What happens when you mix the direct personal connection of email with the sneaky propagation tactics of spyware? An explosive spread in trojan horse infections and compromised global network security. Malware and spyware authors have successfully piggybacked on spam mail methods to spread their annoying and costly payload. This resource describes how spammed security threats work and how they are spread. We will also cover how to spot these methods and guard against them using defensive surfing practices and installing the right kind of network security software.
The power of Email – everywhere at all times
Email still ranks as one of the most common Internet activities. Email volume continues to grow year after year as people use email as an indispensable tool for work and personal purposes. Sadly, the volume of unsolicited commercial email continues to grow at a rate that far outstrips legitimate email. You’re probably all too familiar with the kind of spam that floods most email boxes–penis enlargement pills/patches/lotions/exercises, “generic” Viagra/Cialis/Levitra, Nigerian bank deposit scams, Rolex “replicas”, and all matters of scams and shady products. Based on most estimates, there will be no slowdown in the volume of spam soon.
Most spam emails get their recipients to visit their advertised sites through the following methods: including a link in the body of the email, attaching a picture with the url in the picture, remotely
sourcing a picture with the ur of the target site, spacing out the letters/numerals that form the target site’s url and having the recipient type in the url themselves.
The constant threat of malware
Spyware and other malware variants are software applications that vary widely in function from gathering and reporting your keystrokes to a remote computer, to storing and passing on your sensitive personal information, to turning your computer into a relay service for spam, or converting your computer into a denial of service attack source. Regardles of their function, malware has one thing in common—they are unwanted software. To compensate for this, malware uses trojan horse applications to load and infest victims’ computers. Trojan application and methods look like innocent processes or files, but they load more sinister malware that does the actual damage.
The explosive combination of spam mail and malware
Due to the increased effectiveness of anti-spyware software, malware makers are under a lot of pressure to find delivery and propagation models other than web surfers visiting their website through search engine results or through spam links or exploits of heavy traffic sites like pornographic and flash game sites. Malware operators now piggyback on two very powerful factors to spread their malicious payload: mass mail’s ability to reach milions through hard to trace proxy and botnet system and email recipients’ own psychological vulnerabilities.
How spam mail-based malware propagation works
Malware spammers buy spam lists of millions of “live” and working email addresses. They then use bulk mail software to send out email. To avoid detection and criminal prosecution, these individuals and groups use proxy servers, both legitimate public proxies and malware-infested “botnet” computers, to send out their materials. To avoid detection, mail headers and other identifying information are forged.
Deceptive subject lines with a psychological “hook”
Getting the mail to the intended victim is one thing. Getting them to open is another. Malware spammers really get creative at this stage of the game. Deceptive and compelling copywriting skills come into play. Most Internet users are getting more and more jaded when it comes to spam mails so the open rate (the rate in which an email is opened) goes down the more experienced the recipient is.
Accordingly, malware spammers use compelling subject lines that many unsuspecting email users fall for. Here is a small but illustrative list:
System error notifications – Lately, many malware propagators copy system-generated error notices, whether email servers or web servers, to produce fake “updates” and “notices”. These usually have html attachments, which redirect to attack sites when opened.
Bank notifications/Financial institution notifications – Hard to resist when your bank notifies you about suspicious activity in your account, right? Another variation is to “remind” you of new security features or other “updates.”
Money transfer notifications – Western Union, Xoom, Paypal, and other money remittance systems’ names are sometimes abused by malware spammers to trick readers into opening their email. Oftentimes, the subject line includes a claim ID number (in Western Union’s case, it is an MTCN code).
Domain name transfer/hosting notifications – A new disturbing trend in spammed malware is the rise of dubious domain name “transactions” which trick readers to open an email because of perceived changes or threats to their domain name or hosting service.
Fake job application responses – Not as prevalent as the subject lines above but definitely gaining tractions specially during the recent economic downturn. Malware spammers exploit web surfers’ job search or economic anxieties to get them to open their emails.
Fake dating or personal interest emails – There’s nothing more powerful than sexual attraction. Malware spammers exploit this through fake personal introduction or fake dating headlines like “Hi I’m Belinda” or “This is Jennifer from ______” or some other form of vaguely sexual comes on. Variants of this headline involve fragmented very personal messages like “You left before I could…” and other similar titles.
Online gaming/MMORPG notifications – Since a large number of internet users are into online gaming or are familiar with online gaming, these types of headlines are becoming more and more prevalent. The more common variants involve account notifications or beta testing.
How malware spammers get you to their site
Opening an email is one thing. Actually getting to the malware attack page is another. Just like with catchy headlines, malware propagators get creative in this department as well. Since spammed emails with links to attack sites get scrubbed very quickly by most email systems, malware spreaders use the following:
HTML attachments – recipients are instructed to open the attachment. They are redirected to an attack site once they load the html page.
Picture attachments – recipients are instructed to load the url in the picture. The url is either the attack site or a redirect to an attack site. Often, the user is redirected many times before being taken to the actual attack site.
Scrambled or Spaced out url text – if the email is psychologically compelling enough, recipients are often tricked into rewording the url or taking out spaces or characters to produce a working domain which they then load to their browsers.
How to Protect yourself from spammed malware
Spammed malware draws its power from YOU. If you don’t open the email and if you don’t click the link payload or html attachment, they lose most of their power since the email, in of itself, isn’t executable nor does it auto-refresh. The email needs your actions to achieve it’s shady goals. Here’s some key tips on how to avoid becoming a victim:
- Look at the FROM: area. Is the person familiar? Do you remember dealing with the person?
- Look at the SUBJECT LINE Go over the variations of malware headlines discussed above and see if the email subject line is suspicious.
- Be suspicious. Be aware of the psychological ‘triggers’ the email’s subject line is getting at. Is it scaring you? Is it appealing to your sense of loneliness? How about your greed or recent unemployment status?
- Which folder is the email located in? While not all emails in your SPAM folder are necessarily spam, the mere fact that your mail system has placed that email there should make you extra cautious. Use this heightened caution when reading the email carefully.
- Carefully inspect the linked text and the url of the linked text in the email. Are they the same site? If the email mentions the name of a website, does the url for the link the same as the mentioned site? If not, don’t click. If the url is actually a misspelling or uses an unfamiliar domain extension for the site (ie: the legit site is a .com but the link in the spammed mail is a .info or .ws), don’t click.
- Check for inconsistencies: Is the email consistent throughout or does it cancel itself out or are there other inconsistencies?
- Is it too good to be true? If the email involves getting money you didn’t expect at huge amounts, click the delete button. The same goes for attractive females contacting you out of the blue and wanting to know all about you.
- Always make sure you have antimalware software installed and updated. Just because you installed the antimalware/antivirus package your system shipped with is not enough. You have to keep it updated or at least make sure autoupdate is turned on. Moreover, not all antivirus/security software is the same. Some are better at detecting, preventing, or cleaning malware than others. Visit ereviewguide’s internet security software to see the differing features of these differing packages.
- Pay attention to what your security software says. If you have antivirus software installed, make sure to pay attention to what it says. Don’t just keep on clicking okay. Also, many packages require “training” specially when filtering email. Make sure to take the time to train the software carefully. This goes a long way in preventing false positives.
Only YOU can protect yourself
In the end, the only person who can protect you from spammed attacks is YOU. While the security software you have installed will prevent attack sites from loading or flag suspicious email, YOU need to be vigilant and not override or, in the case the trojan/malware of the attack site has overridden your security software, exercise due diligence and caution before installing any suspicious programs or clicking suspicious links or attachments. Please read this article more than once to get a firm grasp of the warning signs.