Story image

Caught in the wild: A look at email scams and spam

21 Aug 18

When we first opened our doors nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious. A lot has changed since then.

Today, cybercriminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defence is the human firewall.

The human what? In a world where organisations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at headquarters and everywhere else, the only thing between your company and a ransomware attack could be whether or not your users click or don’t click on a malicious link.

Every day cybercriminals come up with a wide variety of phishing tactics with the intent of scamming innocent users. In May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts – the same email content, potentially sent to hundreds or even thousands of people. In most of June, Barracuda blocked 1.7 million phishing emails with over 2,000 unique attempts.

Here are some of the real attempts sent by criminals:

1. Money scam

Criminals attempt to scam users out of money. In similar attempts, we’ve also seen criminals try to acquire information or infect a computer with malware.

Money scams like this are fairly common. They often promise a large sum of money to the user like this one. When the recipient replies, the criminals usually request a smaller sum from the user, and in return, promises to send a larger sum back — which of course never happens.

2. Information scam

Cybercriminals attempt to gather information from a user. In this case, a spoofed bank message tries to convince the user to act on their request.

The criminals did a decent job of making this message appear to actually come from a bank. However, if the user clicks on the link, they could be prompted to enter their credentials in a different window — ultimately surrendering their username and password.

3. Malware distribution

Another common problem users face from phishing is the distribution of malware. The goal is to trick a user into either opening an attachment or clicking on a URL.

In this example, criminals are trying to convince the user to open an attachment by acting as if the document is pertaining to an urgent matter. For the malware to work, criminals have to get the user to install the software on their computer. Malware can be distributed in many forms including viruses, worms, bots, ransomware, password stealers and more.

4. Multiple file extensions

Phishing attempts often require a user to open an attachment to install malware. However, there are a lot of different ways criminals attempt to convince users to do this. One way is that they’ll include attachments with multiple file extensions in an attempt to trick users into thinking that the file type is different than it actually is.  

Here the criminals are using a “PDF.zip” file extension, which should raise a red flag to the user because they’re two different file types. However, this could easily be looked past since they’re also file types that most people would find familiar.

5. Disguised links

Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny.

The link itself doesn’t look suspicious; however, the link actually points to an entirely different URL. Not only can links like this be used to spread malware, they can also direct users to sites set up by criminals to capture credentials or other personal information.

When unsure, don’t click on a link. You can also hover the cursor over the link without clicking, to identify the actual location of a link.

6. Spear phishing   

While phishing refers to mass targeting, spear phishing messages are specifically crafted to target a single, specific individual to create a sense of trust with that person. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message is coming from a real source.

Effective spear phishing takes a great deal of reconnaissance about the target to increase the probability of a user actually falling for an attack. Here’s an example where criminals actually took the time to register a deceptive domain that contains the name of an actual entity to appear legitimate.

They obviously want the message to appear like it’s coming from Netflix; however, if you look closely at the URL, you’ll notice that “Netfliix” is actually spelt incorrectly. This technique is called typosquatting, which is often used to sell the ruse when the attacker wants the user to click a link.

Take action 

All of these examples are just a small sample of the many variations of phishing scams criminals are sending out each day, but they certainly make the case for why today’s users need to be properly trained to stay safe online.

The best defence against phishing and spear phishing is to make users aware of the threats and techniques used by criminals. The best approach is to implement a simulation and training program to improve security awareness for your users, to help them recognise subtle clues to identify phishing attempts.

Article by Barracuda Networks senior sales engineer Mark Lukie.

52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
GirlBoss wins 2018 YES Emerging Alumni of the Year Award
The people have spoken – GirlBoss CEO and founder Alexia Hilbertidou has been crowned this year’s Young Enterprise Scheme (YES) Emerging Alumni of the Year.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
IDC: Standalone VR headset shipments grow 428.6% in 3Q18
The VR headset market returned to growth in 3Q18 after four consecutive quarters of decline and now makes up 97% of the combined market.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Preparing for the future of work – growing big ideas from small spaces
We’ve all seen it: our offices are changing from the traditional four walls - to no walls. A need to reduce real estate costs is a key driver, as is enabling a more diverse and agile workforce.
Bluetooth-enabled traps could spell the end for NZ's pests
A Wellington conservation tech company has come up with a way of using Bluetooth to help capture pests like rats and stoats.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."