Not that long ago some officials were declaring the war against spam all but won. The Federal Trade Commission as recently as December 2006 published a “state of spam” report, citing research indicating spam had leveled off or even dropped during the previous year.
But lately there have been disturbing signs that spam is staging a comeback -- and becoming more widespread than ever. In fact, some reports suggest there is twice as much spam circulating today as a year ago. What’s worse, researchers attribute this resurgence in unwanted email to so-called “image spam” that is often tied to fraudulent penny stock schemes.
As this article will show, online fraud continues to evolve at a steady pace, forcing enterprises to be increasingly vigilant about this cyber menace.
The rise of image spam shows once more that, when traditional methods fail, spammers and fraudsters turn to more sophisticated techniques. Image spam, by using pictures instead of words, can evade filters set up to detect text-based ads. Concentrated stock spamming has the ability to send share prices of penny stocks soaring.
As John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement, told MSNBC’s Red Tape Chronicles blog, attempts to manipulate stock prices through email are nothing new. The SEC has prosecuted some spam “pump and dumpers” and suspended trading in firms after it discovered a spam campaign. But the agency can hardly keep up with the millions of stock spams that are proliferating today.
Red Tape Chronicles’ Bob Sullivan writes: “Stock spam is effective because no Web link is required. In old-fashioned spam, criminals generally try to trick recipients into clicking on a link and buying something. Many email programs now block direct Web links from emails, rendering click-dependent spam much less effective. But stock messages merely have to make the recipient curious enough about a company to motivate him or her to buy a few shares through a broker.”
Symantec estimates that the monthly percentage of spam dedicated to touting stocks varies between 20 percent and 40 percent.
One way companies combat image spam is by turning off all images arriving in inboxes. But that can be an extreme measure as it bars harmless pictures as well. The best defense may be the delete key -- and a heavy dose of skepticism when investing based on anonymous tips. As the SEC’s Stark told Red Tape Chronicles: “Never invest based on spam.”
Spammers aren’t the only ones evolving their practices to entice the unwary. Phishers too are adding new variants to their list of scamming tricks — and doing so in record numbers.
New figures released by Netcraft in January show that the number of phishing URLs soared in 2006. Perhaps most alarming is that almost half the total came in a single month—December.
According to the company, which monitors the incidence of phishing sites through its browser toolbar, the number of phishing sites rose from 41,000 in 2005 to 609,000 in 2006. Of these, 277,000 unique URLs were detected in December alone, with 457,000 cumulatively in the last three months of the year.
Netcraft attributes this sudden rise to the availability of phishing-creation kits, known collectively as “Rockphish” (or “R11”), which automate the rapid creation of scam Web sites. These tools allow sophisticated domain management, including webs of sub-domains, as part of the battle to overwhelm anti-phishing systems with vast numbers of short-lived sites that are impossible to keep tabs on or block.
Researchers with Symantec Security Response speculate that this sharp increase may also be a result of attempts by attackers to bypass filtering technologies by creating multiple randomized messages. These messages attempt to phish the same brands, but include slight variances—such as variations in the URLs included in the phishing message—in order to bypass the use of basic email scanning techniques.
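The following is an added example, not code from Netcraft or Symantec, showing from the defender's side why exact-match URL block lists miss the randomized variants described above and how grouping URLs by registered domain and path shape collapses them into one campaign. The hostnames are constructed, and the "last two labels" rule for the registered domain is a simplifying assumption; a production filter would consult the Public Suffix List.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: URLs extracted from messages imitating one brand,
# plus one unrelated newsletter link. All hosts use the reserved .example TLD.
SAMPLE_URLS = [
    "http://a81f.login.bank-update.example/r1/secure/index.php?id=48213",
    "http://c07d.login.bank-update.example/r1/secure/index.php?id=90177",
    "http://x9.acct.bank-update.example/r1/secure/index.php?id=11802",
    "http://www.newsletter.example/2006/12/offers.html",
]


def registered_domain(host):
    """Approximate the registered domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def campaign_key(url):
    """Reduce a URL to the parts a kit does not randomize.

    Sub-domain labels and the query string are dropped, and digit runs in
    the path are collapsed, so per-message variations map to the same key.
    """
    parts = urlsplit(url)
    path = re.sub(r"\d+", "N", parts.path.lower())
    return (registered_domain(parts.hostname or ""), path)


def exact_match_hits(urls, blocklist):
    """Basic scanning: a URL is caught only if it is listed verbatim."""
    return [u for u in urls if u in blocklist]


def cluster_campaigns(urls, min_hosts=3):
    """Group URLs by campaign key; keep keys seen on many distinct hosts."""
    hosts = defaultdict(set)
    for url in urls:
        hosts[campaign_key(url)].add(urlsplit(url).hostname)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    blocklist = {SAMPLE_URLS[0]}  # only the first variant has been reported
    print("exact-match hits:", exact_match_hits(SAMPLE_URLS, blocklist))
    for key, host_list in cluster_campaigns(SAMPLE_URLS).items():
        print("campaign", key, "->", len(host_list), "hosts")
```
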
Traditionally, phishing has used a combination of spam, spyware, and bogus Web sites to lure unsuspecting victims into entering their credit card and bank account numbers into computer systems. In the latest variation on this scam, so-called “vishing” attacks bring voice systems into play.
Posing as a legitimate organization, a visher typically sends an email directing the recipient to place a phone call to a toll-free number to clear up an alleged problem with an account. Users who dial the specified number are then directed by an automated voice system to enter their account number and PIN on the phone keypad. The result: the scammer has gained access to the user’s personal data.
“It’s so easy to fall for this scam,” says Zully Ramzan, Senior Principal Security Researcher, Advanced Threat Research, for Symantec. “[Vishers] set up an interactive voice response system that sounds exactly like the one your bank uses — even matching the on-hold music!”
Clearly, with scammers employing increasingly sophisticated spamming and phishing techniques, data protection needs to extend beyond the reach of traditional anti-virus products. Fortunately, the latest security products now integrate protection not just from viruses and worms, but also from spam, spyware, and other malware. For example, the anti-phishing technologies that Symantec develops, such as those available in Norton Internet Security and Norton Confidential, include heuristic-based, zero-hour-protection mechanisms. These techniques allow phishing sites to be detected immediately without having to rely on so-called block lists.
For today’s enterprises, such techniques are essential because, as Symantec’s Ramzan has observed, phishers in 2006 “demonstrated that they really mean business. Their attacks have become more frequent, more varied, and quite frankly more innovative. At the same time, none of this is new. At Symantec we’ve seen such trends over and over again in many other threat areas for quite some time. Attackers are constantly adapting their approaches to increase their success rate. We must, therefore, continuously out-innovate them.”
Evasive, stealthy, and aggressive Internet threats are on the rise, and the speed of a security vendor alone isn’t enough. It’s a security vendor’s ability to catch tough, tricky threats in a timely manner that really counts.