The Register® — Biting the hand that feeds IT


Phishers use less strident subject lines to deliver new cunning attacks

'SECURITY ALERT' wasn't: 'Statement available' is


The use of exploit kits is allowing phishing fraudsters to develop scams that rely only on tricking prospective marks into clicking a link, rather than into submitting all their details to a bogus website.

Many recent phishing runs spotted by Trend Micro have made use of the notorious Blackhole Exploit Kit. The hacker favourite is used to automate the process of mounting drive-by-download style attacks from compromised (often legitimate) websites. Blackhole preys on browser exploits, Adobe software bugs and most recently the latest Java vulnerabilities, a particularly successful strategy since third-party software frequently goes without updates.

By using the exploit kit in phishing emails, cybercrooks move away from the tricky process of coaxing marks into submitting data to bogus websites, traditionally pulled off using a bogus security alert from their bank as a lure, to simply tricking users into opening an email and clicking a link.

The shift means that the subject matter and tone of phishing emails are changing. In addition, the traditional security advice about phishing emails is becoming outdated, Trend warns.

Phishing messages of yesterday typically screamed "security alert", while modern messages are more subtle and feature subject lines such as "Your statement is available online", "Incoming payment received" and "Password reset notification".

"In many cases these messages are identical to the legitimate messages sent by the legitimate organisation," Trend Micro warns. "Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link".
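The situation Trend describes, where the wording matches the genuine notification and only the link differs, can be checked mechanically. The following is an added example, not code from Trend Micro or The Register: it compares a received HTML message against a known-good reference copy and reports any link host outside the sender's own domains. The sample messages, the `bank.example` domain and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkText(HTMLParser):
    """Collect link hosts and visible text from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.hosts, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            host = (urlsplit(href).hostname or "").lower()
            if host:
                self.hosts.append(host)

    def handle_data(self, data):
        self.text.append(data)


def summarise(html):
    """Return (whitespace-normalised visible text, list of link hosts)."""
    parser = _LinkText()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.text).split()), parser.hosts


def under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def compare(reference_html, received_html, brand_domains):
    """Flag a message whose wording matches the reference but whose links do not."""
    ref_text, _ = summarise(reference_html)
    got_text, got_hosts = summarise(received_html)
    foreign = sorted({h for h in got_hosts
                      if not any(under(h, d) for d in brand_domains)})
    return {"same_wording": ref_text == got_text, "foreign_hosts": foreign}


# Constructed samples: identical wording, different link target.
REFERENCE = ('<p>Your statement is available online.</p>'
             '<a href="https://online.bank.example/statements">View statement</a>')
RECEIVED = ('<p>Your statement is available online.</p>\n'
            '<a href="http://bank.example.compromised-site.test/st.php">View statement</a>')
BRAND = {"bank.example"}

if __name__ == "__main__":
    print(compare(REFERENCE, RECEIVED, BRAND))
```

The suffix check in `under` matters: a host that merely begins with the brand's name, as in the constructed sample, is still reported as foreign.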

The use of banking Trojans such as ZeuS and Cridex, spread using exploits and vulnerabilities, has been going on for years. Banking Trojans developed using cybercrime toolkits look for activity such as logins to financial websites. As well as encountering exploit toolkits on compromised legitimate websites, surfers are now being exposed to them via their in-boxes, thanks to a shift in tactics by e-banking fraudsters.

Trend's research, published on Thursday, documents changing tactics for spreading banking Trojans as well as explaining how standard anti-phishing advice is no longer valid, a factor that makes its white paper Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs (PDF) worth reviewing.

Trend looked at more than 200 separate spam runs featuring in excess of 40 organisations during Q2 2012. The spam campaigns claim to be from legitimate companies such as Intuit, LinkedIn, the US Postal Service (USPS), US Airways, Facebook, and PayPal, among others. Compromised sites were used and reused from one attack to another. Exploit methods were the same and the botnet networks used in many cases were also similar. ®


I had some sex spam in my mailbox...

... but the quality of the writing proved they were no cunning-linguists


Re: Now ask me why ...

I'd rather ask you why all of those people were online in 1992, less than two years after Sir Tim created HTML and before most people even had a machine that was capable of those feats of connectivity.

1998-2000 is when most people came online, 70 million (worldwide) at the end of 1997 became 361 million (worldwide) by the end of 2000.

Slight exaggeration, or do you have an unusual cluster of very early adopters gathered around you?

I ask, because they're all probably doing something now that the rest of us won't begin to seriously adopt for another 5-10 years and I'd like to train/invest.


Which is why I stick to plain text email only.

I once nearly got caught by an HTML scam (on a webmail account.) I was expecting a message and a scam one came up, it was only a typo that alerted me.

I removed the webmail account from the service and now only use mail accounts that can be accessed via a plain text client for such purposes.

