Spam Filtering Tech Relevant Despite Rise of Spear Phishing
Written by Paul Mah on July 15, 2011
Spear phishing has once again appeared in the news, with reports emerging that cyber-criminals are abandoning “traditional” large-scale spamming runs in favor of more profitable spear phishing campaigns. The heart of the issue is the low conversion rate that spammers are getting from spam messages. Another reason cited for spammers moving away from large-scale spamming is the recent decapitation of prominent botnets such as Rustock by Microsoft, a pertinent point considering the central role of modern botnets in spam campaigns.
Quoting from a new study, eWeek noted that:
“Worldwide revenues of high volume spamming decreased from $1.1 billion in June 2010 and $300 million in June 2011, or a drop of two-thirds. In comparison, revenues for targeted attacks quadrupled from $50 million to $200 million over the same time period.”
So what’s happening here?
The article pointed to the difficulty of protecting against spear phishing attacks, a point that I concede. However, one important observation is that while spear phishing by definition suggests a degree of customization, there is no current evidence that the widespread sending of unique messages is happening. Aside from cases involving attempts to breach specific company networks, what scammers appear to be doing at the moment is simply fine-tuning spam techniques to autonomously send messages to dozens or hundreds of targets.
For example, the educational institution where I lecture has received at least two or three such attempts over the past few months. Purporting to be from the school IT department, a number of campus-wide emails were sent out that cited various official-sounding activities ranging from “Clearing of email space” to “Removing of redundant accounts.” The correct terms and designations, gleaned from information obtainable from the institution’s website, were liberally used in order to lure readers into responding with their usernames and passwords.
The death of spam filters? Hardly
So is investing in anti-spam technology akin to throwing good money away? My personal opinion is no; spam filtering technologies continue to be relevant today. Recent research concluded that heavy email users are more susceptible to phishing scams. The logic here is inescapable: Eliminating as much of the “obvious” spam as possible means fewer items that a user is forced to sift through when working through their inbox. This translates into a correspondingly lower likelihood of them falling for phishing attempts.
As mentioned earlier, aside from emails customized for individuals within a company, the majority of phishing emails today are automated and hence retain their “spammy” nature. This means that the bulk of such messages can still be identified and stopped using tools designed to stop spam messages. Moreover, while there is no doubt that phishing emails are gradually increasing in volume and in terms of monetary losses incurred, “traditional” spam remains a bugbear that continues to plague all email users. For instance, I personally average about 60 spam emails per day – and would be left flustered (and more unproductive) without the existence of good spam filters.
And I’ve not even factored in more sophisticated vectors such as leveraging spam in attacks against DNS infrastructure, or mistakes such as when Google inadvertently sent a “massive amount of notification email messages” from its Google+ service after a service ran out of disk space.
Higher quality spam coming up
Of course, lower takings can only result in spammers at the lower end of the profitability spectrum being pushed out of the game. This appears to dovetail with the assertion in the same report that worldwide spam volumes have dropped 80% to just 300 billion spam messages a day – from a staggering 40 billion spam a day in the past. Yet a fixation on the absolute spam volume can only distract us from the higher quality spam headed for inboxes. After all, users are known to be tricked into believing an email is legitimate and to recover it from the spam folder.
Finally, the rise of phishing messages does mean that traditional ways of manually filtering and identifying such spam may not necessarily work. And given a recent large-scale study that pointed to outdated notions of security measures, it is clear that training users to identify the latest spam and phishing techniques is no longer an optional task.
In the final analysis, my take is that spam is here to stay. So how are you protecting yourself and your organization?





I’ve always said this before over and over again –
Spam will constantly evolve just to keep itself alive. Higher quality spams are not coming up – THEY’RE ALREADY HERE. One example is the random generation of three-letter word domain names, which can’t be filtered because they keep on changing. For instance, if you block, filter, and/or report yyy.com as spam, the spammer will randomly generate another three-letter domain name, such as xyz.com.
This system has great potential to grow rapidly. And it will become the granddaddy of higher quality spams.
Keeping filters and definitions updated regularly, and educating about targeting phishing here.
The bottom line is that for people to signal this as the death of spam is foolhardy. Spam is generic, it can be created once and distributed infinitely. The research and resources required to make more specific attacks take away from the “see if it sticks” wide approach that spammers traditionally have taken. Sure, the numbers are going up, because it’s easier to dupe people when you look more legitimate, but not everybody is capable of such a move.
Paul – great article! Unfortunately, we have to agree, spam is here to stay. I work for Symantec, and every day we see cybercriminals trying new spam and phishing tactics to try and trick end users into giving up personal info, or downloading malware onto a user’s machine. As long as there is money to be made, spammers and phishers will keep at their game of cat and mouse to try and stay one step ahead of security solutions. The best advice that we can give is to stay educated on the threats that are out there and employ security solutions to keep your machines protected.
>…spam volumes have dropped 80% to just 300
> billion spam messages a day – from a
>staggering 40 billion spam a day in the past
Something’s wrong with those numbers. 300 billion is not 20% of 40 billion!