The sending of malicious emails has picked up after a quarterly lull, according to an analysis of email malware that has also marked a resurgence in business email compromise (BEC) attacks, the resurgence of the Dridex banking Trojan and exploit kits for ad-based malware, and an explosion in fake social-media support accounts.
The figures, contained in Proofpoint’s newly launched Q2 Threat Report, suggested that malware actors were doubling down on time-tested methods of attack. Ransomware, for one, comprised 68 percent of all malicious messages that were carrying malware while the sheer volume of malicious messages increased 250 percent over the previous quarter.
Volumes of attacks have regularly followed cyclical patterns, with declines earlier this year echoing similar drops in 2013, 2011, 2007, and other years.
Recent analyses had suggested the decline earlier this year had come as cybercriminals shifted their attention to launching fewer, more sophisticated attacks. But with those volumes increasing in the second quarter of the year, the period of introspection appears to be over and spammers are playing the volume game again.
Growing focus on BEC attacks – which increased 30 percent over the previous quarter – reinforced the need for companies to tighten their policies around fraud prevention. Failure to do so can have significant impact on a company’s brand – as can attacks that spoof a company domain, which were reported by 87 percent of organisations in the Proofpoint analysis.
A resurgence in the prevalence of the Dridex botnet – which was taken down two years ago but has re-emerged in different forms last year and this year – confirmed yet again that old favourites don’t necessarily die in the malware world: Banking Trojans made up 20 percent of message volume distributing malware, while messages distributing Dridex accounted for 76 percent of overall messages with banking Trojans.
Cybercriminals’ growing habit of exploiting legitimate brands – particularly seemingly-authoritative government sources that carry an implicit threat of penalties for ignoring them – has seen steady increases in ‘brandjacking’ campaigns where scammers exploit the identity of legitimate organisations to boost the perceived legitimacy of their emails.
Some attackers, for example, are using fake social-media support accounts – including purported support ‘bots’ including an alleged Facebook spambot – to trick users into giving up information about themselves.
MailGuard, for its part, has been tracking brand theft on an ongoing basis and recently reported on phishing campaigns purporting to be from numerous high-profile brands including the ANZ Bank. ASIC’s brand was recently exploited in two different malware scams that leveraged domains registered in China and Cyprus, while government services like Queensland’s Go Via and NSW Roads and Maritime Services.
MailGuard has also noted seasonal surges in fake delivery notices from Australia Post, FedEx and DHL; bills from the likes of AGL, Origin Energy and EnergyAustralia during winter months; and malware-carrying bills designed to emulate the formats of accounting packages such as MYOB, Xero or QuickBooks.
“The battle to distinguish legitimate emails from fake is becoming harder,” MailGuard CEO Craig McDonald said in a statement. “Nearly half the people who receive a scam or fraud email fall for it. This creates a huge problem for companies whose names are hijacked by cybercriminals to aid a deception.”
As well as the direct risk of malware infection, he added, the growing prevalence of phishing emails is having a damping effect on customers’ enthusiasm for online billing: many customers cite scams as a reason they won’t sign up for email bills, while protective action by network administrators often inadvertently blocks legitimate emails.
MailGuard’s analysis also identified a number of common attributes to the attacks – including a short shelf life, usually less than 24 hours, as companies identify new scams and blacklist related domains; an increasing reliance on dark-web phishing kits that can be quickly deployed using any domain name; and distribution of attacks to large bulk lists of email recipients that are often appropriated from previous attacks.