Computer Crime Research Center


Terror Spam and Phishing

Date: August 17, 2006
Source: Computer Crime Research Center
By: Tomer Ben-Ari , Ron Rymon , The Interdisciplinary Center Herzliya, Israel

... technology environment provides i.e. giving guide to many people that are located in distance places. Exact orders can be given to all executers telling them precisely what to do in a specific time period or place, additional guidelines can be given via SMS. More over a special secured forum or chat room can be opened and enable the attackers to exchange information between themselves.
If at the same day a number of American symbols such as restaurants, entertainment chains etc…will be attacked the media effect will be very large.

The spam campaign can simply empower “Traditional” cyber terror actions
By encouraging users to DDOS web sites email addresses and other web based services of governments and private companies such as banks, e-com web site etc…and by that disrupt public services.

In some cases the potential users will prefer not to take an active role in terror actions but will be willing to volunteer critical information. Security leaks of critical infrastructure, governmental offices and public places can give a meaningful added value to the terror organizations. Terrorists can tempt users to “help” by offering money to any sensitive information that will be delivered to them.

In Some cases the spread of fear and instability is far more damaging then the physical act of terror itself. We assume there will be cases that will not end with a phisica action due to fear or second thoughts of the carrying person will have. In some cases suspicious activity will attract the eyes of the police who will prevent the action at the last minute. In such cases we believe terror organizations will get credit for reaching the person and manipulating him to execute terror acts, these cases will probably get a wide publicity and frighten the general public. If up until now we thought that a terrorist must come from a certain part of the world or alternative believe in certain things at this point we will have a problem of defining a terrorists due to the fact that it can be the next door neighbor that doesn’t believe in anything suspicious and revenge is the only thing that guides him.Separately, terrorist groups may also want to use spam to simply create panic, by targeting celebrities (e.g., the Madonna case) and otherwise people who may provide them with exposure in the mass media.

In the next section, we discuss the technical of aspects creating and running a terror spam campaign
6. Technical Implementation of Terror Spam Campaign
We propose an implementation blueprint for a Terror Spam System (TSS) that uses available spam technology, and simple modifications thereof that provide the additional security services that terrorists may need.
System Overview
The TSS is designed to enable terrorists to initially contact a wide target audience, and to then continue to communicate with respondents safely until and after the terror act is actually committed.

In the initial phase, the TSS enables the terrorist groups to reach as many potential agents (prospects) as possible. Some prospects may share the terrorist’s motivations, whereas others may simply want to leverage the terrorist’s capabilities and resources in order to achieve their own goals (which may partially coincide with the sponsoring terrorists). In this phase, the TSS provides some mechanisms that would reduce the risk of detection, and others that would help segregate communication channels.

Once the first responses are received, The TSS provides additional security mechanisms, and various controls on the communication with different prospects, including mechanisms designed to segregate communication channels, and to reduce the risks posed by informants and ingenuine respondents, as well as the risk of exposure of genuine respondents.

Figure 1 shows an overview of the TSS system and the flow of information and processing.

Figure 1. Overview of TSS System

Just like in a marketing spam campaign, the goal of the first phase is to mass mail to prospective "agents". The first step in this phase is to acquire lists of email addresses of potential prospects, based on a specified set of target audience criteria. This is done by the “Email address collection” component.

Next, the TSS “Message generation and personalization” component shall construct/design a message (or select one from a number of pre-designed alternatives) to match each of the targeted prospects. The goal here is to personalize a message that is likely to draw the attention and response of targets. Thus, different messages can be mapped to different target audiences.
Subsequently, each message shall be enhanced with security mechanisms using the "Security crafting" component. For example, we propose that messages contain a script, and recipients are requested to reply through this script rather than by clicking "Reply" and using the regular SMTP reply. This script may, for example, encrypt the reply using a public-key scheme. The security mechanisms shall make it more difficult for the ISP to record and track the response, and shall make it difficult for an eavedropper to interpret the actual message. The script may also collect some information about the recipient's machine, using spyware-like technologies. This information, together with the message unique ID, and a time stamp indicating when the message was sent, may later be used to authenticate the respondent and to detect possible "mischief". Finally, different batches of outgoing messages shall be designed to respond to different email addresses (collection points), for segregation reasons.

The next step is of course to send the messages, using the “Spam Sender” component. This component will use standard spamming techniques to distribute the email messages to the target addresses. As an example, to avoid detection, the Spam Sender may distribute the messages into several batches which will be sent through several mail servers and at different times.

This completes the first phase of mass mailing.

The expectation is that a small fraction of recipients will respond to the initial email campaign. The secured script that is embedded in the message will use the identifier, time stamp, and the unique public-key that is provided for this message to encrypt this communication. The reply will be sent to one of several receiving email addresses, per the above mentioned segregation policies. The receiving program will then use the "Detection prevention" component to review the responses for authenticity and for various tell-tales of possible risks. Replies in which there is a mismatch between the unique identifier and the address to which the original message was sent, and the address from which the response was received will be ignored. It is also possible to ignore responses that are not received within a certain time window from their time stamp, as ones that may have been tampered with, e.g., the received may have contacted law enforcement authorities. (of course this may result in some loss of genuine respondents). Filtered messages will be sent to human operators, who will then use a separate communication channel with each respondent.

In the beginning of this "second level communication", the prospect would be provided with software components that would enable the implementation of additional security mechanisms, e.g.
• confidentiality – through encryption using public and/or symmetric key schemes for the communications, as well as for communication traces and data stored locally on the propsect computer
• authentication – using cryptographic means, and also physical and OS identification of the prospect computer
• segregation – using a unique channel and communication address for each prospect
• detection avoidance – by frequent changing email addresses and other "meeting locations"
• detection of mischief – through a spyware component that would monitor the activities of the prospect, and his/her other communications

Description of Specific System Components
In this section, we provide a more granular description and discussion of each of the TSS components.

1. Email addresses collection
The role of this component (which will likely be implemented as a set of specific systems and procedures) is to acquire email lists according to the characterization of the target audience. Spammers are implementing similar systems, which use a variety of automatic and manual methods, e.g.,
• extracting email addresses from mailing lists, directories, chat rooms, and discussion forums
• automated harvesting of email addresses from web pages, who-is contact lists, etc.;
• guessing email addresses for a specific domain, e.g., as a combination of first and last name;
• using social engineering methods to obtain email addresses and other personal information;
• legitimate purchase, and/or bribing for, and/or breaking into consumer databases

2. Message generation/personalization
Mail messages should attract prospects to open and read, and if possible entice prospects to respond/act. Success chances can be improved if the message can be personalized to the specific characteristics and attributes of the targeted reader. As such a different message is likely to work on a devout religious fanatic vs. a disturbed or otherwise problematic teen. In general, messages should be short and to the point. As indicated, the message shall also collect necessary information and initiate second-level contact.

A possible implementation may start with a number of pre-composed message...

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo