Proving that most malicious hackers are happy to rely on time-tested tactics rather than develop sophisticated new techniques and tools, Symantec has reported a sharp spike in generic polymorphic malware (malware that changes its form to evade signature-based detection) spread via good old-fashioned socially engineered email messages.
Generic polymorphic malware variants accounted for 72 percent of all email-borne malware in September, compared with 18.5 percent in August and 23.7 percent in July. "This unprecedented high-water mark underlines the nature by which cyber criminals have escalated their assault on businesses in 2011, fully exploiting the weaknesses of more traditional security countermeasures," wrote Paul Wood, senior intelligence analyst at Symantec.
The challenge for cyber criminals is to dupe victims into downloading and opening dangerous attachments. One new approach involves fooling users into thinking they have received an attachment sent by an office printer with scan-to-email capability; this feature lets users send scanned files directly from the printer to a specified email address.
To pull off this dupe, hackers send users malicious emails with Subject lines stating "Scan from" followed by the convincing-looking office-printer information. The message itself contains additional fake details about the so-called scanned file, including a sender's name, the number of pages, the type of file, a device number, and possibly the printer's location in an office.
This is all intended to lull targets into a sense of security such that they'll download the attached file, which turns out to be a zip file with a malicious executable.
"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as zip file attachments. No printer or scanner hardware was involved in the distribution process," wrote Bhaskar Krishnappa, malware analyst at Symantec.
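The lure described above is easy to describe as a mail-gateway rule: a Subject line that imitates a scan notification, combined with a zip attachment that contains an executable. The following is an added example, not Symantec's code or any vendor's product rule; the message samples, sender addresses and printer name in it are constructed for the demonstration.

```python
"""Mail-gateway check for the 'Scan from' printer lure.

Added example (not from the Symantec report). Flags messages whose Subject
imitates a scan-to-email notification and that carry a zip attachment holding
a Windows executable. All sample messages below are constructed test data.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Campaign subjects start with "Scan from" followed by printer details.
SCAN_SUBJECT = re.compile(r"^\s*scan from\b", re.IGNORECASE)
# Extensions that never belong inside a "scanned document".
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def zip_contains_executable(data: bytes) -> bool:
    """Return True if the zip lists at least one executable member (or is not a valid zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(EXEC_EXT) for name in zf.namelist())
    except zipfile.BadZipFile:
        # An attachment labelled .zip that does not parse is suspicious in itself.
        return True


def is_printer_lure(raw: bytes) -> bool:
    """True when the Subject looks like a scan notice and a zip with an executable is attached."""
    msg = email.message_from_bytes(raw)
    if not SCAN_SUBJECT.match(msg.get("Subject", "")):
        return False
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and filename.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            if zip_contains_executable(payload):
                return True
    return False


def make_zip(member_name: str) -> bytes:
    """Build a tiny zip with a single dummy member (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"not a real binary")
    return buf.getvalue()


def build_message(subject: str, attachment_name: str, attachment: bytes) -> bytes:
    """Construct a sample message with one zip attachment (test data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "printer@example.invalid"   # placeholder sender
    msg["To"] = "staff@example.invalid"       # placeholder recipient
    msg["Subject"] = subject
    msg.set_content("Pages: 3\nFile type: pdf\nDevice: MFP-01\nLocation: 3rd floor\n")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the lure, a harmless scan-style mail, and an unrelated mail.
LURE = build_message("Scan from MFP-01 (3rd floor)", "scan_0042.zip", make_zip("scan_0042.exe"))
BENIGN = build_message("Scan from MFP-01 (3rd floor)", "scan_0042.zip", make_zip("scan_0042.pdf"))
UNRELATED = build_message("Lunch on Friday?", "menu.zip", make_zip("menu.exe"))

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN), ("unrelated", UNRELATED)):
        print(label, is_printer_lure(raw))
```

Given Symantec's point that real scanners rarely send zip archives at all, a stricter deployment could quarantine any zip attached to a "Scan from" message and let the executable check decide only what gets escalated to analysts.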
Symantec's September Intelligence Report also covers a vulnerability in the WordPress platform, which spammers are exploiting to compromise Web servers and hide files deep within the WordPress directory structure. The files are basic HTML pages, according to Symantec, that redirect visitors to the Canadian Health & Care Mall spam website. Blogs hosted by WordPress itself are not affected, according to the report; only self-hosted sites running older versions of the software downloaded from WordPress.org.
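An administrator checking a self-hosted install for the planted redirect pages described above can sweep the tree for HTML files whose content is a client-side redirect. The following is an added example, not the report's or WordPress's code; the directory layout, file contents and the spam domain in the fixture are constructed placeholders, and the redirect patterns are general ones, not a signature for this particular campaign.

```python
"""Sweep a WordPress tree for planted HTML redirect pages.

Added example (not from the Symantec report or the WordPress project).
Finds .html/.htm files anywhere under the install whose content bounces the
visitor to another site. The sample tree is built in a temporary directory;
the paths and the spam domain are placeholders.
"""
import re
import tempfile
from pathlib import Path
from typing import List

# Redirect constructs typically used in drop-in spam pages.
REDIRECT_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=', re.IGNORECASE),
    re.compile(r'(window\.|document\.)?location(\.href)?\s*=\s*["\']https?://', re.IGNORECASE),
    re.compile(r'location\.replace\(\s*["\']https?://', re.IGNORECASE),
]


def looks_like_redirect(text: str) -> bool:
    """True if the page contains a meta-refresh or JavaScript redirect to an absolute URL."""
    return any(p.search(text) for p in REDIRECT_PATTERNS)


def find_redirect_pages(root: Path) -> List[str]:
    """Return install-relative paths of HTML files that redirect elsewhere, sorted."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".html", ".htm"):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if looks_like_redirect(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: core-looking files, a theme readme, and two planted redirects."""
    deep = base / "wp-includes" / "js" / "tinymce" / "plugins"
    deep.mkdir(parents=True)
    (base / "wp-content" / "themes" / "demo").mkdir(parents=True)
    (base / "wp-includes" / "load.php").write_text("<?php // legitimate core file\n")
    # Planted page buried deep in the tree (placeholder spam domain).
    (deep / "index.html").write_text(
        '<html><head><meta http-equiv="refresh" content="0;url=http://spam.example/">'
        "</head></html>\n")
    # Legitimate HTML that must not be flagged: no redirect in it.
    (base / "wp-content" / "themes" / "demo" / "readme.html").write_text(
        "<html><body>Theme documentation, no redirect.</body></html>\n")
    # Planted page at the top level using a JavaScript redirect.
    (base / "index.html").write_text(
        '<script>window.location.href="http://spam.example/";</script>\n')


def demo() -> List[str]:
    """Build the fixture in a temp dir, sweep it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_redirect_pages(root)


if __name__ == "__main__":
    for hit in demo():
        print("redirect page:", hit)
```

Matching on redirect content rather than on the mere presence of an HTML file keeps legitimate documentation pages out of the results; hits buried under core directories such as wp-includes deserve attention first, since nothing there should redirect visitors off the site.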
Other findings in Symantec's report include:
- Spam rates dipped to 74.8 percent in September, a 1.1 percent drop since August
- One in 447.9 emails was a phishing attempt, a 0.26 percent drop month over month
- One in 188.7 emails in September contained malware, an increase of 0.04 percent
- The number of malicious websites blocked daily rose 1 percent since last month, up to 3,474
- 44.6 percent of all malicious domains blocked in September were new, up 10 percent since August
- 14.5 percent of all Web-based malware blocked in September was new, down 2.9 percent since last month