Spam-fighting strategies used by ISPs and consumers might be turning the tide against unwanted e-mail. However, innovative phishing scams continue to target both corporate users and consumers.
Users of file-sharing networks are particularly vulnerable to attacks, a new industry analysis warns.
According to a recent report by Bigfoot Interactive, a provider of e-mail communications and marketing automation technologies, survey respondents said they get less spam in their in-boxes now than last year. However, 89 percent of the respondents said they want e-mail providers to be able to authenticate the e-mails they receive to lessen the risk of phishing attacks.
Spam, Phishing Very Successful
“Reports like this help to raise the public awareness. They show that the business community needs to be more aware,” Jordon Cohen, director of ISP and government regulations for Bigfoot, told the E-Commerce Times.
Meanwhile, a first-of-its-kind report from Internet security firm Blue Security reveals that spammers and phishers continue to be very successful in exploiting Web sites to create visitor profiles for spamming and phishing attacks. The report details how e-mail providers and ISPs unknowingly hand over customer lists to spammers through a series of automated Web attacks.
“Some major Web sites are protecting visitors against these automated profile attacks, but most don’t have a clue,” Blue Security CEO Eran Reshef said.
Bigfoot Interactive’s nationwide survey, released in March, charts consumer perceptions of spam and Internet security. The survey shows positive signs that the war on spam is working.
Raising Public Awareness
A majority of consumers (57 percent) said they receive less spam and more relevant communications in their in-boxes today than they did one year ago. The results of the survey are in line with an announcement from America Online last December that it had experienced a substantial decline in spam sent to and received by its members.
Bigfoot’s Cohen said reports issued by market players such as AOL and Blue Security are more than just marketing hype.
“We view these reports as a way to raise the public profile on these security issues,” Cohen said. “These reports call attention to how bad phishing is getting.”
Even industry watchers readily admit that spam is getting under control.
“It continues to amaze me that spam still exists. We don’t spend much time on it from an annoyance standpoint,” J. T. Keating, vice president of marketing for Internet security firm Whole Security, said.
The Bigfoot survey disclosed that 65 percent of consumers currently use anti-spam filtering or challenge response software.
Phishing Main Net Problem
Pete Schlampp, senior director of product management for Internet security firm IronPort Systems, agrees with the survey results. He said that phishing is the most prevalent problem related to e-mail and is getting worse.
Respondents in the nationwide Bigfoot survey said phishing attacks were difficult to recognize. Thirty-four percent said they have received fraudulent or phishing messages disguised as a legitimate e-mail asking them to verify personal information.
The report revealed a lack of confidence among consumers in spotting bad e-mail. Sixty-eight percent said they doubted they could identify or detect a fraudulent “phishing” e-mail designed to look like those of legitimate businesses, financial institutions and government agencies.
From Bigfoot’s view, the industry is readying plans to give consumers the confidence they need in avoiding phishing. Schlampp said industry partnerships are working on adopting standards for an e-mail authentication system.
“I see the industry coming together with authentication protocols,” Cohen said. “The Blue Security report just proves that consumers are still vulnerable.”
E-Mail Code Blue
Consumers who doubt their own ability to avoid ID theft from bad e-mail will not get much solace from Blue Security’s survey results on how hackers are mining e-mail addresses and passwords.
The two newest phishing attack scenarios involve registration attacks and password reminder attacks.
Blue Security’s Hostile Profiling Report released late last month revealed that spammers and phishers are exploiting the automatic log-in reminder feature to gain access to valid user accounts on many popular commercial Web sites.
“It is very easy for hackers to create a script and run e-mail address requests to get reminders of passwords or to try registering with a stolen e-mail address,” Blue Security’s Reshef told the E-Commerce Times.
ID thieves can get very detailed user profile information on registered users of commercial Web sites and other online services just starting with an e-mail address, he said.
Automatic procedures in place at most Web sites enable the bad guys to harvest e-mail addresses and open new accounts. The same procedures help evildoers check which new log-on names are available and which are already taken, Reshef said.
How Exploits Work
Blue Security found that by automatically attacking hundreds of Web sites, spammers and phishers can generate a detailed consumer profile from any e-mail address. This user profile includes the owner’s place of residence, hobbies, political views, purchasing preferences and health information.
With such easily acquired user information, the ID thieves can then target victims for spamming and phishing attacks.
The exploit is easy to use. Just enter a made-up user name or a known e-mail address. Most Web sites will report back instantly whether that is a valid user account. If the account is valid, find out the password by using the password help feature.
Reshef said that attackers who use registration and password reminder attacks can harvest user addresses from nine out of 10 major ISPs and Web-based mail providers in the U.S.
Sources noted that the registration and password reminder exploits worked at heavily visited Web sites such as Amazon, the American Heart Association, various basketball Web sites and partially at eBay. While eBay protects users against registration scams, it still provides a password reminder feature.
Attackers armed with knowledge of these registration and password reminder tactics can also retrieve a Web site’s entire customer list, according to the Blue Security report. This exposes innocent users to spam and to well-targeted phishing attacks.
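As an added illustration of the leak the report describes (example code written for this article, not code from Blue Security or from any site it names), here is a password-reminder handler whose reply reveals whether an account exists, beside a hardened version that answers uniformly, delivers only to the mailbox, and throttles and records bulk lookups from a single requester. The user table and requester names are constructed.

```python
from collections import defaultdict

# Constructed sample user table for this example (not real accounts).
REGISTERED = {"alice@example.com", "bob@example.com"}
UNIFORM_MSG = "If an account exists for that address, a reminder has been sent."


def leaky_reminder(email):
    """Vulnerable pattern: the form's reply states whether the account exists,
    so an automated script can test addresses one by one and keep the valid ones."""
    if email in REGISTERED:
        return "Password reminder sent to your address."
    return "No account is registered under that address."


class ReminderService:
    """Hardened pattern: the same reply whether or not the address is registered,
    the reminder goes only to the mailbox, and lookup volume per requester is
    capped and recorded so bulk probing can be reviewed."""

    def __init__(self, max_requests=5):
        self.max_requests = max_requests
        self.requests = defaultdict(int)  # requester id -> lookups this window
        self.sent = []                     # addresses that actually got a reminder

    def reminder(self, email, requester):
        self.requests[requester] += 1
        # Throttled requesters receive the identical message: the throttle itself
        # must not become a new signal about the queried address.
        if self.requests[requester] <= self.max_requests and email in REGISTERED:
            self.sent.append(email)
        return UNIFORM_MSG

    def is_throttled(self, requester):
        return self.requests[requester] > self.max_requests

    def suspicious_requesters(self):
        """Detection hook: requesters whose lookup volume exceeded the cap."""
        return sorted(r for r, n in self.requests.items() if n > self.max_requests)
```

The same uniform-reply rule applies to registration forms: "check your inbox to confirm" for every address, rather than "that address is already registered".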
Blue Security’s research team conducted a P2P harvesting test to find out how quickly spammers can access and steal e-mail addresses and personal information.
On two major P2P networks, it took the company’s researchers just three days to download all the personal information about 25 times each.
In that same time span, researchers received 700 spam messages from six different spammers, according to the report.
File Sharers at Risk
The Blue Security report concluded that P2P harvesting lets spammers easily bypass all existing protective methods.
What might be even worse for file sharing network users is that spammers can not only harvest e-mail addresses from P2P networks, they can also use P2P to share bulk-mailing software and harvested e-mail address lists among themselves.
“Every minute, tens of thousands of e-mail addresses are accidentally shared over P2P networks, exposing millions of users around the globe to unsolicited e-mail,” Reshef said. “Most users are unaware that this is happening to them and current technologies do not stop these types of attacks.”
Blue Security officials are using the results of the consumer study to fine-tune a new software product designed to reduce spam and spyware attacks. The product will be useful for both consumers and enterprises.
CEO Reshef said the product is based on the Do-Not-Disturb registry concept.
He said hostile profiling is another example of how online criminals abuse the Internet.
“Obviously, existing technology is unable to provide adequate protection from the cunning new methods devised by spammers and phishers almost every day,” Reshef said. “There is a need for a viable solution to spam, a solution that will not just block but eliminate spam and that will allow consumers and enterprises alike to reclaim their Internet experience.”