Computer Crime Research Center


Terror Spam and Phishing

Date: August 17, 2006
Source: Computer Crime Research Center
By: Tomer Ben-Ari , Ron Rymon , The Interdisciplinary Center Herzliya, Israel

... chemical and explosive weapons in texts such as "Terrorist's Handbook" and "The Anarchist Cookbook". The anonymous authors of such Web sites often include a disclaimer that the processes described should not be carried out. According to the Bureau of Alcohol, Tobacco, and Firearms, Federal agents investigating at least 30 bombings and four attempted bombings between 1985 and June 1996 recovered bomb-making literature that the suspects had obtained from the Internet.
[Weimann, 2004]

Cyber Terror
There has been a lot of press around possible plans of terrorists to carry out actual cyber terrorist attacks, e.g., taking over computing networks that control infrastructure such as power plants, dams, etc. Most researchers consider the risk of such incidents to be minimal, but administrators of such networks should of course remain watchful.
[Vatism, 2004] [Lewis, 2002] [Denning, 2000]

Is Spam the Next Ultimate Tool in the Hands of Terrorists?
In this article, we claim that spam may become an important tool in the war against terrorism. Clearly, spam can serve as a useful tool to spread terrorists' messages and knowledge, and to raise funds for terrorist organizations. More interestingly, we claim that spam can also serve as a tool for terrorists to influence individuals to act on their behalf, or at least to serve their purpose.

3. Spam and Spamming Methods
The Spam Phenomenon
Spam refers to one or more unsolicited messages, sent or posted as part of a larger collection of messages, all having substantially identical content. It usually manifests itself as an unsolicited email campaign that targets millions of email accounts around the world [Monkeys]. Experts estimate as many as 12 billion spam messages daily, accounting for over 75% of all email traffic [Spam Filter Review, 2004], or approximately 10 email messages a day per Internet user. Most spam is commercially motivated, trying to lure readers into purchasing some type of goods or services. Since it is commonly perceived as intrusive and an invasion of privacy, not to mention that most email lists are obtained illegally, most legitimate companies shy away from using spam. Most spammers represent shady industries, primarily porn and gambling. Other operators offer goods of reputable companies, but work on their own initiative without representing the original manufacturers or service providers.

Technically, spammers take advantage of inherent weaknesses in the common SMTP email protocol, where it is difficult to properly authenticate email senders. Economically, spammers enjoy the ease and negligible cost of producing mass email campaigns. Although the response rate to spam is very low, large spammers may send as many as tens of millions of messages every day in order to obtain a few hundred responders.

This economic advantage has also attracted fraudsters and other criminals, and we are now witnessing numerous "phishing" campaigns. In these campaigns, fraudsters try to lure unsuspecting people into providing secret codes and passwords to internet banking accounts, and then use this information to "clean up" these accounts. Authors of viruses are also using spam to spread their malicious code, often hidden behind luring bait. The total damage due to spam is estimated at 10 billion dollars in the US alone [Spam Filter Review, 2004].

In sum, spam has proved itself an easy way to reach a large audience, and an effective sales tool that works well despite the low a priori success rate of each individual email message.

Spamming Methods
In order to make sure that their spam campaigns are effective, spammers must overcome spam filters, and must craft their messages in a way that targeted recipients will actually read them, and so that a high enough percentage of the readers will be interested enough to respond and ultimately to buy. In addition, they must dodge local laws that forbid spam and efforts by law enforcement agencies, ISPs, and others to hunt them down [AOL Spam Lawsuit] [Microsoft Spam Lawsuit].
Since response rates to spam are very low (less than 0.05% according to France Mike), spammers often address a huge number of email addresses in a single campaign. There are many ways for spammers to collect email addresses, ranging from "harvesting" newsgroups and web sites, to outright purchase of mailing lists that cover different types of audiences.

What makes spamming so profitable is the fact that sending millions of messages costs next to nothing. This compares to (physical) direct mail where the cost of each mailing dictates a more selective approach. Indeed a typical email list may contain millions of email addresses, and spammers can simply flood all addresses. Still, good spammers prefer more focused lists because smaller batches reduce their chances of being filtered out, and increase their response rates.

Spammers are then required to craft an attractive message. Effective messages use attractive subject lines, are short, and hit on the prospect's needs or pains. Some messages are highly personalized, e.g., naming the recipient or providing a possibly familiar name as the presumed sender.

Finally, spammers must also cope with spam filters. Some filters are based on keywords, so spammers often hide keywords using various tricks such as letter replacement, spacing, use of images that contain words, use of JavaScript that generates the message on the client side on the fly, etc. Other spam filters are based on the frequency of the message across all recipients of a given mail server; to fool those, spammers often generate slightly different messages, for example by planting random strings of letters. Spammers may also try to disguise themselves by sending small batches from multiple ISPs and email servers around the world, spoofing email addresses and IP addresses.

Whereas most spam is commercially motivated, "phishing" is a relatively new form of spam that is probably closest to the terror spam that we introduce next. Phishing is spam used by fraudsters to get access to the passwords and other private or financial information of unsuspecting users. Fraudsters first duplicate a legitimate web site, e.g., a bank's internet site, and then use spam to trick users into filling in their details on the fraudulent page. In this way, millions of Internet users have received messages claiming to be from their bank (of course, most recipients never had an account in said bank), asking for their personal information under various pretexts, e.g., a crash in the bank system as a result of which account setup information was lost, and even claiming that this would allow the bank to provide greater security to its customers. Some phishing emails require even less cooperation from the victim, and try to plant a Trojan Horse – a program that, when installed on the victim's machine, will record keystrokes, including login information, and will then send these to their master [Phishing report 2004], [Drake, Jonathan & Eugene 2004].

Fighting Spam and Phishing
Several technologies have been proposed and used to fight spam:

On the client side, we find spam filters that are based primarily on keywords, signatures of known spams that are updated from a server much like anti-virus definitions, and on black and white lists of senders. These solutions are relatively weak and are easily manipulated by skilled spammers.

On the server side, we find gateway technologies that better block spam by leveraging information obtained from scanning email messages that are addressed to a large number of recipients. Also on the server side, ISPs are trying to prevent spammers from using their own accounts and email servers, e.g., by fighting robotic enrollment by spammers, restricting the amount of outgoing email from a given account, etc. ISPs are also reviewing the amount of spam that comes from other ISPs and mail gateways, putting exploitable servers whose operators may not be taking enough precautions to prevent outgoing spam on DNS black lists.

A newer approach is to augment the current Simple Mail Transfer Protocol (SMTP), which is the common standard for sending and receiving email messages. Several new suggestions were made, some of them by industry giants such as Microsoft and Yahoo, which essentially try to add a Sender ID field to the message, and then authenticate the sending server. This should in principle prevent spammers from easily setting up their own email bombarding servers [ASTA 2004].
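The keyword filters and the gateway-side frequency filters described above can be made more robust to the letter-replacement, spacing and random-string tricks from the previous section. The following is an added example, not code from the article or its authors: it normalizes text before keyword matching and groups near-identical bodies by word-shingle similarity. The substitution table, keyword list, threshold and sample messages are all constructed assumptions.

```python
import re
import unicodedata

# Assumed look-alike substitutions and keyword list (constructed for this example).
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s", "!": "i"})
KEYWORDS = {"casino", "jackpot"}

def normalize(text):
    """Undo letter replacement and spacing tricks before keyword matching."""
    text = unicodedata.normalize("NFKD", text).lower().translate(LOOKALIKES)
    # Dropping every non-letter also removes word boundaries, so matching
    # becomes a substring test: higher recall at the price of false positives.
    return re.sub(r"[^a-z]+", "", text)

def keyword_hits(text):
    squashed = normalize(text)
    return {k for k in KEYWORDS if k in squashed}

def shingles(text, k=3):
    """Set of overlapping k-word windows; a planted token only spoils k of them."""
    words = re.findall(r"[a-z]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def bulk_clusters(messages, threshold=0.7):
    """Greedy grouping of near-identical bodies seen across many recipients."""
    clusters = []  # (representative shingle set, [message indexes])
    for i, body in enumerate(messages):
        s = shingles(body)
        for rep, members in clusters:
            if jaccard(s, rep) >= threshold:
                members.append(i)
                break
        else:
            clusters.append((s, [i]))
    return [members for _, members in clusters]

SAMPLE = [  # constructed messages: two variants of one campaign, one normal mail
    "qzxv Dear customer, win big at our online c-a-s-1-n-0 tonight, claim your bonus now pwmrt",
    "lkjh Dear customer, win big at our online c-a-s-1-n-0 tonight, claim your bonus now zzbnq",
    "Hi Dana, the quarterly report is attached, let me know if the figures look right.",
]

if __name__ == "__main__":
    print(keyword_hits(SAMPLE[0]), bulk_clusters(SAMPLE))
```

An exact-match frequency counter would treat the first two sample messages as different because of the planted tokens, while the shingle comparison still places them in one cluster.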

However, with all these tools, and even though a huge number of email spams are blocked (AOL claims to block 2.5 billion messages every day), spammers and our own mailboxes can still attest that spam is still thriving and on the increase.

4. Terror Spam
We believe that spam can become attractive to terrorist groups, not merely as a tool to spread their messages, but also to raise funds and recruit members. More importantly, we speculate that spam can be used by terrorists to influence non-members to carry out attacks that coincide with the terrorists' goals and plans, and to coordinate activities of a dispersed, heterogeneously motivated network of activists. Whereas today it is commonly assumed that some Islamic terrorist organizations will only recruit staunch believers to carry out attacks (especially suicide attacks), we believe that in the future they may use "outsourcing" techniques, and will find the right justification for doing so. The trigger may be lack of resources, or the clear logistical and operational benefits of "outsourced" activity, but in any event this...


Copyright © 2001-2013 Computer Crime Research Center