Spam Slayer: Next-Generation Spam

By Tom Spring, PC World

Tip of the Month: Beware of instant messages that contain hyperlinks. In early January a virus spread via America Online's AIM. The message, which appeared to be from someone on the recipient's buddy list, contained an invitation to view photos at a linked Web site. People who clicked on the link unknowingly downloaded spyware.

Spammers adapt quickly. One day they're sending out mortgage leads using a computer server in Shanghai. The next day, they're sending pitches for Viagra using a zombie PC in Detroit. It's all part of their efforts to avoid getting caught, and to trick ISPs' spam filters into letting their messages through.

Spam exterminators know this cat-and-mouse game all too well. Nonetheless, they say that 2005 was a good year in the fight against spam. In 2005, the volume of spam being sent stopped growing at double-digit rates, and many ISPs and e-mail providers claimed to have prevented more than 90 percent of unwanted e-mail from reaching their customers' inboxes.

But in the anti-spam world, there is barely time to rest on your laurels. Reps at several ISPs whom I spoke with say they are gearing up for new challenges in 2006, when they expect spammers to grow more sinister.

What follows is a list of what spam experts and ISPs say will be keeping them on their toes in 2006.

AOL spam fighters say that 2006 will be the year of the zombie networks. Zombie PCs are computers that have been infected by malicious code that allows spammers to use them to send e-mail. A zombie network is not just one zombie PC spewing spam, but an army of them working together. By routing junk e-mail through these PCs, spammers can hide their identity and can also save money on the bandwidth required to send large volumes of e-mail.

When spammers use a network of PCs instead of just one zombie, it becomes much harder for an ISP to block the messages. Instead of having to block e-mail from just one PC, the ISP is overwhelmed with messages from as many as 20,000 zombie PCs. A million messages sent from one PC can be easily detected and often quickly blocked. However, a trickle of spam from 20,000 PCs is much harder to detect and block. Even if only 50 messages from each PC get past an ISP's spam defenses, that's still a million spam messages.
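The evasion described above, as an added illustration that is not part of the original article: a per-source volume threshold catches the one PC that sends a million messages but misses 20,000 zombies sending 50 each, whereas fingerprinting the message body and counting how many distinct sources send the same campaign catches the trickle. The log records, addresses and thresholds are constructed for the example.

```python
import hashlib
from collections import Counter, defaultdict

BULK_IP = "203.0.113.5"   # constructed: one loud sender
MORTGAGE = "Refinance your mortgage today! Low rates, act now."
PHARMA = "Cheap meds online - no prescription needed"

def build_sample_log():
    """Constructed outbound-mail log: a list of (source_ip, body) tuples."""
    log = [(BULK_IP, MORTGAGE)] * 1000            # 1,000 copies from a single PC
    for host in range(200):                       # 200 "zombies", 5 copies each
        log += [(f"198.51.100.{host}", PHARMA)] * 5
    for i in range(20):                           # ordinary mail: unique bodies
        log.append((f"192.0.2.{i}", f"Hi, see the attached report #{i}."))
    return log

def per_source_volume_alerts(log, threshold):
    """Flag any source whose message count exceeds the threshold."""
    counts = Counter(src for src, _ in log)
    return {src for src, n in counts.items() if n > threshold}

def body_fingerprint(body):
    """Normalise case and whitespace before hashing so near-identical copies collide."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()

def campaign_alerts(log, min_sources):
    """Flag bodies seen from at least min_sources distinct sources (the botnet trickle)."""
    sources_by_fp = defaultdict(set)
    for src, body in log:
        sources_by_fp[body_fingerprint(body)].add(src)
    return {fp: srcs for fp, srcs in sources_by_fp.items() if len(srcs) >= min_sources}

def flagged_sources(log, threshold=100, min_sources=50):
    """Union of both detectors: loud senders plus every source tied to a shared campaign."""
    flagged = per_source_volume_alerts(log, threshold)
    for srcs in campaign_alerts(log, min_sources).values():
        flagged |= srcs
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("volume detector flags:", per_source_volume_alerts(log, 100))
    print("campaign detector flags:", {fp[:8]: len(s) for fp, s in campaign_alerts(log, 50).items()})
    print("total sources flagged:", len(flagged_sources(log)))
```

The volume detector alone flags one address; the campaign detector adds the 200 low-rate zombies, while the 20 ordinary senders with unique bodies are left alone.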

Identity thieves will get more cunning in 2006, say representatives from Microsoft's MSN Internet service. Phishers attempt to trick e-mail recipients into clicking on a link in an e-mail that appears to be from a trusted company. Once recipients go to the counterfeit Web site, they are lured into providing their personal information.

Phishing spam is getting far more targeted, MSN representatives say, noting that a technique dubbed spear phishing will become more frequent this year.

Spear phishing is a highly targeted phishing attack typically sent to everyone associated with a certain company, government agency, affinity group, or organization. The idea is that recipients would be more apt to respond to an e-mail from the alumni committee of their old college than they would to an e-mail from eBay asking them to update their billing information.

AOL reps say that in 2006 we'll also be seeing more "special-order" spam, in which phishers play off of your security concerns, especially the fear that your identity has already been stolen.

Already, AOL is seeing messages with the subject line "here is your order conformation" or messages that look like completed orders that ask you to "'click here' if this isn't your order."

Clicking on the link in the messages typically leads you to a site that tries to download malicious code onto your PC or tries to trick you into handing over personal or financial information.

Viruses and worms that take advantage of security holes in Microsoft's Outlook and Internet Explorer are a given for 2006, say experts.

"I'll eat my hat if we don't see another IE exploit in 2006," says Richi Jennings, analyst at Ferris Research.

Jennings says the recent Windows Metafile Format flaw, which allowed hackers to install spyware, adware, and other malicious programs, is a perfect example. Immediately following these types of exploits and virus outbreaks, there are typically large upticks in the number of new zombie PC infections, anti-spam experts say.

In December 2004, about 35 percent of spam originated from zombies, says Gregg Mastoras, an analyst at the security firm Sophos. Today 60 percent of spam is sent from zombie PCs, he says. Mastoras says 2006 will only see more infections.

Just as fashion trends change yearly, so, apparently, do spam themes. In 2005 spam pitches ranged from cable descramblers to "free" iPods. But in 2006 spammers will be promoting things like investment opportunities and pumping penny stocks instead of pushing products. Why? Likely because it's extremely hard to differentiate a real stock tip from your broker from a fake one from a spammer, AOL says.

Phishing attacks will stay in vogue for 2006 and so will spam pumping online pharmacies. But because of increased enforcement of spam laws, namely CAN-SPAM, more spammers are afraid to drive traffic to product-oriented Web sites. Sites selling products make it easier for law enforcement to track who is behind them--and who is sending the spam. Product-related spam also often contains blacklisted URLs that trigger spam filters to block the e-mail.

"Many spammers are reinventing themselves," says Paul Judge, chief technical officer for Cipher Trust. In 2006, spammers will increasingly target everything from blogs to instant-messaging networks, he says.

"Whatever messaging paradigm that consumers are using, spammers will be right there," Judge says.

Because spammers are increasingly challenged by more-effective spam filters, they are forced to shift their business tactics. While the spam message hasn't changed, the online medium has.

IM spam is up, according to Cipher Trust. Judge says 10 percent of IM traffic is spam: "It is where e-mail traffic was several years ago."

Another trend growing in popularity is the spam blog, or splog, which can take on various forms. Most splogs are produced by spammers who create hundreds of Web logs promoting everything from gambling sites to diet plans and pornography.

Splogs are full of links to Web sites, plagiarized or nonsensical content, and sometimes advertisements. Spammers who set up these sites are hoping to trick search engines into thinking the sites that the splog points to are very popular. Search engines base page ranking, in part, on how many other sites link to that site.

Other splogs are designed to show up high in search results. Splog creators hope you will click through to their site so that they can earn a few pennies by getting you to view a few online ads. Other splogs may link to a site that offers a commission for referring traffic.

By some estimates, anywhere from 2 to 8 percent of the 70,000 new blogs created daily are splogs. The shady blogs have become a major headache for host companies that offer Web log services for free, such as Google, Microsoft, and Yahoo. Many are fighting back with special software designed to combat splogs. Still others in the anti-spam community are taking action and creating anti-splog sites like SplogSpot and Splog Reporter, where you can report abuses.

Ryan Hamlin, general manager of technology care and safety at Microsoft, is optimistic: "If you think of solving the spam problem as a marathon, we have passed the 20-mile marker."

Let's hope that he's right--and that the last few miles aren't the most grueling.