June 22, 2015 By Pamela Cobb 3 min read

IBM X-Force has been beating the drum for years on the hazards of spam. With the network capturing over 12 million spam and phishing attacks daily, X-Force researchers dissect and analyze trends and samples with a level of scrutiny that seems out of sync for a security hazard downgraded to mere annoyance by many organizations. Although less troublesome than a flesh wound, spam has evolved from scattershot personal medical enhancements to socially targeted campaigns sold by for-profit operators.

The Life of Spam

Back in the dark ages of 1978, the first unsolicited email was sent to all members of ARPANET, although the term “spam” was not applied to these messages until 1993. In the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, the U.S. Federal Trade Commission enacted a law that sets the rules for commercial email and requires opt-out processes in an effort to curtail the practice of sending spam.

Today, most spam is created by for-profit operators who can attach malware to the spam message to infect networks. Any sort of adversary with the right motivation can hire a spam operator that will build a custom campaign to trick users to open an attachment or click on a link, infecting the corporate network with ransomware or malware faster than an unladen swallow. This attack vector is just one way to create the inadvertent insider, which IBM identified as the source of 23.5 percent of attacks in 2014.

2013 to Now

When X-Force looked at spam in a 2014 report, we focused on the re-emergence of image-based spam, which was engineered to evade keyword detection-based filters. Image-based spam reached its heyday in 2006 to 2007, with 40 percent of all spam containing an image attachment. By the summer of 2007, however, those levels dropped to nearly zero until late 2013, when image attachment rates surged to prior levels.

One of the other hazards of spam is the potential for embedded or attached malware. Just before that image-spam surge in 2013, the rate of spam carrying malware rarely exceeded 1 percent of the total volume. In the “X-Force Threat Intelligence Quarterly – 2Q 2015,” however, X-Force showed that 2014 brought a quadrupling of that malware attachment rate. One such example is the Upatre downloader, which, when opened as an attachment, contacts a command-and-control (C&C) server and downloads Dyre malware, a particularly insidious advanced persistent threat (APT).

Always Look on the Bright Side of Spam

This rise and fall in attack vectors is unsurprising since it’s a common practice for attackers to recycle techniques as security practices become complacent. Often, to increase performance of security products via memory conservation or increased throughput, old signatures get removed or default blocking rules are turned off, paving the way for older attacks to slip through defenses.

Most spammers are operating as for-profit ventures, buying payloads for campaigns whether they are seeking financial gain or theft of intellectual property. The campaigns are cheaper to manufacture when they reuse techniques like image-based spam or infected RAR/ZIP attachments because older code can be recycled or updated with new malware. With an added bonus of a potentially increased success rate, the spammers have double the incentives to run back these techniques.

The bright side for your organization, however, is that spam has been around for such a long time that there are some solid practices to combat it.

There Is No Holy Grail

No one likes spam, but there are some basic steps you can take to minimize the threat to your organization:

  • Keep your spam and virus filters up to date, and revisit blocking rules based on your network traffic.
  • Block executable attachments. In regular business environments, executable attachments are rarely used, and most spam filters can be configured to block executable files even when they are within ZIP attachments.
  • Use mail client software that allows disabling the automatic rendering of attachments and graphics as well as the preloading of links.

Unfortunately, technology is not usually the weakest link in the chain for spam: It’s your people. User education should take as important a role as email protection technology, if not more so. Encourage users to exercise common sense and avoid opening attachments from unknown or expected sources. Given the prevalence of spam, not having rigorous user education in place is the equivalent to trying to cut down the mightiest tree in the forest with a herring.

More from X-Force

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today