Reports Building a False Sense of Security
Written by Jeff Orloff on June 14, 2011
Over the past couple of days, security companies that sell anti-malware protection have released reports stating that while malware infections are on the rise, the levels of spam have begun to plummet. While there is plenty of data to back up the statements, it is a bit irresponsible that journalists and bloggers use the fact that the number of unique malware samples has increased to over six million in the first quarter of 2011 to make it appear that the risk posed by spam is increasingly insignificant. It’s like saying that since heart disease kills more people each year we no longer have to worry as much about cancer.
Examining the facts
When it comes to the levels of spam being tracked in this report, I take no comfort in the fact that spam is down to the levels reported back in 2007 because:
- The sophistication of spam has evolved.
- Spam has not been clearly defined in any of the posts or articles I read.
- Although the level of “spam” was cut in half from a year ago, it still equals 1.5 trillion email messages sent that are considered spam.
More sophisticated
While the takedown of the larger botnets is definitely a factor in the reduction of spam emails sent out, it takes away a bit of the credit from companies that work to block spam and the efforts of the users themselves.
With fewer zombie computers available to send email spam, the numbers have gone down. However, traditional email spam isn’t as effective as it once was either, and that too is a factor that should be considered.
Users are simply more aware of how to recognize email spam and what to do when they encounter it. Organizations also see the need to stop spam before it can infiltrate their users’ inboxes so more technology is put in place to block it. Well aware of this, the spammers have stepped up their levels of sophistication.
Techniques like spear-phishing, link injections and targeting Facebook’s like button show just what lengths spammers are willing to go to in order to continue turning a profit. Simply blanketing millions of users with promises of lottery winnings just doesn’t cut it like it used to.
Looking for a clear definition
When we talk about spam, we almost immediately think of email spam because it is what we are most accustomed to seeing. However, spam is much broader than a Nigerian prince asking for help. The Wikipedia article on spam defines it as the use of electronic messaging systems to send unsolicited bulk messages indiscriminately. It lists the following media, in addition to email, as ways in which spam is spread:
- Instant messaging
- Newsgroups
- Internet forums
- Web search engines
- Blogs (comments and links)
- Wikis
- Online classified ads
- Mobile phone messaging
- Fax transmissions
- File sharing networks
- Online games
- Social networking
So yes, while email spam may be down, other methods of spamming users are on the rise. In fact, Google had to revamp much of its search algorithm just recently to address spam found in search engines and web pages.
1.5 trillion = quite a bit
Yes, cutting the amount of email spam in half looks great on paper, but the fact that 1.5 trillion email spam messages were sent shows that there is still a good deal of work to be done when it comes to fighting email spam.
So it’s rather inaccurate to say that spam, when speaking of it as a whole, is down. The battle front has just shifted.
Again, I am one of the first to applaud the work of those who work towards lessening cyber security threats. And having worked with web application security I know firsthand that malware is a serious threat that is growing at record numbers.
However, users need to understand the whole picture when it comes to spam, malware and any other security threat they face. Simply stating that spam is down and malware is up can easily lead to people letting their guard down when it comes to spam. While the responsibility ultimately falls on the user to get all the facts, it is important as a writer to convey the facts in a way that shows all sides and cuts down on the level of misunderstanding for your readers.







Sure, getting spam to lower and lower levels is a great feat and should be applauded as such, but where are the study numbers on the rise of phishing attacks for even just the first half of this year? It seems like every week we’re looking at a new incident on the news, so sure, maybe spam is down, but what about the larger problem we’re facing today?
Spam will never be completely eradicated unless, of course, the Internet is disconnected and discontinued. And because the World Wide Web is increasingly evolving each day, spam will also look for new ways for its system to spread. Even Skype is now a target. Expect more applications to be infiltrated by spam these few months.
It’s also a growing trend nowadays to combine both spamware and scareware into one program.