Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services
In the past, MessageLabs Intelligence did some analysis on the words used by the major spam botnets which showed a marked difference in the type of spam each one sent. Recently we decided to have a look at the different types of emails we see going through our systems. We looked at general spam, phishing, malware, and targeted attacks, and like before, each has a distinct pattern of its own.
Spam is fairly unsurprising in its content; mostly it consists of words having to do with selling something such as product names or words like “discount”, “price”, or “sale!” The main aim of general spam is to get the recipient to buy something as quickly as possible. It tends to be designed to try and convince the recipient of a “must have” offer that can’t be found anywhere else.
Malware is different from general spam as the aim is not to take money, at least not directly, instead the aim is to get a piece of code installed on the victim’s machine which can then allow the person behind it to do almost anything they like with it. It could be recruited into a botnet for spamming, or could be used to monitor the user’s traffic and steal information.
The words used show a tendency towards informational emails, explaining that the recipient has received a message, or there is something wrong with their account, etc. Anything that could convince him or her to visit a link to a website hosting malicious code, where cyber criminals attempt to infect the PC using a drive by download, or to open and run an attachment.
Phishing uses some of the same words as malware, like “account” or “mail”, but looking at the whole we see a pattern geared much more toward personal information. Words like address, form, personal, error, inconvenience, security. These are all words that when put together start to paint a picture of a typical phish.
The aim is to get the victim to willingly hand over information by tricking them into believing the mail is legitimate (this is known as “social engineering”). If successful, cybercriminals could have access to the victim’s bank account, e-mail account, or social network account. Access to any one of these things could also allow them to gain access to any other accounts they may have as people tend to use the same details for multiple accounts.
Finally, MessageLabs Intelligence looked at a specialized branch of malware emails, targeted attacks. These are emails that are specially crafted to try and trick specific individuals or groups into opening a malicious attachment, or visiting a malicious link. The recipients of this type of attack tend to be people in positions of high responsibility, or members of large companies or organizations. This is reflected in the types of words that seen in these attacks.
Most of these words are related to political events or organizations or financial matters, and are almost always related to global politics or economics.
It is useful to have an idea of what to expect in different types of spam/malware, as it can help PC users distinguish between the good and the bad. Upon receiving an unsolicited mail, determine what it is saying. Does it fit with any of the patterns above? The most important defense is to always be sure anti-malware software and patches for applications and operating systems are up-to-date, but vigilance is essential as well. Always try to verify a source is genuine, and never click a link or open an attachment from an unsolicited email, even if it appears genuine. Instead, manually type the link into the browser.