Written by Paul Cunningham on September 30, 2009
Email: paul@exchangeserverpro.com
Site: http://www.exchangeserverpro.com
About: Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
Often in the media you will see statistics from security vendors that state that spam makes up over 90% of all email sent over the internet these days. To some people that sounds like an unrealistic number. I received about 30 emails at work today; does that mean another 270 spam emails were sent my way as well? Well, according to the statistics, yes it does.
While I was performing some maintenance checks on a customer I decided to see if their statistics matched up with what is quoted in the press. As it turns out they are right on target for the amount of spam that they receive. In the reporting period that I checked about 21,000 emails had been processed, over 19,000 of which were detected as spam. That’s around 92% spam for this small business.
But the more interesting statistic was the breakdown of overall threats. Of the over 19,000 emails blocked only 3 were blocked for containing viruses. It would appear, at least for this customer, that email-borne viruses are not much of a problem these days.
This is in stark contrast to the early days of my career in IT, going back more than 10 years now to March 1999 when the Melissa virus struck and took down email systems across the world. This simple Word macro virus was the first in a wave of serious viruses that could spread using email. Virus infections were visibly destructive, trashing files and computers that they came in contact with. Email viruses were seen as one of the biggest threats to IT systems and were the topic of many mainstream media stories.
At the time spam was relatively non-existent, for a few simple reasons – home internet access was slow and uncommon (especially in countries well known as spam havens today), and online commerce was nearly non-existent. Amazon and eBay had launched in the mid-1990s and online banking had also emerged but they were far from mainstream. Malicious email was the domain of people who wanted to cause mischief or make a statement; it was not seen as a way to make a lot of money with fraud and scams.
Continue reading Remember When Email Viruses Were the Big Problem?»
Written by Sue Walsh on September 29, 2009
Email: siwriter@si.rr.com

Despite the economic downturn, spam is still as profitable as ever. A new report says that the group of spammers behind most Viagra spam rakes in an average of $4000 a day. The average order for the drug totals around $200 so they only need 50 sales a day out of the millions of spam messages they send to make a handsome profit.
The report says that most of the spam is the work of “the partnerka”, a group of Russian spammers that work on behalf of Canadian pharmacies. The group gets a 40% commission on each sale, and that is where the $4000 a day profit comes from. One of the biggest pharmacies is a company called GlavMed. While it claims to be strongly anti-spam, it has a sister company called SpamIt, a group of affiliates that are suspected to be responsible for several botnets including Waledac and Conficker.
Think getting those sales can’t be easy with all the spam filters and tools available? Unbelievably, the Messaging Anti-Abuse Working Group produced a report of its own and found that a whopping 52% of email users admitted to clicking on a spam email and 12% actually bought the product!
While email spam is still profitable, the proliferation of tough new spam filters and blacklists has led many spammers to move over into web based spam, which is becoming an increasing problem on sites like Twitter and Facebook. Spammers seem to think it’s easier than traditional email spam.
It’s clear that spam is a vital part of the booming underground economy of cybercrime, and it’s not going anywhere. As long as there are still people out there who are not only willing to read spam but to visit spam sites and actually buy the product, there will be spammers doing all they can to cash in on them.
Written by Sue Walsh on September 28, 2009

A new study has awarded Idaho the dubious honor of Most Likely to Be Spammed. The state known best for potatoes and film festivals is also the most spammed state in the union. 93.8% of all its email traffic is spam, which is nearly 7.5% higher than the global spam rate of 86.4%. The honor is surprising considering that last year it came in at number 44 on the list!
Kentucky, New Jersey, Alabama, Illinois, Indiana, Massachusetts, Pennsylvania, Arizona, and Maryland, North Carolina and New Mexico (tied for 10th) round out the list of the top 10 most spammed states. The least spammed state? Montana.
Experts say one thing those states also share is a high concentration of small and midsize businesses, while the least spammed states have a high concentration of large businesses. This suggests that spammers are targeting SMB owners, and this is likely because those types of businesses are less likely to have security measures such as firewalls or encrypted networks in place or even software solutions. A recent survey of over 1400 such businesses revealed that almost 60% had no endpoint protection and 42% didn’t even run anti-virus software!
Judging by the list of most spammed states and how they all have high concentrations of small and midsize businesses, it appears that spammers already knew that, which shows that they really seem to do their homework; so make sure that your company does its own and is protected!
