IBM X-Force has been beating the drum for years on the hazards of spam. With the network capturing over 12 million spam and phishing attacks daily, X-Force researchers dissect and analyze trends and samples with a level of scrutiny that seems out of sync for a security hazard downgraded to mere annoyance by many organizations. Although less troublesome than a flesh wound, spam has evolved from scattershot personal medical enhancements to socially targeted campaigns sold by for-profit operators.
The Life of Spam
Back in the dark ages of 1978, the first unsolicited email was sent to all members of ARPANET, although the term “spam” was not applied to these messages until 1993. In the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, the U.S. Federal Trade Commission enacted a law that sets the rules for commercial email and requires opt-out processes in an effort to curtail the practice of sending spam.
Today, most spam is created by for-profit operators who can attach malware to the spam message to infect networks. Any sort of adversary with the right motivation can hire a spam operator that will build a custom campaign to trick users to open an attachment or click on a link, infecting the corporate network with ransomware or malware faster than an unladen swallow. This attack vector is just one way to create the inadvertent insider, which IBM identified as the source of 23.5 percent of attacks in 2014.
2013 to Now
When X-Force looked at spam in a 2014 report, we focused on the re-emergence of image-based spam, which was engineered to evade keyword detection-based filters. Image-based spam reached its heyday in 2006 to 2007, with 40 percent of all spam containing an image attachment. By the summer of 2007, however, those levels dropped to nearly zero until late 2013, when image attachment rates surged to prior levels.
One of the other hazards of spam is the potential for embedded or attached malware. Just before that image-spam surge in 2013, the rate of spam carrying malware rarely exceeded 1 percent of the total volume. In the “X-Force Threat Intelligence Quarterly – 2Q 2015,” however, X-Force showed that 2014 brought a quadrupling of that malware attachment rate. One such example is the Upatre downloader, which, when opened as an attachment, contacts a command-and-control (C&C) server and downloads Dyre malware, a particularly insidious advanced persistent threat (APT).
Always Look on the Bright Side of Spam
This rise and fall in attack vectors is unsurprising since it’s a common practice for attackers to recycle techniques as security practices become complacent. Often, to increase performance of security products via memory conservation or increased throughput, old signatures get removed or default blocking rules are turned off, paving the way for older attacks to slip through defenses.
Most spammers are operating as for-profit ventures, buying payloads for campaigns whether they are seeking financial gain or theft of intellectual property. The campaigns are cheaper to manufacture when they reuse techniques like image-based spam or infected RAR/ZIP attachments because older code can be recycled or updated with new malware. With an added bonus of a potentially increased success rate, the spammers have double the incentives to run back these techniques.
The bright side for your organization, however, is that spam has been around for such a long time that there are some solid practices to combat it.
There Is No Holy Grail
No one likes spam, but there are some basic steps you can take to minimize the threat to your organization:
- Keep your spam and virus filters up to date, and revisit blocking rules based on your network traffic.
- Block executable attachments. In regular business environments, executable attachments are rarely used, and most spam filters can be configured to block executable files even when they are within ZIP attachments.
- Use mail client software that allows disabling the automatic rendering of attachments and graphics as well as the preloading of links.
Unfortunately, technology is not usually the weakest link in the chain for spam: It’s your people. User education should take as important a role as email protection technology, if not more so. Encourage users to exercise common sense and avoid opening attachments from unknown or expected sources. Given the prevalence of spam, not having rigorous user education in place is the equivalent to trying to cut down the mightiest tree in the forest with a herring.