Business Daily from THE HINDU group of publications
Monday, Feb 26, 2007
eWorld - Interview
Info-Tech - Security
Beware masked intruder

Paromita Pain

Symantec sounds the alert on image spam.


Anand Naik

Nothing in the world is sacred anymore. Not even pictures, especially on the Internet.

In the past month, Symantec's anti-spam researchers have seen examples of multiple attacks that embed spam in the content of legitimate newsletters and e-advertisements. Often the spam content is a single image. Sometimes the message is constructed in a way that you see the legitimate newsletter first, and then the spam message `pops in' a few minutes later.

There also seems to be a measure of control to the attacks, with never more than one message a day to any individual e-mail account, and always hijacking a different reputable merchant. The most frustrating thing is that these messages all look pretty much the same when reading them in your e-mail. However, they are very different in the raw, which is what makes the creation of effective filters much more difficult.

Some of the techniques being employed by spammers to get these image-based ads into your Inbox are so subtle they are virtually imperceptible to the naked eye. These include, but are in no way limited to, slight changes in text size and colour, as well as image placement from one message to the next.

Image spam accounts for an average of 35 per cent of all spam on the Internet.

Telling us more about this is Anand Naik, Director - System Engineering, Symantec India and SAARC.

How did Symantec zoom in on this?

The security response lab in Pune is part of Symantec's Global Intelligence Network. This network monitors about 25 per cent of the e-mail traffic going on the Internet. The network contains more than three million decoy accounts for Symantec to get a global view of the origination of spam. By leveraging this information from the network, Symantec researchers are able to see the various types of spams, including image-spam variants as they evolve.

Why is image spam so frustrating? What makes this more difficult than other spam to detect and destroy?

Image spam is challenging as this type of spam does not contain any text. These messages look the same to a normal eye but are very different in composition. This makes it challenging for computers to identify and block them. Additionally, a lot of tools are available for free on the Internet to morph and change during the lifecycle of a spam campaign, which makes it difficult for anti-spam vendors to block them.

How does this work?

To the casual observer, this message appears to be a standard text-based e-mail complete with hyperlinks. Only a careful look reveals that the entire message is actually an image. The message does not contain any text, just the HTML code to display this image.

Most spam filters don't recognise the source of the message as a known `spammer' and there aren't any keywords to analyse, so it makes its way into the inbox. The majority of these messages are classic `pump and dump' stock scams, where the spammer invests in a stock and then sends out messages hyping the stock, hoping to inspire a quick, profitable run.

What is Symantec doing to tackle this threat?

Symantec's Global Intelligence Network enables it to address image spam, by continuously updating their filters, identifying the IP addresses generating these spams and blocking them.

Then there is Captcha. Captcha, short for completely automated public Turing test to tell computers and humans apart, is a technique used by a computer to tell if it is interacting with a human or another computer. Because computing is becoming pervasive, and computerised tasks and services are commonplace, the need for increased levels of security has led to the development of this way for computers to ensure that they are dealing with humans in situations where human interaction is essential to security.

Captcha techniques — the wavy letters you have to decipher before continuing with your e-mail, for example — have traditionally been used for security purposes. The idea behind captcha (pronounced like `capture') is to present the user with an image (captcha) or mathematical equation (maptcha) in order to discriminate against computers and automated programs that collect e-mail addresses and send spam.

You have said "Spammers are experimenting with utilising Captcha technology to evade spam detection by systems that are heavily reliant upon OCR (Optical Character Recognition) technology." Please explain.

In the early days of image spam, spammers would start changing one pixel of an image to get past the filter. But one of the latest techniques spammers are experimenting with is captcha, since OCR technology has a hard time recognising it. Spammers are now (knowing that some vendors rely heavily on OCR technology) testing the waters with captcha to actually defeat spam filters.

Just as captcha has been used to prevent spam, it can be used to send spam. Most of the algorithms are open source, therefore it is easy enough to port them over and create an image. Over the past 18 months or so, spammers have taken text messages and dropped them into a simple jpeg, which still looked like text. Later the OCR programs were added to spam filtering and that became easy enough to defeat. Spammers are thus using the captcha algorithm to add fuzziness to the background of an image.

You mention `Newsletter and Advertisement Injection' in your spam report. Is it like image spam?

This technique is an attempt to mask spam images in existing templates of newsletters and legitimate advertisements. The technique is designed to evade signature detection as the majority of the data in the message is legitimate data. It also challenges anti-spam filters to avoid false positives when analysing content that is nearly identical to legitimate bulk e-mail.

What can people do to protect themselves?

The real motive behind spammers is monetary. If people receiving spam disregard the messages, then automatically the `return on investment' on these campaigns goes down. Users must be careful and not open e-mails that they receive from unknown people and not fall prey to unsolicited offers. Companies can equip themselves with systems that use global intelligence to monitor and proactively prevent these types of spam attacks entering their networks. Spam is constantly evolving. If a new wave of spam is affecting a company in the US, consumers don't have to wait for it to hit their systems. The best way to handle evolving spam is to look for solutions with continuous filter updates based on global intelligence.

paromita@thehindu.co.in
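
The one-pixel and slight-colour changes described in the interview, as an added example that is not part of the original article: a byte-exact signature misses every altered copy, while an average hash (a common perceptual-hash approach chosen here for illustration, not something the article attributes to Symantec) still groups them. The 16x16 grayscale images are constructed sample data.

```python
import hashlib

def make_image(text_shade=30):
    # Constructed 16x16 grayscale sample: dark "text" lines on a light background.
    return [[text_shade if (y % 4 == 1 and 2 <= x <= 13) else 220
             for x in range(16)] for y in range(16)]

def exact_signature(img):
    # Byte-exact fingerprint: any changed pixel yields an unrelated digest.
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, size=8):
    # Shrink to size x size by block averaging, then keep one bit per cell:
    # is the cell brighter than the mean of all cells?
    bh, bw = len(img) // size, len(img[0]) // size
    cells = [sum(img[cy * bh + dy][cx * bw + dx]
                 for dy in range(bh) for dx in range(bw)) / (bh * bw)
             for cy in range(size) for cx in range(size)]
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def hamming(a, b):
    # Number of differing bits between two hashes.
    return bin(a ^ b).count("1")

def build_samples():
    original = make_image()
    one_pixel = make_image()
    one_pixel[0][0] = 221                      # single-pixel tweak
    recoloured = make_image(text_shade=45)     # slight colour change
    unrelated = [[30 if x < 8 else 220 for x in range(16)] for _ in range(16)]
    return original, {"one_pixel": one_pixel, "recoloured": recoloured,
                      "unrelated": unrelated}

def compare():
    # For each variant: (exact signature matches?, perceptual-hash bit distance)
    original, variants = build_samples()
    base_sig, base_hash = exact_signature(original), average_hash(original)
    return {name: (exact_signature(img) == base_sig,
                   hamming(average_hash(img), base_hash))
            for name, img in variants.items()}

if __name__ == "__main__":
    for name, (exact_match, distance) in compare().items():
        print(f"{name:10s} exact match: {exact_match}  aHash distance: {distance}")
```

A filter built this way would treat a small bit distance as "same campaign"; the distance threshold is a tuning choice that trades missed variants against false positives on legitimate bulk mail.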

Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line