Category Archives: Spam

Explorations in the spam folder

Everyone has a spam folder. It’s often disregarded as a dark, bottomless pit for fake emails from FedEx, pharmacy offers, and introductory emails from women far too amorous to be anything but fantastical. You’d be right to largely ignore this folder.

Yet each day new emails end up in it. Most of us have learned to leave it well enough alone. Still, few would admit to having no curiosity as to what’s in there. To satisfy this curiosity, we’ve dug into spam folders to explore the current types of messages being sent and find out what happens if you click the links and open the attachments. In essence, we’re opening these spam messages so you don’t have to.

Do not try this at home

This exploration is meant to inform, showcasing some of the scams and threats currently out there. However, in all of the spam messages we’ve examined, the links were clicked and attachments opened within a secure, sandbox environment.

In this case we used Cisco Threat Grid, which is an advanced sandboxing tool that can analyze threats against millions of other samples to fully understand its behaviors in a historical and global context, and then provide context-rich analytics and threat intelligence. We’ve also coupled this with Cisco Umbrella Investigate, which provides an excellent view of the relationships and history of particular internet domains and IP.

While most of the spam we looked at was prosaic, many were not. It’s mostly the latter that we’re showcasing here. Opening these emails on your own computer or device is very risky and can end up compromising it. In short, do not try this at home.

Snake oil sales

Let’s start off with the more mundane spam emails—the ones that more often than not simply attempt to part a fool from their money.

If there were a unified theory of spam it would be that it plays to both our aspirations and our insecurities: get in shape, lose weight, get a great night’s sleep, get the girl/guy, protect your family, improve your credit score, etc. There’s a wide variety of these emails that play to these desires—far too many to cover in any detail. Consider these as a smattering of what’s currently out in the spam landscape.

In this type of spam messages, many of the message bodies share similar characteristics. This points to the use of email spam kits that leverage templates for crafting emails. These kits go far beyond the email bodies too, allowing all sorts of customization. For instance, some of the examples above were marked as “high importance” and flagged for follow-up before they even hit the spam folder.

Text only spam

Sometimes saying nothing is more effective than saying anything at all. That’s certainly the case with spam, as bare-bones spam messages are very popular. For instance, some emails just put the recipient’s name in the body, along with a link. The link leads to a get-rich-quick scheme in the guise of a fake news report about a Bitcoin investment platform. A “Try Now” link on the page leads to a second site that gives the user an option to register.

Spam promising romance or intimate encounters with strangers is also very common. Many are clearly advertisements, while others are attempts to begin a rapport before asking the victim for money. In this case, the site that you are directed to depends on the country you’re visiting it from. In general, these links guide users to lesser-known dating and meet-up sites, where it’s likely the scammers are generating ad revenue through click-through programs.

Social networking spam

Likes, comments, and profile views are the lifeblood of social networking, and the networks often entice users to return to their sites by sending emails on the user’s profile activity. In this particular example, the scammers have lifted the look of a LinkedIn email notifying the user that their profile had appeared in searches. If any of the links in the email are clicked, the page that loads isn’t LinkedIn. Instead, the user is notified that they are the “5-billionth search.” As a result, they can claim prizes ranging from gift cards to hardware devices. However, before receiving their prize, the user is required to fill out a survey and provide some personal details. More than likely the gift card never materializes.

Are they safe?

In each of the examples shown so far, there were indications that some sort of suspicious activity could be taking place. However, there was no smoking gun. Some sites and IP addresses appeared to have participated in past phishing campaigns or other malicious activity. So while these scams may not be performing malicious activity today, there’s nothing to say they won’t be tomorrow.

So now that we’ve covered the suspicious, let’s move on to the obviously malicious.

Log in to view

In the following example, the email appears to hint at an upcoming disbursement. While the details are sparse, the idea of unexpected money could lead a curious individual to click. After all, the email simultaneously warns the user that the email is from outside their organization and that it comes from a “trusted sender,” hoping that the recipient will let their guard down.

While it looks like the document is attached, the email only contains an image of an attachment. Clicking it does take the recipient to an actual Word doc, hosted on a SharePoint subdomain.

This document contains a link to what appears to be another document. Clicking that link opens another window containing what looks like an Office 365 login page:

Clicking the first link will take the user to another page that requests the user use their Office login details:

When they click the “Sign in” button, the user is redirected to a legitimate Office 365 page that presents an error message:

However, login details entered into the previous page have been logged on the malicious site, successfully stealing them from the user.

This type of spam isn’t exclusive to Office 365. There are plenty of instances where the bad actors go after other valuable login details, such as those from other webmail accounts, subscription services, or social media accounts.

Package delivery spam

This popular type of spam has proven to be effective enough that it’s used for a variety of objectives. The shipping companies impersonated vary widely and the spam emails are often modeled directly after email notifications you would receive from the actual company.

In other cases, the emails are a little more toned down, arriving as plaintext and including attachments rather than links.

The attached document, if opened, doesn’t show the user the promised contact form. In fact, it doesn’t appear to do anything at all. However, behind the scenes the attachment has compromised the computer with a trojan called “Hawkeye.” This threat is an infostealer that is often used to extract passwords from email and web browser applications, as well as log keystrokes, harvest stored credentials, screenshots, and network activity.

The worst of the worst

The bad actors behind Emotet are one of the largest malicious spam email peddlers these days. We’ve discussed this threat our Defending against today’s critical threats report, and Talos Intelligence has published multiple blogs on the threat. The folks behind Emotet have a few tricks up their sleeves when it comes to email distribution. Their spam campaigns often leverage news headlines and regularly utilize package delivery spam as described above.

