Personalized Spam

The Times of India has an article entitled "This Spam is Just For You!" The article is awkwardly written and I don't think that the point comes across very well, so I thought I'd rewrite some of it.

SAN FRANCISCO: Yes, guys, those spam e-mails for Viagra or baldness cream just might be directed to you personally.

So, too, are many of the other crafty come-ons clogging inboxes, trying to lure us to fake websites so criminals can steal our personal information.

A new study by Cisco Systems Inc found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use.

Unlike traditional spam, most of which is blocked by e-mail filters, personalised spam, known as "spear phishing" messages, often sails through unmolested. They're sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed websites that are bogus or immediately install malicious programmes.

The first part of the article is correct in that personalized spam is built from information harvested from other sources. For example, a cyber-thief might steal your email address from a website you visit, like a reunion website, and find out where you went to school. In this case, they might use a social engineering technique to harvest more information from you: "Hi So-and-so, your 15th reunion is coming up. Please go to this web page to fill in more details!"

They might also hack into a bank's system and get a list of email accounts of all the users for that bank.   In this case, a clever spammer would target you while spoofing your own bank in an attempt to deceive you into providing your bank password.  A spammer with a list of email addresses for a specific bank has a better chance of getting a victim than a spammer with a general list spamming a million random email addresses.

The article does a poor job of explaining why personalized spam gets through filters and why it is sent in smaller chunks. It is sent in smaller chunks because targeted advertising doesn't need to cut as wide a swath to get the desired response rate. If you already know something about your audience, you don't have to waste time sending out millions of messages. Do manufacturers of power tools advertise on the Oxygen network? Do retailers who sell women's makeup advertise on Sunday afternoons during football season? Of course not, because the target demographics aren't watching. Similarly, if a spammer knows something about the victims he is intending to spam, he only needs to send out a small spam campaign, not the millions of messages he might normally send by slinging mud and hoping something sticks.

Now, the article's claim that these spear phishing messages get through unmolested assumes that most email filters today use reputation filtering as their main line of defense. That's mostly true, but not strictly true. If a spammer has to send a huge advertising campaign, then he needs to send it from a lot of sources, and these big spam volumes are easy to detect. A small spam campaign is tougher: the smaller blips hide within larger IP ranges, so it is harder to build up a reputation on them, and therefore reputation filters don't work.

Of course, it doesn't follow that the message will sail through to the user's inbox.  At least in our case, we rely on a lot of content filtering to catch much of our spam.  So even if reputation filtering is evaded, the content filtering after that will detect the message as spam.

Finally, it doesn't logically follow that spear phishing messages are sent from reputable web-based mail services (like Gmail or Hotmail).  If you're a spammer, then sending from a reputable web service will increase your chances of delivery regardless of whether or not the attack is targeted.  However, sending a small chunk of messages from a web-based service makes reputation filtering very easy to evade.
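To make the reputation and content filtering paragraphs above concrete, here is an added example (not code from any real filter) that runs a volume-based IP reputation check and then a keyword content check over a constructed mail log. The IP addresses, thresholds, subjects and the keyword list are all assumptions chosen for illustration, and the content check is a deliberately simple stand-in for real content filtering.

```python
from collections import defaultdict

# Constructed sample data: documentation-range IPs, not real senders.
BULK_IP = "203.0.113.7"        # dedicated source of a large campaign
WEBMAIL_IP = "198.51.100.20"   # stands in for a shared webmail relay
PHISH_TERMS = ("verify your password", "confirm your account")  # assumed rules

def build_log():
    """Return constructed (sending_ip, subject, user_reported_spam) tuples."""
    log = [(BULK_IP, "Cheap meds now", i % 5 < 2) for i in range(5000)]
    log += [(WEBMAIL_IP, "Lunch on Friday?", False) for _ in range(20000)]
    # Small targeted campaign hiding inside the relay's legitimate volume.
    log += [(WEBMAIL_IP, "Example Bank: verify your password", i % 3 == 0)
            for i in range(30)]
    return log

def ip_reputation(log, min_volume=100, max_complaint_rate=0.05):
    """Block IPs whose complaint rate is high over enough observed volume."""
    sent, complaints = defaultdict(int), defaultdict(int)
    for ip, _, reported in log:
        sent[ip] += 1
        complaints[ip] += int(reported)
    return {ip for ip in sent
            if sent[ip] >= min_volume
            and complaints[ip] / sent[ip] > max_complaint_rate}

def content_flag(subject):
    """Toy content filter: match known phishing phrases in the subject."""
    lowered = subject.lower()
    return any(term in lowered for term in PHISH_TERMS)

def classify(log):
    """Count messages stopped by each layer and messages delivered."""
    blocked_ips = ip_reputation(log)
    counts = {"reputation": 0, "content": 0, "delivered": 0}
    for ip, subject, _ in log:
        if ip in blocked_ips:
            counts["reputation"] += 1
        elif content_flag(subject):
            counts["content"] += 1
        else:
            counts["delivered"] += 1
    return counts

if __name__ == "__main__":
    print(ip_reputation(build_log()))
    print(classify(build_log()))
```

The 10 complaints against the targeted messages are diluted by 20,000 legitimate messages from the same relay, so the relay's reputation stays clean and only the content layer stops the campaign.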