
Operational Security

08:05 AM
Jeffrey Burt

Spam at 40: Still a Robust Security Threat in Middle Age

Four decades after the first such email was sent, attackers are still using spam to deliver their malware.

The more things change, the more they stay the same.

Four decades after the first email spam was sent out into the world, hackers continue to rely on such emails as a way to deliver their malware and malicious URLs, according to cybersecurity experts. Whether it's still the most popular vehicle is up for debate, and methods have evolved over the years, but the practice of sending out massive numbers of emails to unsuspecting people continues to reward the attackers who send them.

"Email spam is once again the most popular choice for sending out malware," Päivi Tynninen, threat intelligence researcher at F-Secure, wrote in a statement. "Of the spam samples we've seen over spring of 2018, 46 percent are dating scams, 23 percent are emails with malicious attachments, and 31 percent contain links to malicious websites."

F-Secure in June bought MWR InfoSecurity, which created phishd, a service designed to protect businesses against phishing and similar attacks. Adam Sheehan, behavioral science lead at MWR, said the success rate of spam continues to grow, from a 13.4% click rate in the second half of 2017 to 14.2% this year.


Other vendors also are seeing the continued strength of email campaigns.

In June, Barracuda Networks noted that almost nine in ten businesses sustain at least one phishing or other social engineering attack, while Palo Alto Networks found more than 150 phishing domains being hosted in the United States. (See Email-Based Attacks Still Wreaking Havoc on Enterprises, Study Finds.)

Maria Vergelis, senior spam analyst at Kaspersky Lab, told Security Now in an email that while she has found that spam is the third most popular way of spreading malware -- the web and mobile platforms being more often used -- emails continue to be a useful tool for cybercriminals for multiple reasons. Those include the "mass character of email and great variability of fraudulent messages," the various methods and influence of social engineering and basic human weaknesses.

"People still fear something, believe in something and long for fast wealth or free stuff," Vergelis said.

Old wine and new bottles
Earlier this month, Kaspersky researchers showed how resilient spam is. As the 40th anniversary of the first spam email hit this week, the researchers announced they had discovered an ongoing campaign mostly focused in Russia where bad actors were flooding companies with fraudulent emails disguised as legitimate financial documents to steal money and data from the companies.

While spam might still be a preferred method of delivering malware, fraudulent email campaigns have become more sophisticated and hackers have matured in their methods.

"Computers and scam strategies evolve faster than people in general," said David Monahan, managing research director for security and risk management at Enterprise Management Associates (EMA). "Spam is one of those things. Spam is written either very well or very poorly to attack two different groups of people. Poorly-written emails attack the poorly educated. They are for the masses, take little time to construct and distribute and are expected to reap about a quarter of a percent return at the most. (That estimate is slowly declining over time.) But they are sent to millions of people so returns are still good for the level of investment."

Conversely, well-written spear-phishing and whaling emails take more time and money as they target particular businesses, departments, roles or people, and the con has to be better created and has a smaller distribution at each level, Monahan said. He added that the investment is higher, but the return of that investment can be greater. (See Kaspersky: Phishing Attack Attempts Soared 59% in 2017.)

F-Secure officials said attackers have found certain tactics that can make spam more likely to succeed.

For example, the probability of a victim opening up an email jumps 12% if the email claims to come from someone they know, and the success rate goes up 4.5% if the subject line is free of errors. In addition, a phishing email that says a call to action is urgent is less successful than one where the urgency is implied. (See Kaspersky: There's No Such Thing as a Free Gift Card Code.)

EMA's Monahan noted that the first spam was aimed at people new to computers and that has never ended. It tends to be aimed at human foibles and sensitivities, like greed or the desire to help others, and "most business attacks in the spear-phishing categories attempt to exploit the rush to get things done and a lack of attention to detail: 'Pay this invoice.' People don't look at the email headers, they just open the next email and attachment to get the next thing done and, BAM!, it's too late."

Among the technical adaptations was the introduction of special software for sending spam and botnets that enabled attackers to launch different campaigns and send massive numbers of emails at the same time, Kaspersky's Vergelis said, pointing to the six-year-old Necurs spam botnet that now uses 6 million computers worldwide.

"It delivers mostly ransomware (especially Locky) and penny stock pump-and-dump spam, but it's also been known to send out dating and job spam," Vergelis said.

Still fit at 40
Other ways spam has evolved include new technical ways of delivery, using various vulnerabilities, text and code obfuscation, and it's become more targeted, aimed at business and financial targets. In addition, there are new platforms for distributing spam, including social networks and mobile messengers, she said.

Technology has helped, Monahan said. Spam filtering and antimalware software have become common in businesses, though web filtering is not deployed as widely as it should be. Any way to better screen out the bad stuff will help reduce the reliance on other options. That includes ongoing education for users -- 84% of those with in-work training said it helped them make better decisions at work and home -- reducing pressure on key personnel to get more done so they have more time to evaluate the mail coming into their inboxes, and removing human foibles.

Still, even as technology to both deliver spam and protect against it improves, the overall goal has remained the same.

"The main objective of scammers is still to persuade users to click on a fraudulent link or open and launch an executable file," Vergelis said. "To do it, they use different methods of social engineering combined with technical features. As for social engineering, it didn't evolve that much and still depends on a user's emotions. As for the technical side, it evolves constantly, as do security solutions."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
