Spam in the Neighborhood

http://securitywatch.eweek.com/spam/spam_in_the_neighborhood.html

“Among others, experts at messaging security vendor Sendio have called out the recent trend toward local spam campaigns. In a recent research summary, the company’s CTO, Tal Golan, highlighted the use of methods including the spoofing of local news events, and regional news portal domains, to convince people to click on the (frequently malware-infected) URLs that spammers are trying to pawn off on them.”

Google: Spammers Rally Back From McColo Shutdown

http://www.eweek.com/c/a/Security/Google-Spammers-Rally-Back-From-McColo-Shutdown-639980/

“Location-based spam is the latest technique being used by ‘bad guys’ to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message,” explained Tal Golan, CTO of e-mail security firm Sendio. “This new methodology is the next salvo in the spam arms race, but is really just an extension of the ‘social engineering’ threat vector that has become so popular and effective in the last three years.”

Location-Based Spam

Location-based spam is the latest technique being used by “bad guys” to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message. This new methodology is the next salvo in the spam arms race, but is really just an extension of the “social engineering” threat vector that has become so popular and effective in the last 3 years.

Here is how this works…

Thanks to IP-address-based geolocation (see http://en.wikipedia.org/wiki/Geolocation_software), it is a trivial exercise for a bad guy to determine, with a surprisingly high degree of accuracy, the physical location where a company or organization’s email server is hosted. With this information in hand, the spammer has what is needed to design a targeted attack.

For example:

Let’s assume you work for Google. Using a simple IP check, the spammer can determine that one of Google’s email servers has the IP address 74.125.67.100. Thanks to IP-based geolocation (http://www.ip2location.com/free.asp), the location of this IP address can easily be determined to be Mountain View, CA.

Using this data, the spammer will then query the website of a local newspaper, in this case the San Jose Mercury News, and will pick a local “hot topic” headline to be used as the subject for the message.

Finally, the spammer will extract actual content from the news story, insert it into the spam message, and include links that appear to provide the recipient with more information about the topic but actually lead to dangerous, threat-laden web sites. Unfortunately, socially engineered attacks, specifically those using location, are proving to be highly effective at soliciting the all-important “click” from the unsuspecting victim.
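As an added, defender-side example (not Sendio’s code or anything from the original summary), the heuristic below scores an inbound message on the two signals described above: a subject lifted from a recent local headline, and a “more information” link whose visible text names a news portal while its href points to a different host. The headline list, the sample message and the host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered(host):
    # Crude registrable-domain approximation (last two labels); enough to
    # tell a named news portal apart from a bare IP or an unrelated host.
    return ".".join(host.lower().split(".")[-2:])

def spoofed_links(html):
    """Anchors whose visible text names a host but whose href resolves to a
    different registered domain. Plain-text anchors ('Read more') make no
    claim about their destination and are not flagged."""
    p = _AnchorCollector()
    p.feed(html)
    hits = []
    for href, text in p.anchors:
        m = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text, re.I)
        if m and _registered(m.group(1)) != _registered(urlparse(href).hostname or ""):
            hits.append((text, href))
    return hits

def headline_match(subject, local_headlines):
    """True if the subject reproduces a recent headline from the recipient's
    region, ignoring case and whitespace differences."""
    def norm(s):
        return re.sub(r"\s+", " ", s).strip().lower()
    return any(norm(subject) == norm(h) for h in local_headlines)

# Constructed sample (not real mail): a message tailored to a Mountain View
# recipient. Hosts use reserved documentation names and addresses.
LOCAL_HEADLINES = ["Caltrain service disrupted after downtown fire"]
SAMPLE_SUBJECT = "Caltrain Service  Disrupted After Downtown Fire"
SAMPLE_BODY = ('<p>Crews were called to the scene early this morning...</p>'
               '<a href="http://198.51.100.7/news.php">www.local-news.example</a>')
```

A message that trips both checks matches the pattern the summary describes; either signal alone is only a weak indicator and would be weighted accordingly in a real filter.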

At Sendio we have seen all types of social-engineering-based attacks increasing steadily. While it is difficult to determine exact figures, our best estimates place socially engineered location-based attacks at between 10% and 30% of all unsolicited email.

What effect did the November 2008 “McColo” shutdown have on spam (http://www.securityfocus.com/brief/855)?

The McColo shutdown had a measurable impact, but Sendio’s customers, the vast majority of whom are small, medium and large enterprises, did not see anywhere near as dramatic a change as the major free email providers (Gmail, Yahoo, AOL, MSN, etc.). Based on our estimates, spam/UCE levels have since moved beyond the level seen immediately prior to the McColo shutdown.

As we have seen over the course of the last 6+ years, the bad guys are extremely well organized, motivated, and appear to be well funded. Unfortunately, thanks to the reactive nature of today’s spam countermeasures, the arms race continues in favor of the bad guys.