We posed this question to security experts: If leading email filtering products detect and block 95 percent to 99 percent of unwanted email messages, with few if any false positives, why can't we declare victory?
The answer is simple: spam still pays. So do phishing scams and links in email messages to compromised websites.
"The return on investment is still very high for a very low click-through rate," says Paul Ferguson, threat researcher for Trend Micro. "If [attackers] get one person to go to a discount pharmacy site, they've made their money back in spades."
Messaging platforms remain a viable attack vector for hackers who primarily rely on botnets of hijacked PCs to flood the Internet with bogus messages. The messages ply on users with the same kinds of social engineering tactics attackers used in 2004, pushing suspect drugs and knock-off watches. However, rather than using executable email attachments, attackers are luring users to phishing sites or bogus sites, infecting users with malicious drive-by downloads.
The implications for business are enormous -- damage to corporate branding; the loss of customer and business personal information; and the undermining of confidence in Internet commerce.
McCOLO SHUTDOWN A SMALL VICTORY
Messaging threats remain a thorn in the side of security managers, and are growing in sophistication as they target specific industries, businesses or individuals within a corporation. And even noteworthy victories against spammers, such as the shutdowns of McColo and EstDomains, criminals still buy, use and dump domains by the thousands with relatively little risk. Service providers and domain registrars are often unwilling or unable to move against them or even investigate complaints, experts say, especially outside of North America and Western Europe.
And they're moving into new attack arenas. As social networks enjoy explosive growth--Facebook just passed 300 million users--for individual and business communication, attackers are spamming and phishing those trusted and relatively unprotected users.
"Spammers try to evade filters by throwing more and more legitimate content into email messages," says Dylan Morss, Symantec's senior manager for antispam engineering. "Malware toolkits leverage search engine dumps, and enter random chunks of content from Web pages into the message body, html code and subject lines."
They will also switch domains, trying to stay a step ahead of Web reputation filters, which vendors say stop 70 percent to 80 percent of unwanted messages before they hit the corporate gateway.
"They recycle new domain names; that's how they get by the filters," says Garth Bruen, owner of KnujOn ("no junk" spelled backwards), which analyzes known bad messages to detect electronic fraud, protect clients' branding and attempt to shut down illicit domains. "They buy thousands of domains--they're all redirected to just a handful of actual transaction domains -- use them and dump them."
This dynamism makes antispam unique in the security world. For example, consider how dynamic the arms race is between malware creators and antivirus vendors, with new malware variants appearing in unprecedented numbers. ICSA Labs, tests AV products monthly to see if they continue to maintain certification standards.
"We test certified antispam products for effectiveness and false positives every single day," says Jack Walsh, the labs' antispam and network IPS program manager. "Antispam products are different because spam is changing all the time."
Spammers are working constantly to keep that small window open. Common techniques include dynamically randomizing messages, putting pressure on email security vendors to update their filters.
|Messaging Security Tips|
If you think your antispam filter is enough, think again. As with all areas of security, secure messaging depends on a combination of sound policies and processes, education and technology.
Spell out safe email practices in your policies. Don't assume your employees know what and what not to do. As a matter of policy, employees should not open attachments or click on links unless they are absolutely sure who the email is from. This also means the employee is accountable for their actions.
Formulate and enforce a Web 2.0 policy. Conduct a risk assessment of allowing both casual social networking and potential business uses versus threats. Then create a policy designed to minimize security risks. You may want to have different policies for employees with legitimate business uses and recreational users.
Have an email format. This spells out how emails should be constructed, including what should be included in signatures. There are non-security benefits, but it will help also help users distinguish between legitimate emails and targeted phishing attacks.
Patch client applications. Many messaging attacks exploit application vulnerabilities, using, for example, specially crafted Word or PDF documents, rather than executables, which users are more likely to avoid.
Invest in strong email security technology. Get that 95 percent to 99 percent spam detection and strong antimalware components. Compare product reports and certifications. Consider cloud-based services as well as software or appliance products.
