In 2003, we had SARS. In 2006, we had bird flu. This year we have swine flu. These potential pandemics are global news, and it's quite natural that people want to learn more about them. It's no surprise, too, that spammers have picked up on employees' curiosity. An April spam report from MessageLabs Ltd. showed a leap of nearly 10% from March in unsolicited spam messages – 85% of all email sent.
But it's not just pandemics that spammers react to. They hook into any popular global theme, including the recent financial credit crunch, U.S. presidential election, Olympics, or any other major news event that people want the latest information about. Stories that induce fear, like pandemics, however, greatly increase their success rate.
Spam campaigns usually start with harmless email messages, used to test which subject headings or message content get the best responses, before turning more malicious. The fact that the volume of swine flu spam is so high indicates that it's a very successful campaign. Medical spam, or medspam, has always been a money-spinner for spammers, and an event like the swine flu provides a convincing backdrop to peddle a story.
Because antivirus programs are likely to block any malware programs actually attached to an email, most spammers tend to put links in their messages and entice people to click on them. The links often point to a page that will attempt to install malware on the user's computer. Spammers are always looking for new ways of defrauding or tricking users, though, and many are using phishing and social engineering techniques. For instance, one swine flu spam message has a .pdf document of swine influenza FAQs attached. When users attempt to open the PDF file, malcode within the PDF attempts to exploit an old Adobe vulnerability in order to install a Trojan on the computer.
To stop spam emails and combat these types of threats, IT administrators need to be aware that current events are likely triggers for spam and phishing campaigns and preempt them with some security awareness reminders. When users log on to the corporate network, they can be reminded not to open attachments from unknown sources and to treat with suspicion any emails pertaining to the latest major news event, particularly if they require any user action, such as visiting a site.
Certainly employees should be warned about visiting sites with domain names relating to the latest news story, such as swine flu medications. These are more than likely to have been set up to host malware, spam campaigns or phishing attacks.
Instead, provide them with validated sites that they can visit for more information. In the case of the flu epidemic, employees can be advised to consult official sites such as Directgov, which has all the information they may need. Pointing to accurate and secure information doesn't involve a lot of work, but the effort can improve the security of your network and its users.
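The two pieces of advice above (treat news-themed domains with suspicion, and steer users to validated sites instead) can also be turned into a simple mail triage check that an administrator runs over inbound messages before deciding whether a reminder is due. The following is an added example, not code from the article or from Cobweb Applications; the keyword list, the allowlist (Directgov is named in the article, the other entry is assumed), the risky attachment types and all sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Hypothetical keyword list an administrator refreshes as news events change.
TOPICAL_KEYWORDS = ("swine", "flu", "h1n1", "pandemic")

# Hypothetical allowlist of validated information sites. The article names
# Directgov; the second entry is an assumed example.
VALIDATED_DOMAINS = {"direct.gov.uk", "who.int"}

# Attachment types to flag; the article describes a booby-trapped PDF lure.
RISKY_EXTENSIONS = (".pdf", ".exe", ".scr", ".zip")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def domain_is_validated(host: str) -> bool:
    """True if host is, or is a subdomain of, an allowlisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VALIDATED_DOMAINS)


def extract_urls(msg: EmailMessage) -> list[str]:
    """Collect http(s) URLs from the text parts of a message, ignoring attachments."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw_message: str) -> dict:
    """Return subject, findings and a verdict ('ok' or 'review') for one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "")
    topical_subject = any(k in subject.lower() for k in TOPICAL_KEYWORDS)
    findings: list[str] = []

    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if domain_is_validated(host):
            continue  # pointing users at a validated site is exactly what we want
        if any(k in host for k in TOPICAL_KEYWORDS):
            findings.append(f"link to news-themed domain: {host}")
        elif topical_subject:
            findings.append(f"news-themed subject links to unvalidated site: {host}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment of a type used in lures: {name}")

    return {"subject": subject, "findings": findings,
            "verdict": "review" if findings else "ok"}


def _text_sample(subject: str, body: str) -> str:
    """Build a constructed single-part message as raw RFC 5322 text."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "alerts@example.net"
    m["To"] = "staff@example.org"
    m.set_content(body)
    return m.as_string()


def _pdf_sample() -> str:
    """Constructed multipart message carrying a placeholder PDF attachment."""
    m = EmailMessage()
    m["Subject"] = "Swine influenza FAQs"
    m["From"] = "alerts@example.net"
    m["To"] = "staff@example.org"
    m.set_content("Please open the attached FAQ document.")
    m.add_attachment(b"%PDF-1.4 placeholder bytes, not a real document",
                     maintype="application", subtype="pdf",
                     filename="swine_influenza_FAQ.pdf")
    return m.as_string()


# Constructed sample inbox; none of these are real messages.
SAMPLES = {
    "lure_domain": _text_sample("Swine flu medication available now",
                                "Order today: http://swine-flu-meds.example/order"),
    "validated_link": _text_sample("Swine flu: official guidance",
                                   "See http://www.direct.gov.uk/swineflu for advice."),
    "unvalidated_link": _text_sample("Pandemic update",
                                     "Latest figures: http://news.example.net/update"),
    "pdf_lure": _pdf_sample(),
    "unrelated": _text_sample("Q2 budget review",
                              "Slides: http://intranet.example.org/q2"),
}


def run_samples() -> dict:
    """Verdict per constructed sample; used by the demo below and the tests."""
    return {name: triage(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{name:16s} {result['verdict']:6s} {result['findings']}")
```

The allowlist check runs before the keyword check on purpose: a message that links to the validated site comes out clean even when its subject is topical, which is the behaviour you want once you have told staff where the official information lives. Everything else that mentions the news event and asks for an action, whether a click on an unvalidated site or an attachment to open, is queued for review rather than silently dropped, so the administrator can decide whether a fresh awareness reminder is warranted.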
There are few effective technical security controls that work against phishing and social engineering attacks. By preparing your staff on how to handle potential attacks, however, you can build up their resistance to the psychological triggers used and make them less susceptible to being tricked into breaking security procedures or ignoring common sense. Users who follow typical best practices don't have much to worry about, but it never does any harm to look ahead and remind them of the best practices that stop spam emails. Forewarned is forearmed.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in July 2009