The holiday season has historically brought a surge in email-borne threats, which use timely themes such as merchant sales or package deliveries to attack unsuspecting users and to trick even the most careful ones. FireEye Labs has collected data on the most prominent malware families delivered via email campaigns throughout this holiday season, among them Dridex, FareIt and TeslaCrypt. During this busy period, nine email attacks took place within the UAE, four of which targeted financial services.
So far, the leading culprit has been Dridex, a banking Trojan whose primary goal is to steal banking credentials and drain money from a victim's financial accounts. Dridex is highly dynamic and adaptive, which increases its chances of infecting users. It is distributed mainly through phishing emails carrying either malicious Word or Excel attachments or malicious hyperlinks. The second week of November saw a spike in Dridex activity, with a tenfold increase in the volume of attacks.
FareIt is another malware family that has been around for many years. Its main goal is to collect credentials from FTP clients, browser caches and cryptocurrency wallets such as Bitcoin, Bytecoin and Litecoin. Recent developments suggest that FareIt now uses malicious spam campaigns as its infection vector. During the holiday season, FareIt was observed masquerading as Walmart, using fake emails claiming that Walmart was giving away gift cards just a few days before Christmas. FareIt also leveraged the travel aspect of the holiday season with email messages themed around itineraries and reservations; some of these emails purported to come from American Airlines and the luxury travel and vacations company Abercrombie and Kent Travel.
One of the most active ransomware families in recent times, TeslaCrypt was first observed in February 2015. FireEye Labs observed a substantial rise in TeslaCrypt-related malicious email activity in the weeks leading up to the holiday season. Like Dridex and FareIt, TeslaCrypt will mimic popular brand names and well-known companies on occasion.
Email phishing remains one of the primary infection vectors threat actors use to deliver malware. Detecting these campaigns remains challenging, as both the delivery methods and the form of the malware downloaders continue to evolve. It is interesting to see how the tricks and techniques behind each family's infection attempts have evolved: Dridex conducted a large-scale attack using new delivery methods, in a suspected attempt to acquire new victims following an October takedown; FareIt continues to be creative in the social engineering it uses to entice targets; and TeslaCrypt uses scripts that can easily be modified, which makes each sample highly dynamic in its content and techniques.
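The two delivery methods named above, malicious Office attachments and hyperlinks dressed up as a trusted brand, can be triaged at the mail gateway before a user ever sees them. The script below is an added example and is not FireEye's code or anything from the original article; the sample messages, the domains (claim-gift.example.net, example.com) and the attachment contents are constructed for illustration. The checks it applies are general heuristics rather than signatures for Dridex, FareIt or TeslaCrypt: a macro-enabled Office extension, a `vbaProject.bin` part inside an OOXML (zip) package, the OLE2 container signature of a legacy `.doc`/`.xls` file, and anchor text that displays one host while the `href` points at another. The assumption that malicious Office attachments of this kind rely on VBA macros is the author's, not a statement from the article.

```python
"""Triage one email for macro-bearing Office attachments and mismatched links.
Added example; every sample value here is constructed, not from the article."""
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls container signature
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm"}


def office_macro_findings(filename, data):
    """Reasons an Office attachment should be held back before delivery."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled extension {ext}")
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office files can carry macros too; only the container is
        # flagged here, a full stream parse (e.g. with olefile) would follow.
        reasons.append("legacy OLE2 Office file (needs macro stream check)")
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("OOXML package contains vbaProject.bin (VBA macros)")
        except zipfile.BadZipFile:
            reasons.append("zip-like header but not a valid zip")
    return reasons


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text names a host other than the one the href goes to."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        target = urlparse(href).hostname or ""
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if not m or not target:
            continue
        shown = m.group(1)  # a subdomain of the shown host is tolerated, anything else is not
        if shown != target and not target.endswith("." + shown) and not shown.endswith("." + target):
            out.append((text, href))
    return out


def scan_message(raw):
    """Return human-readable findings for one RFC 822 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            for r in office_macro_findings(name, part.get_payload(decode=True)):
                findings.append(f"{name}: {r}")
        elif part.get_content_type() == "text/html":
            for text, href in mismatched_links(part.get_content()):
                findings.append(f"link text '{text}' actually points to {href}")
    return findings


def _ooxml_bytes(with_macros):
    """Minimal constructed OOXML package, optionally carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample(malicious):
    """Constructed message in the style of a gift-card lure (not a real sample)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "promo@example.com", "user@example.org", "Gift card"
    msg.set_content("Please see the attached document.")
    if malicious:
        href, shown, name = "http://claim-gift.example.net/go", "https://www.walmart.com/giftcards", "Gift_Card.docm"
        subtype = "vnd.ms-word.document.macroEnabled.12"
    else:
        href = shown = "https://www.example.com/help"
        name, subtype = "Newsletter.docx", "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_alternative(f'<p>See <a href="{href}">{shown}</a></p>', subtype="html")
    msg.add_attachment(_ooxml_bytes(malicious), maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        print(label, scan_message(build_sample(label == "malicious")))
```

On the constructed lure the scanner reports the mismatched link plus two attachment findings (the `.docm` extension and the embedded `vbaProject.bin`); the benign message produces none. In production the same `scan_message` would run over messages pulled from the MTA queue, with a hit routing the message to quarantine rather than to the user, and the OLE2 branch would hand legacy files to a real macro-stream parser.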
Given such a complex landscape, the threat is not going to end, according to FireEye. Threats are expected to persist and to keep adapting through new social engineering techniques, new delivery methods and increasingly complex attacks. Hence, it is important for organisations to remain vigilant with user education, proactive detection technologies and security policies that help prevent new threats.