Why spam still poses a danger
Users seem to have become accustomed to spam but we cannot rest easy as spammers keep the pressure on to deliver more and more junk in your inbox.
For most of us, spam has ceased to be much of a problem. Our spam filters work fairly well and although we may occasionally see the odd unwanted message, or lose a valid message in the process, we are largely shielded from the bulk of the junk that sloshes around the internet.
But the spammers are not standing still. They are constantly seeking new ways to get through our defences, and it is worth mentioning also that we all pay for the spammers. If they didn't occupy 90 per cent of the email capacity of the internet, we'd all get faster and cheaper service.
But there is little chance of stopping the spammers while their activities continue to be profitable. For virtually no outlay and less risk of getting punished, spammers can afford to churn out millions of messages in the sure knowledge that just a tiny fraction of the recipients need to respond to make it all worthwhile.
In a web survey carried out in February 2007, security company Sophos found that five per cent of people admitted to buying goods sold via spam.
And in August, the share price of a company called Prime Time Group rose steadily within a short period after "pump and dump" spammers went on a concerted email campaign to boost the company's prospects. So spam clearly works, despite our best efforts to contain it.
And so the battle goes on. The latest ploy noted by researchers in recent weeks is to put the message into a PDF or Excel attachment. As Mark Sunner, chief security analyst with MessageLabs, explains: "PDF attachments have rocketed in the last few weeks, and now account for 20 per cent of all image spam. PDF is seen as a more trusted file format, and also looks more professional. Using Adobe Acrobat, the hackers can also crank up the security options, which makes it hard for the anti-spam software to parse the contents."
He says that the tactics of some spammers are also changing, with some of them doing shorter runs that will keep them below the radar of the anti-spam engines. "The bad guys know that most filters rely on honeypots, and there is a window of time before a bogus account [in the honeypot] receives something it shouldn't," he says. "We have seen the window of spam runs coming down to short blasts of as little as 11 minutes. This would appear to be an attempt to get under the radar."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The junk mail aspect of spam is just one side of the problem, though. If someone is just trying to sell you something you don't want, you can delete the message and move on.
But the more serious side is that the spammers are constantly looking for more machines to infect. If they can get a trojan downloaded on to your machine, it then falls under their control and can be used for a variety of purposes. It may become another new node in a botnet, being used to spew out more mail to other targets. Or the hackers may decide to spy on what you do to gather details of your bank accounts, credit cards or other private information.
Increasingly, the spammers adopt the approach of putting a hyperlink in a message, to encourage the user to click through to an infected website. "Throughout this year, the number of messages containing malicious hyperlinks has been going up, while the virus count in attachments is half what it was last year," says Sunner.
This is backed up by data from Sophos, which reported finding an average of 29,000 new malicious web pages during the month of June this year. "The worrying thing is that 80 per cent of these were on legitimate sites that had been hacked," says Graham Cluley, a senior technology consultant at Sophos.
He says the most harmless-looking sites will be infected, such as a message board they discovered, which was devoted to discussion of 'Only Fools and Horses'.
"This causes problems for the anti-spam filters, because they are normally checking emails with known bad sites on them. But if they have a link to a sporting site or something not on the blacklist, then it will get through," Cluley says.
The only defence against the problem, he says, is a mixture good sense and making sure you keep all security patches and anti-virus software up to date. "And this is not just a Microsoft problem," he warns. "We see Firefox being targeted increasingly, and Apache web servers - we found that 51 per cent of the web servers we saw hosting malware were running Apache, rather than Microsoft. The hackers are looking for any vulnerable server running any vulnerable operating system."
If an unsolicited email sounds too good to be true, he says, then don't click on the links, and delete it immediately. Or if you are not absolutely sure, try looking at the attachment through a viewer, such as Wordviewer.
But the hackers are already planning their next move, according Mark Sunner. On June 26 this year, his company suddenly noticed a flurry of 514 targeted emails, all sent within the space of two hours, and all sent to board members of companies - except four which were addressed to the secretaries of chief executives. Each of the messages carried an Word attachment marked 'Customer complaint', 'Invoice', or 'Notice from the FSA'.
When the recipient opened the document they were presented with an icon to click to receive the message. As soon as they clicked the icon, they would be taken to a fake website and a trojan would be downloaded.
So how did the hackers have such precise information about their victims? After a bit of investigation, the MessageLabs team discovered that they were all on the LinkedIn social networking site, and the hackers had merely harvested information and identified everyone with CEO, CFO or some other high-ranking job title.
As Sunner says, it is now possible to buy tools on the Internet that will harvest information from social networking sites such as Myspace, so this is lowering the barrier to entry for people wanting to carry this kind of scam.
"Social networking is great, but is also a goldmine of information that is completely up-to-date. If we've intercepted 514 based on the six million accounts we protect in one day, then there has to be a substantial amount of this going on," he says. "We could see that, if activated, these trojans were going to be able to ship back the documents on the infected machine back to the data repository of infected machine elsewhere on the internet. That could be information about mergers and acquisitions, company strategies, patents. The targets are custodians of the company secrets."