A security firm has released an interesting survey of trends in the most popular words used in phishing emails. Trying to get the targets to click on a malicious attachment, crooks went from preferring “label,” “invoice,” and “post” in the second half of 2011 to “DHL,” “notification,” and “delivery” in the first half of 2012.
Indeed, both of the top-20 lists are dominated by shipping-related keywords. This seems odd at first: normally you think of phishing scams as offering up links to reverse fraudulent transactions or “confirm your account password.”
As I suggested a long time ago, though, much more effective than phishing is spear-phishing. If the attacker can craft a malicious email that fits within the target’s normal window of experience, the attack is much more likely to succeed. Usually this means using keywords and people’s names the attacker knows the target is familiar with. Shipping and delivery confirmations represent a wonderful way to integrate this sort of knowledge into an attack, e.g. by using the target’s shipper of choice and the name of a sender or recipient with whom the target already exchanges many packages.
“The top words cybercriminals use create a sense of urgency, to trick unsuspecting recipients into downloading malicious files. The top word category used to evade traditional IT security defenses in email-based attacks relates to express shipping, according to FireEye.
Urgent terms such as “notification” and “alert” are included in about 10 percent of attacks. An example of a malicious attachment is “UPS-Delivery-Confirmation-Alert_April-2012.zip.”
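
As an added example (not from the post or from FireEye), here is a sketch of attachment-name triage built on the keywords quoted above. The grouping into themes, the archive extensions other than .zip, the two-signal threshold and every sample filename except the UPS one are assumptions.

```python
import re

# Keywords quoted in the post; grouping them into themes is an assumption.
SHIPPING = {"dhl", "ups", "delivery", "label", "post", "invoice"}
URGENCY = {"notification", "alert"}
# Only .zip appears in the post; the other extensions are assumptions.
ARCHIVES = {"zip", "rar", "7z"}


def split_name(filename):
    """Return (set of lowercase word tokens in the stem, extension)."""
    lowered = filename.lower()
    stem, dot, ext = lowered.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = lowered, ""
    # Tokenise on anything that is not a letter or digit, so "UPS" matches
    # as a whole word but "backups" or "postmortem" do not.
    return {t for t in re.split(r"[^a-z0-9]+", stem) if t}, ext


def triage(filename):
    """Return (score, reasons); one point per signal category present."""
    words, ext = split_name(filename)
    reasons = []
    for label, vocab in (("shipping", SHIPPING), ("urgency", URGENCY)):
        hits = sorted(words & vocab)
        if hits:
            reasons.append(label + ":" + ",".join(hits))
    if ext in ARCHIVES:
        reasons.append("archive:" + ext)
    return len(reasons), reasons


def is_suspicious(filename, threshold=2):
    """Assumed policy: a single signal is too common to act on alone."""
    return triage(filename)[0] >= threshold


if __name__ == "__main__":
    samples = [
        "UPS-Delivery-Confirmation-Alert_April-2012.zip",  # from the post
        "DHL_notification.pdf",                            # constructed
        "backups-groups-2012.zip",                         # constructed
        "postmortem-notes.pdf",                            # constructed
    ]
    for name in samples:
        print(is_suspicious(name), triage(name), name)
```

A hit here is a reason to look closer, not a verdict, and the word lists need refreshing as the popular terms shift from one half-year to the next.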