All posts

Scoring Email Security Services

How seriously do you take the email threat?

Cyber criminals often use email as a way to start an attack. According to many sources email is by far the most common way that attackers try to gain access to your business and personal systems.

The UK government’s Cyber Security Breaches Survey 2022 reported that email phishing alone accounts for 83% of attacks.

Email cyber threat

But we all know that, don’t we? Because organisations, large and small, receive thousands of general and more targeted email threats every year.

Continue reading “Scoring Email Security Services”
All posts

Email ransom attack without the malware

Do You Do Any of These Embarrassing Things?

Email ransom attack

Email ransom attacks are easy and common. It’s like ransomware, but without the clever coding. Not every hacking attack has to be sophisticated. Sometimes hackers simply demand money, with the threat of making life worse if you don’t pay.

Your Device Was Hacked

The following is an example of a non-targeted, completely opportunistic email ransom attack that threatens to expose embarrassing personal details. A ransom of $1,650 will ensure the details stay private.

Continue reading “Email ransom attack without the malware”
All posts

Email security: A beginner’s guide

How SE Labs tests and scores email security services

Email security services can do a lot to protect users from online threats. This also means a lot can go wrong too. Testing and scoring these services requires a lot of attention to detail and a scoring method that takes into account all of the possible outcomes, including unexpected ones.

Learn:

  • How email security services work
  • How you should use them
  • Why we score services the way we do
Continue reading “Email security: A beginner’s guide”
All posts

How well do email security gateways protect against targeted attacks?

 
Email security gateways protection:  Email security test explores how and when services detect and stop threats

Latest report now online.

This new email protection test shows a wide variation in the abilities of the services that we have assessed.

You might see the figures as being disappointing. Surely Microsoft Office 365 can’t be that bad? An eight per cent accuracy rating seems incredible.

Literally not credible. If it misses most threats then organisations relying on it for email security would be hacked to death (not literally).

Email security gateways protection 

But our results are subtler than just reflecting detection rates and it’s worth understanding exactly what we’re testing here to get the most value from the data. We’re not testing these services with live streams of real emails, in which massive percentages of messages are legitimate or basic spam. Depending on who you talk to, around 50 per cent of all email is spam. We don’t test anti-spam at all, in fact, but just the small percentage of email that comprises targeted attacks.

In other words, these results show what can happen when attackers apply themselves to specific targets. They do not reflect a “day in the life” of an average user’s email inbox.

We have also included some ‘commodity’ email threats, though – the kind of generic phishing and social engineering attacks that affect everyone. All services ought to stop every one of these. Similarly, we included some clean emails to ensure that the services were not too aggressively configured. All services ought to allow all these through to the inbox.

So when you see results that appear to be surprising, remember that we’re testing some very specific types of attacks that happen in real life, but not in vast numbers comparable to spam or more general threats.

Threats at arm’s length

The way that services handle threats are varied and effective to greater or lesser degrees. To best reflect how useful their responses are, we have a rating system that accounts for their different approaches. Essentially, services that keep threats as far as possible from users will win more points than those who let the message appear in or near the inbox. Conversely, those that allow the most legitimate messages through to the inbox rate higher than those which block them without the possibility of recovery from a junk folder or quarantine.

 
If you spot a detail in this report that you don’t understand, or would like to discuss, please contact us via our Twitter or Facebook accounts.
 
 
SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define ‘threat intelligence’ and how we use it to improve our tests please visit our website and follow us on Twitter.
 
 
Our latest reports, for enterprisesmall business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.
All posts

Tough test for email security services

 

Our latest email cloud security test really challenged the services under evaluation.

Latest report now online.

Last summer we launched our first email cloud security test and, while it was very well received by our readers and the security industry as a whole, we felt that there was still work to do on the methodology.

This report shows the results of six months of further development, and a much clearer variation in the capabilities of the services under test.

The most significant change to the way we conducted this test lies in the selection of threats we used to challenge the security services: we increased the number and broadened the sophistication.

Whereas we might have used one fake FBI blackmail email previously, in this test we sent 10, each created using a different level of sophistication. Maybe a service will detect the easier versions but allow more convincing examples through to the inbox?

We wanted to test the breaking point.

