Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.
There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.
Unfortunately, it was a repeating number.
Today, criminals are spreading ever more malicious forms of email spam, and the number of spam emails is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.
Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, email addresses are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.
That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.
Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, which triggers the installation of a copy of the Ursnif Trojan. Ursnif then swiftly steals account logins, credit card details, and other personal information.
There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.
“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”
Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets were composed of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.
Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.
These virtual bots represent stunningly clever use of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively and in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.
Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”
Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden of staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.
What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.
Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.