Original Release Date: 6/9/2020
In the month of May, threat actors attempted to send New Jersey State employees malicious emails through various campaigns. The most prevalent of these campaigns attempted to use the Keitaro Traffic Distribution System (TDS), a legitimate service used by online advertisers but often used for nefarious purposes in malicious advertising and web traffic operations. When used in malicious emails, Keitaro sites frequently redirect users to sites that host exploit kits and deliver malware. Other prevalent campaigns attempted to deliver Dridex or Qbot, which are banking trojans used to steal credentials for financial accounts. Additionally, the Valak information stealer and downloader was more dominant, consistent with recent reporting.
The most frequent subject lines were consistent with common tactics that cyber-criminals use in malicious email campaigns to grab the target’s attention, lure them into opening the email, and convince them to open attachments, click links, or divulge sensitive information. These subject lines referenced invoices, account updates, returned emails, and local emergency services.
The NJCCIC recommends that users avoid clicking links, opening attachments, or enabling macros delivered with emails from unknown senders, and exercise caution with emails from known senders. Users are advised to maintain awareness of commonly used tactics in malicious email campaigns, such as impersonating an entity of authority or conveying a sense of urgency. More information can be found under the social engineering section of the NJCCIC website.