They were the scourge of the Internet during the Holiday Season, but security experts say image-based spam messages are quickly becoming as unfashionable as last year’s Mukluk boots.
Spam messages that embed text in graphical images to mask themselves from e-mail filters might have a successor in the form of URL (uniform resource locator)-based spam, according to Symantec Corp.
The Cupertino, Calif.-based security software firm said graphical spam peaked in January, when it accounted for nearly 52 per cent of worldwide spam.
That figure plunged to 16 per cent in May, according to Symantec’s latest The State of Spam monthly report, released this week.
The company regularly tracks spam trends using customer feedback and the Symantec Probe Network, two million dummy e-mail accounts that collect spam samples from around the world.
Without listing specific numbers, the report said Symantec “has observed an increase in spam that uses links and embedded URLs to reference images” contained in the message.
“Spammers, it seems, have found a new way to get their messages out,” said Doug Bowers, senior director, anti-abuse engineering, Symantec.
He said the method involves sending potential victims an enticing e-mail message containing a hyperlink which “references” an image of the advertisement the spammer is spreading.
The image, which pops up on the computer screen when the link is clicked, is not contained in the message itself but hosted on a separate site.
The preponderance of image-based spam led companies to deploy filters that target this type of unwanted e-mail, the Symantec security expert said.
However, filters set to sift out messages with attached or embedded images are likely to let URL-based spam through “because to the filter the spam is an HTML message that appears to be legitimate.”
While Symantec has noted an increase in the use of embedded URLs only in spam ads, Bowers said, it is possible cybercrooks will use the method for Web-based crime such as pump-and-dump schemes and phishing attacks.
The Symantec exec said his company has a host of software products that can help users block both image-based and URL-based spam. He said these products are designed to analyze e-mail messages based on three key factors:
• Message structure – The configuration of the message is analyzed to determine if it is legitimate.
• Content search – The body of the message is scanned for suspicious content such as malicious code or suspicious URLs.
• Reputation of sender – The software checks the origin of the message.
The use of reputation technologies to counter e-mail spam and viruses is also being actively touted by other security vendors such as TrendMicro Inc., also based in Cupertino, Calif. “We see reputation services as another way to counter these new types of Web threats,” TrendMicro CEO Eva Chen told IT World Canada in a recent interview.
Chen noted that the nature of Web threats is changing significantly. She said in previous years, once a virus was in a spam message, it functioned independently of the virus writer. “But today hackers use viruses included in spam e-mails as their tools – their agents, to control computer networks.” She said her company’s strategy is not just to remove “agents” detected on a computer, but to trace them back to the bot master, and cut off the IP address controlled by the bot master.
“By doing this, in one shot you also protect hundreds of botted computers out there, which may be being used as vehicles to send out spam.” To this end, Chen said her company offers TrendProtect as a free “Web reputation” service.
“That’s a browser plug-in meant for end users. We’re also about to launch the same services in our corporate desktop product called Office Scan 8.0. And we have the same protection in our Web Gateway product for the enterprise.”
At least one IT industry analyst believes the decrease in image-based spam can be attributed to an attitudinal change of Internet users.
“It (image-based spam) was proven to be simply not effective anymore,” says Darin Stahl, lead analyst for Info-Tech Research Inc. in London, Ont.
Following numerous media reports or after being “adequately annoyed”, users “refused to click on image-based spam,” he said.
It’s still too early to determine if we’ve seen the last of image-based spam or if URL-based spam will supplant it, according to the Info-Tech analyst. “Spammers will use whatever works and brings in the money.”
Deploying anti-spam software to filter out URL-based spam is only effective as long as spammers are not able to create new addresses to launch the messages from, Stahl said. He said organizations can adjust their filters to bar messages with hyperlinks but that could hamper normal operations.
The simplest technique for combating unwanted mail appears to be the hardest to implement, according to Stahl. “All users have to do is to refuse to click on the message.”
“But despite the US$61 billion spend on Internet security in North America last year Bot Nets persist because individual users refuse to be more careful.”
The Symantec report also indicated that overall spam levels remained consistent for the month of May at around 65 per cent. Scam and fraud spam combined rose from nine per cent in March to 13 per cent in May.
Stahl sees a “bright spot” in the report.
He notes that while unwanted e-mail accounts for about 50 per cent of North America’s e-mail traffic, the volume of legitimate mail in the region is 10 per cent higher than spam.