Researchers at Symantec say they have noticed an uptick of attackers relying on malicious links as opposed to attachments in order to infect users.
According to Symantec, since late November there has been a spike in the number of malicious emails using this tactic. In October only seven percent of malicious spam emails contained links. In November, that number jumped to 41 percent.
“While many malicious emails come with an attachment, organizations can block and filter these types of messages,” Symantec researchers noted in a blog post. “Symantec believes that the Cutwail botnet (Trojan.Pandex) is behind some of the recent spam messages, along with other botnets, and that attackers have resorted to using links in a bid to avoid email security products that scan for malicious attachments.”
During the last few weeks, spammers have been blasting out social engineering-themed messages such as emails about fax and voicemail notifications. These emails may contain information typically included in legitimate fax and voicemail messages such as a caller ID or confirmation number, but the information itself is fake.
“The common thread in each email is that they contain links,” according to Symantec. “These links use hijacked domains and have a URL path that leads to a PHP landing page. If the user clicks on the links, they are led to a malicious file. In particular, we have seen Downloader.Ponik and Downloader.Upatre being used in these emails. These are well-known Trojans that are used for downloading additional malware onto compromised computers, including information stealers like Trojan.Zbot (also known as Zeus).”
Researchers have seen a number of subject lines used, including: MyFax message from *unknown* – 3 pages; Fax Message and Fax Message #[RANDOM NUMBER].
“Earlier in November we witnessed a similar campaign based around fake telecoms bills written in German,” according to the researchers. “These emails reported that the receiver had recently run up a large mobile phone bill. The goal was to get the receiver to click on the link to find out more about what appeared to be a billing mistake.”
“This recent shift away from malicious attachments towards malicious links is a reminder that security is a game of cat and mouse,” the researchers noted. “Spammers try to gain the upper hand while mail security products implement detections against these shifts.”