Cybercriminals Use Social Engineering Emails to Successfully Penetrate Corporate Networks

FireEye Research Provides Top Words Cybercriminals Utilize in Fake Emails to Infect Corporate Networks and Steal Data

FireEye®, Inc., the leader in stopping advanced cyber attacks, today announced the release of "Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data," a report that identifies the social engineering techniques cybercriminals use in email-based advanced cyber attacks. According to the report, the top words cybercriminals use create a sense of urgency to trick unsuspecting recipients into downloading malicious files. The top word category used to evade traditional IT security defenses in email-based attacks relates to express shipping.

According to recent data from the FireEye "Advanced Threat Report," for the first six months of 2012, email-based attacks increased 56 percent. Email-based advanced cyber attacks easily bypass traditional signature-based security defenses, preying on naïve users to install malicious files.

"Cybercriminals continue to evolve and refine their attack tactics to evade detection and use techniques that work. Spear phishing emails are on the rise because they work," said Ashar Aziz, founder and CEO, FireEye. "Signature-based detection is ineffective against these constantly changing advanced attacks, so IT security departments need to add a layer of advanced threat protection to their security defenses."

"Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data" explains that express shipping terms, including "DHL", "UPS", and "delivery," are included in about one quarter of attacks. Urgent terms such as "notification" and "alert" are included in about 10 percent of attacks. An example of a malicious attachment is ""

The report indicates that cybercriminals also tend to use finance-related words, such as the names of financial institutions and an associated transaction such as "Lloyds TSB - Login Form.html," and tax-related words, such as "" Travel and billing words including "American Airlines Ticket" and "invoice" are also popular spear phishing email attachment key words.

Spear phishing emails are particularly effective as cybercriminals often use information from social networking sites to personalize emails and make them look mostly authentic. When unsuspecting users respond, they may inadvertently download malicious files or click on malicious links in the email, allowing criminal access to corporate networks and the potential exfiltration of intellectual property, customer information, and other valuable corporate assets.

The report highlights that cybercriminals primarily use zip files in order to hide malicious code, but also ranks additional file types, including PDFs and executable files.

"Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data" is based on data from the FireEye Malware Protection Cloud™, a service shared by thousands of FireEye appliances around the world, as well as direct malware intelligence uncovered by its research team. The report provides a global view into email-based attacks that routinely bypass traditional security solutions such as firewalls and next-generation firewalls, IPS, anti-virus and gateways.

The full report, which includes lists of the words and file extensions used by cybercriminals in email-based advanced cyber attacks, is available for download here.

About the FireEye Malware Protection Cloud

The FireEye Malware Protection Cloud offers real-time security data sharing among interconnected FireEye appliances deployed within customer networks, technology partner networks, and service providers around the world. This worldwide cloud shares auto-generated malware security intelligence, such as exploit tactics, malware signatures, and covert callback channels, as well as findings from the FireEye Malware Intelligence Lab.

About FireEye, Inc.

FireEye is the FireEye solutions supplement traditional and next-generation firewalls, IPS, anti-virus, and gateways, which cannot stop advanced threats, leaving security holes in networks. FireEye offers the industry's only solution that detects and blocks attacks across both Web and email threat vectors as well as latent malware resident on file shares. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, and Juniper Networks.

Media Contact


Lisa Matichak

Katherine Nellums


# # #

FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.