Complement email with Web gateway security. Since most threats, including many social networking, email and webrmail attacks, are Web-based, select a product or service that employs multiple antimalware engines, dynamic URL filtering and Web reputation evaluation.
Train, train, train. Keep your users up to date on the latest phishing, targeted attack and social engineering techniques. Pay particular attention to social networking site risks, because employees will be more trusting there. Train new employees in safe email practices as part of their orientation.
Despite other attack vectors, such as webmail, social networks, and the use of search engine optimization to boost search results of compromised sites, up to 90 percent of email is spam, underscoring its continued value despite high detection rates.
Many business users have a high level of protection in the workplace, and major ISPs filter most of the spam headed for home networks. On the other hand, the effectiveness of antispam filters may give users a greater sense of trust in the messages that do appear in their inboxes, and there are still small businesses and home users whose email is not 95 percent to 99 percent clean.
Botnets, each comprising thousands of' virtually undetectable PC zombies have lowered operating costs dramatically for attackers. Sophos reports that almost all spam is sent from bots on home user computers.
Significantly, one of the worst botnets, Srizbi, initially distributed by drive-by downloads, was subsequently spread through spam, according to a Cisco Systems report. The spammers used the usual type of social engineering tricks to get readers to click on an executable. Srizbi was particularly effective because of its sophisticated spam acceleration engine, which, Cisco reports, was sold to botnet owners on a software-as-a service basis.
Another prime example is Waledac, from the creators of the Storm botnet, which was spread early in the year in spam referencing the Obama inauguration, as well as holiday-related lures.
If this sort of thing still works, it's easy to see why spammers keep spamming.
HOSTING COMPANIES, DOMAIN REGISTRARS SHARE BLAME
The bad guys can't do business without the acquiescence or at least benign neglect of certain hosting providers and domain registrars. Last year's shutdown of McColo and EstDomains put a big if temporary dent in illicit messaging activity, showing what can be accomplished when bad actors are exposed.
However, experts agree that identifying domains that host malicious activity isn't always easy, and shutting them down is a complex problem that involves politics and, of course, money. The bad guys are unlikely to repeat the arrogant mistake of putting so many eggs in one basket again.
Upstream providers Hurricane Electric and Global Crossing cut off McColo when presented with the evidence of its practices, and ICANN moved quickly to revoke EstDomain's accreditation, but this doesn't necessarily mean we'll see a lot more of these kinds of actions any time soon.
The economics are compelling for hosting companies and registrars, which typically operate on thin margins.
"ISPs and domain registrars, especially those operating on thin margins in a competitive market, are not incentivized to care," says Trend Micro's Ferguson. "Every time they pick up a customer support phone, they lose money."
Some ISPs and registrars look the other way, and some are not aware of the criminal activity, but there's a lot at stake, says Bruen.
Criminals buy domains in bulk, use them and then quickly dump them to avoid detection by security vendors' email-sender and Web-reputation filters. (Bruen says one vendor is considering raising the reputation filtering stakes by blocking delivery at provider level for ISPs and registrars that hit a specified threshold for IP addresses or domains being used in spam campaigns.)
"There's a considerable amount of corruption in the domain name industry," he says. "A typical spam campaign uses at least 10,000 domain names, abuse them for a week and throw them away. Registrars don't have other customers like that."
Lysa Myers, director of research at West Coast Labs, says that major ISPs in the U.S. and Europe tend to be cooperative when presented with evidence of bad behavior and turn it over to their abuse departments.
"But those in other parts of the world -- Eastern Europe, China, East Asia are not as responsive, and that's a real problem," she says. "They may not have the power to shut them down, or the activities may not be illegal in that country."
Ferguson says Trend Micro has agreements in place with the top-level domains--.com, .net, .org, .info--to analyze copies of entire domain zone files several times a day, looking for changes that raise red flags.
You have to negotiate with each registry, because each has its own policies on what constitutes suspicious action, how to put a domain on a watchlist etc. This is easy with the top-level domains, but can be tougher with some country-level registries.
