Of 200 billion e-mail messages sent every day around the world in 2008, 90 per cent are considered spam – double the previous year’s volume, according to Cisco Systems Inc.’s annual security report for 2008.
And as the nature of spam is changing, this menace is getting increasingly difficult to combat, the report suggests.
Many spammers still send out mass e-mails to millions, which security software is usually able to filter out.
However, over the past year, targeted spam – designed to elicit personal or financial information from very specific groups – has become more common.
These phishing e-mails are much more difficult to detect, according to Cisco.
In 2008, there was more innovation around spam, with attacks directed at a range of organizations from educational institutions to credit unions, said Patrick Peterson, Cisco Fellow and engineer with Cisco IronPort.
(IronPort – acquired by Cisco in 2007 – offered messaging security appliances, focusing on providing protection from enterprise spam and spyware).
“Criminals,” said Peterson, “are doing a lot more thinking about the social engineering aspect.”
He recalled how criminals used social engineering to elicit user name and password information from an employee of Salesforce.com – a vendor of customer relationship management apps delivered over the Web.
This gave the cyber crooks access to the company’s client list, so they could contact customers, asking them to update their account information.
Identity thieves are also stealing the profiles of unsuspecting users and using these to spread spam.
Recently Peterson received an e-mail message purporting to come from a friend in California, and directing him to a Chinese Web site for “all his holiday shopping needs.”
The e-mail was sent to 148 people from the friend’s Yahoo account. Investigation revealed that his friend was using a weak password, enabling spammers to break in and steal his identity.
Spam will continue to become more sophisticated, the Cisco executive said, and will encompass more targeted attacks on business executives and high-level civil servants.
Canada’s Privacy Commissioner, Jennifer Stoddart, has been pushing Canada to enact legislation to fight spam.
This would require a two-pronged strategy: a civil approach (to prevent and control spam cluttering up the Internet) and a sanction approach, ranging from civil to criminal.
Civil sanctions are often most effective.
If spam becomes unprofitable, that may be a more effective deterrent than criminal prosecution, Stoddart noted.
“But we haven’t seen action on either one.”
She said there’s been some action on the identity theft front, which is not the same, though it’s also getting to be big business – and can be a prelude to spam.
“We’re the only major economic power with no anti-spam legislation,” said Stoddart. “There are concerted international efforts, but Canada is the gaping hole.”
She said if spammers around the world realized this, they would start coming here, so they could “prey on others.”
“I don’t think this does much for our international reputation to be a spam haven,” she said, adding it’s up to the government to move on this – and fast.
Ultimately, Canadians are paying the price through higher service fees levied by banks and other institutions, and it’s up to consumers and businesses to fend for themselves.
The Alberta Motor Association is an example of a Canadian organization that is successfully battling spam.
It gets about four million inbound e-mail messages a month for its 2,000 employees – and about 94 per cent of those messages are spam.
“All of that would be delivered to our employees’ Outlook accounts,” said Jim Gladden, director of technology services with the AMA.
He said the IT department would inundate employees with virus warnings and e-mail alerts.
Deciding enough was enough, AMA signed up for Telus’ E-Mail Protection Services – on an annual subscription basis.
The service filters out spam and viruses – before they reach AMA servers. Virus and software updates are managed by Telus.
“Traffic on our internal network has decreased substantially because we’re not delivering all of this garbage e-mail,” said Gladden. “Support requests to our help desk have declined, and overall our storage requirements for Microsoft Exchange have decreased as well.”
Around 200 employees are BlackBerry users, so these business benefits extend beyond desktop PCs and AMA’s Microsoft Exchange environment.
While the AMA can’t provide hard ROI numbers tied to the Telus service, with spam messages (94 per cent of the total messages) being blocked, the reduced bandwidth usage itself has produced huge savings.
“Off-the-cuff, we know it’s saving us significant time and money in terms of support requests, [and also in] terms of overall IT infrastructure costs as well,” he said.
Since using the service, the AMA hasn’t had spam-related events of any significance.
In 2008, Cisco recorded more than 6,000 vulnerabilities, which means businesses have to keep up with a stream of 200 daily vulnerabilities.
In some surveys, people say they feel safer and more secure online than before, but as Cisco’s Peterson noted, criminal intent isn’t as readily apparent as it used to be.
Today’s criminals recognize the best crime is one that goes undetected for as long as possible, he said.
While it’s one thing to reduce the attack footprint, it’s another to secure the Web.
Web technology has moved so fast (allowing us to do mashups and pull photos off sites) that a lot of Web servers are not being developed in a very secure way, Peterson said.
And that means spammers can steal data or attack a Web site and leave malware behind.
There’s also a huge discrepancy between what employees are doing and what IT thinks they’re doing, he said. He advocates employee education that uses vivid examples to make the point.
IT and corporate security should refocus their efforts around working with employees, so they understand the nature of these attacks and can “up their spider sense.”
He says that’s even more important this year – given the uncertain economy. “With the economic [spiral] in 2009 there’s going to be more incentive.”
While spam continues to be a growing menace, Canada is the only G8 country without anti-spam legislation, leaving consumers and businesses to fend for themselves.