• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Free Trial
  • Contact us
  • Blog
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Products
    • Product
      • Cisco Umbrella Cloud Security Service
      • Cisco Umbrella Investigate
      • Product Packages
      • Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Interactive Intelligence
      • Cloud-Delivered Firewall
    •  
    • Webinar signup
  • Solutions
    • By Need
      • Protect Mobile Users
      • Fast Incident Response
      • Web Content Filtering
      • Shadow IT Discovery & App Blocking
      • Unified Threat Enforcement
      • Reduce Security Infections
      • Secure Direct Internet Access
      • Securing Remote and Roaming Users
    • By Network
      • Protect Guest Wi-Fi
      • SD-WAN Security
      • Off-Network Endpoint Security
    • By Industry
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
      • Our Customers
      • Customer Stories
    • Ransomware Defense for Dummies book
  • Why Us
    • Fast Reliable Cloud
      • Cloud Security Infrastructure
      • Cloud Network Status
      • Cloud Network Activity
      • Recursive DNS Services
      • Top Reasons to Trial
      • Getting Started
    • Unmatched Intelligence
      • Cyber Attack Prevention
      • Interactive Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco SD-WAN
    • Navigation-dropdown-promo-free-trial_102820
  • Resources
    • Content Library
      • Top Resources
      • Analyst Reports
      • Case Studies
      • Customer Videos
      • Datasheets
      • eBooks
      • Infographics
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Cisco Umbrella Blog
      • Latest Posts
      • Security Posts
      • Research Posts
      • Threats Posts
      • Product Posts
      • Spotlight
    • For Customers
      • Support
      • Customer Success Hub
      • Umbrella Deployment Hub
      • Customer Success Webinars
      • What’s New
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
      • Secure Access Service Edge (SASE)
    • Security Threats
      • Ransomware
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
    •  
    • 2020 Cybersecurity trends
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Become a partner
  • Free Trial Signup
  • Umbrella Login
  • Cloudlock Login
  • Contact Us
Security

Grammar and Spelling Errors in Phishing and Malware

By Josh Pyorre
Posted on February 8, 2016
Updated on March 4, 2020

Share

Facebook0Tweet0LinkedIn0

jpyorre_blogpost_20160204_TitleMistakes happen. You’re in a hurry or spell check modifies a word, creating a grammatical error in its place.
But what about all the poorly written phishing emails, off-putting malware names or their misspelled user agents?
Cybercriminals are able to write a program and orchestrate a maze of elaborate fraud schemes, but just can’t seem to get the wording right. If those criminals can put so much effort into creating phishing attempts that appear to be from a legitimate bank, why wouldn’t they also proofread emails or double check the user agent used in C&C communications.
Let’s take a look at some examples, starting with malware.
Upatre has been used as a dropper that installs banking malware like Zeus or Dyre. Those malware families typically attempt to capture banking credentials on a victim’s computer. Upatre is often delivered via a phishing email (which was probably misspelled).
When Upatre calls out, it attempts to look like legitimate traffic. The traffic has a HTTP GET request and a user agent, but the user agent is a bit off.jpyorre_blogpost_20160204_UpatreThis spelling oversight makes it much easier to detect and mitigate. The following IDS rule looks for exactly that misspelled user agent:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Mazilla Suspicious User-Agent Jan 15 2015″; flow:established,to_server; content:”User-Agent|3a| Mazilla/”; http_header; fast_pattern:12,7; reference:url,malware-traffic-analysis.net/2015/01/15/index.html; classtype:trojan-activity; sid:2020235; rev:3;)

Another example isn’t actually malware. It’s a check-in for an LG brand smart TV.
The network traffic looks like it’s from a web browser. However, the user agent is misspelled. This would trigger an IDS alert if it was looking for unusual user agents with regex patterns, and it would probably be classified as a false positive after some quick incident response.
jpyorre_blogpost_20160204_Samsung
Let’s switch over to phishing. The following three samples were seen in the wild. They are either missing some words that are considered important when completing sentences in English, or they simply read as if a child wrote them.
This email wants the victim to validate an email account because it’s full:
jpyorre_blogpost_20160204_example1
This email is stating that the victim needs to upgrade an email account to an unlimited data plan:
jpyorre_blogpost_20160204_example2
And this one actually wants you to send your username and password in the reply:
jpyorre_blogpost_20160204_example3
In an attempt to guess at what’s going on, we’re going to create our own phishing email targeted at an English speaker, but written from the perspective of a phishing author who doesn’t speak English. The assumption is that the author would write a grammatically correct email in their language and then use Google translate to convert it to English.
Here’s our legitimate-sounding phishing email, written in English before using google translate:
Dear Card holder,
We have detected unusual login activity associated with your bank account.
Please re-confirm your account information and update your profile with us by visiting the following page:
<link>
Thank you for being a valued customer.
2014 American Express Account Security
Fraud Prevention Network.
Andrew Mei, one of our previous security research interns, wrote a grammatically correct version of this email in Cantonese. We then used Google translate to convert it to English. Here’s what we got:
jpyorre_blogpost_20160204_cantonese
Andrew mentioned that the term, “Dear CardHolders” is something one might say to a lord over a hundred years ago and there isn’t an equivalent term in English.
“If you are a club member” is odd since you should be a “member” if receiving the email, and what “club” is this?
And finally, the lack of punctuation creates a run-on sentence.
jpyorre_blogpost_20160204_cantonese_grammar_fixFor the next version, Artsiom Holub, our Russian-speaking security analyst, wrote a grammatically correct version of the text in Russian, which was translated to English using Google translate:
jpyorre_blogpost_20160204_russian
This looks a little better than the Cantonese version, but still has errors. There’s a “(th)” between “Dear” and “card holder” and the signature line is messed up. However, it’s got the right punctuation and doesn’t mention anything about “club members.”
IDS signatures will catch malicious software with misspelled user agents and other attributes, but email is often not passed in the clear. Additionally, IDS signatures are fairly ineffective against bulk text seen in an email.
Since all phishing emails are going to be sent without end-to-end encryption (unless it’s some sort of advanced, targeted attack in which a private encryption key might already have been compromised), emails could possibly be analyzed on the wire using natural language processing.
OpenDNS already utilizes natural language processing along with other techniques to automatically classify unusual domain names seen being requested by users of OpenDNS. If a client is performing a DNS lookup for paypa1[.]com (notice the number 1 instead of the letter ‘L’), we will automatically use that information in classifying that domain as malicious.
With just a little effort from an enterprising system administrator, it could be possible to build a local system using similar techniques to analyze the clear text emails as they come into an email pooling system.
The errors in phishing are useful though. The emails that make it past spam filters have one final filter to pass through: the user. Vigilance in reading the email and noting where it originated and how it uses language are great steps in staying secure from phishing.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Cisco Umbrella Blog
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Cisco Umbrella

Learn more

  • Events
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2021 Cisco Umbrella