Cellopoint 2008 Third Quarter Email Security Report

The quantity of spam continues to grow; attack methods are evolving rapidly

The overall quantity of spam is continuing to grow steadily, and now accounts for roughly 90% of all e-mail. Cellopoint's Global Anti-spam Center (CGAC) has observed that hackers' preferred attack method has shifted to social engineering. There are fewer ordinary product advertisements than before, but there has been an increase in messages with attention-getting subject lines about political and news events, such as the American presidential election and the world financial crisis. Since May 2008, we have paid close attention to the growing problem of spam containing malicious links or malicious programs.

Combinations of malicious programs and spam

Starting in the third quarter of 2008, our tests have found that more and more e-mails contain malicious programs. The vast majority of these malicious programs are compressed as ZIP or RAR files, and sometimes malicious program code is embedded in the e-mail itself. This kind of spam attempts to induce the user to download malicious programs, such as Trojan horses or zombies, and ultimately infect the user's computer, allowing the hackers to steal personal information or make the computer part of a "botnet," which can be used to send even more spam. The following are two of the most common recent attacks:

Example 1: Phony Facebook e-mail

Hackers have been sending users phony notices that appear to come from the well-known social web site Facebook. These e-mails contain a ZIP attachment. If a recipient opens this attachment, a Trojan horse program will be quietly installed on the user's computer. Cellopoint's e-mail analysis specialists have found that the hackers are very good at copying the style of Facebook's notices. The sender's domain and all links are legitimate, and the style and content are extremely similar to real Facebook e-mails, so ordinary users are sure to have trouble telling real and bogus e-mails apart.

Example 2: CNN phishing e-mail

CGAC has discovered that hackers have been sending out large quantities of phony CNN phishing e-mails since this August. The subject line has been changed from "CNN.com Daily Top 10" to "CNN Alerts: My Custom Alert," and the normal links in the content have been replaced with links that purport to be to CNN, but are actually to malicious web sites. These phishing e-mails attempt to induce recipients to click on links to phony web sites and download malicious programs.

Combinations of current affairs and social engineering attacks

The recent global economic crisis has given hackers a golden opportunity to defraud users. These hackers are sending out spam containing phony debt negotiation or loan offers in the hope of obtaining users' personal information. As long as the crisis continues to monopolize news headlines, these small-scale spam attacks may continue to grow in scope and become large-scale attacks.

Flash spam attacks become a new tool

Because many anti-spam products can filter e-mail and quickly update URL blacklists, they can block spam messages containing malicious URLs before they enter users' mailboxes. Hackers have responded to this situation by using Flash files to evade e-mail filter engines. The hackers embed links to malicious programs in these Flash files; as soon as a recipient executes the Flash file, the file will automatically download a malicious program and install it on the user's computer. The program will then either steal personal information or cause the computer to become part of a botnet sending out more spam unbeknownst to the user.