Phishing -- the practice of tricking an email recipient into clicking on an embedded attachment or URL in order to infect their computer or steal information -- remains a leading threat to organizations. Threat actors also use a variety of social engineering tricks to convince users that their requests for information or money transfers are legitimate.
In the last year, the biggest campaigns have focused on delivering payloads that can be rapidly monetized, from banking Trojans such as Dridex to ransomware like Locky. Losses from these campaigns continue to mount, from at least $30 million to Dridex in the UK alone to as much as $1 billion globally for ransomware in 2016. In the 2016 edition of Proofpoint’s annual report, The Human Factor, data examines how attackers are incorporating and automating social engineering in order to exploit the human factor on a massive scale.
So what are the top five email lures compelling all of these clicks?
1. Please see your invoice attached
“Money out” lures are the most popular with phishing attackers by a wide margin, accounting for almost half of all observed phishing campaigns. The “money out” category of phishing lure uses the expectation that a payment is, or will be due, to trick recipients into opening the email messages and clicking on the attachment or link. The “invoice” lure was the most widely-observed “money out” lure, followed by the “bill” lure, which appeared to be used more often in campaigns targeting recipients in Europe. “Your order” lures are also common in this category.
“Money out” email lures often include a document attachment with embedded malicious code, frequently in the form of a malicious macro that has to be enabled by the user. Running the malicious code downloads and installs malware, often a banking Trojan such as Dridex, or more recently ransomware such as Locky. Locky ransomware has exploded on the scene in 2016: non-existent before its discovery by Proofpoint in February, it accounted for 69% of malware payloads by message volume in the second quarter of 2016.
Invoice email lure distributing Nymaim downloader Trojan
Invoice lure document attachment with malicious macro, distributing Nymaim
German bill (“rechnung”) email lure distributing Poshcoder ransomware
“Your order” email lure distributing Locky ransomware
2. Click here to open your scanned document
Fax and scan notification lures
Continuing for another year as the second-most common category of email lure, electronic fax and scanned document notifications were observed in about 1/10 of phishing campaigns. These lures have an inherent urgency, coupled with a historic association of fax with phone lines and audio, which aren’t naturally associated with malware. Employees working through a busy day rarely think twice before clicking to open the attached or URL-linked “fax”.
Fax notification lure distributing CryptoWall ransomware
3. Your package has shipped – your shipping receipt is attached
Shipping and delivery notification lures
Fake shipping or delivery notifications remain popular with phishing attackers as they capitalize on the widespread use of online shopping. While some of these email lures employ stolen branding from major shipping and delivery vendors in order to create a more realistic and convincing email, others purport to be directly from the vendor, rather than the delivery service. As more businesses leverage major online shopping and auction sites as their primary online store, it is not uncommon for an item purchased on a store to be fulfilled by a different vendor that may be unfamiliar to the buyer. This makes the recipient more likely to open emails from a “vendor” from whom they did not directly purchase vendor product.
Shipping notification email lures often include a document attachment with “delivery details.” When the recipient opens the document and automated exploit runs or they are prompted to click the “Enable Content” button in order to view the document’s contents, in either case this will attempt to install malware on the victim’s computer.
Shipping notification lure distributing Vawtrak banking Trojan
4. I want to place an order for the attached list
Business negotiation lure
Similar in style and technique to invoices and order confirmations, “business transaction” email lures differ in that they purport to relate to potential future business, such as requests for price quotes, import and export arrangements, price lists, contracts, and so on. These email lures typically direct the recipient to open an attachment – such as a document or spreadsheet – in order to view the details of the request, enabling the attackers to keep messages short and simple while creating a reason for the recipient to open the document and enable its embedded malicious code to run.
Business transaction email lure distributing Vawtrak banking Trojan
Business transaction email lure distributing Vawtrak banking Trojan
5. Please verify this transaction
Financial transaction notification lures
A perennial favorite of phishing campaigners, financial transaction email lures continue to take a more business-oriented tone but have shifted from relying on URLs to leveraging document attachments to deliver their malware payloads. Phishing emails in this category typically appear to be from a bank or other financial institution and lure the user with the news of an electronic or online payment intended for the recipient, once they have verified or corrected the account information in the attached document. Instead, opening the document – and running the embedded malicious code – leads the user to infect their own machine with a banking Trojan or ransomware – turning the prospective payee into a paying victim.
Financial transaction email lure distributing Dridex banking Trojan
Top tips to not “bite”
Proofpoint research in The Human Factor report has demonstrated that in every organization at least one user will click on a malicious email. To protect your organization, your users, and your data against the latest attacks we recommend the following:
- Given the sheer volume of attacks coming through email, invest in mail gateway solutions capable of detecting and preventing advanced attacks and those that do not involve malware. This step helps minimize the number of threats coming into the network. Once these threats are the network, malware and malicious traffic may be more difficult to detect and distinguish from legitimate business traffic.
- Never allow emails with attached executable code to be delivered. Likewise, do not allow people to share code over email. Enact simple rules that block .exe or .js attachments to prevent obvious malicious exploits from entering your environment.
- Attackers use a variety of methods to target your organization and colleagues; deploy security solutions that can correlate activity across threat vectors. That capability gives you deeper insight into attacks to help you resolve them, block future attacks, and more easily detect those that do get through.
Subscribe to the Proofpoint Blog