I published the following diary on isc.sans.org: “Common Patterns Used in Phishing Campaigns Files”:
Phishing campaigns remain a common way to infect computers. Every day, I receive plenty of malicious documents pretending to be sent from banks, suppliers, major Internet actors, etc. All those emails and their payloads are indexed, and this morning I decided to have a quick look at them just by the name of the malicious files. Basically, there are two approaches used by attackers:
- They randomize the file names, either by adding a trailing random string (e.g. aaf_438445.pdf) or by randomizing the complete filename.
- They make the filename “juicy” to entice the user to open it by using common words.
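
As an added illustration (not code from the diary), the sketch below tags attachment names from a mail index with the two patterns described above so they can be counted. The lure-word list, the regular expression, the "fully random" thresholds and the sample names other than aaf_438445.pdf are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Assumed lure vocabulary, constructed for this example (not taken from the diary).
LURE_WORDS = {"invoice", "payment", "order", "receipt", "statement", "delivery"}

# Readable prefix + separator + run of 5+ hex/digit chars containing a digit,
# which covers the diary's sample name aaf_438445.pdf.
TRAILING_RANDOM = re.compile(
    r"^[A-Za-z]{2,}[_\-. ](?=[0-9A-Fa-f]*\d)[0-9A-Fa-f]{5,}$"
)

def classify(filename):
    """Return the sorted list of naming patterns matched by an attachment name."""
    stem = PurePosixPath(filename).stem
    tags = set()
    # Split the stem into lowercase alphabetic words and look for lure terms.
    words = set(re.split(r"[^a-z]+", stem.lower()))
    if words & LURE_WORDS:
        tags.add("lure-word")
    if TRAILING_RANDOM.match(stem):
        tags.add("trailing-random")
    # Assumed heuristic for a fully random name: 8+ alphanumerics mixing
    # letters and digits, with digits making up at least 30% of the stem.
    digits = sum(c.isdigit() for c in stem)
    if (stem.isalnum() and len(stem) >= 8 and 0 < digits < len(stem)
            and digits / len(stem) >= 0.3):
        tags.add("fully-random")
    return sorted(tags)

def summarize(filenames):
    """Count how many names fall under each pattern (a name may match several)."""
    counts = {}
    for name in filenames:
        for tag in classify(name) or ["unclassified"]:
            counts[tag] = counts.get(tag, 0) + 1
    return counts

# Constructed sample names; only aaf_438445.pdf appears in the diary.
SAMPLES = ["aaf_438445.pdf", "Invoice_2017.doc", "x7k2q9zp4w.doc",
           "payment_884213.pdf", "notes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:22} {classify(sample)}")
    print(summarize(SAMPLES))
```
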