Spam may be the best known security threat in the world. Anyone with email or a Facebook account has experienced it, despite providers’ best efforts to block it from their inboxes.
And although the world’s cyber warriors have taken down large chunks of infrastructure hosting massive spam campaigns, it remains a huge problem.
As soon as businesses started spamming people’s email accounts, it was inevitable that criminals would adopt the model and turn it to their gain. From the early 2000s, crooks figured out how to automate and spread messages designed to dupe people out of their money or their data.
The primary method for disseminating these irksome messages became botnets, some of which grew to a massive size. Millions of infected machines became relays from which messages would spread and spread.
Playing for high stakes
Malicious hackers realised they could lump their command-and-control (C&C) servers on bulletproof hosting services and operate with little chance of arrest. Meanwhile, the money came rolling in from bank account compromises, sales of dodgy pharmaceuticals or pay-per-click fraud, with ad networks paying out for every click on ads served on dodgy spammed links.
Research carried out in 2008 showed the owners of the Storm botnet were making $7,000 a day, even though they were getting only a 0.00001 per cent conversion rate for sales of their knock-off medication. With so many messages going out such low rates still brought in the dollar.
But towards the end of the 2000s the industry started fighting back in earnest and some of the world’s spam giants had their tentacles cut off.
In 2010, Bredolab, a 30-million-strong botnet, was taken apart. Two years later, the mastermind was jailed by Armenia for four years.
In 2011, the epic Rustock botnet, which was said to be sending out 25,000 messages an hour, was effectively neutralised, though there was no arrest despite a $250,000 bounty offered by Microsoft for information on those behind the operation. Grum, which was popping out 18 billion spam emails a day at its peak, was knocked out in 2012.
Meanwhile, spam filters have got better at keeping nasty messages out of inboxes, with a 99 per cent success rate today, according to antivirus firms Sophos and Kasperksy.
“Spam is an interesting example of how over time security threats can be reduced or managed more effectively by technology,” says Brian Honan, founder of security advisory firm BH Consulting.
“In the mid-2000s spam was the big security threat, with experts predicting that email would cease to work because of it. However, what we have seen is that the threat of spam has been effectively managed for many organisations, and indeed for individuals.
“Most companies and personal email providers now provide built-in filters, which has reduced the level of spam that users receive.”
Beware the botnets
But none of this has led to complete victory. If the first part of the decade saw a semi-successful war on spam, the middle period is shaping up as a defeat for the good guys.
In the first half of 2014, spam rose by 60 per cent compared with the same period a year ago. This was probably due to the continuing pain caused by the Conficker worm and the boom in threats such as Mytob, Upatre and ZeuS, which all use spam as their main infection vector.
According to Flora Chang, threat intelligence product manager at Barracuda, today’s spamming botnets are not as widespread as the early behemoths. This is partly because the first ones were around for a lot longer so had more time to develop, and partly because of increased vigilance among defenders of the internet.
“However, the current spammer organisations have learned from the mistakes of the older campaigns,” Chang says.
“While the botnets may not be as prolific as before they are still effective so we have to continue to be on our toes. It’s a never-ending escalation of tactics.”
Darya Loseva, head of content analysis and research at Kaspersky, notes that even when a big botnet is closed the amount of spam drops for only a month or so before it rises again.
“Spammers move to other botnets, botnet masters infect other computers and the process goes on. As for spam masters, botnet takedowns are usually organised by IT vendors and non-profit organisations and are not therefore directly connected to criminals' arrests,” she says.
Indeed the most notable recent botnet action, that of Gameover Zeus which used spam messages to spread bank-login thieving malware, has not seen anyone apprehended. Only arrests will help bring about the serious reduction in spam many dream of.
Hold the front page
Today, spam comes in many forms and with many nasty surprises inside. Crude, basic forms attempting to persuade users to click through to the scammers’ pages are prevalent, and pornographic spam and fake PayPal or banking phishing emails are common.
Though many still want victims to pay for counterfeit gear, often those sites lead to malware downloads. And some of their tactics are getting smarter, according to Chang.
“Spam that uses social engineering, for example, so that the email from your 'friend’ actually contains advanced persistent threats that hide on your system, compromising it in any number of ways, are usually reserved for a specific target audience that lead to higher payoffs.
“Organised criminals are willing to spend more resources in crafting the perfect email that will net them your private account information, be it for Twitter or your bank.”
