Spam-spyware combo will spawn targeted attack tools

The IT security landscape is about to be hit with a potentially devastating seismic shift, says Mark Sunner, CTO of Message Labs: the convergence of phishing-type spam e-mails and spyware. It is a combination of powerful social engineering techniques and stealthy information-gathering capabilities, he says, that will soon take the bad guys to a whole new level.

"I have no doubt that a year or so from now, we'll look back on this timeframe as a trigger point when threats started to shift in this direction," Sunner says. "We'll look back on this period in the same way we look back at 2003 as the year botnets went from an embryonic stage to the source of virtually all spam. We'll look back and say that this is when the threats truly became targeted."

Sunner issued his warning at the annual INBOX e-mail conference, held last week in San Jose, CA, during the "Savvy Spammer" panel discussion.

Peter Christy, principal analyst at the Internet Research Group and moderator of the panel, told conference attendees that "botnets"—those collections of compromised PCs running under a common command-and-control infrastructure employed by cybercriminals to send out spam or for denial of service (DoS) attacks—are now so prevalent that 90+ percent of the volume of spam messages originates from bot-infected machines.

"Sixty percent of home users on broadband networks are probably infected and in some degree controllable for the forces of evil," Christy said.

E-mail has become the most widely used method for hacking into corporate networks, stealing identities, crippling IT systems, and committing online crimes, Sunner says. Sunner's company scans 170 million corporate e-mails a day. That kind of volume gives the company a big-picture view that has revealed this spam-spyware convergence, he says. Sunner is on something of a mission to get the word out.

"In the early part of 2003, we were, in the same way, talking about the conversion of viruses and spam," he says, "and that trend didn't get picked up by the press until the end of the year. As a result, spam levels were being driven up very dramatically. This time around, we're looking at something that is going to be as significant an event, and I think we have a responsibility to be a bit more vocal about it, to sort of push it. We need to be aware of what's actually going on."

The spam-spyware combo will spawn sophisticated tools for increasingly targeted mischief, Sunner says. "When spyware started, it was about catching the browser as people were searching for keywords like 'car,' and delivering a related popup ad," he says. "But the bad guys realized that they were getting back more data than they were looking for, and they began profiling what people were searching for and selling that information to commercial entities."

"Phishing"—the e-mail scamming technique designed to acquire sensitive info, such as passwords and credit card numbers, through messages that appear to be from a trustworthy person or official source—has already morphed into a more targeted species known as "spear phishing." The spam-spyware convergence has the potential to provide enough information for a detailed profile of individual users, enabling even more refined frauds. A fraudster could, for example, send an official-looking e-mail to an eBay user who just lost out on a bid, telling him that the winner backed out and that he has now won—and to send his payment info.

Sunner predicts that this convergence will pick up steam very quickly. It took roughly 16 years for viruses to evolve from early boot-sector malware to the modern, commercially motivated malware we see today. Spyware has gone through the same development cycle in a mere 4 years, he says.

Sunner also believes that this change in the threat landscape will affect the planning and resource allocation of ISVs. Unfortunately, these kinds of security trends tend to be missed by software developers, even when they become mainstream, says security expert Gary McGraw, CTO of Cigital and author of Software Security: Building Security In.

"I’ve talked to tens of thousands of developers over the past few years," McGraw says, "and I know that they're not irresponsible, and they actually want to learn about this stuff. They’re just nice, very optimistic guys who are surprised that anyone would do those mean things to their code."

Keeping up with the practices of digital malefactors is one of the keys to beating them, says McGraw. "The only way to do software security is to have two hats," he says. "You’ve got to do some of the bad-guy stuff and some of the good-guy stuff. You’ve got to build it right, and you’ve got to attack it as though you were a bad guy. Good and bad, black and white; they're inextricably bound together."

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].