Beware document-based malware, warns Sophos researcher James Lyne

Hackers turn to document-based malware as users wise up to malicious email attachments and web links, warns Sophos research chief James Lyne

Cyber attackers are turning to document-based malware as users wise up to malicious email attachments and web links, James Lyne, global head of security research at Sophos, has warned.

“We are seeing a big shift to attacks using macros embedded in documents,” Lyne told attendees of RSA Conference 2015 in San Francisco.

Lyne said a study showed that while only 1 in 200 participants (0.5%) would open an email attachment and 70% would click on a web link, 98.5% would open a document file.

“Most people do not think of document files as being a security risk, which is why we are seeing a massive shift to using malware embedded in documents to launch attacks,” he said.

This is being coupled with high-quality social engineering methods such as sending spoofed emails containing malicious documents.

Lyne, for example, said he recently received an email that appeared to be from someone he knows, asking to meet up and accompanied by a malicious document file.

To entice him into opening the document, the spoofed email said: “Please check my itinerary and let me know when we can meet.”


Trend towards data destruction

Lyne said this kind of social engineering attack is worrying because the conversion rate of such high-quality but simple cons could be “astonishingly high”.

Another worrying trend Sophos researchers have identified is the increasing use of destructive document-based malware such as CyCoomer.

Opening a document booby-trapped with CyCoomer will result in the deletion of all files on the victim’s computer and network-connected drives.

“We have not seen this kind of wanton destruction for years,” said Lyne.

He also warned that mainstream cyber criminals are becoming extremely “technically competent” and are routinely outperforming so-called advanced persistent threat (APT) actors that include nation states.

Wi-Fi experiment shows lax awareness

But Lyne said cyber criminals also continue to take advantage of organisations’ poor patching practices and employees’ poor Wi-Fi habits.

He said many successful attacks use exploits that have been patched up to three months before. An experiment in New York showed that no-one read the licence agreement for a Wi-Fi hotspot set up by Sophos researchers before connecting.

“We warned in the end user licence agreement (Eula) that we were conducting an experiment to see if we could phish personal details, yet 2,000 people clicked on the ‘agree’ button to connect to the hotspot – within 1.3 seconds on average,” said Lyne.

The Wi-Fi study showed that, of those who connected to what was essentially an unknown free hotspot, only 1% were using a virtual private network (VPN) connection and, in one and a half hours, 100 people connecting to the hotspot entered their credit card details to a company they had never heard of.

Keep software patches up to date

“Before organisations get hung up on advanced attacks, they need to address basic security threats and to better equip end users to recognise and respond appropriately to social engineering attacks, which are likely to increase as software and systems become more difficult to exploit,” said Lyne.

He said many organisations need to address the fact that they are not using the most up-to-date versions of software that have been hardened against known attack methods.

Many organisations also need to improve security practices such as using longer, more complex passwords, he said, and to stop paying attention to “sacred cows” such as the belief that users take a long time to adopt and adapt to new processes.

Lyne emphasised the importance of ongoing user education and reiterated the threat of document-based malware.

“These attacks are proving to be extremely successful and end users need to be educated not to trust documents and to be wary of clicking on buttons to ‘enable content’ or ‘turn on macros’,” he said.
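Lyne’s advice is aimed at users; the complementary control on the defender’s side is to flag macro-bearing documents before they reach an inbox. As an added example (not from the article or from Sophos), this Python check inspects an Office Open XML container for a VBA project part, looking at both the part list and the declared content types; the sample documents it builds are constructed in memory, and the content-type strings are the standard OOXML ones.

```python
import io
import zipfile
from typing import List

# Constructed minimal Office Open XML packages for the demonstration.
# A real .docx/.docm carries a full part tree; only the parts this
# check inspects are included here.
_TYPES_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
)
_DOC_PART = ('<Override PartName="/word/document.xml" ContentType="application/'
             'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
_VBA_PART = ('<Override PartName="/word/vbaProject.bin" '
             'ContentType="application/vnd.ms-office.vbaProject"/>')


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed OOXML package, with or without a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = _DOC_PART + (_VBA_PART if with_macro else "")
        zf.writestr("[Content_Types].xml", _TYPES_HEAD + parts + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-packed VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def find_macro_indicators(data: bytes) -> List[str]:
    """Return evidence that an OOXML file carries a VBA project.

    Both the part list and [Content_Types].xml are checked, because a
    filename-only rule misses a renamed part while the content type still
    declares it. Legacy binary .doc (OLE2) files are not zip containers and
    need a separate OLE parser, so they are reported rather than parsed."""
    hits: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML (zip) container"]
    names = zf.namelist()
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            hits.append(f"part present: {name}")
    if "[Content_Types].xml" in names:
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "application/vnd.ms-office.vbaProject" in types_xml:
            hits.append("content type declares vbaProject")
    return hits
```

An empty list means no VBA project was found; any entry is a reason to quarantine or strip the document rather than rely on the user declining “enable content”.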
