Security Firm Identifies Top Words Used in Spear-Phishing Attacks

A new report from security software company FireEye details the top words used in malicious attachments and emails distributed by spear-phishers.

Time and time again, social engineering has shown itself to be one of the most effective tactics attackers use to defeat enterprise security.

In a new research paper, security firm FireEye has identified the most common social engineering techniques used in spear-phishing attacks targeting enterprises. In an analysis of the threat landscape last month, Symantec reported the global phishing rate in August increased slightly to roughly one in 312.9 emails that contained some sort of phishing attack.

Most of the organizations spoofed in the attacks, Symantec noted, were e-commerce businesses (39.31 percent), information services (32.31 percent) and banks (27.01 percent).

According to FireEye's report, the world's cybercriminals look to create a sense of urgency to trick unsuspecting victims into downloading malicious files. During the first half of the year, the malicious file names detected by FireEye tend to use the words 'DHL' (23.42 percent), 'notification' (23.37 percent) and 'delivery' (12.35 percent). During the second half of 2011, the top three most common words used in malicious file names were 'label', 'invoice' and 'post.'

"One way cybercriminals fool users is by sending files purporting to be notifications about express shipments," FireEye notes in the report. "Given the ubiquity of these services, and their inherent importance and urgency, users are being compelled to open malicious files labeled with shipping-related terms.

“This ploy is one of the most common. Shipping and postage-related terms made up over 26 percent of words featured in malicious file names, and comprised 7 of the 10 most common words identified in the first half of 2012. File names such as DHL,, and represent samples of the types of file names criminals are using," the FireEye report states.

By far, .zip files were the most common malicious attachments seen by FireEye, compromising 76.91 percent of the file extensions used by attackers. Next on the list were PDF files, which accounted for 11.79 percent.

"Cybercriminals continue to evolve and refine their attack tactics to evade detection and use techniques that work," said Ashar Aziz, CEO of FireEye, in a statement. "Spear-phishing emails are on the rise because they work.”

Beyond terms tied to mail services, FireEye also found that cybercriminals favor words related to finance, such as the names of financial institutions and associated transaction such as '' or tax-related words like '' Travel and billing words such as “American Airlines Ticket” and “invoice” are popular in spear-phishing email attachment as well.

Ali Mesdaq, security researcher at FireEye, said organizations should use this information to better educate users about typical attack strategies.

"Most of these attacks trick users into opening attachments because they think it's urgent or important," he said. "If users were educated on what to look out for then they would not open these attachments so easily."

"There are many things security vendors can do with this and other related information to improve detection," he added. "The main thing is to understand the trends and respond appropriately and if possible preemptively. Understanding how attackers are socially engineering users allows vendors to be better prepared."