Spammers Get Smarter By The Second
11:11 AM EST Fri. Apr. 09, 2010
In November 2008, a curious thing happened. Spam levels plummeted from record highs to almost nothing after ISP McColo was taken offline by its upstream providers, giving users a welcome relief from junk mail as well as reason to question whether spam levels would ever go back to what they once were. Guess what happened?
Since McColo's demise, spam levels have not only skyrocketed, they are more dangerous than ever, rising to previous levels of millions of messages per day and filling inboxes, eating up bandwidth and distributing malware.
As they have for years, computer users are still falling for myriad 419 and product scams.
Experts say that the biggest spam trend in the foreseeable future is sheer volume. According to a Symantec State of Spam report, spam levels rose 5.5 percent from January to February, representing almost 90 percent of all e-mail messages on any given day. Meanwhile, a February M86 Security Labs report notes that the volume of malicious spam has reached 3 billion messages per day, compared with 600 million messages per day in the first half of 2009. And current spam levels are expected to grow as spammers develop automation technologies and spam engines become more powerful in an attempt to overcome equally powerful spam filtering devices and services, experts say.
That exponential increase ultimately causes untold headaches for IT administrators, who are required to manage the spam volumes, meticulously scan logs and then chase down crucial e-mails that get trapped in spam filters. "What businesspeople are more tuned into is the amount of time they waste fooling with it," said Jim Freeman, principal and CFO of Englewood, Colo.-based Attain Technologies, a Microsoft partner.
But in addition to volume, spam now represents an even bigger security threat for businesses -- as the primary vector used to deliver malware. Spam is often used as the initial hook in what are known as blended threats, which combine identity requests such as fake logins or applications, along with an embedded link directing users to a malicious site or video codec or -- although less frequently -- an infected attachment.
Nowadays, the vast majority of spam is driven by botnets -- such as the notorious spam-spewer Cutwail -- which grow exponentially as they infect more computers and pull them into the spam network. As a result, spam is emitted in surges, spiking upward in short, erratic bursts with each campaign rather than climbing at a steady incline. "[Botnets are] getting more horsepower behind them," said Derek Manky, cybersecurity and threat researcher at Fortinet's FortiGuard Global Security. "They also seed themselves. They send out a virus in a spam e-mail so they can grow their botnet."
Some of the biggest money-making spam campaigns continue to be the massive pharmaceutical scams -- which now account for 65 percent of all spam, according to Symantec -- as well as fake antivirus downloads and work-from-home ads, driven by spam bots Cutwail, Zeus and others.
Experts say that spam campaigns have become, and will continue to become, more targeted and focused in 2010 as spammers, like the rest of the corporate world, find ways to increase their return on investment in a weak global economy. In general, experts say, traditional phishing campaigns are constantly mutating and short-lived -- lasting anywhere from a few hours to a few days -- due, in part, to the immediacy and timeliness of the high-profile news items and calendar events used to lure victims, such as holidays, international conflicts, celebrity deaths and natural disasters.
"They do their homework," said Tim Flood, vice president of engineering at Red Condor. "And they're extremely well funded."
Not coincidentally, spammers are becoming more technologically sophisticated, developing well-engineered and legitimate-looking attacks. Consequently, spearphishing -- attacks that target executives or administrators with highly individualized messages -- has become more personal and more localized, experts say. Spam campaigns are delivered in native languages, not just grammatically incorrect English, while phishing messages have become more personal, often including references to friends or local businesses and organizations, in an attempt to get the victim to trust the sender enough to respond or click on malicious links embedded in a message. A February Symantec State of Spam report indicates a 16 percent increase in phishing attacks from January, and experts say those numbers are trending upward.
"As people get used to the Nigerian prince oil-payout story, the scammers find alternative ways that seem less out of the ordinary," said Angelos Kottas, principal product manager for Symantec's Brightmail. "Instead of being far-fetched scenarios, they're picking scenarios that can fool a more savvy user."
Experts also say that spammers will be going after the smaller businesses -- such as credit unions or doctor's offices -- which often have fewer resources and defensive layers protecting critical data.
And they are going after high-payout targets. As exhibited most recently in the January Google Aurora attacks, the price of the bounty has increased from just a year ago, while the value of customers' credit card information and Social Security numbers has significantly decreased on the black market to pennies on the dollar. This has compelled spammers and phishers to go after more lucrative payloads, such as intellectual property and other classified information.
"It's a core business issue," said Satnam Narang, threat analyst for M86 Security Labs. "We're seeing a lot of people concerned about it, and that's driving security at a lot of different levels."
But one of the biggest vectors for spam in 2010 will likely not be e-mail but social networking sites, which are becoming the gateway to the most malicious and widespread attacks, experts say.
"Spammers can try to get your personal information using Facebook as a cover, typically in a phishing message, or they can simply ask for Facebook login information," said Eric Park, Symantec abuse desk analyst. "These guys are so sophisticated even a more savvy group of users may fall for it."
The social networking giant Facebook became a prime target for spammers in fall 2009, when a massive blended-threat spam campaign took users to a spoofed Facebook login page and then prompted them to download "updatetool.exe," which turned out to be a Zbot Trojan variant, according to a Red Condor white paper. And these types of attacks are just the tip of the iceberg now that Facebook has exceeded 400 million users, experts say.
"Individuals have to worry about what shows up in their in-box," added Red Condor's Flood. "What has historically been a nuisance has really become a serious threat."
The Spam Solution
But whether a nuisance or a security threat, escalating spam levels have users stumped as to how to handle the problem. Antispam solutions vary across the board, ranging from cloud to appliance to an almost infinite number of hybrid solutions that combine the two, depending on the size and needs of the customer.
And while spam affects businesses of all sizes, it's the cash-strapped SMBs that will likely be hurt the most, experts say.
"The amount of spam and amount of malware is doubling every year," said Eric Jensen, Trend Micro senior global product marketing manager. "That's a pretty big headache. The biggest pain point is the rapid evolution of threats, and that puts IT staff in a dilemma."
For the smallest companies, one of the most cost-effective ways to combat spam is outsourcing basic antispam functions to the cloud, which filters all unwanted e-mail at the gateway before it reaches the customer's network, while providing scanning and detection in real time. The cloud model also reduces the customer's overhead costs, increases predictability with one monthly bill, and allows organizations lacking IT staff to focus on growing their business, which makes it a particularly attractive option in the lower market segments, solution providers say.
"For smaller organizations, they tend to go with the cloud model because they don't want to manage it. In the grand scheme, the cost is minimal," said Shane Vinup, president and CEO of Maple Grove, Minn.-based CyberAdvisors, and a Kaspersky Lab partner. "In environments of 1,000 users or less, they are much more comfortable giving up that control."
Roy Miehe, CEO of AAAntivirus, based in Campbell, Calif., and a Red Condor partner, contends that the cloud allows him to provision new customers with an antispam solution that can be up and running in about a half-hour, while allowing him to remotely scan and monitor threats for multiple clients in a matter of minutes.
And while cloud antispam gained traction with the economic meltdown, the cloud model will continue to be viable once the economy recovers, he said, even for some larger customers that prefer to loosen up cash flow by committing to a recurring monthly bill rather than coming up with up-front capital for an on-premise appliance.
"They've got the NOC set up for them. There's no strain or fuss or muss. With 388 million pieces of garbage, Exchange would have had to handle those. You need some pretty big hardware to take care of that kind of stuff," Miehe said. "I think that cloud is here to stay. If it's not broken, why fix it?"
But other solution providers contend that in 2010 and beyond, many larger customers will prefer an antispam solution that falls somewhere in the middle, occupying a hybrid crossover that blends an on-premise appliance, software or some kind of cloud service.
Depending on the customer's needs, the hybrid approach often includes a hosted spam prevention service, coupled with a UTM appliance that incorporates firewall, antivirus and another antispam layer.
Solution providers also say that having an antispam appliance on premise provides a deeper level of defense. Content inspection that looks for keywords like Viagra is fine -- unless you're a doctor's office that will likely be both sending and receiving e-mail containing these and other sensitive medical terms. More antispam solutions are also detecting malicious links embedded in the e-mail message, experts say.
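To make the keyword false-positive concrete, here is an added example (not code from the article or from any vendor it mentions) that scores two constructed messages first with a keyword-only rule and then with a layered rule that also weighs the embedded links. The message format, keyword list, blocklist hosts and thresholds are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the article); bodies and link
# targets are invented placeholders in the .test reserved domain.
MEDICAL_MAIL = {
    "body": "Dr. Lee renewed your Viagra prescription. Pick it up at the front desk.",
    "links": [],  # (display text, actual href) pairs found in the HTML body
}
PHARMA_SPAM = {
    "body": "Cheap Viagra, no prescription needed! Order here today.",
    "links": [("https://www.example-pharmacy.test", "http://cheap-meds.test/order")],
}

KEYWORDS = {"viagra", "prescription"}
BAD_HOSTS = {"cheap-meds.test"}  # constructed blocklist of known-bad link hosts
LAYERED_THRESHOLD = 3

def keyword_score(msg):
    """Count distinct blocked keywords in the body (the content-inspection layer)."""
    words = set(re.findall(r"[a-z]+", msg["body"].lower()))
    return len(words & KEYWORDS)

def link_score(msg):
    """Score embedded links: known-bad host, or display URL pointing at a different host."""
    score = 0
    for text, href in msg["links"]:
        host = (urlparse(href).hostname or "").lower()
        if host in BAD_HOSTS:
            score += 3
        shown = (urlparse(text).hostname or "").lower()
        if shown and shown != host:
            score += 2  # the visible URL and the real destination disagree
    return score

def keyword_only_verdict(msg):
    """Keyword-only filter: any blocked word makes the message spam."""
    return "spam" if keyword_score(msg) > 0 else "ham"

def layered_verdict(msg):
    """Layered filter: keywords alone stay below the threshold; link signals push past it."""
    return "spam" if keyword_score(msg) + link_score(msg) >= LAYERED_THRESHOLD else "ham"

if __name__ == "__main__":
    for name, msg in [("clinic mail", MEDICAL_MAIL), ("pharma spam", PHARMA_SPAM)]:
        print(f"{name}: keyword-only={keyword_only_verdict(msg)} layered={layered_verdict(msg)}")
```

The clinic's legitimate message is flagged by the keyword-only rule but passes the layered one, while the pharmacy spam is caught by both because its link resolves to a blocklisted host and its visible URL does not match the real destination.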
Meanwhile, solution providers say that the layered approach will be the surest way to hedge bets in eradicating the majority of spam.
"The one thing we have learned is that everything has to work in layers," Freeman said. "Everything has to be complementary. If you pick a cloud provider, you want to pick something vastly different for a complete protection scheme. You really want that depth of defense."
The hybrid approach becomes infinitely more complex, time-consuming and more varied in the midtier and enterprise -- which can translate to more consulting and assessment service opportunities on the presale side for partners. But the added complexity of the hybrid environment enables businesses to tailor their security environment to fit their exact specifications, which ultimately gives them more control over their IT environment, solution providers say.
"With bigger businesses, [security] becomes more complex. There's not a cookie-cutter solution in the midtier," Vinup said. "Having all these pieces in play, you have a pretty solid security plan."