“If you’re going to encounter malware in 2018, chances are it will happen through spam,” says Sean Sullivan, F-Secure Security Advisor.
The canned meat known as Spam should last on the shelf for two to five years, but digital spam has been around for more than four decades. Gary Thuerk believes he sent the first spam in 1978 when he mass mailed 400 users of ARPANET, an early iteration of today’s Internet, inviting them to a demo of a new computer. The term was then coined in 1994, in honor of how much Monty Python enjoyed repeating the word “Spam!”, when a law firm offering immigration services spammed more than 6,000 Usenet groups.
Spam has been one of the main infection vectors for decades.
“During the past few years, it’s gained more popularity against other vectors, as systems are getting more secure against software exploits and vulnerabilities,” says Päivi Tynninen, Threat Intelligence Researcher at F-Secure.
It is now once again the most popular choice for sending out malware, according to new research from F-Secure.
“Of the spam samples we’ve seen over spring of 2018, 46% are dating scams, 23% are emails with malicious attachments, and 31% contain links to malicious websites,” Päivi says.
F-Secure is continuing to see considerably less ransomware in 2018 than we found in 2017, a trend first described in “The Changing State of Ransomware” report released in May of this year. Most of the malicious attachments found in today’s spam contain infostealers, including remote access trojans and banking trojans.
“We’ve found that just five file types make up 85% of malicious attachments,” Päivi says. “They are .ZIP, .DOC, .XLS, .PDF, and .7Z.”
There are several reasons that spam is resurgent.
First of all, spam works.
“Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” says Adam Sheehan, Behavioral Science Lead at MWR InfoSecurity, the creators of phishd, a service that monitors and helps reduce businesses’ susceptibility to phishing and other data-related attacks. MWR was acquired by F-Secure in June of 2018.
It works because criminals are always getting better at “social engineering,” which employs knowledge of user psychology to improve the design of spam. Sheehan notes that there are simple tactics that noticeably improve click rates. Spam that seems to come from someone the recipient knows, spam with error-free subject lines, and spam that uses a call to action where urgency is implied but not emphasized are all more effective.
Second of all, other tactics have become less effective.
The demise of Adobe Flash as one of the most popular plugins on websites has shifted criminals away from exploit kits, which enabled the attack vector known as drive-by downloads. Sean predicted in 2016 that the move away from the Flash plugin would lead to the demise of exploit kits as a business model for criminals. People hoping to spread malware have to rely more and more on email spam.
“We’ve reduced criminals to spam, one of the least effective methods of infection,” Sean says. “Anti-malware is containing nearly all commoditized, bulk threats. And honestly, I don’t see anything coming over the horizon that could lead to another gold rush so criminals are stuck with spam.”
The more things change, the more they stay the same.
For more information about spam and how to avoid it, check out this infographic: