2/1/2017
05:00 PM
Spam Now Makes Up Nearly Two-Thirds Of All Email

Spam spikes, and nearly three-fourths of all organizations worldwide have suffered adware-borne infections, according to Cisco's annual cybersecurity report.

Spam now accounts for 65% of all email worldwide, and up to one-fifth of spam is malicious, according to new data from Cisco Systems.

Massive spamming botnets such as Necurs are behind this recent spike in junk and malicious email, Cisco says in its 2017 Annual Cybersecurity Report, published this week. Why the revival in spam campaign volume? Spam is increasingly run as a commercial business enterprise, and that is a large part of what is driving its explosion, says Cisco vice president and CISO Steve Martino.

"There are organizations building tools and technologies that let other people use and build spam campaigns without knowledge of how to build a spam campaign. As a service model, it's proliferating and allowing more people with less technical skills to participate and leverage the technical skills of somebody who has" those skills, Martino says.

Cisco found that the DNS-based blackhole list known as the Composite Blocking List (CBL) shows spam volume back at the record highs last seen in 2010. The Necurs botnet, which has been used to spread Locky ransomware as well as the Dridex banking Trojan, is the main driver of the spike: around June of last year, after a brief lull that followed the cybercrime crackdown on the Lurk Trojan operation in Russia, Necurs added more than 200,000 sending IP addresses in under two hours.
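For readers unfamiliar with how a DNS-based blackhole list such as the CBL is actually consulted, the following is an added example (not code from Cisco's report or from the CBL project) of the lookup a receiving mail server performs: the connecting IP's octets are reversed and appended to the list's zone, and an answer inside 127.0.0.0/8 means "listed", while NXDOMAIN means "not listed". The zone name `cbl.abuseat.org`, the sample IPs and the fake resolver table are assumptions for illustration; the live check uses the system resolver.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Assumed zone for the Composite Blocking List (verify against the list's
# current documentation before relying on it in production).
CBL_ZONE = "cbl.abuseat.org"

# Address space that a DNSBL will never list; querying it is wasted traffic
# and, for some lists, a policy violation. Constructed for this example.
SKIP_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16")
]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the lookup name: 192.0.2.10 -> 10.2.0.192.cbl.abuseat.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    if any(addr in net for net in SKIP_NETWORKS):
        raise ValueError(f"{ip} is non-routable; do not query the DNSBL for it")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record via the OS resolver. None means NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender_ip(ip: str, zone: str = CBL_ZONE,
                    resolve: Callable[[str], Optional[str]] = system_resolver) -> str:
    """Return 'listed', 'clean' or 'error'.

    'error' covers the case where the zone answers with an address outside
    127.0.0.0/8 (a dead zone turned into a wildcard, or a captive DNS
    rewriting NXDOMAIN). A mail server should treat that as 'list unusable'
    and not reject mail on it, rather than as a listing.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clean"
    try:
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            return "listed"
    except ValueError:
        pass
    return "error"


if __name__ == "__main__":
    # Constructed answers standing in for the live zone, so this runs offline.
    fake_zone = {
        "10.2.0.192.cbl.abuseat.org": "127.0.0.2",   # listed
        "99.1.0.192.cbl.abuseat.org": "203.0.113.9",  # bogus wildcard answer
    }
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.1.99"):
        print(ip, "->", check_sender_ip(ip, resolve=fake_zone.get))
```

The reject decision belongs in the SMTP policy layer, not in this helper: a typical setup rejects at RCPT time on "listed", accepts on "clean", and logs and accepts (or tempfails) on "error" so that a broken list cannot turn into a self-inflicted mail outage.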

"New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years," Cisco said in its report. That is, until Necurs started to change the game with more malicious activity.

Another relatively old-school cybercrime method had a big year in 2016: adware. Some 75% of organizations have been infected via adware, according to Cisco. "Sadly, this is not a big surprise. We have seen a proliferation and move to malvertising" on legitimate websites, says Franc Artes, architect for Cisco's Security Business Group. There are plenty of malvertising development kits available to would-be criminals that, like spam kits, make it easy for a non-technical bad guy to spread malicious adware.

Malicious adware is used for so-called click fraud to make money off online ads, and also serves as an initial vector for other attacks. Across 130 organizations in various industries, Cisco found 80 different adware variants that performed everything from ad injection to downloading additional malware. Three-fourths of those organizations had been hit by an adware infection.

Driving malvertising attacks are so-called "bad bots" that pose as real humans. "The environment is changing and bots are getting more and more sophisticated as more tools are out there to detect them," says Edward Roberts, director of product marketing at Distil Networks. "Across the board, there are silent victims across industries."

Even so, malvertising and spam are nothing new. "We're seeing a return, I think, to the classics. What was old is new again, using techniques we've forgotten about because they were low-profile and are [now] becoming high-profile," Cisco's Martino says.

"Where the attackers can maximize profits, they collaborate with each other, buying and selling services like we sell cloud services. This is giving them opportunities to move faster and to leverage various experts to attack organizations," Cisco's Martino says.

Meanwhile, 44% of security alerts go uninvestigated, according to Cisco's findings. Security pros say they can investigate only 56% of the alerts they receive each day; about half of those they investigate turn out to be real issues rather than false alarms, and some 46% of the legitimate alerts investigated are actually remediated. Nearly 45% of security operations managers say they receive some 5,000 security alerts per day.

Cisco's Artes says there are several reasons why SOC managers can't keep up with security alerts. For 35% of those in the study, budgets are the biggest obstacle, he says. "Some 55% of respondents have anywhere from six to 50 different security vendors [products]," which can complicate proper correlation and alarms, he notes.

"In every breach that I've seen or looked at or know about, there's been more than one alert. More than one piece of data – had someone seen it or if the system had been able to react, it would've deterred that particular attack," Martino says.

Time to detection is a big issue for organizations today, notes Julien Bellanger, CEO and Co-Founder of Prevoty. "The time to detection is critical. The more relevant the intelligence that's coming from security tools at the network, the endpoint and the application, the faster that detection can happen," he says. "A lot of information is generated, but too little is correlated to other events to make sense and be actionable."

Then there's the business fallout of missing that needle in the haystack. According to the Cisco report, nearly half of organizations say they lost "substantial" business opportunities after a breach: one in five lost customers and 30% lost revenue.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
