Eight times more malicious email attachments spammed out in the third quarter of 2008

by Michael Smith

Sophos, the IT security and control firm, reports that eight times more malicious email attachments were spammed out in the third quarter of 2008 than in the previous quarter, and has revealed the top twelve spam-relaying countries responsible for this.

Identity thieves and hackers are striking Windows users on all fronts, as Russia rears its head higher in the Dirty Dozen league of spam-relaying nations. Brazil, among others, can also be found on that list. China, on the other hand, is busy hacking into computers in order to obtain the national and industrial secrets of the western world.

The figures show an alarming rise in the proportion of spam emails sent with malicious attachments between July and September 2008, as well as an increase in spam attacks using social engineering techniques to snare unsuspecting computer users.

We have also seen the first clickjacking attacks in this third quarter of 2008, and I shall be writing some more about clickjacking as soon as possible.

Sophos’s latest report reveals that one in every 416 email messages between July and September contained a dangerous attachment, designed to infect the recipient’s computer – a staggering eight-fold rise compared to the previous quarter where the figure stood at only one in every 3,333 emails.

This is such an enormous rise that one can but wonder how we can protect ourselves against this, whether as a large or small business, and especially as a home business user.

Sophos has identified that much of this increase can be attributed to several large-scale malware attacks made by spammers during the period. The worst single attack was the Agent-HNY Trojan horse which was spammed out disguised as the Penguin Panic Apple iPhone arcade game.

Other major incidents included the EncPk-CZ Trojan, which pretended to be a Microsoft security patch, and the Invo-Zip malware, which masqueraded as a notice of a failed parcel delivery from firms such as FedEx and UPS.

We also must not forget the malware that comes courtesy of visits to websites, some of them even legitimate: the so-called “drive-by downloads”, or as I have termed them “drive-by shootings”, which often infect the machine without the user having to do anything at all.

Windows users opening any of these attachments exposed their PCs to the risk of infection and potentially put their identity and finances at risk. The most widespread attacks seen by Sophos are not designed to run on Unix, Linux and Mac OS X.

"For Apple Mac and Linux/Unix lovers, these major spam attacks just mean a clogged-up inbox, not an infected operating system. But organized criminals are causing havoc for Windows users in the hunt for cold hard cash," said Graham Cluley, senior technology consultant at Sophos. "Too many people are clicking without thinking – exposing themselves to hackers who are hell-bent on gaining access to confidential information and raiding bank accounts. The advice is simple: you should never open unsolicited attachments, however tempting they may appear."

The one thing to always consider: if an email looks suspicious, do not even open the email, let alone its attachments. While I know that this is not 100% protection, as an email may claim to be from a friend or a colleague, one way to protect oneself a little is to (1) not use the preview pane and (2) always check any suspect mail via the “properties” box for its contents and originator. The “preview” pane should be deactivated in Outlook, Outlook Express or any other email client, as some malware does not require the payload, that is to say the attachment, to be opened, but is capable of running just by the mail being opened.

Creative social engineering continues to out-fox users

As well as using malicious email attachments, cybercriminals have continued to embed malicious links and spam out creative and timely attacks designed to prey on users’ curiosity.

For example, in August, Sophos warned of a widespread wave of spam messages claiming to be breaking news alerts from MSNBC and CNN. Each email encouraged users to click on a link to read the news story, but instead, took unsuspecting users to a malicious webpage which infected Windows PCs with the Mal/EncPk-DA Trojan horse.

Emails like that are best binned immediately and never, I repeat never, opened. Remove them from the PC immediately by pressing “delete” while holding down the “shift” key; this way they are kept out of the “deleted items” folder as well.
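As an added illustration of the two checks recommended above (inspecting the originator via the message properties, and treating news-alert links with suspicion), the following script is my own example, not Sophos's code and not part of the original post. It triages a raw message offline without rendering the body: it compares the Return-Path and Reply-To domains against the From domain, flags executable or double-extension attachment names, and spots HTML links whose visible text names a different host than the real target. The message itself is constructed for the example, modelled on the news-alert lure and the game-disguised attachment described here; the domain names are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message), modelled on the news-alert lure and the game-disguised attachment
RAW_MAIL = b"""Return-Path: <bounce@bulkmailer.example>
From: "Breaking News" <alerts@news-site.example>
Reply-To: <claim@bulkmailer.example>
Subject: Breaking news alert
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Read the full story: <a href="http://cdn.bulkmailer.example/story">http://www.news-site.example/news/123</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="penguin_panic.jpg.exe"

MZ
--b1--
"""
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".zip")

def addr_domain(header_value):
    # Lower-cased domain of the first address in a header, '' if the header is absent
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def triage(raw):
    """Check originator headers, attachment names and link targets without rendering
    the body. Returns a list of findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, from_dom = [], addr_domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name and (name.count(".") > 1 or name.endswith(RISKY_EXT)):
            findings.append(f"risky attachment name: {name}")
        if part.get_content_type() == "text/html":
            for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', part.get_content()):
                shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
                if shown and real and shown != real:
                    findings.append(f"link text shows {shown} but points to {real}")
    return findings
```

Run `triage(RAW_MAIL)` on the sample and all four lures are reported; a plain message from a consistent sender with no attachments yields an empty list.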

"When a spam email appears to come from a trusted source, too many users are fooled and end up clicking through to a malicious webpage," remarked Cluley. "The naivety shown by many internet users is downright dangerous. In the past hackers were more like teenage mischief-makers breaking into sheds to see what they could find. Today they’re hardened criminals wearing hobnail boots with no qualms about breaking into your home and stealing everything they can get their hands on."

New frontiers

Spammers have proven themselves to be unafraid of trying new methods of distributing their marketing messages and spreading their malware to an undefended public during the last three months. Sophos has seen an escalation in the amount of spam being sent via social networking websites such as Facebook and Twitter, and expects to see this continue to rise.

Emerging countries surface as spam-relaying offenders in dirty dozen chart

Sophos recorded three new entries to the spam hall of shame in the third quarter of 2008: Colombia and Thailand have assumed eleventh and twelfth place respectively, while India has shot straight into the chart at number seven.

"Insecure computers, wherever they are in the world, are a spammer’s dream – they can be easily hijacked remotely and joined to sprawling networks of botnets designed to create chaos by sending floods of spam and carrying out denial-of-service attacks," explained Cluley. "The message needs to be heard loud and clear: if you don’t properly defend your PC you are not only putting your data, finances, and identity at risk, you are also endangering other members of the internet."

Sophos identified the top twelve countries responsible for relaying spam across the globe between July and September 2008, and whilst the United States retains its position as the top relayer of spam, Russia has increased its contribution to the world spam problem, soaring from 4.4 percent last year to 8.3 percent during this time period. When it comes to really high-stakes cybercrime, Russia is one of the top players.

According to Sophos researchers, there is no sign that recent legal action by the authorities against major spam gangs has had any perceptible impact on the amount of spam in circulation.

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at their email and web gateways to defend against viruses and spam.

Where does that leave the little guy, however? Well, in a way the same advice applies, that is to say, automatically update anti-virus programs and other protection software, such as the firewall, anti-spyware, and so on.

Furthermore, the most important thing to do is to use common sense. Yes, that misnomer, because it is not as common as it should be. If someone tells you that you have won a lottery despite the fact that you never entered a draw, then it is too good to be true and hence a fake.

The same is true for the Yahoo or MSN lotteries that have supposedly drawn your email address out of the hat. Those are also malware-bearing emails, or emails with a “claim” link that directs whoever opens it to a website hosting malware.

News items that you have not subscribed to via a feed, for instance, especially if they claim various strange things, are certainly not something you should open, and you should definitely not click on the links in any such email.

The best advice must be: if in doubt, do not open it, and check with the sender whether such an email was actually sent. That should ensure a reasonably high degree of safety.

© M Smith (Veshengro), November 2008