Despite a lone report claiming that online piracy is the primary source of malware, spam still reigns supreme as today's main infection vector and the go-to tool of online criminals, according to a report published yesterday by Finnish cyber-security firm F-Secure.
Experts say that one of the main reasons why spam still works is that users are still failing at recognizing spam. Users are having a hard time picking up spam despite spam being more than a 40-year-old trick. This has led to users clicking on spam emails more than ever.
F-Secure reports that spam email click rates have gone up from the 13.4% recorded in the second half of 2017 to 14.2% recorded in the first half of the year.
With browsers and operating systems getting harder to hack via exploit kits and vulnerabilities, spam has been the safety net on which most cybercriminal operations have fallen on.
"Of the spam samples we’ve seen over spring of 2018, 46% are dating scams, 23% are emails with malicious attachments, and 31% contain links to malicious websites," said Päivi Tynninen, Threat Intelligence Researcher at F-Secure.
"We’ve found that just five file types make up 85% of malicious attachments," Päivi added. "They are ZIP, .DOC, .XLS, .PDF, and .7Z."
F-Secure says cybercriminals have not found in spam campaigns a novel and newly efficient infection method. Spam is as inefficient as it ever was, even despite its recently observed increased click rate.
"The technique still relies on spewing out massive numbers of emails in order to snare a tiny number of users," F-Secure said in its report.
But despite the lowly click rate, spam still works better than all alternatives, and criminals are continually refining their tactics to deliver spam with better results.
F-Secure says that the probability of a recipient opening a spam email increases with 12% if the email claims to come from a known individual.
Having a subject line free from errors also improves a spam campaign's success rate by 4.5%, while phishing emails stating that they are very urgent get less traction than when the urgency is implied, rather than spelled out.
These subtle wordings and email design tricks are now the frontline of the cyber-security industry. With exploit kits beaten to a pulp, spam is all that's left.
"We’ve reduced criminals to spam, one of the least effective methods of infection," said Sean Sullivan, an F-Secure Security Advisor. "Anti-malware is containing nearly all commoditized, bulk threats. And honestly, I don’t see anything coming over the horizon that could lead to another gold rush so criminals are stuck with spam."
Unless users are using a really old browser and OS, they can easily avoid getting infected with malware these days by learning to recognize spam when it slips through spam filters.