"Some have a lot of policy loopholes that bad guys can exploit," Ferguson says. "They register with a top level that has a history of not working abuse issues.
"For example, they'll go to registrars in China and bulk-register all kinds of English language domains, like BestPetMeds.cn, set the DNS pointer to some IP in the Ukraine or the Netherlands, and they're off to the races."
Bruen says shutting down domains not only hurts criminals' infrastructure, but minimizes the value of spam.
"You can't buy anything if you click on a dead link," he says. "The goal of a spam campaign is to complete transactions. You reduce the value of junk mail because the value of the site is reduced."
And, while law enforcement faces a real challenge.
"We've had some success when the bad actors are in the United States," says Ferguson, "but in Eastern Europe, really dangerous criminals operate brazenly in the open without any fear of retribution. And, it's hard to get a subpoena on information based on 'persons unknown' in Eastern Europe."
"Law enforcement has to jump through hoops," says Myers, director of research at West Coast Labs. "And, the speed with which law works is in days, weeks or months, while the Internet works in seconds and minutes. You're working on something and poof, it's gone, and there goes a big chunk of evidence."
SOCIAL NETWORKS GROWING PLATFORM FOR SPAM, PHISHING
It's no longer just about email. Our definition of Internet messaging is evolving rapidly. Your customers and your employees are communicating via social networking sites such as Facebook and Twitter. After investing heavily in email security technology and training users to be cautious, businesses have to deal with the new threats and business opportunities posed by these sites.
Most business users are wary of socially engineered email messages, and enterprises and ISPs counter email threats with security measures to reduce the opportunities to make bad choices. Facebook, MySpace, Twitter, LinkedIn et al have changed all that.
Hundreds of millions communicate and share information in highly insecure and yet trusted Web environments. "The general user community thinks because it's new, it's safe," Myers says. "Criminals see the trends and stay on the leading edge of people's understanding and comfort levels so they can get in before people get wary."
Scammer use social engineering ploys to exploit this implicit trust by:
- Setting up fake profiles, which they use to launch phishing attacks on other users and/or post malicious links.
- Using phished accounts of real users to distribute spam to contacts, phish other accounts, and, again, send malicious links.
- Gathering sufficient intelligence about a user to launch a targeted attack. Symantec's MessageLabs has reported that this type of profile spoofing was moving into the corporate world.
"You are privy to a lot more details about that person than you would have if you just sent an email," says Knujon's Bruen. "You have a lot more tools in your toolbox to hack someone's life rather than just hack their mailbox."
There have been numerous reports of attacks on social networking sites, including worms such as the Koobface worm on Facebook, redirects on Twitter because of a URL-shortening service hack and phishing attacks on Twitter. Last month, fake Twitter accounts were used to trick users into downloading fake antivirus software, or "scareware." The scammers were able to create the accounts by breaking CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) technology designed to prevent automated account registration. (Attackers also use CAPTCHA-busting techniques, which can be automated by bots, to create fake webmail accounts, that they use to distribute spam.)
But companies don't have the kind of control they can exercise over corporate email. Antispam tools became popular because of operational and productivity issues first, security a more recent and distant second. Spam was overwhelming mail servers and eating up employees' time. Social networking sites present similar security issues, but not the same operational concerns. (Some companies have responded by limiting employee time on these sites, but that's analogous to using URL filtering to reduce casual Web browsing.)
The messaging threats environment is more dangerous than ever. Spam and phishing attacks are still paying off, as botnets spawn millions of messages at virtually no cost. Criminals operate with impunity almost a year after McColo and EstDomains. We're warned that smartphones are a coming attack vector, but certainly social networking and webmail are very real security problems.
"What defines messaging is completely evolving," says Trend Micro's Ferguson. "What keeps people awake at night is, 'Do I have the next vector covered? Am I covered not only through email, but all the other ways that people are communicating?"
Neil Roiter is senior technology editor of Information Security. Send comments on this article to firstname.lastname@example.org.