08:05 AM
Jeffrey Burt

Spam at 40: Still a Robust Security Threat in Middle Age

Four decades after the first such email was sent, attackers are still using spam to deliver their malware.

The more things change, the more they stay the same.

Four decades after the first email spam was sent out into the world, hackers continue to rely on such emails as a way to deliver their malware and malicious URLs, according to cybersecurity experts. Whether it's still the most popular vehicle is up for debate, and methods have evolved over the years, but the practice of sending out massive numbers of emails to unsuspecting people continues to reward the attackers who send them.

"Email spam is once again the most popular choice for sending out malware," Päivi Tynninen, threat intelligence researcher at F-Secure, wrote in a statement. "Of the spam samples we've seen over spring of 2018, 46 percent are dating scams, 23 percent are emails with malicious attachments, and 31 percent contain links to malicious websites."

F-Secure in June bought MWR InfoSecurity, which created phishd, a service designed to protect businesses against phishing and similar attacks. Adam Sheehan, behavioral science lead at MWR, said the success rate of spam continues to grow, from a 13.4% click rate in the second half of 2017 to 14.2% this year.


Other vendors also are seeing the continued strength of email campaigns.

In June, Barracuda Networks noted that almost nine in ten businesses sustain at least one phishing or other social engineering attack, while Palo Alto Networks found more than 150 phishing domains being hosted in the United States. (See Email-Based Attacks Still Wreaking Havoc on Enterprises, Study Finds.)

Maria Vergelis, senior spam analyst at Kaspersky Lab, told Security Now in an email that while she has found that spam is the third most popular way of spreading malware -- the web and mobile platforms being more often used -- emails continue to be a useful tool for cybercriminals for multiple reasons. Those include the "mass character of email and great variability of fraudulent messages," the various methods and influence of social engineering and basic human weaknesses.

"People still fear something, believe in something and long for fast wealth or free stuff," Vergelis said.

Old wine and new bottles
Earlier this month, Kaspersky researchers showed how resilient spam is. As the 40th anniversary of the first spam email hit this week, the researchers announced they had discovered an ongoing campaign, mostly focused in Russia, where bad actors were flooding companies with fraudulent emails disguised as legitimate financial documents to steal money and data from the companies.

While spam might still be a preferred method of delivering malware, fraudulent email campaigns have become more sophisticated and hackers have matured in their methods.

"Computers and scam strategies evolve faster than people in general," said David Monahan, managing research director for security and risk management at Enterprise Management Associates (EMA). "Spam is one of those things. Spam is written either very well or very poorly to attack two different groups of people. Poorly-written emails attack the poorly educated. They are for the masses, take little time to construct and distribute and are expected to reap about a quarter of a percent return at the most. (That estimate is slowly declining over time.) But they are sent to millions of people so returns are still good for the level of investment."

Conversely, well-written spear-phishing and whaling emails take more time and money as they target particular businesses, departments, roles or people, and the con has to be better created and has a smaller distribution at each level, Monahan said. He added that the investment is higher, but the return of that investment can be greater. (See Kaspersky: Phishing Attack Attempts Soared 59% in 2017.)

F-Secure officials said attackers have found certain tactics that can make spam more likely to succeed.

For example, the probability of a victim opening up an email jumps 12% if the email claims to come from someone they know, and the success rate goes up 4.5% if the subject line is free of errors. In addition, a phishing email that says a call to action is urgent is less successful than one where the urgency is implied. (See Kaspersky: There's No Such Thing as a Free Gift Card Code.)

EMA's Monahan noted that the first spam was aimed at people new to computers and that has never ended. It tends to be aimed at human foibles and sensitivities, like greed or the desire to help others, and "most business attacks in the spear-phishing categories attempt to exploit the rush to get things done and a lack of attention to detail: 'Pay this invoice.' People don't look at the email headers, they just open the next email and attachment to get the next thing done and, BAM!, it's too late."

Among the technical adaptations was the introduction of special software for sending spam and botnets that enabled attackers to launch different campaigns and send massive numbers of emails at the same time, Kaspersky's Vergelis said, pointing to the six-year-old Necurs spam botnet that now uses 6 million computers worldwide.

"It delivers mostly ransomware (especially Locky) and penny stock pump-and-dump spam, but it's also been known to send out dating and job spam," Vergelis said.

Still fit at 40
Other ways spam has evolved include new technical ways of delivery, using various vulnerabilities, text and code obfuscation, and it's become more targeted, aimed at business and financial targets. In addition, there are new platforms for distributing spam, including social networks and mobile messengers, she said.

Technology has helped, Monahan said. Spam filtering and antimalware software have become common in businesses, though web filtering is not deployed as widely as it should be. Any way to better screen out the bad stuff will help reduce the reliance on other options. That includes ongoing education for users -- 84% of those with in-work training said it helped them make betters at work and home -- reducing pressure on key personnel to get more done so they have more time to evaluate the mail coming into their inboxes, and removing human foibles.

Still, even as technology to both deliver spam and protect against it improves, the overall goal has remained the same.

"The main objective of scammers is still to persuade users to click on a fraudulent link or open and launch an executable file," Vergelis said. "To do it, they use different methods of social engineering combined with technical features. As for social engineering, it didn't evolve that much and still depends on a user's emotions. As for the technical side, it evolves constantly, as do security solutions."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
