• E-mail
• Print
• Comment
• Font Size
• Digg
• del.icio.us
• Discuss article

Spam's Noir Side Invades the Net Cybercriminals Are Targeting Organizations for Extortion

Posted on: Wednesday, 25 January 2006, 09:00 CST

By Thomas Crampton

Watch what you say at Davos. During a late-night session of the World Economic Forum in 2004, Bill Gates said the Internet spam problem would be solved within two years. "We all maybe cringed a little bit when Bill made that statement," said Ryan Hamlin, who heads anti-spam activities for Microsoft as general manager for Technology Care and Safety. "But one great thing about Bill's statement was the call to action for the industry to work on it." The statement did cause a great deal of excitement at the time, and Hamlin perhaps not surprisingly argues that Gates was correct. "I won't say spam is dead, but we can say spam is contained," Hamlin said. "If you use the latest anti-spam technologies and educate yourself on how to use them, you should not have a problem." Not everyone agrees. Many e-mail users would argue that spam is still going strong, and some spam fighters even warn that the number of unsolicited e-mails is rising. What is more, a fundamental shift is under way in the world of cybercrime toward using spam to make specific organizations targets for extortion, a report from IBM that was released Monday warned. "I would go so far as to say that, not only is Microsoft wrong about the reduction of spam, but they are actually part of the problem," said Richard Cox, chief information officer of the Spamhaus Project, a self-financed group in London that distributes free data to combat spam. "Microsoft could, for example, more aggressively attack spammers operating off Microsoft- owned Hotmail accounts." Spamhaus estimates that the total amount of spam on the Internet has more than doubled since Gates made his statement two years ago, and Cox added that any measure of spam reaching a user's desktop misses the point. "Even when spam doesn't get to your inbox, it uses up bandwidth," Cox said. "The necessary increased filtering also risks blocking genuine e-mails." The unwanted commercial messages circulating on the Internet far outnumber legitimate e-mails

. Outblaze, a company that manages more than 40 million e-mail accounts around the world, calculated a ratio of more than 14 spam messages to each genuine message when the company took a snapshot of more than 1.4 million messages received during a single minute late last year. "It used to be that when you built a better mousetrap, the world beat a path to your door," said Suresh Ramasubramanian, a spam fighter for Outblaze. "With spam, I find that when I build a better mousetrap, the mouse just gets smarter." One dangerous new development, Ramasubramanian said, is the proliferation of spam carrying automated programs that install themselves on computers without the knowledge of the users. Once in place, the hidden programs, known variously as worms, viruses or simply "malware," harness the computer's processing power and bandwidth to send out spam in a highly automated and decentralized way, without the user's knowledge. Such programs sometimes also steal personal data and e-mail addresses. "Spammers now have zombie armies of networked computers that can send out spam messages from thousands of computers at the same time," Ramasubramanian said. "This started with the SoBig worm in 2003 and brought an industrial revolution to spamming." The IBM security report warned that malware over the past year has become more potent and dangerous. The Organization of Economic Cooperation and Development also has warned that spam tactics are becoming more criminal. "Some feel the perception of spam as an annoyance has decreased because of filters and because people are getting used to it," said Claudia Sarrocco, a policy analyst at the organization's Information Computing and Communications Policy division. "But the bad news is that spam is changing from an annoyance into something actually very dangerous." Spam began as a relatively harmless means of commercial promotion. The very first spam message, it is generally agreed, was sent by a marketing representative of the DEC computer company on May 3, 1978, over the Arpanet, a computer network that preceded the Internet. The message, urging Arpanet users on the West Coast of the United States to attend a DEC product presentation, prompted a predictably angry response, with one user even hinting legal action or sanctions. In the past few years, however, spam has entered a more criminal phase, and new words like "phishing" and "spearphishing" have been invented to describe the evolution. "Spam has shifted from basement amateurs to hard-core criminal enterprises," Sarrocco said. "True criminals have started getting into the spam game." In a phishing scam, an e- mail request for passwords, credit card numbers or other personal information seems to come from a bank, government official or network administrator. To enhance credibility, phishing e-mails often link back to Web sites that closely resemble real Web sites. The IBM study released on Monday reported that in 2005 phishing represented an average of one in every 304 e-mails, up from one in every 943 the previous year. The report added that phishing or spearphishing against specific targets was on the rise. Spearphishers attack a company or a specific group of users to make the request for information seem more legitimate. "This is a very powerful new technique and very worrying," Sarrocco said. "Spearphishing can be used effectively for industrial espionage or identity theft on a grand scale." Such techniques are particularly pernicious, Sarrocco said, because they undermine confidence in e- commerce. "Threats to Internet security diminish trust and slow economic development," Sarrocco said. "We view this as a real risk to confidence in the Internet and something we need to urgently combat." Fighting spam, Sarrocco and other spam fighters said, requires educating the public, further technical innovation and the creation and enforcement of anti-spam laws. Legal approaches to fighting spam already have had effects in some parts of the world, Sarrocco said. In Europe, for example, the law requires a company to have explicit permission to send an unsolicited commercial message to a user. By contrast, in the United States and most other parts of the world, laws require only that companies offer a way for users to request to be taken off mailing lists.

Source: International Herald Tribune

More News in this Category