KILL
communication
crime
mortgage cybercriminals
shopping money documents credit
informationsocial
engineering
transaction transfersoftware
cyber
data
shipment web
computer
wire
A Look at 2015’s
Email Social Engineering Landscape
bank
theft
WORDS
that
security
visa
loan
target
vulnerability
malware attacks email attachments
shipment
international
network hackers product
INTRODUCTION
2015 has so far been an interesting year for the AV industry with regards to the
number of zero-day vulnerabilities that were disclosed on various platforms. Typically,
a software vulnerability disclosure easily makes headlines, perhaps due to the idea
that these security holes leave end users susceptible to malware attacks, thus
generating the FUD (fear, uncertainty, and doubt) so often associated with these
bugs.
However the majority of zero-day attacks, like many other attack vectors, make use
of social engineering for the infection to happen in the first place. While there is a lot
of technical information being shared about malware, there is far less discussion of
the social engineering aspect of attacks.
In this post, we will talk about one of the most prevalent and effective social
engineering-pedalled attack vectors - Emails with Malicious Attachments. In such
attacks, the goal of social engineering is to trick users to open an attached malicious
file. We will take a closer look and dissect the social engineering elements of these
email threats to get a better understanding of what makes social engineering work for
so many of us.
1
WHAT TOPICS ARE MOST EFFECTIVE?
We collected email samples from different spam
collection sources starting from January 1 up to
September 3, 2015 and extracted metadata from
Others
each of them. We then studied the email Subject
20%
field for words or social engineering “hooks” that
have the highest instances. In an email, the email
Subject typically defines what will be the content of
the rest of the email. This is also the case in malicious
emails where the Subject defines the “theme” of the
social engineering, such as the email body content
Documents
14%
DISTRIBUTION OF
SOCIAL ENGINEERING
SUBJECTS
Shopping
41%
and attachment filename. It is for this reason that we
focused our study on the email Subject field.
Tallying the instances of social engineering hooks
reveals the top three social engineering topics used by
Money
cybercriminals - Shopping, Money, and Documents.
25%
The figure to the right shows these distributions.
2
Shopping
Online shopping is a convenient way to buy goods
Below is the distribution of commonly used words
without the hassle of travelling, queuing, and physically
related to Shopping. For this category, we found that
browsing for goods which can be time consuming,
the most commonly used hook is “invoice”, followed
if not tiring. Additionally, many online shops offer
by “order”:
convenient return policy programs similar to what you
will get in brick and mortar establishments. Online
2% 1%
shopping also allows you to buy goods outside your
3%
city or country. For these reasons, many consumers
2% 2%
4%
shop online and cybercriminals are taking advantage
27%
5%
of this fact, making Shopping the top email social
5%
engineering bait.
5%
DISTRIBUTION OF
SOCIAL ENGINEERING
WORDS USED
RELATED TO SHOPPING
6%
7%
24%
7%
invoice
PO, P.O
DHL
merchant
order
shipment, shipping
receipt
Fedex
quote, quotation
deliver, delivery, delivered
package
purchase, purchasing
product
parcel
3
MONEY
Today, a lot of transactions are being made online
not only for shopping but also in banking, bill pay,
3%
3%
6%
involved in some form of online transaction, making
Money the number 2 social engineering ploy.
7%
In the Money category, the terms “pay” or “payment”
were used 44% of the time:
1%
3%
remittance, and many other areas. Therefore, it is
safe to assume that the majority of Internet users is
2%2%
8%
DISTRIBUTION OF
SOCIAL ENGINEERING
WORDS USED
RELATED TO MONEY
44%
10%
11%
pay, payment
bill
cheque
transfer
wire
mortgage
transaction
credit
visa
bank
loan
remit, remittance
4
DOCUMENTS
The 3rd most used bait on the other hand, appears
2%
to target the working class. Online exchange
13%
of documents is typical in a day to day work
27%
environment. As a result, there is a high chance that
document-themed malicious emails will blend with
legitimate work emails, thus increasing the chance of
14%
them being inadvertently opened by users.
“Document” or “documents”, followed by “fax”, are the
DISTRIBUTION OF
SOCIAL ENGINEERING
WORDS USED
RELATED TO DOCUMENTS
most used hooks in this category:
19%
25%
document, documents
scan, scanned
resume
fax
report
contract
5
OTHERS
Words under the Other category are typically used in
conjunction with or are supplementary words for the
6%
2%
18%
6%
top 3 categories above. For example, “urgent” will be
used in an email subject such as “Urgent Order”. This
9%
figure shows the word distribution in this category
where most of the words appear to be evenly used:
9%
DISTRIBUTION OF
SOCIAL ENGINEERING
WORDS IN THE
OTHERS CATEGORY
13%
13%
11%
13%
urgent
request, requested
inquiry
copy
account
rejected
notification
confirmation
attach, attached, attachement
statement
6
EMAIL ATTACHMENTS
So where do these social-engineering tricks lead? Our
analysis of attachment metadata reveals that over half
16%
of the malicious email attachments were ZIP archives.
The ZIP file extension is a widely known archive file
type even to inexperienced end users. In an email
social engineering attack, ZIP files may play into the
curiosity of an unsuspecting recipients as they do not
instantly see the archive’s content. Additionally, there
is also a chance that the recipient may forget to check
3%
3%
3%
4%
DISTRIBUTION OF
SOCIAL ENGINEERING
WORDS IN THE
OTHERS CATEGORY
DISTRIBUTION OF
ATTACHMENT FILE TYPES
63%
4%
4%
the extracted file’s extension name as opposed to, for
instance, seeing an EXE attachment on an email which
looks more suspicious.
