June 22, 2015 By Pamela Cobb 3 min read

IBM X-Force has been beating the drum for years on the hazards of spam. With the network capturing over 12 million spam and phishing attacks daily, X-Force researchers dissect and analyze trends and samples with a level of scrutiny that seems out of sync for a security hazard downgraded to mere annoyance by many organizations. Although less troublesome than a flesh wound, spam has evolved from scattershot personal medical enhancements to socially targeted campaigns sold by for-profit operators.

The Life of Spam

Back in the dark ages of 1978, the first unsolicited email was sent to all members of ARPANET, although the term “spam” was not applied to these messages until 1993. In the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, the U.S. Federal Trade Commission enacted a law that sets the rules for commercial email and requires opt-out processes in an effort to curtail the practice of sending spam.

Today, most spam is created by for-profit operators who can attach malware to the spam message to infect networks. Any sort of adversary with the right motivation can hire a spam operator that will build a custom campaign to trick users to open an attachment or click on a link, infecting the corporate network with ransomware or malware faster than an unladen swallow. This attack vector is just one way to create the inadvertent insider, which IBM identified as the source of 23.5 percent of attacks in 2014.

2013 to Now

When X-Force looked at spam in a 2014 report, we focused on the re-emergence of image-based spam, which was engineered to evade keyword detection-based filters. Image-based spam reached its heyday in 2006 to 2007, with 40 percent of all spam containing an image attachment. By the summer of 2007, however, those levels dropped to nearly zero until late 2013, when image attachment rates surged to prior levels.

One of the other hazards of spam is the potential for embedded or attached malware. Just before that image-spam surge in 2013, the rate of spam carrying malware rarely exceeded 1 percent of the total volume. In the “X-Force Threat Intelligence Quarterly – 2Q 2015,” however, X-Force showed that 2014 brought a quadrupling of that malware attachment rate. One such example is the Upatre downloader, which, when opened as an attachment, contacts a command-and-control (C&C) server and downloads Dyre malware, a particularly insidious advanced persistent threat (APT).

Always Look on the Bright Side of Spam

This rise and fall in attack vectors is unsurprising since it’s a common practice for attackers to recycle techniques as security practices become complacent. Often, to increase performance of security products via memory conservation or increased throughput, old signatures get removed or default blocking rules are turned off, paving the way for older attacks to slip through defenses.

Most spammers are operating as for-profit ventures, buying payloads for campaigns whether they are seeking financial gain or theft of intellectual property. The campaigns are cheaper to manufacture when they reuse techniques like image-based spam or infected RAR/ZIP attachments because older code can be recycled or updated with new malware. With an added bonus of a potentially increased success rate, the spammers have double the incentives to run back these techniques.

The bright side for your organization, however, is that spam has been around for such a long time that there are some solid practices to combat it.

There Is No Holy Grail

No one likes spam, but there are some basic steps you can take to minimize the threat to your organization:

  • Keep your spam and virus filters up to date, and revisit blocking rules based on your network traffic.
  • Block executable attachments. In regular business environments, executable attachments are rarely used, and most spam filters can be configured to block executable files even when they are within ZIP attachments.
  • Use mail client software that allows disabling the automatic rendering of attachments and graphics as well as the preloading of links.

Unfortunately, technology is not usually the weakest link in the chain for spam: It’s your people. User education should take as important a role as email protection technology, if not more so. Encourage users to exercise common sense and avoid opening attachments from unknown or expected sources. Given the prevalence of spam, not having rigorous user education in place is the equivalent to trying to cut down the mightiest tree in the forest with a herring.

More from X-Force

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today