
The Good (But Mostly Still Bad) News About Spam and Phishing

Author: Dan Kaplan, online content manager, Trustwave

Bill Gates' bold prediction that spam would be a "thing of the past" is inching closer to coming true, some decade-and-a-half after he suggested unwanted email would be eradicated within two years.

The 2018 Trustwave Global Security Report found that the percentage of inbound email that is spam dropped last year to 39 percent, well off the high of 85 percent in 2008. This vast improvement in spam prevalence has come with a notable downside, however: The percentage of spam messages that contain malware remains well above normal, at 26 percent.

The days of your inbox being littered with messages hawking counterfeit watches and weight-loss supplements may be behind us, but that doesn't mean the spam trade has dried up. In fact, it has arguably grown more nefarious.

"The good news is that intended recipients don't see most of this spam because of multiple layers of filtering at the network edge and in client email programs and services," the report said. "The bad news is that, as it did many years ago, spam is again rivaling the web as a delivery mechanism for dangerous malware."

Trustwave researchers largely blame this high rate of malicious spam (also called "malspam") on the pesky and prolific Necurs botnet, a rapid-fire network of zombie computers capable of unloading spam leading to banking Trojans, ransomware and other malware from between 200,000 and 400,000 unique IP addresses daily.

Meanwhile, phishing made up 2.1 percent of spam types in 2017, but may have proved the most lethal of them all. Social engineering emails containing rogue links or attachments are a common way that hackers establish an initial foothold within a targeted environment, typically through credential theft (which sometimes starts with a malware infection).

According to the 2018 Trustwave Global Security Report, phishing facilitated 47 percent of all compromises in point-of-sale environments and 55 percent in corporate and internal network environments. Phishing (a topic that our SpiderLabs team has written about in earnest, including this terrific and detailed blog post) exploits the trust that people associate with specific brands. In some cases, the attackers base their templates on actual messages, just changing a few words and the underlying links.

Common Phishing Lures in 2017

Banks: Fake landing page that harvests online banking credentials.

Couriers: Fake parcel deliveries and receipts from shipping companies. Links lead to malware downloads, such as ransomware and banking Trojans.

Utilities: Fake bills from energy or telecom companies, with links leading to ransomware or banking Trojans.

Finance Software: Fake emails appearing to come from accounting providers, such as MYOB, QuickBooks, Xero and Intuit, leading to the Dridex banking Trojan.

Tax Returns: Fake messages from tax collection agencies leading to Java-based remote access Trojans.

Mail Quota: Fake notes warning that your mailbox is full with the goal of stealing credentials.

Amazon: Fake receipts that lead to a variety of landing pages, including ones seeking credentials and pushing junk products.

Apple: Fake receipts or password "resets" with the goal of harvesting credentials.

Best Practices to Dodge Malicious Spam and Phishing

You can't fall victim if you don't engage. These attacks, unlike exploit kits, require human interaction. As such, you should avoid opening any emails that appear suspicious - and if you do, avoid opening any downloaded files.

That admittedly isn't the easiest advice to heed when your inbox is getting hit with phishing that is targeted and personalized, including CEO fraud. But as a general rule, don't rush to click links even if they seem legit and sent by someone you know. If you did not expect them, check with your contact first to see if they intended to send it.

You should also refrain from opening zip files that come from unknown sources and avoid executing unknown file formats like JavaScript, from which malware is often distributed. In addition, the Global Security Report pointed out that PDF files are growing in prevalence as a phishing delivery method. Attackers trick victims into clicking on a link in the PDF to supposedly view content, but the link instead diverts users to an attacker-owned web page.
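As an added illustration of the attachment checks above (example code, not from this post or from Trustwave), the Python routine below triages a raw email for the three lures just described: script attachments, scripts hidden inside zip archives, and PDF links that point to hosts outside an allow-list. The message, the PDF bytes and the host names are constructed samples, and the extension list is an assumption.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed extension list; the post names JavaScript attachments specifically.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}

def ext_of(name: str) -> str:
    return "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""

def pdf_uris(data: bytes) -> list[str]:
    # /URI targets of an uncompressed PDF; enough for the constructed sample below.
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\((.*?)\)", data)]

def triage(raw: bytes, trusted_hosts: set[str]) -> list[str]:
    findings, msg = [], email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = ext_of(name)
        if ext in SCRIPT_EXTS:
            findings.append(f"{name}: script attachment")
        elif ext == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    risky = [n for n in zf.namelist() if ext_of(n) in SCRIPT_EXTS]
            except zipfile.BadZipFile:
                risky = ["<unreadable archive>"]
            findings += [f"{name}: archive contains script {n}" for n in risky]
        elif ext == ".pdf" or data.startswith(b"%PDF"):
            # A PDF link that points away from hosts you trust is the lure the post describes.
            for uri in pdf_uris(data):
                host = urlsplit(uri).hostname or ""
                if host not in trusted_hosts:
                    findings.append(f"{name}: PDF link to {host}")
    return findings

def build_sample() -> bytes:
    # Constructed courier-style lure: a PDF with an external link and a zip holding a .js file.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "noreply@courier.example", "user@corp.example", "Your parcel could not be delivered"
    msg.set_content("Please review the attached delivery receipt.")
    pdf = b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://track.attacker.example/view) >> endobj\n%%EOF\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="receipt.pdf")
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("invoice.js", "// placeholder text, not malware\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `triage(build_sample(), {"corp.example", "courier.example"})` reports the external PDF link and the script inside the archive, which is the point at which a mail gateway would quarantine the message rather than rely on the recipient.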

For businesses especially, you should deploy a secure web gateway, which leverages sophisticated logic to detect web-based attacks. Also, keep systems tested for and patched against vulnerabilities (as some attacks take advantage of known flaws) and continually educate your employees on how to identify phishing attacks, especially the ones that are so good, you just can't believe they are malicious.

Dan Kaplan is manager of online content at Trustwave.