Google: Spammers Rally Back From McColo Shutdown

http://www.eweek.com/c/a/Security/Google-Spammers-Rally-Back-From-McColo-Shutdown-639980/

“Location-based spam is the latest technique being used by ‘bad guys’ to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message,” explained Tal Golan, CTO of e-mail security firm Sendio. “This new methodology is the next salvo in the spam arms race, but is really just an extension of the ‘social engineering’ threat vector that has become so popular and effective in the last three years.”

Location-Based Spam

Location-based spam is the latest technique being used by “bad guys” to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message. This new methodology is the next salvo in the spam arms race, but is really just an extension of the “social engineering” threat vector that has become so popular and effective in the last 3 years.

Here is how this works…

Thanks to IP address-based geolocation (see http://en.wikipedia.org/wiki/Geolocation_software), it is a trivial exercise for a bad guy to determine, with a surprisingly high degree of accuracy, the physical location where a company or organization’s email server is hosted. With this information in hand, the spammer has enough to design a targeted attack.

For example:

Let’s assume you work for Google. Using a simple IP check, the spammer can determine that one of Google’s email servers has the IP address 74.125.67.100. Thanks to IP-based geolocation (http://www.ip2location.com/free.asp), the location of this IP address can easily be determined to be in Mountain View, CA.

Using this data, the spammer will then query the website of a local newspaper, in this case the San Jose Mercury News, and will pick a local “hot topic” headline to be used as the subject for the message.

Finally, the spammer will extract actual content from the news story and insert it into the spam message, together with links that appear to provide the recipient with more information about the topic but actually lead to dangerous, threat-laden web sites. Unfortunately, socially engineered attacks, specifically those using location, are proving to be highly effective at soliciting the all-important “click” from the unsuspecting victim.
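One defensive check this pattern suggests is to look for the mismatch it relies on: a message that quotes a named local newspaper but whose links leave that newspaper’s domain. The script below is an added example, not Sendio’s code or anything from the eWeek article; the PUBLISHERS map and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the mail administrator maintains a map from newspaper names that
# might be quoted in a message body to the domains those papers actually publish on.
PUBLISHERS = {
    "San Jose Mercury News": "mercurynews.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def cited_publishers(body):
    """Publisher domains whose newspaper name appears in the message text."""
    lowered = body.lower()
    return {dom for name, dom in PUBLISHERS.items() if name.lower() in lowered}


def link_hosts(body):
    """Lower-cased hostname of every http(s) URL found in the body."""
    return {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def offsite_news_links(body):
    """Hosts linked from a message that quotes a known publisher but points elsewhere.

    Returns an empty list when no known publisher is cited (nothing to compare
    against) or when every link stays on a cited publisher's own domain.
    """
    cited = cited_publishers(body)
    if not cited:
        return []
    return sorted(h for h in link_hosts(body)
                  if not any(under_domain(h, d) for d in cited))


# Constructed sample messages (not taken from the original post).
SPAM = ("Breaking from the San Jose Mercury News: local headline lifted verbatim. "
        "Read more: http://news-update.example.net/story?id=42")
LEGIT = ("From the San Jose Mercury News: the same headline. "
         "Full story: https://www.mercurynews.com/2009/03/30/story")

if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("legit", LEGIT)):
        print(label, offsite_news_links(body))
```

A non-empty result is a heuristic signal for quarantine or review, not proof of malice; legitimate newsletters also link through tracking domains, so those would need to be added to the allowed set.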

At Sendio we have seen all types of social-engineering-based attacks increasing steadily. While it is difficult to determine exact figures, our best estimates place socially engineered location-based attacks at between 10% and 30% of all unsolicited email.

What effect did the November 2008 “McColo” shutdown have on spam (http://www.securityfocus.com/brief/855)?

The McColo shutdown had a measurable impact, but Sendio’s customers, the vast majority of whom are small, medium and large enterprises, did not see anywhere near as dramatic a change as the major free email providers (Gmail, Yahoo, AOL, MSN, etc.). The levels of spam/UCE have, based on our estimates, moved beyond the level seen immediately prior to the McColo shutdown.

As we have seen over the course of the last 6+ years, the bad guys are extremely well organized, motivated, and appear to be well funded. Unfortunately, thanks to the reactive nature of today’s status-quo spam countermeasures, the arms race continues in favor of the bad guys.

Here comes “Conficker”

I just read the following article…

Computer Virus ‘Time Bomb’ Could Go Off April 1
(http://www.foxnews.com/story/0,2933,510296,00.html)

My thoughts…

The Internet is a dangerous place. It seems highly likely that “Conficker” is going to do something, and it should be of great concern to everyone, but particularly IT people, that we know about this worm, but still have no idea what it is designed to do. Talk about a weakness of the “filtering” mentality. Don’t forget… It is nearly impossible to filter for something that is not yet known.

With history as our guide, it is highly likely this worm will include an e-mail based component. The bad news for people who are protected by current anti-spam filtering technologies is that they will be left virtually naked until the worm actually starts working. Only then will the developers of the filters be able to design rule sets to deal with the worm. This is the definition of being reactive. In addition, once the rule sets are defined, they do no good until they are pushed out (deployed).

It would not surprise me if we saw an exponential increase in threat-laden email when this worm comes to life. However, I do not think the people that design these sorts of worms are targeting the email infrastructure. I believe email is used as a virtual “smoke screen” these days. This virtual “smoke screen” is used to mask the real targets of the worm or virus.