May 6 marked the 15 year anniversary of the infamous ILOVEYOU (Love Letter) email virus. The virus is regarded as the first major virus spread by email.
ILOVEYOU reportedly infected tens of millions of computers worldwide, and cost billions of dollars in damage.
Once a machine was infected with ILOVEYOU, the virus scanned the Windows Address Book and subsequently sent copies of itself to every contact within the list. Using the public’s lack of email security to its advantage, the virus was able to masquerade as a legitimate attachment sent by a known acquaintance.
This simple social engineering tactic allowed the virus to propagate world-wide quickly and efficiently.
In the years since ILOVEYOU, we’ve all learned lots regarding email security and ‘best practices’ to use when downloading attachments. There have been numerous articles, write-ups, warnings, and suggestions advising users to be wary when opening attachments that come via email – even when from a trusted source.
Despite more than a decade and a half of these warnings, email is still a primary vector for the installation of malicious software.
The M3AAWG Email Metrics Report, released Q2 of 2014, indicates that over a three-month tracking period, a whopping 987 billion “abusive” emails were identified as being successfully delivered.
While this pales in comparison to the other 9+ trillion emails blocked by the mail providers, these number demonstrate just how successful of a vector email is for malicious actors to use to compromise their victims.
While the M3AAWG report doesn’t distinguish between emails with malicious attachments and other types of abusive emails such as phishing emails, it’s reasonable to assume that at least a significant percentage of the abusive emails did indeed contain a malicious attachment.
As indicated by the report, the vast majority of these messages are blocked by large email providers such as Microsoft and Google, but despite the best efforts of these companies, many messages still find their way through the filters. Here is an example of a malicious email I received to my personal email account just the other day.
The success of these malware campaigns relies in numbers. With an estimated 205 billion emails sent each day, it seems to be a herculean, if not almost impossible task to prevent each and every malicious email from being delivered.
We would all be quite peeved if that important document from our boss wasn’t delivered to our email box, or if that emergency change in insurance wasn’t received from HR.
The big email providers know this, so they are forced to tread lightly when determining if an attachment is malicious or not. The problem is malicious actors know this too. So for them, it’s just a numbers game.
If one address gets blocked, use another. If one message is blocked, send one more – better yet, send a million more. And there in-lies the issue that we in the security field face when it comes to preventing you from seeing (and in the case of malware – blocking) this sort of garbage all together.
A small portion of over-all attempted deliveries and an even smaller percentage of successful installs is all that’s needed to claim success.
Malware authors utilize a dizzying array of tools, services, and botnets to facilitate delivery of malicious email. Email addresses are spoofed. The subject and body can be dynamically generated using unique information to help provide a sense of legitimacy to the email. Most attachments are randomized both in name and MD5’s to thwart detection.
Geo-location is used to send emails to users of a particular region, city, or zip-code. And the subject matter of emails constantly changes to play into the fears, desires, and dreams of every potential person.
Attachments are not limited to .zips either. Attachments have been seen to arrive in .exe format (although rare with large email providers), .scr, .pdf, .com, .js, or a variety of others. Here we can see how some attachments attempt to appear legitimate. Take notice of the large spaces between filenames and the .exe extension on a few of the attachments.
Remember, it only takes a small portion of sent emails, and an even smaller percentage of those to be clicked, in order for a malware author to claim a particular spam-run successful.
The reality is, these people wouldn’t use email as an attack vector if it didn’t work – but it does.
The only reason it does is because a small percentage of us still click such attachments thinking there may be some legitimacy to the content.
Despite 15 years of warnings, billions of dollars in damages, and countless attacks attributed to email, we have yet to learn the dangers of downloading unsolicited attachments.
So for the sake of humanity (a bit dire, I know) please quit clicking attachments from people you don’t know, or from contacts where the content appears suspicious.
If there is a question if the email is legitimate, contact the sender and inquire.
If you didn’t order anything online, don’t click the Word document advising you of your recent purchase.
If you haven’t done so already, configure Windows to always show file extensions. That way, if you do download and extract a malicious attachment, you can hopefully see if any trickery is being played with spaces between the visible filename and the extension.
And most importantly, educate someone you know who would never read this (or any) security blog as to hopefully help them from succumbing to the ever-changing tactics of malware spam.