2/1/2017
05:00 PM
Spam Now Makes Up Nearly Two-Thirds Of All Email

Spam spikes, and nearly three-fourths of all organizations worldwide have suffered adware-borne infections, according to Cisco's annual cybersecurity report.

Spam now accounts for 65% of all email worldwide, and up to one-fifth of spam is malicious, according to new data from Cisco Systems.

Massive spamming botnets such as Necurs are behind this recent spike in junk and malicious email, Cisco noted in its 2017 Annual Cybersecurity Report, published this week. Why the revival in spam campaign volume? Spam is becoming more of a commercial business enterprise, which in part is driving its explosion, says Cisco vice president and CISO Steve Martino.

"There are organizations building tools and technologies that let other people use and build spam campaigns without knowledge of how to build a spam campaign. As a service model, it's proliferating and allowing more people with less technical skills to participate and leverage the technical skills of somebody who has" those skills, Martino says.

Cisco found that the Composite Blocking List, a DNS-based blackhole list, shows spam volume reaching the record highs last seen in 2010. The Necurs botnet, which has been used to spread Locky ransomware as well as the Dridex banking Trojan, is the main driver of the spam spike: around June of last year, Necurs added over 200,000 IP addresses in under two hours after a brief respite in the wake of a cybercrime crackdown on the Lurk Trojan in Russia.

"New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years," Cisco said in its report. That is, until Necurs started to change the game with more malicious activity.

Another relatively old-school cybercrime method had a big year in 2016: adware. Some 75% of organizations have been infected via adware, according to Cisco. "Sadly, this is not a big surprise. We have seen a proliferation and move to malvertising" on legitimate websites, says Franc Artes, architect for Cisco's Security Business Group. There are plenty of malvertising development kits available to would-be criminals that, like spam kits, make it easy for a non-technical bad guy to spread malicious adware.

Malicious adware is used for so-called click fraud to make money off of online ads, and is also used as an initial vector for other attacks. Across 130 organizations in various industries, Cisco found 80 different adware variants that did everything from ad injection to downloading malware. Three-fourths of those organizations had been hit by an adware infection.

Driving malvertising attacks are so-called "bad bots" that pose as real humans. "The environment is changing and bots are getting more and more sophisticated as more tools are out there to detect them," says Edward Roberts, director of product marketing at Distil Networks. "Across the board, there are silent victims across industries."

Even so, malvertising and spam are nothing new. "We're seeing a return, I think, to the classics. What was old is new again, using techniques we've forgotten about because they were low-profile and are [now] becoming high-profile," Cisco's Martino says.

"Where the attackers can maximize profits, they collaborate with each other, buying and selling services like we sell cloud services. This is giving them opportunities to move faster and to leverage various experts to attack organizations," Cisco's Martino says.

Meanwhile, 44% of security alerts are ignored, according to Cisco's findings. The study found that security pros say they can only investigate 56% of the security alerts they receive each day. About half of those they investigate are real issues (not false alarms), and some 46% of legitimate alarms investigated get fixed. Nearly 45% of security operations managers say they receive some 5,000 security alerts per day.

Cisco's Artes says there are several reasons why SOC managers can't keep up with security alerts. For 35% of those in the study, budgets are the biggest obstacle, he says. "Some 55% of respondents have anywhere from six to 50 different security vendors [products]," which can complicate proper correlation of alarms, he notes.

"In every breach that I've seen or looked at or know about, there's been more than one alert. More than one piece of data – had someone seen it or if the system had been able to react, it would've deterred that particular attack," Martino says.

Time to detection is a big issue for organizations today, notes Julien Bellanger, CEO and Co-Founder of Prevoty. "The time to detection is critical. The more relevant the intelligence that's coming from security tools at the network, the endpoint and the application, the faster that detection can happen," he says. "A lot of information is generated, but too little is correlated to other events to make sense and be actionable."

Then there's the business fallout of missing that needle in the haystack. According to the Cisco report, nearly half of organizations say they lost "substantial" business opportunities after a breach: one in five lost customers and 30% lost revenue.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
