IBM X-Force has been beating the drum for years on the hazards of spam. With the network capturing over 12 million spam and phishing attacks daily, X-Force researchers dissect and analyze trends and samples with a level of scrutiny that seems out of sync for a security hazard downgraded to mere annoyance by many organizations. Although less troublesome than a flesh wound, spam has evolved from scattershot personal medical enhancements to socially targeted campaigns sold by for-profit operators.

The Life of Spam

Back in the dark ages of 1978, the first unsolicited email was sent to all members of ARPANET, although the term “spam” was not applied to these messages until 1993. In the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, the U.S. Federal Trade Commission enacted a law that sets the rules for commercial email and requires opt-out processes in an effort to curtail the practice of sending spam.

Today, most spam is created by for-profit operators who can attach malware to the spam message to infect networks. Any sort of adversary with the right motivation can hire a spam operator that will build a custom campaign to trick users to open an attachment or click on a link, infecting the corporate network with ransomware or malware faster than an unladen swallow. This attack vector is just one way to create the inadvertent insider, which IBM identified as the source of 23.5 percent of attacks in 2014.

2013 to Now

When X-Force looked at spam in a 2014 report, we focused on the re-emergence of image-based spam, which was engineered to evade keyword detection-based filters. Image-based spam reached its heyday in 2006 to 2007, with 40 percent of all spam containing an image attachment. By the summer of 2007, however, those levels dropped to nearly zero until late 2013, when image attachment rates surged to prior levels.

One of the other hazards of spam is the potential for embedded or attached malware. Just before that image-spam surge in 2013, the rate of spam carrying malware rarely exceeded 1 percent of the total volume. In the “X-Force Threat Intelligence Quarterly – 2Q 2015,” however, X-Force showed that 2014 brought a quadrupling of that malware attachment rate. One such example is the Upatre downloader, which, when opened as an attachment, contacts a command-and-control (C&C) server and downloads Dyre malware, a particularly insidious advanced persistent threat (APT).

Always Look on the Bright Side of Spam

This rise and fall in attack vectors is unsurprising since it’s a common practice for attackers to recycle techniques as security practices become complacent. Often, to increase performance of security products via memory conservation or increased throughput, old signatures get removed or default blocking rules are turned off, paving the way for older attacks to slip through defenses.

Most spammers are operating as for-profit ventures, buying payloads for campaigns whether they are seeking financial gain or theft of intellectual property. The campaigns are cheaper to manufacture when they reuse techniques like image-based spam or infected RAR/ZIP attachments because older code can be recycled or updated with new malware. With an added bonus of a potentially increased success rate, the spammers have double the incentives to run back these techniques.

The bright side for your organization, however, is that spam has been around for such a long time that there are some solid practices to combat it.

There Is No Holy Grail

No one likes spam, but there are some basic steps you can take to minimize the threat to your organization:

  • Keep your spam and virus filters up to date, and revisit blocking rules based on your network traffic.
  • Block executable attachments. In regular business environments, executable attachments are rarely used, and most spam filters can be configured to block executable files even when they are within ZIP attachments.
  • Use mail client software that allows disabling the automatic rendering of attachments and graphics as well as the preloading of links.
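One way a mail gateway can enforce the second item above (blocking executables even when they ride inside a ZIP attachment) is shown below. This is an added example, not IBM X-Force code or any particular product's filter; the extension list is a hypothetical policy, the sender and recipient addresses are placeholders, and the sample message with its fake PE bytes is constructed inline so the script runs offline.

```python
"""Scan an email message for executable attachments, including those
nested inside ZIP archives. Added example, not X-Force code: it assumes a
gateway hook that hands over the raw RFC 822 message as bytes."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical policy list of extensions treated as executable (not X-Force's).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # DOS/PE header prefix used by Windows executables


def is_executable(name: str, data: bytes) -> bool:
    """True if the name has an executable extension or the bytes look like a PE file.
    Checking the magic bytes catches renamed executables that a pure extension
    filter would miss."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or data.startswith(PE_MAGIC)


def find_executables(raw_message: bytes) -> list[str]:
    """Return the names of executable attachments found in the message.
    Members of ZIP attachments are reported as 'archive.zip/member'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            findings.append(name)
        # Look inside ZIP attachments, the case the bullet above calls out.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as member:
                        head = member.read(2)  # only the magic bytes are needed
                    if is_executable(info.filename, head):
                        findings.append(f"{name}/{info.filename}")
    return findings


def build_sample_message() -> bytes:
    """Construct a sample message: a benign PDF, a bare .exe, and a ZIP hiding an .exe.
    All content is constructed for the example; the PE bytes are not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x90\x00" * 8)  # constructed fake PE
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "recipient@example.invalid"  # placeholder address
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(PE_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="update.exe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_executables(build_sample_message()):
        print("BLOCK:", hit)
```

On the constructed message the scan reports `update.exe` and `invoice.zip/invoice.pdf.exe` while leaving the PDF and the text file alone. A production filter would also handle nested archives, password-protected ZIPs (which cannot be inspected and are often simply quarantined), and other archive formats such as RAR mentioned in this post.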

Unfortunately, technology is not usually the weakest link in the chain for spam: It’s your people. User education should take as important a role as email protection technology, if not more so. Encourage users to exercise common sense and avoid opening attachments from unknown or unexpected sources. Given the prevalence of spam, not having rigorous user education in place is the equivalent of trying to cut down the mightiest tree in the forest with a herring.
