
The Good (But Mostly Still Bad) News About Spam and Phishing

Bill Gates' bold prediction that spam would be a "thing of the past" is inching closer to coming true, some decade-and-a-half after he suggested unwanted email would be eradicated in two years' time.

The 2018 Trustwave Global Security Report found that the percentage of inbound email that is spam dropped last year to 39 percent, well off the high of 85 percent in 2008. This vast improvement in spam prevalence has come with a notable downside, however: The percentage of spam messages that contain malware remains well above normal, at 26 percent.

The days of your inbox being littered with messages hawking counterfeit watches and weight-loss supplements may be behind us, but that doesn't mean the spam trade has dried up. In fact, it has arguably grown more nefarious.

"The good news is that intended recipients don't see most of this spam because of multiple layers of filtering at the network edge and in client email programs and services," the report said. "The bad news is that, as it did many years ago, spam is again rivaling the web as a delivery mechanism for dangerous malware."

Trustwave researchers largely blame this high rate of malicious spam (also called "malspam") on the pesky and prolific Necurs botnet, a rapid-fire network of zombie computers capable of unloading spam leading to banking Trojans, ransomware and other malware from between 200,000 and 400,000 unique IP addresses daily.

Meanwhile, phishing made up 2.1 percent of spam types in 2017, but may have proved the most lethal of them all. Social engineering emails containing rogue links or attachments are a common way that hackers establish an initial foothold within a targeted environment, typically through credential theft (which sometimes starts with a malware infection).

According to the 2018 Trustwave Global Security Report, phishing facilitated 47 percent of all compromises in point-of-sale environments and 55 percent in corporate and internal network environments. Phishing (a topic that our SpiderLabs team has written about in earnest, including this terrific and detailed blog post) exploits the trust that people associate with specific brands. In some cases, the attackers base their templates on actual messages, just changing a few words and the underlying links.

Common Phishing Lures in 2017

Banks: Fake landing page that harvests online banking credentials.

Couriers: Fake parcel deliveries and receipts from shipping companies. Links lead to malware downloads, such as ransomware and banking Trojans.

Utilities: Fake bills from energy or telecom companies, with links leading to ransomware or banking Trojans.

Finance Software: Fake emails appearing to come from accounting providers, such as MYOB, QuickBooks, Xero and Intuit, leading to the Dridex banking Trojan.

Tax Returns: Fake messages from tax collection agencies leading to Java-based remote access Trojans.

Mail Quota: Fake notes warning that your mailbox is full with the goal of stealing credentials.

Amazon: Fake receipts that lead to a variety of landing pages, including ones seeking credentials and pushing junk products.

Apple: Fake receipts or password "resets" with the goal of harvesting credentials.

Best Practices to Dodge Malicious Spam and Phishing

You can't fall victim if you don't engage. These attacks, unlike exploit kits, require human interaction. As such, you should avoid opening any emails that appear suspicious - and if you do, avoid opening any downloaded files.

That admittedly isn't the easiest advice to heed when your inbox is getting hit with phishing that is targeted and personalized, including CEO fraud. But as a general rule, don't rush to click links even if they seem legit and sent by someone you know. If you did not expect them, check with your contact first to see if they intended to send it.

You should also refrain from opening zip files that come from unknown sources and avoid executing unknown file formats like JavaScript, from which malware is often distributed. The Global Security Report also pointed out that PDF files are growing in prevalence as a phishing delivery method. Attackers trick victims into clicking a link in the PDF to supposedly view content, but the link instead diverts users to an attacker-owned web page.

For businesses especially, you should deploy a secure web gateway, which leverages sophisticated logic to detect web-based attacks. Also, keep systems tested for and patched against vulnerabilities (as some attacks take advantage of known flaws) and continually educate your employees on how to identify phishing attacks, especially the ones that are so good, you just can't believe they are malicious.
