Characterizing Email-Borne Attacks

As a security practitioner, you can expect to see different types of attacks against your brands and properties. The three types of attacks most commonly seen on the internet are phishing, pharmaceutical spam and malware. Many of the other generic spam attacks we used to see, such as 411 scams, are not as popular now.

Pharmaceutical spam is generally intended to get the user to buy knock-off Viagra, Cialis or other drugs and, as such, the content is usually very simple and is just intended to convince the user to click on the link to the pharmacy. If you’re trying to characterize the flow, you’ll see that the attacks tend to morph constantly, using varying senders, subject lines and URLs in every message. Hosts involved in spewing out pharma spam tend to be compromised PCs controlled by a botnet, and each host often emits only a few messages. However, a mass of PCs together can constitute a large attack. The contents often stay static, with obfuscated names for the various drugs in an attempt to bypass spam filters and just the URL changing every few messages. While not necessarily harmless, pharmaceutical spam is generally not intended to harm the recipient or their computer.

Malware attacks, on the other hand, are quite the opposite. Regardless of whether the criminal is attempting to infect the victim with a banking trojan or co-opt their computer into a botnet, they certainly intend damage. Malware attacks can vary greatly in form and content, with the malware either included as an attachment or sitting behind a link for a drive-by infection. In general, the messages that distribute malware are similar to pharmaceutical spam in that they often come from botnets. However, the contents are generally shorter than pharma emails. Where the pharmacy owner often puts his prices for various drugs in the message itself, malware distributors often keep the content as minimal as possible, trying to drive a click on the attachment or on their URL. Large-scale attacks emanating from botnets with no URLs can generally be attributed to malware distribution.

The most damaging attacks, however, are often phishing attacks. Phishing attacks are characterized by fairly static content that imitates the actual branding of the financial institution or other organization being impersonated by the “phishermen”. Many attacks utilize only a single subject line, something like “Account Locked Act Now”, and are all sent from the same spoofed email address. Unlike many malware and pharma attacks, phishing attacks often emanate from just a few compromised hosts. (This is a generality born of the experience of analyzing phishing attacks and by no means a hard-and-fast rule.) Similarly, the URLs in phishing messages tend to be much more static than in the other message types. In most cases, the criminals have compromised a website such as a blog (WordPress blogs are notorious here) and dropped their phish kit into it. A phish kit is a pre-built copy of the corporation’s website that they can drop onto any web server in order to impersonate the company.
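The three profiles above (varying sender/subject/URL from many hosts for pharma spam; minimal bodies with attachments or no URL from many hosts for malware; static sender, subject and URL from a handful of hosts for phishing) can be turned into a triage heuristic for a batch of messages. The following is an added example, not code from the original article; the message records, hostnames and thresholds are all constructed assumptions for illustration.

```python
"""Triage a batch of messages against the pharma / malware / phishing profiles."""
from collections import Counter
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Msg:            # metadata for one observed message (constructed, not real mail)
    sender: str       # From: address
    src_host: str     # connecting host that delivered the message
    subject: str
    urls: tuple       # URLs found in the body
    attachment: bool  # message carries an attachment
    body_len: int     # body size in characters

def profile(msgs):
    """Measure how much the batch varies along the axes the text describes."""
    n = len(msgs)
    hosts = Counter(m.src_host for m in msgs)
    with_url = sum(1 for m in msgs if m.urls)
    return {
        "count": n,
        "hosts": len(hosts),
        "msgs_per_host": n / len(hosts),
        "sender_variety": len({m.sender for m in msgs}) / n,
        "subject_variety": len({m.subject for m in msgs}) / n,
        "url_variety": len({u for m in msgs for u in m.urls}) / max(1, with_url),
        "with_url": with_url / n,
        "with_attachment": sum(1 for m in msgs if m.attachment) / n,
        "median_body": median(m.body_len for m in msgs),
    }

def classify(p):
    """Map a profile onto an attack type. Threshold values are assumptions."""
    static = (p["sender_variety"] <= 0.2 and p["subject_variety"] <= 0.2
              and p["url_variety"] <= 0.34)
    if static and p["msgs_per_host"] >= 5:
        return "phishing"   # few hosts, one spoofed sender, fixed subject and URL
    if p["msgs_per_host"] < 3:   # botnet-like: each host sends only a few messages
        if p["with_attachment"] >= 0.5 or p["with_url"] <= 0.5 or p["median_body"] < 120:
            return "malware"     # minimal body, attachment or no URL at all
        if p["sender_variety"] >= 0.8 and p["with_url"] >= 0.8:
            return "pharma"      # everything rotates, but there is always a link
    return "unclassified"        # out-of-character traffic: look at it by hand

# Constructed sample batches (reserved .test / example.net names, no real hosts).
PHARMA = [Msg(f"u{i}@example.net", f"10.0.{i}.{i}", f"Cheap V1agra #{i}",
              (f"http://pharm-{i // 2}.test/",), False, 320) for i in range(6)]
MALWARE = [Msg(f"acct{i}@example.net", f"10.1.{i}.{i}", "Invoice attached",
               (), True, 40) for i in range(6)]
PHISHING = [Msg("alerts@examplebank.test", f"192.0.2.{10 + i % 2}", "Account Locked Act Now",
                ("http://blog.test/wp-content/kit/login.php",), False, 600) for i in range(10)]
```

Run `classify(profile(batch))` over each batch; the phishing batch is the only one where two hosts carry the whole campaign.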

Again, the above characterizes the plurality of attacks we see and should be of use when analyzing attacks against you, but attacks morph and change form constantly so don’t be fooled by attacks that are out of character!