Every day new and more complex digital scams emerge. For criminals, however, traditional methods of attack remain the most effective. Proof of this is that malspam is one of today’s most common threats. A mixture of “malware” and “spam”, the term gives its name to the scam in which criminals send e-mails with infected attachments to install malware on the victim’s computer. The fraud, similar to the famous phishing scam, has been going on for decades – at least since the early 2000s.
What makes malspam so popular with criminals is how easy it is to carry out. You don’t need to be a cybercrime expert to run the scam – on the contrary. With a simple Internet search, you can find ready-to-use malware available for download. During the 7th ESET Cyber Security Forum, which took place on October 25 and 26, digital security researcher Sol Gonzalez explained how the malspam attack works. Techidence was present at the event and tells you, below, everything you need to know about one of today’s most common scams.
What is malspam and how does it work?
Malspam is a scam in which criminals send e-mails with attachments containing malware to compromise the victim’s device. The tactic is similar to phishing in that it also uses social engineering to convince users to act, in this case by downloading the contaminated file. The difference is that in phishing the goal is to get the victim to voluntarily hand over confidential information.
To convince victims to install the infected file, criminals imitate the verbal and visual communication of the banks or companies they want to impersonate. According to Sol Gonzalez, the scam has evolved greatly over the past few decades and is no longer amateurish.
“In the past, emails contained spelling mistakes, or criminals would send messages in Spanish to users from Brazil, for example. Now, the messages are much more detailed; emails come personalized with the colors of the bank or company and even the victim’s name,” said the expert, adding that the high exposure of users on the Internet and social networks leaves a trail that criminals follow to prepare this type of scam.
From love letters to banking trojans
One of the first records of malspam dates back to the 2000s when a worm-like virus called “I Love You” infected more than 55 million computers. The email asked for a simple task: that users open the attached “love letter”. The fake declaration came disguised as a TXT text file but hid a Visual Basic Script (VBS) file. Once installed, the virus changed Windows settings, overwrote files, and sent a copy of itself to contacts on the mailing list, increasing the number of victims.
Since then, e-mail has been used to send malware that, far from just “messing up” a few system files, can cause much greater inconvenience. Data from ESET’s telemetry indicates that malspam is used especially to disseminate banking trojans, which infiltrate the system to perform fraudulent transactions. Spyware, ransomware, and bots can also be sent via malicious e-mails.
One reason for the success of malspam as an attack tactic is its ease of application, and this is due in part to what Sol calls “commoditized” malware. These are infected files that are available for download on the Internet for free or for very low prices.
In a demonstration for the journalists, the digital security expert showed how it is possible, from a simple Google search, to find various malware in online forums. The files do not come customized, but the malicious programs have an easy-to-use interface, which allows customization in a few clicks. Thus, you don’t need to be a cybercrime expert to develop the virus and apply the scam.
How to protect yourself
The tips to protect yourself from malspam scams are as well known as the threat itself but are still neglected by many users. “Traditional attacks continue to be effective because there is no awareness on the part of users,” Sol opines.
To avoid falling victim to this type of fraud, the expert recommends always verifying that the sender’s email address corresponds to the official address of the company or bank in question and never opening suspicious attachments. “In some cases, criminals send compressed files that ask the victim to enter their password, which should be enough to arouse suspicion,” adds Sol.
If in doubt about the authenticity of the message, the best way out is to contact the institution through the official channels.
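The checks described above (sender address against the institution's official domain, a script hidden behind a decoy extension as in the "I Love You" case, and password-protected archives) can be automated on a mail gateway or in triage. The following is an added example, not code from the article or from ESET; the `triage` function, the extension list, the `examplebank.test` domains and the sample message are constructed assumptions.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that run code when opened on Windows (illustrative, not exhaustive).
RISKY_EXT = {"vbs", "js", "jse", "wsf", "hta", "exe", "scr", "bat", "cmd", "lnk"}

def triage(msg, official_domain):
    """Return a list of warning strings for one parsed e-mail message."""
    findings = []
    # Check 1: compare the From address domain with the institution's domain.
    addr = parseaddr(str(msg.get("From", "")))[1]
    domain = addr.rpartition("@")[2].lower()
    official = official_domain.lower()
    if domain != official and not domain.endswith("." + official):
        findings.append(f"sender domain {domain!r} is not {official!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        # Check 2: a script/executable extension, possibly behind a decoy one.
        if len(pieces) >= 2 and pieces[-1] in RISKY_EXT:
            kind = "double extension" if len(pieces) >= 3 else "risky extension"
            findings.append(f"{kind}: {name}")
        # Check 3: ZIP whose entries have the encryption flag (bit 0) set.
        data = part.get_payload(decode=True) or b""
        if data[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if any(i.flag_bits & 0x1 for i in zf.infolist()):
                        findings.append(f"password-protected archive: {name}")
            except zipfile.BadZipFile:
                findings.append(f"malformed archive: {name}")
    return findings

def sample_message():
    """Constructed sample: look-alike sender plus a .TXT.vbs attachment."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <alerts@examplebank-secure.test>"
    msg["Subject"] = "Account notice"
    msg.set_content("Please open the attached letter.")
    msg.add_attachment(b"' constructed placeholder, not a real script\n",
                       maintype="application", subtype="octet-stream",
                       filename="letter.TXT.vbs")
    return msg

if __name__ == "__main__":
    for finding in triage(sample_message(), "examplebank.test"):
        print(finding)
```

The domain comparison is an exact or subdomain match, so a look-alike such as `examplebank-secure.test` is flagged even though it contains the institution's name.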