In the two decades since Internet connectivity morphed from a luxury enjoyed by academics, government workers and a handful of computer hobbyists into a “must have” for most of the population, email has been a constant. It was considered by many to be the “killer app” and in fact unseated the postal service as the primary means of communication – at least until the rise of text messaging and social networking.

Even though email may have waned somewhat in popularity and is considered “old school” by the younger generations, the fact remains that most of us have and use at least one email address – if for no other reason than the fact that you need one to sign up for a Facebook or Twitter account. Personally, I have almost a dozen that serve different work and personal purposes, and I get hundreds of messages per day (many of which, unfortunately, are either outright spam or semi-spam, a.k.a. “gray mail”).

With all this mail coming into our networks, email has long been a natural attack avenue for distributors of viruses and other malware. The first known computer virus to be propagated via email was called Happy99, which infected thousands of systems one year before the turn of the century. Its payload was pretty benign by today’s standards; it displayed a “Happy New Year” message and attached itself to all email messages subsequently sent by the user.

Unfortunately, email-based malware has gotten much more malevolent over time. Today it’s more likely to attempt to steal your banking password or make your computer a zombie in a botnet than to deliver a cheerful greeting and go on its way. Ransomware, spyware, rootkits, and the more traditional viruses and worms can all find their way onto a system via email attachments or links. Phishing messages abound, designed to trick you into revealing credit card or bank account numbers or other personal information that can be used by identity thieves. Viewing mail in HTML format gives you a much richer experience – but it also increases the risk. An HTML message can contain the same types of code as a web site – JavaScript, Java applets, ActiveX, web beacons – and thus poses the same risks as visiting a web site.

I get dozens of malicious mail messages every week. Many of them depend on users’ trust in particular brands or entities. Some of the recent samples I’ve received include messages that purport to be from Southwest Airlines, Amazon, E-Z Pass, Equifax and TAX@irs.gov. They notify me that I’ve won extra mileage rewards, ask me to review my recent order, inform me that I’m “in arrears for driving on a toll road,” warn me that my credit score has changed, and direct me to download more information about my tax payment that was returned by my financial institution.

To my jaded eye, most of these fraudulent messages are laughable. Anyone who places as many orders with Amazon as I do knows that they don’t send order confirmations in .zip files. I’ve never driven on an E-Z Pass road in my life; down here our toll roads are run by the NTTA (North Texas Tollway Association). The IRS sends old-fashioned snail mail, not email messages and certainly not messages that ask me to click a link to the “cubby.com” domain. Equifax isn’t my BFF and so probably isn’t going to address me as “Deb.” And Southwest Airlines (on which I haven’t flown in decades) isn’t likely to sign their messages “Airline Perks” or send them from an email address like Grayson@lipsel.com.

Easy as it is for me and other IT/security professionals to recognize and dismiss such messages as very poor attempts that won’t fool anyone, they do in fact fool thousands of less savvy Internet users. And some would-be attackers are better at their job than these. I’ve run across phony “Verizon Wireless” emails that were almost identical to the real thing and spoofed the domain to make it appear their links went to the real site; only a check of the mail headers identified them as fakes. There are also talented attackers who construct mail messages that will automatically redirect the email program to a malicious web site if you just open the message itself in a mail client that has HTML content reading enabled.
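One way to automate the kind of checks described above (a brand named in the display name or subject versus the actual sending domain, the envelope sender recorded in the headers versus the visible From, where the links really point, and archive attachments), as an added example that is not part of the original post. The brand allow-list and the sample message are constructed for the illustration, reusing the lipsel.com and cubby.com examples from the post; a real deployment would use the organisation's own allow-list and run over messages pulled from the mail store.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands and their legitimate sending domains: an assumed allow-list for this example.
KNOWN_BRANDS = {"southwest": {"southwest.com"}, "amazon": {"amazon.com"}, "irs": {"irs.gov"}}

def _domain(addr) -> str:  # lower-cased domain of an address header value, '' if absent
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()
def _in_domains(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, from_dom = parseaddr(str(msg.get("From", "")))[0], _domain(msg.get("From", ""))
    # 1. Display name or subject invokes a brand the From domain does not belong to.
    text = f"{name} {msg.get('Subject', '')}".lower()
    claimed = {b for b in KNOWN_BRANDS if re.search(rf"\b{b}\b", text)}
    for brand in claimed:
        if not _in_domains(from_dom, KNOWN_BRANDS[brand]):
            findings.append(f"claims {brand} but sent from {from_dom}")
    # 2. Envelope sender recorded in the headers disagrees with the visible From.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # 3. Links in the HTML body lead outside the claimed brand's domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in re.findall(r"""href=["']?(https?://[^"'\s>]+)""", body.get_content() if body else "", re.I):
        host = (urlparse(url).hostname or "").lower()
        if claimed and not _in_domains(host, {d for b in claimed for d in KNOWN_BRANDS[b]}):
            findings.append(f"link to {host} outside claimed brand domains")
    # 4. Archive or executable attachments, which the genuine sender would not use.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".exe", ".js", ".scr")):
            findings.append(f"risky attachment {name}")
    return findings

def sample_message() -> bytes:  # constructed sample imitating the "Airline Perks" mail above
    m = EmailMessage()
    m["From"], m["Return-Path"] = '"Southwest Airline Perks" <Grayson@lipsel.com>', "<bounce@example.net>"
    m["Subject"] = "You have won extra mileage rewards"
    m.set_content("Claim your miles.")
    m.add_alternative('<a href="http://cubby.com/claim">Claim</a>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="rewards.zip")
    return m.as_bytes()
```

Running `triage(sample_message())` reports all four problems; a plain message from an unrelated sender with no links or attachments produces an empty list.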

Anti-malware software won’t catch all of these, because attackers frequently change them up, and legit messages often contain the same or similar types of content. The most dangerous messages are those from companies that you do business with all the time. When I get a notice from my bank, for instance, I don’t click on the link to go to my account; I open my browser and type the known URL in the old-fashioned way. About 99 percent of the time, I find the notification was real, but I’m the suspicious type and I’d prefer to sacrifice a little convenience rather than take the risk. Of course, these days even legitimate web sites can contain malware or redirect you to sites that do, thanks to the easy availability of exploit tools such as Darkleech, which was used to infect tens of thousands of innocent web sites last year.

Perhaps the most dangerous aspect of malicious email is the fact that many security pros see it as “old hat” or an outdated form of attack. They assume that, because it’s been around for so long and because some of it is so obvious, no user will fall for the ploy. They fail to properly educate users about the risk, and take the easy way out by issuing blanket recommendations such as “don’t open attachments” and “don’t click links” – which are so restrictive they’re likely to be ignored. Email might no longer be the killer app it once was, but it’s still in common use and malware delivered via email can still kill your system, your data, or your financial standing. Maybe we need to start taking email security more seriously again.