Cybercriminals ‘manage’ phishing emails using techniques similar to those used by marketing agencies, including the use of ‘test audiences’ to see how effective a particular email is, according to Mark Sparshott, executive director at email security firm Proofpoint.
The most successful form of email-borne attack at present is fake LinkedIn invitations, Sparshott said – with click rates double that of attacks such as banking emails and fake order confirmations.
Speaking at Computing’s IT Leader’s Forum event in London, Sparshott says that criminals send out small bursts of emails to test the response of their audience – testing several formats against one another. The criminals analyse the rate at which the ‘test’ victims click, and then use the most successful in the main email burst.
“Cyber criminals manage the content of their emails to entice clicks,” he said. “It’s the same technique you might find a leading marketing agency using.”
Sparshott based his conclusions on analysis of a number of email-based attacks – and found that, on average, 10% of targeted users clicked, but the rates varied widely between companies, with some firms having a click rate of up to 50%.
“The top three which achieve most success are social network communication, financial account warnings and order confirmation. That preys on human curiosity and desire to broaden one’s network, or to not lose money, or to check something you feel you didn’t order.”
Sparshott says that the most effective attack at present relies on fake LinkedIn invitations sent via email, “The LinkedIn lure is particularly effective, because it can look exactly as if it has come from LinkedIn itself. LinkedIn lures are twice as successful as others, and the most successful is the LinkedIn invitation.”
ESET Senior Research Fellow David Harley says, “Effective email abuse is usually at least partly reliant on social engineering, in the sense of similar techniques for psychological manipulation to those used by legitimate marketers. The three kinds of SE gambit he cites (posing as social media communications, bank phishing, fake order confirmations) are classic lures.
“Malicious emails have indeed gone far beyond the simple malicious attachment posing as a JPEG (or whatever), and infection can be a multi-stage process involving multiple redirects with the payload delivered long after the initial message. Nonetheless, that’s no guarantee of infection: on-access scanning can still work on payload delivery, though – obviously, it depends on whether the malcode is recognized as malicious or even as a variation on a known theme.”
“There’s usually no need to open a LinkedIn message. You can simply use the arrival of such a message as a cue to go to the site to see what, if anything, is waiting. That doesn’t mean you can trust a message just because it really did go through LinkedIn, of course.”
We Live Security offers tips on how to avoid the latest phishing scams in a new how-to here.
Author Rob Waugh, We Live Security