Do You Know the Preferred Tool of Online Criminals?
It's been 45 years since the first spam email was sent, and it's still the favorite tool of crooks and criminals online. A report from security group F-Secure says that spam is the most common method used to distribute malware, phishing attacks, malicious URLs, and scams. Read on to learn the tell-tale indicators of malicious emails, and the true origin of spam...
Spam: Still Number One With Crooks
You've got software to protect your computer from viruses, spyware, ransomware, and rogue websites. You're careful to keep all your software up to date. Your identity theft spider sense tingles with every suspicious phone call. But then that innocent-looking email pops into your inbox. It appears to be from your friend, your bank, or your favorite online store.
I got one recently that said “A user has just logged into your Facebook account from a Samsung S10 device. We are sending you this email to verify that it is you. Thank you, Facebook Team.” It looks very much like the actual account warnings that Facebook does send out. The subject line says “Please respond immediately.”
So you click, and you've been had. Because of the sense of urgency created by this message, one might ignore the fact that it was sent from “ebxjwwptsoqwvbbqjivcqpoduuxdur.com.au” (clearly not Facebook HQ) and that there were 50-odd sketchy addresses in the Reply-to header.
Spam is still the most effective attack vector for hackers and online criminals, according to research from F-Secure. They reported that phishing, spam, and other email threats were the source of 51% of all attempted malware infections. Hopefully you were not in the 51% Club.
Cybercriminals capitalized on fear and confusion during the Covid-19 pandemic, and continue to use malicious email attachments containing infostealers – malware that steals passwords and other sensitive information. Facebook, Chase Bank, Microsoft, PayPal, and Bank of America were the most frequently spoofed brands. As usual, cybercriminals are taking their cue from water -- by traveling along the path of least resistance.
F-Secure says these phishing campaigns are effective because users are already accustomed to receiving notifications... failure of delivery emails, alerts for hitting storage limits, requests for reactivation, or package delivery notifications, and ‘update your password’ emails.
Keep in mind that spam and phishing can take the form of text messages as well as email. I wrote about bogus "account services" and package delivery scams in [SCAM ALERT] Smishing is Getting Worse (what you need to know and do).
As software vulnerabilities are closed and anti-malware suites grow more capable, spam becomes relatively more effective compared to hacking and exploitation of software vulnerabilities. Spam still is infinitely scalable, too; it costs nearly nothing to blast out millions of spam emails from a compromised machine, and spambot networks of thousands of slave machines are commonplace.
While success still depends on spewing out millions of spam emails to get a handful of “bites,” spammers are constantly refining their techniques and improving their batting averages.
Why Do People Click?
According to F-Secure, here are some clues as to what makes phishing spam successful:
- The probability of a recipient opening an email increases 12% if the email claims to come from a known individual
- Having a subject line free from errors improves spam’s success rate by 4.5%
- A phishing email that explicitly states in its call to action that it is very urgent gets less traction than when the urgency is implied
Most users have finally learned not to click on email attachments sent by strangers, or any attachment that comes unexpectedly. So more phishing emails include URLs instead; people are still conditioned to click on links to see where they go, especially if the link says “click on this link...”
The link often does not lead directly to a malicious site, but to an innocuous site that redirects traffic to a malicious site. That way, the bad guy avoids detection by automated analysis software that previews links and compares them to known malicious URLs.
Here are some of the most common phishing tactics:
- The Fake Tech Support scam: An email arrives with a warning that your computer has been compromised with malware, and directs you to click a Norton or McAfee link to scan your computer, or call a bogus Microsoft Tech Support phone number.
- The Suspicious Activity scam: An email claiming to be from your bank says there is suspicious or unusual activity on your account. It may ask you to respond with your username and password.
- The HR/IT scam: You get an email that appears to be from your employer's Human Resources or IT department. You may be directed to update employee information, or download an app.
- The UPS/Fedex/USPS scam: An email or text advises you that a package cannot be delivered due to incorrect shipping information. You are urgently advised to click a link or your package will be returned or discarded.
- The Amazon/Apple scam: A message informs you that you've ordered some expensive item from either Amazon or Apple, and asks you to login and confirm the purchase.
In every case, a careful examination of the sending address, or a phone call to verify the sender will reveal that it's unwise to continue. Never trust the phone number or email address provided in the message.
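The header checks described above (a sender domain that does not match the claimed brand, and a crowded Reply-To header like the fake Facebook alert's) can be automated. The following is an added example, not code from this article or from F-Secure; the brand allow-list, the Reply-To threshold, the sender's local part and the Reply-To addresses are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed allow-list: domains each brand legitimately sends from.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}
MAX_REPLY_TO = 3  # assumed threshold; genuine alerts rarely list more than one

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def in_domains(domain, allowed):
    # Exact match or a subdomain of an allowed domain.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def header_red_flags(raw):
    """Return a list of human-readable warnings for one raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    flags = []
    # 1. The display name claims a brand, but the sending domain is not that brand's.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domains(from_dom, allowed):
            flags.append(f"claims {brand} but sent from {from_dom}")
    # 2. An unusually long Reply-To list.
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if len(reply_to) > MAX_REPLY_TO:
        flags.append(f"{len(reply_to)} Reply-To addresses")
    # 3. Replies would be routed to domains other than the sender's.
    foreign = {domain_of(a) for a in reply_to} - {from_dom}
    if foreign:
        flags.append(f"replies go to {len(foreign)} other domain(s)")
    return flags

# Constructed sample modelled on the fake Facebook alert described earlier.
SAMPLE = (
    'From: "Facebook Team" <security@ebxjwwptsoqwvbbqjivcqpoduuxdur.com.au>\n'
    "Reply-To: " + ", ".join(f"user{i}@mail{i}.example" for i in range(50)) + "\n"
    "Subject: Please respond immediately.\n\n"
    "A user has just logged into your Facebook account.\n"
)
# Constructed sample of a message that passes all three checks.
LEGIT = 'From: "Facebook" <security@facebookmail.com>\nSubject: Login alert\n\nHi.\n'

if __name__ == "__main__":
    for flag in header_red_flags(SAMPLE):
        print("WARNING:", flag)
```

A message that passes these checks is not proven safe; the checks only catch the mismatches that this kind of spam tends to leave in plain sight.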
Another technique I've seen lately is a quick email asking "Sorry to bother you, do you order from Amazo n?" If you engage with this scammer, he or she will spin a tale of how they had a problem buying an Amazon gift card for a sick friend's birthday, and ask if you would kindly do so, with a promise that you'll be reimbursed. I can't imagine who would fall for that obvious scam, but apparently there really is a sucker born every minute.
A BIT OF HISTORY: I mentioned in the opening of this article that the first spam message was sent over 45 years ago. That happened in May 1978 when a marketing executive for Digital Equipment Corporation sent an unsolicited email to 397 ARPAnet addresses, with an invitation to a product demonstration. The term "spam" was not applied to unsolicited messages until April 1993, and according to Wikipedia, is thought to derive from a Monty Python comedy sketch "in which a group of Vikings sing SPAM, SPAM, SPAM... at increasing volumes." It was adopted to refer to "unsolicited commercial electronic mail sent to a large number of addresses, in what was seen as drowning out normal communication on the internet." So now you know.
F-Secure includes tips for security-conscious people in its security blog. Some recent topics include ransomware, stalkerware, and account takeover. F-Secure predicts that the use of phishing tactics as a lure, using office documents as an infection vector, and the use of cloud services to host malicious content, will likely continue.
The good news is that with education and software, we have eliminated or limited many malware attack options to spam. The bad news is that spam still works. My best advice: Think twice before you click.
This article was posted by Bob Rankin on 23 Oct 2023
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Do You Know the Preferred Tool of Online Criminals? (Posted: 23 Oct 2023)