam – an email claiming to deliver a scan of an important document or an important fax;
  • the invoice spam – an email that pretends to be an invoice or a receipt for a product or service the user has purchased.

You can read about other potential dangers to avoid in this list of 11 online scams to stay away from.

How a spam email can trigger a cyber attack

The common attack pattern used by spam campaigns whose objective is to spread malware is the following:

Step 1: The unsuspecting victim opens the spam email.

There are two scenarios that can follow:

A. The user clicks a link in the email which redirects to a malware-infected website. That website drops a malicious payload (packet of data) onto the user’s system. The payload scans for vulnerabilities in software and finds a way to gain administrator privileges. The payload then communicates with the servers controlled by cyber criminals and gets its instructions to perform its tasks (collect information, encrypt the data, remain dormant until a banking website is accessed, etc.)

B. The user downloads the malicious attachment and opens it. The attachment includes a malicious payload that scans the system for vulnerabilities. The payload then connects to the server controlled by the attacker to get its command. Then the infection unfolds, according to its objective.

Don’t be fooled: as complicated a process as this may seem, it only takes a few seconds! And to think that it all starts with opening an email, a task we mindlessly perform on a daily basis, because it feels natural to us.

Kaspersky’s Spam and phishing in Q2 2015 report shows what the most common infections carried by spam emails in the past business quarter of 2015 are:

[Figure: Malicious email attachments]

An eloquent example: Dridex resurfaces

Only 10 days ago, on October 13, news about a huge takedown operation came to light: a bunch of command-and-control (C&C) servers used by the DRIDEX botnet were dismantled by the FBI and the National Crime Agency (NCA) in the UK.

That was excellent news for the cyber security community and for Internet users in general, because Dridex was one of the most dangerous banking infostealers, used to defraud Internet users of sizeable amounts of money (we’re talking millions of dollars/euros here).

But cyber criminals have bounced back faster than expected. The Heimdal Security team has observed that, in the last 24 hours, several massive spam campaigns have started to spread the Dridex malware once again.

Our intelligence indicates that traffic from the Dridex infrastructure continues to rise, in spite of the several attempts to disable the botnet made by several institutions. The botnet 220, which launches the campaigns, is especially active.

The unsolicited email arrives with the following contents:

From: [spoofed / fake return address]
Subject Line: INVOICE FOR PAYMENT – 7500005791

Invoice 7500005791.doc

The attached document uses macros to activate the payload. If the user who receives the email falls for the scam and opens the attachment, activating the content, the Dridex malware will be downloaded from several compromised web pages onto the system (sanitized by Heimdal Security):

For those with a technical knack, here is the server configuration, which proves that the payload is, in fact, Dridex 220:

<botnet>220</botnet>
<version>196733</version>
<system>23624</system>
<type>bot</type>

Dridex now uses a hybrid P2P network that employs multiple network layers to protect its infrastructure, which also acts as a safeguard against take down efforts operated by cyber security institutions.

Here are the P2P nodes, which were poisoned in the takedown attempts, that are now up and running again:

Antivirus detection for this campaign is satisfactory, with a total of 22 antivirus products detecting and blocking the threat (22/57 on VirusTotal):

[Figure: VirusTotal detection rates for the resurfaced Dridex campaign]

Click here to see the full detection rates at the time the campaign was first reported.
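With roughly a third of scanners flagging the payload, a structural check on the attachment is a useful second line at the mail gateway. The sketch below is an added example, not Heimdal Security's code: it flags attachments that carry a VBA macro project, judged by content rather than by file extension. The sample message, its addresses and its file names are constructed, and the `_VBA_PROJECT` byte search is a heuristic rather than a full OLE parse.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # legacy .doc/.xls/.ppt container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")    # OLE directory names are UTF-16LE


def macro_indicator(data):
    """Return a reason string if the bytes look like a macro-enabled Office file."""
    if data.startswith(OLE_MAGIC):
        if VBA_STREAM in data:
            return "OLE2 document with a _VBA_PROJECT stream"
        return None
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = [n.lower() for n in archive.namelist()]
        except zipfile.BadZipFile:
            return None
        if any(n.endswith("vbaproject.bin") for n in names):
            return "OOXML document containing vbaProject.bin"
    return None


def scan_message(raw):
    """Map attachment filename -> reason for every macro-enabled attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        reason = macro_indicator(part.get_payload(decode=True) or b"")
        if reason:
            findings[part.get_filename() or "(unnamed)"] = reason
    return findings


def build_sample():
    """Constructed message: fake OLE .doc with a VBA marker, a macro-bearing
    OOXML file named .docx, and a harmless PDF-like blob."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "INVOICE FOR PAYMENT - 0000000000"
    msg.set_content("Please see the attached invoice.")
    fake_doc = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Invoice 0000000000.doc")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/vbaProject.bin", b"constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="scan.docx")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()).items():
        print(f"QUARANTINE {name}: {reason}")
```

Because the check reads the file content, a macro-enabled document renamed to `.docx` is still caught, while the PDF passes through.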

How to protect yourself from spam and the malware infections it may carry

I know your inbox is probably already bombarded with spam, so let’s see what you can do to prevent a malware infection from making its way into your system via a junk email. We hope the tips below are enough to keep you safe, but if you were still struck by an infection, we recommend you check out our malware removal guide.

These tips are also helpful to keep your inbox protected from future spam emails and also safe from cyber attacks that use this attack vector.

What to do:


  • Before providing any personal information, including your email address, check the privacy policy of the websites that require this data. Do the same when it comes to forms, online surveys or emailing lists and never submit your email to websites that look shady or suspicious.
  • Only subscribe to newsletters and emails from entities you trust and unsubscribe from emails that clog your inbox unnecessarily.
  • Use an anti-spam solution or install email filters that can send any suspicious emails directly to the spam or trash folder.
  • Choose a reliable email service provider. Big ones like Yahoo!, Gmail and Outlook have incorporated spam filters that are pretty good at keeping you safe.
  • Never open an email from the spam folder. If the sender looks familiar, email him/her directly and ask him/her to forward you the email in case it was a legitimate one.
  • Install a reliable antivirus solution and keep it up to date. Enable real-time protection so it can scan for malware that might have made its way into your system.

  • Use a security solution that can filter your Internet traffic to protect you from malicious websites, phishing attempts and other dangerous web destinations.
  • Always keep your software up to date to close security holes and don’t leave room for vulnerabilities that cyber criminals can exploit.
  • Don’t open emails or email attachments from unknown senders. If you really, really have to, check the email address and verify the validity of the domain by typing it into your browser’s address bar.
  • If you receive any strange and suspicious emails, simply delete them, without opening them. If you open them, you might confirm to the cyber criminal that your email address is valid.
  • Check the “sent” folder or outgoing mailbox to see if there are any outgoing messages that were not sent by you. If you do find some, it’s possible that your email address was hacked. You should disconnect from the Internet, run an in-depth antivirus scan, run anti-malware software and see if they find any infections.
  • Set up a disposable email address you can use to sign up for online services or newsletters. That way, you can separate your main email address from one that could become a target for cyber criminals. It’s a very good idea to keep more than one email address, so you can also use them to retrieve your accounts if something should happen to one of these addresses.
  • Create aliases for your email address. Here’s the simple explanation from Microsoft’s Outlook:

An alias is an additional email address for your Microsoft account. It uses the same inbox, contact list, and account settings as the primary alias. You can sign in to your account with any alias—they all use the same password. You can send email from an alias whether you’re using a mail app like Outlook or a device such as a phone.

An alias is also the best way to change your email, but keep all your mail. Add an alias, then make the new alias primary. Then you can keep or remove the original alias.

Having an alias provides the opportunity to sign up for services with your email address, but in a way that it looks different, so you can set up filters in your inbox and don’t give out your real email address.

  • View emails in plain text. Spam emails can contain dangerous elements, as shown before, but not only links or attachments. There can be hidden code in their HTML elements, so the best way to avoid these dangers is to disable HTML and view them in plain text.
  • Don’t post your email address in plain sight on websites. Cyber criminals use spambots that crawl websites to search for email addresses to harvest. You can display an image that spells your email address or write it in this form: Marry_Poppins[at sign]emailprovider[dot]com. You can also use contact forms to fulfil the same purpose.
  • Report spam emails. If a spam or suspicious email reaches your inbox, mark it as spam so email service providers can know to flag it appropriately. Also, you can ask your Internet Service Provider to include malicious or spammy senders in their block lists.
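The “view emails in plain text” tip can be applied mechanically. The following added example (not part of the original article) renders an HTML body as plain text, drops script and style content, prints each link's real destination next to its label, and reports links whose visible text names a different host than the one they point to. The sample HTML and its example.com / example.net hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkAudit(HTMLParser):
    """Collect visible text and (anchor text, href) pairs; skip script/style."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.links = [], []
        self._href, self._anchor, self._skip = None, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self.text.append(f" <{self._href}> ")   # show the real target inline
            self._href = None

    def handle_data(self, data):
        if self._skip:
            return
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def audit_html(html):
    """Return (plain_text, mismatches); a mismatch is (shown_host, real_host)."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    mismatches = []
    for label, href in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(label)
        if not (shown and real):
            continue
        shown_host = shown.group(1).lower()
        # Same host or a subdomain of the shown host counts as consistent.
        if real != shown_host and not real.endswith("." + shown_host):
            mismatches.append((shown_host, real))
    plain = " ".join("".join(parser.text).split())
    return plain, mismatches


# Constructed sample in the style of the delivery-service scam described earlier.
SAMPLE_HTML = """<html><body><style>p{color:red}</style>
<p>We could not deliver your package.</p>
<a href="http://delivery.example.net/track?id=1">www.post.example.com/track</a>
<a href="https://www.post.example.com/help">post.example.com</a>
<script>var x = 1;</script></body></html>"""

if __name__ == "__main__":
    text, bad = audit_html(SAMPLE_HTML)
    print(text)
    for shown_host, real_host in bad:
        print(f"MISMATCH: text shows {shown_host}, link goes to {real_host}")
```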


What NOT to do:


  • Don’t give away your email address so easily. It may still not feel like your online actions have that big of an impact, but, in fact, they do. And losing an email address or having it hacked can be a bigger pain than you can imagine.
  • Don’t fall for scams. Teach yourself to remain alert and observant so you don’t fall for the scams mentioned previously. It can happen to the best of us, but we can avoid it if we carefully evaluate our online interactions. This can certainly become a habit and not a hassle.
  • Never reply to suspicious emails. Even if you’re fed up and would like to give that spammer or scammer a piece of your mind, it’s never a good idea to reply to such an email.



Many think that cyber criminals employ tactics that a regular Internet user could never understand, but, in fact, it’s not covering cyber security basics that gets people in trouble.

If you have a friend or a relative that could use this article, forward it to him or her. It may save you both time, effort and energy. Being ready and knowing how to handle a threat to your online safety are top skills that you’ll need for the future when everything is connected. And that’s not far away at all!
