Image Spam, Old Tricks Top September Malware Threats

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

September was another busy month for enterprise IT departments forced to deal with a barrage of security threats, led by the "Here You Have" worm and an influx of new image spam campaigns that were just a small part of the more than 45 million new pieces of malware identified this month.

According to security software vendor AppRiver's monthly Threat & Spamscape Report (available here in PDF format), overall spam volume was actually down slightly from August, but malware purveyors were particularly adroit at using malicious .html attachments running hidden Javascript code to infect users' PCs and mobile devices and bog down corporate email servers.

The No. 1 security threat of the month was the infamous "Here You Have" worm, which was really just a new take on the old Anna Kournikova scam perpetrated several years ago.

This time around, victims who opened the unsolicited emails with the "Here You Have" subject line in the hopes of viewing pornographic videos or intriguing photos were instead treated to an SCR executable file that disabled their security software apps and then began sending the same spam message to all the contacts in their address books.

And because those people were receiving the email from people they assumed they could trust, the cascading series of events ultimately led to significant disruptions of email systems at some large companies, including Wells Fargo, Coca-Cola and Google (NASDAQ: GOOG).

According to AppRiver, "Here You Have" accounted for more than 9 percent of all spam in circulation during its mid-month run and caused such a disruption that the FBI initiated an investigation into its origin.

"This file type has thrown up red flags since the 1990s due to the fact that even though its proper use is a screen-saver file, it is a standalone executable that has commonly been used by malware authors to disguise payloads," AppRiver's security team wrote in the report. "This is especially true when traveling by email, or offered as a download from obscure websites."

While the websites hosting the malicious "Here You Have" files were shuttered within hours, the damage had already been done and spam traffic surged for a couple days after it was first discovered.

AppRiver said the FBI's subsequent investigation revealed that the worm was created by a Lybian hacker using the name "Iraq Resistance," who tried to build support for a "cyberjihad" group called Tariq ibn Ziyad. The group's goal, according to the investigation, was to infiltrate various U.S. Army departments, websites and databases.

Hidden spam and IRS scams

As damaging as it was, "Here You Have" was hardly the only malware scam on display in September.

AppRiver said beginning on Sept. 10, its filters began blocking an inordinately large number of image spam messages, essentially spam code hidden beneath images displayed within emails.

The security software firm blocked almost 2.5 million image spam messages on Sept. 10 alone, a 900-percent surge above normal daily image spam rates. The flow of the messages tapered off for about a ten-day period before another resurgence in the last week of the month.

Another trend of note in September was a spike in phishing scams using the Internal Revenue Service as the attention-getting lure.

These IRS scams are nothing new, but they're surprisingly effective because people have a natural inclination to respond to anything from the taxman, and the scams incorporate some fairly convincing graphics to further the ruse.

One campaign pretended to be a missive from the Electronic Federal Tax Payment System, a website provided by the IRS to help people pay their taxes online.

AppRiver officials advise Internet users to immediately delete any emails purportedly from the IRS because the government agency never contacts taxpayers via email.

"The spammers get half of an originality point for reinventing the same old scam," AppRiver officials said.

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow eSecurityPlanet on Twitter @eSecurityP.