Nearly every time I write about a small- to mid-sized business that has lost hundreds of thousands of dollars after falling victim to a malicious software attack, readers want to know how the perpetrators broke through the victim organization’s defenses, and which type of malware paved the way. Normally, victim companies don’t know or disclose that information, so to get a better idea, I’ve put together a profile of the top email-based malware attacks for each day over the past month.
This data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham, a school I visited last week to give a guest lecture and to gather reporting for a bigger project I’m chasing. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the percentage of antivirus products that detected the malware as hostile.
As the chart I compiled above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include Amazon.com, the Better Business Bureau, DHL, Facebook, LinkedIn, PayPal, Twitter and Verizon Wireless.
Also noticeable is the lack of antivirus detection on most of these password-stealing and remote-control Trojans. The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.
According to UAB, about two-thirds of the top email-based malware attacks in the past month have used exploit kits, and most frequently that kit was BlackHole. Exploit kits are made to be sewn into the fabric of hacked or malicious sites, so that visiting Web browsers are checked for close to a dozen outdated plugins; any insecure plugins found can be used to silently install malicious software on the vulnerable machine.
It’s not hard to see why so many small- to mid-sized organizations get hit with these attacks. When the malware slips past their antivirus, it is often just a question of whether the organization has someone or something in place that is vigilant about applying security updates for things like Flash, Java, Adobe Reader and a host of other programs that hook into the browser.
This is why I continuously implore small business owners to bank online using only a dedicated system that is carefully maintained and not used for anything other than transacting with the bank’s Web site. For those who don’t have a spare computer handy, a Live CD version of Linux may be the best way to go.