Spam levels dropped last year by nearly a third following the takedown of several botnet operations, including Rustock, SpamIt, Bredolab and Mega-D. But spammers are making more money than ever before. What has happened?
In the past, after a botnet was disabled, spam levels dropped noticeably, but then recovered quickly as spammers got new botnets started and resumed their mass mailings. But, this past year the rates are holding steady at their lowest in three years, according to a July report from Commtouch. In fact, spam levels are significantly down – from 300 billion messages a day in June 2010 to 40 billion a day in June 2011, according to a recent report from Cisco.
“On the one hand, because there is such a small number of actual spammers, their activity can vary greatly from period to period, and taking down a hosting provider or botnet can impact the numbers greatly,” said Richard Stiennon, chief research analyst at IT-Harvest.
However, that's not the end of the story. Both reports found that as a result of law enforcement efforts at shutting down botnets, spammers have shifted their tactics to more focused, email-borne malware attacks. As criminals recognize that their zombie IP addresses are getting blacklisted, they have evolved their strategy to deliver targeted email campaigns that attempt to dupe users into clicking on links that load malware onto their machines, the Commtouch report found. Once accounts are compromised and personal information harvested, personalized spam is sent. The shift into more, targeted attacks, Cisco found, has resulted in significantly higher user click rates.
As a result, though the amount of email has significantly dropped, the money being made by spammers has grown from $50 million to $200 million over the last year on an annualized basis, according to Cisco.
Steinnon (left) agrees that there does seem to be a shift. “Most of the spam I see now tries to get the victim to click on a link that infects them with malware,” he said. “This is because of new value being assigned to botnets.” Attackers can rent them for DDoS attacks or even as proxy hosts to launch more direct hacking, he said.
User education cannot completely protect organizations from these threats, Cisco's report found. Instead, entities require a multifaceted defense that includes firewalls, web proxies and intrusion-prevention sensors.“The motivation is shifting away from selling shady products to harvesting zombies,” Steinnon said.