Ransomware locks up people’s files and demands payment to unlock them
Elsewhere, many spammers use big news events to trick people into clicking on links, as seen with the recent MH17 flight disaster in Ukraine.
Ferguson notes the Kuluoz malware, distributed by the Asprox botnet, steals headlines and content from the body of real articles from the BBC and CNN for use in the email body of its campaigns.
Upatre started promising interesting information for those who clicked on Dropbox links. Using the cloud service, the crooks have not only been able to make the link look more credible, but they can host the malicious files on Dropbox to propagate the infection.
Spam is also being used for delivery of ransomware, which locks up people’s files and demands payment to unlock them.
“I am aware of a number of cases where social media spam has caused users’ computer to be infected with ransomware,” says Honan.
“In one case the infection not only resulted in the individual's PC being held for ransom but the network shares that user had access to were encrypted and made unavailable.”
Facebook recently announced action against the Lecpetex malware that was being used to spread spam across the social network, affecting as many as 250,000, mostly based in Greece.
Once users were infected, social network cookies were stolen and used to hijack accounts. From there, the attackers spread malicious links to contacts via private messages.
In the mobile sphere, the Information Commissioner’s Office, the UK’s privacy watchdog, took down a giant SMS spam farm in Wolverhampton, seizing hundreds of SIM cards that were being used to send at least 350,000 irritating messages.
Text spam differs from traditional email spam, according to Andrew Conway, security researcher for security firm Cloudmark.
“SMS spam requires a high level of return and relies on gaining the trust of the recipient. In the US, bank phishing is a common form of SMS spam, whereas in the UK we largely see payday loans, insurance claims and pension liberation scams,” he says.
“We don’t see as much SMS spam for pornography or bootleg Viagra, which are common in email spam, because those rely on sending out huge volumes of messages to reach just a few customers. It isn’t economically viable in the SMS world.”
All this is not just a problem for the individual but for businesses too. Apart from the malware and credential theft aspects of modern spam, the sheer volume of messages can also put a strain on infrastructure.
Then there is spam DDoS, where huge numbers of emails with random content are sent from different IP addresses to a single email address and effectively block it.
Much like anti-virus, spam filters block out almost all threats. Bulk spam from known sources shoving out Viagra ads, for instance, is easily dealt with.
Today’s widely deployed protection systems even pick out messages that simply resemble spam.
“When data can be correlated across multiple sources – for example SMTP, HTTP and File – then even an entirely innocent mail from a previously unknown source can be effectively detected," says Rik Ferguson, vice-president of security research at Trend Micro.
“Perhaps it contains a link to a known bad URL, perhaps it carries a file that is a known bad file, or even an unknown file which subsequently carries out a suspicious action such as phoning home to a known C&C server.”
Change the filter
But even the final one per cent of spam that sneaks through average filters can cause pain. That’s where more advanced systems are required.
Ferguson thinks only some security vendors are doing it right. “Intelligence should be sourced across a number of vectors and there should be a feedback loop between the customer and the security vendor," he says.
"When a previously non-blacklisted file phones home to its C&C the security technology can block that attempt, effectively neutering the infection.
“Then the next time the data concerning the file, its source URL and the source of the email that delivered it can all be fed back to the central database of the security technology and used to break the chain of infection higher up.”
Chang says even filters that constantly get new definitions would always be playing catchup. Businesses need a system that can “evolve and expand enough to anticipate and catch variations of current threat types, without blocking any legitimate email”, she says.
They also need to determine when links to infected legitimate sites are being passed around in spam mail, as these are much more difficult to detect due to the ostensibly good reputation of the affected website.
“As criminals adapt their techniques there will always be a lag behind,” says Honan.
In the future Spam volumes look likely to continue to rise: Trend Micro is expecting them to grow throughout 2014.
Attackers will also increasingly target new platforms. Loseva says she has seen spammers send out copies of WhatsApp, Viber and Hangout notifications, as those communications services become more popular.
And as the Internet of Things evolves, not even household appliances will be immune.
Proofpoint research that claimed a fridge was being used to send spam has been contested, though the firm stands by it, but it is possible for many connected things to be exploited by spammers who will use any platform they can if it leads to profit.
“We often talk only about email-borne spam. But judging by the volume delivered through alternative media, it is clear that spam is not going away. It just continues to adapt,” says Ferguson. ®