Security

Grammar and Spelling Errors in Phishing and Malware

By Josh Pyorre
Posted on February 8, 2016
Updated on March 4, 2020


Mistakes happen. You’re in a hurry, or spell check replaces a word and creates a grammatical error in its place.
But what about all the poorly written phishing emails, off-putting malware names, or misspelled user agents?
Cybercriminals are able to write a program and orchestrate a maze of elaborate fraud schemes, but they just can’t seem to get the wording right. If those criminals can put so much effort into creating phishing attempts that appear to be from a legitimate bank, why wouldn’t they also proofread their emails or double-check the user agent used in C&C communications?
Let’s take a look at some examples, starting with malware.
Upatre has been used as a dropper that installs banking malware like Zeus or Dyre. Those malware families typically attempt to capture banking credentials on a victim’s computer. Upatre is often delivered via a phishing email (which was probably misspelled).
When Upatre calls out, it attempts to look like legitimate traffic. The traffic has an HTTP GET request and a user agent, but the user agent is a bit off.
[Image: Upatre HTTP GET request showing the misspelled user agent]
This spelling oversight makes it much easier to detect and mitigate. The following IDS rule looks for exactly that misspelled user agent:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mazilla Suspicious User-Agent Jan 15 2015"; flow:established,to_server; content:"User-Agent|3a| Mazilla/"; http_header; fast_pattern:12,7; reference:url,malware-traffic-analysis.net/2015/01/15/index.html; classtype:trojan-activity; sid:2020235; rev:3;)

Another example isn’t actually malware. It’s a check-in for an LG brand smart TV.
The network traffic looks like it’s from a web browser. However, the user agent is misspelled. This would trigger an IDS alert if it was looking for unusual user agents with regex patterns, and it would probably be classified as a false positive after some quick incident response.
[Image: smart TV check-in request showing the misspelled user agent]
Let’s switch over to phishing. The following three samples were seen in the wild. They are either missing words that English sentences need in order to read naturally, or they simply read as if a child wrote them.
This email wants the victim to validate an email account because it’s full:
[Image: phishing email sample 1, the "mailbox is full" lure]
This email states that the victim needs to upgrade an email account to an unlimited data plan:
[Image: phishing email sample 2, the "unlimited data plan" lure]
And this one actually wants you to send your username and password in the reply:
[Image: phishing email sample 3, asking for credentials by reply]
In an attempt to guess at what’s going on, we’re going to create our own phishing email targeted at an English speaker, but written from the perspective of a phishing author who doesn’t speak English. The assumption is that the author would write a grammatically correct email in their own language and then use Google Translate to convert it to English.
Here’s our legitimate-sounding phishing email, written in English before any translation:
Dear Card holder,
We have detected unusual login activity associated with your bank account.
Please re-confirm your account information and update your profile with us by visiting the following page:
<link>
Thank you for being a valued customer.
2014 American Express Account Security
Fraud Prevention Network.
Andrew Mei, one of our previous security research interns, wrote a grammatically correct version of this email in Cantonese. We then used Google Translate to convert it to English. Here’s what we got:
[Image: Google Translate output of the Cantonese version]
Andrew mentioned that the term “Dear CardHolders” is something one might have said to a lord over a hundred years ago, and there isn’t an equivalent term in English.
“If you are a club member” is odd since you should be a “member” if receiving the email, and what “club” is this?
And finally, the lack of punctuation creates a run-on sentence.
[Image: the Cantonese translation with its grammar problems marked]
For the next version, Artsiom Holub, our Russian-speaking security analyst, wrote a grammatically correct version of the text in Russian, which was then translated to English using Google Translate:
[Image: Google Translate output of the Russian version]
This looks a little better than the Cantonese version, but still has errors. There’s a “(th)” between “Dear” and “card holder” and the signature line is messed up. However, it’s got the right punctuation and doesn’t mention anything about “club members.”
IDS signatures will catch malicious software with misspelled user agents and other fixed attributes, but email is often not passed in the clear. Additionally, IDS signatures are fairly ineffective against the bulk free text of an email body.
Since all phishing emails are going to be sent without end-to-end encryption (unless it’s some sort of advanced, targeted attack in which a private encryption key might already have been compromised), emails could possibly be analyzed on the wire using natural language processing.
OpenDNS already utilizes natural language processing along with other techniques to automatically classify unusual domain names seen being requested by users of OpenDNS. If a client is performing a DNS lookup for paypa1[.]com (notice the number 1 instead of the letter ‘L’), we will automatically use that information in classifying that domain as malicious.
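As an added example that is not code from the original post, the following Python near-miss detector covers both the misspelled user agent in the Upatre traffic above and the paypa1[.]com look-alike domain: it folds look-alike characters (1 for l, 0 for o, and so on), measures edit distance against a watch-list of genuine strings, and flags only strings that are almost, but not exactly, the real thing. The watch-lists, the distance threshold, and the sample request and query data are assumptions constructed for this example.

```python
import re

# Constructed watch-lists for this example: strings a legitimate client actually sends.
LEGIT_UA_PRODUCTS = ["Mozilla"]
PROTECTED_DOMAINS = ["paypal.com", "americanexpress.com"]

# Digits and symbols that stand in for letters in look-alike names (1 for l, 0 for o, ...).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "$": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with the classic two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(candidate: str, legit: str, max_dist: int = 1) -> bool:
    """True when candidate is almost, but not exactly, the legitimate string."""
    cand, legit = candidate.lower(), legit.lower()
    if cand == legit:
        return False  # the genuine string is never a near miss
    return edit_distance(cand.translate(CONFUSABLES), legit) <= max_dist


def flag_user_agent(request: str):
    """Return the product a misspelled User-Agent imitates (Mazilla -> Mozilla), else None."""
    m = re.search(r"^User-Agent:\s*([A-Za-z0-9|$]+)/", request, re.M | re.I)
    if not m:
        return None
    return next((p for p in LEGIT_UA_PRODUCTS if near_miss(m.group(1), p)), None)


def flag_domain(fqdn: str):
    """Return the protected domain a queried name imitates (paypa1.com -> paypal.com), else None."""
    registered = ".".join(fqdn.lower().rstrip(".").split(".")[-2:])  # last two labels only
    return next((d for d in PROTECTED_DOMAINS if near_miss(registered, d)), None)


# Constructed samples: a Mazilla-style check-in, a normal browser request, and a few DNS queries.
UPATRE_REQUEST = "GET /check-in HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mazilla/5.0\r\n\r\n"
BROWSER_REQUEST = "GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0 (X11)\r\n\r\n"
DNS_QUERIES = ["www.paypa1.com", "www.paypal.com", "login.amer1canexpress.com"]

if __name__ == "__main__":
    print(flag_user_agent(UPATRE_REQUEST), flag_user_agent(BROWSER_REQUEST))
    print([(q, flag_domain(q)) for q in DNS_QUERIES])
```

A distance threshold of 1 keeps false positives low on short product names; widen it only for long brand names, where a single edit is a weaker signal of imitation.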
With just a little effort, an enterprising system administrator could build a local system using similar techniques to analyze clear-text emails as they arrive in an email pooling system.
The errors in phishing are useful, though. The emails that make it past spam filters have one final filter to pass through: the user. Reading an email carefully, and noting where it originated and how it uses language, is a great step toward staying safe from phishing.
