You’ve got mail!

Anyone old enough to remember this iconic AOL catchphrase will surely recall the thrill of receiving their first e-mail. The prospect of instantly sending and receiving mail around the world promised to usher in a communications revolution.

And in many senses e-mail was revolutionary.

Unfortunately, it wasn’t long before the thrill turned to frustration. Advertisers quickly began abusing the new technology to flood people’s inboxes with reams of unwanted advertising material, known as spam. Suddenly, sorting through all the spam clogging your inbox in an attempt to identify legitimate e-mail communications became a time-consuming hassle.

Not only did spam overwhelm people’s inboxes. It soon started overwhelming e-mail servers too. Without measures to curtail spam, the whole e-mail system was headed for meltdown.

Subsequent legislative initiatives by governments, such as Australia’s Spam Act (2003), aim to reduce the problem. So do technical measures, such as spam filtering, that are implemented by e-mail hosts. Recent studies suggest efforts to keep a lid on spam volumes are having the desired effect.

Today, the problem with spam is less about volume and more about intent.

We are witnessing a worrying rise in the use of spam by malicious actors to deliver dangerous payloads. Spam is now one of the most common vehicles for launching phishing attacks, a combination known as “MalSpam”.

In this blog, we will examine spam, phishing and the nexus between the two, as well as strategies you can adopt to ensure you don’t become a victim.

What is spam?

Put simply, spam is an unwanted e-mail or message that advertises goods or services. Whilst we typically think of spam as being in e-mail format, it can also come via SMS or instant messaging platforms, such as Messenger or WhatsApp.

According to the Australian Communications and Media Authority (ACMA), in order for a message to be considered spam, the message must be commercial in nature. Therefore, it must contain either offers, advertisements or promotions.

By contrast, a message is not considered spam if it does not contain advertisements, is an appointment or payment reminder, notifies you of a product fault, or is about a service you use. Telemarketing calls are also not considered spam.

Before an advertiser sends any marketing messages, they must obtain the recipient’s permission, include their contact details in the message and provide a way to stop receiving further messages.

Permission can be expressly granted or inferred.

Express permission is most commonly obtained by filling in a form or ticking a box in an online form. Permission can also be inferred through purchasing a product or service from the sender if the recipient has knowingly and directly given their address and it is reasonable to believe they would expect to receive marketing from the business. This is usually when a person has a provable, ongoing relationship with the business, and the marketing is directly related to that relationship.

How common is spam?

Efforts by both regulators and e-mail hosts to reduce spam levels seem to be paying off.

According to Statista, in 2007, spam represented 88.5% of total e-mail traffic globally. By 2019, that figure had dropped to 28.5%.

[Chart: Trends in Spam]
Source: https://www.statista.com/statistics/420400/spam-email-traffic-share-annual/

Whilst this trend appears encouraging, other studies indicate that spam rates are still very high. According to Talos Intelligence, current spam rates represent approximately 85% of total global e-mail volume.

Either way, such massive volumes of spam risk congesting the flow of legitimate internet traffic. Furthermore, criminals’ use of automated software, known as bots, to distribute vast volumes of spam messages provides them with the ideal means to carpet-bomb huge numbers of potential victims with phishing e-mails containing malware.

Spam has moved beyond simply being a nuisance. It is now a tool in the armoury of malicious actors.

What is phishing?

Phishing is an attack method used by criminals to steal confidential information. Attackers usually send phishing messages via e-mail, but also potentially via SMS or instant messaging platforms.

Phishing attacks can target both individuals and organisations.

When targeting individuals, financially motivated attackers are usually after online banking or credit card details. Phishing messages are usually disguised to look like they were sent by a legitimate institution, such as a bank. The messages often contain a link that directs the victim to a fake webpage where they enter login and password details. This paves the way for identity theft and a range of financial crimes.

When attackers target organisations, they may be after a range of valuable, commercially sensitive data. Once again, the messages are disguised to look like they were sent by a legitimate organisation. Often, when targeting organisations, phishing messages will prompt the victim to click a link or open an attachment that installs malicious software, known as malware.

Malware may run in the background, searching for login and password credentials so attackers can gain access to the organisation’s network or application layer. This can result in breaches of confidential corporate, financial, customer, or employee data. It can also result in breaches of valuable research, product development data and patents.

Malware can also pave the way for ransomware attacks, in which an organisation’s systems and data are encrypted until the victim pays a hefty ransom to the attackers.

The consequences of phishing can be serious, ranging from potentially crippling financial losses to the public release of commercially sensitive information and long-lasting reputational damage.

How common is phishing?

Phishing is consistently the most widely reported type of scam in Australia, according to the Australian Competition and Consumer Commission’s ‘ScamWatch’.

Reports of phishing attacks have grown exponentially in Australia in recent years, jumping 75% from 2019 to 2020.

  • 2018: 24,291 reports of phishing in Australia
  • 2019: 25,170 reports of phishing in Australia
  • 2020: 44,078 reports of phishing in Australia

Phishing has emerged as a highly lucrative form of cybercrime and is now the leading cause of data breaches in Australia.

“MalSpam”: The nexus between spam and phishing

A recent trend that should concern everyone is the blending of spam tactics with phishing motives. Known as MalSpam, this vector sees adversaries using the bulk e-mail capabilities, including bots, that are widely used by spammers. However, rather than simply flooding inboxes with advertising material, the messages contain malicious links.

This tactic gives attackers the ability to distribute malware to far larger numbers of computers than ever before. In particular, it appears this tactic is being used in the wild to distribute trojans, a type of malware that installs a secret ‘backdoor’ into a computer or application. Once a trojan has infected a machine, it installs code that enables the attackers to remotely control the compromised computer, paving the way for espionage, data breaches or ransomware attacks.

Recent reports highlight the distribution of a new banking trojan, known as RM3. Whilst those behind this malware have sought to distribute it via a number of channels, it appears that distribution by spam has been the most effective. The threat actors behind this particular malware have been targeting Australian-based financial institutions.

According to the Australian Institute of Criminology, trojans are the type of malware most often found in spam traffic, with attackers often resorting to email content that references current events or special offers. Examples include natural disasters, sporting events, air-ticket giveaways, or cryptocurrency mining promotions as leads or hooks. Australians are among those most often targeted.

How to avoid being a victim of MalSpam?

The seemingly obvious way to stop MalSpam is to click the “Unsubscribe” link that usually appears at the bottom of an e-mail message. However, be warned – attackers are by definition not complying with spam laws. Any “Unsubscribe” link is unlikely to be genuine and may in fact be a link that tricks you into installing malware.

If you are receiving communications that you suspect may be a phishing attempt disguised as spam, delete the message using the “phishing” button in your email client. You should alert your IT team so they can take steps to permanently block the sender.

Comprehensive email security training should be mandatory for everyone in your organisation. Special consideration should be given to raising awareness around the risks of spam. Many people incorrectly assume that spam, whilst annoying, is generally not a security threat. We now know that is not the case.

Everyone should operate on the assumption that spam is simply phishing in disguise and therefore should be treated in the same way as any other phishing emails.

That means all links should be carefully scrutinised before clicking on them, and attachments should only be opened if they are from a known, trusted sender.

Email security awareness training, such as that provided by Phriendly Phishing, helps everyone in your organisation acquire the skills they need to keep your organisation secure. Contact us today for further guidance.