Monday, 5 December 2011

It's Not Junk Email That Is The Worry But What Lies Behind It

It’s quite scary how many home computers are unwittingly aiding and abetting cyber criminals: 6% according to the latest study reported by the BBC. And it’s not just spam email that is the problem.

One of the issues facing those tackling the problem is that spammers are becoming ever more cunning in their use of email content.  Whilst spam filters look for obvious content, often through keyword monitoring, the spammers subtly change the content so that it remains readable to a recipient but not to an automated process.  The classic is replacing a letter (say “l”) with a number (say “1”).
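As an added illustration (not code from the original post), the sketch below contrasts plain keyword monitoring with a matcher that tolerates the letter-for-number swap described above. The look-alike table, function names and sample subject line are assumptions constructed for this example.

```python
import re

# Constructed, deliberately small look-alike table (an assumption of this
# example); "1" appears under both "i" and "l" because senders use it for either.
LOOKALIKES = {"a": "a@4", "e": "e3", "i": "i1!|", "l": "l1|",
              "o": "o0", "s": "s5$", "t": "t7", "g": "g9"}

KEYWORDS = ["viagra", "loans", "legal advice"]  # terms mentioned in the post


def naive_hits(text, keywords=KEYWORDS):
    """Plain keyword monitoring: exact substring match on lower-cased text."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


def compile_keyword(keyword):
    """Turn a keyword into a regex that tolerates look-alike substitutions."""
    parts = []
    for ch in keyword:
        if ch == " ":
            parts.append(r"[\s._-]+")
        else:
            chars = re.escape(LOOKALIKES.get(ch, ch))
            # one optional separator after each letter covers "v.i.a.g.r.a"
            parts.append("[" + chars + "][._-]?")
    # the lookarounds stop matches inside longer tokens such as "10answers"
    return re.compile("(?<![a-z0-9])" + "".join(parts) + "(?![a-z0-9])", re.I)


PATTERNS = {k: compile_keyword(k) for k in KEYWORDS}


def fuzzy_hits(text):
    """Keywords found once look-alike characters are taken into account."""
    return [k for k, pat in PATTERNS.items() if pat.search(text)]


if __name__ == "__main__":
    sample = "Cheap V1AGRA, l0ans and free lega1 adv1ce"  # constructed subject line
    print(naive_hits(sample), fuzzy_hits(sample))
```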

With the latest estimates saying that spam and malware-laden emails account for over 70% of all email traffic, this is undoubtedly a significant problem, although attempts over the last year have made some inroads into reducing the volumes.  Microsoft report in their latest Security Intelligence Report that machines running their software (and despite the wishes of the Apple lobby the vast majority of PCs run Microsoft operating systems) have seen a significant decrease in spam emails.

Having said that, there is a valid debate as to who should be trying to stop the email.  With landmark cases such as that in the European Court of Justice two weeks ago, which relieved ISPs of responsibility for ensuring traffic does not contravene copyright laws, who is to say that the ISPs should stop spam?  After all, the Post Office does not stop junk mail by default.  There is a view that we should all take more responsibility for our own machines and have email clients that can stop junk email and catch malware before it jumps from our email to our PCs.

This volume of spam does not mean great economic loss through reading adverts for illegal Viagra, cheap loans or free legal advice.  Rather, the criminal activity comes from so-called “phishing” emails.  You might think it rather daft to respond to, for example, someone calling themselves the ex-President of Nigeria who, if only you would deposit £1000 in his account, could release millions and he would reward you tenfold.  We’ve all had them.  But if you send enough of them, then someone will fall for the scam.

There is a classic hacker trick where you obtain a phone book for a company. Then you ring around each number in the book saying you are “technical support” and that you have called to help them with their problem.  Eventually you will reach someone who has a problem and lodged a call for help.  You then ask for the username and password, which of course they are happy to provide as you have proven you are technical support by responding to their call.  How else would you have known to call them? The current equivalent is the emails. We all receive emails from banks saying that they are responding to our call for assistance and would you just click this link and enter your details in the very authentic looking website.  The medium is different but the con is the same.  With billions of spam emails each day, the spammers can collect a frightening number of credentials.

However, in my opinion, the fact that such a large proportion of home machines host unknown malware hides a bigger threat than simply spreading large volumes of annoying and phishing emails.  By hijacking so many PCs it is possible to mount a massive probing operation that can seek out high value targets that are susceptible to classic hacking attacks.  A good example is what are known as “SQL Injection” attacks.  If an attacker had to manually probe every system using SQL to see if it was vulnerable, his/her arms would fall off before they found a victim.  But automate the process across many thousands of “bots”, each of which is reporting success or failure back to some master criminal machine, and you’ll have an embarrassment of victims from which to choose.  In fact, this is so effective that an industry is growing up in which one set of criminals will find the vulnerable machines and then sell the list to other criminals.

So, am I worried about junk email?  No.  Am I worried about those same hijacked PCs supporting criminal hacking?  Yes.  The graphs show that the junk email is beginning to be tackled but what is less clear is if the hidden activity of these botnets is being tackled.  My guess is not.