Spammers make complete recovery from McColo takedown

31 Mar 2009

Spammers continue to prove their resilience, whether bouncing back from the biggest takedown on record or exploiting new communications methods for malicious purposes, Google subsidiary Postini warned today.

Data drawn from the Google enterprise security and archiving security network – which protects 50,000 businesses and 15 million business users – has found that spam has returned to pre-McColo takedown levels, and is the strongest it's been since 2009, rising 1.2pc per day.

Spam volumes worldwide dropped by a massive 75pc in the aftermath of the shut-down of McColo, a controversial Californian ISP (internet service provider).

The shut-down took place following a research report by several security vendors, which alleged McColo helped cyber-criminals promote spam, online fraud and child pornography.

By the second half of March 2009, the seven-day average spam volume was back at the level seen prior to the blocking of the McColo ISP in November 2008.

Spammers have clearly rallied following the McColo takedown, and overall spam volume growth during Q1 of 2009 was the strongest it has been since early 2008, increasing an average of 1.2pc per day.

To put that number into context, the growth rate of spam volume in Q1 2008 was approximately 1pc per day – which, at the time, was a record high.

Like every year before it, 2008 set a new record for overall spam volume. But in 2008, spam growth flattened over the summer and early autumn, and then fell off a cliff after the McColo takedown (daily growth declined to 0.8pc, 0.3pc, and then 0.01pc in the last three quarters of the year).

“This pattern raises some interesting questions regarding what we can expect in the rest of 2009: will spam growth once again flatten or decline after a strong first quarter? Or have spammers – as part of their recovery from the McColo takedown – rebuilt botnets to be capable of sustaining or even accelerating this early growth spurt?” asked Amanda Kleha of Google’s security and archiving team.

“It’s difficult to ascertain exactly how spammers have rebuilt in the wake of McColo, but data suggests they’re adopting new strategies to avoid a McColo-type takedown from occurring again.

“Specifically, the recent upward trajectory of spam could indicate that spammers are building botnets that are more robust but send less volume – or at least that they haven’t enabled their botnets to run at full capacity because they’re wary of exposing a new ISP as a target,” Kleha said.

According to Postini, the most significant development in spam vectors this quarter was the appearance of location-based spam. In this type of attack, users click on a link in a spam message and are directed to a page that contains a fraudulent news headline describing a crisis or disaster in a major city nearby.

The attack customises the location for each user by determining the geo-location of the user’s source IP and then identifying the nearest major city. The addition of location creates a heightened level of interest, and the user is tempted to click on the embedded video – which, in turn, downloads a virus to his or her machine.

Meanwhile, the economy, financial markets, job cuts, and resume help continue to be the most prominent topics spammers are employing as lures for more traditional attacks.

Postini also saw increased spam activity around the US presidential inauguration and St Patrick’s Day, in keeping with the recent propensity spammers have demonstrated for reading the news and keeping their eyes on the holiday calendar in targeting their attacks.

In early 2008, a trend emerged in which spam messages with attached viruses (otherwise known as ‘payload viruses’) spiked every Sunday, possibly targeting a maintenance window to catch corporate defences while they were undergoing scheduled updates.

In the month of March, there was a 900pc increase in the number of payload viruses compared with February.
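As an added illustration (not from the article or from Postini), here is a small Python check a mail administrator could run over gateway logs to spot the weekday pattern described above: it counts virus-laden attachments per weekday and flags any day whose count sits far above the others. The log format and the sample lines are constructed for the example.

```python
from calendar import day_name
from datetime import datetime
from statistics import median

# Constructed sample of mail-gateway log lines (not real data): an ISO
# timestamp, the filter verdict and whether an attachment was present.
# 2008-02-03 is a Sunday; the other six lines cover Monday to Saturday.
SAMPLE_LOG = """\
2008-02-03T02:11:09Z verdict=virus attach=1
2008-02-03T03:40:21Z verdict=virus attach=1
2008-02-03T04:05:55Z verdict=virus attach=1
2008-02-03T05:19:02Z verdict=virus attach=1
2008-02-03T06:00:00Z verdict=spam attach=0
2008-02-04T09:12:44Z verdict=virus attach=1
2008-02-05T10:03:17Z verdict=virus attach=1
2008-02-06T11:47:30Z verdict=virus attach=1
2008-02-06T12:00:01Z verdict=clean attach=1
2008-02-07T08:30:00Z verdict=virus attach=1
2008-02-08T14:22:10Z verdict=virus attach=1
2008-02-09T16:05:33Z verdict=virus attach=1
"""


def payload_virus_per_weekday(log_text):
    """Count messages flagged as a virus with an attachment, keyed by weekday name."""
    counts = {name: 0 for name in day_name}  # start every weekday at zero
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("verdict") == "virus" and kv.get("attach") == "1":
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            counts[day_name[when.weekday()]] += 1
    return counts


def weekday_spikes(counts, factor=3.0):
    """Return {weekday: ratio} for days whose count is >= factor x the median of the others."""
    spikes = {}
    for day, n in counts.items():
        baseline = max(median(v for d, v in counts.items() if d != day), 1)
        if n >= factor * baseline:
            spikes[day] = n / baseline
    return spikes


if __name__ == "__main__":
    print(weekday_spikes(payload_virus_per_weekday(SAMPLE_LOG)))  # {'Sunday': 4.0}
```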

“Viruses delivered as a blended threat (when a spam message directs a user to a malicious website, which then results in a virus being downloaded to the user’s computer) continue to be popular with spammers. E-cards are one of the best examples of this vector, and Valentine’s Day saw a flurry of activity using e-cards to direct users to malicious websites,” Kleha wrote in the Official Google Enterprise Blog.

By John Kennedy