The Blurring Lines Between Spam and Cybercrime: A Security Researcher’s Perspective on Evolving Spam Techniques

Despite the proliferation of anti-spam solutions on the market, spam levels are at an all-time high. By some estimates, more than 90 percent of all email sent in 2007 was spam. Why? As global Internet usage increases, the potential financial gain from spam grows with it. Even with low response rates and better spam detection technology, spam continues to rise because both unethical marketers and cybercriminals recognize it as the cheapest way to reach the largest number of potential targets. Spam has become a global medium for cybercriminals, who combine new techniques with bot networks and sophisticated ways of evading traditional spam filters. As we saw with the Storm writers this year, these new techniques make it extremely difficult to track, much less take down, the bot networks that illegally distribute traditional spam along with malware designed to steal company or personal information for the spammer's financial gain.

From a security research perspective, we have seen spammers change their techniques not only across email but also across other Internet communication channels in order to get their messages to the widest possible audience. In addition to the traditional method of sending spam over email, attackers increasingly use Web-based spam, posting URLs to malicious sites in blogs, forums, the “talk-back” sections of news sites and on compromised Web sites. This “link spam” drives traffic to infected Web sites. It also pushes the purveyor’s site higher in search engine rankings, increasing the risk that users will visit the compromised site.

Spammers Get Creative

In 2007, we observed spammers using new media types to reach their audiences. In some “pump and dump” stock campaigns, we saw spammers begin embedding images in PDF, Excel (XLS) and text attachments. In one instance, there was a short-lived MP3 audio spam campaign. Some speculate that video spam will be the next frontier as Internet users increasingly download video files.

We also saw a resurgence in the use of hosted data centers. Spammers go to great lengths to avoid having their IP addresses blacklisted: they target specific regions and organizations with accurate distribution lists and send from sources with trusted reputations. They register companies, domains, SPF records and corresponding Web sites, and craft emails in an attempt to appear legitimate. Typically, the spammer is able to remain globally undetected for up to a month before moving on, often without ever paying a bill for the services used.

To avoid detection by email reputation systems, we recently discovered spammers deploying bots designed to break CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart). The goal is to register accounts on legitimate email hosting services, such as Microsoft LIVE/Hotmail and Gmail, allowing spammers to send spam from addresses that have “good” reputations.

With spam techniques growing in sophistication, it is becoming more difficult to differentiate email-borne threats from harmless junk email. The volume and sophistication mean that accurate detection of spam can only be done by classifying not only the content of emails but also the reputations of the senders. Companies may also want to consider hosted email security services, which block spam and other malicious content before it ever reaches the corporate network and servers. This significantly reduces bandwidth, processing and storage demands, as well as the cost and complexity of managing, maintaining and tuning in-house security systems to keep up with the rapidly changing techniques spammers employ to evade detection.
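As an added example of the point above (not code from the author, Websense or ThreatSeeker), the following scorer combines content features drawn from the article's observations (pump-and-dump wording, near-empty bodies carrying a PDF/XLS/text/MP3 attachment, link-heavy bodies) with a sender-reputation lookup. The reputation table, the SPF flag, the weights and the three sample messages are all constructed for illustration; the point it makes is that the link-spam sample is missed by content scoring alone and the pump-and-dump sample is missed by reputation alone, so only the combined score catches both.

```python
"""Combined content + sender-reputation spam scorer (illustrative, constructed data)."""
import re
from dataclasses import dataclass, field

# Constructed reputation table: trust score in [0, 1], higher means more trusted.
# Unknown senders get a neutral default, since spammers rotate freshly registered domains.
SENDER_REPUTATION = {
    "newsletter.trusted-shop.test": 0.8,
    "bulk-host-17.example.test": 0.1,
}
DEFAULT_REPUTATION = 0.5

# Attachment types the article notes were used to carry image-based stock pitches.
RISKY_ATTACHMENT_EXT = (".pdf", ".xls", ".txt", ".mp3")

STOCK_PUMP_RE = re.compile(r"\b(stock|shares|ticker|buy now|soar|skyrocket)\b", re.I)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


@dataclass
class Message:
    sender_domain: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    spf_pass: bool = False  # assumed result of an SPF check on the envelope sender


def content_score(msg: Message) -> float:
    """Spamminess in [0, 1] estimated from message content only."""
    text = f"{msg.subject}\n{msg.body}"
    score = 0.0
    if STOCK_PUMP_RE.search(text):
        score += 0.35
    if len(URL_RE.findall(text)) >= 3:
        score += 0.25
    has_risky_attachment = any(a.lower().endswith(RISKY_ATTACHMENT_EXT) for a in msg.attachments)
    if has_risky_attachment and len(msg.body.split()) < 20:
        score += 0.3  # near-empty body; the real pitch lives in the attachment
    return min(score, 1.0)


def sender_score(msg: Message) -> float:
    """Risk in [0, 1] derived from sender reputation; SPF failure halves the trust."""
    trust = SENDER_REPUTATION.get(msg.sender_domain, DEFAULT_REPUTATION)
    if not msg.spf_pass:
        trust *= 0.5
    return 1.0 - trust


def classify(msg: Message, threshold: float = 0.5) -> tuple:
    """Weighted blend of content and sender risk; returns (verdict, score)."""
    combined = 0.6 * content_score(msg) + 0.4 * sender_score(msg)
    return ("spam" if combined >= threshold else "ham", round(combined, 3))


# Constructed sample messages.
PUMP_AND_DUMP = Message(
    sender_domain="fresh-registered-corp.test",  # unknown domain with a valid SPF record
    subject="Hot stock alert",
    body="See attached.",
    attachments=["alert.pdf"],
    spf_pass=True,
)
NEWSLETTER = Message(
    sender_domain="newsletter.trusted-shop.test",
    subject="This week's offers",
    body="Our weekly deals are at https://newsletter.trusted-shop.test/offers",
    spf_pass=True,
)
LINK_SPAM = Message(
    sender_domain="bulk-host-17.example.test",
    subject="Check these out",
    body="http://a.test/x http://b.test/y http://c.test/z",
    spf_pass=False,
)

if __name__ == "__main__":
    for name, msg in [("pump-and-dump", PUMP_AND_DUMP), ("newsletter", NEWSLETTER), ("link spam", LINK_SPAM)]:
        print(name, content_score(msg), sender_score(msg), classify(msg))
```

Running the block prints one line per sample. The link-spam message scores only 0.25 on content, below the threshold, but its poor sender reputation and failed SPF push the combined score to 0.53; the pump-and-dump message has a neutral sender risk of 0.5 but its content score of 0.65 carries it to 0.59. Real deployments replace the hard-coded table with a reputation feed and tune the weights against labelled mail, but the structure of the decision is the same.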

About Dan Hubbard

Dan Hubbard is the vice president of Security Research and manages Websense Security Labs. He is the pioneer behind Websense’s ThreatSeeker technology, which scans more than 600 million Web sites per week searching for malicious code. ThreatSeeker technology is the foundational technology behind the Websense security portfolio of solutions, along with Websense Hosted Security that scans more than 500 million emails per week looking for email security threats. This combined security intelligence closes the window of vulnerability and defends against Trojan horses, spam, phishing, keylogging, P2P, and zero-day threats. Hubbard often speaks about emerging security trends at industry events such as RSA, Defcon and Blackhat.