Spammers and hackers join forces in ‘spam economy’


25 Aug 2004

A combination of spam and virus threats is creating a new ‘spam economy’ where junk emailers, virus writers and hackers are increasingly pooling their resources to make money from illegal activity, a new report has shown.

According to a white paper from the security software company Sophos, spam’s success to date has led to this unholy trinity, which aims to profit from unsolicited commercial email. With more organisations now using anti-spam systems, making money has become harder for spammers. This has resulted in the emergence of an elaborate industry that constantly develops, tests and adapts new tactics to defeat an organisation’s filters. This practice, said Sophos, is something virus writers have been doing for years.

Outlining the interdependence of the various groups involved, the report lists relationships including: virus writers and hackers supplying the infrastructure needed to deliver spam; spammer services supplying specialised skills and resources; and spamming software co-ordinating spammer services and managing campaigns.

“While it is true that people still write viruses for other reasons, an economic incentive is driving innovation in the virus and hacker communities in a different direction – namely quietly hijacking rather than noisily vandalising computer systems,” said Sophos. “Previously, these groups just wanted to gain notoriety, which meant causing obvious damage. Now they have a financial incentive, which changes the aim of viruses and makes everyone a target.”

Many recent viruses have been created with the purpose of opening ‘back doors’ in computers so that they can be used as relays for sending spam. By using legitimate email addresses for sending spam, virus writers also improve the chances of junk email getting past filters which are usually set up to look for suspect addresses rather than ones belonging to actual users.

Spamming tactics have also evolved from relatively simple techniques to avoid detection through to disguising messages, disabling spam filter software and ultimately hijacking systems which can then be used to send emails. According to Sophos, spammers are now relying on virus writers and hackers to provide a constant supply of servers to hide their identity and generate huge volumes of mail.

Several techniques are to be found in the typical spam mail. The message could include multiple redirected URLs to avoid detection of known spam websites. By using text and HTML message obfuscation, the content of the mail can be disguised from filter technology. Other techniques for avoiding detection are to incorporate multiple hashbuster strings in the message or to add a ‘word salad’ to poison statistical filters.
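As an added illustration (not taken from the Sophos paper or this article), the Python example below shows why hashbuster strings and HTML obfuscation defeat a filter that matches exact message hashes, and how normalising the message first restores a stable fingerprint. The sample messages, the function names and the random-token heuristic are assumptions constructed for the example.

```python
import hashlib
import re

# Constructed samples: one campaign, sent twice with different padding.
MSG_A = ("<html><body>Che<!-- qzx81 -->ap me<b></b>ds at "
         "http://example.test/offer xkqjvbzr7731</body></html>")
MSG_B = ("<html><body>Ch<!-- 77pl -->eap m<i></i>eds at "
         "http://example.test/offer pwzzrtk20984</body></html>")

HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
HTML_TAG = re.compile(r"<[^>]+>")


def naive_fingerprint(message: str) -> str:
    """Exact hash of the raw message, as a simple checksum filter would use."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def looks_random(token: str) -> bool:
    """Assumed heuristic: a long alphanumeric token mixing letters and digits."""
    return (len(token) >= 8 and token.isalnum()
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token))


def normalize(message: str) -> str:
    """Undo HTML splitting of words, then drop hashbuster-like tokens."""
    text = HTML_COMMENT.sub("", message)   # comments inserted inside words
    text = HTML_TAG.sub("", text)          # empty tags inserted inside words
    tokens = [t for t in text.lower().split() if not looks_random(t)]
    return " ".join(tokens)


def robust_fingerprint(message: str) -> str:
    """Hash of the normalised text, stable across padded copies."""
    return hashlib.sha256(normalize(message).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("raw hashes match:       ", naive_fingerprint(MSG_A) == naive_fingerprint(MSG_B))
    print("normalised hashes match:", robust_fingerprint(MSG_A) == robust_fingerprint(MSG_B))
    print("normalised text:        ", normalize(MSG_A))
```

The heuristic also discards legitimate mixed tokens such as order numbers, which is acceptable for fingerprinting but not for displaying the message.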

As a safeguard against these new threats, Sophos favours educating users, “but the best route that organisations can take is to ensure that they have implemented multi-tier, multithreat defences that block spam, detect viruses and enforce email policies. In addition, they should harden email systems,” the company recommends.

Far from being a mere annoyance, spam presents serious security and resource risks, Sophos added. It can affect an organisation’s infrastructure by overloading systems, clogging mailboxes, reducing productivity, defrauding recipients and draining morale. It may also increase the frequency, severity and cost of virus attacks and related threats.

Although figures vary, spam is clearly an increasing problem. Internationally, spam is believed to represent more than 60pc of all email traffic, according to research from Symantec. In Ireland, data from IE Internet found that spam mail accounted for 26pc of indigenous emails in July.

Separately, it has emerged that several US federal and state law enforcement agencies have arrested or charged dozens of people with crimes related to junk email, identity theft and other online scams in recent weeks. Authorities in the US have increased their efforts to crack down on spammers since Congress passed a law last year (the CAN-SPAM Act) that criminalised fraudulent and deceptive email practices. The law subjects spammers to fines and jail terms of up to five years.

By Gordon Smith