
Caught in the wild: A look at email scams and spam

21 Aug 2018

When we first opened our doors nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious. A lot has changed since then.

Today, cybercriminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defence is the human firewall.

The human what? In a world where organisations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at headquarters and everywhere else, the only thing between your company and a ransomware attack could be whether or not your users click on a malicious link.

Every day cybercriminals come up with a wide variety of phishing tactics with the intent of scamming innocent users. In May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts – the same email content, potentially sent to hundreds or even thousands of people. In most of June, Barracuda blocked 1.7 million phishing emails with over 2,000 unique attempts.

Here are some of the real attempts sent by criminals:

1. Money scam

Criminals attempt to scam users out of money. In similar attempts, we’ve also seen criminals try to acquire information or infect a computer with malware.

Money scams like this are fairly common: like this one, they often promise the user a large sum of money. When the recipient replies, the criminals usually request a smaller sum up front and promise to send the larger sum in return — which of course never happens.

2. Information scam

Cybercriminals attempt to gather information from a user. In this case, a spoofed bank message tries to convince the user to act on their request.

The criminals did a decent job of making this message appear to actually come from a bank. However, if the user clicks on the link, they could be prompted to enter their credentials in a different window — ultimately surrendering their username and password.

3. Malware distribution

Another common problem users face from phishing is the distribution of malware. The goal is to trick a user into either opening an attachment or clicking on a URL.

In this example, criminals are trying to convince the user to open an attachment by pretending the document concerns an urgent matter. For the malware to work, criminals have to get the user to run the software on their computer. Malware can be distributed in many forms including viruses, worms, bots, ransomware, password stealers and more.

4. Multiple file extensions

Phishing attempts often require a user to open an attachment to install malware. However, there are a lot of different ways criminals attempt to convince users to do this. One way is to include attachments with multiple file extensions in an attempt to trick users into thinking that the file type is different from what it actually is.

Here the criminals are using a “PDF.zip” file extension, which should raise a red flag to the user because it combines two different file types. However, this could easily be overlooked, since both are file types that most people would find familiar.
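The double-extension trick described above is easy to check for at the mail gateway. The following is an added example, not code from the article or from Barracuda: it builds a constructed sample message with two attachments, walks the MIME parts with Python's standard `email` library, and flags any attachment whose name ends in a document-like extension followed by an archive or executable extension. The extension lists are assumptions chosen for illustration, not a complete policy.

```python
import email
from email import policy
from email.message import EmailMessage

# Outer extensions a "document" should not normally carry (assumed list, extend to taste).
RISKY_OUTER = {"zip", "rar", "7z", "exe", "scr", "js", "vbs", "jar", "iso", "lnk", "bat", "cmd", "hta"}
# Inner extensions that make the name look harmless to a reader (assumed list).
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def extension_chain(filename: str) -> list:
    """Lower-cased extensions of a filename: 'Invoice.PDF.zip' -> ['pdf', 'zip']."""
    parts = filename.strip().split(".")
    return [p.lower() for p in parts[1:] if p]


def is_double_extension(filename: str) -> bool:
    """True when a document-looking extension is followed by a risky outer one."""
    exts = extension_chain(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in RISKY_OUTER and any(e in DOCUMENT_LIKE for e in exts[:-1])


def flag_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return the attachment names that look disguised."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension(name):
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed sample message: one disguised archive, one ordinary PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Urgent: overdue invoice"
    msg.set_content("Please see the attached invoice.")
    # Payload bytes are placeholders; only the filenames matter for this check.
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename="Invoice.PDF.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="Statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    print(flag_attachments(build_sample()))  # ['Invoice.PDF.zip']
```

The check deliberately looks at the whole extension chain rather than just the last two parts, so `Report.pdf.exe` is caught as readily as `Invoice.PDF.zip`, while legitimate chains such as `backup.tar.gz` are left alone. On Windows, where known extensions are hidden by default, the disguised file shows up as simply `Invoice.PDF`, which is exactly why a gateway-side check matters more than relying on the user to notice.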

5. Disguised links

Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny.

The visible link text doesn’t look suspicious; however, it actually points to an entirely different URL. Not only can links like this be used to spread malware, they can also direct users to sites set up by criminals to capture credentials or other personal information.

When unsure, don’t click on a link. You can also hover the cursor over the link without clicking to reveal its actual destination.
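The hover check above can be automated for HTML mail: when an anchor's visible text itself looks like a URL, its host should match the host in the `href`. This is an added example, not code from the article; it uses only Python's standard library and runs over a constructed HTML body. The host-comparison rule and the `.test` domains are assumptions for illustration.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None
        self._text: list[str] = []
        self.anchors: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would interpret as an address (scheme optional).
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain, with a leading 'www.' dropped."""
    u = url.strip()
    if "://" not in u:
        u = "http://" + u
    host = (urlparse(u).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_disguised_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) for anchors whose shown address differs from the target."""
    parser = _AnchorCollector()
    parser.feed(html)
    disguised = []
    for href, text in parser.anchors:
        if not _LOOKS_LIKE_URL.match(text):
            continue  # plain-language link text ("Unsubscribe") cannot be compared this way
        if host_of(text) != host_of(href):
            disguised.append((text, href))
    return disguised


# Constructed sample body: one honest link, one disguised link, one plain-text link.
SAMPLE_HTML = """
<p>Your account requires verification.</p>
<p>Visit <a href="http://secure-login.example-evil.test/verify">https://www.bank.example/secure</a> today.</p>
<p>Questions? See <a href="https://www.bank.example/help">www.bank.example/help</a>.</p>
<p><a href="https://www.bank.example/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for shown, real in find_disguised_links(SAMPLE_HTML):
        print(f"shown: {shown}  ->  actually: {real}")
```

Only anchors whose text reads like an address are compared, because a mismatch between "Click here" and any URL is normal. The same parser output is a good place to add further checks, for instance comparing every `href` host against the sending domain.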

6. Spear phishing

While phishing refers to mass targeting, spear phishing messages are crafted for a single, specific individual in order to build trust with that person. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message is coming from a real source.

Effective spear phishing takes a great deal of reconnaissance about the target to increase the probability of a user actually falling for an attack. Here’s an example where criminals actually took the time to register a deceptive domain that contains the name of an actual entity to appear legitimate.

They obviously want the message to appear like it’s coming from Netflix; however, if you look closely at the URL, you’ll notice that “Netfliix” is actually spelt incorrectly. This technique is called typosquatting, which is often used to sell the ruse when the attacker wants the user to click a link.
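Typosquatted sender domains like the “Netfliix” example can be spotted by comparing the sender's domain against a list of domains you care about and flagging near-misses. The following is an added example, not the article's or Barracuda's code: it normalises common look-alike substitutions (`rn` for `m`, `1` for `l`, and so on), computes Levenshtein edit distance on the second-level label, and reports which protected domain an address most resembles. The protected list, the substitution table and the distance threshold are assumptions for illustration; `netflix.com` is included only because the article discusses Netflix.

```python
from email.utils import parseaddr

# Domains we want to defend against impersonation (assumed list for the example).
PROTECTED = ["netflix.com", "example.com"]

# Character substitutions attackers use because they look alike at a glance (assumed table).
_SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold look-alike characters so 'netf1ix' compares equal to 'netflix'."""
    label = label.lower()
    for src, dst in _SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def second_level(domain: str) -> str:
    """The label just left of the TLD: 'mail.netfliix.com' -> 'netfliix'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def sender_domain(from_header: str) -> str:
    """Domain part of an RFC 5322 From header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, protected=PROTECTED, max_distance: int = 2):
    """Return the protected domain this one most resembles, or None if it is exact or unrelated."""
    d = domain.lower()
    if d in protected:
        return None
    sld = normalize(second_level(d))
    best = None
    for p in protected:
        dist = levenshtein(sld, normalize(second_level(p)))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (p, dist)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed header for the demonstration.
    header = "Netflix Support <billing@netfliix.com>"
    print(lookalike_of(sender_domain(header)))  # netflix.com
```

A distance threshold of 2 is generous for short brand names and will produce false positives, so in practice the threshold should scale with label length, and the same domain appearing with a different TLD (distance 0) deserves its own category. Matching is done on the sending domain, but the same function applies to every host found in the message's links.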

Take action

All of these examples are just a small sample of the many variations of phishing scams criminals are sending out each day, but they certainly make the case for why today’s users need to be properly trained to stay safe online.

The best defence against phishing and spear phishing is to make users aware of the threats and techniques used by criminals. The best approach is to implement a simulation and training program to improve security awareness for your users, to help them recognise subtle clues to identify phishing attempts.

Article by Barracuda Networks senior sales engineer Mark Lukie.
