Spam Morphs from a Nuisance to a Threat

WHITE PAPER

Spam Morphs From a
Nuisance to a Threat
ON An Osterman Research White Paper
Published December 2011

SPONSORED BY

sponsored by
SPON

sponsored by
Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman

Spam Morphs from a Nuisance to a Threat

Executive Summary
Spam volumes are substantially lower today than they were last year: as of late 2011, spam
accounts for roughly 75% of the email that traverses the Internet compared to about 90% in
2010. The result is billions fewer spam messages being received by end users every month,
leading some to believe that the spam problem is now less serious than it has been for many
years.

However, while spam volumes are lower than they have been in
many years, the threat that companies face from spam is
actually much greater than it was when spam volumes were “I don’t fear the
much higher. This is because a) the primary spam threat is no man who wants
longer about selling products but stealing information, b) twenty nuclear
spammers are getting smarter and more effective by improving
the ability of their phishing and spearphishing attacks to weapons, I fear
penetrate corporate security systems, and c) the payloads and the man who
links that spam delivers are more damaging. wants one”.
In short, the spam problem can be summarized by the quote in
George Clooney
the callout: the problem is not one of the sheer volume of the
The Peacemaker
threats, but of their effectiveness and intent.

KEY TAKEAWAYS
There are four key points made in this white paper:

• During the past 12 months, 37% of mid-sized and large organizations in North America
have had malware successfully infiltrate their corporate network through email. Many of
these attacks have been quite serious, resulting in the loss of millions of dollars, as well as
loss of sensitive financial data and intellectual property.

• The disappearance of the network perimeter that has been enabled by the consumerization
of IT has created more endpoints for incursion of spam and malware. This, coupled with
increasingly sophisticated and target phishing attempts, means that the problem of
malicious spam infiltration will become worse.

• As a corollary to the point above, the increasing sophistication of phishers’ targeting of
senders is heralding a new era in these criminals’ ability to focus their attacks, with a
corresponding decrease in these individuals’ ability to identify phishing attempts.

• Decision makers should view spam as a very serious threat and not minimize the severity of
the threat it poses because spam volumes are decreasing.

ABOUT THIS WHITE PAPER
This white paper is focused on helping decision makers to understand that the problem with
spam is more serious today than it was when spam volumes were higher. It also offers a brief
overview on the sponsor of this white paper, Abaca, and its anti-spam capabilities.

©2011 Osterman Research, Inc. 1


Some Background on Spam
THE PROBLEM OF MALICIOUS EMAIL
Spam is a problem – it wastes bandwidth, storage, and employee time, not to mention the cost
of deploying systems to deal with processing and deleting spam from corporate networks.
However, the dramatically more sinister side of the spam problem is malicious email –
messages that are sent with the specific intent of stealing content like banking credentials,
usernames and passwords for corporate applications, Social Security numbers, credit card
numbers and other sensitive information. The goal of those who send malicious email is
simple: a) steal money, b) steal data or c) cause serious disruption to networks or critical
systems.

MALICIOUS EMAIL IS DANGEROUS AND EXPENSIVE
The security risks from spam are quite real and they are no longer just a nuisance as in years
past. The growing variety of keystroke loggers, password-stealing Trojans and other threats
means that corporate data is increasingly at risk. Data theft can include sensitive content like
usernames and passwords, but also financial data, customer data, trade secrets and other types
of confidential information. The increasing end goals of stealing information (personal and
corporate), hijacking systems for a wide range of purposes and launching additional malicious
attacks all have serious business implications, in addition to the more traditional impacts to
bandwidth, infrastructure and other costs. For example, there have been a number of serious
spam-based incursions during the past year:

• In September 2011, Mitsubishi Heavy Industries was the victim of a spearphishing attack
that ended up compromising 83 different systems in 10 locations across the companyi.

• In June 2011, the International Monetary Fund (IMF) was the victim of a spearphishing
attack that may have been perpetrated by a rogue state. Although employees were warned
not to open attachments they were not expecting, open email from unknown senders or
click on video links, malware in an email successfully penetrated IMF defenses and
information was stolen from compromised computersii.