Emotet also often pulls a trick that’s less likely to end up in your spam folder with ordinary email filters applied. These emails often arrive as replies to email conversations you may already be having with someone you know, usually an acquaintance, a co-worker, or an associate in another organization you do business with.

The attachments in these cases, if opened, generally download a copy of Emotet, effectively compromising the system.

How to protect yourself

The simplest way to protect yourself from spam emails such as these is to simply leave them in your spam folder. However, not all spam filtering applications are created equal and sometimes such messages can end up in your inbox—in particular some of the latter examples showcased here. The best thing you can do to identify spam is check for anomalies in the email messages you receive:

  • Multiple spelling and grammar errors in emails that appear to come from legitimate organizations should raise a red flag.
  • Move your mouse over URLs without clicking them. If the URL that appears at the bottom of the browser window looks at all suspicious, don’t click it.
  • Check the From: address. Does the name align with the email address? If not, disregard it.

Beyond the user-based aspects of identifying spam, a layered approach to security is critical in defending an organization from such threats.

Spam filtering software for email is critical. Deploying a robust email threat defense like Cisco Email Security that utilizes URL blocking capabilities and Advanced Phishing Protection’s machine learning to understand and authenticate email identities and behavioral relationships filter out spam emails and prevent attacks.

Endpoint protection software can also assist in detecting and quarantining malicious attachments. Cisco AMP for Email Security defends your business against such threats. Not only that, but AMP analyzes emails for threats such as zero-day exploits hidden in malicious attachments. It gives you advanced protection against spear phishing, ransomware, and other sophisticated attacks.

Tools for dynamically sandboxing threats, such as Cisco Threat Grid, can be used to analyze threats in a safe environment. Even better, integrate sandboxing so that it happens automatically in the background for new files and URLs arriving in email to quickly understand if they are malicious.

Finally, solutions such as Cisco Umbrella can not only block access to malicious sites, stopping many threats in their tracks, but additional tools like Umbrella Investigate provide further threat intelligence around a URL, domain, or IP address to better understand the sites your organization comes in contact with.

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published. 

The post Explorations in the spam folder appeared first on Cisco Blogs.

High-risk vulnerabilities and public cloud-based attacks on the rise

A sharp increase (57%) in high-risk vulnerabilities drove the threat index score up 8% from December 2019 to January 2020, according to the Imperva Cyber Threat Index. Following the release of Oracle’s Critical Patch Update – which included 19 MySQL vulnerabilities—there was an unusual increase in the vulnerabilities risk component within the Index. Specifically, there was a 57% increase in vulnerabilities that can be accessed remotely with no authentication required, have a public exploit available, … More

The post High-risk vulnerabilities and public cloud-based attacks on the rise appeared first on Help Net Security.

Top Email Security Threats of 2020 – How To Stop Them

As hackers’ methods become more sophisticated, the scale of email security breaches and the frequency at which they occur grow greater with each passing year. In 2019 alone, an estimated 2 billion unique email addresses, accompanied by over 21 million unique passwords, were exposed within a single data breach. After the initial panic, it became […]… Read More

The post Top Email Security Threats of 2020 – How To Stop Them appeared first on The State of Security.

Spam Campaign Leveraged RTF Documents to Spread Infostealers

A spam campaign leveraged malicious RTF documents to distribute notorious infostealers including Agent Tesla and Lokibot. While digging through a few other spam campaigns, Lastline observed unusual use of the C# compiler from the command line in some samples. Its researchers performed additional analysis and found that the samples belonged to the same malicious spam […]… Read More

The post Spam Campaign Leveraged RTF Documents to Spread Infostealers appeared first on The State of Security.

A sloppy click can exfiltrate your important data!

Phishing email still remains one of the top malware propagation medium. Recently, we came across an interesting phishing email containing couple of Jumpshare links pointing to malicious components. Jumpshare is an online file sharing service and often cyber criminals abuse these kind of file sharing services. Upon clicking on one of the links in…

Ako Ransomware targeting businesses using RaaS

Ako Ransomware targeting businesses using RaaS Quick Heal security researchers recently observed ransomware that uses RaaS (Ransomware as a Service) which is a subpart of MaaS (Malware as a Service). Before delving into the AKO ransomware or RaaS, one must understand what Malware as a Service means, as it is…

Smashing Security #162: Robocalls, health hacks, and facial recognition fears

A hospital gets hacked because of an ex-employee’s grudge, robocalls are on the rise, and we share a scary story about the future of facial recognition.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Michael Hucks.

Sextortion scam leverages Nest video footage to fool victims into believing they are being spied upon everywhere

A bizarre sextortion scam is attempting to trick victims that not only has their smartphone been hacked to spy upon their private lives, but also every other device they have encountered which contains a built-in camera.

Read more in my article on the Hot for Security blog.

Ako Ransomware Using Spam Attachments to Target Networks

Security researchers observed that Ako ransomware is using malicious spam attachments to go after organizations’ networks. On January 14, AppRiver Senior Cybersecurity Analyst David Pickett contacted Bleeping Computer and told the computer self-help site that his company had observed Ako being distributed via spam email. Using subject lines such as “Agreement 2020 #1775505,” the attack […]… Read More

The post Ako Ransomware Using Spam Attachments to Target Networks appeared first on The State of Security.