It’s a Good News, Bad News Thing: Spam Down, Malware Up

As the old adage goes, we have some good news and some bad news; which do you want first? Let’s start with the good. Security firm Proofpoint has released their threat report for 2014, and as the firm points out, the report offers a good opportunity to compare year-over-year data to see where we’ve been and how far we’ve come. Right off the bat, the statistic that’s going to make everyone happy is the overall volume of spam email messages. Now, this isn’t news, in the sense that we’ve reported the trend before this. This time last year, we reported on a Kaspersky Security Bulletin for early 2014, and the results showed that spam volume is on the decline. Indeed, we’ve been seeing that trend for a long time, but it was difficult to get too excited. The spam decline in 2013, according to Kaspersky, was 2.5 percent, with overall spam numbers still representing about 70 percent of all email messages.

Proofpoint, however, is reporting an overall decline in the average daily volume of spam emails between 2013 and 2014 of 56 percent. Granted, we’re always careful not to read side-by-side reports from different firms as comparative, for a number of reasons. Each firm has its own methodologies for the collection and processing of numbers. In many cases, it could be an apples-to-oranges comparison to treat the numbers equally because they may represent different things using information extracted from different areas. In addition, sample sizes may vary, locations tracked may be disparate, and methods used for identifying spam might have different touchpoints. As Proofpoint points out in their report, they track “spam volumes via a system of honeypots. The volumes historically track with that of our customer base.”

However, there is good reason to trust Proofpoint’s numbers. As InfoSecurity Magazine points out, the drop in spam volume is due in no small part, says Proofpoint, to disruption to the GameoverZeus botnet, which was taken down in July. Proofpoint’s site and several other sources (which appear to take the information from Proofpoint at face value) also report a takedown of Kelihos in September, but the link provided by Proofpoint points to the 2011 Microsoft takedown of the botnet, and we’re unaware of any significant event in 2014 relating to Kelihos. If you’re familiar with it, you know it just refuses to go away, and in fact we’ve seen a resurgence in Kelihos late in the year.

Now for the bad news, and it’s a three-pronged threat. First, malicious software is on the rise. What we gained with the reduction in email spam, Proofpoint writes, “was more than made up for in maliciousness… Proofpoint detected a surge in the percentage of malicious URLs in unsolicited emails: that is, a higher proportion of the URLs contained in unsolicited emails were determined to be malicious. After a sustained surge in mid-2014, the average returned to longer-term levels (approx. 10 percent) but with the ‘new normal’ of extremely high spikes over multiple days, including multiple occasions where the percentage of malicious URLs in unsolicited emails exceeded 40 percent.”

In addition to the increase in malicious URLs, Proofpoint also notes that “attackers were generating a larger number of URLs (and sending each to a smaller number of recipients) in order to improve their chances of evading blocking by URL reputation filters, and URLs pulled in malware that was generally more sophisticated. (We saw a similar pattern with attachments in the case of the 305 Dridex botnet that we described recently.)”

Spear phishing is also on the move. “Spear phishing was linked to numerous high-profile cyberattacks in 2014, [and] hackers are now increasingly channeling their energies into phishing campaigns against bank employees rather than bank customers. Essentially, they are going after the bank itself.” The hackers are using “convincing e-mail ruses” to trick bank employees into clicking malicious links or providing client information, and that spells extra trouble for those of us who prefer that our banks protect our money.

Finally, botnets represent an ongoing yet evolving threat to users. “The use of botnets is becoming an increasingly popular tool, and as noted in the Spamhaus project’s Botnet Summary for 2014, botnet activity appears to be on the rise. The perpetrators behind botnets can precipitate the acquisition of sensitive financial, banking, and personal data, which then may be sold on the black market. As financial and personal data increases in value, botnet use rises.”

Proofpoint asks a valid question, one that we all need to ask ourselves, and one that we’ll likely visit and revisit in the future. “Are companies doing enough to stem the flow?”