
Spam Victims Get the Picture

Vendors warn of growing threat of spam embedded with image files that circumvent filters

Security vendors and researchers are reporting a marked increase in image-based spam, including a couple of new exploits designed to bypass currently available anti-spam applications.

Image spam, in which an attacker camouflages a message in a picture or some other graphical form, has shown incredible growth in the past few months, researchers say. Symantec estimates that image spam currently makes up about 25 percent of all spam; Tumbleweed Communications puts that number as high as 36 percent. Vendors generally agree that image spam made up less than 15 percent of spam traffic during the first half of this year.

"In the past few weeks, Marshal's TRACE team has recorded a nearly 40 percent increase in the overall volume of spam sent," said security software vendor Marshal in a statement issued yesterday. "This increase is partly due to a rise in image spam, which jumped from 22 percent to 30 percent and has lasted over three weeks."

"Image spam has become a top concern and frustration for our customers in recent months," says John Menezes, president of Cyberklix, a managed security services provider based in Ontario, Canada.

Image spam began simply, as attackers embedded their messages in JPEG or other graphical images to avoid text-only spam filters. In recent months, however, vendors such as BorderWare Technologies, Marshal, and Tumbleweed have developed anti-spam tools that use optical character recognition (OCR) or other filtering techniques to find and block graphical images containing suspected spam.

In recent weeks, however, attackers have responded with a variety of exploits designed to circumvent these graphics filters. The simplest of these use unusual fonts or image formats, such as PNG, which often are not spotted by currently available image-scanning anti-spam tools.

But the exploits don't stop there. Symantec and Marshal this week have both reported attacks that break up the spam message into a number of graphical pieces that can circumvent anti-spam applications and then reassemble to present a spam message to the end user.

Symantec was one of the first to spot this trend earlier this year when it identified an exploit that cuts a text image into nearly arbitrary slices -- meaningless message fragments -- and then reassembles them in an email program or browser. The company called this exploit "Mr. Puzzle."

"We've also seen a new strain of image spam that acts as a kind of 'ransom note,'" says Penny Freeman, director of software sales engineering at Marshal. "Spammers use individual images of letters that they then assemble to form words and sentences. Random text is inserted to fool text-only anti-spam products. Each letter has a slightly different background color, which we suspect is a randomization technique designed to fool signature-based anti-spam products."

The result is a message that looks something like the old-style ransom notes, in which kidnappers created messages from cut-and-pasted letters out of many different magazines to avoid detection.

Image spam is a thorny problem, not only because of its complexity, but because of the size and volume of messages that it generates, experts say. Symantec gives the example of one image spam attack that generated 683 bytes just to represent the letter "p."

"Throw in the HTML that coerced the image parts into the right order, and you're talking about 700 times more bandwidth required [to send image spam] than to send the same spam as text," said a Symantec research report. This type of message could create real problems for organizations that are required to collect and store all email messages due to regulatory mandates, the company says.

The good news is that image spam is fairly easy to find, experts say. "The irony is that the spammers are making it easier for us to spot spam," says Marshal's Freeman. "Image spam is very distinctive. It has unusual properties that normal business email does not have, and this makes it easier for us to identify."
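The "unusual properties" Freeman describes can be turned into simple structural checks that need no OCR at all: a message whose readable text is a few random words while a dozen inline image fragments are stitched back together by HTML looks nothing like ordinary business mail. The script below is an added illustration for this article, not code from Symantec, Marshal or any other vendor named here. It constructs two labelled sample messages (a "ransom note" style message made of one-pixel GIF slices, and an ordinary message with one logo), extracts the counts the article's descriptions suggest (image parts, HTML `cid:` references, readable text, image bytes per readable character) and flags the message when at least two signals agree. The thresholds in `classify()` and the flattened single-level MIME layout are assumptions chosen for these samples, not tuned production rules.

```python
"""Heuristic features for sliced / "ransom note" image spam.

Added illustration for this article, not vendor code. The thresholds in
classify() are assumptions chosen for the constructed samples below.
"""
import email
import re
from email import policy

# 1x1 transparent GIF, base64-encoded; stands in for each letter-sized slice.
TINY_GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"

IMG_CID_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def _image_part(cid: str) -> str:
    """One inline image MIME part, referenced from the HTML by Content-ID."""
    return (
        "Content-Type: image/gif\n"
        "Content-Transfer-Encoding: base64\n"
        f"Content-ID: <{cid}>\n"
        "Content-Disposition: inline\n"
        "\n"
        f"{TINY_GIF_B64}\n"
    )


def build_message(plain_text: str, html_body: str, cids: list) -> bytes:
    """Constructed sample message (MIME tree flattened to one level for brevity)."""
    b = "example-boundary"
    parts = [
        f"Content-Type: text/plain; charset=us-ascii\n\n{plain_text}\n",
        f"Content-Type: text/html; charset=us-ascii\n\n<html><body>{html_body}</body></html>\n",
    ] + [_image_part(c) for c in cids]
    head = (
        "From: sender@example.invalid\n"
        "To: user@example.invalid\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/related; boundary="{b}"\n'
        "\n"
    )
    body = "".join(f"--{b}\n{p}" for p in parts) + f"--{b}--\n"
    return (head + body).encode("ascii")


def build_ransom_note_sample() -> bytes:
    """Twelve one-letter image slices stitched together by <img> tags, plus a
    few random words in the text part, as the article describes (constructed)."""
    cids = [f"slice{i}" for i in range(12)]
    html = "".join(f'<img src="cid:{c}">' for c in cids)
    return build_message("quartz lantern seven", html, cids)


def build_benign_sample() -> bytes:
    """Ordinary HTML mail: a readable paragraph and one small inline logo (constructed)."""
    text = ("Hi team, the quarterly report is attached to the ticket. "
            "Please review section three before Thursday's meeting.")
    html = f'<p>{text}</p><img src="cid:logo">'
    return build_message(text, html, ["logo"])


def extract_features(raw: bytes) -> dict:
    """Count image parts, HTML cid: references and readable text in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    feats = {"image_parts": 0, "image_bytes": 0, "cid_refs": 0, "visible_text_chars": 0}
    html = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            feats["image_parts"] += 1
            feats["image_bytes"] += len(part.get_payload(decode=True) or b"")
        elif ctype == "text/plain":
            feats["visible_text_chars"] += len(part.get_content().strip())
        elif ctype == "text/html":
            html = part.get_content()
    feats["cid_refs"] = len(IMG_CID_RE.findall(html))
    feats["visible_text_chars"] += len(TAG_RE.sub("", html).strip())
    # Image bytes per readable character: the article's 683 bytes for one "p"
    # is the extreme case; mail with a small logo and a real paragraph sits far below 1.
    feats["image_bytes_per_char"] = feats["image_bytes"] / max(feats["visible_text_chars"], 1)
    return feats


def classify(feats: dict) -> tuple:
    """Flag the message when at least two independent signals agree (assumed thresholds)."""
    reasons = []
    if feats["image_parts"] >= 4 and feats["cid_refs"] >= 4:
        reasons.append("many inline image fragments reassembled by HTML")
    if feats["image_parts"] >= 1 and feats["visible_text_chars"] < 40:
        reasons.append("images carry the message; almost no readable text")
    if feats["image_bytes_per_char"] > 10:
        reasons.append("image payload dwarfs readable text")
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    for name, raw in (("ransom-note", build_ransom_note_sample()),
                      ("benign", build_benign_sample())):
        verdict, why = classify(extract_features(raw))
        print(name, "-> suspect" if verdict else "-> ok", why)
```

Requiring two signals rather than one keeps a newsletter with several legitimate inline images from tripping the fragment count alone; in a real gateway these counts would be one input to a scoring engine alongside the OCR and signature checks the article mentions, not a verdict on their own.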

BorderWare, Marshal, Tumbleweed, and Symantec in recent weeks all have introduced tools that claim to locate and block image spam. However, it is likely that spammers will periodically find ways to circumvent these tools, just as they do with other anti-spam applications, experts say.

— Tim Wilson, Site Editor, Dark Reading

  • BorderWare Technologies Inc.
  • Marshal Inc.
  • Symantec Corp. (Nasdaq: SYMC)
  • Tumbleweed Communications Corp. (Nasdaq: TMWD)
