Today we are still monitoring a blast of malicious emails that began on February 5, 2014. Since that day, we have seen the virus traffic increase to unusually high levels that have continued to reach higher peaks over the last few days. January was the second most active month for malicious emails to date. Though the spike we saw in January was unusually large, the spike in message traffic that we have been seeing over the past few days has been even larger. So far in February we have quarantined over 150 million email messages containing malware attachments; at this rate, February has a good chance of surpassing the previous record-setting levels that we recorded back in 2008.
This malware campaign is still going strong, but the technique is nothing new. The malware distributors are sending large blasts of emails with varying premises. Attached to each message is a file that attempts to appear legitimate but in actuality contains malicious code. The theme of these emails continues to vary.
For example, today many of these messages were posing as alerts from Visa/MasterCard, telling the recipient that their account had been blocked due to unusual activity (fake security warnings are a favorite social engineering tactic for the blackhats). The file attached to each message is in fact a Trojan that will infect your machine upon execution. Once infected, the attackers will have a backdoor to that machine and can further install malware that most commonly includes programs designed to harvest personal and financial information.
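To make the "appears legitimate but contains malicious code" pattern concrete from the filter's side, here is an added example (not AppRiver's code or any part of the campaign analysis) that parses a message and flags attachments whose name or declared type does not match their contents. The lure text, attachment names, extension lists and magic-byte table are all constructed assumptions for illustration; the post does not say what file types this campaign used.

```python
"""Lookalike-attachment triage for a mass mailing campaign (added example).

Constructed sample data; the attachment names, extensions and magic bytes
checked here are assumptions for illustration, not values from the post.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Extensions Windows will execute directly (assumed list, not from the post).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# "Document" extensions a lure typically claims to be.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
# Leading bytes of common container formats.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0", "ole2-office"),
]
# What the claimed extension should look like on the inside.
EXPECTED_TYPE = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "zip": "zip",
                 "doc": "ole2-office", "xls": "ole2-office"}


def sniff(data: bytes) -> Optional[str]:
    """Identify a payload by its leading bytes rather than its name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons, if any, this attachment looks like a lure."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    kind = sniff(data)
    if ext in EXEC_EXTS:
        reasons.append("executable-extension")
    if inner in DOC_EXTS and ext in EXEC_EXTS:
        reasons.append("double-extension")        # e.g. statement.pdf.exe
    if kind == "pe-executable":
        reasons.append("pe-header")               # MZ bytes regardless of name
    if ext in EXPECTED_TYPE and kind != EXPECTED_TYPE[ext]:
        reasons.append("content-mismatch")        # claims .pdf, is not a PDF
    return reasons


def inspect_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse an RFC 5322 message; map each suspicious attachment to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):              # text/* parts decode to str
            payload = payload.encode()
        reasons = inspect_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed lure in the style the post describes: a fake card-blocked notice."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your card has been blocked due to unusual activity"
    msg.set_content("Please review the attached statement to restore access.")
    # Executable hiding behind a document-looking double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Statement.pdf.exe")
    # Executable bytes under a plain .pdf name and content type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Account_Notice.pdf")
    # A genuine-looking PDF for contrast; should not be flagged.
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in inspect_message(build_sample()).items():
        print(f"QUARANTINE {name}: {', '.join(why)}")
```

The point of checking magic bytes alongside the name is that the two cheapest disguises (a double extension and a mismatched declared type) are caught even when the sender controls every header. A production filter would also recurse into archive attachments and treat an MZ payload as a quarantine verdict on the whole message, not just the one part.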
While the initial analysis of many of these malicious files has pointed to the Andromeda botnet or even the [not so recently defunct] Bredo botnet, these trojans are mostly identified with generic names. In turn, some of us here at AppRiver have taken to referring to this botnet activity as TidalWave or TidalBot (due to its enormous ebbs and flows). Whether or not this botnet is a completely new build from the ground up or built up from an existing piece, one thing is certain… they have spent some time and effort compiling a large swath of compromised machines to have at their disposal.
You could draw several conclusions as to what danger this all poses to the user. First, it illustrates that people are still clicking on attachments and links in unsolicited email (if they were not, cybercriminals would not be relying so heavily on this technique). The users that unknowingly click on one of these attachments are likely to have their activity monitored, leading to stolen financial information, personally identifiable information and login credentials. But the impact of this type of malicious activity is not only felt by the recipient of these messages; it can also have a cascading effect. It poses an inherent risk to information security in general. Most of the time we just think about an individual falling victim to this sort of attack, but what if that individual is your CPA or banker (or anyone that has access to personal data, for that matter)? If they fall victim while on a work computer, then it is not just their data that is at risk; your information may now be exposed as well.