Cyberoam announced the Q4 2008 email threat trend report, prepared in collaboration with its partner Commtouch. The main highlight of the report was a huge drop in global spam in November to its lowest levels at 59%, from an average of 90+% earlier, due to the shutdown of McColo, one of the largest and most notorious spam-friendly web hosting service provider. This decline, bringing spam levels to a third of the normal volumes, was marked by three weeks of significantly lower spam activity, and finally, a slow increase.
Another significant story was the global financial crisis which has become an important pretext for spammers trying to lure unsuspecting email recipients with fake job offers, instant loans and cash advances. Also, in the mean time, people received a flood of US election-related spam and malware, the attackers’ motive being to steal personal information through phishing links or to install malicious software in visitors’ computers.
Barack Obama, in particular, has caught the attackers’ fancy with several outbreaks of spam and malware messages disguised in purported Obama acceptance speech downloads and an Obama sex scandal. The messages were sent from zombies (botnets) which are typically home computers taken over by spammers and malware distributors and are used on and off as they are needed.
Says Abhilash Sonwane, VP-Product Management, Cyberoam, “These attacks are of very short duration and disappear before their signatures are detected. The only protection in such cases is a security solution like Cyberoam that blocks zombie-generated spam based on the sender’s reputation rather than rely on signatures.”
Topical themes that included Iran, Afghanistan, India, corporations like Sony, spam based on celebrities and known figures like Nicole Kidman, Bill Gates, Bill Clinton and Barack Obama, were all part of the attacks. In their efforts to randomize emails to avoid anti-virus and anti-spam solutions, attackers often changed subjects and bodies. But, sometimes these two didn’t match as in the message where a subject line was of Bill Gates and the content was related to Obama.
Spammers used legitimate sites and tools like web-based emails and Google Docs to spread malware. Leveraging Google’s strong reputation, attackers sent email messages with Google Docs hyperlinks inside to get past traditional anti-spam methods.
“Hence, it is important that the security solution is based on the pattern of message distribution to detect spam and malware like Cyberoam does with Rapid Pattern Detection (RPD),” says Abhilash Sonwane. “Secondly, content filtering solutions need to go beyond home pages and do run time scanning and categorizing of internal pages too, preventing visitors from entering malware-laden pages within legitimate sites.”
Web 2.0 media are seeing an increasing volume of user generated content turning into easy vectors for carrying malicious codes. Chinese characters and image-based spam have made a comeback with attackers devising innovative techniques to confuse anti-spam technologies, e.g. “bending the image at a slight angle”.
Streaming media and downloads were among the top 10 web site categories infected with malware and/or manipulated by phishing. Also, Brazil emerged as the leading region in zombie activity. The other top trends included the resurgence of Image spam, spread of Chinese language spam and high turnover of zombies with an average of 280,000 per day.
Cyberoam uses the Commtouch RPDTM technology to analyze large volumes of Internet traffic in real-time. Unlike traditional spam filters, it does not rely on email content, so it is able to detect spam in any language and in every message format (including images, HTML, etc.), non-English characters, single and double byte, etc. Its language and content agnostic nature enables it to provide effective spam blocking capabilities. Cyberoam incorporates this technology within its unique identity-based UTM appliances, which deploy user identity-based functionality across all of its features. A departure from traditional IP address-dependent solutions, Cyberoam determines precisely who is doing what in the network, providing IT managers with stronger policy control and clearer visibility of activity.