In the wake of the dramatic drop-off in spam volume following the shutdown of network hosting provider McColo and domain name registrar EstDomains, security pros should be on the lookout for spammers exploiting alternative vectors in 2009.
January spam reports from McAfee Inc. and Symantec Corp. show that spam volume is creeping up, but still remains well below the levels before the November shutdowns of McColo and EstDomains. Depending on your perspective, the glass is half full or half empty. Under the headline "Memory of McColo Shutdown Fades as the Increase in Spam Volumes Continue in December," the Symantec spam report shows volume has crept up to 80% of pre-McColo levels. The McAfee spam report says volume was still 40% below those levels, despite expectations that December would have otherwise seen record numbers.
But does the post-McColo increase reflect expected growth, or show that spammers are getting back in the game?
"It's difficult to ascertain, but that's a very short time for it to come back up," said Dermot Harnett, Symantec principal analyst for antispam engineering and one of the report's editors. "We wouldn't see this sort of bounce after the holidays. It is directly related to spammers going out and redeploying botnets, because at the end of the day they're still seeing a return on their investment," Harnett said.
What's surprising is not that spam is increasing, but that spammers didn't move quickly en masse to alternative hosts. That indicates that despite the pervasive image of the sophisticated, well-constructed infrastructure, the bad guys fell short on basic business continuity and disaster recovery planning. The evidence suggests that spammers didn't bounce back off the canvas because they couldn't.
"I would have thought certain things would have come back quicker, but I really do think they didn't expect a friendly provider to be taken offline," said Dave Marcus, director of security research and communications for McAfee Avert Labs. "The bad guys have been doing this with near impunity for years; I really think they were completely unprepared and didn't have resiliency built into their spam services."
Journalists will tell you that criminals are caught as much by their own stupidity as by sharp police work. At the very least, the spammers displayed a certain arrogance about their invulnerability. Time will tell whether they learned a lesson and build in some redundancy against the next major host shutdown.
McColo wasn't the only bad news for the spam industry. Last spring the ICANN board put the brakes (the limits are not permanent at this point) on the abusive practice of domain tasting, which allowed registrars to float millions of domains, exchanging them daily for ones that yield better search engine placement and generate more advertising revenue. (The abuse was possible because ICANN allowed a five-day grace period in which a domain can be registered and then returned for a full refund.)
In the wake of this action, McAfee and ICANN each said that Add Grace Period (AGP) domain deletions were down 84%.
"By taking away domain tasting, we're removing a vector they were fairly successful with," Marcus said. "This makes them transfer their vectors and look for new ways of sending out large quantities. They'll simply transfer tactics."
The reports reflect new emphasis on some of these tactics. These victories have slowed the spam generation machinery, but the reports show that spammers are improving old techniques and exploiting new, less protected vectors for both high-volume saturation spamming and targeted attacks.
For example, Symantec's December report showed a rise in "piggyback" spam attacks, in which a spam image, such as an ad for male performance-enhancing drugs, is inserted in a legitimate newsletter template in an effort to evade antispam engines.
Both McAfee and Symantec said the recession will be heavily exploited in 2009, with messages promising jobs, quick, easy money, and debt relief. McAfee believes diploma spam -- advertising diplomas and advanced education -- is on the rise and can be timed to coincide with major layoff announcements.
Pharmacy spam continues to be strong, according to McAfee, and Symantec reports an interesting variant, in which spam messages purport to sell illegal drugs -- for example a message with a subject that reads: "Subject: LSD (Best for Home Party, Enjoy With Best Friends)." Illicit drug users are apparently as gullible as the rest of the population -- or perhaps they're too high to exercise good judgment.
As corporate and paid email comes under tighter protection and its users become more savvy, phishing messages are being directed at free webmail service users as well. Symantec reports an upsurge in this vector, which first surfaced early in 2008. The phishing messages purport to come from the service and attempt to grab passwords and email contact lists by tricking users. For example, the message may say their email address has been compromised and is being used to send spam, or that they have to send information to keep their account during a planned maintenance outage.
As spammers try to shrug off their setbacks to exploit as many vectors as possible, McAfee made several predictions about 2009 trends:
Free Web-hosting/blogging services will be increasingly abused by spammers.
Allowing people to create public websites on services like Geocities, Blogspot and Live, without the authentication necessary to purchase a domain name, will facilitate a spammer's ability to get their message across with a minimal expenditure of resources.
More targeted phishing and corporate blackmailing.
Botnets that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market. Browser-based attacks will increasingly be used as the least protected vector in order to transfer payload. Security breaches of confidential data managed by partner and subsidiary companies will force an overhaul of data security practices.
Scams involving home businesses.
"Legitimate" home-business scams generally involve either a pay-up-front, do-it-yourself kit or a pay-to-play shell game of training and certification. We'll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and offer people new bait on the old check-cashing scam.
Both Harnett and Marcus expect the battle against spammers to continue to be one of act and react as security vendors develop better countermeasures, remove malicious hosts, and perhaps score the occasional singular victory such as the McColo shutdown. For their part, the bad guys will continue to profit by drawing in suckers and spreading malware.
"As long as spammers can make money they will continue to put investments in place," Harnett said. "If they get shut down, they'll just go somewhere else, redeploy botnets and send out more spam messages."