When people imagine threat actors tricking victims into installing malware, the first thing that comes to mind is probably email phishing or typosquatted domains. These days, digital attack vectors are so easy to deploy that physical vectors may even get a chance to fly under the radar.

In a recent campaign uncovered by Trustwave, the criminal threat group FIN7 mailed USB drives serving an unknown malware strain disguised as a free Best Buy gift card offering. The letter mailed with the USB drive states that the retail giant is sending out gift cards to its loyal customers, and the gifted credit can be used to buy products from a specific list that is found on the enclosed USB stick.

When security personnel think of email attacks, usually the first word that comes to mind is “phishing." While phishing is a very common (and sadly, very successful) attack vector, many threat actors take a different approach to gaining access to victims’ accounts. Breaching an email mailbox is a critical first step, creating a doorway to endless exploitation possibilities.

In this blog post, we will outline five different ways that cyber attackers can breach your email account and steal personal information.

Photo Cred: Forbes

Many companies have gone completely remote, and had to do it quickly in light of current events, but that doesn’t mean the need to secure company data has diminished. As more workers are accessing secure files and applications from home, there is an increased need for organizations to be thinking about how to secure those devices that are accessing that information. We have already seen evidence that criminals are trying to take advantage of this situation to launch attacks against companies, and employees working from home without the security protections of the company network are targets for opportunistic attacks.

With the Coronavirus death toll constantly on the rise, people are becoming more and more panicked. It seems that almost everyone these days is thirsty for any information they can get on how to avoid the deadly virus, creating a tremendous opportunity for cyber attackers to exploit these fears and steal personal information and credentials.

Most malware is often delivered from otherwise legitimate sites. Sometimes this occurs via compromising existing websites, but more often than not, it is by using existing advertising networks as a means to ultimately deliver malware. Quite simply, the attacker buys impressions via existing channels and uses a variety of malvertising tricks to either directly compromise the web browser, or at the least trick the user to installing the malware. This specialized form of malware delivery requires a specialized collection methodology to detect such attacks.

Malicious emails are one of the cyber realm’s most widespread epidemics. Over 215 billion business and consumer emails are received daily, and with such an overwhelming flow of emails arises a very attractive opportunity for threat actors to easily penetrate victims’ online activity and lure them in to giving up credentials, downloading malware and more. According to the Symantec Internet Threat Security Report, one out of 412 emails contains a malware attack.

Although it seems as though cyber awareness is somewhat increasing due to the attempt to keep up with rapid advances in attack techniques, preying on human error continues to be extremely rewarding for threat actors. In retrospect, many email attack victims are dumbfounded when they realize that the email they so willingly acted upon is quite obviously suspicious upon second look. On top of that are highly thought out, sometimes tailored malicious emails, which do not even alert relatively cyber-aware people.

While it does not boast any special or complex installation tactics, Shlayer’s distribution vector has made it a tremendous success - the malware has been the most prevalent MacOS strain since its debut two years ago, never falling off its leading spot. Shlayer uses a well-known infection tactic – pressing on a bad link directs the victim to a fake Adobe Flash update.

Earlier this month, a new variant of the Guildma information stealer was analyzed by the Internet Storm Center (ISC). The malware’s new campaign has been seen targeting various countries in South America, with the highest number of infections recorded in Brazil. It seems that Guildma is spreading quickly, with another recent campaign reaching over 150,000 infection attempts in a matter of weeks.

Making connections and finding new indicators is an important part of IOC analysis, and is probably the most enjoyable part as well. Blog posts and reports on new threats will usually mention the indicators seen to be used by the specific malware sample or attack vector analyzed, yet in many cases there is a larger malicious infrastructure behind them just waiting to be uncovered (and blocked!). Sometimes, a whole other malicious infrastructure can be revealed by examining IOCs related to malicious IPs and domains. There are a variety of tools out there that can help analysts investigate indicators of compromise and their infrastructure, and perform enrichment to shed light on related, malicious IOCs.

In this post, we will review some of our Security Research Team’s favorite connection and enrichment platforms.

You’ve probably heard of Threat Intelligence, it's all the rage and all the cool kids are doing it… where’ve you been? Threat Intelligence, or “TI,” is everywhere and in everything, and it can be cool, but it can also be slippery and confusing and complex and a huge waste of time and resources depending on what you do (or don’t do) with it. In this post, we’re going to make a bunch of snarky statements about Threat Intelligence, and we’re going to spill the tea on how you (as a small or medium sized business) can use it and actually get some security value in return.