Archive for spam

Spammers Defeat Google

Posted in Staying safe on March 10, 2008 by chopperarris

Google has met its match. Analysis of spam by men with machines has shown that 4.6% of all spam originates from Web mail-based services and the proportion of spam from Gmail increased two-fold from 1.3% in January to 2.6% in February, mainly promoting adult-oriented Web sites. Yahoo! Mail was the most abused Web mail service, responsible for sending 88.7% of all Web mail-based spam.

Hackers have recently relied on new techniques for evading spam detection which involve computationally solving anti-spam CAPTCHAs, mechanisms designed to eliminate automated sign-up tools used by spammers by requiring the user to perform a task that can only be performed by a human.

Once hackers develop a computational method with a 20 to 30% success rate, they can use their botnets to create unlimited numbers of accounts on compromised services for spamming and phishing. Yahoo! Mail and Hotmail CAPTCHAs were first broken in July 2007. The increase in spam from Gmail this month may be indicative of similar success.

There are several approaches a spammer can take to defeat a CAPTCHA. Whether they do so using an algorithm, a ‘mechanical turk’ or a combination of the two, e-mail providers are feeling the pressure to keep pace but are limited to what a human can realistically solve, creating ever more doubt about the long-term effectiveness of the CAPTCHA as a security mechanism for protecting e-mail services from abuse.

Also in February, targeted Trojan attacks increased to approximately 30 per day, an increase of around 200% since the end of 2007. These attacks focus specifically on small numbers of targets in each incident, thus keeping below the radar of the wider security industry. One particular attack this month involved up to 900 targeted Trojans, primarily intended for named senior business executives worldwide, and made use of multiple attack vectors including compromised websites and malicious downloads.

It’s obvious online shifties are going to greater lengths than ever before to reach their targets. Not only are we seeing a significant increase in the number of targeted Trojan attacks, but they often appear to be based on prior intelligence gathered about their targets. At the same time though, more and more businesses are protecting themselves against potential threats by only allowing employees to access pre-approved Web sites.

In fact, there’s an increase in the number of Web sites blocked by businesses because they did not fall within an allowed list, rising by 12.9% from last month. By blocking unclassified Web sites, businesses can safeguard themselves against both new and existing potential threats. This is especially true of those Web sites that appear and disappear within 24 to 48 hours, which are often used for phishing, spam, Trojans and other fraudulent activities. In fact, 62.2% of all Web-based viruses and 82.5% of all spyware and adware were from this kind of Web site.

The Storm botnet has also continued to be a significant force in driving spam in February. For the first time it has been used to send spam touting VXPL, a drug promising male sex organ enlargement (don’t bother, I’ve tried it and it doesn’t work -Ed!), and nicotine patches, likely tapping into a seasonal increase in smokers trying to quit. At the same time, there was an increase of activity from Storm to further compromise computers, making up more than 96% of this month’s email-borne malware linking to malicious sites.

Spammers Change Tactics

Posted in Staying safe on March 5, 2008 by chopperarris

Security boffins at SoftScan whispered into my ears this morning. Instead of sweet nothings they said that spam levels have remained steady, accounting for 96.47% of all e-mail scanned by their infallible servers. What a disappointment!

However, in the last couple of weeks some eagle-eyed white coats noted subtle changes to the delivery and format of ‘bulk mail’ spam, which may indicate that spam levels will increase once again in the near future.

The change is in messages sent out in vast quantities apparently by the same few providers. Similarities observed in the past in the technical makeup of the messages have led SoftScan to conclude that these messages are written on templates specifically designed to have maximum effect on bypassing anti-spam filters.

“It’s too early yet to be absolutely certain, but a change in the template indicates that the spammers are trying out new tactics, which is normally a precursor to a larger blitz of spam,” comments Diego d’Ambra, CTO of SoftScan.

“Junk mail from these few providers seems to come in waves and from the distribution you can see that there are some very successful spammers that cover a large part of the market. In addition, we’ve also seen a change in the delivery of these messages. This may mean that the botnets have been recruiting significant numbers of new zombies or that the spammers are trying to find new ways to bypass blacklist technology.”

Virus levels remained typically low during the month, accounting for just 0.09% of all e-mail scanned. The top five virus families in February were:

1. Phishing (85.92%)

2. Dropper (7.07%)

3. Diehard (2.14%)

4. Netsky (1.37%)

5. Downloader (0.97%)

Spammers Go ‘Out Of Office’

Posted in Staying safe on February 27, 2008 by chopperarris

Adding another trick to their toolkit, spammers are now abusing the ‘out of office’ feature of Web-based e-mail services to relay their junk messages into the inboxes of unsuspecting Internet users. I can’t believe it has taken so long. Anti-virus boffins have recently seen several instances where spammers set up Web-based e-mail accounts and configure auto responders with spammy messages. The miscreants then send e-mail with fake ‘from’ addresses - the spam targets - to their newly created Web-mail accounts. The ‘from’ addresses subsequently receive the spammy ‘out of office’ notices.

This may sound like a convoluted way to send spam, but spammers do it to trick spam filters. An automatic reply from a well-known Web-based e-mail service will look legitimate to many spam filtering tools. Unlike spam sent by botnets, the auto reply spam will have a legitimate sender and will be signed with the correct signatures used to sign e-mail messages, such as DKIM, DomainKeys or Sender ID.

One spammer seen using this technique is advertising an adult Web site - no surprises here! The auto-responder spam does not look like a typical out of office reply. The message subject always contains ‘Re:’ because that’s added by the Web mail service, but the spammer controls the rest of the subject line and the message body text. In the examples, a popular anti-virus manufacturer could determine that the mail came from an auto responder only by carefully looking at the e-mail headers.

I suspect the spammer has a program that automatically creates accounts and sets the responder text, all with no manual work required. This gives the spammer the capability to have lots of Web-mail accounts, all used to spam lots of people. All is not lost: the spam should be blocked by a decent anti-spam product through a combination of header and message content checks.
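A sketch of the combined header and content check mentioned above, added here as an illustration and not taken from the original post or from any anti-spam product. It assumes the Web mail service marks auto replies with `Auto-Submitted` (RFC 3834) or one of the common non-standard headers; the phrase list, verdict names and sample messages are constructed for the example.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://|www\.", re.I)
# Assumed phrase list: wording a genuine out-of-office notice tends to contain.
OOO_RE = re.compile(r"out of (the )?office|on (vacation|leave)|away until", re.I)

def is_auto_reply(msg):
    """Header check: was this message generated by an auto responder?"""
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":                                  # RFC 3834 marker
        return True
    if msg.get("Precedence", "").strip().lower() == "auto_reply":
        return True
    # Non-standard but widely seen markers (assumption, not exhaustive).
    return any(h in msg for h in ("X-Autoreply", "X-Autorespond"))

def classify(raw):
    """Content check applied only to auto replies.

    Authentication-Results is deliberately never consulted: a passing DKIM
    signature only proves the Web mail service sent the reply, not that the
    text the account owner configured is harmless.
    """
    msg = message_from_string(raw)
    if not is_auto_reply(msg):
        return "not-auto-reply"
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + " " + body
    if URL_RE.search(text) and not OOO_RE.search(text):
        return "suspect"          # auto reply that advertises a link
    return "auto-reply"

# Constructed sample messages (example domains only).
SPAM = ("From: someone@webmail.example\nTo: target@example.org\n"
        "Subject: Re: new pics for you\nAuto-Submitted: auto-replied\n"
        "Authentication-Results: mx.example.org; dkim=pass\n\n"
        "Visit http://adult-site.example/ today\n")
GENUINE = ("From: colleague@webmail.example\nSubject: Re: Q1 report\n"
           "Auto-Submitted: auto-replied\n\n"
           "I am out of the office until Monday.\n")
NORMAL = ("From: friend@webmail.example\nSubject: lunch?\n\n"
          "Menu is at http://example.org/menu\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("genuine", GENUINE), ("normal", NORMAL)):
        print(name, "->", classify(raw))
```

A "suspect" verdict is a signal to feed into a filter's overall score rather than a block decision on its own, since a genuine notice may also omit the usual wording.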