What is Phishing? What are malvertising, spam e-mail and malware e-mail campaigns?
These terms have started to become intertwined and used interchangeably, which generally points to a lack of understanding in the IT community, and that is typical. Over time, laziness and improper training have a way of bending security definitions into bundles. A great example is the term “rootkit”, which Microsoft and some in the security community have decided to adopt as a general term for backdoor software that provides an attacker a means to covertly access a compromised host, trojan processes, erase log files and so on. The problem with calling any Windows backdoor a rootkit is that there is no “root” user on a Windows system, and you don’t root a Windows box. The first rootkit that I created was in the mid 1990s, and there wasn’t even a question about what a rootkit was; you would get laughed at if you associated a rootkit with any Windows backdoor, and most likely you still are being laughed at by the real hacker community.
So, what is Phishing?
Phishing is a fraudulent attempt to steal information via social engineering. It can target personal information such as bank account logins and passwords, security questions, social security numbers and e-mail accounts, but it can also be crafted to gain sensitive corporate information, PII and health insurance information. Phishing is typically conducted via e-mail; the scope of the phish depends on the motivations of whoever runs the campaign. The best way to protect yourself from phishing is to learn how to recognize a phish.
Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as a credit card number, social security number, account number or password. Oftentimes phishing attempts appear to come from sites, services and companies with which you do not even have an account.
In order for Internet criminals to successfully “phish” your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email. Always validate any link you intend to click within an e-mail by ensuring that the domain name matches EXACTLY what it should and that there is no redirection within the URL. Additionally, any banking or health insurance company will certainly use encryption, so you will see HTTPS in the link.
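As an added example, not code from the original post, the following Python script applies the three link checks above to a single URL: the host must match the expected domain exactly, the URL must not carry another URL that redirects the browser, and the scheme must be HTTPS. It also compares the text shown for the link with where the link really goes. The expected domain, the list of redirect parameter names and the sample links are constructed for illustration; none of the hosts are real.

```python
from urllib.parse import parse_qs, urlparse

# Query-string keys commonly used to carry a forwarding target. This is an
# illustrative assumption, not an exhaustive list.
REDIRECT_KEYS = {"url", "redirect", "redirect_uri", "next", "goto", "dest", "return", "r", "u"}


def host_of(url):
    """Return the lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def assess_link(href, expected_domain, display_text=None):
    """Apply the three checks from the text to one link.

    href            the real target of the link (the value in the anchor's href)
    expected_domain the exact host the genuine site uses, e.g. 'www.examplebank.com'
    display_text    what the e-mail shows to the user for that link, if any

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    # Check 1: the domain must match EXACTLY. Hosts that merely contain the
    # brand name ('www.examplebank.com.secure-login.test') do not match.
    if host != expected_domain.lower():
        findings.append(f"host {host!r} is not exactly {expected_domain!r}")

    # Check 2: no redirection inside the URL, i.e. another URL carried in the
    # query string or path that forwards the browser somewhere else.
    for key, values in parse_qs(parsed.query).items():
        looks_like_url = any(v.lower().startswith(("http://", "https://", "//")) for v in values)
        if key.lower() in REDIRECT_KEYS or looks_like_url:
            findings.append(f"query parameter {key!r} carries a redirect target")
    if "http://" in parsed.path.lower() or "https://" in parsed.path.lower():
        findings.append("path embeds another URL (redirect)")

    # Check 3: a bank or insurer uses encryption, so the link must be HTTPS.
    if parsed.scheme.lower() != "https":
        findings.append(f"scheme is {parsed.scheme or 'missing'!r}, not https")

    # Extra check: if the visible text looks like an address, it must point at
    # the same host as the real href; otherwise the text is a decoy.
    if display_text and "." in display_text and " " not in display_text:
        shown = display_text if "://" in display_text else "https://" + display_text
        shown_host = host_of(shown)
        if shown_host and shown_host != host:
            findings.append(f"displayed text points at {shown_host!r} but link goes to {host!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample links; none of these hosts are real.
    samples = [
        ("https://www.examplebank.com/login", None),
        ("http://www.examplebank.com.secure-login.test/login", "www.examplebank.com"),
        ("https://www.examplebank.com/go?url=https://evil.test/x", None),
    ]
    for href, shown in samples:
        print(href, "->", assess_link(href, "www.examplebank.com", shown) or "OK")
```

The second sample is the classic case the text warns about: the host contains the bank's name but is not the bank's domain, and the visible text disagrees with the real target. The third passes the domain and HTTPS checks yet still fails, because a `url=` parameter on the genuine site can bounce the browser elsewhere.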
A few tweaks to “Phishing” – Spear Phishing and Whaling:
Spear phishing is the act of phishing target(s) at a specific organization, company or group. This kind of activity could originate from a competitor or rival business, or from a more sophisticated phishing campaign manager who knows that better conversions will come from those who can relate to the content or subject line of the e-mail or other medium used.
Whaling, just like spear phishing, is targeted; however, with whaling campaigns the hostile actors are attempting to phish the big cats, such as a CEO or a politician (Hillary Clinton would be a great example and a high-converting phish according to open-source reporting).
How US-CERT defines phishing (mostly accurate)
Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.
When you believe that you have identified a phishing attempt, you can use a trusted third-party site, http://www.phishtank.com/, to submit the link, where it will be verified. This is also a great place to search for a link or domain you suspect is conducting phishing attacks, as the site holds a database of known and suspected phishing links.
What is Malvertising?
Malvertising, in a nutshell, is the process of advertising malicious links that lead to malware. The tactics and methods for distributing these links vary greatly. The term originated fairly recently; it arose from crimeware actors utilizing legitimate advertising agencies to create ads that contain malicious links. You might wonder how any advertising agency could ever push ads out to the world with links to malware in them, and on the surface it seems like a simple thing to prevent, but it’s not. Even Google gets hit with malvertising campaigns. Typically they get burned when they approve an advertiser and a link that is legitimate at the time of submission, and then the landing page is switched to a redirection after the campaign has launched. There are countless advertising agencies online these days offering everything from text-based ads to pop-ups and pop-unders. Many of the smaller and less technical agencies are plagued with malvertising campaigns, as their detection methods are usually not top of the line.
One of the latest trends is a type of drive-by download social engineering, somewhat considered malvertising, where the advertised link opens a pop-up or pop-under that alerts you that you’re infected and won’t let you close the alert window without agreeing to download their software, or a window pops under stating that your Java or Flash is out of date and prompts you for a download. Rarely are these campaigns delivering “true” malware; rather, they deliver serious adware that straddles the line between malware and adware, which is often referred to as riskware or as a PUP, a potentially unwanted program. If they are serving actual malicious content they typically get shut down very quickly.
What is SPAM e-mail?
Image courtesy of phishtank.com
Spam email is unsolicited email, whether personal, commercial, political or of some other type, that typically promotes a product or website without your consent to be contacted via email. This is economically viable because email is a very cost-effective medium for the sender. If just a fraction of the recipients of a spam message purchase the advertised product, the spammers are making money and the spam problem is perpetuated.
Spam e-mail has gotten so out of control and prevalent that an act was actually signed into law:
“The CAN-SPAM Act of 2003, signed into law by President George W. Bush on December 16, 2003, establishes the United States’ first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions.”
How does malware fit in with Phishing attacks and Spam e-mail?
Malware delivered via e-mail typically comes in three different ways. The first is a direct malicious attachment that is an executable and, when run, will infect the user’s system if it is not quarantined and removed by anti-virus or Windows Defender. The second way is very similar: it involves an attachment, but the attachment appears to be innocuous, in the form of a Microsoft Word document with an extension such as .docm, which is the format for a document containing a macro. A macro, when executed, can download a malicious file from a hostile site and infect the user. The last typical means of delivering malware via e-mail is by including a malicious link within the e-mail that, once clicked, will download a malicious file.
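As an added example, not code from the original post, the following Python script builds a constructed sample e-mail that carries all three delivery vectors above and triages it with the standard library’s email package: it flags executable attachments (by extension or by the MZ header that marks a Windows executable, so a renamed file is still caught), macro-enabled Office documents such as .docm, and links in the message body. The sender and recipient addresses, file names and extension lists are assumptions made for illustration, not real indicators; the attachments are a few magic bytes, not real programs or documents.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extension lists are illustrative assumptions, not an exhaustive catalogue.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_attachment(part):
    """Label one MIME attachment as 'executable', 'macro-document' or 'other'.

    Looks at the file extension and at the first bytes of the payload, so a
    renamed executable still trips the MZ (PE header) check.
    """
    filename = (part.get_filename() or "").lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    payload = part.get_payload(decode=True) or b""
    if ext in EXECUTABLE_EXT or payload.startswith(b"MZ"):
        return "executable"
    if ext in MACRO_EXT:
        return "macro-document"
    return "other"


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and report the delivery vectors found in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {"executables": [], "macro_documents": [], "links": [], "verdict": "no-vector-found"}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_filename():
            label = classify_attachment(part)
            if label == "executable":
                report["executables"].append(part.get_filename())
            elif label == "macro-document":
                report["macro_documents"].append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            report["links"].extend(URL_RE.findall(part.get_content()))
    # Most dangerous vector present decides the verdict.
    if report["executables"]:
        report["verdict"] = "executable-attachment"
    elif report["macro_documents"]:
        report["verdict"] = "macro-document"
    elif report["links"]:
        report["verdict"] = "link-only"
    return report


def build_sample():
    """Construct a sample message (not a real campaign) exercising all three vectors."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "Important Notice: Your March Statement"
    msg.set_content(
        "Your statement is attached.\n"
        "If it does not open, download it at\n"
        "http://statements.sender.example/view?id=1\n"
    )
    # Fake executable: only the MZ magic bytes, no real program inside.
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    # Fake macro-enabled Word document: only the ZIP magic bytes.
    msg.add_attachment(b"PK\x03\x04 not a real document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage_message(build_sample()).items():
        print(f"{key}: {value}")
```

The double extension on `statement.pdf.exe` is a common disguise, which is why the check reads the last extension only and additionally looks for the MZ header rather than trusting the name. A link in the body on its own is the weakest signal, since legitimate mail carries links too, so it only produces a verdict when nothing stronger is present.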
Typically, e-mails containing and delivering malware are considered malicious spam e-mails, which puts them in a class of their own. Phishing attacks are based on gathering information via social engineering, as discussed; a caveat would be including a malicious file somewhere in the process, perhaps redirecting the target to download a file if they are not successfully phished, or telling them to download a file after they have been phished. These are SEPARATE processes; phishing is phishing. General spam e-mail is not malicious by nature: billions of dollars of revenue are generated yearly via spam e-mails promoting products and services to millions of e-mail accounts, and conversions are made.
Malware campaigns delivering the now infamous ransomware variant known as Locky/Zepto are a type of malicious spam e-mail leveraging social engineering to entice a potential victim into clicking a link or downloading an attachment.
There are many sites dedicated to tracking these malware campaigns that post updates as they become available. One such site is Tech Help List – https://techhelplist.com/index.php/spam-list – which identifies the topic of the malicious e-mail, the sender, the malware, e-mail headers and command and control information if available, as well as any other IOCs. You should also take note that this activity is classified as SPAM and tagged with MALWARE, not phishing.
Examples would look like this on the site:
Having troubles contacting Accounts Dept. of your company – Malware
- Parent Category: Spam List
Important Notice: Your March 2016 Statement – AMEX – Malware
- Parent Category: Spam List
make sure you are referring to it as malicious spam or malware spam e-mail.