Malicious emails hit a high as malware strikes take their toll

Malicious email volumes soared in the third quarter of 2017, increasing 85% from the prior quarter, according to a new security threat report from Proofpoint, which reveals that much of this increase was driven by an explosion of email carrying malicious URLs that link to hosted malware.

According to the global cyber security firm's latest threat report for Q3 2017, the volume of emails with malicious URLs rose 600% from the previous quarter over the three months to the end of September, and more than 2200% from the year-ago quarter.

The company says this represents the highest proportion of malicious URL messages — compared to attachment-based email attacks — that it has seen since 2014.

But, it cautions, attachment campaigns were still very present, with malware hidden in compressed file archive attachments comprising much of the volumes in these campaigns.

Proofpoint also says that across its global customer base, ransomware appeared in almost 64% of all malicious email. While new ransomware strains appeared daily, Locky remained the top payload, both among ransomware and across all malware families.

“Banking Trojans, on the other hand, represented 24% of all malicious email volume, with The Trick accounting for 70% of banking Trojan payloads and displacing Dridex as the top banker in Q3. Dridex — along with Ursnif, Bancos, and Zloader — continued in regionally focused campaigns,” Proofpoint notes in its latest quarterly report.

Proofpoint warns that a new version of Retefe also appeared, using a leaked exploit from the US National Security Agency known as EternalBlue to spread across internal networks, “echoing the use of NSA exploits in destructive ransomware attacks from Q2”.

The report also reveals that email fraud rose 29% versus the previous quarter, and that attack frequency increased as well, with 12% more email fraud attempts per targeted organisation than in Q2.

Kevin Epstein, vice-president, Threat Operations of Proofpoint, said: "Threat actors never stop innovating, whether through new network attack vectors, more sophisticated social engineering, or evolving email campaigns with hosted malware and obfuscated code."

"The ongoing dominance of ransomware in the threat landscape means that it remains lucrative for actors who repeatedly demonstrate their willingness to ‘follow the money’. However, we also continue to see a combination of adaptability — switching payloads and malware families as necessary to maximise returns — and specialisation, as actors focus on particular regions and malware types that best suit their needs and expertise."

According to Proofpoint, exploit kits suffered a well-publicised decline in 2016, and the firm continues to observe traffic levels hovering around 10% of their 2016 peak.

“However, attackers are layering social engineering schemes into their EK campaigns, a trend suggesting they are looking beyond increasingly scarce exploits to monetise EK activity,” cautions Proofpoint.

The firm also finds that threat actors continue to make use of lookalike and typosquatted “suspicious domains” (typosquatting is also known as URL hijacking) to perpetrate fraud and trick unsuspecting users.

It notes that registrations of suspicious domains outnumbered defensive registrations by brand owners 20 to 1 in Q3 and, at the same time, fraudulent support accounts used for so-called “angler phishing” doubled from the year-ago quarter, as actors continue to capitalise on social engineering across the threat landscape.

Proofpoint concludes its report with recommendations for combating the rise in threats from cybercriminals, including:

Combat typosquatting on the Web

Defensive domain registration is a simple and cost-effective tactic to keep attackers from creating lookalike domains for email fraud and credential phishing. Work with your business leaders to define a list of potential look-alike domains to register. Include conference and marketing campaign websites, which are frequent targets.

Deploy email authentication to stop domain spoofing techniques used in email fraud

With protocols such as DMARC (Domain-based Message Authentication, Reporting & Conformance), you can stop fraudsters from using your email domain. For email attacks that use lookalike domains, your solution should be able to find domains that could be mistaken for yours – and work with third-party services to take them down.

Protect your users from email attacks of all types

Whether they’re malware attachments, malicious URLs or socially engineered email fraud, your email defences should cover the widest range of email-based threats. Robust protection includes robust analysis capabilities to preemptively identify and sandbox suspicious URLs and attachments. It should use multistage sandbox analysis to identify malicious attachments and URLs—at the delivery point and later when employees click. And it should identify and block non-malware threats, such as emails that could trick your employees into sending money and sensitive information to impostors.

Partner with a threat intelligence vendor

Smaller, more targeted attacks call for sophisticated threat intelligence. Leverage a solution that brings together analysis data with threat intelligence, combines static and dynamic techniques to detect new attack tools, tactics, and targets—and then learns from them. By correlating analysis results with threat intelligence feeds, these difficult-to-detect emails can be caught before a user has a chance to click.

Protect your brand from impostors on social media

Look for a security solution that alerts you to lookalike social media accounts, especially those offering fraudulent “customer-support” services. The solution should not just detect infringing accounts but work with takedown services to stop them from defrauding your customers and partners.


Peter Dinham
