Why criminals are using this old technique to take cyberattacks back to the future

Why employ advanced techniques to target victims when spam emails are once again so successful?
Written by Danny Palmer, Senior Writer

Spam emails work, cybercriminals are discovering.


In all walks of life, there are those who believe that the old ways are the best. It appears that despite involvement in a technologically advanced, constantly evolving arena, cyberattackers are increasingly turning back to the same tactics which worked for them at the start of the decade.

The payloads might have changed, but cybercriminals are turning back to tried and trusted methods of delivering them, with email spam at a level which hasn't been seen since 2010 -- and more of these junk messages contain malicious attachments designed to deliver the likes of malware and ransomware than ever before.

The continuing problem of spam email -- which not so long ago was at its lowest level for some time -- is set out in the Cisco 2017 Annual Cybersecurity Report.

While the likes of antispam technology and the high-profile takedowns of certain cybercriminal operations helped to reduce spam levels in recent years, cybercriminals are increasingly harnessing the power of botnets to ramp up the volume of malicious messages.

Total spam volumes jumped to 3,500 emails a second by the end of 2016. Cybersecurity researchers attribute the growth to the Necurs botnet, the network of zombie devices commonly used to deliver Locky, the most successful form of ransomware, and the Dridex banking Trojan.


Figure: Total spam volumes across 2016 (Image: Cisco)

Many of the IP hosts within Necurs have been infected for over two years, but the botnet uses techniques to stay as well hidden as possible. Often, infected hosts are used to send spam for two or three days, then rested for two or three weeks before continuing to send malicious messages.

The botnet has become so successful that by the last quarter of 2016, Necurs traffic accounted for the vast majority of the 75 percent of total spam containing malicious attachments. But while the delivery method has returned to well-established methods, the types of attachments being used are constantly changing in order to keep campaigns fresh and attempt to avoid detection.

While malicious Office Documents and ZIP files remain popular and successful methods for delivering malware, cybercriminals are experimenting with new types of malicious attachments such as .docm, JavaScript, .wsf, and .hta files in spam emails.

The amount of all of these types of files fluctuated throughout the last six months of 2016, suggesting that cybercriminals are altering their tactics, pulling the use of certain types of attachment if they think they're becoming easy to detect.
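As an added illustration (not from the Cisco report or this article), a mail-gateway triage check for the attachment types named above might look like the following. It identifies ZIP archives by content rather than by file name and lists their entries; the size and depth limits, the function names and the sample message are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment types the article names as common in malicious spam.
RISKY_EXTENSIONS = {".docm", ".js", ".wsf", ".hta"}
MAX_NESTED_BYTES = 5_000_000  # assumed cap before unpacking a nested archive
MAX_DEPTH = 2                 # assumed archive nesting limit

def risky_names(filename, payload, depth=0):
    """Return risky names found in one attachment, including ZIP entries."""
    hits = []
    # Case-insensitive; ignore trailing dots/spaces that Windows drops.
    if PurePosixPath(filename.lower().rstrip(". ")).suffix in RISKY_EXTENSIONS:
        hits.append(filename)
    # Sniff the content: an archive renamed to .pdf is still an archive.
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(payload)):
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                inner = b""
                encrypted = info.flag_bits & 0x1
                if (info.filename.lower().endswith(".zip") and not encrypted
                        and info.file_size <= MAX_NESTED_BYTES):
                    inner = zf.read(info)  # only nested archives are unpacked
                found = risky_names(info.filename, inner, depth + 1)
                hits += [f"{filename}!{name}" for name in found]
    except zipfile.BadZipFile:
        pass  # corrupt archive: keep whatever was found before the error
    return hits

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list risky attachment names."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            hits += risky_names(name, part.get_payload(decode=True) or b"")
    return hits

def build_sample():
    """Constructed message: a ZIP renamed to .pdf plus a harmless .HTA stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.WSF", "<job></job>")
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    for data, name in ((buf.getvalue(), "scan.pdf"), (b"placeholder", "notes.HTA")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Because the report describes attachment types rotating over time, a list like `RISKY_EXTENSIONS` needs regular review rather than being treated as fixed.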

Given the rise of smartphones and other internet-connected devices, perhaps it isn't a surprise that cybercriminals are reverting to old tactics. While there has been some improvement in cybersecurity around the use of PCs and laptops, many users are seemingly unaware that their smartphone or tablet could be just as vulnerable to cyberattacks.

That's creating an easy target for hackers, who are hitting smartphones with data-stealing malware, ransomware, and more. According to a survey detailed in the Cisco report, this lack of awareness around how smartphones are targeted makes mobile devices security professionals' biggest source of concern related to cyberattacks; 58 percent of respondents suggested that mobile devices are very or extremely challenging to manage.
