Nonsense Spam is More Dangerous than You ThinkWritten by Malcolm James on January 30, 2013
Suppose you meet an alien from a far distant galaxy, and she asks you to explain the identifying features of email spam. At face value, it sounds like a simple proposition, but if you think about it, the answer might be more difficult than you realize.
Spam comes in so many forms and flavors that it’s hard to nail down a definitive set of characteristics. When you toss marketing and retail spam into the mix, the definition for spam morphs from a laundry list of all that’s despicable about human nature into a veritable cornucopia of moronic nonsense. Nonsense, however, can be as dangerous as ignorance, and if you’ve ever wondered “what’s the point?” of those nonsensical emails that occasionally invade your inbox, you may want to pay attention.
You know the email messages. Like so many spam messages, they have a meaningless subject line; but the content seems more pointless than usual. It’s jabberwocky: meaningless mishmashes of words, even partial passages from books. In the space of a day, you may receive a string of these messages, each one different in its subject line and contents. The passages in the body of each email seems random, and if you took the time to examine them in their entirety, you’d be hard-pressed to find two exactly the same. One long stream of uselessness with no apparent purpose, unless maybe to annoy. So you ignore them and move on, shaking your head and wondering why somebody bothered.
As it turns out, there’s more to these messages than you might think. A nefarious purpose, in fact, and receiving a stream of these messages may be a warning signal for you to check your bank accounts right away.
In an interesting article at NetworkWorld, a blog post by security analyst Fred Touchette discusses the phenomenon of these nonsense messages, and it turns out they may have a very deliberate and despicable purpose. The messages are seemingly random, although they’re anything but. In fact, the article reports, the targets “are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails – as many as 60,000 during a 12- to 24-hour period – that contain no links, no graphics, and no advertisements.” The contents are, according to Touchette, “nothing but mash-ups of words and phrases from literature.” He points out that every email is different, seemingly perfectly randomized, although searching through the messages can reveal repeated content. Obviously, the emails are delivered by botnets, with each message coming from different email and IP addresses. The emails also arrive in a fast and furious fashion, often at a mind-boggling rate. In fact, the incoming data is so persistent, that using the email account during the flood is nearly impossible. That, however, is not the ultimate goal of the messages, Mr. Touchette says.
The real purpose of the messages, says Touchette, is to distract users from valid emails arriving in their inboxes. When identity fraud or theft occurs, it’s not uncommon for receipts and transaction emails to show up, and the sudden onslaught of nonsense mail is a great way to hide these emails amidst the ongoing wave of messages. If a cybercriminal is using your credentials, this method can be an effective way of prolonging the time period before you discover the fraud. Once the crooks are done draining your accounts, they turn off the flood and move on to another victim.
To make matters even worse, the technique isn’t limited to email. There have been instances of people receiving continuous phone calls, in an effort to keep the fraud departments of financial institutions from reaching the victims. Although the practice of nonsense email is not new, this new approach could be devastating to anyone caught in its web. Security experts point out that this type of campaign is still not a common occurrence, and as such this could only be the beginning of a painful new headache for anyone who’s vulnerable to identity theft.
There’s another possible angle that the article doesn’t pick up on. Spam filters, like most security monitoring methods, work on a combination of heuristics and libraries that, while far more sophisticated than anything we had ten years ago, is still fallible. That’s what definition updates are for. It’s not a stretch to imagine that these campaigns may be using the botnet messages to confound the spam filters while a fraud is being perpetrated, perhaps in an attempt to get the legitimate receipts and transactions dumped to the junk folder.