June 22, 2015 By Pamela Cobb 3 min read

IBM X-Force has been beating the drum for years on the hazards of spam. With the network capturing over 12 million spam and phishing attacks daily, X-Force researchers dissect and analyze trends and samples with a level of scrutiny that seems out of sync for a security hazard downgraded to mere annoyance by many organizations. Although less troublesome than a flesh wound, spam has evolved from scattershot personal medical enhancements to socially targeted campaigns sold by for-profit operators.

The Life of Spam

Back in the dark ages of 1978, the first unsolicited email was sent to all members of ARPANET, although the term “spam” was not applied to these messages until 1993. In the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, the U.S. Federal Trade Commission enacted a law that sets the rules for commercial email and requires opt-out processes in an effort to curtail the practice of sending spam.

Today, most spam is created by for-profit operators who can attach malware to the spam message to infect networks. Any sort of adversary with the right motivation can hire a spam operator that will build a custom campaign to trick users into opening an attachment or clicking on a link, infecting the corporate network with ransomware or malware faster than an unladen swallow. This attack vector is just one way to create the inadvertent insider, which IBM identified as the source of 23.5 percent of attacks in 2014.

2013 to Now

When X-Force looked at spam in a 2014 report, we focused on the re-emergence of image-based spam, which was engineered to evade keyword detection-based filters. Image-based spam reached its heyday in 2006 to 2007, with 40 percent of all spam containing an image attachment. By the summer of 2007, however, those levels dropped to nearly zero until late 2013, when image attachment rates surged to prior levels.

One of the other hazards of spam is the potential for embedded or attached malware. Just before that image-spam surge in 2013, the rate of spam carrying malware rarely exceeded 1 percent of the total volume. In the “X-Force Threat Intelligence Quarterly – 2Q 2015,” however, X-Force showed that 2014 brought a quadrupling of that malware attachment rate. One such example is the Upatre downloader, which, when opened as an attachment, contacts a command-and-control (C&C) server and downloads Dyre malware, a particularly insidious advanced persistent threat (APT).

Always Look on the Bright Side of Spam

This rise and fall in attack vectors is unsurprising since it’s a common practice for attackers to recycle techniques as security practices become complacent. Often, to increase performance of security products via memory conservation or increased throughput, old signatures get removed or default blocking rules are turned off, paving the way for older attacks to slip through defenses.

Most spammers are operating as for-profit ventures, buying payloads for campaigns whether they are seeking financial gain or theft of intellectual property. The campaigns are cheaper to manufacture when they reuse techniques like image-based spam or infected RAR/ZIP attachments because older code can be recycled or updated with new malware. With an added bonus of a potentially increased success rate, the spammers have double the incentives to run back these techniques.

The bright side for your organization, however, is that spam has been around for such a long time that there are some solid practices to combat it.

There Is No Holy Grail

No one likes spam, but there are some basic steps you can take to minimize the threat to your organization:

  • Keep your spam and virus filters up to date, and revisit blocking rules based on your network traffic.
  • Block executable attachments. In regular business environments, executable attachments are rarely used, and most spam filters can be configured to block executable files even when they are within ZIP attachments.
  • Use mail client software that allows disabling the automatic rendering of attachments and graphics as well as the preloading of links.
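The second bullet, blocking executables even when they arrive inside a ZIP, is the check most gateways get half right: they match on the attachment's own filename and never open the archive. The script below is an added example written for this post, not IBM's or X-Force's code and not any product's default rule set. It parses a constructed sample message with Python's standard library, walks every attachment, and flags executable filenames both at the top level and inside ZIP attachments (descending into nested ZIPs to a fixed depth). The blocked-extension list and size cap are assumptions chosen for illustration; a real deployment would take them from its own mail policy.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Assumption: an illustrative deny list of extensions that rarely belong in
# business email. Real gateways carry a longer, policy-driven list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_MEMBER_BYTES = 5_000_000   # refuse to inflate archive members larger than this
MAX_NESTING = 2                # how many ZIP-inside-ZIP levels to open


def is_executable_name(name: str) -> bool:
    """True when the final extension is on the deny list (catches 'invoice.pdf.exe')."""
    return PurePosixPath(name).suffix.lower() in BLOCKED_EXTENSIONS


def archive_executables(data: bytes, depth: int = 0) -> list:
    """Return names of executable members inside a ZIP payload.

    Nested ZIPs are opened up to MAX_NESTING levels; oversized members and
    unreadable archives are reported rather than silently skipped, since a
    filter that cannot inspect an attachment should not wave it through.
    """
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                suffix = PurePosixPath(name).suffix.lower()
                if is_executable_name(name):
                    found.append(name)
                elif suffix in ARCHIVE_EXTENSIONS and depth < MAX_NESTING:
                    if info.file_size > MAX_MEMBER_BYTES:
                        found.append(f"{name} (oversized, not inspected)")
                        continue
                    inner = archive_executables(zf.read(info), depth + 1)
                    found.extend(f"{name}/{n}" for n in inner)
    except zipfile.BadZipFile:
        found.append("<unreadable archive>")
    return found


def scan_message(raw_bytes: bytes) -> list:
    """Parse an RFC 5322 message and return (verdict, filename, reason) tuples."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Sniff the ZIP magic as well as the declared name, so a renamed
        # archive (e.g. 'scan.dat') is still opened.
        looks_like_zip = payload.startswith(b"PK\x03\x04")
        if is_executable_name(name):
            verdicts.append(("block", name, "executable attachment"))
        elif PurePosixPath(name).suffix.lower() in ARCHIVE_EXTENSIONS or looks_like_zip:
            hits = archive_executables(payload)
            if hits:
                verdicts.append(("block", name, "executable inside archive: " + ", ".join(hits)))
    return verdicts


def build_sample(include_archive_exe: bool = True) -> bytes:
    """Construct a sample message (addresses and contents are made up for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_archive_exe:
            zf.writestr("invoice.pdf.exe", b"MZ not a real program")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 not a real document", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in scan_message(build_sample()):
        print(verdict)
```

Running it prints a single block verdict for `invoice.zip` naming the `invoice.pdf.exe` member; the plain PDF passes. The same walk is where a gateway would also apply the post's other advice, such as counting image-only bodies, since it already has every decoded part in hand.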

Unfortunately, technology is not usually the weakest link in the chain for spam: It’s your people. User education should take as important a role as email protection technology, if not more so. Encourage users to exercise common sense and avoid opening attachments from unknown or unexpected sources. Given the prevalence of spam, not having rigorous user education in place is equivalent to trying to cut down the mightiest tree in the forest with a herring.
