As noted in our 2017 cyber security report, exploit kits are dying – but social engineering is hanging around. And in part, that means spam.
Exploit kits, which lurk on compromised or malicious websites to exploit vulnerabilities in visitors’ browsers and systems, used to dominate as a vector for malware infections. Their use has declined as software vulnerabilities get patched more promptly and as zero-day vulnerabilities become rarer than ever.
Enter spam email, which has re-emerged as a popular attack vector for spreading malware, frauds and scams. And one trick spammers use to fool recipients is posing as a legitimate company.
“When it comes to spam, social engineering is simpler than in the past,” says Sean Sullivan, Security Advisor at F-Secure. “E-commerce is now so common it only takes a simple ‘Your order cannot be delivered,’ nothing else is needed. The amount of spam pushed practically guarantees that numerous recipients will actually be waiting for a delivery. And that serendipity is what short-circuits any amount of awareness training.”
I love the word “serendipity” to describe the coincidence of receiving a spam email that just happens to fit one’s circumstances in life. A colleague recently confided to me that he’d clicked on an email supposedly from a parking service company about a parking ticket, only to realize it was a fraud. Although he’s aware of the dangers of phishing and spam emails, he happened to have received a parking ticket the week before, so he dropped his guard. Serendipity.
F-Secure Labs is sharing a list of the top companies spammers like to spoof. Populated by giants like Apple, Amazon and Microsoft, the list underscores that the bigger the organization, the more attractive it is to use its brand name as bait in spam. If not tech giants, popular-to-spoof companies fall into certain industries such as online dating (Match.com) and financial (PayPal). Delivery services like USPS and FedEx are high on the list, using package delivery as bait.
“There are so many people that have relationships with these companies, it makes these the most successful ones to imitate in spam,” says Sullivan.
Email spoofs may push ransomware as an attachment, or other types of malware such as banking trojans or keyloggers. They may purport to sell legitimate products but actually be aiming to gather up credit card details or other personal information. They may be phishing emails engineered to steal account credentials.
Sullivan says we don’t see spam slowing down as an attack vector, so he offers these tips to IT admins to prevent infections via spam:
- Do your users really need to be able to receive zip files? With cloud services, users can link to large documents securely. Consider blocking zip files at the gateway or using a group policy to make it an unsafe file type.
- Change the file association for JScript (.js) files so that opening one no longer hands it to a host that will actually execute it on the user’s machine.
- Disable macros in Office files received via email.
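The first two tips are about not letting archives and script files reach a user in a form that will run. As an added example (not code from F-Secure or from this post), the following Python attachment check shows what a mail gateway rule implementing those tips can look like: it parses an incoming message, classifies each attachment by extension and by content (zip magic bytes, scripts hidden inside an archive, a `vbaProject.bin` part inside an Office document), and returns the policy reasons for quarantining it. The extension lists, reason names and the sample messages are constructed for the example and are not taken from the post.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Policy lists (assumed for this example; tune them to your environment).
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
OFFICE_EXTS = {".docx", ".xlsx", ".pptx"} | MACRO_EXTS
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every zip/OOXML file


def extension_of(name):
    """Lower-cased final extension of a filename, or '' if it has none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name or "")
    return m.group(1).lower() if m else ""


def _zip_entries(data):
    """Entry names of a zip payload, or None if the bytes are not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Return the list of policy reasons to block this attachment (empty means allowed)."""
    reasons = []
    ext = extension_of(filename)
    if ext in SCRIPT_EXTS:
        reasons.append("script")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled-office")
    if data.startswith(ZIP_MAGIC):
        names = _zip_entries(data)
        if names is None:
            reasons.append("corrupt-archive")
        else:
            # OOXML documents are zips; a vbaProject.bin part means VBA is present
            # whatever the file is called.
            if any(n.endswith("vbaProject.bin") for n in names):
                reasons.append("vba-project")
            if ext not in OFFICE_EXTS:
                reasons.append("archive")
                for n in names:  # a script inside a zip is still a script
                    if extension_of(n) in SCRIPT_EXTS:
                        reasons.append("script-in-archive:" + n)
    elif ext in ARCHIVE_EXTS:
        reasons.append("archive")  # .rar/.7z, or a .zip whose content is not a zip
    return reasons


def scan_message(raw_bytes):
    """Map each attachment filename of a raw RFC 5322 message to its block reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {
        part.get_filename() or "<unnamed>": classify_attachment(
            part.get_filename(), part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    }


def should_quarantine(raw_bytes):
    """True if any attachment trips the policy."""
    return any(scan_message(raw_bytes).values())


def _mail_with(subject, body, payload, subtype, filename):
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_messages():
    """Constructed sample mails (not real spam) used to demonstrate the policy."""
    # 1. Delivery lure carrying a zip that holds a (placeholder) JScript file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.js", "// placeholder")
    # 2. Invoice lure carrying a macro-enabled Word document with a VBA project part.
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder")
    return {
        "zip_with_script": _mail_with("Your order cannot be delivered",
                                      "See the attached notice.", buf.getvalue(),
                                      "zip", "Delivery_Notice.zip"),
        "macro_doc": _mail_with("Invoice attached", "See the attached invoice.",
                                doc.getvalue(), "vnd.ms-word.document.macroEnabled.12",
                                "Invoice.docm"),
        "benign_pdf": _mail_with("Your receipt", "Thanks for your order.",
                                 b"%PDF-1.4 placeholder", "pdf", "Receipt.pdf"),
    }


if __name__ == "__main__":
    for name, raw in build_sample_messages().items():
        print(name, "quarantine" if should_quarantine(raw) else "deliver", scan_message(raw))
```

The content checks matter more than the extension lists: a zip renamed to something else still starts with `PK\x03\x04`, and a document with a `vbaProject.bin` part still carries VBA whatever it is called, so the policy keys on what the bytes are rather than only on what the filename claims.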