Are You in the 14 Percent Club?

Forty years after the first spam email was sent, it is still the favorite tool of crooks and criminals online. A new report from the Finnish security group, F-Secure, reports that spam is the most common method used to distribute malware, malicious URLs, scams, and other bad news. Read on to see if you’re in the ’14 percent club’ and some of the tell-tale indicators of malicious emails…

Spam: Still Number One With Crooks

You’ve got software to protect your computer from viruses, spyware, ransomware, and rogue websites. You’re careful to keep all your software up to date. Your identity theft spider sense tingles with every suspicious phone call. But then that innocent-looking email pops into your inbox. It appears to be from your friend, your bank, or your favorite online store.

You click, and you’ve been had. Spam is still the most effective attack vector for hackers and online criminals, according to new research from F-Secure and MWR Info Security finds.

“Of the spam samples we’ve seen over spring of 2018, 46% are dating scams, 23% are emails with malicious attachments, and 31% contain links to malicious websites,” says Päivi Tynninen, Threat Intelligence Researcher at F-Secure. As usual, cyber-criminals are taking their cue from water — traveling along the path of least resistance.

As software vulnerabilities are closed and anti-malware suites grow more capable, spam becomes relatively more effective compared to hacking and exploitation of software vulnerabilities. Spam still is infinitely scalable, too; it costs nearly nothing to blast out millions of spam emails from a compromised machine, and spam-bot networks of thousands of slave machines are commonplace.

While success still depends on spewing out millions of spam emails to get a handful of “bites,” spammers are constantly refining their techniques and improving their batting averages.

Spam Click Rates are Increasing

“Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” says Adam Sheehan, Behavioral Science Lead at MWR Info Security. His firm, which was acquired by F-secure in June, 2018, develops a site called phishd that helps businesses audit and improve their anti-phishing efforts.

Among the insights that MWR provides are clues to what makes phishing spam successful:

  • The probability of a recipient opening an email increases 12% if the email claims to come from a known individual
  • Having a subject line free from errors improves spam’s success rate by 4.5%
  • A phishing email that explicitly states in its call to action that it is very urgent gets less traction than when the urgency is implied

Most users have finally learned not to click on email attachments sent by strangers, or any attachment that comes unexpectedly. So more phishing emails include URLs instead; people are still conditioned to click on links to see where they go, especially if the link says “click on this link…”

The link often does not lead directly to a malicious site, but to an innocuous site that redirects traffic to a malicious site. That way, the bad guy avoids detection by automated analysis software that previews links and compares them to known malicious URLs.

F-secure includes these and other tips for security-conscious people in its latest podcast entitled, “Ransomware Out, Cryptojacking In?” Other trends the company notes include:

Ransomware is down substantially as an attack vector. The demise of Adobe Flash is echoed in declines of malicious drive-by downloads. And exploit kits, bundles of malicious programs that work together to test and penetrate a company or home network, are also on a decline.

The good news is that with education and software, we have eliminated or limited many malware attack options to spam. The bad news is that spam still works. My best advice: Think twice before you click.

Have a great week from all of us at Zoha Islands