NetworkTigers discusses the file types preferred by hackers.
Cybercriminals, hackers and threat actors keep security experts on their toes with their shifting tactics and approaches to network infiltration and data theft. However, they are not without their preferences. The three file types most often used to deliver malware to victims are archive files, Microsoft Office documents and PDFs.
ZIP and RAR archive file types
Archives like ZIP and RAR files are attractive to hackers because they are easily password-protected, and an encrypted archive cannot be inspected by most security software until someone supplies the password. Criminals who use social engineering tactics can create files that appear legitimate and convince their victims to download them without a second thought. An archive has to be opened before its contents can be viewed and inspected, so the mere act of looking inside already sets the stage for an attack.
While Microsoft Office documents were historically the favored vehicle, archive files have been growing in popularity among criminals. According to research from HP Wolf Security, 44% of malware was delivered in archives in the most recent quarter measured, an 11% increase from the previous quarter. This surge made ZIP and RAR files the most common way hackers spread malware, overtaking Microsoft Office documents for the first time.
Microsoft Office documents
Files associated with Microsoft Office (.doc, .docx, .xls, .xlsx, along with the macro-enabled .docm and .xlsm formats) are often weaponized by criminals. These documents can harbor VBA macros that run scripts when the document is opened, letting an attacker execute code on the victim's machine and download further malware. Note that the newer .docx and .xlsx formats cannot carry macros themselves; a macro-bearing file uses the legacy .doc or .xls format or the macro-enabled .docm or .xlsm variants, which is one reason to treat those extensions with extra suspicion, although a .docx can still be weaponized through embedded objects or a reference to a remote template.
Office files are widely used and distributed in professional settings, so they provide an effective platform to launch attacks. Someone who opens, creates and manages dozens of benign files within Office daily is unlikely to view each new document as a potential vector for danger, making them an ideal delivery system for malicious code.
Attacks of this nature are difficult for platform developers such as Microsoft to patch reliably, as most rely on exploiting user behavior rather than a flaw in the software: the user is persuaded to click "Enable Content" and the macro then runs exactly as designed. This adds to their effectiveness and makes them consistently popular among criminals. The most effective countermeasure so far has been a default change rather than a patch: since 2022, Office has blocked macros by default in files carrying the mark of the web (anything downloaded or received as an email attachment), a change widely credited with pushing criminals toward the archive formats described above.
PDF file types
Cybercriminals also booby-trap PDF files with links that send victims to malicious websites where they may be asked to submit login credentials or download malware directly. In cases of this nature, it is entirely up to the recipient to determine the validity of the PDF, as the document itself contains no executable code and security software has little of substance to flag. This type of attack can be targeted at a specific person or blasted to many recipients in a phishing campaign.
It may seem like a hack of this nature would only be effective against those unfamiliar with best practices regarding online safety. However, a code-laden PDF file was at the heart of the recent hack of Axie Infinity, a lucrative crypto gaming platform. A senior engineer at the company was tricked into applying for a fraudulent employment opportunity. The PDF they received carried spyware, and the resulting intrusion ended with $622 million being drained from the platform by North Korean hackers.
Why do hackers favor these files?
A common thread running through these preferred file types is comfort. Criminals prey on people when their guard is down, just as a thief favors a neighborhood that feels safe.
While even a novice user may think twice before opening a .exe file, even one delivered from a supposedly trustworthy source, the familiarity that people have with ZIP, Office and PDF files makes them easy to deliver and unlikely to trigger any red flags. Many people are surprised to learn that the platform they use so often to create spreadsheets for daily work can be turned against them in a way that could bring their organization to its knees.
Modern hackers attack on all fronts
While the three file types described here are the most commonly subverted, hackers can bend almost any file type to their will and make it dangerous.
Today’s most effective cybercriminals rely just as much on taking advantage of human nature as they do exploitable software or network weaknesses. While spray-and-pray phishing campaigns that play the numbers game by blasting emails to thousands of recipients are still employed, savvy threat actors know that gaining a victim’s trust via social engineering can open doors more efficiently than fruitlessly chipping away at a network’s outer defenses.
This trust can be gained via email or chat exchanges and, in some cases, even over the telephone, where an actual person on the other end of the line delivers files to victims under the guise of tech support. Some criminal enterprises even run entire call centers to add a more "trustworthy" human element to their schemes.
How to protect yourself against malicious files
Unfortunately, protection against weaponized files of this nature is hard to achieve. The notion of simply engaging an antivirus program and allowing it to work in the background while you surf the web with reckless abandon is antiquated.
Preventing a hack takes personal diligence and an abundance of caution. Users need to be acutely aware of the tactics that criminals employ and be on guard for danger lurking in places that feel otherwise secure.
If you receive a file of any type, the following steps should be taken to verify that it is safe to open:
- Reach out to the sender. Check in with the friend, coworker or associate who sent the file. Confirm that they are the actual sender, as compromised accounts are often used to deliver malware to entire contact lists. If they received the file from someone else, ensure it has been safely opened and found harmless.
- Check for double extensions. If you receive a file posing as a .jpeg but ending with an additional ".exe," avoid it. Double extensions are used to disguise a file's true nature, and the final extension in a file name is the only one that determines how the system treats it. Be aware that Windows hides the final extension of known file types by default, so "vacationphoto.png.exe" may appear in Explorer as just "vacationphoto.png"; turn that setting off so you can see the real extension, and think twice if a coworker sends you a "photo" that turns out to end in .exe.
- Trust your gut. Phishing scams have become hard to tell from real messages. An email supposedly sent from your bank may check all the visual boxes, but remember that most professional organizations have strict policies concerning asking for login credentials via email or attaching files of any type to customer emails. If something seems amiss, don’t take the bait!
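As an added example (not NetworkTigers' code, and not the tooling any of the cited reports used), the following Python script performs the attachment checks this article describes before anyone double-clicks: the double-extension test from the list above, the encrypted and nested members that make the ZIP archives in the first section hard to scan, the VBA project or remote-template reference inside an Office document, and a raw-byte look at a PDF for links and auto-run actions. Every sample file is constructed in memory and harmless, the host names in them are invented, and "olevba" refers to the real oletools utility. RAR is only flagged by extension here, since the standard library has no RAR reader.

```python
"""Attachment triage before anyone double-clicks. Added example, not
NetworkTigers' code; every sample file below is constructed and harmless."""
import io
import re
import struct
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "msi", "ps1", "lnk", "dll"}   # what Windows runs
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "gz", "tgz", "tar"}
OOXML_EXTS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xlsb", "pptx", "pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
PDF_RISKY = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/URI", b"/EmbeddedFile")

def check_name(name):
    """Double-extension check. Explorer hides the final extension of known types
    by default, so 'vacationphoto.png.exe' is displayed as 'vacationphoto.png'."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return []
    findings = [("EXECUTABLE", name)]
    if any(p in DECOY_EXTS for p in parts[1:-1]):
        findings.append(("DOUBLE_EXTENSION", name))
    return findings

def inspect_zip(data, depth=0):
    """Read the central directory without extracting. General-purpose flag bit 0
    marks a password-protected member, the part a gateway scanner cannot see."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted:
                findings.append(("ENCRYPTED_MEMBER", info.filename))
            findings += check_name(info.filename)
            ext = info.filename.rsplit(".", 1)[-1].lower()
            if ext in ARCHIVE_EXTS:
                findings.append(("NESTED_ARCHIVE", info.filename))
                if ext == "zip" and not encrypted and depth < 3:   # cap recursion
                    findings += inspect_zip(zf.read(info), depth + 1)
    return findings

def inspect_ooxml(data):
    """OOXML files are ZIPs: VBA lives in vbaProject.bin, and a remote template
    is an attachedTemplate relationship whose Target is external."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings.append(("VBA_PROJECT", name))
            elif name.endswith("settings.xml.rels"):
                for rel in re.findall(r"<Relationship\b[^>]*>", zf.read(name).decode("utf-8", "replace")):
                    if "attachedTemplate" in rel and 'TargetMode="External"' in rel:
                        target = re.search(r'Target="([^"]*)"', rel)
                        findings.append(("REMOTE_TEMPLATE", target.group(1) if target else name))
    return findings

def inspect_pdf(data):
    """Raw-byte heuristic: names may be hex-escaped or compressed, so clean means 'nothing obvious'."""
    return [("PDF_ACTIVE_CONTENT", key.decode()) for key in PDF_RISKY if key in data]

def triage(name, data):
    findings = check_name(name)
    ext = name.lower().rsplit(".", 1)[-1]
    if data.startswith(b"PK\x03\x04"):
        findings += inspect_ooxml(data) if ext in OOXML_EXTS else inspect_zip(data)
    elif data.startswith(OLE_MAGIC):
        findings.append(("LEGACY_OLE", "binary Office file: check it with olevba"))
    elif data.startswith(b"%PDF"):
        findings += inspect_pdf(data)
    return findings

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member, content in members:
            zf.writestr(member, content)
    return bytearray(buf.getvalue())

def build_samples():
    """Constructed stand-ins for the article's file types (no real malware, invented hosts)."""
    archive = make_zip([("secret.txt", b"stands in for a password-protected member"),
                        ("invoice.pdf.exe", b"MZ stand-in, not a real PE"),
                        ("stage2.zip", bytes(make_zip([("readme.txt", b"stage two")])))])
    # zipfile cannot write encrypted members, so set general-purpose bit 0 on the first
    # central-directory record (offset = uint32 at bytes 16..19 of the 22-byte EOCD; flags 8 bytes in).
    cd_start = struct.unpack("<I", archive[-6:-2])[0]
    archive[cd_start + 8] |= 0x01
    office = [("[Content_Types].xml", "<Types/>"), ("word/document.xml", "<w:document/>")]
    macro_doc = make_zip(office + [("word/vbaProject.bin", OLE_MAGIC + b" VBA stand-in")])
    template_doc = make_zip(office + [("word/_rels/settings.xml.rels",
        '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        'Target="http://template-host.example/normal.dotm" TargetMode="External"/></Relationships>')])
    pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction << /S /URI "
           b"/URI (http://login-page.example/verify) >> >> endobj\n%%EOF\n")
    return {"photos.zip": bytes(archive), "resume.docm": bytes(macro_doc),
            "offer.docx": bytes(template_doc), "statement.pdf": pdf}

def run_samples():
    return {name: triage(name, data) for name, data in build_samples().items()}

if __name__ == "__main__":
    print(*run_samples().items(), sep="\n")
```

Running it prints one line per sample with the findings for each. The archive inspection never extracts the encrypted member; it only reads the central directory, which is precisely what a gateway scanner can do with a password-protected ZIP and why such archives slip through. The Office and PDF checks are deliberately heuristic: a clean result means nothing obvious was found, not that the file is safe, so the human checks in the list above still apply.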