Think that macro viruses written in VBA (Visual Basic for Applications) are just something that people using the Internet a couple of decades ago had to worry about? Think again. Word macro attacks never went away, they just went into decline. New evidence suggests they could be making something of a comeback though. Coupled with research showing how non-English speaking recipients are being targeted by phishers using this technique, it makes for worrying reading some 15 years after Melissa struck fear into the email using world.
Whenever I hear non-English and phishing uttered in the same breath, I tend to think the speaker is talking about the scammer rather than the attack message itself. The number of emails that appear in my spam and malware filtered folders which have patently obviously come from the keyboard of a non-English speaker far outweigh that have not. However, the language of phishing itself has pretty much always been English for one very good reason: it represents the largest attack surface for the least effort. Of course, there are always exceptions and targeted attacks (also known as spear phishing) are more likely to be crafted in whatever language is thought to be spoken by the recipient based upon the location of that target mark. One thing is for sure, most security researchers will agree that malicious URLs in email tend to be a lot more prolific in English language speaking recipient countries than elsewhere.
Which doesn't mean you are safe if, for example, you live or work in France or Germany. I mention these countries for two specific reasons. Firstly, security researchers are Proofpoint recently disclosed that the URLs in unsolicited email sent to recipients in France and Germany were less likely to be malicious than URLs in emails to recipients in the US or the UK. Secondly, the same security outfit has this last week revealed details of an admittedly low volume targeted phishing campaign that was aimed directly at organizations in the two countries. Interestingly, the latter statement does not dilute the relevancy of the former as although malicious URLs remain the launch mode of preference in the phishing community it isn't the only game in town. The campaign in question was even more old school and relied upon malicious attachments instead.
In all, a total of twelve different Microsoft Word document attachment variations were found to be used, and they were cycled with multiple senders and headings in order to create what is known as a longline phishing campaign. This has the intended, and often successful, effect of evading any reputation-based blocking that is being used. The Proofpoint analysis of the Word attachments revealed documents which were vehicles for a VBA virus in the form of a malicious macro that downloaded and then installed Andromeda malware. An additional level of obfuscation was applied, for both the macro code and the Andromeda payload itself, and this helped the attackers to gain a pretty good rate of antivirus evasion. How good? Well, at the time of the Proofpoint analysis less than ten per cent of antivirus engines were able to detect the attachments as malicious and the Andromeda payload itself was detected by a mere five per cent.
The fact that multiple samples from a single campaign using a variation of attachment name, lure, subject and sending address were successful in this case shows that a modern longline phishing strategy is viable. Especially when they can prove so effective against both reputation and signature-based filtering systems. With at least twelve different attachments in a relatively low-volume longline campaign the odds were high that they would be so far unknown and so allowed to pass even robust anti-spam gateways; high enough to make the attack potentially profitable and so worth launching. According to the Proofpoint researchers it's a perfect example of why organizations must complement their existing anti-spam gateway with advanced detection capabilities: something always gets through even the best traditional defenses. Of course, they would say that given that the company can provide just such capabilities.
However, I say that this campaign also highlights the role of language as yet another variable that attackers can leverage to evade organizations’ existing defenses. Anyone who thinks the days of Word Doc attacks are dead is wrong. Anyone who thinks just because they do not communicate in English they are safe from the phishermen, is wrong. Oh, and anyone who thinks VBA viruses are so 1990's and no longer a threat is most certainly wrong as well...