Spam Morphs from a Nuisance to a Threat

An Osterman Research White Paper
Published December 2011
Sponsored by Abaca

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected]
www.ostermanresearch.com • twitter.com/mosterman

Executive Summary

Spam volumes are substantially lower today than they were last year: as of late 2011, spam accounts for roughly 75% of the email that traverses the Internet compared to about 90% in 2010. The result is billions fewer spam messages being received by end users every month, leading some to believe that the spam problem is now less serious than it has been for many years.

However, while spam volumes are lower than they have been in many years, the threat that companies face from spam is actually much greater than it was when spam volumes were much higher. This is because a) the primary spam threat is no longer about selling products but stealing information, b) spammers are getting smarter and more effective by improving the ability of their phishing and spearphishing attacks to penetrate corporate security systems, and c) the payloads and links that spam delivers are more damaging. In short, the spam problem can be summarized by the quote in the callout: the problem is not one of the sheer volume of the threats, but of their effectiveness and intent.

KEY TAKEAWAYS

There are four key points made in this white paper:

• During the past 12 months, 37% of mid-sized and large organizations in North America have had malware successfully infiltrate their corporate network through email. Many of these attacks have been quite serious, resulting in the loss of millions of dollars, as well as loss of sensitive financial data and intellectual property.

• The disappearance of the network perimeter that has been enabled by the consumerization of IT has created more endpoints for incursion of spam and malware. This, coupled with increasingly sophisticated and targeted phishing attempts, means that the problem of malicious spam infiltration will become worse.

• As a corollary to the point above, the increasing sophistication of phishers’ targeting of recipients is heralding a new era in these criminals’ ability to focus their attacks, with a corresponding decrease in these individuals’ ability to identify phishing attempts.

• Decision makers should view spam as a very serious threat and not minimize the severity of the threat it poses because spam volumes are decreasing.

ABOUT THIS WHITE PAPER

This white paper is focused on helping decision makers to understand that the problem with spam is more serious today than it was when spam volumes were higher. It also offers a brief overview on the sponsor of this white paper, Abaca, and its anti-spam capabilities.

“I don’t fear the man who wants twenty nuclear weapons, I fear the man who wants one.”

George Clooney, The Peacemaker

Some Background on Spam

THE PROBLEM OF MALICIOUS EMAIL

Spam is a problem – it wastes bandwidth, storage, and employee time, not to mention the cost of deploying systems to deal with processing and deleting spam from corporate networks. However, the dramatically more sinister side of the spam problem is malicious email – messages that are sent with the specific intent of stealing content like banking credentials, usernames and passwords for corporate applications, Social Security numbers, credit card numbers and other sensitive information. The goal of those who send malicious email is simple: a) steal money, b) steal data or c) cause serious disruption to networks or critical systems.

MALICIOUS EMAIL IS DANGEROUS AND EXPENSIVE

The security risks from spam are quite real and they are no longer just a nuisance as in years past. The growing variety of keystroke loggers, password-stealing Trojans and other threats means that corporate data is increasingly at risk. Data theft can include sensitive content like usernames and passwords, but also financial data, customer data, trade secrets and other types of confidential information. The increasing end goals of stealing information (personal and corporate), hijacking systems for a wide range of purposes and launching additional malicious attacks all have serious business implications, in addition to the more traditional impacts to bandwidth, infrastructure and other costs. For example, there have been a number of serious spam-based incursions during the past year:

• In September 2011, Mitsubishi Heavy Industries was the victim of a spearphishing attack that ended up compromising 83 different systems in 10 locations across the company[i].

• In June 2011, the International Monetary Fund (IMF) was the victim of a spearphishing attack that may have been perpetrated by a rogue state. Although employees were warned not to open attachments they were not expecting, open email from unknown senders or click on video links, malware in an email successfully penetrated IMF defenses and information was stolen from compromised computers[ii].

• In April 2011, hackers sent phishing emails to a number of lower level employees at RSA. These emails contained the subject line “2011 Recruitment Plan” and included an Excel spreadsheet as an attachment that contained a zero-day flaw in Adobe Flash. Although the emails were successfully diverted to these users’ spam quarantines, the emails were opened and a Trojan was installed that successfully harvested credentials from a large number of employee accounts, compromising RSA’s SecurID tags[iii]. As of late 2011, 760 organizations have been attacked using the same command and control, including IBM, Google, Microsoft and about one-fifth of the Fortune 500[iv].

• On April 7, 2011, a spearphishing attack directed at the Oak Ridge National Laboratory was able to steal a few megabytes of data before IT administrators cut off Internet access. The email sent to employees was purportedly from the lab’s HR department and was received by 530 employees, 57 of whom clicked on a malicious link contained in the email[v].

• In November 2010, a 26-year-old Hungarian citizen, in a bizarre attempt to be hired by Marriott International, sent an infected email attachment to various Marriott employees that allowed him to steal sensitive information from the company. Marriott estimates that the cost of analyzing the extent of the compromise of its network cost it between $400,000 and $1 million[vi].

• In November 2010, employees at France’s Ministry of Economics, Finances, and Industry received spearphishing emails that contained a Trojan. A minimum of 150 computers were compromised and sensitive documents related to the G-20 were stolen[vii].

It is also important to note that information stolen as a result of phishing attacks can be used to generate new phishing attacks, exacerbating the problem. For example, data hijacked in the Epsilon breach earlier in 2011 is now being used to target customers of Chase Bank.

SPAMMER TECHNIQUES

Spammers use a variety of techniques to deliver their content:

• Botnets

Spammers use botnets that consist of millions of ‘zombie’ computers – computers in homes and the workplace that are infected with a virus, worm or Trojan that permits them to be controlled by a remote entity. Spammers can rent botnets for content-distribution campaigns. Using botnets, a small number of messages can be sent from each of thousands of computers, effectively hiding each zombie from detection by ISPs or network administrators using conventional tools. Botnets are a critical problem not only because they are responsible for the vast majority of spam sent across the Internet today, but also because they are used for a wide range of purposes beyond just spam delivery. These include hosting malware sites, perpetrating distributed denial-of-service attacks, click fraud and credit card fraud. Botnets can be hard to detect and hard to remove.

• Spam filter-avoidance techniques

The simpler of these techniques involves text obfuscation, such as misspelling keywords; Bayesian poisoning (the process of including specific keywords into spam messages in an attempt to trick Bayesian filters into thinking a message is legitimate); introducing valid text into spam messages; using various HTML techniques to fool filters into not recognizing offensive content; and other techniques. These techniques typically can bypass many traditional content filters, including those using a Bayesian approach.

• Spam with attachments

Similar to image spam, but using PDF files, spreadsheets or ZIP files as payloads to carry the spam content, often malware. One technique is to send calendar invitations as malicious email attachments.

• Image-based spam

Image-based spam is represented as one or more images that typically use non-standard fonts, background ‘snow’, randomized backgrounds, slanted lines of text, blurriness and other distortions to defeat more conventional spam-filtering technologies, as shown in the example at right. Image spam is a particularly serious problem for mail servers and recipients, since each message is typically much larger than a conventional, text-based spam message. Image spam, while still used by spammers, is less of a problem today than it was in 2007.

• Alternative spam languages

Spammers will often target their content to users who speak specific languages. There is a growing trend for more localized distribution with diversified languages. For example, in early 2010 96% of spam was in English – as of early 2011 it was 90%[viii].

“DECENT” SPAM CAPTURE RATES ARE NOT ENOUGH

A spam filtering solution that catches the “vast majority” of spam simply isn’t acceptable in an era of spamming that is specifically targeted to employees using social engineering and other techniques. For example, a 98% capture rate – while seemingly acceptable – will increase the chance of infection by 200 times compared to a solution that captures 99.99% of spam.

Spams Received Daily per 1,000 Employees, Assuming 100 Emails Received per Employee per Day

Capture Rate   Potentially Malicious Spam Emails Received   Likelihood of Infection Compared to 99.99%
95.0%          5,000                                        500x
98.0%          2,000                                        200x
99.0%          1,000                                        100x
99.5%          500                                          50x
99.9%          100                                          10x
99.99%         10                                           -
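The arithmetic behind the table above, as an added example that is not part of the original white paper. It takes the table's stated assumptions (1,000 employees, 100 messages per employee per day, all of which the filter is expected to stop) and reproduces both the "received" column, the multiples relative to a 99.99% filter, and the 80% reduction between 95% and 99% that the paper cites in its recommendations. Function and parameter names are this example's own.

```python
# Added example, not part of the Osterman Research paper: the arithmetic
# behind the capture-rate table and the "95% -> 99% cuts infiltration by 80%"
# figure. Function and parameter names are this example's own.

def spam_missed_per_day(capture_rate, employees=1000, spam_per_employee=100):
    """Spam messages that get past the filter in one day.

    Matches the table's assumption: 1,000 employees, 100 messages per
    employee per day, every one of which the filter is expected to stop.
    """
    if not 0.0 <= capture_rate <= 1.0:
        raise ValueError("capture_rate must be a fraction between 0 and 1")
    return employees * spam_per_employee * (1.0 - capture_rate)


def relative_exposure(capture_rate, baseline_rate=0.9999, **volume):
    """How many times more spam reaches users than at the baseline rate."""
    return (spam_missed_per_day(capture_rate, **volume)
            / spam_missed_per_day(baseline_rate, **volume))


def exposure_reduction(old_rate, new_rate, **volume):
    """Fraction by which missed spam falls when moving from old_rate to new_rate."""
    before = spam_missed_per_day(old_rate, **volume)
    after = spam_missed_per_day(new_rate, **volume)
    return (before - after) / before


def capture_rate_table(rates=(0.95, 0.98, 0.99, 0.995, 0.999, 0.9999)):
    """Rows of (capture rate, spam received per day, multiple of the 99.99% baseline)."""
    return [(rate, round(spam_missed_per_day(rate)), round(relative_exposure(rate)))
            for rate in rates]


if __name__ == "__main__":
    print(f"{'Capture':>8} {'Received':>9} {'vs 99.99%':>10}")
    for rate, received, multiple in capture_rate_table():
        print(f"{rate:>8.2%} {received:>9,} {multiple:>9}x")
    print(f"95% -> 99% reduces missed spam by {exposure_reduction(0.95, 0.99):.0%}")
```

The point the table makes is that capture rate is a poor intuition pump because the quantity that matters is the miss rate, 1 minus the capture rate: going from 99% to 99.99% looks like a one-point improvement but cuts what reaches users by a factor of 100.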

Spam Isn’t an Issue Anymore…Right?

A BIT OF GOOD NEWS: SPAM VOLUMES ARE DECLINING

Spam volumes dropped significantly in late 2010, followed by a rapid increase in the volume of spam partway through March 2011. However, since the seemingly permanent takedown of the Rustock botnet in March 2011, spam volumes are now at significantly lower average levels than they have been for many years. The elimination of the Rustock botnet was significant, since it was the largest of the many botnets in operation with anywhere from 1.1 million to 1.7 million compromised computers in operation[ix]. As evidence of the decreasing proportion of spam traversing the Internet relative to valid email are Symantec.cloud statistics that show spam decreasing from 92% in August 2010 to 79% in January 2011 to 74% in October 2011[x].

LOTS OF BAD NEWS: SPAM IS MORE SERIOUS THAN EVER

In a recent Osterman Research survey[xi] of mid-sized and large organizations in North America, three out of four respondents have experienced some form of security compromise during the past 12 months, with malware ingress through email a predominant avenue for these incursions. Moreover, 34% of the IT decision makers surveyed are concerned or seriously concerned about the amount of spam their organization receives, while 26% are this concerned about the number of false positives they get in their current anti-spam filtering systems.

[Figure: Security Incidents That Have Occurred During the Previous 12 Months]

NETWORKS ARE ALREADY COMPROMISED

In an Osterman Research survey conducted during January 2011, decision makers and influencers demonstrated that they were relatively pessimistic about the future of spam and malware problems as they entered 2011, as shown in the following figure.

[Figure: Predictions About Global Spam and Malware Problems in 2011]

Decision makers were right to be pessimistic. Despite the decreases in spam volumes, there has been relatively little good news in the context of threats directed against messaging and Web users. Further, while many decision makers are taking messaging and Web security threats quite seriously, a soft economy coupled with threats that are rapidly increasing in sophistication and severity, means that many organizations are not keeping pace with the threats they face.

A Zero Tolerance Approach to Malicious Mail

SPAM VOLUMES ARE NOT THE FUNDAMENTAL ISSUE

Somewhat predictably, many members of the press, analyst and IT community have assumed that the significant decrease in the amount of spam over the past several months indicates that the spam problem is much less serious than it was when volumes were much higher. However, because the decrease in spam volumes has been accompanied by more serious threats delivered through spam, the spam problem is actually more critical now that volumes are lower.

YOU ARE A TARGET FOR THE BAD GUYS

Moreover, there are a variety of less catastrophic problems caused by spam, but these issues are serious nonetheless:

• Data breaches

A breach of customer or consumer data caused by a successful phishing attempt can lead to a number of serious consequences. Because there are data breach notification laws in 46 of the 50 US states, one Canadian province, and in many nations around the world, organizations that lose this data are liable not only for the direct costs of notifying victims, but they may also be liable in legal actions, they may have to pay for credit reporting services, and they will almost certainly suffer a loss of reputation and brand damage.

• Advanced persistent threats

An advanced persistent threat (APT) is serious in that it represents a protracted attack against a company, government or some other entity by one or more hackers. The seriousness of APTs is underscored by the fact that these threats are generally directed by humans that are intent on penetrating corporate or other defenses, not simply automated threats that are looking for targets of opportunity. Consequently, those directing APTs will change tactics as they encounter resistance to attacks among their targets, such as the deployment of new defense mechanisms. One example of an APT is a distributed denial-of-service (DDoS) attack aimed at mining interests in China, the United States, Singapore and Hong Kong[xii]. This attack, which began in September 2009, uses a specialized piece of malware identified as JKDDOS[xiii] for which more than 50 variants have been identified. This malware can be distributed in a variety of ways and, with sizes as small as 17Kb, can easily be distributed via email.

• Increased storage requirements

As more malicious content comes into a network, more of this content must be stored for review in quarantines and archives. Given that this content is normally preserved for at least 30 days in order to give employees time to review it for false positives, increases in malicious content entering a network inevitably lead to increased storage requirements. Further, storage spikes add significant volatility to storage needs, making it difficult to plan storage capacity accurately.

What Should You Do Next?

Osterman Research recommends that organizations of any size undertake a four-step program to address their issues with spam:

1. First and foremost, understand that you still have a spam problem

Even though absolute spam volumes are decreasing, the threats from spam entering your network are becoming more severe and stealthier over time. One way to think about this is from the perspective of physical security: if you formerly had 100 people using brute force in an attempt to break into your home and today you have only 50 people doing so, but with more sophisticated tools, your problem is actually getting worse, not better.

2. Understand the nature of the threats

While spam used to be a nuisance – albeit an expensive one – today it is a major threat vector that can result in the loss of hundreds of thousands or millions of dollars in funds. The problem is becoming more serious not only because of the consequences of a successful incursion into your network, but because there are more endpoints through which criminals can gain access to your data, funds and intellectual property.

3. Train your users, but protect them from themselves

Users are clearly the first line of defense in any security scheme. They must be trained about the appropriate way to handle emails from unknown sources, why they should not click on links contained in email, what to do with attachments in email, and so forth. Training programs should be thorough and updated with sufficient frequency to address new threats as they arise. It is important to note that while users are a useful step in preventing the infiltration of malicious content by carefully evaluating the content they receive, even the most careful and experienced user can still be fooled by social engineering and other spammer techniques.

4. Finally, deploy very robust anti-spam technology

No amount of training or user awareness will protect an organization from the onslaught of threats they face from spam. As a result, every organization should deploy capabilities that will capture the highest possible proportion of spam entering their network with as low a false positive ratio as possible. For example, as shown in the previous table, increasing the spam capture rate from 95% to 99% will reduce the potential for malicious email infiltration by 80%. It is important to evaluate spam-filtering vendors based on their ability to capture very high rates of malicious content. However, it is also important to focus on high-performance spam filtering capabilities that will enable the processing of large amounts of spam, such as during spikes in spam activity, as well as energy efficiency to minimize power requirements for the overall security infrastructure. Moreover, consider layered email filtering using a combination of cloud-based and on-premise solutions that will make deployment easier and minimize the risks from malicious email.

Summary

Somewhat ironically, spam volumes are decreasing while the threat from spam is increasing. Where spam used to be a nuisance, today it represents an enormous threat vector because it carries malware and links to malware-laden sites. Just one user clicking on one link in one spam message can set in motion a massive data breach, the loss of funds or the loss of intellectual property. Consequently, organizations should pursue best practices with regard to training users about how to manage email, but they should also deploy highly effective anti-spam technologies that will block as much spam as possible from reaching end users.

About Abaca

Abaca, founded in 2005 by Steve Kirsch, a respected Silicon Valley entrepreneur and philanthropist, is a privately held company headquartered in San Jose, California. Abaca is an innovator in email protection and messaging security. The company’s next generation technology, ReceiverNet®, offers a revolutionary approach in the fight against spam – providing an unprecedented level of performance and guaranteeing a minimum of 99% accuracy. Abaca has created a portfolio of advanced products and services based upon this core technology, thereby assuring users unparalleled messaging protection from spam, virus and phishing attacks.

HOW IT WORKS

Unlike conventional email filters that narrowly focus on detecting spam-like content or known senders of spam, Abaca takes a multi-dimensional approach. It works in real-time to analyze a number of factors to create an extremely accurate probability model of whether or not a message is spam. Because it does not rely on content inspection, the Abaca solution is completely language independent and immune to many of the most sophisticated tricks that spammers use to mask commercial or malicious content. Key to the revolutionary Abaca Solution is a multi-layered approach that combines several techniques to deliver unparalleled effectiveness:

• Deep Envelope Inspection

There is more to an email header than meets the eye. A deep analysis of the header reveals critical information such as how it got to the receiver—e.g., did it come directly from your bank or was it in the hands of someone bad in the middle. Experience gained from processing billions of messages a month has enabled Abaca to develop automated forensics that look for telltale signs of forged headers and obfuscated sender addresses—all in real time. This automated intelligence validates the envelope and detects who sent it and who handled it in between.

• Receiver Reputation

Although the ingenuity of spammers is unlimited, Abaca has developed a revolutionary technology that relies on the fact that they will always need someone to receive their mail. The patented Abaca ReceiverNet™ Protection Network rates individual receivers based on a number of factors, including how much spam they attract. By applying this reputation rating to approximately 50 other variables—including information gleaned from deep envelope inspection—Abaca achieves a 99.997 percent catch rate as verified in independent tests.

• Instant Intelligence

Because the ReceiverNet network is based in the cloud, information on a large number of receivers can be leveraged to more accurately establish the reputation of the individual receivers. It all works automatically without the need for administrators to manually update lists of bad senders, the latest malware, or other email-borne threats. The cloud-based system also uses this large pool of data to learn, so that unlike conventional solutions that degrade over time, it becomes more accurate with each email. It also remembers feedback from individual users to learn what email they want to receive.

• Deterministic Algorithm

When an email arrives at the Abaca filter—whether in the cloud, a private cloud, or installed in front of a corporate email server or at an ISP—a small portion of the critical message header is stripped and sent to the ReceiverNet network. The advanced ReceiverNet algorithm instantly computes the odds that the message is spam using a mathematical analysis that combines receiver reputation with other variables. Depending on whether the customer has deployed Abaca Cloud as a filter or prefilter, the message is then either blocked or marked as probably spam for the local filter to make a determination.
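As an added illustration of the kind of header analysis described under Deep Envelope Inspection above, the script below walks the Received: chain of a message, reconstructs the delivery path oldest hop first, and flags two basic signs of a forged envelope: the originating host not belonging to the domain claimed in the From: header, and a HELO name that disagrees with the reverse DNS the receiving server recorded. This is example code written for this page, not Abaca's ReceiverNet algorithm or any of its code; every hostname, address and message in it is a constructed sample, and the check is deliberately simple (a legitimate third-party mailer or forwarder would also trip it, so such findings are review signals, not verdicts).

```python
# Added example for this page, not Abaca's code: reconstruct the delivery
# path from Received: headers and flag basic signs of a forged envelope.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From: header claims a bank, but the originating hop
# is a residential ISP host whose HELO name pretends to be the bank's server.
FORGED = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.5])
 by mail.example-corp.test with ESMTP id abc123; Mon, 5 Dec 2011 10:00:00 +0000
Received: from mail.bank.example.test (198-51-100-7.dsl.example-isp.test [198.51.100.7])
 by mx.example-corp.test with SMTP id def456; Mon, 5 Dec 2011 09:59:58 +0000
From: "Customer Service" <alerts@bank.example.test>
To: employee@example-corp.test
Subject: Account notice

Please review the attached statement.
"""

# Constructed sample of a message whose path is consistent with its sender.
CONSISTENT = """\
Received: from mail.bank.example.test (mail.bank.example.test [192.0.2.10])
 by mx.example-corp.test with ESMTP id ghi789; Mon, 5 Dec 2011 11:00:00 +0000
From: "Customer Service" <alerts@bank.example.test>
To: employee@example-corp.test
Subject: Account notice

Your statement is ready.
"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving host>"; the
# parenthesised part is optional because not every MTA records it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw):
    """Parse every Received: header and return the hops oldest-first.

    Each MTA prepends its own Received: header, so the header that appears
    last in the message is the one closest to the sender.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if match:
            hops.append(match.groupdict())
    return list(reversed(hops))


def _under_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def header_findings(raw):
    """Return human-readable findings about the originating hop, or [] if clean."""
    hops = received_hops(raw)
    if not hops:
        return ["no parseable Received: headers"]
    origin = hops[0]
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    origin_host = origin["rdns"] or origin["helo"]  # prefer the MTA-observed name
    findings = []
    if sender_domain and not _under_domain(origin_host, sender_domain):
        findings.append(
            f"originating host {origin_host} [{origin['ip']}] is not under "
            f"sender domain {sender_domain}"
        )
    if origin["rdns"] and origin["helo"].lower() != origin["rdns"].lower():
        findings.append(
            f"HELO name {origin['helo']} does not match reverse DNS {origin['rdns']}"
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("consistent", CONSISTENT)):
        path = " -> ".join(h["helo"] for h in received_hops(sample))
        print(f"{label} path: {path}")
        print(f"{label} findings: {header_findings(sample) or 'none'}")
```

Only the Received: header written by your own trusted edge server can be relied on; anything below it in the chain was supplied by the sender and can itself be fabricated, which is why the check above anchors on the reverse DNS and IP recorded by the receiving MTA rather than on the HELO string alone.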

ABACA’S CUSTOMERS

Abaca’s customer base represents leading businesses and organizations from all industries, including: banking/finance, education, energy, healthcare / pharmaceuticals, manufacturing, technology, and telecommunications. Abaca’s customer base also includes a growing list of regional and international Internet service providers. Abaca’s technology is used to protect Yahoo! customers’ 250 million mailboxes and blocks more than 80,000 emails per second. Abaca is 100% focused on customer success, which is the cornerstone of the business. The company assesses its own corporate success by that of its customers. For more information on Abaca customers, read the company’s customer testimonials and selected success stories at www.abaca.com.



© 2011 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.
[i] http://www.eweek.com/c/a/Security/Mitsubishi-Heavy-Network-Most-Likey-Compromised-by-SpearPhishing-Attack-335314/
[ii] http://www.eweek.com/c/a/Security/IMF-Breach-May-Be-StateSponsored-Spear-Phishing-Attack-526401/
[iii] http://www.pcmag.com/article2/0,2817,2382970,00.asp#fbid=uW9bd7GksLR
[iv] http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/index.htm
[v] http://www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/
[vi] http://www.courthousenews.com/2011/11/29/41751.htm
[vii] http://arstechnica.com/security/news/2011/03/hackers-spear-phish-infiltrate-french-ministry-of-finances.ars
[viii] http://royal.pingdom.com/2011/01/19/email-spam-statistics/
[ix] Ibid.
[x] http://www.symanteccloud.com/globalthreats/charts/spam_monthly
[xi] Messaging and Web Security Market Trends, 2011-2014, Osterman Research, Inc.
[xii] http://news.hostexploit.com/cyber-security-news/4827-understanding-advanced-persistent-threats.html
[xiii] http://ddos.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/

