It used to be that malicious attachments came in emails with erotic photos of girls who “want to meet you”, or “scandalous photos” of celebrities. Now, cybercriminals are disguising their messages to make them look like official notifications or business correspondence.
In particular, spammers now like to send out fake notifications for postal services such as UPS, FedEx, and DHL stating that they were unable to deliver a package and that the recipient needs to pick it up from the office immediately, or that the recipient’s address was filled out incorrectly.
The messages include a ZIP archive that allegedly contains the forms needed to collect the package. In fact, the attachments contain various types of malicious programs.
“These changes to how malicious emails are sent are linked to the fact that most users do not expect to find malware in business emails,” explains Maria Namestnikova, Senior Spam Analyst at Kaspersky Lab. “Erotic photos of girls ‘waiting to meet you’ can be found all over the Internet, while a company’s internal documents are more likely to pique an Internet user’s interest.” After all, how many people are going to sleep soundly after they delete an email that appears to have come from the police asking the recipient to print out details of a driving offence and send it to a municipal court?
Several new tricks for spreading malicious code were registered in August, although they were all based on the same idea: the more mysterious an email is, and the less text there is, the greater the chances of arousing the recipient’s curiosity. Kaspersky Lab identified three different kinds of spam using this technique:
- The first group contained the word “Changelog” and the date in the subject line. The body of the email only had a couple of words, such as “As promised” or “See attachments”;
- The second group had a subject line that read either “End of July Statement required” or “End of July Statement”. The body of the email explained that, as requested, the sender would be transferring unsettled accounts for a particular date that was usually specified;
- The third group featured the subject line “Internal accounts from ATFT Corporation” and contained a message stating that internal 2010 accounts were in the attachments, and expressed gratitude for the support in “setting up this process”.
Predictably, the vast majority of attachments in these messages contained malicious programs.
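The three groups above share a profile a mail filter can check: a known subject pattern, very little body text and a ZIP attachment. The following triage sketch is an added example, not Kaspersky Lab's detection logic; the word-count cut-off, the loose date match in the "Changelog" pattern and all sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Subject patterns for the three groups described above. The date format in
# the "Changelog" subjects is not given on the page, so any digit is accepted.
SUBJECT_PATTERNS = {
    "changelog": re.compile(r"\bchangelog\b.*\d", re.I),
    "july_statement": re.compile(r"\bend of july statement\b", re.I),
    "atft_accounts": re.compile(r"\binternal accounts from atft corporation\b", re.I),
}
MAX_BODY_WORDS = 40  # assumed cut-off for "very little text"
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive

def has_zip_attachment(msg):
    """True if any attachment is a ZIP by name or by leading magic bytes."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") or data[:4] in ZIP_MAGIC:
            return True
    return False

def triage(msg):
    """Return the matching campaign name, or None if the message does not fit."""
    body = msg.get_body(preferencelist=("plain",))
    words = len(body.get_content().split()) if body else 0
    if words > MAX_BODY_WORDS or not has_zip_attachment(msg):
        return None
    subject = msg.get("Subject", "")
    for name, pattern in SUBJECT_PATTERNS.items():
        if pattern.search(subject):
            return name
    return None

def build(subject, body, filename=None, payload=b""):
    """Construct a sample message (test data, not a captured email)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18  # valid empty archive, harmless
SAMPLES = [
    build("Changelog 08.15.2011", "As promised", "changelog.zip", EMPTY_ZIP),
    build("End of July Statement required", "As requested, accounts attached.", "statement.dat", EMPTY_ZIP),
    build("Internal accounts from ATFT Corporation", "Thanks for setting up this process.", "accounts.zip", EMPTY_ZIP),
    build("Changelog 2.4.1", "Release notes are on the wiki."),  # no attachment
    build("End of July Statement", "Invoice attached.", "inv.pdf", b"%PDF-1.4"),
]
```

The second sample is caught by its magic bytes even though the attachment is not named `.zip`; the last two fall through because they lack a ZIP attachment.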
In August, malicious files were found in 5.9% of all emails – a rise of 1.2% compared to July. This figure has grown by a third over the past two months. This is typical for the summer months, as spammers usually have fewer orders from their clients during the holiday season, and switch gears over to mailings with affiliate programs that are more lucrative.
Country ratings based on the number of email antivirus detections show that users are faced with malicious emails most commonly in the US (10.1%), followed by Russia (8.96%), the UK (7.36%), Germany (5.45%) and India (5.1%).
Meanwhile, the percentage of phishing emails in total mail traffic compared to July increased very slightly and stood at 0.03%. The leading four organisations targeted by phishers – PayPal, eBay, Habbo and Facebook – remained unchanged from the previous month.
Also of note is the drop in phisher interest in online games: RuneScape, which was the number six target in July, dropped two places, and WoW, which was at the tail end of last month’s rating, was not even among the Top 10 targets in August, even though its respective percentage of attacks did not change. The US tax agency, the IRS, can be expected to make an appearance among the top phishing targets in the coming months as the deadline for US tax returns approaches.
It should be remembered that spam is, first and foremost, a threat that needs to be counteracted, which is why spam that promotes something should not be perceived merely as an advertisement.
Even the most harmless-looking email can contain malicious script, and spammers have no problems making money from advertising or from users who unwittingly install malicious code.