The danger behind low-volume email attacks
“Broad campaigns often spoof notifications from well-known businesses, establishments, organizations, and agencies, and are very widespread these days. However, smaller volume campaigns sometimes can be as (or even more) dangerous by bypassing the victim’s defenses,” Websense researchers warned on Friday.
The maliciouus payloads these emails are carrying are often not initially detected by AV solutions, and as the volumes of these campaigns are small, and the contents of the emails are so similar to those of typical business emails (quotations, payments, orders, supply, etc.), network behavior detection, reputation evaluation and antispam rules often fail to recognize the emails as malicious spam.
The malicious attachments are more often than not Zeus variants, and they usually take the form of archive files (ZIP, RAR, etc.), and most often pose as scans of a document.
It’s hard to say what users can do to keep safe from these attacks. The emails are unsolicited but that is not at all unusual when someone wants to do business with a company.
The emails purportedly come from individuals from all over the world, so grammatical and language errors are not as suspect as if they were found in an formal / template email from a well-known company or service.
Checking the attached file with VirusTotal or their own AV solution can provide a false sense of security as at the beginning the files are not detected as carrying malware.
It seems that, in cases such as these, other, more complex solutions are required to keep safe – solutions that analyze and discover suspicious patterns in the content body, message attributes, embedded links, and more.