SPIT the next big spam threat
Written by Dan Blacharski on December 29, 2008

This being the end of the year, it’s an appropriate time to think about what the next big spam threats are going to be. Needless to say, spammers are getting more creative, and they’re getting better at defeating the spam filters. They’re using targeted attacks (phishing) a lot more, and they’re not deterred when we take down their ISPs. The shutdown of McColo recently, which was the largest hosting organization for spammers, caused only a temporary dip in the volume of spam. Will it ever stop? The more relevant question to ask is, “is there still money to be made in spamming?” And the answer is yes to both. It was recently reported that New Zealand caught and fined the head of an Herbal King spam gang, Lance Atkinson, $100,000. But the hundred grand is just a drop in the bucket for Lance, who was reported to have generated $7.5 million in revenue in less than nine months. That’s a heck of an incentive.
Lance relied on the old tried-and-true botnet technique to send out millions of spam emails. But, with the increase of voice-over-Internet (VoIP) communications, it’s evident that the next threat is going to be Spam over Internet Telephony (SPIT). To date, it’s not been a big threat, but it has potential, from a spammer’s point of view. It represents a whole new venue, and the ability to move from email to telephony–and bypass all of the email spam protections that have already been put in place. Of course, we already have junk phone calls and automated dialers that are used by solicitors trying to peddle their wares. But the use of VoIP allows a new twist. Because VoIP calls go over the Internet, it now becomes possible to utilize a whole new battery of techniques, including sending out millions of automated phone calls at once–something that couldn’t be done before, even with automated dialers.
SPIT calls are hard to detect. Although you can look at the source of the calls, it’s a lot easier to spoof a VoIP call than it is a standard phone call. The spammer, or “spitter” as the case may be, simply spoofs the caller ID to make it seem as though the call is coming from a trusted third party, such as a bank. The caller can then trick the recipient into revealing personal information, such as passwords or account numbers. SPIT will be worse than ordinary spam for a number of reasons, not the least of which is the fundamental difference between how each operates. Regular spam arrives in your email server, where it can be analyzed by antispam technology and filtered out before it reaches your email box. SPIT, on the other hand, goes directly to your phone, and without some new type of technology, you wouldn’t know it until you pick up the phone.
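As an added illustration (not part of the original article), here is a sketch of the kind of screening a VoIP proxy could apply to SIP call setup requests before the phone rings, the telephony counterpart of filtering mail at the server. It holds calls from a source that is placing calls in bulk, and calls whose From header claims a protected domain while arriving from an address that is not one of that domain's known peers. The domain, addresses, thresholds and function names are all hypothetical, and the sample messages are constructed.

```python
import re
from collections import defaultdict, deque

# Hypothetical policy: domains whose calls must arrive from known peer addresses.
TRUSTED_PEERS = {"bank.example": {"198.51.100.10"}}
MAX_INVITES = 3        # constructed threshold: INVITEs allowed per source per window
WINDOW_SECONDS = 60

# The From header is asserted by the caller, so it is only a claim to be checked.
FROM_RE = re.compile(
    r'^(?:From|f)\s*:\s*(?:"?([^"<]*?)"?\s*)?<sips?:(?:[^@>]+@)?([^;>:]+)', re.I | re.M)

def parse_from(message):
    """Return (display_name, domain) from the SIP From header, or (None, None)."""
    m = FROM_RE.search(message)
    if not m:
        return None, None
    return (m.group(1) or "").strip(), m.group(2).lower()

class InviteScreen:
    def __init__(self):
        self.recent = defaultdict(deque)   # source IP -> timestamps of recent INVITEs

    def check(self, source_ip, timestamp, message):
        """Return the reasons to hold this call before it rings (empty list = pass)."""
        if not message.startswith("INVITE "):
            return []
        reasons = []
        q = self.recent[source_ip]
        q.append(timestamp)
        while q and timestamp - q[0] >= WINDOW_SECONDS:
            q.popleft()                    # forget INVITEs outside the window
        if len(q) > MAX_INVITES:
            reasons.append("bulk-calling")
        _, domain = parse_from(message)
        if domain is None:
            reasons.append("no-from-header")
        elif domain in TRUSTED_PEERS and source_ip not in TRUSTED_PEERS[domain]:
            # The claimed identity is judged against the network source address,
            # which the caller cannot set as freely as a header.
            reasons.append("claimed-identity-mismatch")
        return reasons

def make_invite(display, user, domain, callee="alice@home.example"):
    """Build a constructed, minimal INVITE for the demo (not a real capture)."""
    return (f"INVITE sip:{callee} SIP/2.0\r\n"
            f'From: "{display}" <sip:{user}@{domain}>;tag=1\r\n'
            f"To: <sip:{callee}>\r\n\r\n")
```
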





I too worry about VoIP spam. SPIT is going to be a big problem in the coming years for two reasons: No one owns the internet, so shutting down a spitter in Russia spamming the US just became harder, and because the internet has the power of duplicity. It's a dangerous combination, something that will take lots of technology to stop.
Nice article,
Josh