• In April 2011, hackers sent phishing emails to a number of lower level employees at RSA.
These emails contained the subject line “2011 Recruitment Plan” and included an Excel
spreadsheet as an attachment that contained a zero-day flaw in Adobe Flash. Although the
emails were successfully diverted to these users’ spam quarantines, the emails were opened
and a Trojan was installed that successfully harvested credentials from a large number of
employee accounts, compromising RSA’s SecurID tagsiii. As of late 2011, 760 organizations
have been attacked using the same command and control, including IBM, Google, Microsoft
and about one-fifth of the Fortune 500iv.

• On April 7, 2011, a spearphishing attack directed at the Oak Ridge National Laboratory was
able to steal a few megabytes of data before IT administrators cut off Internet access. The
email sent to employees was purportedly from the lab’s HR department and was received by
530 employees, 57 of whom clicked on a malicious link contained in the emailv.

• In November 2010, a 26-year-old Hungarian citizen, in a bizarre attempt to be hired by
Marriott International, sent an infected email attachment to various Marriott employees that



allowed him to steal sensitive information from the company. Marriott estimates that the
cost of analyzing the extent of the compromise of its network cost it between $400,000 and
$1 millionvi.

• In November 2010, employees at France’s Ministry of Economics, Finances, and Industry
received spearphishing emails that contained a Trojan. A minimum of 150 computers were
compromised and sensitive documents related to the G-20 were stolenvii.

It is also important to note that information stolen as a result of phishing attacks can be used to
generate new phishing attacks, exacerbating the problem. For example, data hijacked in the
Epsilon breach earlier in 2011 is now being used to target customers of Chase Bank.

SPAMMER TECHNIQUES
Spammers use a variety of techniques to deliver their content:

• Botnets
Spammers use botnets that consist of millions of ‘zombie’ computers – computers in homes
and the workplace that are infected with a virus, worm or Trojan that permits them to be
controlled by a remote entity. Spammers can rent botnets for content-distribution
campaigns. Using botnets, a small number of messages can be sent from each of
thousands of computers, effectively hiding each zombie from detection by ISPs or network
administrators using conventional tools. Botnets are a critical problem not only because
they are responsible for the vast majority of spam sent across the Internet today, but also
because they are used for a wide range of purposes beyond just spam delivery. These
include hosting malware sites, perpetrating distributed denial-of-service attacks, click fraud
and credit card fraud. Botnets can be hard to detect and hard to remove.

• Spam filter-avoidance techniques
The simpler of these techniques involves text obfuscation, such as misspelling keywords;
Bayesian poisoning (the process of including specific keywords into spam messages in an
attempt to trick Bayesian filters into thinking a message is legitimate); introducing valid text
into spam messages; using various HTML techniques to fool filters into not recognizing
offensive content; and other techniques. These techniques typically can bypass many
traditional content-filters, and those using a Bayesian approach.

• Spam with attachments
Similar to image spam, but using PDF files, spreadsheets or ZIP files as payloads to carry
the spam content, often malware. One technique is to send calendar invitations as
malicious email attachments.

• Image-based spam
Image-based spam is represented as one or more images that typically use non-standard
fonts, background ‘snow’, randomized backgrounds, slanted lines of text, blurriness and
other distortions to defeat more conventional spam-filtering technologies, as shown in the
example at right. Image spam is a particularly serious problem for mail servers and
recipients, since each message is typically much larger than a conventional, text-based
spam message. Image spam, while still used by spammers, is less of a problem today than
it was in 2007.



• Alternative spam languages
Spammers will often target their content to users who speak specific languages. There is a
growing trend for more localized distribution with diversified languages. For example, in
early 2010 96% of spam was in English – as of early 2011 it was 90%viii.

“DECENT” SPAM CAPTURE RATES ARE NOT ENOUGH
A spam filtering solution that catches the “vast majority” of spam simply isn’t acceptable in an
era of spamming that is specifically targeted to employees using social engineering and other
techniques. For example, a 98% capture rate – while seemingly acceptable – will increase the
chance of infection by 200 times compared to a solution that captures 99.99% of spam.

