Application security, Malware, Phishing

The evolution of image spam: Why your network needs heavy prescription eye-glasses

Although image spam is not new, it continues to grow both in sophistication and at alarming rates, so much so that it has become a major topic of concern among security industry experts.

Two years ago, image-based spam was thought to represent five percent of global spam. Most agree the number now ranges between 30 and 40 percent and, according to CommTouch, consumes 70 percent of global bandwidth and storage capacities on days when image-based spam achieves a distribution peak. The explanation behind the recent proliferation is obvious: spammers recognized an inherent weakness in computers (they can't “see” like humans do) and began exploiting this flaw in innovative ways with great success.

Dangers and motives
Image spam presents clear and present dangers both in the office and at home. First, the content can be offensive, but more importantly, the spam can also be used in conjunction with phishing, pharming and other identity-theft practices. The size alone of a typical image spam causes concern as well, for it is roughly three times as large as text-based spam. This size creates a serious drain on IT resources as bandwidth and data storage capabilities are sacrificed.

Further, spam can lure victims into downloading spyware/adware and making ill-advised purchases. For example, a common tactic is to entice recipients into “pump and dump” stock schemes. In this scenario, spammers promote cheap “penny” or “pink sheet” stocks traded on “over-the-counter” (OTC) bulletin boards that typically don't get a lot of volume. They consist of niche companies with no profit and no products, and when recipients purchase their stock, its value increases. Knowing the stock is bogus, the spammer quickly sells and leaves a little bit richer while victims take longer to realize they've been duped.  

Reports in July 2006 indicated a great deal of money can be made from these schemes. The study found that spammers who buy thinly-traded stocks and promote them in millions of spam can make 5.79 percent returns in a single day. The victims who bought the touted stocks lost an average of 5.5 percent within two days before paying brokerage fees. Repeating this process over and over can yield real profits, and herein lies the ultimate motive for spammer behavior; with that kind of money at stake, this business becomes quite lucrative.

But consequences are not too far behind. Notorious U.S.-based spammer Jeremy Jaynes was convicted by a Virginia court in November 2004 and sentenced to nearly a decade in prison (the decision was recently upheld). Jaynes' testimony during the trial reports that his spam consistently netted between $400,000 and $700,000 a month, despite the fact that only one in 30,000 recipients purchased anything.

So how are these spammers so successful? Spammers have found they can often thwart security technologies with just slight variations in the images they use. They can change border or background shade, alter the line spacing or margins, slant text and even add tiny, randomized, confetti-like pixel-salad to the image. Others have found success in splitting words into separate groups, and in a similar fashion, split a single image into smaller, broken ones that fit together like puzzle pieces. All of these concepts, also known as “layering,” rely on the premise that computers don't have human eyes or a brain. Computers and content-based security technologies are trained to recognize patterns (in zeros and ones) and high volumes of identical images. Making every message unique, ever so slightly, can comprise the legibility of the information from the computer's perspective, even though a person can still read the message.

Available solutions
Although traditional anti-spam technologies (content-based, signature-based, Bayesian, Heuristic, URL Filtering, etc.) have proved to be inadequate, there are some solutions available on the market today with better success rates. Optical Character Recognition (OCR), for example, works by measuring geometries in images, searching for shapes that match letter shapes, and then translating a matched geometric shape into real text. It is the closest to human-like sight computers get, and would likely be able to recognize that “pharmacy!,” “phArm'acy!” and “pH@rm'@cY!” and so forth are the same legible message.

There are drawbacks to OCR, however. It's expensive, its resource requirements reduce server performance and it often has difficulty catching messages containing color variations, human handwriting or minimal text. Some programs offer Rule-Based Engines that prohibit attached images of a certain size or quantity of colors. This solution leads to a high number of false positives, where legitimate messages are quarantined and go unseen by their intended recipients. A new approach anti-spam technologies are using involves switching the focus to detecting structure and distribution patterns in the outbreaks rather than lexical content analysis of individual email messages. Such technologies extract patterns in real-time from the message envelope, headers and body, and send them to detection centers where these patterns are logged and used for comparison purposes. If the pattern matches a known spam pattern, it is blocked immediately. So far, these approaches have yielded improved detection rates while maintaining lower false-positive rates. There are a number of such content-agnostic technologies available in today's market, and promise to be the next wave of defense in fighting spam.

Image spam is on the rise and the spammers' complexity is evolving just as naturally as the technology designed to stop it. Image spam may be curbed in the coming decade, but new forms of spam can just as easily surface, such as video spam. Enterprises, vendors and the general public are more aware of the growing threat image spam presents, but whether or not our computers will receive a vision prescription powerful enough to rid the problem completely remains to be seen.

- By Joshua Block, vice president of North American Operations, Cyberoam

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.