IT Security Blog

03 January 2009

Who is Lance Winslow and What is He Talking About?


An MXL co-worker (Thanks, Grant!) directed me to this blog posting by a guy named Lance Winslow titled "SPAM Killing Small Business Productivity".  It is no surprise to anyone that any small business that has not taken steps to protect their infrastructure with some kind of anti-spam/traffic shaping/traffic control device or service (I am partial to the managed service form factor, BTW :) ) is feeling the effects of the amount of spam flying over the internet on a daily basis.  So, in that respect Lance hasn't started off his post with anything revolutionary.

Then things start to get weird...

Lance states "...the Federal Trade Commissions; FTC’s war on SPAM is killing small businesses and flooding their inboxes with junk mail".  What?!  Last I checked, a LOT more people than just those involved in the FTC are fighting spam on a daily basis and doing a pretty decent job of it.  I work with many of them on a daily basis, both at MX Logic and at our many competitors.  Secondly, how is the FTC's war on spam killing small businesses and flooding inboxes with junk mail?  Last I checked, it was the spammers who were responsible for that... oh yeah, and the infected PCs that they use to do their dirty work.  I'll concede that CAN-SPAM hasn't done much, but spam hasn't increased as a result of CAN-SPAM.  Spam has increased due to money-chasing criminals using spam as a vehicle to make money.

Lance then goes on to say "America Online indicated that it culls 75% of the incoming SPAM thru filters and many other companies are able to do this too. But what if you are a small business which does not have such features on your website? What do you do then? You cannot do a thing."  Strike 2!  Firstly, I know quite a few of the anti-spam folks over at AOL personally and I'll be more than happy to publicly defend them and say that I am sure they are catching more than 75% of incoming spam.  If that were MX Logic's catch rate I surely would have been fired years ago!  It certainly hasn't been my looks that have gotten me by! :)  Further, how can Lance ascertain that there is nothing you can do if you do "not have such features on your website"?  I am going to guess that he is really referring to inboxes here and not web sites (as web sites are a bit of a different animal than what he originally started out his post with).  Has he ever looked into the cost of a Managed Security Service or a network appliance?  Anyone can deploy anti-spam defenses at fairly low cost per user.  The cost can even be free if you are willing to do the work yourself to maintain your own installation of a software-based service like SpamAssassin.

His final paragraph states "A concocted report from MX Logic purports that SPAM is down a whopping 9%? If you believe that you are on drugs just like the FTC. If you are a small business getting 300 junk mails per day, obviously this is not going to help you in the least as it still means you are getting over 275 junk mails a day. Worse the figure of nine-percentile is said to be a complete misrepresentation and convenient fabrication."  Perhaps Lance should do a bit more reading about the decline in spam volumes since the shutdown of McColo back on November 11th (although I do appreciate that he is reading our report!).  Although the botnets that were originally debilitated as a result of the McColo shutdown are back online, spam volumes overall are still down from where they were pre-McColo.  Now, I will agree with Lance's point where he said that if you were getting 300 spam emails per day and are still getting anywhere from around 275 per day, you are still getting deluged (perhaps our sales folks should try to sell Lance an anti-spam solution :) ).  At a micro level this doesn't seem like a big deal, but when looked at on a much more macro scale in an environment like ours and other major ISPs who process hundreds of millions of emails per day, the effects are dramatic.

I'm curious as to what authority he stands on or interviewed to make the statement that drops in spam volume are a "complete misrepresentation and convenient fabrication"?  How is saying that spam volumes are down convenient for us?  In our business, spam sells.  The more there is, the better sales numbers grow as businesses become more aware of the inadequacies of their own systems in trying to manage spam themselves.  They realize that they NEED an alternative so that they can focus on their core competencies and not just on keeping their mail servers online.  As a result, crises and large spam events like the CNN outbreak from back in August are great for our sales numbers.  It certainly makes selling the need for a solution easier on them.  I've been accused during media interviews by less tech-savvy reporters of trying to spread FUD because "I have to say that spam volumes are up because fighting spam is the business that we are in", but never that I'm lowering numbers for convenience.  I don't quite see how that argument makes any sense.

The closing of his post is the coup de grâce: "If you have innovative thoughts and unique perspectives, come think with Lance."  I would certainly say that Lance's perspectives are unique (and completely uninformed), but his thoughts are not quite so innovative (however quite imaginative!).

Posted by smasiello at 3:40 PM | 7 comments

23 December 2008

Ireland's Version of CAN-SPAM?


Ireland is tired of spam and is putting legislation into law that will fine spammers up to 250,000 Euros if convicted according to this siliconrepublic.com story.  The story does not go into specifics of the law or what an email needs to contain in order to be in compliance (e.g. CAN-SPAM has several rules that marketers must follow in order to be compliant), but references "spammers" as a general term.

Lost in the noise of all of this let us not forget the difference between a "spammer" and a "spam message". 

Spammers are people who send nothing but spam 100% of the time.  Spammers utilize botnets to conceal the original message sender and utilize networks that they otherwise have no right or license to use. 

Compare this to an (accidental) sender of a spam message.

Most ESPs occasionally sign up customers whose intentions are to use the ESP's network to send out email to purchased lists or to people who did not specifically opt in to receive that mail.  Of course, this is unbeknownst to the ESP until the email goes out and the complaints roll in about spamtrap hits, unknown user rates, and users hitting the "This is Spam" buttons in their webmail clients.  The good ESPs will shut those folks down immediately and make them go troll their email elsewhere.  Does this make these ESPs spammers?  No.  Are they culpable under this new law?  Not sure yet, but those details will certainly come forward.

I can respect what Ireland is trying to do here, but I hope they can take a lesson from the United States and not repeat the same mistakes of CAN-SPAM.  If not implemented correctly (i.e. enforce policy on the true spammers and the ESPs who are not making good faith efforts to remove bad customers from their systems) the only people they may end up hurting are the legitimate email marketers who occasionally have an "oopsie" from a bad customer while the true spammers continue their practices unfettered.
Posted by smasiello at 2:52 PM | 0 comments

22 August 2008

30% of Internet Users Admit to Buying from Spam


According to a small, recent study performed by Marshal, up to 30% of internet users admit to buying items like sexual enhancement pills, adult entertainment, software, luxury items, and clothing from spam that they have received.  These kinds of studies come up every few months or so and the percentages of email users who admit to buying from spam vary wildly (see this Techdirt article which briefly mentions a couple of them).  Many of these studies have small sample sizes and little information is given as to some of the other demographics of the participants in the survey (which I think would also be VERY interesting).  No matter whether you believe the real number is closer to 4% or 30%, the underlying moral of the story is that a significant number of people are purchasing products from spammers.  The answer to the spam-old question of "Who would actually get tricked into buying \/1agra?" is "A lot of people!"  Spammers wouldn't continue to spam if it wasn't a profitable venture.

The 30% figure seems a bit high to me in today's internet, especially with the prevalence of spam filters which keep almost all of the junk mail out of users' inboxes.  This does lend credence to the theory, though, that improved social engineering and targeting of spam emails does have a significant effect on the ROI for the spammer.  Even though far less spam is arriving in the inbox, a significant percentage of people are still buying it.

I like to play with numbers and derived (what I think are) a few interesting stats.

Let's do some math (everyone's favorite subject):

Number of spam messages per day on the internet: 150B (industry estimate)
Cost to send a spam message $0.000001 (estimate)
Amount in losses from phishing in 2008: $4B (estimated by Gartner)

So, if you assume 150B spam messages per day at $0.000001 per spam message, that works out to spam costing spammers approximately $150,000 per day to send.
If you divide the $4B in losses from phishing ALONE by 365 (the number of days in a year) you get almost $11M per day in losses!  This doesn't even include profits from the things that we mentioned at the start of this post such as porn and enhancement pills or even stolen credit cards and compromised bank and brokerage accounts.  Cha-Ching!

To be fair, this isn't an apples to apples comparison because we are considering the cost to send ALL spam every day compared with the losses incurred just from phishing, but even just to compare these numbers is staggering!  Just using the $11M and $150,000 numbers spammers make over 73x what they spend, just in phishing returns. 

How many businesses do you know that would like a 730% daily profit margin?  Raise your hand if yours would :)

So, as we've said before: Spam is easy.  Spam works.  Spam makes huge profits for the criminals behind it all.  The numbers are hard to deny.  Look for more spam headed toward the inbox, mobile device, or blog nearest you!
Posted by smasiello at 8:47 AM | 1 comment

30 July 2008

Denver is Ninth Most Email Addicted City


According to a recent study done on email addiction, Denver is the ninth most email addicted city in the United States (click here for more info and for the other cities in the top 10.  BTW, I LOVE the picture on the top of that linked page.  Even if you don't care about the list, go for the picture.  It's worth it!).

This is not surprising considering the technical culture that exists in and around Denver and I would say its ranking is about right in comparison with the other cities.  My biggest surprise was Detroit.  I have never been to Detroit, but it has never struck me as a tech-centric city so I am surprised that one is on the list.  You could easily win an argument with me on that point though since I really have no personal experience of the city to speak of.

As I sit here in the San Jose airport, I see a number of people checking email on their laptops and on Blackberries (this is San Jose!  Where are the iPhones?!).  People who are addicted to email need effective email filtering to keep all of the junk off of their mobile devices and out of their inboxes.  As more and more malware is developed for mobile devices and as more and more personal information is being stored on those devices, that need will only continue to increase.

This list will definitely be making it over to our sales folks :)

Happy emailing!

Posted by smasiello at 10:24 AM | 0 comments
12 May 2008

Cell Phone Spam Becoming More Invasive


I wanted to take a moment to respond to the New York Times article that appeared on their website on May 10th with respect to mobile phone spam.

Largely up to this point the United States has missed the boat as it relates to mobile phone spam.  This is largely because the problem pales in comparison in the US to the rest of the world.  When it is more of an issue here, however, it will definitely become more problematic for consumers.  In the United States your cell phone number very much becomes tied to your identity.  If you change your cell phone number it is a real pain to have to make sure you notify everyone in your contact list (family members, friends, colleagues, etc.) that you can no longer be reached at your old number.  This combined with cell phone number portability, which was introduced a few years ago, makes it simple to even switch carriers and keep your number, which hadn't previously been possible.  In some other countries, like Japan where mobile spam is a huge problem, cell phone numbers are throwaway.  When the Japanese start getting spam on their cell phone, they change numbers until the new number starts getting spammed.  Rinse and repeat.

In the United States there has mostly been a wait-and-see mentality as it relates to mobile spam, but few who have gotten spam on their mobile phone would disagree that it is an issue that needs to be addressed.

Let's look at it from the carrier's perspective first though.  The article states that "Communications companies say they are not interested in spam as a profit center."  I would say that "publicly" this is true, but if you look at it from a sheer numbers perspective, the carriers are already making big money as a result of mobile spam.  Let's use the following statement from the article: "getting as few as 10 unsolicited text messages a month at 20 cents each would cost an extra $24 a year".

Here is where the numbers game really kicks in. 

If you assume 10 unsolicited text messages per month (which is a lot in my opinion!) this equates to $2 per month (using their pricing model).  Surely some people will wait on the phone on principle alone in order to fight this additional $2 charge on their bill every month; however, many will say that the long telephone waits in order to fight the charge and get it removed are simply not a productive use of their time and will leave it alone.  This, of course, raises the question of what the breaking point is.  At what point do the lines cross whereby it is an efficient use of time to fight the charge?  The answer to that question will lie with each individual consumer.

Where was I?  Oh, yes!  Security!

The article mentions that "The carriers regularly adjust spam filters to block offending messages. At Sprint, more than 65 percent of all text messages sent over its network are identified and blocked as spam before they reach customers."  Spammers are aware that spam filtering for SMS spam is still not very mature.  As such, it is a target that is more easily exploited than spam over email.  To look at this as a cynic, is this also something that cell phone companies are putting considerable money towards stopping considering the amount of revenue being generated? 

I, as well as many others across the security industry, have been predicting the wider-scale movement of spam to mobile devices for the past couple of years now and have also discussed how much easier that movement is becoming due to the inbox and the personal computer becoming a lot more mobile.  I wouldn't yet say that we have turned the corner as it relates to mobile spam, nor would I say that we are on the verge of an epic increase, but the problem definitely continues to grow as the filtering technology lags behind.  Mobile malware continues to grow also, albeit not nearly at the same rate as personal computer based malware.  Now that most phones are coming with internet access, however, the protections on those devices need to be at least on par with what is being provided for PCs.


Posted by smasiello at 12:35 PM | 3 comments
07 January 2008

When is Spam Really Going Away?

Bill Gates has predicted the demise of spam. Many others have developed feature-rich and not so feature-rich applications to defeat spam on a variety of platforms.

A question that I am asked by a lot of people when they find out not only who I work for, but what my role is with the company is "Will the spam war ever be won?" That's always a difficult question to answer because the definition of spam keeps changing. This means the rules of engagement and the war itself also keeps changing. For example, the classic definition of spam that most people think of when they hear the moniker is the type that appears in your email inbox. Over the past couple of years as more and more internet technologies have increased in wide-scale usage we have been graced with other spam related acronyms/terms like SPIM (Spam over Instant Messenger), SPIT (Spam over Internet Telephony), vishing, smishing, and bacn (most recently). One of the Storm Worm variants even dabbled in popup spam where infected machines displayed a stock pump and dump scam via a web browser popup window.

I would say that certain parts of the spam war are being fought better than others (such as the fight for the inbox), but in other areas the abuse technology is so new and measures to find ways to fight it are in such nascent stages that they aren't all that effective. They'll certainly improve, but while the technology to fight the problem evolves, so also changes the ways in which the technologies are being abused.

The words "personal computer" and "Inbox" are becoming more and more ambiguous every day with the advancing technologies of smart phones, PDAs, and other communication devices. There is very little from a business productivity perspective that you cannot do on your mobile device anymore. As such more and more people are using their phones and PDAs just as they would use any laptop or desktop PC. This creates additional avenues for abuse. Spammers have been and will continue to look for new and inventive ways to latch onto and take advantage of any emerging technology whether that be SMS, network and browser popups, voicemail injection, instant messenger, or whatever real-time communication technology comes next. With those changes, so continues and evolves the fight against spam.

Posted by smasiello at 4:19 PM | 0 comments
04 January 2008

Alan Ralsky Indicted on Spam Charges

Spammer Alan Ralsky, arrested back in April, has been indicted along with 10 accomplices for the spam ring that he was running which made money using stock pump and dump scams on lightly traded Chinese penny stocks.

I certainly applaud the fact that he is starting to move through the judicial system and my hope is that he and his gang are put away for a very long time. From an industry perspective, though, my position is and always has been that arresting individual spammers doesn't make any tangible difference. Our mail servers won't be processing any less spam because Ralsky, Soloway, or any other "Spam King" is off the streets. There are always more spammers-to-be waiting in the wings behind them.

So as unfortunate as it is, don't expect to see any difference in the amount of spam ending up in your spam folders.

Posted by smasiello at 10:56 AM | 0 comments
27 December 2007

2007 Year in Review

I realize that I have been a bit lax in my posting over the past couple of weeks with the holidays and having been sick for a goodly amount of time (is any time that you are sick really "good" time?) as well. I thought I would take some time to attempt to bring 2007 to a close with a wrap up of what we have seen this year. I'll probably make some references to our 2008 predictions blog posting as well since some of what we have seen this year will carry over to next and beyond.

2007 will most certainly be known in the anti-spam and anti-malware worlds as the year of the Storm Worm. From late January when Storm was first discovered all the way through the end of the year, where even up to this weekend we continued to see additional Christmas e-card variants popping up, Storm Worm volumes not only eclipsed every other piece of malcode that we saw in our Threat Center, but also surpassed volumes seen previously only in the outbreaks of the Sober worm back in 2005. Since the Storm Worm has been so adept at refining its social engineering tactics and has primarily been releasing new variants around major events like holidays, expect this to continue into 2008, likely morphing into political spam as the presidential races continue to heat up.

Speaking of social engineering, we saw several refinements this year not only in how it is used as a lure to attempt to get a user to open a message, but in how spam mail itself is targeted. Starting in late May and continuing through June (there was another that popped up in December also) spammers were forging emails purporting to be from government agencies like the FTC and non-profits like the Better Business Bureau in an attempt to make the message look like a complaint was being filed against the target company. What made these messages so unique and effective is that they were targeted and sent directly to C-level executives. If the target opened the attachment/clicked the link within the message body they were infected with a keylogger which would log any information input into the infected machine and upload it to a web site where cyber criminals were then selling that information for profit.

We also saw a significant shift away from image-based spam, a tactic that had been prevalent in larger volumes since December 2005. Image spam had been the big spam story throughout all of 2006 and even into the early parts of 2007, reaching almost 40% of spam volumes in April of this year. As it reached its peak, however, it quickly started to decline. As image spam waned, we saw the dawn of a new spam: PDF spam!

PDF spam forced the industry to react quickly and make sure that it was treating messages as holistic entities examining not only message headers and body content, but the content of attachments to ensure that spam content was not being hidden in there.

Although PDF spam volumes were short lived, they highlighted the rapid movement away from image spam to the point where image spam is currently less than 3% of all spam volume that we see. PDF spam also introduced additional challenges that image spam did not. Not only were messages larger due to the existence of the PDF attachment (this was a similar characteristic of what we saw with image spam so at least this in itself did not introduce any new challenges), but since PDFs need to be scanned for potential malcode they required the additional system resources of a virus scan. Many more CPU cycles were being chewed by processing PDF spam as opposed to its image based predecessor. PDF spam lasted in large quantities for only about a month.

As PDF spam waned we have been seeing some minimal increases in other types of attachment based spam with spam sometimes appearing within the body of a Word doc or an Excel spreadsheet. Volumes of this type of spam are still quite low, but could easily be leveraged for a wide scale attack similar to how PDF spam was used. Most of the tactics now have gone back to what I call "old school" style spam where spammers have been resorting back to text obfuscations in an effort to get their junk through spam filters.
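The two filtering points above (treat a message as one unit and look inside attachment content, not just headers and body, and undo text obfuscations before keyword matching) can be shown in a few dozen lines. The script below is an added example, not code from the original post or from MX Logic. It builds a constructed sample message whose body is clean but whose uncompressed single-page PDF attachment carries the spam text, extracts the literal strings from the PDF, normalizes common character substitutions, and matches against a watch list. The watch list, the substitution table, the addresses and the message are all assumptions made for the demo; real PDFs usually compress their content streams and need a proper PDF parser.

```python
import re
from email.message import EmailMessage

# Constructed watch list for the demo; a production filter scores a large
# corpus of tokens rather than matching a handful of phrases.
WATCHWORDS = ("cheap meds", "viagra")

# Character substitutions used to dodge naive keyword matches (assumed table).
# Multi-character glyphs are replaced first, then single characters.
LEET_MULTI = {"\\/": "v", "|\\|": "n"}
LEET_SINGLE = str.maketrans({"1": "i", "!": "i", "0": "o", "@": "a", "$": "s",
                             "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})


def normalize(text: str) -> str:
    """Undo common text obfuscations so keyword matching sees the intended word.
    Applied to a matching copy only; the message itself is left untouched."""
    t = text.lower()
    for src, dst in LEET_MULTI.items():
        t = t.replace(src, dst)
    t = t.translate(LEET_SINGLE)
    # Collapse separators stuffed between single letters ("v.i.a.g.r.a", "v i a g r a").
    return re.sub(r"(?<=\b\w)[\s.\-_*]+(?=\w\b)", "", t)


def pdf_text(data: bytes) -> str:
    """Pull literal strings out of uncompressed PDF text-showing (Tj) operators.
    Real PDFs normally Flate-compress their content streams and need a PDF
    library; this handles only the plain case the constructed sample uses."""
    return " ".join(m.group(1).decode("latin-1")
                    for m in re.finditer(rb"\((.*?)\)\s*Tj", data))


def build_sample_pdf(text: str) -> bytes:
    """Constructed single-page PDF with one uncompressed text stream."""
    stream = f"BT /F1 12 Tf 72 720 Td ({text}) Tj ET".encode("latin-1")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(stream)).encode() + b" >> stream\n"
            + stream + b"\nendstream endobj\n%%EOF\n")


def build_sample_message() -> EmailMessage:
    """Constructed message: clean body text, spam text hidden in the PDF."""
    msg = EmailMessage()
    msg["From"] = "promo@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your order"
    msg.set_content("Hi, your order details are in the attached PDF.")
    msg.add_attachment(build_sample_pdf("Cheap meds - buy \\/1agra today"),
                       maintype="application", subtype="pdf", filename="order.pdf")
    return msg


def scan_message(msg: EmailMessage) -> list:
    """Examine subject, body and attachment content as one unit and return
    (location, watchword) pairs for every hit."""
    sources = [("subject", msg["Subject"] or "")]
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            sources.append(("body", part.get_content()))
        elif ctype == "application/pdf":
            sources.append((f"attachment:{part.get_filename()}",
                            pdf_text(part.get_payload(decode=True))))
    findings = []
    for label, text in sources:
        norm = normalize(text)
        findings.extend((label, word) for word in WATCHWORDS if word in norm)
    return findings


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print(hit)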

So, as you can see, a lot has happened in 2007 and the forecast for 2008 looks to bring about some new challenges as these existing threats evolve and as new ones emerge. If you'd like some more information on what we expect to see next year and forward, feel free to read my 2008 predictions blog. In the meantime, here's to hoping everyone has a safe and wonderful holiday season.

Posted by smasiello at 1:56 PM | 2 comments
05 December 2007

2008 Spam/Malware Predictions

As we near the end of another year I can say with surety that 2007 will be remembered among spam and malware filtering companies as the year of the Storm Worm. In 2005 it was the year of the Sober worm, but 2007 has most definitely been owned by Storm and its many variants.

So, as we close out 2007 we start to look forward to 2008. What are some of the 2007 trends that we expect to continue in 2008? What will be new? How will current trends evolve?

Here are some of my random thoughts:

-- We will see an increased prevalence of Web 2.0 attacks.

When we talk about "Web 2.0" we are talking mostly about interactive communities like blogs, wikis, and social networking sites like MySpace and Facebook. Web 2.0 sites provide a richer, more interactive internet experience for their users, which extends the internet beyond just your typical "download content and view pages" approach and puts users in more control over the content.

From a user experience perspective, this is a great idea, but typically what makes things easier for the user carries along with it some level of security implication.

As part of the Web 2.0 experience, more code execution is being pushed to the client browser. This doesn't necessarily change the types of attacks that exist in Web 2.0 applications versus Web 1.0 applications (attacks like XSS, SQL Injection, and CSRF still exist just as they did before), but now will manifest themselves in different ways. As such it will be the responsibility of the application developer to be more aware of client side input validation and make sure that potentially malicious code never makes it from the "untrusted" user environment to a site's "trusted" backend infrastructure. Cyber criminals will try to exploit these potential vulnerabilities in code validation as much as possible.
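As an added example (not code from the original post and not MX Logic's), the Python below shows the server-side half of the point above for the three attack classes the post names: the same user input handled unsafely and safely for SQL injection and XSS, a token check for CSRF, and an allow-list validation that the server performs regardless of what the client-side code already checked. The table rows, the addresses, the form markup and the token scheme are all constructed for the demo.

```python
import hmac
import html
import re
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; the names and addresses are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the SQL text, so characters in the input
    (here a plain apostrophe) change the statement's structure instead of
    being treated as data. This is the SQL injection pattern."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The SQL text is fixed; the input is bound as a parameter and is only
    ever compared as a value, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def quote_breaks_unsafe_query(conn: sqlite3.Connection, name: str) -> bool:
    """True if the unsafe lookup cannot even run for this input, i.e. the
    input has altered the statement the developer wrote."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


def render_unsafe(comment: str) -> str:
    """Copies user text into HTML verbatim, so tags in the input become part
    of the page (the XSS pattern)."""
    return '<p class="comment">' + comment + '</p>'


def render_safe(comment: str) -> str:
    """Encodes for the HTML text context so the browser shows the input as text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def new_csrf_token() -> str:
    """Per-session secret the server stores and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, submitted: str) -> bool:
    """A state-changing request is accepted only if it carries the token the
    server issued to this session; a request forged from another site cannot
    read that token. Constant-time comparison avoids a timing side channel."""
    return hmac.compare_digest(session_token, submitted or "")


def is_valid_username(name: str) -> bool:
    """Server-side allow-list on shape. Client-side checks are a convenience
    for the user and can be bypassed, so the server repeats them."""
    return re.fullmatch(r"[A-Za-z0-9'\-]{1,32}", name) is not None


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "O'Brien"))                      # works: the quote is data
    print(quote_breaks_unsafe_query(db, "O'Brien"))        # True: the quote broke the SQL
    print(render_safe("<b>hi</b>"))                        # tags are shown, not run
```

The apostrophe in "O'Brien" is enough to show the defect: no attack payload is needed, because any input that the concatenated query cannot tolerate is input that has changed the statement. Parameter binding and context-appropriate output encoding are the two controls that keep untrusted input on the data side of the trust boundary the post describes.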

-- We will see an increase in "blended threats" in 2008.

If you are not familiar with the term "blended threat" it is a combination type of threat which will mix the data stealing capabilities of malware with backdoor botnet capabilities. What this means is that if you are infected with one of these hybrid types of malware you could have a keylogger installed on your machine which is logging your keystrokes and sending your potentially confidential and personally identifiable information to a cyber crook for sale in the underground community, but your machine is also available as a spam zombie such that botnet herders can rent time on your computer to send out spam/viruses/etc.

The holiday season is a particularly interesting time to potentially see these types of threats also because of the amount of online shopping that takes place in the 5 weeks between Thanksgiving and Christmas. comScore recently released their Cyber Monday 2007 Statistics which showed that $733 million was spent online on Cyber Monday (the Monday after the Thanksgiving weekend) alone. This is obviously a target that is too large for criminals to ignore.

-- Abuse will continue to move into other forms of communication

We've already seen some of this in 2007, but it is something that we expect to continue not only into 2008 but beyond.

Mobile phone and PDA abuse is already a big problem in places like Europe and Japan. It isn't so much so yet in the United States, but as smartphones make more of a movement into the space where they allow the development and installation of third party applications users will need to be continually wary of the security implications of these new conveniences. The line between the PC and the phone is becoming blurrier every day and as such mobile computing devices will soon need to deploy the same types of security suites that should be installed on every desktop and laptop PC.

We also expect to see more tele-spam (spam sent via VoIP technologies) and voicemail injection (the compromising of vulnerable VoIP systems to inject spam voicemail directly into a user's voicemail inbox).

In the vein of "targets too large for criminals to ignore" the smartphone industry is expected to be a $250B industry by 2011. You can be sure that cyber criminals will do whatever they can to get a piece of that pie!

-- Continued movement of malware away from email as a primary distribution vector.

This is another one of those trends that we have seen shift over the past year or two. Malware authors have already begun the movement from the "push" based method of infection that we have talked about previously (where static malware content is pushed to the user via an email attachment) to a "pull" based model where users pull the content from a web site, typically lured to by a link in either an email or an instant message.

The Storm Worm is actually a great example of this transition in action. Early versions of the Storm Worm pushed executable file attachments to unsuspecting users which, when opened, would infect the user's PC with Storm. Later variants used social engineering tactics like fake, malicious e-cards to lure people to web sites to download more dynamic pieces of malware.

More and more viruses have been following this trend over the last year or two and we expect this trend to continue. By 2009 or 2010 we expect malware distribution by internet pull based methods to surpass email as a distribution vector making it the primary method of infection. The email virus is likely to never completely go away, but the dynamic nature of the web as a way to distribute malware carries many advantages that email's static nature does not.

-- More targeted phishing/malware attacks

What discussion about social engineering would be complete without a mention of the evolution of tactics by cyber criminals in an effort to establish legitimacy with their targets?

Social engineering has always been the key ingredient to the success or failure of any cyber crime campaign. If you can do it well, you will have a significantly greater chance of success than if you don't. The Storm and Sober worms (the last two really successful email-borne malware campaigns) were successful because of the social engineering tactics they used (Paris Hilton videos, free World Cup tickets, and e-cards as a few examples). As cyber criminals continue to launch new campaigns, you can be certain that they will refine their social engineering tactics to the point where even the trained eye will have trouble quickly determining the (il)legitimacy of an email.

These attacks will also become more targeted, similar to the government agency scams from earlier this year that were sent primarily to C-level executives. Effective social engineering combined with good targeting methods virtually ensures that there will always be people who will fall for these scams, which will always leave spam as a virtually 100% profitable venture.

Posted by smasiello at 10:35 AM | 1 comment
17 September 2007

Hang On! It's going to be a wild ride!

It's going to be a wild last 3 months of the year for ISPs of all kinds.

Over the last 2-3 months we have seen over a 60% increase in mail traffic (mostly attributed to the Storm Worm and its many variants). Since the Christmas marketing season will soon be upon us I would not be surprised if internet email traffic at least doubled on top of where it is now before the year is out.

If you don't believe that you are equipped to handle this kind of additional load, NOW is the time to act!

Protect your mail infrastructure!

Protect your network!

Most of all, protect your business!

(We now return you to your regularly scheduled programming)

Posted by smasiello at 9:35 AM | 0 comments