Online criminals have gotten savvier but they’re still relying on the same old tricks they’ve been using for decades. Research by the Helsinki-based cyber security firm F-Secure shows spam remains the most common method of spreading malicious URLs, scams and malware more than 40 years after the first email spam was sent.
“Email spam is once again the most popular choice for sending out malware,” says Päivi Tynninen, Threat Intelligence Researcher at F-Secure. “Of the spam samples we’ve seen over spring of 2018, 46% are dating scams, 23% are emails with malicious attachments, and 31% contain links to malicious websites.”
Spam has been one of the main infection vectors for decades, Tynninen notes. “During the past few years, it’s gained more popularity against other vectors, as systems are getting more secure against software exploits and vulnerabilities,” she says.
The technique still relies on spewing out massive numbers of emails in order to snare a tiny number of users. And criminals continually refine their tactics to deliver to better results.
While spam is a numbers game, there are certain tactics that play on recipients’ psychology to make spam more potent:
- The probability of recipient opening an email increases 12% if the email claims to come from a known individual
- Having a subject line free from errors improves spam’s success rate by 4.5%
- A phishing email that contains an urgent call to action gets less traction than when the urgency is implied
Criminals are not just relying on the content of spam to trick users. They are also using new methods to infect users who are wise to the dangers of clicking on unsolicited attachments.
“Rather than just using malicious attachments, the spam we’re seeing often features a URL that directs you to a harmless site, which then redirects you to a site hosting malicious content. The extra hop is an analysis evasion method for keeping the malicious content hosted for as long as possible,” Tynninen says. “And when attachments are used, the criminals often attempt to avoid automatic analysis by asking the user to enter a password featured in the body of the email to open the file.”
Despite the increasing amounts of money being spent by businesses, F-Secure’s research shows that unsuspecting employees remain the weak link in any effort to shore up cyber security. Periodic awareness training for employees will go a long way toward protecting that investment.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.