Don’t Underestimate The Power Of The Spambots

By Adam Vincent | October 23, 2017 | Updated: December 30, 2021 | 6 Mins Read

Spam: we all know it and love to hate it. Our emails are clogged with it and our junk folders are overflowing. It’s the wasp at the picnic of the internet. Kind of annoying, but not all that dangerous – or so most of us think.

The recent revelation of a spam dump containing 711 million email addresses highlighted that spam is one of the most prevalent forms of personal security breach. Far from being a mere irritation, it deserves proper respect. The dump was compiled from databases from previous breaches – the likes of the LinkedIn and Badoo hacks. Although some of the addresses were corrupted as a result of the scraping methods used, it still included hundreds of millions of valid addresses. That’s the population of several countries.

What made this dump particularly interesting was the presence of several million email addresses with passwords attached to them. Addresses that could serve not just as the recipients of spam, but also as distributors. With major personal data breaches being announced almost every day, it’s only ever a matter of time before your email addresses are made available on the dark web for hackers to use at will. Once email addresses are out there, they can be shared and re-shared, and it only takes one service with poor encryption to compromise your favourite password.

SMTP credential harvesting

Take an example of when a major breach occurs in an organisation à la TalkTalk. The email database is only the first half of a successful operation for would-be hackers. To boost the profitability of the exploit, they ideally need to be able to re-send malicious emails from real accounts, widening the credibility and impact of the messages.

To gain entry, they need SMTP credentials – particularly passwords. If the passwords are stored in a simple or easily broken format, these can sometimes be scraped from breached databases. Yet, realistically the vast majority of email addresses in a given dump will not have credentials alongside them. Those that do must be verified through automated testing. This is usually performed by a programme which attempts to send a generic email to an owned destination in order to determine whether the password is still live and attached to the account.

This process has a limited success rate, but even a reduction from millions to thousands of functional email addresses can cause a major ripple effect. If a small fraction of those addresses successfully deliver their malware, that’s still hundreds of infected devices, each of which could open a pathway to more valuable targets.

In addition, if a company email is compromised in this way, the business’s reputation is then on the line. Imagine receiving a malware-loaded spam email from a trusted partner company. Not only would you be much more likely to click through on any attachments, but you’d likely begin to have serious doubts about that company’s due diligence on cyber security. If we assume that most companies hold at least some sensitive data on their partners and customers, this could seriously damage the relationship. Spam can have a much bigger effect than a low-level inbox annoyance.

Pixels: spam backdoor

Another key tactic related to spambots is the use of ‘fingerprinting’ emails. Some forms of malware require a particular target type. This could be a certain operating system, or the presence of an application prone to a particular bug or backdoor. To fine-tune their targeting, spammers need to know which email addresses are associated with these device attributes.

In order to find this out, innocuous-looking emails are sent out to targets with single-pixel images embedded in them. When the recipient’s mail client fetches the image from the spammer’s server, the request reveals the device’s IP address and, via the client’s user agent, details such as the operating system. This allows the spammer to decide whether the email address is worth targeting. You’d notice an unexpected attachment, but a single pixel is unlikely to draw attention, so there’s a considerable chance that your company could be scanned and identified as a potential target without your knowledge. This in turn increases the chance that subsequent attacks will be better targeted, and more successful.
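
The tracking-pixel technique described above can be detected and neutralised on the receiving side. The following is an added example, not code from the original article: it parses a constructed HTML email, flags remote images that are one pixel in size or hidden by style, and rewrites remote image sources so the mail client makes no outbound request until the user chooses to load images. The host names and the `x-blocked://` scheme are placeholders chosen for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; unknown -> large."""
    if value is None:
        return 10**6
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else 10**6


class PixelFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels: a remote src
    combined with 1x1 dimensions or a style that hides the image."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # inline (cid:) or data: images cannot beacon out
        style = a.get("style", "").replace(" ", "").lower()
        tiny = _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1
        hidden = "display:none" in style or "width:1px" in style
        if tiny or hidden:
            self.findings.append(src)


def find_tracking_pixels(html):
    """Return the remote URLs of suspected tracking pixels in an HTML body."""
    p = PixelFinder()
    p.feed(html)
    return p.findings


def strip_remote_images(html):
    """Mitigation: rewrite every remote <img src> to a non-fetchable scheme so
    the client cannot load it (and leak IP/user agent) without user consent."""
    pattern = r'(<img\b[^>]*?\bsrc\s*=\s*["\'])https?://'
    return re.sub(pattern, r"\g<1>x-blocked://", html, flags=re.IGNORECASE)


# Constructed sample message body for demonstration (not a real email).
SAMPLE_HTML = """<html><body>
<p>Hi, please see the attached invoice.</p>
<img src="https://tracker.example.test/open?id=abc123" width="1" height="1" alt="">
<img src="https://cdn.example.test/logo.png" width="200" height="60" alt="logo">
<img src="cid:inline-sig" width="1" height="1">
<img src="https://tracker.example.test/p.gif" style="display: none">
</body></html>"""
```

Running `find_tracking_pixels(SAMPLE_HTML)` reports the two tracker URLs but not the visible logo or the inline image; after `strip_remote_images`, no remote image remains fetchable.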

Why should we care?

Why is all this so dangerous? The answer is simple: malware. The aim of most spam campaigns is to distribute malicious software to harvest credentials and track user activity. In the case of ransomware, it will even lock up the user’s computer until a fee is paid. The cyber security industry spends a lot of time discussing how best to defend against malware. Yet, more attention must be paid to how organisations can prevent their emails, and those of their customers, from being extracted for spam-based malware distributors in the first place.

Ultimately, good defence relies on intelligence – both in terms of well-educated staff and powerful automated security systems. It’s essential to ensure that employees know what to look for when it comes to spam. Most people can tell when an email is not genuine, but the number of people that fall for phishing attacks is still too high, and it only takes one mistake to cause a company-wide breach. Education programmes should cover how to spot, eliminate and escalate spam-based attacks. Users should avoid opening anything unusual, never click on attachments or links and be sure to notify their IT department every time.

Passwords should be updated on a regular basis, and IT teams may also want to take responsibility for forcing this issue with single sign-on tools or automated password updates. Multi-factor authentication is another way to reduce the human element of risk. It’s much harder for spammers to retrieve a correct security answer, for example, as well as a password and an email address.

It’s also key to have a comprehensive threat intelligence strategy in place to help security teams spot, identify and react to unusual behaviour on the network before it becomes a problem. By matching spam tactics, originating servers, domains and malicious attachments to known threat indicators, security analysts can improve their response time and tactics. For example, if an email server favoured by a particular spam organisation is found to be sending messages to the company system, a powerful threat intelligence system can flag a potential issue, as well as providing information on previous incidents involving the server and any known attack types.

This information, derived from other users of the platform and analyst intelligence feeds, helps teams to choose the appropriate course of action in response. Companies should also consider playbooking their defence against spam-related incidents. By pre-loading the security system with common incident types and responses, it’s possible to reduce the gap between detection and solution.
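
The indicator matching and playbooking described in the two paragraphs above can be illustrated with a small triage routine. This is an added example, not code from the article or from any particular threat intelligence platform: it parses a constructed email, extracts the relay hosts and IP addresses from the `Received` headers plus the sender domain, matches them against a constructed indicator set that records prior incident context, and picks the most severe pre-loaded playbook action. All host names, addresses and actions are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a threat-intelligence feed:
# indicator -> (type, context from previous incidents, playbook action)
INDICATORS = {
    "203.0.113.45": ("ip", "relay seen in two prior malspam waves", "quarantine+block"),
    "spam-relay.example.test": ("domain", "sender host of a credential-phishing kit", "quarantine"),
}

# Playbook actions in ascending order of severity.
ACTIONS = ["deliver", "quarantine", "quarantine+block"]

# Constructed sample message (not a real email).
RAW_EMAIL = """\
Received: from spam-relay.example.test (spam-relay.example.test [203.0.113.45])
\tby mx.corp.example.test with ESMTP id 12345; Mon, 23 Oct 2017 10:00:00 +0000
Received: from [192.0.2.10] by spam-relay.example.test; Mon, 23 Oct 2017 09:59:00 +0000
From: "Partner Accounts" <billing@partner.example.test>
To: staff@corp.example.test
Subject: Invoice attached

Please open the attached invoice.
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_observables(raw):
    """Collect relay IPs and host names from Received headers and the From domain."""
    msg = message_from_string(raw)
    obs = set()
    for hdr in msg.get_all("Received", []):
        obs.update(BRACKETED_IPV4.findall(hdr))
        m = re.match(r"from\s+([\w.-]+)", hdr)  # host name directly after 'from'
        if m:
            obs.add(m.group(1).lower())
    _, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        obs.add(addr.rsplit("@", 1)[1].lower())
    return obs


def triage(raw):
    """Return matched indicators with their context and the most severe action."""
    hits = {o: INDICATORS[o] for o in extract_observables(raw) if o in INDICATORS}
    action = max((h[2] for h in hits.values()), key=ACTIONS.index, default="deliver")
    return hits, action
```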

In short, it’s essential to be able to defend against spam – both in terms of deflecting malicious emails and protecting your details to prevent them falling into the wrong hands. Spam is the foundation for many highly dangerous cyberattack types. Companies need to treat it with greater respect, not overestimate the capabilities of their employees, and ensure their security systems have the intelligence and agility to respond to a fast-moving and adaptable enemy. Remember, the better you know your adversary, the more effective you can be in executing your countermeasures.

Adam Vincent

CEO

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