Written by Sue Walsh on September 25, 2009
Security researchers have discovered that the Zbot Trojan is undetectable by most anti-virus programs because it is continually morphing. Zbot is one of the most widespread banking Trojans on the net and has been around since 2006. It uses a rootkit to penetrate deep within operating systems. A recent study of Zbot-infected computers revealed that only 14% had outdated or no anti-virus software. The rest were running fully updated software.
Over the summer Zbot showed up in spam that was made to look like a critical update to Microsoft Outlook. Once downloaded, it unleashed a keylogger that captured login credentials when the computer visited a banking or credit card website. The Trojan also scans infected computers for financial information and is programmed with a long list of sites to steal logins from, including Facebook, Bank of America, PayPal, Amazon.com, and eBay.
Most recently it is being delivered in a new campaign featuring fake IRS and shipping spam. The IRS spam attempts to scare the recipient by telling them they were discovered as having underreported their income and are now under investigation for fraud. An included link claims to direct them to the IRS site where they can review their tax return. Instead it downloads Zbot. The shipping spam involves a fake shipping confirmation and label from UPS. The label is supposedly located in the attached Excel file but that file is really a hidden executable that downloads Zbot.
Written by Paul Cunningham on September 24, 2009
In my line of work I support a lot of email users at a lot of different companies, and that means I am ultimately responsible for two things – the successful delivery of legitimate email, and the prevention of spam.
Over the years this means I have heard a fairly regular list of complaints about email and spam, some of which are due to misunderstandings about the capabilities and limitations of anti-spam products. Here are some of the most common ones I hear.
This Spam Filter Isn’t Blocking Spam
The first complaint by the customer is usually that their spam filter is not working. The event that raises this complaint can be as simple as the CEO’s assistant noticing a single spam email in her boss’s inbox.
I quickly remind them that no anti-spam protection is 100% effective, and that the one or two spam emails they receive each week are a drop in the bucket compared to the flood of spam that is actually being rejected.
Fortunately all good anti-spam systems come with comprehensive reporting features so I can show them that even though they or their Help Desk has reported a few spam emails reaching user mailboxes, the anti-spam system blocked thousands of them in that same time period.
This Spam Filter Is Blocking My Emails
The opposite complaint to the first is usually from someone who did not receive an email that they were expecting and it was subsequently found in the spam quarantine. I’ve had single occurrences of this lead to people declaring the anti-spam software broken and demanding it be removed so that their important emails aren’t blocked again.
Once again I remind them that 100% accuracy is non-existent in the spam prevention game, that removing the anti-spam software would mean thousands of spam emails get through (the reporting comes in handy here again), and that the occasional false positive is best dealt with by utilizing end user self-service features. These allow users to manage and release their own quarantined items, usually those items that are only slightly “spammy”.
Continue reading Common Spam Complaints»
Written by Sue Walsh on September 24, 2009

A new phishing attack has added a surprising twist to the traditional scheme. The messages themselves are nothing new. They are made to look like they came from a major U.S. bank and direct the victim to click on the included link to verify/update their account. The twist comes when they arrive at the faked site. When they log in or click any link on the site a chat window opens and an “operator” explains that due to new security procedures they must provide even more information such as name, address, phone number and email address. The chat works via the open source Jabber IM protocol and is browser based.
Security experts have named this new technique “chat-in-the-middle” and say it is hosted on a fast flux network that allows cybercriminals to host their malicious sites and malware on it in exchange for a monthly fee. These networks work like botnets with thousands of computers at the ready to take over to serve up the malicious page when another is shut down or blocked.
This type of attack is brand new but if it’s successful you can bet that it will become more and more widespread and perhaps be used in other types of attacks as well.
Written by John P Mello Jr on September 23, 2009
Email: jpmello@cox.net
Site: http://twitter.com/jpmello
About: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

A phony Windows alert is used to defeat CAPTCHA.
A new variant of one of the Internet’s most widespread pieces of malware, Koobface, has surfaced in the wild, according to academic security researchers. In this latest twist on a familiar theme, the worm’s authors have added new ways to siphon cash into their coffers through click fraud and scareware.