The ZIP file type is also supported natively by Windows,
zip
rar
png
doc
xls
jpg
gif
other
the dominant computer operating system on the
market. Less savvy Windows users tend to double-click
and automatically open the content inside the archive
for convenience. These factors contribute to a higher
chance of infection and therefore may explain the
widespread use of ZIP files.
7
Extracting the contents of the ZIP attachment reveals its true colors:
As can be seen below, the majority of malware hiding inside ZIP files are executable files. 50.87% of all attached
zip files we sampled contained executables. This is followed by Microsoft Word DOC files at 27.36%. These results
suggests that the majority of malicious emails are still targeting Microsoft Windows users.
While these results are based on quantitative analysis of the samples, it is important to note that for a typical
user, looking at the file type extension is not always a reliable way to know the file type of an email attachment.
Cybercriminals may sometimes use tricks to disguise the real file types of email attachments, such as the Right-to-Left
Override technique.
PE, 50.87%
doc, 27.36%
xls, 3.05%
jpg, 2.87%
png, 2.63%
bat, 2.61%
htm, 2.41%
js, 2.19%
jar, 1.64%
other, 1.42%
pdf, 1.12%
gif, 0.80%
xml, 0.42%
vbs, 0.34%
rtf, 0.26%
0%
10%
20%
30%
40%
50%
60%
DISTRIBUTION OF FILE TYPES OF FILES EXTRACTED FROM ZIP ATTACHMENTS
8
TOP MALWARE FAMILIES
Below are top ranking malware families propagated by socially-engineered emails:
WM/Agent, 35.62%
W32/Waski, 20.33%
MSIL/injector, 10.65%
W32/Kryptik, 8.49%
MSIL/Kryptik, 5.92%
W32/injector, 5.64%
MSWord/Exploit, 3.21%
JS/Nemucod, 2.96%
W32/Upatre, 1.44%
W32/Zbot, 0.83%
W32/Papras, 0.77%
W32/Weecnaw, 0.77%
W32/Wauchos, 0.77%
W32/Fareit, 0.64%
W32/Zlader, 0.64%
W32/Elenoocka, 0.50%
W32/Filecoder, 0.47%
W32/Tinba, 0.36%
0%
5%
10%
15%
20%
25%
30%
35%
40%
TOP MALWARE FAMILIES EXTRACTED FROM MALICIOUS EMAILS
9
Descriptions of the top 6 malware families can be found below:
WM/Agent
W32/Waski
MSIL/Injector
A Macro Downloader
used by the Dridex
banking trojan to
download its main
malware component.
A small program that
downloads additional
malware on the
affected system.
A C#-compiled Trojan
family that steals
sensitive information.
The Trojan then sends
stolen data to a remote
machine.
W32/Kryptik
xMSIL/Kryptik
W32/Injector
Generic detection of
malicious obfuscated
code of files in the
PE32 format.
Generic detection of
malicious obfuscated
code of files compiled
in the C# language.
A Trojan family that
is capable of stealing
passwords and other
sensitive information.
10
BEST PRACTICES
Companies and organizations protect their networks
from malicious emails through security appliances
such as antispam gateways. Whether you are part of a
big company or a typical end user, you as an individual
play a critical role in securing your company’s or
personal assets. In fact, you have the capability to
actively defend even if you are not a technical user
simply by making yourself aware of cyber-social
engineering tactics. Below are some best practices
you can observe to avoid falling victim to sociallyengineered email attacks:
1
DO NOT EXPECT
THE UNEXPECTED
If you are not expecting something
such as a shipment, a bank transfer,
or a document, for example, then
chances are that email in your inbox
sent by someone you don’t know is
not legitimate and you should get rid
of it. In other words, use common
sense.
11
2
BE CURIOUS – BUT IN THE RIGHT WAY
If, perhaps, you are expecting an email similar to the one your received but are not sure if it is
legitimate (e.g. if you are in your organization’s HR department and receive a job application email
with an attached resume), or are simply unsure, there are simple ways to investigate further:
a. Consult an expert. Seek the help of your company IT administrator (or a tech savvy friend) regarding a suspicious email.
b. Search online. Usually you can find reports online about samples of the latest email social engineering tactics. Simply searching the subject of the email plus the word “spam” on Google will usually lead you to a variety of reports if the email is actually malicious. You can do the same for attachment file names or email body text.
c. Upload to file scanning sites. Even if you do not have antivirus applications or worry that they may not be effective, there are quite a few free file scanning websites where you can upload suspicious emails. These websites will scan with the latest antivirus engines. An email that is being detected by antivirus engines gives you a good clue that it is malicious. A good example of a file-scanning website is virustotal.com.
12
3
CREATE EMAIL RULES
By being aware of the common baits in email social engineering, you can create email rules to filter
out possible malicious emails. For example, if you are an employee you can create an email rule
that will filter out emails coming from senders outside your organization’s domain and containing
any of the words from the Document category above to a specific folder. It may seem tedious, but
on a busy day when you receive dozens of emails at a time, segregating suspicious email profiles
will help you easily manage and identify intrusion attempts.
CONCLUSION
Socially-engineered emails continue to play a major role in infecting end users and networks today. We believe that this
trend will persist for many years to come; this threat has been well established for years but has become increasingly
sophisticated in its approach. However by carefully analyzing details and trends in email social engineering, we become
more familiarized and are therefore empowered to make better decisions when faced with suspicious emails. In fact,
organizations, their employees, and average end-users alike are entirely capable of defending themselves by observing
best practices and educating themselves about email and other cyber threats.
13
Kenny Yang, Roland Dela Paz, FortiGuard Lion Team
Copyright © 2015 Fortinet, Inc. All rights reserved.