Spammers Loosen Up, Become More Dangerous

Uh-oh. Welcome to my lair, said the spider to the fly. And we all know how that worked out: spider meets fly, fly gets busy with spider, spider eats fly. Ick. And if you haven’t been following the most recent exploits of those intrepid spammers – you know the ones, the ones who annoy, invade, attempt to steal and generally bug the hell out of us – then be prepared to say double ick.

This week, several media outlets are reporting a change in the way spammers do their, uhm, business, and if the reports are true, it looks like the scam artists are easing up on those predictably bad appeals aimed at only the most vulnerable among us. Typically, your average spammer relies on the stupidity and/or ignorance of the recipient, requiring the person reading the mail to pry open the mouth of the lion and stick his head in. Usually based on a theme requiring some urgency, these e-mails attempt to scare the user into thinking that the tax man is about to seize his house, shut down his PayPal account or permanently block him from purchasing fake Viagra. It’s a scheme that fails to snare most of us, but when someone does get fooled by these messages, the results can be disastrous.

Fortunately, most of us have been able to rest easy in the knowledge that these things can be spotted by a blind man from a mile away. Poor grammar, egregious misspelling and suspicious-looking pages that clearly don’t belong to the pretended institution: all clear giveaways that can be easily spotted by spam filters and dumped in the trash. Now, however, the buzz on the street is unsettling and a little creepy, if you stop to think about the implications.

Researchers are saying that the Blackhole exploit kit, purported to be the most popular web threat in terms of usage, is being used in conjunction with smarter and more believable spam e-mails to douse any unfortunate user who clicks a link with a tidal wave of harsh reality. Blackhole, developed in Russia and licensed out to any enterprising young scammer who wishes to purchase it, is based on PHP and MySQL and uses malicious links fueled by JavaScript to identify and take advantage of security flaws on the target computer. Blackhole appeared in 2010 and sells for $1,500 for an annual license. To date, the most successful Blackhole exploit is said to be a hack of the US Postal Service’s Rapid Information Bulletin Board System (RIBBS) in April 2011.

According to Help Net Security, the most popular use of Blackhole is the impersonation of “social networking sites (Facebook, LinkedIn, MySpace), e-payment and e-commerce companies (PayPal, eBay), airlines (US Airways, Delta Airlines), financial institutions (AmEX, Citibank, Bank of America) and logistics services companies such as FedEx, UPS, etc.”

Unlike ‘traditional’ spam e-mails, which often convey a sense of urgency, recent spam methods are looser, according to the same article. “The phishing messages of today have far less urgency and the message is implicit: ‘Your statement is available online’; or ‘Incoming payment received’, or ‘Password reset notification.’” The implication, of course, is that users may be lulled into a false sense of security by something that doesn’t threaten unreasonable earth-shattering consequences if the user doesn’t act immediately.

According to the researchers, this new use of e-mail spam creates “difficulties for traditional antispam methods. Content-based filters, for instance, have a problem with the attacks because these use modified versions of legitimate emails, making detection and blocking more difficult to do.”

This newer, looser approach to spam e-mail, combined with links to Blackhole-infested sites, ups the ante for IT professionals. Users need to be aware that just because a spam e-mail looks more legitimate – say, than one which uses poor writing and bad grammar – it is no safer to click on links in e-mails that purport to be from a financial institution, or from a social media site for which they happen to have an active account. Humans are creatures of habit, and if they happen to read an e-mail that looks exactly like a legitimate e-mail they have received in the past, they’re more apt to click the link without a second thought.

As always, user education is paramount. If you’re holding an information session with your staff, fabricate an e-mail from a legitimate site, swapping out the link for something else. Show them how a link can say one thing but be something totally different, using simple techniques like hovering over the link to see its true nature. And, as always, tell them to stop and think about what they’re doing before they click.
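The two points above, that content filters struggle with near-copies of legitimate mail and that the hover check reveals where a link really goes, both come down to the same thing: the visible text of a link and its actual destination can disagree. The following is an added example, not code from the article or from the researchers it cites, that does the hover check mechanically over an HTML e-mail body: it extracts every anchor, compares the host the text displays with the host the `href` points to, and flags links whose host lies outside the purported sender's domain. The sample message, the sender domain and the `.invalid` lookalike host are constructed for the demo, and the two-label "registrable domain" rule is a simplification (real code should consult a public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' for mailto:/relative links."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    # Simplification: treat the last two labels as the owning domain.
    # A public-suffix list is needed for hosts such as example.co.uk.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_links(html, sender_domain):
    """Return a list of suspicious links with the reasons each was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if not real_host:
            continue  # mailto:, tel:, anchors and relative links carry no host
        reasons = []
        # Check 1: the text looks like a URL or domain but the href goes elsewhere.
        looks_like_url = "." in text and " " not in text
        shown = text if "://" in text else "http://" + text
        shown_host = host_of(shown) if looks_like_url else ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            reasons.append(f"text shows {shown_host} but href goes to {real_host}")
        # Check 2: the link host is not under the domain the mail claims to be from.
        if registrable_domain(real_host) != registrable_domain(sender_domain):
            reasons.append(f"href host {real_host} is outside sender domain {sender_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a low-urgency "statement available" notice whose one
# action link displays the bank's address but resolves to a lookalike host.
SAMPLE_EMAIL = """
<p>Your statement is available online.</p>
<p><a href="http://example.com.login-verify.invalid/stmt">https://www.example.com/statements</a></p>
<p>Questions? <a href="https://www.example.com/help">Help Center</a></p>
<p><a href="mailto:support@example.com">Contact us</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, "example.com"):
        print(finding["href"], "<-", repr(finding["text"]))
        for reason in finding["reasons"]:
            print("   ", reason)
```

Only the statement link is reported: its visible text names `www.example.com` while the `href` host is the lookalike, and that host also falls outside `example.com`. The help link passes both checks and the `mailto:` link is skipped. Because the check keys on link structure rather than on wording, it is indifferent to how closely the message body copies a real notification, which is exactly the gap the researchers describe in content-based filtering.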