We also used a much larger number of targeted attacks. There was one group of public ‘commodity’ attacks, such as anyone on the internet might receive at random, but also three categories of crafted, targeted attacks including phishing, social engineering (e.g. fraud) and targeted malware (e.g. malicious PDFs).

Each individual attack was recreated 10 times in subtly different but important ways.

Attackers have a range of capabilities, from poor to extremely advanced. We used our “zero to Neo” approach to include basic, medium, advanced and very advanced threats to see what would be detected, stopped or allowed through.

The result was an incredibly tough test.

We believe that a security product that misses a threat should face significant penalties, while blocking legitimate activity is even more serious.

If you’re paying for protection threats should be stopped and your computing experience shouldn’t be hindered. As such, services that allowed threats through, and blocked legitimate messages, faced severe reductions to their accuracy ratings and, subsequently, their chances of winning an award.

Intelligence-Led Testing

 
We pay close attention to how criminals attempt to attack victims over email. The video below shows a typically convincing attack that starts with a text message and ends stealing enough information to clean out a bank account.
 
 
SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define ‘threat intelligence’ and how we use it to improve our tests please visit our website and follow us on Twitter.
All posts

Anatomy of a Phishing Attack

We look at phishing attack tactics and impact. Who attacked a couple of internet pressure groups earlier this year? Let’s examine the evidence.

It is interesting to read about the public details of an unusually high-quality spear-phishing attack against a low value target. Particularly if you are engaged in constructing carefully-crafted tests of email security services.

Continue reading “Anatomy of a Phishing Attack”
All posts

Email hosted protection tested

Our first cloud-based email protection report is now available.

Email provides a route right into the heart of our computers, phones and other devices. As such, it is frequently abused to perform a variety of attacks against potential victims of cybercrime.

Latest report now online.

The sophistication of attacks vary but many rely on our almost unbreakable instinct to open, read and interact with messages sent to work and personal email accounts. Businesses rely on email security services to filter out large numbers of such attacks.

Types of attack

The range of attack types in the real world is wide, but in general we consider there to be two main categories: targeted attacks, in which the attacker attempts to target a specific individual; and public attacks, which spread wide and far in an attempt to compromise as many people as possible.

Targeted attackers and general criminals use many of the same techniques. The least technically sophisticated include requests for a money transfer or banking login credentials. More credible attempts include professionally-formatted emails and links to fake websites designed to trick users into entering their valuable details.

Attackers with more resources may use malware to achieve their goals, either in the form of attached files or by linking to websites that exploit visiting computers.

How does email protection compare?

SE Labs monitors email threats in real-time, analysing large  numbers of messages and extracting samples that represent  large groups of those threats. Human testers then manually verify that any malware included works properly. They then re-send these threats to our own accounts through the tested services.

We also generate targeted attacks using the same tools and techniques used by advanced attackers. In gathering threats this way we achieve a realistic and relevant coverage of existing threats in a small set of test samples.

All posts

Infected websites, back from the dead

Forgotten, infected websites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for websites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

Continue reading “Infected websites, back from the dead”
All posts

17 Things Spammers Get Wrong


No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why spammers fail so often.

Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.

To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.

This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.

With that in mind, what follows is a short list of 17 mistakes I routinely see spammers make. All of them immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.

1.    No Subject Header

This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.

2.    No Set Dressing
tesco-6478043

Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.

3.    Generic Companies
generic-1081819

Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.

4.    Multiple Recipients

This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.

5.    Poor Salutation

Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.

6.    No Body Text

Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.

7.    Auto-translated Body Text
paypal2-9354648

Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.

8.    The Third Person

This is a great example of a spammer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?

9.    Finger Trouble
apple2bicloud2b2-6952704

I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.

10.    Unexpected Plurals and Tenses

Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile as being from spammers.



11.    Missing Definite Article

Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.

12.    The Wrong Word

“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.

13.    Misplaced Emphasis
paypal-1531640

Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.

14.    Tautological Terrors
cps-7972121

“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.

15.    Grandiosity
splayer-6973270

Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway.  Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.

What they really meant was: “To mark the release of our new software”.  The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.

16.    Overly-grand Titles

Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash. Spammers would, though.



17.    Obfuscated URLs

If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.

Contact us

Give us a few details about yourself and describe your inquiry. We will get back to you as soon as possible.

Get in touch

Feel free to reach out to us with any questions or inquiries

info@selabs.uk Connect with us Find us