‘Cyberwarfare,’ Extortion Join Old E-Mail Rackets

Truly harmful scams are emerging, including spam that supports terrorism and tries to incite cyberwars between countries, particularly in Eastern Europe, Internet Law Group partner Jon Praed said. Many attacks launch overseas, thanks to wider broadband adoption abroad than in the U.S., said Suresh Ramasubramanian, Outblaze Limited antispam manager.

Spam is “holding steady” at 60 to 70 billion messages a day, said Patrick Peterson, IronPort Systems vice president, Technology. “Any set of stats show that the problem is large enough that action is needed. Whatever the technology du jour is, we'll respond to that, and they'll come up with a new one.” Notorious spammer MyCanadianPharmacy.com changes its message every 12 minutes, using software that parses text from The Hobbit to fill message space, often fooling spam filters, he said. Fraudsters also embed site URLs in images to gull anti-spam tools, he said. Last year saw an “epidemic” of stock market scam spam erupted, and despite warnings many dupes fell for it, he said. Con artists still use botnets to launch spam attacks, but also are turning to major Internet service provider Web servers and online “contact us” Web forms to send spam, he said, noting that of every 1,000 e-mails, about 998 are spam.

The Internet is a “giant laboratory for spammers,” said University of Ore. Professor Joe St. Sauver. “They can just try things and see what works. We really need to go on the offense.” Spam technologies often evolve too quickly to nail, so why not “look at physical issues to track down” some of these “miscreants?” he said. Online criminals specialize; for example, “niche providers” harvest e-mail addresses, write malware or produce bots, St. Sauver said. “People no longer need to become experts” in general but “can buy what they need instead of building it themselves. Purchasing generates financial records which allow them to be tracked,” he said, calling the money trail “the biggest spammer vulnerability.”

Law enforcement could “focus on things like income tax liability” to pursue and prosecute spammers, St. Sauver said. “Envelopes with pills need to get to the customer. In the physical world we do have borders.” DEA and other agencies “should be able to start interdicting some of those shipments but may not have the staff to do so,” he said. With most botnets residing outside the U.S., international help is needed, but “we still have very primitive methods for international law enforcement cooperation,” he said. “Just as we would collect intelligence on terrorism, we need to collect intelligence on spam organizations… and tackle this as a system,” he said. - Alexis Fabbri

FTC Spam Summit Notebook…

Legitimate e-mail marketers fear harsh anti-spam rules will keep their messages from reaching people, said Trevor Hughes, executive director of the E-mail Sender & Provider Coalition. “E-mail is one of our fundamental means of communication and we need to make sure as we fight spam we also work to protect the very thing that we know and love so much,” he said. The e-mail industry should “mobilize consumers and give them more tools in the inbox to allow them to report, send feedback, unsubscribe… those tools would be embraced, based on the research we have,” Hughes said. “The legitimate e-mail community has developed best practices and authentication systems” so “that leaves the more malicious, fraudulent, criminal activities as being major problems for us.” But “e-mail marketers can follow all the rules and still be blocked,” said MediaBreakaway.com CEO Scott Richter. Suppression lists that block even legitimate e-mails “keep growing, so there needs to be some kind of time limit or a better system figured,” he said.

----

Do-it-yourself malware vendors set the standard for cheap, reliable customer support, Andrew Klein, SonicWALL senior product marketing manager, told the conference. A $17 spyware kit “comes with technical support,” he said. “You can’t get that from Microsoft or any other company” as cheaply. Phishing kits, around for years, only now are drawing wide attention, and their “breadth is really impressive,” ranging in price from hundreds of dollars to tens of thousands depending on features, Klein said. The software-as-a-service business model has jumped into botnets, where malicious users can rent time on compromised PCs for $300 to $700 an hour, he said. “Plug and play” phishing kits let a “newbie” launch an attack with a mouse click, and prices for such attacks have fallen from about $1,000 to $100, said Jens Hinrichsen, RSA product marketing manager for consumer solutions. It is a “rather telling takeaway” that nearly half of online users worldwide in a recent survey said they fear not only phishing, which is well publicized, but crimeware, which has hit Brazil and Germany but largely avoided the U.S., he said. Klein suggested that domain name registrars such as GoDaddy raise prices perhaps a dollar a registration, putting the money toward securing domain names to thwart phishing. Small businesses are in the worst security position, with even multiple layers of spam filters unable to prevent large-scale directory harvest attacks that can crash systems for days, said Heinan Landa, president of Optimal Networks, which provides Internet security for a fixed monthly price per PC. Too small to have their own information-technology security departments, small companies need outside services, spending proportionally more than large peers, he said. A client hit in 2003 by malware still is recovering, and another estimated it loses 10 days a year in employee productivity from malware attacks, he said. “Anything that can be done to mitigate the cost and the complexity” of IT security for small business will hurt the market for malware and improve the U.S. economy, he said. -- GP

----

Wireless is spammers’ “next frontier,” said Dave Champine, Cloudmark product marketing senior director. “If you look at different markets around the world where they've have 3G networks for longer, spam on those devices is incredibly high,” he said. In South Korea, where all cell phones are smartphones that connect to the Internet, spam is more prevalent on phones than desktops, he said. The U.S. is finally catching up in adopting such technologies, opening the door for similar spam attacks, said CTIA Senior Vice President Mike Altschul. More than half (56 percent) of U.S. wireless devices can access the Internet, he said. “The carrier gateways have been very effective in identifying and filtering out spam attacks, but as attacks increase and grow more sophisticated, users are going to have to start taking more responsibility as they do with their desktops” to battle spam, Altschul said. “Carriers and networks are going to have much less control over the user experience… as the industry responds to users desire for more open access,” he said.