Computer Crime Research Center


Terror Spam and Phishing

Date: August 17, 2006
Source: Computer Crime Research Center
By: Tomer Ben-Ari, Ron Rymon, The Interdisciplinary Center Herzliya, Israel

... may start with a number of pre-composed message templates in several languages that will support localization, and then select and fill out the template that best fits each targeted recipient. A matching function shall be constructed to maximize the match between the features of the message and those of the prospective recipient. Dynamically adapting matching functions may be programmed to learn from past response rates.

3. Security crafting
This component adds a security response script to each message. The script shall support automated encryption of the response and targeting of the response directly to one of the collection centers. The script shall also verify that the response does not exceed the valid time window. In addition, the script shall collect and send back some identifiers from the user’s machine, such as the user and machine names, MAC address, and IP address. The script may also collect more subtle information such as email correspondence, browsing information, bookmarks, etc., and may even install a spyware component (or even a trojan) that will continue monitoring the activity on the machine.

4. Spam Sender
The spam sender is fed with a list of email addresses and the message templates that were selected for each. Before sending, the spam sender attaches a time stamp to each message, to start its validity window. The main challenge of the spam sender is to avoid its detection and the blocking of its messages. Spammers have specialized in this, and use methods such as:
• use many and frequently changing IP addresses, as well as spoofed addresses;
• use third-party outgoing mail relays that were left open;
• send smaller batches from each outgoing mail server;
• adapt the templated messages to a form that would be less detectable by filtering programs (this shall probably be done in the messages database itself, rather than in the sender, but we bring it here because it is one of the ways to avoid detection);
• use HTML messages with JavaScript-encrypted frame tags that launch the body text only at the email client;
• use web beacons and deceptive opt-out links to verify which addresses are active (again, this shall probably be fed back into the email addresses database);
• use Trojans on some of the recipients to send more messages from their machines.
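
A defender-side check for three of the techniques in the list above (script-assembled HTML bodies, web beacons, and opt-out links that confirm an address), as an added example that is not part of the original article. The class and function names, the indicator labels and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

class MailScan(HTMLParser):
    """Flags script tags, 1x1 tracking images and links carrying the recipient."""
    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":  # body text assembled only at the client
            self.findings.add("script-in-body")
        elif tag == "img" and self._tiny(a) and urlsplit(a.get("src", "")).query:
            self.findings.add("web-beacon")  # invisible image with a per-message token
        elif tag == "a" and self._has_recipient(a.get("href", "")):
            self.findings.add("recipient-in-link")  # a click confirms the address
    @staticmethod
    def _tiny(a):
        dims = [a.get(n, "").strip().rstrip("px") for n in ("width", "height")]
        return all(d.isdigit() and int(d) <= 1 for d in dims)

    def _has_recipient(self, href):
        query = parse_qs(urlsplit(href).query)  # percent-decodes the values
        return any(v.lower() == self.recipient for vs in query.values() for v in vs)

def scan_message(raw):
    """Return the sorted indicator names found in the HTML body of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    to = msg["To"]
    if body is None or to is None or not to.addresses:
        return []
    scanner = MailScan(to.addresses[0].addr_spec)
    scanner.feed(body.get_content())
    return sorted(scanner.findings)

# Constructed sample message (all hosts and addresses are made up).
SAMPLE = """\
From: sender@example.net
To: user@example.org
Content-Type: text/html; charset="utf-8"

<html><body><script>document.write("hello")</script>
<img src="http://tracker.example/p.gif?id=abc123" width="1" height="1">
<a href="http://tracker.example/optout?e=user%40example.org">unsubscribe</a></body></html>
"""
```

Calling `scan_message(SAMPLE)` returns all three indicator names; a mail filter could use any of them as a scoring signal rather than a hard block, since legitimate newsletters also use tracking images.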

5. Detection prevention
The role of the receiver is to detect responses from law enforcement and other impersonators. Responses that are not well encrypted with the keys originally provided in the script will be rejected. Several rules in the detection prevention component shall seek suspicious information in the machine-specific data returned from the script. This data shall also be stored and compared to future communication with the same prospect. In case of serious suspicion, the receiver may abandon the entire communication associated with this email collection center, assuming it was compromised.

7. Some Recommendations
In order to prevent or minimize terrorists’ success in achieving their goals by using spam, we suggest a few actions that could be taken.

1) Create a “Terror Spam Tracing Center” that will monitor all terror-related traffic. This center will gather data from all ISPs and publish to all ISPs the domains, ISPs, IP addresses, etc. of mail suspected to come from terror organizations. The ISPs will be obliged to block all mail from the terrorist list.
2) Send a follow-up email to every address that receives a “spam-terror” email, saying that the recipient has just received an email from a terror organization and should delete it, indicating that cooperating with terror organizations is a felony, and letting the recipient understand that his actions are being watched and that he will be better off if he stops contact with the terrorist organization.
3) Create a unit that will detect and follow the traces of terror spam in order to reach the perpetrators. Detectives in this unit shall respond to terror spam and shall create contact where possible (undercover, of course) with the relevant cells, with the goal of gathering intelligence and making arrests.
4) Shut down servers that were used to send terror spam, using either legal or semi-legal means depending on the location of those servers.
5) Some thought should be given to protecting the mobile phone industry from SMS terror spam.

8. Conclusion
There is evidence today that religious terror organizations are linking with other terror organizations in order to join forces against common enemies, for example Al Qaeda and far-right groups such as neo-Nazis and skinheads in Europe; these links are suspected to exist at both the financial and the operational levels. If terror organizations decide to extend their links further, to individuals who do not necessarily believe in the organization’s ideology but are willing to take actions that might serve it, then spam email might serve as a perfect tool to achieve those links. We showed how, by using this simple tool, terror organizations can easily cause more violent incidents and increase the level of terror worldwide. Spam can reach civilians inside a target population who want to harm their own population, and provides a perfect communication tool. Spam will allow individuals to contribute to terror organizations both silently and actively, depending on each individual’s preference. We showed that spam is hard to stop and detect: although the industry is taking more meaningful and aggressive approaches against spam, it is still difficult to detect, and many spam emails reach users’ mailboxes at the end of the day. By using spam, terror organizations will spread the knowledge of creating dangerous weapons; as technology gets better and better, the task of creating explosives is becoming unbelievably simple, to the point that teenagers can easily build explosives and activate them. Moreover, spam can help coordinate between people who do not interact directly, and thereby increase the level of terror actions and of public insecurity and fear. Finally, we showed a few actions that can be taken in order to fight the phenomenon of spam terror.
