Spam Victims Get the Picture

Vendors warn of growing threat of spam embedded with image files that circumvent filters

Security vendors and researchers are reporting a marked increase in image-based spam, including a couple of new evasion techniques designed to get past currently available anti-spam applications.

Image spam, in which an attacker hides the message text inside a picture or some other graphic, has grown rapidly in the past few months, researchers say. Symantec estimates that image spam currently makes up about 25 percent of all spam; Tumbleweed Communications puts that number as high as 36 percent. Vendors generally agree that image spam made up less than 15 percent of spam traffic during the first half of this year.

"In the past few weeks, Marshal's TRACE team has recorded a nearly 40 percent increase in the overall volume of spam sent," said security software vendor Marshal in a statement issued yesterday. "This increase is partly due to a rise in image spam, which jumped from 22 percent to 30 percent and has lasted over three weeks."

"Image spam has become a top concern and frustration for our customers in recent months," says John Menezes, president of Cyberklix, a managed security services provider based in Ontario, Canada.

Image spam began simply: attackers embedded their message text in JPEG or other image files to get past filters that inspect only the text of a message. In recent months, however, vendors such as BorderWare Technologies, Marshal, and Tumbleweed have developed anti-spam tools that use optical character recognition (OCR) or other image-analysis techniques to find and block images containing suspected spam.

In recent weeks, however, attackers have responded with a variety of evasion techniques designed to circumvent these image filters. The simplest use unusual fonts, which degrade OCR results, or less common image formats such as PNG, which many current image-scanning anti-spam tools do not decode and therefore do not inspect.

But the evasions don't stop there. Symantec and Marshal this week have both reported attacks that split the spam message into many image fragments, each of which is meaningless to the filter on its own, and then rely on the recipient's email client to reassemble them into a readable message.

Symantec was one of the first to spot this trend earlier this year when it identified a technique that cuts an image of text into nearly arbitrary slices, each a meaningless fragment by itself, which are then reassembled in the email program or browser. The company called this technique "Mr. Puzzle."

"We've also seen a new strain of image spam that acts as a kind of 'ransom note,'" says Penny Freeman, director of software sales engineering at Marshal. "Spammers use individual images of letters that they then assemble to form words and sentences. Random text is inserted to fool text-only anti-spam products. Each letter has a slightly different background color, which we suspect is a randomization technique designed to fool signature-based anti-spam products."

The result is a message that looks something like an old-style ransom note, in which kidnappers pasted together letters cut from many different magazines to avoid identification.

Image spam is a thorny problem, not only because of its complexity but because of the size and volume of the messages it generates, experts say. Symantec gives the example of one image spam attack in which a single image fragment of 683 bytes represented only the letter "p."

"Throw in the HTML that coerced the image parts into the right order, and you're talking about 700 times more bandwidth required [to send image spam] than to send the same spam as text," said a Symantec research report. This type of message could create real problems for organizations that are required to collect and store all email messages due to regulatory mandates, the company says.

The good news is that image spam is fairly easy to find, experts say. "The irony is that the spammers are making it easier for us to spot spam," says Marshal's Freeman. "Image spam is very distinctive. It has unusual properties that normal business email does not have, and this makes it easier for us to identify."
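The "unusual properties" Freeman describes, together with the sliced and ransom-note layouts in the Symantec and Marshal reports above, can be turned into simple structural checks on a message. The following Python script is an added example and is not code from the article or from any vendor's product: it builds two constructed MIME messages, a ransom-note-style spam whose text is spread across many tiny inline PNGs with slightly different background colours, and an ordinary business email with one logo, and scores both. The helper names (`build_sliced_spam`, `image_spam_features`), the sample addresses, and the thresholds (four or more inline image references, four or more slice-sized images, image payload more than four times the readable text) are all assumptions chosen for illustration, not values from the article.

```python
# Added example, not from the Dark Reading article or any vendor's product.
# Builds two constructed MIME messages and scores the structural features
# that set sliced / "ransom note" image spam apart from ordinary HTML mail.
import hashlib
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def make_png(width: int, height: int, rgb=(255, 255, 255)) -> bytes:
    """Build a minimal valid solid-colour 8-bit RGB PNG with only the stdlib."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    row = b"\x00" + bytes(rgb) * width            # filter type 0, then pixels
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(row * height)) + chunk(b"IEND", b""))


def png_size(data: bytes):
    """(width, height) from the PNG IHDR, or None for non-PNG data."""
    if len(data) < 24 or not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    return struct.unpack(">II", data[16:24])


def _html_mail(plain: str, html: str, images) -> bytes:
    """Assemble multipart/alternative mail; `images` is [(cid, png_bytes)]."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"           # constructed sample addresses
    msg["To"] = "victim@example.test"
    msg["Subject"] = "re: your account"
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    html_part = msg.get_payload()[1]              # turns into multipart/related
    for cid, png in images:
        html_part.add_related(png, "image", "png", cid=f"<{cid}>")
    return bytes(msg)


def build_sliced_spam(n_slices: int = 12) -> bytes:
    """Constructed sample: each letter is its own tiny PNG with a slightly
    different background colour, an HTML table puts the pieces back in order,
    and a line of filler words is added for text-only filters to chew on."""
    cells = "".join(f'<td><img src="cid:p{i}"></td>' for i in range(n_slices))
    html = f"<html><body><table><tr>{cells}</tr></table></body></html>"
    images = [(f"p{i}", make_png(18, 30, (250 - i, 250 - 2 * i, 240)))
              for i in range(n_slices)]
    return _html_mail("quarterly fiscal picnic harbor lantern", html, images)


def build_normal_mail() -> bytes:
    """Constructed sample: ordinary business mail with one logo image."""
    body = ("Hi team, attached is the agenda for Thursday's review. Please "
            "send comments on the budget section by Wednesday noon. Thanks, Ann")
    html = f'<html><body><img src="cid:logo"><p>{body}</p></body></html>'
    return _html_mail(body, html, [("logo", make_png(200, 60, (0, 80, 160)))])


def image_spam_features(raw: bytes) -> dict:
    """Structural features of a MIME message that image spam tends to show."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    f = {"n_images": 0, "n_tiny": 0, "cid_refs": 0, "image_bytes": 0,
         "text_bytes": 0}
    hashes = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            data = part.get_payload(decode=True)
            f["n_images"] += 1
            f["image_bytes"] += len(data)
            hashes.add(hashlib.sha256(data).hexdigest())   # per-image signature
            size = png_size(data)
            if size and size[0] * size[1] <= 64 * 64:      # slice / letter sized
                f["n_tiny"] += 1
        elif ctype == "text/html":
            html = part.get_content()
            f["cid_refs"] += len(re.findall(r"<img[^>]+src=[\"']cid:", html, re.I))
            f["text_bytes"] += len(re.sub(r"<[^>]+>", "", html).encode())
        elif ctype.startswith("text/"):
            f["text_bytes"] += len(part.get_content().encode())
    # Colour randomisation makes every slice hash differently, which is why a
    # plain signature match on the images fails; count it rather than rely on it.
    f["distinct_image_hashes"] = len(hashes)
    # Hypothetical thresholds chosen for this example; tune on real mail.
    f["flags"] = [name for name, hit in (
        ("many_inline_images", f["cid_refs"] >= 4),
        ("slice_sized_images", f["n_tiny"] >= 4),
        ("image_heavy", f["image_bytes"] > 4 * max(f["text_bytes"], 1)),
    ) if hit]
    f["image_spam_like"] = len(f["flags"]) >= 2
    return f


if __name__ == "__main__":
    for label, raw in (("spam", build_sliced_spam()), ("normal", build_normal_mail())):
        print(label, image_spam_features(raw))
```

Running the script flags the constructed spam on all three counts (twelve `cid:` references, twelve slice-sized PNGs, and far more image bytes than text) while the business email trips none of them. The hash set shows the point of the per-letter colour change: twelve distinct digests for what is visually one message, so a filter keyed on image signatures has nothing stable to match, while the layout features above survive that randomisation.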

BorderWare, Marshal, Tumbleweed, and Symantec in recent weeks all have introduced tools that claim to locate and block image spam. However, it is likely that spammers will periodically find ways to circumvent these tools, just as they do with other anti-spam applications, experts say.

— Tim Wilson, Site Editor, Dark Reading

  • BorderWare Technologies Inc.
  • Marshal Inc.
  • Symantec Corp. (Nasdaq: SYMC)
  • Tumbleweed Communications Corp. (Nasdaq: TMWD)
