Analysis: How Malware Creators Use Spam To Maximize Their Impact
Spreading malicious software through spam emails is still incredibly effective. Here’s why
If it works, why change it?
This is what malware creators must think when planning a spam campaign to spread their malicious code to as many potential victims as possible.
Spam has remained a preferred attack vector for decades since its emergence in the early 1990s. We could say that spam is as old as the Internet itself! And malicious actors have never ceased to take advantage of this opportunity so they can achieve their wicked goals. Let’s see how.
More than half of the security alerts we issued this year showed how cybercriminals used spam campaigns to spread malware (be it financial malware or ransomware) to reach as many potential victims as possible. According to the IBM X-Force Threat Intelligence 2017 report, spam has increased its volume by 44%. Even worse, almost 44% of spam emails contain malicious attachments. How bad is it?
85% of those malicious attachments are designed to spread ransomware.
Have you seen how much a Bitcoin goes for now? The most famous cryptocurrency of them all peaked in November 2017 at $7800 and the trend is upwards. If they encrypt your data, they will usually demand Bitcoin as ransom. Every single day, the cost of an attack grows higher.
But if this is so common, how come spam emails still work?
We wanted to get to the bottom of this. This article will show you why using spam to deliver malware is so popular with malicious hackers. Let’s start with the “why”.
Why do cybercriminals prefer spam as an attack vector?
Although they don’t lack creativity when it comes to modifying malware strains to become more powerful, more harmful and more difficult to detect and remove, attackers still rely on spam campaigns because of several factors:
Spam is pervasive.
The numbers have been declining or increasing over the past 6 years at an unpredictable rate, with a single certainty: spam is here to stay.
Source: CISCO via ZDNET
Spam campaigns are cheap.
And cybercriminals are just as lazy as you and me.
This fantastic report revealed that 83% of all spam is sent during weekdays, with spammers being the least active on Monday and Friday. Just like us, they have the Monday blues. Unlike most of us, their job is also automated.
Cybercriminals rely on botnets to do the work and send spam emails to targeted victims. Botnets are networks of infected computers whose resources are used to deliver attacks against other unsuspecting users.
This way, users whose computers are already infected pay the price of the campaign (energy, data and hardware resource consumption).
Most owners whose computers are part of a botnet have no idea what’s going on. Millions of computers are part of these botnets, according to the data provided by TrendMicro, and there is no way to know exactly how many computers are compromised.
When looking at the countries where most spam emails come from, we can see where the largest botnets are located as well. USA, China, Vietnam, Germany and Russia are the top 5 countries with most infected computers used to send spam campaigns.
Source: AV Test
Spam reaches the potential victim directly.
It’s every cyber criminal’s dream to hit their potential victims as close to home as possible. And the user’s email address is what we could call home if we’d ever look for one online.
A simple email can provide unmitigated access to a vulnerable victim. He/she can be tricked into opening that email, clicking the link inside or downloading the attachment. These actions usually trigger a malware infection.
Spam emails can include attachments and links.
Malicious actors have the opportunity to include infected attachments and links in spam emails. One click on the link and the victim is redirected to a rogue website that downloads malware onto the system. Just download the attachment and open it, and you can become infected with anything from spyware and financial malware to keyloggers or ransomware.
Source: AV Test
It’s easy to target spam campaigns to reach a certain country or region.
Malware creators invest a lot of resources into harvesting email addresses so they can send their malicious campaigns (check out how they do it below). When collecting email addresses, they often know where their potential victims are from, so they can target their attacks to the countries or regions they are after.
Source: AV Test
Don’t be deceived by the downward trend: it just means malware is now much more potent and specialized.
Usually, cybercriminals choose rich, developed countries, where they know that victims have valuable data or considerable financial resources. They don’t always go for the money, but that’s often the objective.
Targeting a region also means that the attackers will localize the spam emails, translate them and use symbols that the potential victims recognize and trust. That is what makes spam emails so believable and that’s why so many Internet users are still deceived by them.
Spam gives attackers access to a large number of potential victims.
Besides allowing malware creators to create and deploy targeted campaigns, using spam to deliver malware also provides cyber criminals access to a huge number of potential victims.
Spam campaigns used to spread malware are usually massive, involving thousands of email addresses. This is especially the case for “spray & pray” campaigns, which are not targeted but rather sent and expected to “stick”.
The boom in devices and content makes it easy to deceive users.
The advent of smartphones and tablets and the decreasing costs of owning a computer have brought about unprecedented connectivity and access to technology.
Couple that with the alarming growth of IoT devices (gadgets connected to the Internet, usually with an extreme lack of secure settings) and you have a godsend for malicious hackers.
A prerequisite of enjoying the web is to have an email address; it’s like your SSN or the most basic ID card.
More devices > More email addresses > More potential victims > More spam
But not all these users are educated about the dangers of using the web without adequate protection. So technology adoption is moving at a faster pace than people can protect themselves from cyber threats.
This leaves a huge number of email users unprotected. Cybercriminals would never miss this opportunity!
This is also how malware creators use spam to maximize their impact. Now that we’ve seen why they prefer this method to other infection vectors, let’s talk about the “how”.
How do cybercriminals collect email addresses for their spam campaigns?
Harvesting email addresses is an important activity for cybercriminals, so they are always on the lookout for new ways to scale their efforts. Here are the top techniques they use to get their hands on thousands of emails:
- Hacking company databases – this is a bold approach, but brings in huge amounts of data for attackers (the Equifax fiasco and the Yahoo one are still creating ripples);
- Compromising mailing lists – attackers might also focus on hacking servers which host mailing lists;
- Crawling websites and forums – if you’ve ever had a blog, you could’ve added a contact email address so that people can reach you; if it’s not protected, it will be harvested;
- Phishing on social media channels – you’ve probably seen a tempting offer shared by one of your Facebook friends at least once or failed to recognize a Tinder Bot; when clicking the link, the user is directed to a website that requires an email address to access it;
- Tapping into your network connection (man-in-the-middle attack) – when you connect to an unprotected network, an attacker might eavesdrop on your data exchanges on the web and collect the information you provide, including your email address;
- Ransomware – certain ransomware strains can be instructed to connect to the email accounts you are logged into when the infection happens to collect all your contacts and leak them to the cyber criminal controlled server (see the dreaded WannaCry strain that brought the entire world to tears or its successor, Bad Rabbit, still affecting organizations around the globe);
- Purchasing email databases on the dark web – cybercriminals like to go shopping too, and they can find and buy email addresses in bulk from other attackers who harvested them. Stolen card credentials go as low as $5-$8 with the CVV2 number included, but an email can cost even under $1! They’re even copying the IaaS or SaaS method with Phishing as a Service, simply subscribing to fresh batches of compromised emails every month;
- Compromising your browser – your browsers are one of the weakest spots in your system, so there are plenty of vulnerabilities in Chrome, Firefox and especially Internet Explorer that they can leverage to intercept the data you are providing to different websites (including your email address);
- Attacking your website domain contact points – if you’re a website owner, anyone can find out your email address by using the “whois” command or freely available databases;
- Guessing – certain attackers resort to guessing email addresses, which they verify by sending test messages – if no error is returned, then the email is valid and can be used in the next attack;
- Social engineering – cybercriminals may sometimes call you and pose as organizations you trust – they’ll also ask for your email address and maybe other information.
Who are the most vulnerable users?
Cybercrime relies heavily on psychological manipulation (also called social engineering) to achieve its damaging objectives. Attackers leverage technology and its vulnerabilities as well, but no attack can be deployed without “the human touch”.
Users’ curiosity, short attention span, tendency to multitask, but also their trust in certain organizations and lack of cybersecurity education are all psychological factors that cybercriminals use against potential victims.
This means that several user categories become even more vulnerable: the elderly, the young and users who are not experienced in matters of the web and lack even basic cybersecurity knowledge.
These users are not aware of what can happen if they click on a link or download an attachment from an email coming from an unknown sender. Sometimes, they can’t even identify an email as being spam or having potentially malicious content. Not to mention that they don’t even think of installing an antivirus or other cybersecurity software.
Because of this context, cyber attacks are often successful. Not only that, but they also feed the malware economy, providing more vulnerabilities, having their machines enlisted in botnets and more. We know you’re concerned about these insidious attacks, so we created a mega-guide to protect yourself against social engineering here.
What are the most common email spam types I should look out for?
There are several types of spam emails:
- spam emails that advertise products, such as miraculous weight loss pills or sexual enhancers;
- scams that try to trick you into paying money or give away personal information;
- phishing emails which attempt to harvest sensitive information from unsuspecting victims, such as usernames, passwords, and credit card details;
- blank spam – this is an empty email, sometimes without a subject line, used by cyber criminals to test the validity of the email address so they can then target that address with a malware-laden spam.
There are several notorious types of spam campaign which you may see in your inbox from time to time:
- the money laundering scam (Nigerian scam) – you get an email from someone claiming to be your relative, who needs your help to retrieve a large sum of money that is the result of an inheritance;
- the greeting card scam – you get an email claiming that a friend of yours has sent you an electronic greeting card which you can see by clicking a link;
- the make money fast scam – someone emails you about a sure-fire way to increase your revenue in just a few weeks;
- the travel scam – you receive an email with a holiday offer that seems too good to be true (it most likely is, of course);
- the post office/delivery service scam – your local post office or a delivery company informs you that you weren’t home when they tried to deliver a package and that you should click a link to get more details (please, don’t!);
- the bank phishing email – you get an email from your bank informing you that your account could be compromised if you don’t change your password and offers a link you can access to do so;
- the online dating scam – a dating website appears in your inbox, advertising the opportunity to meet singles in your area;
- the SEO spam – an email announces a Google algorithm update and offers professional help to handle the change;
- the scan/fax spam – an email claiming to deliver a scan of an important document or an important fax;
- the invoice spam – that pretends to be an invoice or a receipt for a product or service the user has purchased.
You can read about other potential dangers to avoid in this top of 11 online scams to stay away from.
How a spam email can trigger a cyber attack
The common attack pattern used by spam campaigns whose objective is to spread malware is the following:
Step 1: The unsuspecting victim opens the spam email.
There are two scenarios that can follow:
A. The user clicks a link in the email which redirects to a malware-infected website. That website drops a malicious payload (packet of data) onto the user’s system. The payload scans for vulnerabilities in software and finds a way to gain administrator privileges. The payload then communicates with the servers controlled by cyber criminals. There it gets the instructions to collect information, encrypt the data, remain dormant until a banking website is accessed, etc.
B. The user downloads the malicious attachment and opens it. The attachment includes a malicious payload that scans the system for vulnerabilities. The payload then connects to the server controlled by the attacker to get its command. Then the infection unfolds, according to its objective.
Don’t be fooled: as complicated a process as this may seem, it only takes a few seconds! And to think that it all starts with opening an email, a task we mindlessly perform on a daily basis, because it feels natural to us.
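The two delivery paths above (a link or an attachment) are what a mail filter inspects before the message ever reaches the user. The Python sketch below is an added example, not part of the original article: it triages one raw message for a Reply-To domain that differs from the sender, link text that shows one domain but points to another, and attachment types commonly used to carry payloads. The extension list, the function names and the sample message are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative assumption: a short, incomplete list of risky attachment types.
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".hta", ".jar", ".docm", ".xlsm")

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(value):
    """Lower-cased hostname of a URL or bare domain, '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""

def first_domain(header):
    """Domain of the first address in a From/Reply-To header, '' if absent."""
    return header.addresses[0].domain.lower() if header and header.addresses else ""

def triage(raw_message):
    """Return findings for one raw message: sender, link and attachment checks."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender, reply = first_domain(msg["From"]), first_domain(msg["Reply-To"])
    if reply and reply != sender:
        findings.append("reply-to domain differs from sender: " + reply)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append("risky attachment: " + name)
        elif not name and part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = host(text) if "." in text and " " not in text else ""
                if shown and shown != host(href):
                    findings.append("link text shows %s but points to %s" % (shown, host(href)))
    return findings

def build_sample():
    """Constructed sample: invoice-themed mail with a mismatched link and a macro document."""
    m = EmailMessage()
    m["From"], m["Reply-To"] = "Billing <billing@shop.example>", "billing@mailer.invalid"
    m["Subject"] = "Your invoice"
    m.set_content("See the attached invoice.")
    m.add_alternative('<p>Pay at <a href="http://pay.example.net/x">www.shop.example</a></p>', subtype="html")
    m.add_attachment(b"constructed bytes", maintype="application", subtype="octet-stream", filename="invoice.docm")
    return m.as_string()
```

Calling `triage(build_sample())` returns three findings, one per check; a plain-text message from a single sender returns an empty list.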
Kaspersky’s Spam and phishing in Q1 2017 report shows what the most common infections carried by spam emails are:
Source: Kaspersky Lab
Just in Q1 2017 (in such a small interval), just Kaspersky products (just one security specialist) blocked a whopping 51 million attempts to open a phishing page.
An eloquent example: Dridex in 2015
A few years ago, on October 13 2015, news about a huge takedown operation came to light: a bunch of command-and-control (C&C) servers used by the DRIDEX botnet were dismantled by the FBI and the National Crime Agency (NCA) in the UK.
That was excellent news for the cyber security community and for Internet users in general. Dridex was one of the most dangerous banking infostealers, used to defraud Internet users of sizeable amounts of money (we’re talking millions of dollars/euros here).
But cyber criminals have bounced back faster than expected. The Heimdal Security team has observed again that several massive spam campaigns have started to spread the Dridex malware.
Our intelligence indicated that traffic from the Dridex infrastructure continued to rise, in spite of the several attempts to disable the botnet made by several institutions. The botnet 220, which launched the campaigns, was especially active.
And this is just a few years ago. In May 2017 we saw possibly the worst ransomware attack in history:
Named by Europol a ransomware attack of “unprecedented level”, it affected hundreds of thousands of computers running Windows, in 99 countries. The National Health Service (NHS) in England and Scotland was one high-profile victim of WannaCry. Effects? About 40 of NHS’s medical organizations and practices were hit, interrupting critical services and affecting patients’ data.
Then, at the end of October 2017, Bad Rabbit created panic when it took down major organizations in Eastern European countries, from regular companies to transport behemoths.
How to protect yourself from spam and the malware infections it may carry
I know your inbox is probably already bombarded with spam. Let’s see what you can do to prevent a malware infection from making its way into your system via a junk email. We hope the tips below are enough to keep you safe. If you were still struck by an infection, we recommend you check out our malware removal guide.
These tips are also helpful to keep your inbox protected from future spam emails and also safe from cyber attacks that use this attack vector.
What to do:
- Only subscribe to newsletters and emails from entities you trust. Unsubscribe from emails that clog your inbox unnecessarily.
- Use an anti-spam solution. Also install email filters that can send any suspicious emails directly to the spam or trash folder.
- Choose a reliable email service provider. Big ones like Gmail and Outlook have incorporated spam filters that are pretty good at keeping you safe.
- Never open an email from the spam folder. If the sender looks familiar, email him/her directly and ask him/her to forward you the email in case it was legitimate.
- Install a reliable antivirus solution and keep it up to date. Enable real-time protection so it can scan for malware that might have made its way into your system.
- Use a security solution that can filter your Internet traffic to protect you from malicious websites, phishing attempts, and other dangerous web destinations.
- Always keep your software up to date. Close security holes and don’t leave room for vulnerabilities that cybercriminals can exploit.
- Don’t open emails or email attachments from unknown senders. If you really, really have to, check the email address and verify the validity of the domain by typing it into your browser’s address bar.
- Should you receive any strange and suspicious emails, simply delete them without opening them. If you open them, you will confirm to the cybercriminal that your email address is valid.
- Check the “sent” folder or outgoing mailbox to see if there are any outgoing messages that you didn’t send. If you do find some, it’s possible that your email address was hacked. You should disconnect from the Internet and run an in-depth antivirus scan. Also run anti-malware software and see if they find any infections.
- Set up a disposable email address you can use to sign up for online services or newsletters. That way, you can separate your main email address from one that could become a target for cybercriminals. It’s a very good idea to keep more than one email address. In case something happens with one of them, you can use others to retrieve your account.
- Create aliases for your email address. Here’s the simple explanation from Microsoft’s Outlook:
An alias is an additional email address for your Microsoft account. It uses the same inbox, contact list, and account settings as the primary alias. You can sign in to your account with any alias—they all use the same password. You can send email from an alias whether you’re using a mail app like Outlook.
An alias is also the best way to change your email, but keep all your mail. Add an alias, then make the new alias primary. Then you can keep or remove the original alias.
Having an alias provides the opportunity to sign up for services with your email address, but in a way that it looks different. This way you can set up filters in your inbox and don’t give out your real email address.
- View emails in plain text. Spam emails can contain dangerous elements, as shown before, but not only links or attachments. There can be hidden code in their HTML elements. The best way to avoid these dangers is to disable HTML and view them in plain text.
- Don’t post your email address in plain sight on websites. Cybercriminals use spambots that crawl websites to search for email addresses to harvest. You can display an image that spells your email address or write it in this form: Marry_Poppins[at sign]emailprovider[dot]com. You can also use contact forms to fulfill the same purpose.
- Report spam emails. If a spam or suspicious email reaches your inbox, mark it as spam. This way, mail service providers can flag it appropriately. Also, you can ask your Internet Service Provider to include malicious or spammy senders in their block lists.
Source: Kaspersky Lab
What NOT to do:
- Don’t give away your email address so easily. It may not feel like your online actions have an impact, but they do. And losing an email address or having it hacked can be a bigger pain than you can imagine.
- Don’t fall for scams. Teach yourself to remain alert and observant so you don’t fall for the scams mentioned previously. It can happen to the best of us, but we can avoid it if we carefully evaluate our online interactions. This can certainly become a habit and not a hassle.
- Never reply to suspicious emails. We know you’re fed up or bored, but it’s never a good idea to reply to spam emails.
Many think that cybercriminals employ tactics that a regular Internet user could never understand. In fact, it’s failing to cover cybersecurity basics that gets people in trouble.
If you have a friend or a relative that could use this article, forward it to him or her. It may save you both time, effort and energy. You can also subscribe to the Daily Security Tip, the very opposite of spam. It’s a piece of valuable cybersecurity information, straight in your inbox, every day.
Being ready and knowing how to handle a threat to your online safety are top skills. You need them for the future when everything is connected. And that’s just around the corner!
Written by Andra Zaharia and updated on 14 November 2017 by Ana Dascalescu.