Spam: Here to stay for now

Although email spam has long been around, it has only recently become increasingly widespread and advanced. One would think that with the ever-advancing technology, there would be a way to combat these annoying pieces of email bombarding our inboxes. But as computer technology becomes more sophisticated, so too does spam.

Spam is aggravating for obvious reasons such as data and email loss and rising costs due to the need for increased bandwidth and archiving of unnecessary emails, but it also poses a real security threat, making anti-spam protection an important tool to maintain.

First of all, spam is often the primary source of phishing. Typical phishing attempts are sent out as mass emails to home users and aim to retrieve sensitive data, such as bank account login information. However, dedicated and targeted attacks are becoming more common, too. While the "look" of these targeted phishing attacks may vary, the purpose is the same: the message pretends to come from someone with one intention but actually does something different. Using this type of spam to target a specific group and steal data significantly raises the criminal level of this act.

Spam, then, turns from being an unpleasant nuisance and a possible security risk into focused attacks specifically crafted for individuals and organizations, who then need protection. The more dedicated and skilled the attacker, the more difficult it is for ordinary users to safeguard themselves. In some cases, protection by traditional tools is almost impossible. Take the following situations as examples:

- Receiving an email that looks almost identical to a message that would come from your administrator requesting a password to be changed.

- Emails designed specifically to mimic messages or the behavior of the mail system and/or rules of the organization. For instance, a delivery-failure report requesting to resend the last document using a special link. This may seem absurd to IT professionals but not to ordinary users if the message looks similar to what the users normally receive. Generally, such users tend to follow any understandable instruction that they find in emails with a lot of technical jargon.

- An attacker using social engineering, a non-technical type of invasion that depends immensely on human interaction, to gain access past a network's security. If the attacker is truly determined, this type of attack will most likely be successful in extracting the internal information needed to bypass network security.

Traditional anti-spam and email protection systems are usually ineffective against the above types of attacks. Bayesian and other content processing filters will not find anything suspicious. If the volume of emails sent out in an attack is kept low, statistical processing is also futile.

The only chance to trigger at least some alarms is when the email has a forged header.

Checking for sender domain names and source SMTP verification could be useful in this case. However, the only true protection against email tampering and header modification is to use encryption and cryptographic signatures, which can be problematic on mobile devices, as they typically do not support encryption standards.
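The sender-domain and source checks described above can be sketched as follows. This is an added example, not code from the article; it assumes the receiving mail server stamps `Return-Path` and `Authentication-Results` headers, and `INTERNAL_DOMAIN` and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def header_alarms(raw_message):
    """Return the reasons the headers look forged; an empty list means no alarm."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg["From"] or "")
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])  # envelope sender, stamped on delivery
    reply_dom = domain_of(msg["Reply-To"])
    alarms = []
    if env_dom and env_dom != from_dom:
        alarms.append("envelope sender domain differs from From domain")
    if reply_dom and reply_dom != from_dom:
        alarms.append("Reply-To domain differs from From domain")
    # Display name borrows the internal domain while the real address is external.
    if INTERNAL_DOMAIN in display_name.lower() and from_dom != INTERNAL_DOMAIN:
        alarms.append("display name claims internal domain, address is external")
    # Source verification: SPF verdict the receiving server recorded (RFC 8601).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bspf=(\w+)", auth)
    if verdict is None or verdict.group(1).lower() != "pass":
        found = verdict.group(1).lower() if verdict else "none recorded"
        alarms.append("SPF result: " + found)
    return alarms

# Constructed sample messages (not real traffic).
FORGED = "\n".join([
    "Return-Path: <bounce@mailer.example.net>",
    "Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=mailer.example.net",
    'From: "example.com IT Administrator" <admin@example.org>',
    "Reply-To: helpdesk@example.net",
    "Subject: Password change required",
])
CLEAN = "\n".join([
    "Return-Path: <admin@example.com>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com",
    'From: "IT Administrator" <admin@example.com>',
])

if __name__ == "__main__":
    print(header_alarms(FORGED), header_alarms(CLEAN))
```

These checks only flag inconsistencies between headers: a message whose headers all agree raises no alarm, and legitimate bulk senders often use a different envelope domain, so the results are signals to score rather than verdicts.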

Finally, plain old, yet still valuable, user education can help deter phishing attacks.

As if phishing assaults were not enough, there are still other threats arising from unsolicited emails that land in users' mailboxes. While the vast majority of existing email clients are currently relatively safe (at least at the time I write this text), various exploits are on the rise, some of which are also difficult or even impossible to detect in real time. And these exploits do not include those that may exist but are not known publicly.

Spam emails can carry executable code stored in a large office document that exploits a particular bug in the program that opens the document. Any program can contain bugs, so it is almost impossible to guarantee that any program will be completely bug-free, and Microsoft Office programs are no exception. Through spam, many of these bugs may also be manipulated to spawn malicious code on the target system. Full scanning of all streams in a data file can be extremely time-consuming, and it also increases the probability of false alarms. Again, this is most often a problem with targeted attacks, specifically aimed at a particular user or company.

To understand why spam still exists and why we cannot realistically expect security threats resulting from spam to change in the near future, it is necessary to realize that the real driving power behind this is money and organized crime.

I'm sorry to say that this means we should not believe the situation will improve any time soon. One also has to understand that there will most likely never be any magic silver bullet, any cure-for-all security tool - not with technology constantly evolving.

We have to continuously improve our protection, our security shields, and continue educating users, explaining the risks and why it is so important to follow all those annoying rules.

Finally, while there are law enforcement agencies with specialized cybercrime task forces, some of these groups need to become more proactive at patrolling cybercrime.

However, we can take an active role by constantly informing these agencies what cybercrimes are being committed and what aid we need from them. Together with our feedback and protection from these agencies, we can vie for a better future.

- Karel Obluk is CTO of GRISOFT
