Email threats: A thing of the past?

Fred Touchette, AppRiver, Special to ZDNet | August 2, 2011 11:00 AM PDT

Summary

In the cyber underbelly, email has turned from mischievous to outright malicious: campaigns that once relied on trickery to get recipients to spend money now simply take it.

Commentary - There is no doubt cybercriminals continue to use personal and rented botnets to pump the Internet full of unwanted advertisements for fake or knock-off products, but spam's effectiveness as a money-making device is dwindling. Now, in the cyber underbelly, email has turned from mischievous to outright malicious: campaigns that once relied on trickery to get recipients to spend money now simply take it.

Delivery methods
Today’s cyber criminals employ many email methods to steal money. And since so many people maintain and rely on email accounts, what better place for cyber criminals to target?

Email-borne attacks come in the form of phishing, spear-phishing, Trojans, malicious attachments, and hidden scripts. Attack techniques are ever-evolving and adapt with technology in an effort to stay ahead of security professionals. This constant game of “cat and mouse” has driven malware authors to become very good at what they do, and has resulted in some very sophisticated code.

In the beginning, cyber criminals wishing to lure victims to a malicious site would first set up the site manually and then attract enough people to it before it was shut down. As an alternative, cybercriminals sent out Trojan horse viruses pretending to be something of interest to the receiving party. It was often the attacker's own job to write the malicious code, send out the emails, and maintain the compromised sites. While the Trojan approach still lives on, one person no longer needs to hold the prerequisite skill set and personal resources, thanks to underground outsourcing. Today, just about anyone with the desire and wherewithal can assemble an entire cybercrime team and be ready to go within days.

Threat variants
We have seen millions of variants of email-borne malware, including "Melissa" from 1999. Melissa was named after the author's love affair with, you guessed it, a woman named Melissa. Purporting to be a Microsoft Word document, Melissa was actually a worm that spread so quickly it caused a massive shutdown, the largest the world had ever seen up until that point.

In 2000, another threat variant appeared on the scene called Love Bug. Love Bug piggybacked on the popularity of Melissa by convincing its recipients to open a malicious attachment masquerading as a love letter intended for the recipient. Then in 2001, Code Red caused massive online destruction with damages estimated in the billions of dollars in disinfection costs. And, we cannot forget BugBear. BugBear was an email-borne virus leveraging Microsoft Outlook in such a way that the authors stole credit card numbers and passwords before Microsoft was even aware of the happenings and could create a patch for it.

Fast forward a few more years and a massive surge of email-delivered viruses ran rampant with help from Blaster Worm, Sasser, Slammer, and even more destructive and hardy strains such as the Storm Worm, which had a team of people maintaining its code and its subsequent botnet. Storm Worm's code was so strong that it was one of the most prevalent threats from 2007 to 2010. Soon thereafter, Storm Worm was replaced by even more aggressive threats such as Waledac, Pushdo, and BredoLab. Some even think that those who wrote the Storm Worm had a hand in the creation of Waledac.

Introducing the malware kit
A decade ago, personal gratification may have been realized when spammers successfully executed a mass email attack. But today’s objective is much more sinister and involves money, your money.

One very popular and dangerous piece of email-borne malware is the ZeuS Trojan. ZeuS has been around for several years now, and even though the original author has since turned over his source code to the author of another malware toolkit called SpyEye, many iterations live on. Why? "Kits" are easy to use and easy to find on underground forums.

Malware authors began making malware kits in order to make a few extra dollars, selling them to individuals who had the desire to commit cybercrime but lacked the ability to do so. Most kits are affordable, initially hitting the black market at a few thousand dollars each and then dipping down to a couple hundred dollars. Others, such as ZeuS and SpyEye, come with added benefits: a support feature grants the purchaser access to the kit author, so that any questions related to the kit and its proper function are answered in a timely manner. What's more, some authors offer upgraded versions so that the payloads attached to email campaigns can remain undetected by even the most current anti-virus solution.

Kits are often made with novice users in mind. One simply needs to input data (such as a victim's email address), compose a generic email body, and give the kit a destination to report back to. After that, the user clicks "Go" and the kit does the rest, exploiting vulnerabilities in other websites to host both the malicious code and the stolen personal information.

A typical ZeuS/SpyEye attack begins once a potential victim receives a disguised email, such as a fake invoice or an "official" bank notice announcing account security issues. The email will either carry an attachment (to view the fake invoice, for example) or include a link to "fix" the bank account issues. Once opened, the malicious link and/or attachment immediately goes to work by opening a backdoor on the victim's machine. It will look for any anti-virus solution currently running on the machine and disable it without appearing disabled. More aggressive versions will hunt for rival malware running on the machine and attempt to disable it so that they do not have to fight over PC resources. When SpyEye first hit the scene (and before ZeuS' author gave his source code to the author of SpyEye), SpyEye came with a simple checkbox labeled "Kill ZeuS" that would specifically target and effectively disable and uninstall ZeuS on any machine it took over.

Once these steps are completed, the backdoor is opened by what is known as a Trojan downloader. Then, malware begins to download from command and control servers. Typically, ZeuS and SpyEye will install key logging programs that lie in wait for victims to enter sensitive sites, such as bank accounts, and then log every keystroke made. Confidential information like usernames and passwords is then pushed out to a predetermined depository, often on another compromised server. This isn't always the case, though: with this permanent "backdoor," the controller of the malware has the ability to push down any other malicious software they desire.

At this point, the information is bundled and resold on black-market forums. People who buy "fulls", or collections of tens of thousands of individual names, birthdates, account numbers, credit card numbers, social security numbers, log-ons and passwords, will often use the information either to make purchases online and fence the equipment, or to launder money from the accounts via money mules. Mules do not always know about these transactions, however, since many believe they are satisfying "Work from Home" advertisements. Unfortunately for them, ignorance of the law will not help lessen their role in the crime.
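The lure described above (a fake bank notice with a disguised link, or a fake invoice carrying an executable attachment) leaves traces a mail gateway can check before anything is opened. The following is an added defensive example, not code from the article or from AppRiver; the message it inspects is constructed and the domain names in it are placeholders.

```python
import email
import re
from email import policy
from pathlib import PurePosixPath
from urllib.parse import urlparse
# Constructed sample (not from a real campaign): a fake bank notice with a disguised link and a decoy-named executable
SAMPLE_EML = """\
From: "First National Bank" <security@firstnational-example.com>
Subject: Urgent: your account has been suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please verify your account within 24 hours:
<a href="http://fix-account.example-attacker.net/login">https://www.firstnational-example.com/secure</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

--b1--
"""
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".cpl", ".pif"}
URGENCY = re.compile(r"(suspended|verify your account|within \d+ hours)", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAGS = re.compile(r"<[^>]+>")
def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()

def lure_indicators(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Anchor text that looks like a URL but whose href goes to a different host
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR.findall(html):
        shown = TAGS.sub("", text).strip()
        if shown.lower().startswith(("http://", "https://")) and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but href goes to {host_of(href)}")
    # 2. Attachments whose final extension is executable; a decoy extension before it (e.g. .pdf) is flagged too
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = PurePosixPath(name.lower()).suffixes
        if suffixes and suffixes[-1] in RISKY_EXT:
            kind = "double-extension" if len(suffixes) > 1 else "executable"
            findings.append(f"{kind} attachment {name}")
    # 3. Pressure wording typical of the fake "account security issue" notice
    if URGENCY.search((msg["subject"] or "") + " " + TAGS.sub(" ", html)):
        findings.append("urgency/account-threat wording in subject or body")
    return findings
```

Run `lure_indicators(SAMPLE_EML)` to see all three indicators fire on the sample; a plain text message with no links or attachments yields an empty list.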

Vigilance is Key
It may be true that spam is on the decline, but email has not become less dangerous because of it. Due to demand and enhanced security, cyber criminals are getting more creative with electronic messaging and unleashing much greater threats. That’s why education and awareness of cyber dangers are needed. After all, the complacent individual is usually the next victim.

Biography
Fred Touchette is the Senior Security Analyst with email security company AppRiver.

Comments
RE: Email threats: A thing of the past?
phil.hawkins@... 3rd Aug
What's up with the double question marks?
Banner at the bottom covers text
kidtree Updated - 3rd Aug
CNET has placed a narrow advertising banner across the bottom of the text area that remains in place while text is scrolled. That means one line of text is lost when I click the scroll bar or touch my Page Down key, and I have to go back up a line to catch that last line.
Of course, I should be complaining about this using the Feedback link, but that gives me an FAQ page of hints about how to read text on a computer. So I'm bitching here about something that's wrong on all the ZDNet pages for the last few months.
How can ZDNet/CNET have so many intelligent people and bring us so much intelligent content over such a vastly powerful medium, and still manage to f**k up such a simple thing as being able to scroll without missing content?
I miss magazines.
RE: Banner at the bottom.
fatman65535 3rd Aug
@kidtree

If you are one of those who use Firefox, install two addons, the first is AdBlocker Plus; and the second is AdBlocker Plus Element Hider.

Once they have been installed, click on the red ADB stop sign, and then click on "select an element to hide". Click on the bar, and adjust the search wider to find something labeled "zdnet brand", and hide it. If you look at the location code for it, it is forced to the bottom of the current window.
The commonality being M$ and html in email.

Don't allow html in email and most of the mechanism for abuse vanishes.

And I agree about the banner at the bottom of the page, when I first saw it I thought my browser was malfunctioning.
Why is it that I had to change my password on AOL 3 times and now a friend is having the same problem with Yahoo if this is a thing of the past? Someone is sending out emails from both of us that we did not send, but it appears that changing your password doesn't work. I had to change my email address and it still continues on? What can be done to stop all of this??