Spam Morphs from a Nuisance to a Threat


WHITE PAPER

Spam Morphs From a Nuisance to a Threat

An Osterman Research White Paper
Published December 2011

Sponsored by Abaca

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
Executive Summary

Spam volumes are substantially lower today than they were last year: as of late 2011, spam accounts for roughly 75% of the email that traverses the Internet compared to about 90% in 2010. The result is billions fewer spam messages being received by end users every month, leading some to believe that the spam problem is now less serious than it has been for many years.

However, while spam volumes are lower than they have been in many years, the threat that companies face from spam is actually much greater than it was when spam volumes were much higher. This is because a) the primary spam threat is no longer about selling products but stealing information, b) spammers are getting smarter and more effective by improving the ability of their phishing and spearphishing attacks to penetrate corporate security systems, and c) the payloads and links that spam delivers are more damaging.

"I don't fear the man who wants twenty nuclear weapons, I fear the man who wants one."
– George Clooney, The Peacemaker

In short, the spam problem can be summarized by the quote in the callout: the problem is not one of the sheer volume of the threats, but of their effectiveness and intent.

KEY TAKEAWAYS

There are four key points made in this white paper:

• During the past 12 months, 37% of mid-sized and large organizations in North America have had malware successfully infiltrate their corporate network through email. Many of these attacks have been quite serious, resulting in the loss of millions of dollars, as well as loss of sensitive financial data and intellectual property.

• The disappearance of the network perimeter that has been enabled by the consumerization of IT has created more endpoints for incursion of spam and malware. This, coupled with increasingly sophisticated and targeted phishing attempts, means that the problem of malicious spam infiltration will become worse.

• As a corollary to the point above, the increasing sophistication of phishers' targeting of senders is heralding a new era in these criminals' ability to focus their attacks, with a corresponding decrease in these individuals' ability to identify phishing attempts.

• Decision makers should view spam as a very serious threat and not minimize the severity of the threat it poses because spam volumes are decreasing.

ABOUT THIS WHITE PAPER

This white paper is focused on helping decision makers to understand that the problem with spam is more serious today than it was when spam volumes were higher. It also offers a brief overview on the sponsor of this white paper, Abaca, and its anti-spam capabilities.

©2011 Osterman Research, Inc.
Some Background on Spam

THE PROBLEM OF MALICIOUS EMAIL

Spam is a problem – it wastes bandwidth, storage, and employee time, not to mention the cost of deploying systems to deal with processing and deleting spam from corporate networks. However, the dramatically more sinister side of the spam problem is malicious email – messages that are sent with the specific intent of stealing content like banking credentials, usernames and passwords for corporate applications, Social Security numbers, credit card numbers and other sensitive information. The goal of those who send malicious email is simple: a) steal money, b) steal data or c) cause serious disruption to networks or critical systems.

MALICIOUS EMAIL IS DANGEROUS AND EXPENSIVE

The security risks from spam are quite real and they are no longer just a nuisance as in years past. The growing variety of keystroke loggers, password-stealing Trojans and other threats means that corporate data is increasingly at risk. Data theft can include sensitive content like usernames and passwords, but also financial data, customer data, trade secrets and other types of confidential information. The increasing end goals of stealing information (personal and corporate), hijacking systems for a wide range of purposes and launching additional malicious attacks all have serious business implications, in addition to the more traditional impacts to bandwidth, infrastructure and other costs. For example, there have been a number of serious spam-based incursions during the past year:

• In September 2011, Mitsubishi Heavy Industries was the victim of a spearphishing attack that ended up compromising 83 different systems in 10 locations across the company [i].

• In June 2011, the International Monetary Fund (IMF) was the victim of a spearphishing attack that may have been perpetrated by a rogue state. Although employees were warned not to open attachments they were not expecting, open email from unknown senders or click on video links, malware in an email successfully penetrated IMF defenses and information was stolen from compromised computers [ii].

• In April 2011, hackers sent phishing emails to a number of lower level employees at RSA. These emails contained the subject line "2011 Recruitment Plan" and included an Excel spreadsheet as an attachment that contained a zero-day flaw in Adobe Flash. Although the emails were successfully diverted to these users' spam quarantines, the emails were opened and a Trojan was installed that successfully harvested credentials from a large number of employee accounts, compromising RSA's SecurID tags [iii]. As of late 2011, 760 organizations have been attacked using the same command and control, including IBM, Google, Microsoft and about one-fifth of the Fortune 500 [iv].

• On April 7, 2011, a spearphishing attack directed at the Oak Ridge National Laboratory was able to steal a few megabytes of data before IT administrators cut off Internet access. The email sent to employees was purportedly from the lab's HR department and was received by 530 employees, 57 of whom clicked on a malicious link contained in the email [v].

• In November 2010, a 26-year-old Hungarian citizen, in a bizarre attempt to be hired by Marriott International, sent an infected email attachment to various Marriott employees that allowed him to steal sensitive information from the company. Marriott estimates that the cost of analyzing the extent of the compromise of its network cost it between $400,000 and $1 million [vi].

• In November 2010, employees at France's Ministry of Economics, Finances, and Industry received spearphishing emails that contained a Trojan. A minimum of 150 computers were compromised and sensitive documents related to the G-20 were stolen [vii].

It is also important to note that information stolen as a result of phishing attacks can be used to generate new phishing attacks, exacerbating the problem. For example, data hijacked in the Epsilon breach earlier in 2011 is now being used to target customers of Chase Bank.

SPAMMER TECHNIQUES

Spammers use a variety of techniques to deliver their content:

• Botnets
Spammers use botnets that consist of millions of 'zombie' computers – computers in homes and the workplace that are infected with a virus, worm or Trojan that permits them to be controlled by a remote entity. Spammers can rent botnets for content-distribution campaigns. Using botnets, a small number of messages can be sent from each of thousands of computers, effectively hiding each zombie from detection by ISPs or network administrators using conventional tools. Botnets are a critical problem not only because they are responsible for the vast majority of spam sent across the Internet today, but also because they are used for a wide range of purposes beyond just spam delivery. These include hosting malware sites, perpetrating distributed denial-of-service attacks, click fraud and credit card fraud. Botnets can be hard to detect and hard to remove.

• Spam filter-avoidance techniques
The simpler of these techniques involves text obfuscation, such as misspelling keywords; Bayesian poisoning (the process of including specific keywords in spam messages in an attempt to trick Bayesian filters into thinking a message is legitimate); introducing valid text into spam messages; using various HTML techniques to fool filters into not recognizing offensive content; and other techniques. These techniques typically can bypass many traditional content filters, and those using a Bayesian approach.

• Spam with attachments
Similar to image spam, but using PDF files, spreadsheets or ZIP files as payloads to carry the spam content, often malware. One technique is to send calendar invitations as malicious email attachments.

• Image-based spam
Image-based spam is represented as one or more images that typically use non-standard fonts, background 'snow', randomized backgrounds, slanted lines of text, blurriness and other distortions to defeat more conventional spam-filtering technologies, as shown in the example at right. Image spam is a particularly serious problem for mail servers and recipients, since each message is typically much larger than a conventional, text-based spam message. Image spam, while still used by spammers, is less of a problem today than it was in 2007.
• Alternative spam languages
Spammers will often target their content to users who speak specific languages. There is a growing trend for more localized distribution with diversified languages. For example, in early 2010 96% of spam was in English – as of early 2011 it was 90% [viii].

"DECENT" SPAM CAPTURE RATES ARE NOT ENOUGH

A spam filtering solution that catches the "vast majority" of spam simply isn't acceptable in an era of spamming that is specifically targeted to employees using social engineering and other techniques. For example, a 98% capture rate – while seemingly acceptable – will increase the chance of infection by 200 times compared to a solution that captures 99.99% of spam.

Spams Received Daily per 1,000 Employees
(Assuming 100 Emails Received per Employee per Day)

Capture Rate   Potentially Malicious Spam Emails Received   Likelihood of Infection Compared to 99.99%
95.0%          5,000                                        500x
98.0%          2,000                                        200x
99.0%          1,000                                        100x
99.5%            500                                         50x
99.9%            100                                         10x
99.99%            10                                          -

Spam Isn't an Issue Anymore... Right?

A BIT OF GOOD NEWS: SPAM VOLUMES ARE DECLINING

Spam volumes dropped significantly in late 2010, followed by a rapid increase in the volume of spam partway through March 2011. However, since the seemingly permanent takedown of the Rustock botnet in March 2011, spam volumes are now at significantly lower average levels than they have been for many years. The elimination of the Rustock botnet was significant, since it was the largest of the many botnets in operation with anywhere from 1.1 million to 1.7 million compromised computers in operation [ix]. Evidence of the decreasing proportion of spam traversing the Internet relative to valid email comes from statistics that show spam decreasing from 92% in August 2010 to 79% in January 2011 to 74% in October 2011 [x].

LOTS OF BAD NEWS: SPAM IS MORE SERIOUS THAN EVER

In a recent Osterman Research survey [xi] of mid-sized and large organizations in North America, three out of four respondents have experienced some form of security compromise during the past 12 months, with malware ingress through email a predominant avenue for these incursions. Moreover, 34% of the IT decision makers surveyed are concerned or seriously concerned about the amount of spam their organization receives, while 26% are this concerned about the number of false positives they get in their current anti-spam filtering systems.
Figure: Security Incidents That Have Occurred During the Previous 12 Months

NETWORKS ARE ALREADY COMPROMISED

In an Osterman Research survey conducted during January 2011, decision makers and influencers demonstrated that they were relatively pessimistic about the future of spam and malware problems as they entered 2011, as shown in the following figure.
Figure: Predictions About Global Spam and Malware Problems in 2011

Decision makers were right to be pessimistic. Despite the decreases in spam volumes, there has been relatively little good news in the context of threats directed against messaging and Web users. Further, while many decision makers are taking messaging and Web security threats quite seriously, a soft economy coupled with threats that are rapidly increasing in sophistication and severity means that many organizations are not keeping pace with the threats they face.

A Zero Tolerance Approach to Malicious Mail

SPAM VOLUMES ARE NOT THE FUNDAMENTAL ISSUE

Somewhat predictably, many members of the press, analyst and IT community have assumed that the significant decrease in the amount of spam over the past several months indicates that the spam problem is much less serious than it was when volumes were much higher. However, because the decrease in spam volumes has been accompanied by more serious threats delivered through spam, the spam problem is actually more critical now that volumes are lower.

YOU ARE A TARGET FOR THE BAD GUYS

Moreover, there are a variety of less catastrophic problems caused by spam, but these issues are serious nonetheless:
• Data breaches
A breach of customer or consumer data caused by a successful phishing attempt can lead to a number of serious consequences. Because there are data breach notification laws in 46 of the 50 US states, one Canadian province, and in many nations around the world, organizations that lose this data are liable not only for the direct costs of notifying victims, but they may also be liable in legal actions, they may have to pay for credit reporting services, and they will almost certainly suffer a loss of reputation and brand damage.

• Advanced persistent threats
An advanced persistent threat (APT) is serious in that it represents a protracted attack against a company, government or some other entity by one or more hackers. The seriousness of APTs is underscored by the fact that these threats are generally directed by humans who are intent on penetrating corporate or other defenses, not simply automated threats that are looking for targets of opportunity. Consequently, those directing APTs will change tactics as they encounter resistance to attacks among their targets, such as the deployment of new defense mechanisms. One example of an APT is a distributed denial-of-service (DDoS) attack aimed at mining interests in China, the United States, Singapore and Hong Kong [xii]. This attack, which began in September 2009, uses a specialized piece of malware identified as JKDDOS [xiii] for which more than 50 variants have been identified. This malware can be distributed in a variety of ways and, with sizes as small as 17Kb, can easily be distributed via email.

• Increased storage requirements
As more malicious content comes into a network, more of this content must be stored for review in quarantines and archives. Given that this content is normally preserved for at least 30 days in order to give employees time to review it for false positives, increases in malicious content entering a network inevitably lead to increased storage requirements. Further, storage spikes add significant volatility to storage needs, making it difficult to plan storage capacity accurately.

What Should You Do Next?

Osterman Research recommends that organizations of any size undertake a four-step program to address their issues with spam:

1. First and foremost, understand that you still have a spam problem
Even though absolute spam volumes are decreasing, the threats from spam entering your network are becoming more severe and stealthier over time. One way to think about this is from the perspective of physical security: if you formerly had 100 people using brute force in an attempt to break into your home and today you have only 50 people doing so, but with more sophisticated tools, your problem is actually getting worse, not better.

2. Understand the nature of the threats
While spam used to be a nuisance – albeit an expensive one – today it is a major threat vector that can result in the loss of hundreds of thousands or millions of dollars in funds. The problem is becoming more serious not only because of the consequences of a successful incursion into your network, but because there are more endpoints through which criminals can gain access to your data, funds and intellectual property.

3. Train your users, but protect them from themselves
Users are clearly the first line of defense in any security scheme. They must be trained about the appropriate way to handle emails from unknown sources, why they should not click on links contained in email, what to do with attachments in email, and so forth. Training programs should be thorough and updated with sufficient frequency to address new threats as they arise. It is important to note that while users are a useful step in preventing the infiltration of malicious content by carefully evaluating the content they receive, even the most careful and experienced user can still be fooled by social engineering and other spammer techniques.

4. Finally, deploy very robust anti-spam technology
No amount of training or user awareness will protect an organization from the onslaught of threats they face from spam. As a result, every organization should deploy capabilities that will capture the highest possible proportion of spam entering their network with as low a false positive ratio as possible. For example, as shown in the previous table, increasing the spam capture rate from 95% to 99% will reduce the potential for malicious email infiltration by 80%. It is important to evaluate spam-filtering vendors based on their ability to capture very high rates of malicious content. However, it is also important to focus on high-performance spam filtering capabilities that will enable the processing of large amounts of spam, such as during spikes in spam activity, as well as energy efficiency to minimize power requirements for the overall security infrastructure. Moreover, consider layered email filtering using a combination of cloud-based and on-premise solutions that will make deployment easier and minimize the risks from malicious email.

Summary

Somewhat ironically, spam volumes are decreasing while the threat from spam is increasing. Where spam used to be a nuisance, today it represents an enormous threat vector because it carries malware and links to malware-laden sites. Just one user clicking on one link in one spam message can set in motion a massive data breach, the loss of funds or the loss of intellectual property. Consequently, organizations should pursue best practices with regard to training users about how to manage email, but they should also deploy highly effective anti-spam technologies that will block as much spam as possible from reaching end users.
About Abaca

Abaca, founded in 2005 by Steve Kirsch, a respected Silicon Valley entrepreneur and philanthropist, is a privately held company headquartered in San Jose, California.

Abaca is an innovator in email protection and messaging security. The company's next generation technology, ReceiverNet®, offers a revolutionary approach in the fight against spam – providing an unprecedented level of performance and guaranteeing a minimum of 99% accuracy. Abaca has created a portfolio of advanced products and services based upon this core technology, thereby assuring users unparalleled messaging protection from spam, virus and phishing attacks.

HOW IT WORKS

Unlike conventional email filters that narrowly focus on detecting spam-like content or known senders of spam, Abaca takes a multi-dimensional approach. It works in real-time to analyze a number of factors to create an extremely accurate probability model of whether or not a message is spam. Because it does not rely on content inspection, the Abaca solution is completely language independent and immune to many of the most sophisticated tricks that spammers use to mask commercial or malicious content.

Key to the revolutionary Abaca Solution is a multi-layered approach that combines several techniques to deliver unparalleled effectiveness:

• Deep Envelope Inspection
There is more to an email header than meets the eye. A deep analysis of the header reveals critical information such as how it got to the receiver – e.g., did it come directly from your bank or was it in the hands of someone bad in the middle. Experience gained from processing billions of messages a month has enabled Abaca to develop automated forensics that look for telltale signs of forged headers and obfuscated sender addresses – all in real time. This automated intelligence validates the envelope and detects who sent it and who handled it in between.

• Receiver Reputation
Although the ingenuity of spammers is unlimited, Abaca has developed a revolutionary technology that relies on the fact that they will always need someone to receive their mail. The patented Abaca ReceiverNet™ Protection Network rates individual receivers based on a number of factors, including how much spam they attract. By applying this reputation rating to approximately 50 other variables – including information gleaned from deep envelope inspection – Abaca achieves a 99.997 percent catch rate as verified in independent tests.

• Instant Intelligence
Because the ReceiverNet network is based in the cloud, information on a large number of receivers can be leveraged to more accurately establish the reputation of the individual receivers. It all works automatically without the need for administrators to manually update lists of bad senders, the latest malware, or other email-borne threats. The cloud-based system also uses this large pool of data to learn, so that unlike conventional solutions that degrade over time, it becomes more accurate with each email. It also remembers feedback from individual users to learn what email they want to receive.
• Deterministic Algorithm
When an email arrives at the Abaca filter – whether in the cloud, a private cloud, or installed in front of a corporate email server or at an ISP – a small portion of the critical header message is stripped and sent to the ReceiverNet network. The advanced ReceiverNet algorithm instantly computes the odds that the message is spam by using a mathematical analysis that combines receiver reputation with other variables. Depending on whether the customer has deployed Abaca Cloud as a filter or prefilter, the message is then either blocked or marked as probably spam for the local filter to make a determination.

ABACA'S CUSTOMERS

Abaca's customer base represents leading businesses and organizations from all industries, including: banking/finance, education, energy, healthcare / pharmaceuticals, manufacturing, technology, and telecommunications. Abaca's customer base also includes a growing list of regional and international Internet service providers.

Abaca's technology is used to protect Yahoo! customers' 250 million mailboxes and blocks more than 80,000 emails per second.

Abaca is 100% focused on customer success with customer success the cornerstone of the business. The company assesses its own corporate success by that of its customers. For more information on Abaca customers, read the company's customer testimonials and selected success stories.
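The header-chain analysis described under Deep Envelope Inspection above, as an added illustration that is not Abaca's code or the ReceiverNet algorithm: it parses a constructed message's Received: chain in travel order and flags two of the telltale signs the paper mentions, a display name that claims a different domain than the real address, and a first hop that did not originate in the claimed sender's domain. All hosts and addresses are constructed, and the two checks are hypothetical heuristics that produce signals, not verdicts.

```python
"""Illustrative envelope inspection (added example; hypothetical heuristics, not a vendor's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims the bank, the address does not, and the
# first hop is a residential host rather than anything in the claimed sender's domain.
SAMPLE_MESSAGE = """\
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
\tby mail.corp.example with ESMTP id ABC123; Mon, 5 Dec 2011 09:15:02 -0800
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.7])
\tby mx1.corp.example with ESMTP; Mon, 5 Dec 2011 09:15:01 -0800
Received: from host-37.residential.example ([203.0.113.37])
\tby relay.bulk-sender.example with SMTP; Mon, 5 Dec 2011 09:14:58 -0800
From: "Security Team bank.example" <alerts@bank-secure-login.example>
To: employee@corp.example
Subject: Action required: verify your account

Please click the link below to keep your account active.
"""

# Constructed clean counterpart: first hop is the bank's own outbound server.
CLEAN_MESSAGE = """\
Received: from smtp-out.bank.example (smtp-out.bank.example [192.0.2.50])
\tby mx1.corp.example with ESMTP; Mon, 5 Dec 2011 10:00:00 -0800
From: "Bank Alerts" <alerts@bank.example>
To: employee@corp.example
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def received_hops(raw_message: str) -> list:
    """Return the 'from' host of each Received: header, first hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received: header, so the bottom one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(" ".join(value.split()))
        hops.append(m.group(1).lower() if m else "<unparsed>")
    return hops


def sender_address_domain(raw_message: str) -> tuple:
    """Return (display_name, address_domain) taken from the From: header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def inspect_envelope(raw_message: str) -> list:
    """Return warning strings; an empty list means neither heuristic fired."""
    warnings = []
    name, domain = sender_address_domain(raw_message)
    # Sign 1: the display name mentions a domain other than the actual address domain.
    for claimed in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", name.lower()):
        if claimed != domain and not claimed.endswith("." + domain):
            warnings.append(f"display name claims {claimed} but address domain is {domain}")
    # Sign 2: the message did not enter the relay chain from the claimed sender's domain.
    hops = received_hops(raw_message)
    if hops and domain and not (hops[0] == domain or hops[0].endswith("." + domain)):
        warnings.append(f"first hop {hops[0]} is outside sender domain {domain}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, received_hops(raw), inspect_envelope(raw))
```

Legitimate mail sent through a third-party provider also trips the first-hop check, which is why the paper's approach combines such envelope signals with reputation data rather than deciding on any single one.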
© 2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

Notes

i ,2817,2382970,00.asp#fbid=uW9bd7GksLRiv
iv Ibid
x Messaging and Web Security Market Trends, 2011-2014, Osterman Research, Inc.
xii