Targeted Spam: An Unfair Blow to Security
November 5, 2009 at 11:40 am
Today, I feel like telling you a true story that happened at Fortinet, the story of Jane Doe.
Jane Doe works for Human Resources at the reception desk, so she is used to receiving lots of mail, UPS or DHL parcels for the company. Some time ago, Jane received an e-mail from DHL, notifying her they had been unable to deliver a parcel (see figure below). She does handle plenty of DHL parcels every day, consequently, she did not give this e-mail any particular attention and, quite absent-mindedly, tried to open the attachment. Fortunately, she did not manage to unzip anything because the attachment had been removed by FortiMail. Only then did Jane realize there was something strange about the e-mail.

Figure 1. Bredolab spam example. Apart from the sender, they look real.
Apart from covert advertisement for FortiMail ;) this example just perfectly illustrates the efficiency of targeted spamming. Forge a plausible e-mail (as a matter of fact, UPS or DHL often include attachments in their e-mails to track this or that parcel) and send it to the right mailbox (a person expecting DHL parcels): this is close to guaranteed infection. Proof: it would have worked even at Fortinet where employees are particularly well-aware of the dangers of viruses. So, spammers, please don’t do this: it is an unfair blow.
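The two cues the post gives (a courier brand claimed in the sender name or subject while the actual sender domain is not the courier's, plus a ZIP attachment) can be turned into a simple gateway check. This is an added example, not the post's code and not how FortiMail works; the brand-to-domain table and the sample message are constructed for illustration.

```python
"""Courier-brand impersonation check on inbound mail (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Assumed brand -> legitimate sender domains (constructed for this example).
COURIER_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "ups": {"ups.com"},
}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")

def assess_message(raw: bytes) -> dict:
    """Return the claimed brand, real sender domain, risky attachment names and
    a verdict: 'strip' when a courier brand is claimed from a foreign domain
    and a risky attachment is present, otherwise 'deliver'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # The brand is whichever courier name appears in the display name or subject.
    claimed_text = f"{display_name} {msg.get('Subject', '')}".lower()
    brand = next((b for b in COURIER_DOMAINS if b in claimed_text), None)
    risky = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]
    # A subdomain of a legitimate domain (e.g. mail.dhl.com) counts as legitimate.
    legit = brand is not None and any(
        domain == d or domain.endswith("." + d) for d in COURIER_DOMAINS[brand]
    )
    verdict = "strip" if (brand and not legit and risky) else "deliver"
    return {"brand": brand, "sender_domain": domain,
            "risky_attachments": risky, "verdict": verdict}

# Constructed sample resembling the DHL lure in the post: brand in the display
# name and subject, sender at an unrelated domain, ZIP attachment (empty archive).
SAMPLE_LURE = (
    b"From: DHL Customer Service <notify@example.net>\r\n"
    b"To: reception@example.com\r\n"
    b"Subject: DHL delivery failure notification\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nWe were unable to deliver your parcel.\r\n"
    b"--b1\r\nContent-Type: application/zip; name=\"DHL_label.zip\"\r\n"
    b"Content-Disposition: attachment; filename=\"DHL_label.zip\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(assess_message(SAMPLE_LURE))
```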
Incidentally, we had a look at the stats of our scanning system. There was a large spike of DHL spam, peaking on October 13th (around 3,000 spam mails collected by our system), which has recently tapered off. This was up from about 50-100 spam mails per day in mid-to-late September. This spam campaign infects victims with Bredolab.
Guillaume Lovet, Derek Manky, Doug McDonald, Alexandre Aumoine and Jane Doe are the main contributors to this blog entry. Many thanks!