Spams Received Daily per 1,000 Employees
Assuming 100 Emails Received per Employee per Day

Likelihood of
Potentially Infection
Malicious Spam Compared to
Capture Rate Emails Received 99.99%
95.0% 5,000 500x
98.0% 2,000 200x
99.0% 1,000 100x
99.5% 500 50x
99.9% 100 10x
99.99% 10 -

Spam Isn’t an Issue Anymore…Right?
A BIT OF GOOD NEWS: SPAM VOLUMES ARE DECLINING
Spam volumes dropped significantly in late 2010, followed by a rapid increase in the volume of
spam partway through March 2011. However, since the seemingly permanent takedown of the
Rustock botnet in March 2011, spam volumes are now at significantly lower average levels than
they have been for many years. The elimination of the Rustock botnet was significant, since it
was the largest of the many botnets in operation with anywhere from 1.1 million to 1.7 million
compromised computers in operationix. As evidence of the decreasing proportion of spam
traversing the Internet relative to valid email are Symantec.cloud statistics that show spam
decreasing from 92% in August 2010 to 79% in January 2011 to 74% in October 2011x.

LOTS OF BAD NEWS: SPAM IS MORE SERIOUS THAN EVER
In a recent Osterman Research surveyxi of mid-sized and large organizations in North America,
three out of four respondents have experienced some form of security compromise during the
past 12 months, with malware ingress through email a predominant avenue for these
incursions. Moreover, 34% of the IT decision makers surveyed are concerned or seriously
concerned about the amount of spam their organization receives, while 26% are this concerned
about the number of false positives they get in their current anti-spam filtering systems.



Security Incidents That Have Occurred During the Previous 12 Months

NETWORKS ARE ALREADY COMPROMISED
In an Osterman Research survey conducted during January 2011, decision makers and
influencers demonstrated that they were relatively pessimistic about the future of spam and
malware problems as they entered 2011, as shown in the following figure.



Predictions About Global Spam and Malware Problems in 2011

Decision makers were right to be pessimistic. Despite the decreases in spam volumes, there
has been relatively little good news in the context of threats directed against messaging and
Web users. Further, while many decision makers are taking messaging and Web security
threats quite seriously, a soft economy coupled with threats that are rapidly increasing in
sophistication and severity, means that many organizations are not keeping pace with the
threats they face.

A Zero Tolerance Approach to Malicious Mail
SPAM VOLUMES ARE NOT THE FUNDAMENTAL ISSUE
Somewhat predictably, many members of the press, analyst and IT community have assumed
that the significant decrease in the amount of spam over the past several months indicates that
the spam problem is much less serious than it was when volumes were much higher. However,
because the decrease in spam volumes has been accompanied by more serious threats
delivered through spam, the spam problem is actually more critical now that volumes are lower.

YOU ARE A TARGET FOR THE BAD GUYS
Moreover, there are a variety of less catastrophic problems caused by spam, but these issues
are serious nonetheless:



• Data breaches
A breach of customer or consumer data caused by a successful phishing attempt can lead to
a number of serious consequences. Because there are data breach notification laws in 46 of
the 50 US states, one Canadian province, and in many nations around the world,
organizations that lose this data are liable not only for the direct costs of notifying victims,
but they may also be liable in legal actions, they may have to pay for credit reporting
services, and they will almost certainly suffer a loss of reputation and brand damage.

• Advanced persistent threats
An advanced persistent threat (APT) is serious in that it represents a protracted attack
against a company, government or some other entity by one or more hackers. The
seriousness of APTs is underscored by the fact that these threats are generally directed by
humans that are intent on penetrating corporate or other defenses, not simply automated
threats that are looking for targets of opportunity. Consequently, those directing APTs will
change tactics as they encounter resistance to attacks among their targets, such as the
deployment of new defense mechanisms.

One example of an APT is a distributed denial-of-service (DDoS) attack aimed at mining
interests in China, the United States, Singapore and Hong Kongxii. This attack, which began
in September 2009, uses a specialized piece of malware identified as JKDDOSxiii for which
more than 50 variants have been identified. This malware can be distributed in a variety of
ways and, with sizes as small as 17Kb, can easily be distributed via email.