University of Alabama, Birmingham, researchers discovered the variant of the worm, which first appeared in 2008 and since that time has infected an estimated 2.9 million machines, during their continuing study of the abhorrent application aimed at victimizing members of social networking and blogging sites.
As is typical with this kind of scheme, it starts with spam. Unlike the common cookie cutter junk sprayed across the Net into inboxes, pitches from Koobface have a devious similarity to a genuine message from a Facebook friend. One of the suspect subject lines identified by White Hats is, “Wow! Are you realy in this video?” Since the message contains the name of a Facebook friend, a recipient’s inclination is to click on the link in the missive’s body. A close examination of the link, though, will reveal that it contains a colon. Colons in Web addresses usually mean redirection to another URL. Facebook links don’t do that.
Continue reading New Koobface variant in the wild»
Written by Sue Walsh on September 22, 2009
Spammers are using a new hit and run technique to get past filters. Instead of prolonged attacks, they are using brief floods of spam to get malicious spam past filters and blacklists. The latest campaign to use this technique was a message that claimed to be from the IRS informing the recipients that there may be a problem with under-reported income. The included link directs them to a site where they can download a “government form”. Instead it downloads malware that adds the recipient’s computer to a botnet and sends the same spam to everyone in their address book.
Continue reading Spammers Using New Hit and Run Technique»
Written by Paul Cunningham on September 18, 2009
From time to time a customer, friend or family member will ask me about spam. The conversation will follow a fairly predictable path from “Why do I get so much spam?” all the way to “How do these spammers make money anyway?” It is a big question with lots of different answers so usually I will just walk them through one specific example of a spam technique and how it can result in profit for the spammer.
Today I was forwarded some spam by a customer wondering whether it was legitimate or not and so came across one excellent example of how a spammer can profit from their malicious endeavors.
Slipping Through the Defenses
The first step towards profit for a spammer is email delivery. With many businesses and home users protected by anti-spam systems, a spammer needs to either blast out so much junk email that they eventually find an unprotected email address, or they need to craft their email such that it passes through a spam filter undetected.
In this case the latter was true, which actually raised the perception of authenticity to the end user who was not used to very many spam emails reaching their inbox at all. The quality of the writing also caused it to slip through the recipient’s own mental defenses, convincing them that it was legitimate and that they should follow the actions it suggested.
This spam email contained a link to an affiliate landing page for a piece of utility software. The domain name included a well known brand name for this particular type of software. Everyone uses this software, or something like it, so an email announcing a new version of it would appear relevant to most people.
The Affiliate Landing Page
For those that are new to the topic, affiliate marketing is basically a system whereby marketers will promote various products or services in return for a commission on a per-sale or per-lead basis. Affiliate marketing systems are not necessarily scams; affiliate marketing is a thriving and legitimate business online and many household names on the web have affiliate programs in place.
The landing page for this affiliate was very professionally designed and would lead most people to believe they were on the official website for the software in question. Only a small disclaimer at the bottom of the page says otherwise, “This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software”.
Continue reading Behind the Curtain of an Affiliate Marketing Spam Email»
Written by Sue Walsh on September 17, 2009
A new report has found that non-delivery receipt spam is rising dramatically. In August the amount of such spam rose a whopping 2000% over levels from January to June, and it’s responsible for 20% of all global spam sent.
The spam messages being sent look exactly like traditional bounce back messages except the person receiving them never actually sent the message they are being told couldn’t be delivered. The spam message itself is contained in the attachment that comes along with the fake error message. The spammer is counting on people being curious or alarmed enough to open it to see what they supposedly sent.
According to the report, “there is presently no consensus on whether NDRs are a technique to evade anti-spam filters or a collateral effect of dictionary attacks; either way, this technique is now among the most widely used. These waves of spam are usually generated through botnets (infected PCs controlled by attackers to launch spam, etc.). Since most NDRs are legitimate emails and, part of the mail server functionality, many traditional anti-spam techniques did not detect or block them up until now”.
So far this kind of spam hasn’t been found to be carrying malware, but the fake messages can give less tech-savvy individuals the impression that their email account has been compromised. Email spoofing, another technique often used by spammers, also generates non-delivery messages (but these are real, sent from servers where the spam with the spoofed header was sent to invalid addresses).
Experts say spammers have turned to non-delivery receipt spam because error messages are not commonly blocked by spam filters or blacklists.