Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Personalized Spam

Personalized Spam

  • Comments 3

The Times of India has an article entitled This Spam is Just For You!  The article is awkwardly written and I don't think that the point comes across very well, so I thought I'd rewrite some of it.

SAN FRANCISCO: Yes, guys, those spam e-mails for Viagra or baldness cream just might be directed to you personally.

So, too, are many of the other crafty come-ons clogging inboxes, trying to lure us to fake websites so criminals can steal our personal information.

A new study by Cisco Systems Inc found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use.

Unlike traditional spam, most of which is blocked by e-mail filters, personalised spam, known as "spear phishing" messages, often sail through unmolested. They're sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed websites that are bogus or immediately install malicious programmes.

The first part of the article is correct in that personalized spam comes harvested from other sources.  For example, a cyber-thief might steal your email address from a website you visit, like a Reunion website and find out where you went to school.  In this case, they might use a social engineering technique to harvest more information from you: "Hi So-and-so, your 15th reunion is coming up.  Please go to this web page to fill in more details!"

They might also hack into a bank's system and get a list of email accounts of all the users for that bank.   In this case, a clever spammer would target you while spoofing your own bank in an attempt to deceive you into providing your bank password.  A spammer with a list of email addresses for a specific bank has a better chance of getting a victim than a spammer with a general list spamming a million random email addresses.

The article does a poor case of drawing the link as to why personalized spam gets through filters and is sent in smaller chunks.  The reason it is sent in smaller chunks is that targeted advertising doesn't need to cut as wide a swath to get the desired response rate.  If you already know something about your audience, you don't have to waste time sending out millions of messages.  Do manufacturers of power tools advertise on the Oxygen network?  Do retailers who sell women's makeup advertise on Sunday afternoons during football season?  Of course not, because the target demographics aren't watching.  Similarly, if a spammer knows something about the victims he is intending to spam, he only needs to send out a small spam campaign, not the millions of messages he might normally do by slinging mud and hoping something sticks.

Now, the reason that these spear phishing messages get through unmolested is because the article assumes that most email filters today use reputation filtering as their main line of defense.  That's mostly true, but not strictly true.  If a spammer has to send a huge advertising campaign, then he needs to send it from a lot of sources.  These big spam volumes are easy to detect.  But if he sends only a small spam campaign, then that is tougher.  These smaller blips hide within larger IP ranges and therefore it is harder to build up a reputation on them and therefore, reputation filters don't work.

Of course, it doesn't follow that the message will sail through to the user's inbox.  At least in our case, we rely on a lot of content filtering to catch much of our spam.  So even if reputation filtering is evaded, the content filtering after that will detect the message as spam.

Finally, it doesn't logically follow that spear phishing messages are sent from reputable web-based mail services (like Gmail or Hotmail).  If you're a spammer, then sending from a reputable web service will increase your chances of delivery regardless of whether or not the attack is targeted.  However, sending a small chunk of messages from a web-based service makes reputation filtering very easy to evade.

Leave a Comment
  • Please add 4 and 7 and type the answer here:
  • Post
  • PingBack from http://www.codedstyle.com/personalized-spam/

  • Sorry, but the spam getting through my several filters (Exchange, Outlook, and SpamBully, are made to look like they're coming from me.  Unfortunately, Exchange/Outlook doesn't seem to have the ability to filter things, allegedly from me, coming from the outside world.

  • A really way to hack hotmail passwords! This service is absolutely 100% no bullsh*! They really do what they say they will do and they do it quick. My advice to anyone who uses this service, however, is to really take some time to think about if you really want to go digging; because when you go digging what you will usually find, as they say, is dirt. I personally feel very liberated having found out what I did, but i also had sort of prepared myself for it beforehand and had a gut feeling already. I needed absolute proof, though, and I got it. Be careful what you wish for because if its getting into your ex's email, http://www.ActiveHackers.com will grant your wish.

    I don't know what to say... I'm absolutely FLOORED. I hired them to hack into my ex's hotmail email. After about a week I became very skeptical. "OK, this guy's just making fake guestbook entries and collecting cash...". I emailed them asking if this was the case, he kindly responded that he was working on it. Next day, a screenshot. Not a doctored screenshot, because I remember what the inbox looks like and all the folders in it. No, it was real, with real emails from me. I was still skeptical, thinking, "OK, maybe he has some program that can do that, but can it really get passwords, can he hack hotmail email?" I paid, in reality it is not a lot of money in the end. The password even made me skeptical, it was so simple. Certainly it's possible, I've researched it, but could this guy really be who he says he is? But low and behold, it's the real one. I'm shocked from my doubt. This guy Active Hackers is the real thing. I'm still in shock. Thanks man, I can't thank you enough. My heart can breathe a little better, now.

    That is what of how to hack a password, hire them http://www.activehackers.com if you want to know how to get into someone's hotmail account. They provide the easy way to hack yahoo and easy way to hack msn messenger. Just to help other people who may need their facebook hacking services.

Page 1 of 1 (3 items)