I would hope by now that most people know the basic tricks of how to tell a real email from a phishing email, but we know that the bad guys have gotten very good at their tricks, particularly with spear-phishing emails that are on target and do an amazing job of mimicking the real thing.
New research from Trend Micro has found that 91 percent of all advanced persistent threat (APT) cyber attacks start with a spear-phishing email. Because these emails are so convincing, the recipient is more likely to click the link or open the attachment, which loads malware onto the computer. Trend Micro provided some hints on what to look for in these attachments:
Spear-phishing emails can have attachments of varying file types. We found that the most commonly used and shared file types in organizations (e.g., .XLS, .PDF, .DOC, .DOCX, and .HWP) accounted for 70% of the total number of spear-phishing email attachments during our monitoring.
What was surprising to me was that .EXE, or executable files, were not as common, especially since I just received two phishing emails in the past week with .EXE attachments. But Trend Micro's theory is that, more often than not, security software has already detected and blocked these attachments or alerted the user, so attackers favor document formats that pass through. Even so, attachments appear to be more favored than embedded links, as Trend Micro found that 94 percent of the spear-phishing emails contained attachments.
Why so many attachments when we should be on high alert to not open anything we aren’t expecting? It is because the emails are so well targeted. The people who are receiving these scams are people who regularly receive attached documents. Trend Micro also added this interesting tidbit:
Targeted emails without attachments are more often sent to noncorporate or nongovernmental organization (NGO) targets like activist groups and international organizations as their members typically reside in different countries. In such a case, a spear-phishing email that lures victims to click a link and to download a file from a remote site may not appear suspicious.
The bad guys have added a new layer to their trickery, but I'm not sure how widespread this is yet. This happened to me in two emails, and the security folks I talked to were unaware of the tactic. They were targeted to me, using my name, regarding my YouTube account. Now, my first clue that this was spam was that I don't have a YouTube account, but I still did my usual checks to see how the spammer was trying to trick me. When I rested my cursor on top of the link (no attachments this time) I got a pop-up that showed the YouTube URL. But a closer look at the left-hand corner of my screen revealed the real URL, which was most definitely not YouTube.
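The trick described above works because a link's tooltip (the `title` attribute) and its visible text are free-form strings, while the browser's status bar shows the actual `href`. The following is an added example, not code from the original post or from Trend Micro: a small Node.js script that scans an HTML email body and flags any anchor whose tooltip or link text names one site while the `href` points to another. The HTML sample is constructed for the example and its hostnames (`video-review.example.net`, `accounts.example.com`) are placeholders, not real phishing domains.

```javascript
// Added example (not from the original post): flag anchors whose tooltip (title)
// or visible text claims one site while the real href points somewhere else.
// Runs under Node.js with no dependencies. SAMPLE_HTML is constructed for the
// example; the hostnames in it are placeholders, not real phishing sites.

const SAMPLE_HTML = `
<p>Your video has been flagged. Review it here:</p>
<a href="http://video-review.example.net/login" title="https://www.youtube.com/my_videos">https://www.youtube.com/my_videos</a>
<p>Or sign in at <a href="https://www.youtube.com/signin">YouTube</a>.</p>
<p>Billing: <a href="https://accounts.example.com/pay" title="Pay now">Pay now</a></p>
`;

// Extract the hostname from the first http(s) URL found in a string, or null.
function hostOf(text) {
  const m = (text || '').match(/https?:\/\/[^\s"'<>]+/i);
  if (!m) return null;
  try {
    return new URL(m[0]).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// A hostname "belongs" to a claimed site if it is the same host or a subdomain
// of it (so m.youtube.com counts as youtube.com, but youtube.com.evil.test does not).
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// Read one double-quoted attribute value out of an anchor's attribute string.
function attrValue(attrs, name) {
  const m = attrs.match(new RegExp(`${name}\\s*=\\s*"([^"]*)"`, 'i'));
  return m ? m[1] : '';
}

// Parse <a ...>...</a> tags with a regex (sufficient for a flat e-mail body; a
// mail client would walk the DOM instead) and return every link whose href host
// differs from a host named in its tooltip or its visible text.
function findDeceptiveLinks(html) {
  const anchorRe = /<a\s+([^>]*)>([\s\S]*?)<\/a>/gi;
  const hits = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = attrValue(m[1], 'href');
    const title = attrValue(m[1], 'title');
    const text = m[2].replace(/<[^>]+>/g, '');
    const real = hostOf(href);
    if (!real) continue; // mailto:, relative links, etc. are out of scope here
    for (const claimed of [hostOf(title), hostOf(text)]) {
      if (claimed && !sameSite(claimed, real)) {
        hits.push({ href, claimed, real });
        break;
      }
    }
  }
  return hits;
}

for (const h of findDeceptiveLinks(SAMPLE_HTML)) {
  console.log(`link claims ${h.claimed} but actually goes to ${h.real}: ${h.href}`);
}
```

On the sample above only the first anchor is reported: its tooltip and text both say `www.youtube.com`, but the `href` host is `video-review.example.net`. The plain "YouTube" link and the "Pay now" link pass, because neither their text nor their tooltip names a URL that contradicts the `href`. The same check can be run from a browser console against a rendered message by iterating `document.querySelectorAll('a')` and comparing `a.title`/`a.textContent` with `new URL(a.href).hostname`.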
Like I said, the bad guys are always one step ahead. Once you have one of their tricks figured out, they’re moving on to something else to better fool you. The problem now might be that they’ve gotten so far ahead of the game that the security defenses aren’t keeping up. I’ll discuss that more tomorrow.