Spam with an optical sight
Friday, April 2, 2021
Our experts analysed a targeted attack, supposedly from China, that was carried out against Russia's critical infrastructure entities. We hope you've read this news post. If not, we strongly recommend that you read it and then come back to our AVT issue. Now we want to draw your attention to several important points.
It does not pay for criminals (or for malicious insiders at any company) to attack every employee of a company one by one: its security service will notice (we hope) a mass spam mailing or a blanket scan of the company's computers. For example, our business solution Dr.Web Enterprise Security Suite has an epidemic prevention feature: the administrator is automatically notified when numerous identical malicious events occur across the network. So the blow must land precisely on a weak point. But how is that weak link found?
The investigation revealed that just before the attack, the cybercriminals conducted reconnaissance by sending emails containing images. The goal was to collect information for identifying a "safe" recipient, one who is guaranteed to open a spam email in the future. To tell which employee opened a message, the criminals gave each recipient a different image reference: the requests that load the image carried different request parameters or unique image names, so every request arriving at their server revealed who had opened the email. If the cybercriminals knew who had received the email, they could tailor the next one to the target's job title. If not, they still gained something: anyone who opens such messages is vulnerable.
Thus, the cybercriminals moved to the second stage of their attack already knowing who would open their email. Nor did they have to carry out a mass mailing of malicious files.
And now we come to the crucial point. If every employee were using corporate security software, the protection would block the malicious email on receipt, based on its malicious characteristics. But today most employees work remotely and often do not protect their devices with corporate anti-virus solutions, or use no anti-virus at all. If an employee's computer is not protected by a corporate anti-virus, the specialists responsible for corporate security may not notice the attack: they will receive no notification.
Is it possible to identify which of a company’s employees are working remotely?
When a referenced file is requested, an HTTP request goes to the server where the file is physically located. In handling that request, the two hosts exchange information about themselves, including their IP addresses. So a mail client that requests a CSS file or an image referenced in the email instantly hands the recipient's IP address to the server.
So the IP address is now known, and the free database at http://www.maxmind.com/en/home can be used to determine its geolocation. The accuracy is about 95%-98%. For Russian IPs, you can also use this database:
The HTTP request will also carry the User-Agent header, which briefly describes the recipient's browser and operating system.
The exact location may well not be determined, but the region will be. And if it differs from the company's address, the recipient is most likely working remotely.
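The reconnaissance emails described above, and the image requests that leak the recipient's IP address and User-Agent, can be spotted before anyone opens them. Below is an added example (not Dr.Web's code) of a gateway-side check: it parses a message and flags remote images whose URL carries per-recipient query parameters or an opaque token, or that are sized 1x1. The sample message and all domains are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Match <img ...> tags, their src attribute and any width/height attributes
IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
DIM_ATTR = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)
# A long opaque run of characters in the path is the other common shape of a beacon URL (heuristic)
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9]{16,}")

# Constructed sample message (not from the incident): one ordinary logo and one beacon
SAMPLE_EMAIL = b"""From: sender@example.invalid
Subject: Quarterly report
Content-Type: text/html; charset=utf-8

<html><body><p>Please find the report below.</p>
<img src="https://cdn.example.invalid/logo.png" width="120" height="40">
<img src="https://track.example.invalid/open.gif?rid=a8f3c2" width="1" height="1">
</body></html>
"""

def tracking_images(raw_message: bytes) -> list:
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for tag in IMG_TAG.findall(part.get_content()):
            m = SRC_ATTR.search(tag)
            if not m:
                continue
            url = m.group(1)
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https"):
                continue  # cid: and data: images never contact a remote server
            reasons = []
            if parsed.query:
                reasons.append("query parameters")
            if OPAQUE_TOKEN.search(parsed.path):
                reasons.append("opaque token in path")
            dims = [int(v) for _, v in DIM_ATTR.findall(tag)]
            if dims and max(dims) <= 1:
                reasons.append("1x1 pixel")
            if reasons:
                findings.append({"url": url, "reasons": reasons})
    return findings
```

A mail gateway can quarantine or strip remote images on such findings, which also removes the IP and User-Agent leak described above.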
The Anti-virus Times recommends
- Disable image loading in your email client. You can find instructions on how to do that here, for example.
- Do not open emails from unknown senders.
- Use your corporate anti-virus.