Contributor: Satnam Narang
Attackers behind malicious spam campaigns have shifted their tactics in recent months and are increasingly attempting to infect victims by luring them into clicking on links rather than sending them malicious attachments.
Since late November, Symantec Security Response has seen a spike in the number of malicious emails using this tactic. Over the last six months, there were relatively few spam emails containing URLs. For example, in October, only seven percent of malicious spam emails contained links. That number jumped to 41 percent in November and has continued to climb in early December.
Many malicious emails still arrive with an attachment, but organizations can block and filter those messages. Symantec believes that the Cutwail botnet (Trojan.Pandex), along with other botnets, is behind some of the recent spam messages and that attackers have turned to links in a bid to evade email security products that scan for malicious attachments.
Surge in malicious spam emails
Over the last few weeks, spammers have been pummeling mail servers with social engineering-themed messages, including malicious fax and voicemail notification emails. These emails contain information that is typically included in legitimate fax and voicemail messages, such as a caller ID or confirmation number, but the information itself is fake.
The common thread across these emails is that they all contain links. These links use hijacked domains and have a URL path that leads to a PHP landing page. If the user clicks on a link, they are led to a malicious file. In particular, we have seen Downloader.Ponik and Downloader.Upatre being used in these emails. Both are well-known Trojans used for downloading additional malware onto compromised computers, including information stealers like Trojan.Zbot (also known as Zeus).
Figure 1. Fake fax email
Figure 2. Fake voicemail email
So far, we have seen the following subject lines used:
- MyFax message from *unknown* – 3 pages
- Fax Message
- Fax Message #[RANDOM NUMBER]
- Voice Message #[RANDOM NUMBER]
- Fax.Com:Message Nr.[RANDOM NUMBER]
Earlier in November we witnessed a similar campaign based around fake telecoms bills written in German. These emails reported that the receiver had recently run up a large mobile phone bill. The goal was to get the receiver to click on the link to find out more about what appeared to be a billing mistake.
We saw the following subject lines related to this campaign:
- Ihre Mobilfunk-Rechnung vom 13.11.2014 im Anhang als PDF
- RechnungOnline Monat November 2014 (Buchungskonto:[RANDOM NUMBER])
- RechnungOnline Monat
- Ihre Festnetz-Rechnung
Figure 3. German email spam campaign
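As an added illustration (not code from this post or from Symantec's products), the following Python triage rule turns the subject lines listed above for both the fax/voicemail and the German billing campaigns, together with the PHP landing-page link shape described earlier, into a scoring check run over constructed sample messages; the exact regex spacing, the placeholder domain and the scoring thresholds are assumptions.

```python
import re
from email import message_from_string
from typing import Dict, List
from urllib.parse import urlparse

# Subject-line patterns built from the subject lines listed in this post;
# "[RANDOM NUMBER]" becomes a digit run. Spacing and dash are assumptions.
SUBJECT_PATTERNS = [
    r"^MyFax message from \*unknown\* [\u2013-] \d+ pages?$",
    r"^Fax Message(?: #\d+)?$",
    r"^Voice Message #\d+$",
    r"^Fax\.Com:Message Nr\.\d+$",
    r"^Ihre Mobilfunk-Rechnung vom \d{2}\.\d{2}\.\d{4} im Anhang als PDF$",
    r"^RechnungOnline Monat(?: \w+ \d{4} \(Buchungskonto:\d+\))?$",
    r"^Ihre Festnetz-Rechnung$",
]
SUBJECT_RE = re.compile("|".join(SUBJECT_PATTERNS), re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def suspicious_links(body: str) -> List[str]:
    """URLs whose path ends in .php, the landing-page shape described in the post."""
    return [u for u in URL_RE.findall(body)
            if urlparse(u).path.lower().endswith(".php")]

def classify(raw_email: str) -> Dict[str, object]:
    """Constructed scoring rule (not Symantec's detection): subject theme plus
    PHP link -> high, one of the two -> medium, neither -> clean."""
    msg = message_from_string(raw_email)
    subject = (msg.get("Subject") or "").strip()
    body = str(msg.get_payload())  # assumes a single-part text/plain body
    subject_hit = SUBJECT_RE.match(subject) is not None
    links = suspicious_links(body)
    verdict = {2: "high", 1: "medium", 0: "clean"}[int(subject_hit) + int(bool(links))]
    return {"subject_match": subject_hit, "php_links": links, "verdict": verdict}

# Constructed sample messages; the domain is a placeholder, not a real indicator.
SAMPLE_FAX = (
    "From: fax@hijacked-domain.example\n"
    "Subject: Fax Message #4417\n"
    "\n"
    "You have received a new fax. Caller ID: 555-0100, 2 pages.\n"
    "View the document: http://hijacked-domain.example/blog/view.php?id=4417\n"
)
SAMPLE_CLEAN = (
    "Subject: Team lunch on Friday\n"
    "\n"
    "Menu is here: https://corp.example/events/lunch\n"
)
```

A real deployment would feed the rule from the mail gateway's logs and tune the patterns against observed samples rather than the literal strings above.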
Always a cat and mouse game
This recent shift away from malicious attachments towards malicious links is a reminder that security is a game of cat and mouse. Spammers try to gain the upper hand while mail security products implement detections against these shifts.
Symantec advises users to be on their guard and to adhere to the following security best practices:
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails
- Avoid clicking on links in unsolicited, unexpected, or suspicious emails
- Avoid opening attachments in unsolicited, unexpected, or suspicious emails
- Keep security software up-to-date
Symantec and Norton protection
Intrusion Prevention System:
Symantec.cloud customers are protected by Skeptic and antispam heuristics.
For further monthly statistics on the threat landscape, you can also check out our Symantec Intelligence Report.