
Spam, phishing, IM attacks rise

By Rob Westervelt, News Editor
05 Feb 2007 | SearchSecurity.com


When the largest pharmaceuticals distributor in the United States considers stronger security controls, it's Patrick Heim's job to patch the holes. He weighs a number of factors, including employee productivity, corporate strategy and return on investment.

Heim, chief information security officer of McKesson Corporation, said critical corporate data must be protected with the right security controls to battle a scourge of spam clogging email servers, targeted phishing attacks seeking gullible employees, and potential instant messaging woes. The trick is finding the right balance, Heim said, so employee productivity isn't handcuffed, but risk factors are still considered.

"If you deploy controls without proper education, end users will find ways of backdooring it," Heim said. "There is a certain amount of risk acceptance, but we're not going to take a Draconian stance to turn off capabilities for security sake."

Heim and other CISOs are increasingly finding themselves in a juggling act: Spam levels are rising with more sophisticated attacks using botnets, phishing has become more targeted, and instant messaging attacks are steadily rising, according to security researchers. U.K.-based security firm MessageLabs reported spam levels reaching almost 85 percent of all global email traffic at the end of 2006. New sophisticated spam techniques include embedding industry-related buzzwords into the body of the spam message to dupe antispam software into treating the message as legitimate, or complex image spam delivered like puzzle pieces or in obscure image file formats to slip by spam guards.

Spam is becoming even more noticeable as it slips through some of the toughest controls into unsuspecting inboxes. When botnets came on the scene in 2004 as an outgrowth from Internet Relay Chat (IRC) servers and clients, botnet Trojans were used to self-replicate mass mailers, blasting out spam to other email addresses.

The spam surge quickly caught the attention of corporate IT security pros and software vendors, who aggressively sought to root out botnets. But today, botnet spammers use their sophistication to remain undetectable, because the longer a botnet can send spam, the more lucrative the attack, said Mark Sunner, chief security analyst at MessageLabs. The botnets are beginning to force the hand of Internet service providers to start filtering spam, he said.

Accompanying the surge of spam is a spate of targeted phishing attacks. They have moved beyond online banking sites and significantly increased to e-commerce sites, such as eBay and PayPal, as well as social networking site MySpace, according to MessageLabs. By late 2006, more than 50 percent of malicious emails intercepted by MessageLabs were phishing attacks.

"Raw phishing attacks have gone up significantly," said Alfred Huger, senior director of engineering at Symantec Security Response. "They're harvesting email addresses of people in the same geographical area and that has resulted in more people falling prey to it."

In the first half of 2006, Symantec detected nearly 900 unique phishing messages a day--up from about 500 per day over the previous six-month period. Symantec said that nine of the top 10 phished brands were financial institutions, the sector most likely to produce the greatest monetary gain for attackers.

As IM gains traction in corporate environments, the use of spim--spam over IM--is growing, said Chris Boyd, director of malware research at IM security vendor FaceTime Communications. "IM is one of the last great unknowns," Boyd said. "People use IM in the workplace, but a large majority of IT guys are leaving the IM space wide open. It's a massive avenue of attack."

Still, many businesses are addressing IM as part of compliance projects. Heim said McKesson will roll out a corporate instant messenger application in 2007, but until then, the risks are not great enough to prohibit employees from using IM, he said.

"We take threats one step at a time," he said. "Quite frankly, at the end of the day it has to come down to education--having employees that understand the need for what we're doing."