• Increased storage requirements
As more malicious content comes into a network, more of this content must be stored for
review in quarantines and archives. Given that this content is normally preserved for at
least 30 days in order to give employees time to review it for false positives, increases in
malicious content entering a network inevitably lead to increased storage requirements.
Further, storage spikes add significant volatility to storage needs, making it difficult to plan
storage capacity accurately.

What Should You Do Next?
Osterman Research recommends that organizations of any size undertake a four-step program
to address their issues with spam:

1. First and foremost, understand that you still have a spam problem
Even though absolute spam volumes are decreasing, the threats from spam entering your
network are becoming more severe and stealthier over time. One way to think about this is
from the perspective of physical security: if you formerly had 100 people using brute force
in an attempt to break into your home and today you have only 50 people doing so, but
with more sophisticated tools, your problem is actually getting worse, not better.

2. Understand the nature of the threats
While spam used to be a nuisance – albeit an expensive one – today it is a major threat
vector that can result in the loss of hundreds of thousands or millions of dollars in funds.
The problem is becoming more serious not only because of the consequences of a



successful incursion into your network, but because there are more endpoints through
which criminals can gain access to your data, funds and intellectual property.

3. Train your users, but protect them from themselves
Users are clearly the first line of defense in any security scheme. They must be trained
about the appropriate way to handle emails from unknown sources, why they should not
click on links contained in email, what to do with attachments in email, and so forth.
Training programs should be thorough and updated with sufficient frequency to address
new threats as they arise.

It is important to note that while users are a useful step in preventing the infiltration of
malicious content by carefully evaluating the content they receive, even the most careful
and experienced user can still be fooled by social engineering and other spammer
techniques.

4. Finally, deploy very robust anti-spam technology
No amount of training or user awareness will protect an organization from the onslaught of
threats they face from spam. As a result, every organization should deploy capabilities that
will capture the highest possible proportion of spam entering their network with as low a
false positive ratio as possible. For example, as shown in the previous table, increasing the
spam capture rate from 95% to 99% will reduce the potential for malicious email infiltration
by 80%. It is important to evaluate spam-filtering vendors based on their ability to capture
very high rates of malicious content.

However, it is also important to focus on high-performance spam filtering capabilities that
will enable the processing of large amounts of spam, such as during spikes in spam activity,
as well as energy efficiency to minimize power requirements for the overall security
infrastructure. Moreover, consider layered email filtering using a combination of cloud-
based and on-premise solutions that will make deployment easier and minimize the risks
from malicious email.

Summary
Somewhat ironically, spam volumes are decreasing while the threat from spam is increasing.
Where spam used to be a nuisance, today it represents an enormous threat vector because it
carries malware and links to malware-laden sites. Just one user clicking on one link in one
spam message can set in motion a massive data breach, the loss of funds or the loss of
intellectual property. Consequently, organizations should pursue best practices with regard to
training users about how to manage email, but they should also deploy highly effective anti-
spam technologies that will block as much spam as possible from reaching end users.



About Abaca
Abaca, founded in 2005 by Steve Kirsch, a respected Silicon Valley entrepreneur and
philanthropist, is a privately held company headquartered in San Jose, California.

Abaca is an innovator in email protection and messaging security. The company’s next
generation technology, ReceiverNet®, offers a revolutionary approach in the fight against spam
– providing an unprecedented level of performance and guaranteeing a minimum of 99%
accuracy. Abaca has created a portfolio of advanced products and services based upon this
core technology, thereby assuring users unparalleled messaging protection from spam, virus
and phishing attacks.

HOW IT WORKS
Unlike conventional email filters that narrowly focus on detecting spam-like content or known
senders of spam, Abaca takes a multi-dimensional approach. It works in real-time to analyze a
number of factors to create an extremely accurate probability model of whether or not a
message is spam. Because it does not rely on content inspection, the Abaca solution is
completely language independent and immune to many of the most sophisticated tricks that
spammers use to mask commercial or malicious content.

