We will count the malicious
campaigns that used email as a vector of propagation in recent years, and how
they evolved.
The communication is a key
element for the interaction of people in all areas in which there are various
ways that allow us to send and receive information. For many years, a widely
used route has been postal mail, which with technological advances has been complemented
by electronic mail.
As part of the celebration of
World Mail Day (October 9), we want to celebrate the use of traditional mail
and e-mail alike. Therefore, without detracting from the advantages they offer
us and highlighting the benefits that each medium offers, in this publication
we seek to make a count of the different malicious campaigns that have used email
as a vector of propagation.
Although the purpose of this
celebration is to raise awareness about the role of postal mail in the daily
lives of people and companies, as well as its contribution to the social and
economic development of countries, in the same way, this principle is
applicable to the Therefore, raising awareness about its contribution to
progress and about the security risks associated with its use is also a
necessary task today.
Continuous Threats That Spread, Among Other Means, Through
E-Mail
It is evident that with the mass
use of e-mail, it became an element helped by cybercriminals, who in an effort
to take advantage of users, began to use it for malicious purposes. From then
on, it was possible to identify countless campaigns that, based on the messages
and attached files, sought to affect potential victims.
Hoax: Fake News via Email
The first threat is related to
the hoax or “hoax”, a false news spread mainly through email (now also in
messages on social networks), with misleading content that is distributed on
chain because it uses shocking or sensationalist themes, that appear to come
from a reliable source or because the same message requests to be forwarded.
For example, the first cases of
hoaxes used to distribute announcements about excessive cyber threats, news
about the closure of some web service or the request for help for patients.
From its distribution, one of the purposes of this type of deception is usually
the collection of addresses to send spam, generate uncertainty among the
recipients or simply create fun among its creators.
First scams carried out through the mail
After knowing the scope of the
email, the first scams around this useful tool appeared. Many of them were
totally aimed at creating emotions among users, alluding, for example, to
alleged fortunes, lotteries or inheritances to which they could be creditors.
The scam was presented after
convincing the potential victims, and once they fell into the deception they
had to pay an amount of money in advance, as a condition to access the
non-existent fortune. At times, the amounts required were high, but to a lesser
extent when compared to the supposed benefit that the victims would receive.
At this point, perhaps the most
representative example corresponds to the Nigerian scam, although it is not
limited to it, since in other cases the scams were translated and propagated
for Spanish-speaking users.
Spam: bulk, anonymous and spam messages
From the collection of email
accounts, the sending of spam or junk mail began to be used, carried out in
bulk by an unknown sender. The spam is generally used for sending advertising,
although it is also used to spread malicious code campaigns phishing or scams.
The massiveness, anonymity and
undesirability of an email is what determines spam, although it would be enough
to meet at least two of these characteristics to consider it as such, just as
happened with the recent fine imposed on LinkedIn for sending emails on behalf
of its users. On the other hand, despite the development of antispam
technologies, we continue to see various campaigns due to the profits they can
generate for their creators and because of the methods used to evade security
filters.
Phishing, fishing for users through messages
Along with spam, phishing is
another threat that continually spreads through email. It is closely related to
the use of Social Engineering, that is, the dissuasion of people to achieve a
purpose that they had not contemplated to carry out. With this, this deception
technique seeks to fraudulently acquire personal and / or confidential
information of the victim, such as passwords for Internet services or credit
and debit card details.
To carry out the deception, the
scammer impersonates a recognized person or company (generally banking
institutions), and through the use of an apparent official statement, seeks to
dissuade users from providing their information. This technique remains in
force and campaigns are continuously recorded, such as the recent case that
sought to affect Santander bank users. It is important to mention that phishing
uses, in addition to emails, other means such as instant messaging systems or
even telephone calls.
Malicious code spread
Last but not least, email is
still used as one of the main methods of spreading computer threats such as
malware. Campaigns completely aimed at spreading malicious code through message
attachments are continuously observed.
This type of program has evolved
to avoid including an executable file as an attachment, and instead it uses
variants of malicious programs, such as the so-called macro malware, which
works from a TrojanDownloader in an office file that once executed, download
more harmful programs from the Internet. In the same way, other types of
malware spread through the mail, for example, recent ransomware campaigns that
operate on the same principle.
Some Details To Take Into Account And Warn Of These Fraudulent
Emails Are:
·
Be wary of emails from
unknown senders. It is possible to spoof any address, but not all scammers are
that smart; they are likely to use a random email address to disclose them.
·
Be extremely careful with
emails that have attachments or links. Here it is essential to have an
installed and up-to-date antivirus
software, which will help prevent the download of malicious code and
phishing sites. For a cybercriminal, nothing is sacred: wedding invitations,
unpaid bills and tax returns are frequent hooks.
·
In case of receiving mail
from a known contact, it is a good practice to use other means of
communication, such as asking him by instant message or via SMS if he really
sent that mail.
·
Analyze the situation,
that is, what the email raises and use common sense. As seen in the Messenger
example, do not enter usernames and passwords anywhere. Verify that the mail
service is legitimate and that it has the secure HTTPS protocol.
·
Another aspect to take
care of in emails are PDF files, since sometimes they take advantage of flaws
in the PDF reader, giving the attacker control of the computer. At this point
it is also crucial to keep the applications used up to date, so that security
patches can resolve some vulnerabilities exploited by attackers.
·
Do not spam and be careful
when filling out online and paper forms, especially when there are boxes like
"I want to receive additional information". Databases can change
ownership or leak, and your email could fall into the wrong hands.
·
Do not store sensitive
data in the "Sent" folder. Many users send their bank account or
credit card details to a family member or friend on a particular occasion and
then forget that information is there, so it is best to delete it. In truth,
the ideal would be not to use email to send that type of data better pick up
the phone.
·
Avoid the obvious security
questions. It is probably very easy for a cybercriminal to find out where your
elementary school is or what your mother's name is, especially if you share
information from your daily life on your social networks.
·
As we have seen, messaging
has evolved by leaps and bounds, shortening distances and times. But it is also
used for malicious purposes, for which the user's caution and attention, in
conjunction with an installed and updated security solution, can help to fully
enjoy this technology, without worries.
Comments
Post a Comment