Q3 2017 report: there's 2,200 percent more malicious email than last year

  • Liam Tung (CSO Online)
  • 27 October, 2017 03:57

The threat of automated exploit kits on websites has subsided, but cybercriminals are hammering inboxes across the globe.

Security firm Proofpoint reports that the volume of email with malicious links between July and September grew 600 percent compared to the prior quarter, and a whopping 2,200 percent on the corresponding quarter last year. 

One of the main forces spreading malicious links in email is a group the company calls Threat Actor 505 or TA505, which was behind the biggest malicious spam campaigns the firm has ever seen, distributing links that install the Dridex banking trojan, Locky ransomware, Jaff ransomware, and the Trick or Trickbot banking trojan. 

The group sent so many URL-based email attacks that it drove overall malicious email volumes up 85 percent in the quarter, despite a 74 percent decline in emails with malicious attachments.

Many of the emails with malicious attachments distributed RAR and 7-Zip archive files, often containing JavaScript or VBScript that downloads and installs Locky ransomware. Proofpoint notes that 64 percent of malware it detected in the quarter was ransomware, followed by banking trojans at 24 percent.

Other security firms observed a number of fake invoice campaigns in Q3 using well-known Australian brands, such as Telstra and energy firms, to target Australian computers. The emails contained links that downloaded Gozi, Trickbot, and Emotet malware.

According to Proofpoint, Trickbot accounted for 70 percent of all emails carrying banking trojans and most of that came from TA505. 

The company also saw steady growth in attempted email fraud or “business email compromise” (BEC) attacks, which were up 29 percent across its global customer base. 

The Australian Government-run Australian Cyber Security Centre noted in its annual report that in the 2016-17 period Australian businesses lost over $20m to BEC fraud. This was more than double the $8.6m in BEC losses reported in 2015-16, and most likely doesn’t capture the full value of losses due to under-reporting and misreporting.

The Australian Cybercrime Online Reporting Network (ACORN), which is run by the Australian Criminal Intelligence Commission (ACIC), collected its first full year of BEC fraud numbers in the 2015-16 financial year. There were 749 cases reported in the period. In the first quarter of 2016-17 there were 243 Australian BEC victims, according to an ACIC report on organised crime published in August 2017.

A common technique used to fool employees within a targeted organization is to spoof the domain or the company in order to boost the legitimacy of the email. Proofpoint notes that 89 percent of its customers experienced at least one domain spoofing attack in the quarter. 

It also notes that while in Q2 cybercriminals appeared to show a preference for larger firms, in Q3 firms of all sizes were targeted uniformly. Also, attackers that did target an organization typically spoofed the identity of more than one employee.
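The two lures the report describes, a sender domain spoofed or lookalike to the target company's own, and an archive attachment carrying a JavaScript or VBScript downloader, are the kind of thing a mail gateway can flag before delivery. The script below is an added example written for this article, not code from Proofpoint or CSO Online. It parses a constructed inbound message, checks the From and Reply-To domains against an assumed organisation domain (`example-corp.com`, a placeholder), requires a DMARC pass on any mail that claims that domain, flags near-miss lookalike domains by edit distance, and opens ZIP attachments in memory to look for script files. The message, the domains and the attachment name are all constructed for the demonstration.

```python
"""Inbound mail triage: sender-domain spoofing and script-in-archive checks (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed organisation domain and file types (hypothetical values, not from the report).
ORG_DOMAINS = {"example-corp.com"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(msg):
    """Findings about the From / Reply-To headers."""
    findings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    auth = (msg.get("Authentication-Results") or "").lower()

    if from_domain in ORG_DOMAINS:
        # Header From claims our own domain: accept only if the gateway recorded a DMARC pass.
        if "dmarc=pass" not in auth:
            findings.append("internal-domain-without-dmarc-pass")
    else:
        for org in ORG_DOMAINS:
            if 0 < edit_distance(from_domain, org) <= 2:
                findings.append(f"lookalike-domain:{from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    return findings


def check_attachments(msg):
    """Findings about script files attached directly or inside a ZIP archive."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script-attachment:{name}")
        elif ext == ".zip":
            # Only ZIP is inspected here; RAR and 7-Zip need third-party libraries.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    for inner in zf.namelist():
                        if PurePosixPath(inner.lower()).suffix in SCRIPT_EXTENSIONS:
                            findings.append(f"script-in-archive:{name}/{inner}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable-archive:{name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"uninspected-archive:{name}")
    return findings


def triage(raw):
    """Parse a raw RFC 5322 message and return all findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender(msg) + check_attachments(msg)


def build_sample():
    """Constructed fake-invoice lure: lookalike From domain, mismatched Reply-To, ZIP holding a .js."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <invoices@examp1e-corp.com>"
    msg["Reply-To"] = "invoices@mail-example.invalid"
    msg["To"] = "finance@example-corp.com"
    msg["Subject"] = "Invoice 10427 overdue"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_10427.js", "// constructed placeholder, not a real script\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_10427.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run stand-alone it prints three findings for the constructed message: the lookalike domain, the Reply-To mismatch and the script inside the archive. The DMARC check is the important one for exact-domain spoofing: a gateway can only trust a From header carrying the organisation's own domain when its own Authentication-Results header records a pass, which is why the check treats absence of that header as a finding rather than as neutral.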