Malicious email campaigns increase seven-fold during 2016
JavaScript malware outnumbers malicious documents as ransomware threats continue to multiply
Malicious email campaigns skyrocketed in the fourth quarter of 2016, with the largest campaign just under seven times the size of the biggest campaign in the previous quarter - reflecting an explosion in email-borne threats as attackers focus on propagating ransomware.
And malicious JavaScript attachments now outnumber malicious document attachments - such as exploit-bearing PDFs - by a factor of between four and six.
Those are just two of the conclusions from the latest quarterly Proofpoint Threat Summary.
Ransomware threats largely involved the Locky family of ransomware, sent using compressed files and malicious JavaScript code, "marking a sharp increase in these tactics compared to earlier campaigns that used document attachments with malicious macros embedded", according to the report.
Proofpoint also warned that, in addition to Locky, use of the Cerber and CryptXXX ransomware variants grew quickly.
However, exploit kit activity fell by 93 per cent from its highs at the beginning of the year, while the number of ransomware variants multiplied 30-fold, claimed Proofpoint.
The threats posed by exploit kits have been relegated to malvertising and online adverts embedded with malicious code intended to exploit web browser vulnerabilities, it added.
Proofpoint also claimed that organisations are starting to get to grips with business email compromise (BEC) campaigns, in which attackers spoof emails from senior members of staff ordering rank-and-file workers, typically in accounts departments, to transfer cash out of the organisation, often circumventing established procedures.
"Organisations are becoming more aggressive in how they address business email compromise (BEC) phishing. But BEC actors are adapting as well, employing more effective techniques such as sending spoofed emails to rank-and-file workers," warned Proofpoint.
The security company also claimed that attackers introduced new techniques in a bid to evade detection.
"Threat actors continued to introduce new efforts to avoid, evade, or otherwise thwart automated sandboxing and other forms of automated dynamic analysis.
"For example, we observed malicious document attachments with embedded VBScript and LNK objects in place of malicious macros.
"Other actors began using encrypted or password-protected document attachments with the password included in the email body, both increasing the sense of legitimacy and decreasing the ability of most sandboxes to detonate the documents.
"We observed this technique in campaigns distributing Cerber ransomware and Ursnif banking Trojan, and even in credential phishing campaigns," warned Proofpoint.
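A mail-gateway triage check for two of the attachment tactics the report describes, scripts delivered inside compressed files and encrypted attachments with the password in the email body, is sketched below as an added Python example; it is not code from Proofpoint or from the original article. The extension list, the password pattern and the function names are assumptions, the sample messages are constructed, and only ZIP archives are inspected (encrypted Office documents would need a separate check).

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".lnk")  # assumed block list
PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)     # assumed body pattern

def triage(raw: bytes) -> list:
    """Return findings for one raw message: scripts in archives, encrypted members."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(SCRIPT_EXT):
                    findings.append(f"script in archive: {name}/{info.filename}")
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted member
                    findings.append(f"encrypted member: {name}/{info.filename}")
                    if PASSWORD_HINT.search(text):
                        findings.append("password offered in message body")
    return findings

def build_sample(member: str, body: str, encrypted: bool = False) -> bytes:
    """Constructed test message with one zip attachment (harmless content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder")
    blob = bytearray(buf.getvalue())
    if encrypted:  # mark the member encrypted in the central directory only
        blob[blob.index(b"PK\x01\x02") + 8] |= 0x1
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content(body)
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("invoice.js", "See attached.")))
    print(triage(build_sample("invoice.doc", "The password is 1234.", encrypted=True)))
```

The encrypted-member check reads only the archive's central directory, so it works without the password; that is the property a gateway needs when a sandbox cannot open the file.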