Cyber criminals often use email as a way to start an attack. According to many sources, email is by far the most common way that attackers try to gain access to your business and personal systems.
Email ransom attacks are easy and common. It’s like ransomware, but without the clever coding. Not every hacking attack has to be sophisticated. Sometimes hackers simply demand money, with the threat of making life worse if you don’t pay.
Your Device Was Hacked
The following is an example of a non-targeted, completely opportunistic email ransom attack that threatens to expose embarrassing personal details. A ransom of $1,650 will ensure the details stay private.
How SE Labs tests and scores email security services
Email security services can do a lot to protect users from online threats. This also means a lot can go wrong too. Testing and scoring these services requires a lot of attention to detail and a scoring method that takes into account all of the possible outcomes, including unexpected ones.
This new email protection test shows a wide variation in the abilities of the services that we have assessed.
You might see the figures as being disappointing. Surely Microsoft Office 365 can’t be that bad? An eight per cent accuracy rating seems incredible.
Literally not credible. If it misses most threats then organisations relying on it for email security would be hacked to death (not literally).
Email security gateways protection
But our results are subtler than just reflecting detection rates and it’s worth understanding exactly what we’re testing here to get the most value from the data. We’re not testing these services with live streams of real emails, in which massive percentages of messages are legitimate or basic spam. Depending on who you talk to, around 50 per cent of all email is spam. We don’t test anti-spam at all, in fact, but just the small percentage of email that comprises targeted attacks.
In other words, these results show what can happen when attackers apply themselves to specific targets. They do not reflect a “day in the life” of an average user’s email inbox.
We have also included some ‘commodity’ email threats, though – the kind of generic phishing and social engineering attacks that affect everyone. All services ought to stop every one of these. Similarly, we included some clean emails to ensure that the services were not too aggressively configured. All services ought to allow all these through to the inbox.
So when you see results that appear to be surprising, remember that we’re testing some very specific types of attacks that happen in real life, but not in vast numbers comparable to spam or more general threats.
Threats at arm’s length
The ways in which services handle threats vary, and are effective to greater or lesser degrees. To best reflect how useful their responses are, we have a rating system that accounts for their different approaches. Essentially, services that keep threats as far as possible from users will win more points than those that let the message appear in or near the inbox. Conversely, those that allow the most legitimate messages through to the inbox rate higher than those which block them without the possibility of recovery from a junk folder or quarantine.
If you spot a detail in this report that you don’t understand, or would like to discuss, please contact us via our Twitter or Facebook accounts.
SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define ‘threat intelligence’ and how we use it to improve our tests please visit our website and follow us on Twitter.
Our latest reports, for enterprise, small business and home users, are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.
Last summer we launched our first email cloud security test and, while it was very well received by our readers and the security industry as a whole, we felt that there was still work to do on the methodology.
This report shows the results of six months of further development, and a much clearer variation in the capabilities of the services under test.
The most significant change to the way we conducted this test lies in the selection of threats we used to challenge the security services: we increased the number and broadened the sophistication.
Whereas we might have used one fake FBI blackmail email previously, in this test we sent 10, each created using a different level of sophistication. Maybe a service will detect the easier versions but allow more convincing examples through to the inbox?
We wanted to test the breaking point.
We also used a much larger number of targeted attacks. There was one group of public ‘commodity’ attacks, such as anyone on the internet might receive at random, but also three categories of crafted, targeted attacks including phishing, social engineering (e.g. fraud) and targeted malware (e.g. malicious PDFs).
Each individual attack was recreated 10 times in subtly different but important ways.
Attackers have a range of capabilities, from poor to extremely advanced. We used our “zero to Neo” approach to include basic, medium, advanced and very advanced threats to see what would be detected, stopped or allowed through.
The result was an incredibly tough test.
We believe that a security product that misses a threat should face significant penalties, while blocking legitimate activity is even more serious.
If you’re paying for protection, threats should be stopped and your computing experience shouldn’t be hindered. As such, services that allowed threats through, and blocked legitimate messages, faced severe reductions to their accuracy ratings and, subsequently, their chances of winning an award.
Intelligence-Led Testing
We pay close attention to how criminals attempt to attack victims over email. The video below shows a typically convincing attack that starts with a text message and ends by stealing enough information to clean out a bank account.
We look at phishing attack tactics and impact. Who attacked a couple of internet pressure groups earlier this year? Let’s examine the evidence.
It is interesting to read about the public details of an unusually high-quality spear-phishing attack against a low value target. Particularly if you are engaged in constructing carefully-crafted tests of email security services.
Our first cloud-based email protection report is now available.
Email provides a route right into the heart of our computers, phones and other devices. As such, it is frequently abused to perform a variety of attacks against potential victims of cybercrime.
The sophistication of attacks varies, but many rely on our almost unbreakable instinct to open, read and interact with messages sent to work and personal email accounts. Businesses rely on email security services to filter out large numbers of such attacks.
Types of attack
The range of attack types in the real world is wide, but in general we consider there to be two main categories: targeted attacks, in which the attacker attempts to target a specific individual; and public attacks, which spread wide and far in an attempt to compromise as many people as possible.
Targeted attackers and general criminals use many of the same techniques. The least technically sophisticated include requests for a money transfer or banking login credentials. More credible attempts include professionally-formatted emails and links to fake websites designed to trick users into entering their valuable details.
Attackers with more resources may use malware to achieve their goals, either in the form of attached files or by linking to websites that exploit visiting computers.
How does email protection compare?
SE Labs monitors email threats in real time, analysing large numbers of messages and extracting samples that represent large groups of those threats. Human testers then manually verify that any malware included works properly. They then re-send these threats to our own accounts through the tested services.
We also generate targeted attacks using the same tools and techniques used by advanced attackers. In gathering threats this way we achieve a realistic and relevant coverage of existing threats in a small set of test samples.
Forgotten, infected websites can haunt users with malware.
Last night, I received a malicious email. The problem is, it was sent to an account I use to register for websites and nothing else.
Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.
No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why spammers fail so often.
Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well thought-out campaign, it shines like a jewel in a sea of criminal mediocrity.
To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.
This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.
With that in mind, what follows is a short list of 17 mistakes I routinely see spammers make. All of them immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then both the scale of the problem and its lack of sophistication should become apparent.
1. No Subject Header
This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.
2. No Set Dressing
Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.
3. Generic Companies
Generic companies are rare, but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, unnamed companies like this, with an accompanying attachment, are clear indicators of spam.
4. Multiple Recipients
This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.
5. Poor Salutation
Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.
6. No Body Text
Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.
7. Auto-translated Body Text
Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.
8. The Third Person
This is a great example of a spammer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?
9. Finger Trouble
I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.
10. Unexpected Plurals and Tenses
Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile as being from spammers.
11. Missing Definite Article
Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.
12. The Wrong Word
“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.
13. Misplaced Emphasis
Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.
14. Tautological Terrors
“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.
15. Grandiosity
Using grand words where normal ones should appear, to make a message sound more authoritative, is a dead giveaway. Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.
What they really meant was: “To mark the release of our new software”. The whole message was also so riddled with outrageous auto-translate errors that it made difficult reading.
16. Overly-grand Titles
Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash. Spammers would, though.
17. Obfuscated URLs
If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.
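Several of the indicators above are mechanical enough to check automatically. The following is an added example (not SE Labs code, and not the honeypot tooling described in the article) that scores a parsed message against a subset of them: no subject (1), multiple recipients (4), a salutation built from the address local part (5), empty body (6), unexpected plurals (10), mid-sentence capitalisation (13) and a brand name paired with a URL shortener (17). The word lists, the message dictionary format and the two sample messages are all constructed for the illustration.

```python
import re
from email.utils import getaddresses

# Assumed word lists for the illustration; a real filter would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}
BRANDS = {"paypal", "hsbc", "barclays", "lloyds"}
WRONG_PLURALS = {"informations", "advices", "feedbacks"}

def score_email(msg: dict) -> list[str]:
    """Return the indicators (numbered as in the article) that a message triggers.
    msg is a dict with 'subject', 'to' and 'body' strings."""
    hits = []
    subject, body = msg.get("subject", "").strip(), msg.get("body", "").strip()
    recipients = [addr for _, addr in getaddresses([msg.get("to", "")]) if addr]
    if not subject:
        hits.append("1 no subject")
    if len(recipients) > 1:
        hits.append("4 multiple recipients")
    # 5: "Dear fred.smith" - the salutation is just the local part of the address
    m = re.search(r"\bDear\s+([\w.\-]+)", body)
    if m and recipients and m.group(1).lower() == recipients[0].split("@")[0].lower():
        hits.append("5 poor salutation")
    if not body:
        hits.append("6 no body text")
    words = set(re.findall(r"[a-z]+", body.lower()))
    if words & WRONG_PLURALS:
        hits.append("10 unexpected plural")
    # 13: crude count of capitalised words that do not start a sentence
    mid = [w for s in re.split(r"[.!?]\s+", body)
           for w in s.split()[1:] if re.fullmatch(r"[A-Z][a-z]+[,;:]?", w) and w != "I"]
    if len(mid) >= 3:
        hits.append("13 misplaced emphasis")
    # 17: a brand is named in the text but the link goes through a shortener
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s]+)", body)}
    if hosts & SHORTENERS and words & BRANDS:
        hits.append("17 obfuscated url")
    return hits

# Constructed sample messages: one legitimate, one modelled on the commodity spam above.
SAMPLES = {
    "legit": {"subject": "Your March statement is ready", "to": "fred.smith@example.com",
              "body": "Hello Fred, your statement for March is now available in online "
                      "banking. Regards, the statements team."},
    "commodity": {"subject": "", "to": "fred.smith@example.com, jane.doe@example.com",
                  "body": "Dear fred.smith, we detect a problem with Your PayPal informations. "
                          "You must update Your details to prevent Your Account from being "
                          "Suspended: http://bit.ly/3xAmPlE"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_email(msg))
```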