Spammers step up “hit-and-run” operations

They were all the rage last year, but image and file attachment spam is definitely out in 2008, as spammers abandon complex techniques for simpler URL-based methods.

Around 90 per cent of all spam messages are now URL based, according to a recent report from IBM’s Internet Security Systems (ISS) X-Force, Big Blue’s Internet threat research and development team.

ISS tracks Web-based security threats by monitoring online traffic via a combination of research, honeypots, Web crawlers, and other devices.

“These simpler [methods] rely on Web links and short text messages [within] spam e-mails, which may be more difficult for some anti-spam technologies to detect,” according to X-Force’s 2008 Mid-Year Trend Statistics report.

It says the lifespan of URLs associated with such spam also continues to shrink as spammers step up hit-and-run operations to make it more difficult for security experts to catch up.

Image-based spam – which uses complex images with random pixels, random borders, or text on wavy lines to obscure spam messages from filters – peaked in the first quarter of 2007, said X-Force researcher, Thomas Cross.

At the time, image spam comprised around 50 per cent of all spam.

The percentage kept progressively dropping, Cross said, until it plummeted to nearly zero per cent in the second quarter of this year.

By contrast, URL Spam (spam e-mail that contains little more than a link to a Web site that delivers a spam message to the victim) rose from 60 per cent during the first quarter of 2007, to around 90 per cent in the second quarter of 2008.

There is a bright side to all this, the X-Force researcher said. “URL spam comes in very small packages compared to image spam, so these [spam e-mails] don’t eat up too much storage space, which is at a premium.”

From 2005 to 2006 the average size of spam messages grew from 6KB to more than 10KB due to the popularity of image-based and HTML spam.

With the rise of plain text and URL spam, that number has shrunk to less than 4KB, said Cross.

One Toronto-based security expert, however, says there is nothing extraordinary about this shift in technique.

Spammers, much like hackers, will always alter their strategy to stay one step ahead of security companies, according to David Senf, director of Canadian security and software research at IDC Canada.

As most spam filters have been calibrated to spot image spam and other complex species of spam, Senf said, spammers have switched back to pared-down messages to slip under the radar.

X-Force research has witnessed the rise of very brief plain-text spam e-mail messages that carry no attachments. The technique, the report said, was used for stock spam and simply contained a stock symbol.

“Using as little text as possible or trusted domain names is very effective because some anti-spam tools may not be able to identify spam that only uses a few words and a link to a Web site,” said Cross of X-Force.

He said spammers are increasingly using legitimate sites to host spam messages that contain various types of malware. They often post blogs on social-networking or Web-hosting sites, which are guaranteed traffic generators.

“Because these sites are often very popular they become a fishing ground for the spammers.”

And as these sites are also legitimate, most spam filters are less likely to block them.

According to the X-Force report, among the popular legitimate sites that have become spam magnets are:

Googlepages.com – Google’s popular Web site creation and hosting service.

Dogpile – A meta-search engine that fetches results from Google, Yahoo!, Live Search, Ask.com, About.com and several other search engines. It was awarded the Best Residential Online Search Engine Service in 2006 and 2007 by J.D. Power and Associates.

Blogspot.com – a high-traffic blog publishing site.

DoubleClick – A company that develops and provides Internet ad serving services to agencies and marketers, including those that work with the likes of Microsoft, General Motors, Coca-Cola and Visa.

GeoCities – Yahoo!’s Web-hosting service.

The most common top-level domains (TLDs) found in spam messages are: .com; .cn (China); .net; .it (Italy); and .uk (United Kingdom).

The .com TLD is popular with spammers because it is the most innocuous-looking TLD – nearly 55 per cent of all domains use it.

The top six spam subject lines are:

  • Replica Watches
  • Free porno DVD’s to download
  • Downloadable porno DVDs for free
  • Re:
  • Exquisite Replica
  • Hi
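The indicators the report describes (a body that is little more than a link, a bare stock ticker with no attachment, a content-free subject such as “Re:” or “Hi”, and a page hosted on a user-generated subdomain of a legitimate platform) can be turned into a simple scoring filter. The script below is an added illustration written for this article, not code from IBM ISS or X-Force; the scoring weights, the ten-word threshold for “few words with a link”, the spam threshold of 4 and the sample messages are all assumptions made for the example. It also shows the caveat from the article: the hosting domain alone must not be a blocking rule, because legitimate mail links to the same platforms.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Hosting platforms the report names as spam magnets. Blocking these
# registrable domains outright would drop legitimate mail, so a URL on a
# user-generated subdomain only adds to a score instead of deciding it.
ABUSED_HOSTING = {"googlepages.com", "blogspot.com", "geocities.com"}

# Subject lines from the report's top-six list that carry no content at all.
GENERIC_SUBJECTS = {"re:", "hi", ""}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TICKER_RE = re.compile(r"^[A-Z]{3,5}$")  # crude stock-symbol shape (assumption)
MAX_WORDS_WITH_LINK = 10                 # assumption: "little more than a link"
SPAM_THRESHOLD = 4                       # assumption: tuning value for this example


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def is_spam(self) -> bool:
        return self.score >= SPAM_THRESHOLD


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A production filter would consult the
    Public Suffix List so that names such as example.co.uk are split correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(subject: str, body: str) -> Verdict:
    """Score one message on the indicators described in the report."""
    v = Verdict()
    urls = URL_RE.findall(body)
    words = URL_RE.sub(" ", body).split()  # word count with the URLs removed

    if urls and len(words) <= MAX_WORDS_WITH_LINK:
        v.score += 3
        v.reasons.append("few words with a link")
    if not urls and len(words) <= 3 and any(TICKER_RE.match(w) for w in words):
        v.score += 3
        v.reasons.append("bare stock ticker")
    if subject.strip().lower() in GENERIC_SUBJECTS:
        v.score += 1
        v.reasons.append("generic subject")
    for u in urls:
        host = urlparse(u).hostname or ""
        rd = registrable_domain(host)
        # A page under a user-generated subdomain (blog, hosted site) of an
        # abused platform counts; the platform's own front page does not.
        if rd in ABUSED_HOSTING and host != rd:
            v.score += 2
            v.reasons.append(f"user-generated page on {rd}")
    return v


# Constructed sample messages for the example, not taken from the report.
SAMPLES = [
    ("Re:", "http://example.blogspot.com/replica-watches"),
    ("Exquisite Replica", "Exquisite Replica http://shop.example.cn/"),
    ("Hi", "XYZQ"),
    ("Meeting notes",
     "Hi all, here are the notes from today's meeting. I've put the slides on "
     "http://docs.blogspot.com/team/notes so everyone can review them before "
     "Thursday. Thanks, Alex"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        v = score_message(subject, body)
        print(f"{'SPAM' if v.is_spam() else 'ok  '} score={v.score} "
              f"subject={subject!r} reasons={v.reasons}")
```

Run stand-alone, the first and third samples are flagged, the long legitimate message that links to a blogspot.com page is not, and the second sample (two words plus a link on an ordinary .com/.cn host) scores below the threshold even though it is spam. That last case is the report's point: with so little text to inspect, content heuristics run out, and the remaining signal is the reputation of the linked URL itself, which the hit-and-run rotation of short-lived URLs is designed to defeat.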

Spammers are exploiting the popularity of Web hosting sites, Internet forums and social networking sites, according to Senf.

“They know these sites are a hub for Web traffic. This is where their prey is.”

By having their spam messages hosted on legitimate sites, spammers also manage to decrease their likelihood of being taken down. “The chances are very slim that authorities will shut down a site that is being used by millions of people.”
