There may have been a drop in the amount of image spam recently, but messaging security providers are warning it’s merely the quiet before the storm.
There are new strains of image spam on the horizon, said Sam Masiello, director of Englewood, Co.-based MX Logic’s threat management team.
Traditionally, attackers have created spam with images attached to the actual e-mail message. But Masiello said a recent shift from that tactic is leading attackers to specify an external URL in the background attribute as part of the HTML body tag.
“So it’s a way to have the image render within the message body without actually having it attached to the message itself. It’s sitting on an external host somewhere on a compromised Web server.”
According to Masiello, traditional image spam attacks decreased from 37 to 24 per cent in April, indicating that spammers’ attention was being directed elsewhere.
Specifically, he said, attackers are allocating effort to refining these new forms of image spam. “And [April] is when we started to see that shift from the traditional image spam tactic to the new tactic.”
It’s really an action/reaction game, said Larry Karnis, president of Toronto, Ont.-based XPM Software Inc. “Spammers are trying to respond to the growing effectiveness of anti-spam solutions. It’s a different twist in the same old game.”
Michael Peddemors, president and CEO of Surrey, BC-based Linux Magic Inc., agreed there is a decrease in attacks. However, he thinks the reason is the growing ineffectiveness of these approaches given stronger anti-spam tools.
Currently, these new forms, Masiello said, are only observed at a rate of 4 to 5 per cent – but as tactics get further refined, we should expect that number to rise within six months.
The new attacks will initially propagate given the amount of labour involved to protect against them, he said. “The impetus behind the movement towards this new tactic is that it’s harder to do that analysis because you have to analyze the message and realize where the image is being pulled from, then pull the image from that remote location.”
The idea here is that by not actually providing content to the anti-spam tool, it’s much less likely that the content will trigger a spam reject, said Karnis.
“We’re starting to see more of this kind of thing. The next wave of image spam will probably be based around this.”
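The analysis step described above, working out where a message pulls its image from, can be sketched as follows. This is an added example, not code from the article or from any vendor named in it; the function names, the 40-character text threshold and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

MAX_TEXT_CHARS = 40  # assumed threshold for "almost no visible text"

class BodyBackgroundFinder(HTMLParser):
    """Records remote URLs in <body background=...> and counts visible text."""
    def __init__(self):
        super().__init__()
        self.remote_backgrounds = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag != "body":
            return
        for name, value in attrs:
            url = (value or "").strip()
            if name == "background" and url.lower().startswith(("http://", "https://", "//")):
                self.remote_backgrounds.append(url)

    def handle_data(self, data):
        self.text_chars += len(data.strip())

def analyze(raw_message):
    """Summarise how a message delivers its imagery: attached or remote."""
    finder = BodyBackgroundFinder()
    attached_images = 0
    for part in message_from_string(raw_message).walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            attached_images += 1
        elif ctype == "text/html":
            finder.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    finder.close()
    return {
        "remote_backgrounds": finder.remote_backgrounds,
        "attached_images": attached_images,
        # Heuristic (assumption): remote background, nothing attached, little text.
        "suspicious": bool(finder.remote_backgrounds) and attached_images == 0
                      and finder.text_chars <= MAX_TEXT_CHARS,
    }

# Constructed sample messages, not taken from real spam.
HEADERS = "From: sender@example.invalid\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
SAMPLE_REMOTE = HEADERS + '<html><BODY Background="http://images.example.invalid/offer.gif">\n</BODY></html>\n'
SAMPLE_NEWSLETTER = HEADERS + "<html><body><p>Monthly update: the office is closed on Friday for maintenance.</p></body></html>\n"
```

A filter that flags such a message still has to decide whether to fetch the remote image for analysis or to score the hosting URL instead, which is the extra labour the article refers to.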
Karnis said a lot of companies are bolstering messaging security products with this vulnerability in mind.
He believes this spamming tactic will enjoy short-term success only, simply because, once identified, offending Web sites can be traced and blocked. “This strategy may in fact ultimately backfire on spammers because it says ‘this is who we are.’”
Enterprises are more vulnerable right now, said Masiello, given the lack of available security solutions to combat these new tactics. “It’s a constant cat and mouse game, where they’re trying to stay one step ahead of us and we’re trying to stay one step ahead of them.”
He recommends taking advantage of controls built into mail clients, such as Microsoft Outlook’s option to not download remote images.
But much of it comes down to user education, he added. “User education and user action is always the weakest link in the security chain.” He said the issue isn’t just about avoiding being scammed, but also avoiding having malware installed on the system. “You click on the image and suddenly you have malware injected on your PC.”
But the biggest issue, said Peddemors, is how the message reached the user in the first place – the buck should stop with the operators of mail servers and Internet service providers.
He recommends outsourcing the mail client if a business doesn’t have the skills to maintain the messaging system.
“Even if we were to make all the tools in the world, users aren’t going to go through all that effort. They want something simple.”