Spam – so what have we learned?

By Greg Day, Security Analyst, McAfee International Ltd

Earlier this year, McAfee asked 50 people from ten countries around the world to spend a whole month living with spam with the aim of understanding what the impact of 30 days of unprotected surfing would be. During this time, the brave participants in the SPAM (Spammed Persistently All Month) Experiment were encouraged to break all the rules they had come to abide by in order to protect themselves from the deluge of junk mail that invades so many inboxes today – entering their email addressed on web forms, not ticking boxes to say that their email address can be shared with “select” partners, and generally taking the risks that we have come to learn to avoid. Each participant was invited to blog about their experiences to really show the impact spam has on individuals and how it influences the way they use the Internet. These blogs can be read online at: http://www.mcafeespamexperiment.com/.

Spam has been around for 30 years now and we’ve grown use to the irritating messages that can at times outnumber the valid ones in our inboxes. Whether they’re offering incredible deals on credit cards, telling us we can earn big money just by giving our bank account details or promising to cure just about any medical ailment with a range of magical pills and potions, spam messages hit pretty much all of us at one time or another and although spam filtering technologies have come a long way, so too have spamming techniques so this remains one of those subjects guaranteed to get anyone hot under the collar from time to time. However, part of the problem with spam is that we see it as annoyance but don’t really have a view of the impact beyond its ability to irritate and outside of security labs, it’s rare that anyone lets it run wild in order to understand the consequences. However, spam is known to be more than just a pest - as well as its less alarming ability to annoy, spam doesn’t always come from the person you think is sending it, will do all it can to can to evade detection and can carry malware.

There is some debate over who sent the first spam message, but it is thought by many to an email from a member of the DEC marketing team, sent in 1978. Since then, things have changed considerably. Exploding use of email created a very clear channel for messages to be communicated and gave rise to the use of email as a marketing tool – and a very cost efficient one. While many large organisations have very clear policies regarding the distribution of marketing emails, there are many spammers – far from legitimate – who know that if they send an email out to thousands of people then one or two may well take the bait and earn them some money, and with email being so cheap there is a clear route to a strong return on investment. However, not everyone sending out spam messages has something valid to sell. Spam has proved a valuable tool for cybercriminals who can use social engineering techniques to trick unsuspecting recipients into parting with their hard-earned money, whether that’s just through a scam or by offering goods that don’t exist. A good example of this type of spam is the well-known “419 scam” or “Nigerian scam” which tries to present a business opportunity in order to convince recipients that they will receive a significant sum of money, often millions of dollars, if they pay a smaller amount up front. The stories from these tricksters are usually told with the aim of generating sympathy and enough guilt to fool people into helping them, and one SPAM Experiment participant who received a real deluge of such mails commented that they couldn’t believe how low some people will go in order to deceive. Unsurprisingly, there is no business opportunity and rather than ending up considerably richer, the “up-front investment” is never seen again. This darker side of spam is the one that now poses the greatest concern, as we’re no longer just looking at something that can be the cause of short-term irritation but at a phenomenon that can result in financial loss and fraud.

So it’s clear that spam has evolved considerably since that first message in 1978 but has our perception of it evolved at the same pace? For many people, spam is a mere irritation – like its physical predecessor junk mail, that piled up on our door mats whenever we were away for more than a few days. However, spam mails are now being sent out fully loaded, with more malicious intentions than just telling as many people as possible about something in the hope that a few of them will take the bait. The participants in McAfee’s SPAM Experiment certainly found that there was more to spam than meets the eye: once they got up and running, spam started to flow into the participants’ inboxes pretty quickly, showing how even just a few careless mistakes online can have a considerable impact. The volume of messages they received – 104,832 messages in total during the course of the experiment – made spam step beyond the boundaries of annoying as it became stifling for some participants, with an average of 70 messages per person each day.

The experiment demonstrated some interesting variations as we look at spam across the globe: the US participants in McAfee’s experiment received more spam than their counterparts elsewhere, topping the global spam league in which Brazil was second, followed by Italy, Mexico and the UK, while Germany received less spam than any other country taking part in the study. Perhaps the most alarming discovery was how spam has become far more than just a cause of irritation, with two of the people taking part in the study receiving malware. This demonstrates how spam has evolved as a tool, having started out as a marketing tool which was generally perceived to be the cause of considerable annoyance, but has become a weapon deployed by cybercriminals in order to make money and exploit unsuspecting victims. In both cases, the participants received emails containing files and had they tried to open the attachments, their PCs would have been added to a botnet and then used to spam out viruses, making these innocent people not only spammers but also distributors of malware. This really highlights how behaving carelessly with your email address can result not only in a deluge of spam in your inbox but also in potential malware infections.

As well as highlighting the risk of becoming infected with malware, the SPAM Experiment demonstrated that phishing continues to create challenges for email users. The percentage of phishing emails varied significantly from country to country, with 22% of messages received by participants in Italy being identified as spam, compared to 18% in the US, 9% in Australia, 8% in the UK, 7% in the Netherlands, 3% in France and 1% in Germany. In recent years, phishing has grown to present a real threat to Internet users, whose personal bank account details are the valuable treasure that the phishers are trying to get their hands on. Phishing emails emulate legitimate communications from banks, so it can be easy to be fooled, although people are now becoming more aware of this risk. Many Internet users have now grown to understand that banks will not ask for information in this way, so they should treat any such requests with a considerable degree of suspicion.

The SPAM Experiment generated some interesting comments from the participants that really explain the impact that 30 days of non-stop spam had on them and on their computers. Many of those taking part noted the way that their system had slowed down during the course of the study. The potential for spam to progress from a mild irritation to a major annoyance and then into the domain of the damaging was highlighted by Australian participant Sue, who commented “I didn’t realise how easy it was to contract a virus and how dangerous some of these sites are! I think my computer may have been damaged by the spam, as it keeps warning about fatal errors!” Spam certainly took it’s toll and at the end of the month, UK participant Simon concluded, “everyone here in Spamville wants to burst in to song to celebrate the end of this project”.

So it’s clear that spam is not something that’s going to go away – 30 years on from that initial email, electronic messages are still being used to try to raise awareness and sell – often to an incredible number of people and with great frequency – and because of the broad coverage it provides, it is increasingly being used to trick and defraud people. Certainly, the SPAM Experiment made it very clear that spam has gone from being an annoyance to being something altogether darker and which must be acknowledged in the same way as other threats faced by those using the Internet, rather than seen simply as something innocuous yet inconvenient. Having conducted an experiment inspired by Morgan Spurlock’s “Super Spam Me”, one thing is clear – just as living on a diet of burgers and fries can have a real impact on your health, 30 days of spam won’t do you much good either, with all manner of undesirable elements hidden in messages and waiting to attack you and your system.

McAfee International Ltd is exhibiting at Infosecurity Europe 2009, Europe’s number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

Source: InfosecurityPR
<>