Email Security in 2011: Spamming spammers and spam
Orlando Scott-Cowley, Internet & Messaging Security & Compliance expert, Mimecast
A big surprise for the end of 2010 was the global decline in spam from August through to December. The surprising thing was that there isn’t an obvious reason for the three biggest spamming botnets – Rustock, Lethic and Xarvester – to reduce their numbers. There are a lot of theories but the one that makes the most sense is that there isn’t enough cash in traditional email spam anymore.
But what does that mean? Here are some thoughts on what we can expect in 2011:
- Spam won’t go away: Even with the apparent fall in the spam rate at the end of 2010, this menace will still bother us. Opportunities to buy herbal ‘enhancements’, wristwatches and the chance to receive an inheritance, which has been deposited in the Prudent Trust Bank of London, England (where?), will continue. But…
- Spam will go away: From our inboxes at least. We’ll see a continued drop in the amount of spam we receive to our inboxes. Why? Two reasons really: firstly, the technology protecting those inboxes will improve dramatically, and secondly, because the spammers know this – they will start to invade our blogs, our Twitter streams, and our social networks instead.
- Adverts or spamverts?: If Google can target ads for you, so can spammers. Try tweeting about a car loan or mortgage and see how many spam tweets you receive back. This will only get worse.
- There will be at least one significant social breach: We already know that many high profile sites suffer at the hands of attackers daily. The Gawker Media breach will no doubt be the turning point as attackers look for a larger pile of personal data to plunder.
- Conspiracies will continue: Conspiracy or not, the release of Stuxnet into the wild demonstrated a very well researched, constructed and targeted threat agent. Stuxnet showed the world that clandestine activity can have an invisible but far-reaching impact and be far more subtle than traditional spy-craft or warfare. I expect that 2011 will see a similar infrastructure integrity attack by a cousin of Stuxnet, which may well have been a noisy proof of concept. Whether the next attack makes the headlines or not depends on the stealth of the coders.
- Botnets (again): With the demise of the boisterous botnets of yesteryear, a new breed of botnet will emerge where command and control is so distributed that it uses many common mechanisms to communicate and infect. Using services like Twitter as a dead letter box is likely to be the level of deviousness we’ll see, and this tactic will be very hard to defeat.
- Spear Phishing will rise: Specifically targeted attacks against individual organisations will increase. Why? Because the rewards can be so great. In fact we’ve already seen a wonderful example of this with the Zeus Trojan downloaded from a fake White House ecard, where numerous government employees were duped into ‘clicking the link.’ This successful attack demonstrates that social engineering is still the attack vector of least resistance.
As with all security threats there is only so much technology can do – educating users is always the best line of defense. With the increase of targeted, socially engineered and ruthless attacks, businesses need to run consistent awareness campaigns with all staff. My hope is that 2011 is the year that common sense prevails.