Holiday Shopping Season: Increased Online Shopping and Increased Malicious Email Threats (Dec 4, 2015)


In this SonicAlert we will briefly discuss the seasonal increase in online shopping, and some of the types of malicious email campaigns that are taking advantage of the flurry of online shopping at this time of the year.

The two charts below show the network traffic patterns for Amazon web traffic (www.amazon.com) during the month of November in 2014 and 2015. In the charts you can see a slight increase on the day or two before Thanksgiving Day (Thursday, November 27, 2014, and Thursday, November 26, 2015). You can also see a huge spike on the corresponding Cyber Mondays, December 1, 2014, and November 30, 2015, respectively.

Amazon.com HTTP Traffic Hits for the days of November 2014

Amazon.com HTTP Traffic Hits for the days of November 2015

The increase in shopping at this time of year creates an opportunity for cyber criminals to take advantage of consumers looking for deals, as well as people who have ordered goods online and are expecting packages to be delivered.

Phishing Emails

Phishing emails are emails that use social engineering to deceive users into believing that the email is coming from a legitimate source with whom the recipient has already established a relationship of trust. The email will try to entice the recipient to click on a link in the email which will take the user to a website that appears to be owned and operated by the trusted entity. The goal of the phishing scam is to acquire the real login credentials and other personally identifying information (PII) like credit card numbers, Social Security numbers (SSNs), birth dates, etc., anything that will allow the thief to gain access to the user's online accounts, bank accounts, etc. Campaigns we have seen during past holiday seasons include fraudulent emails appearing to be from sites like Amazon.com, U.S.P.S., FedEx, and other companies involved in holiday commerce. A typical malicious email will come from an address like customer_service@amazon.com–0123-xyz.malicious-site.com, and contain a message about a free gift card, an order confirmation request, or shipment tracking links. These links go to the attacker's domain, malicious-site.com, and not amazon.com.

Dell SonicWALL is providing protection from malicious emails with Email Security and Gateway Anti-Virus (GAV) solutions. Multiple GAV signatures have been created to protect customers. The following are some of the types of email attachments we are seeing, and the GAV signatures that are detecting them:

  Subject                                      | Filename                          | Detection/Prevention
  Added security to your debit card            | Verify.html                       | GAV: Phish.A_31 (Trojan)
  DHL Delivery Parcel dispatch notification    | DHL Line Express tracking.html    | GAV: Phish.A_28 (Trojan)
  Payment Confirmation Swift                   | Download_Payment-Copy.html.html   | GAV: Phish.AL (Trojan)
  Code:[******* **.****] Refund On Pending !   | Refund-Form.html                  | GAV: Phish.A_18 (Trojan)

Trojan Emails

Trojan emails are emails that carry malicious files as attachments. Trojan emails can come from trusted sources, like your friends or acquaintances (people from whom you have received incident-free emails in the past), or from unknown sources. These trojan file attachments appear to be legitimate documents and files, e.g. xls, doc, exe, js, html, but they contain malicious code (macros, exploit code, shellcode, process injection code, or other malware) that can take control of the unpatched program that opens them, or even take over your unpatched operating system (rootkits). The malicious code then goes on to replicate the attack campaign by getting control of your email accounts and spamming out malicious emails to your contacts in your name.

  Subject                                        | Filename                                   | Detection/Prevention
  Track Your Shipment DHL Shipping Document      | DHL Shipment Notification DHL001895.exe    | GAV: Injector.C_42 (Trojan)
  Shipment Tender Notice SID **********          | 1454136866784532.exe                       | GAV: FileLocker.A_52 (Virus)
  Invoices                                       | facture_37854634_181115.exe                | GAV: Kryptik.D_33 (Trojan)
  November Invoice INV-**** from Eye on Books    | Invoice INV-9771.xls                       | GAV: Downloader.AN_6 (Trojan)

How to Stay Safe

An important skill for staying safe online is knowing how to identify fraudulent domain names used in malicious links in emails. Scammers will usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of hostnames. Appearing to come from a legitimate source, the malicious email will contain links to sites that host exploit code, in the hope that the user has an unpatched system and a vulnerable web browser, with the goal of compromising the user's system. Other attack vectors come directly in email attachments: word docs, executables, and other infected files.

Best practices for avoiding email scams

  • Never click on links in emails without thinking about it carefully.
  • Authenticate the sender: Is the sender truly who they say they are? Do I recognize and trust the sender?
  • Educate end users on how to hover over links in emails to identify the real domain name in the email from address, as well as in any links in the email body.
  • If there is any doubt about the authenticity of a domain name, check who owns it. Taking the example above, customer_service@amazon.com–0123-xyz.malicious-site.com: is the domain in the sender's email address, malicious-site.com, owned by Amazon or by someone else? (The easiest way is just to go to amazon.com and take care of any notifications or required actions by first logging in to the site directly, rather than clicking on links in emails.)
  • For users who are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing the address manually in the address bar to ensure that they are going to the legitimate site.
  • Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
  • Never open file attachments from unknown/untrusted sources.
  • Stay up-to-date with software patches for Operating Systems, web browsers and all other software on the computer.
  • Install and keep up-to-date host-based, and network-based Gateway Anti-Virus, and Intrusion Detection systems.
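The domain check described above (a familiar brand name prepended to a hostname whose real second-level domain belongs to someone else) can be automated for mail filtering or user-awareness tooling. The following is an added example, not code from the original alert or from SonicWall; it assumes the registrable domain is the last two labels of the hostname (a real deployment would use the Public Suffix List) and uses a constructed watch list of brands.

```python
import re
from urllib.parse import urlparse

# Constructed watch list of brands commonly impersonated in holiday campaigns.
WATCHED_BRANDS = {"amazon", "usps", "fedex", "dhl"}

# Assumption: the registrable domain is the last two labels. Suffixes such as
# co.uk need the Public Suffix List; this simplification is for illustration.
def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def host_from_email(address):
    # Take the part after the last '@' and drop any angle-bracket framing.
    return address.strip("<> ").rsplit("@", 1)[-1]

def host_from_url(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""

def classify_host(host):
    """Return (verdict, registrable_domain).

    'trusted'   - the registrable domain itself is a watched brand
    'lookalike' - a watched brand appears only in the leading labels,
                  i.e. the disguise described in the alert
    'unknown'   - neither (treat with the usual caution)
    """
    host = host.lower()
    reg = registrable_domain(host)
    if reg.split(".")[0] in WATCHED_BRANDS:
        return "trusted", reg
    # Everything before the registrable domain, split into alphanumeric tokens
    # so that 'amazon.com-0123-xyz.' yields 'amazon', 'com', '0123', 'xyz'.
    leading = host[: -len(reg)] if host.endswith(reg) else host
    tokens = set(re.split(r"[^a-z0-9]+", leading))
    if tokens & WATCHED_BRANDS:
        return "lookalike", reg
    return "unknown", reg

def scan_links(text):
    """Find http(s) links in an email body and classify each hostname."""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    return [(u, classify_host(host_from_url(u))[0]) for u in urls]
```

The sender address from the alert, customer_service@amazon.com–0123-xyz.malicious-site.com, is classified as a lookalike with registrable domain malicious-site.com, while a link to www.amazon.com is classified as trusted.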