Key to the revolutionary Abaca Solution is a multi-layered approach that combines several
techniques to deliver unparalleled effectiveness:

• Deep Envelope Inspection
There is more to an email header than meets the eye. A deep analysis of the header reveals
critical information such as how it got to the receiver—e.g., did it come directly from your
bank or was it in the hands of someone bad in the middle. Experience gained from
processing billions of messages a month has enabled Abaca to develop automated forensics
that look for telltale signs of forged headers and obfuscated sender addresses—all in real
time. This automated intelligence validates the envelope and detects who sent it and who
handled it in between.

• Receiver Reputation
Although the ingenuity of spammers is unlimited, Abaca has developed a revolutionary
technology that relies on the fact that they will always need someone to receive their mail.
The patented Abaca ReceiverNet™ Protection Network rates individual receivers based on a
number of factors, including how much spam they attract. By applying this reputation rating
to approximately 50 other variables—including information gleaned from deep envelop
inspection—Abaca achieves a 99.997 percent catch rate as verified in independent tests.

• Instant Intelligence
Because the ReceiverNet network is based in the cloud, information on a large number of
receivers can be leveraged to more accurately establish the reputation of the individual
receivers. It all works automatically without the need for administrators to manually update
lists of bad senders, the latest malware, or other email-borne threats. The cloud-based
system also uses this large pool of data to learn, so that unlike conventional solutions that
degrade over time, it becomes more accurate with each email. It also remembers feedback
from individual users to learn what email they want to receive.



• Deterministic Algorithm
When an email arrives at the Abaca filter—whether in the cloud, a private cloud, or installed
in front of a corporate email server or at an ISP—a small portion of the critical header
message is stripped and sent to the ReceiverNet network. The advanced ReceiverNet
algorithm instantly computes the odds that the message is spam by a using mathematical
analysis that combines receiver reputation with other variables. Depending on whether the
customer has deployed Abaca Cloud as a filter or prefilter, the message is then either
blocked or marked as probably spam for the local filter to make a determination.

ABACA’S CUSTOMERS
Abaca’s customer base represents leading businesses and Abaca’s
organizations from all industries, including: banking/finance, technology is
education, energy, healthcare / pharmaceuticals,
manufacturing, technology, and telecommunications. Abaca’s used to protect
customer base also includes a growing list of regional and Yahoo! custom-
international Internet service providers. ers’ 250 million
mailboxes and
Abaca’s technology is used to protect Yahoo! customers’ 250
million mailboxes and blocks more than 80,000 emails per blocks more than
second. 80,000 emails per
second.
Abaca is 100% focused on customer success with customer
success the cornerstone of the business. The company
assesses its own corporate success by that of its customers. For more information on Abaca
customers, read the company’s customer testimonials and selected success stories at
www.abaca.com.



© 2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of
Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior
written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document
or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws
(including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws
referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the
information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS,
CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

i
http://www.eweek.com/c/a/Security/Mitsubishi-Heavy-Network-Most-Likey-Compromised-by-SpearPhishing-Attack-335314/
ii
http://www.eweek.com/c/a/Security/IMF-Breach-May-Be-StateSponsored-Spear-Phishing-Attack-526401/
iii
http://www.pcmag.com/article2/0,2817,2382970,00.asp#fbid=uW9bd7GksLR
iv
http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/index.htm
v
http://www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/
vi
http://www.courthousenews.com/2011/11/29/41751.htm
vii
http://arstechnica.com/security/news/2011/03/hackers-spear-phish-infiltrate-french-ministry-of-finances.ars
viii
http://royal.pingdom.com/2011/01/19/email-spam-statistics/
ix
Ibid
x
http://www.symanteccloud.com/globalthreats/charts/spam_monthly
xi
Messaging and Web Security Market Trends, 2011-2014, Osterman Research, Inc.
xii
http://news.hostexploit.com/cyber-security-news/4827-understanding-advanced-persistent-threats.html
xiii
http://ddos.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/


Spam Morphs from a Nuisance to a Threat

More Related Content

What's hot

Similar to Spam Morphs from a Nuisance to a Threat

More from Osterman Research, Inc.

Recently uploaded

Spam Morphs from a Nuisance to a Threat