Just when you thought spam was dead, it’s back and worse than ever

gmail app on phone

Emails promising millions of dollars from a Nigerian prince, to malicious attachments, and nefarious links. All of it falls under the banner of spam. An incredible 40 years have passed since the first email spam was sent out over the progenitor of the internet, the ARPANET, but it remains a threat today. In fact, 2018 is becoming the year of spam.

When all else fails, spam

Spam is making a comeback because other attack vectors aren’t working like they used to. Throughout the history of malware, hackers have discovered many methods of attacking end users and businesses, but a new attack is usually met with a response. Methods that were effective a few years ago, like drive-by downloads, aren’t getting the job done any more.

As cyber-security company F-Secure pointed out in its recent blog post, killing off the Adobe Flash plugin support in browsers has clamped down on many browser-based attacks. By removing that potential attack vector, exploit kits have become far less effective and therefore far less common. Combined with the ever evolving abilities of anti-malware software utilizing machine learning and behavioral tracking, spam’s relative success rate is creeping back up.

“We’ve reduced criminals to spam, one of the least effective methods of infection.”

“We’ve reduced criminals to spam, one of the least effective methods of infection,” F-Secure’s security advisor, Sean Sullivan said. “Anti-malware is containing nearly all commoditized, bulk threats. And honestly, I don’t see anything coming over the horizon that could lead to another gold rush, so criminals are stuck with spam.”

That’s despite the fact modern email clients are better equipped than ever to identify and quarantine spam to prevent its malicious intent from being realized.

Fighting with filters

Just last year Google announced brand new features for its Gmail service that helped it detect 99 percent of spam emails and swiftly dump them into the junk folder. It still faces the odd issue though, like users finding spam emails in their sent folder just a few months ago.

Other companies offer similar services with their email clients. Outlook has a “Junk” folder that automatically scans messages and provides manual controls for blocking or whitelisting certain email addresses and top-level-domains. Thunderbird puts the power in the hands of the users by offering a junk filter that it asks you to “train” by showing it what you consider to be junk mail. Popular free email services like EM Client use open source platforms like Apache SpamAssassin.

outlook email

There’re also several third-party services that can be used to augment existing anti-spam efforts. Mailwasher and SpamSieve are two of the most popular, and though the best versions of them aren’t free, they provide intelligent filtering systems which do a great job of blocking most spam emails.

Despite all of these built-in and add-on options for filtering out junk emails, some are still slipping through. That, combined with the ease of sending spam, is helping it proliferate, and as more malware authors and distributors resort to spamming to make their nefarious gains, they invented new ways to trick both spam filters and people who think they know better.

New spam for a new age

Spam was originally named after the luncheon meat of the same name due to a Monty Python sketch where the word was chanted in an annoying, incessant fashion. But the comparison of a heavily processed product is just as apt today. Modern spam is often smarter and more convincing than you’d expect.

“Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” said Adam Sheehan, Behavioral Science Lead at MWR InfoSecurity, told The Economic Times.

Spammers personalizing emails to make them seem to come from a legitimate source, or someone known to the recipient, is the most effective tactic, raising the chance of a click on a link or email attachment by 12 percent.

Other methods to increase spam’s efficacy include having a subject line that’s free from errors. That ups the chances of a successful attack by 4.5 percent. Phishing emails can be more successful if an emergency is implied, rather than explicitly stated.

“They are using links that are these crazy redirect loops, that are redirecting you from page to page.”

The requisite steps that the recipient must take to infect themselves with the content of spam emails are changing, too. Malicious email attachments now account for 23 percent of spam emails, as per F-Secure’s Päivi Tynninen. But a new wrinkle to that old attack vector is adding a password to the file which is provided in a second attachment. That means that automated detection tools may not be able to analyze the malicious file, as they can’t access it directly.

Modern spam emails frequently use malicious links. They make up 31 percent of spam emails according, to F-Secure. Those links will eventually lead the clicker to a malicious file download, often executing through some form of macro embedded in a document for Word, Powerpoint, or Excel. Even those links are changing. Where once the original link would send you straight to the malicious software, now your browser will jump through a few hoops first.

“Attackers are adding additional layers to avoid automatic analysis and researchers trying to intercept their potentially good infections and creating detections for those,” Tynninen said during a recent episode of the Security Sauna podcast. “They are using these links that are these crazy redirect loops that they are redirecting you from page to page, and after a couple to maybe seven different page redirections you get the final payload, which is only the downloader document with macros. ”

statista spam by category

That number of redirects might seem excessive, but if researchers try to retrace the steps to provide better detection for such attacks, the attackers can take down just one of the redirect websites. That breaks the chain and makes investigation more difficult.

The biggest spam attack vector of them all? Tugging at the heart strings of email users. A full 46 percent of spam emails focus on some form of dating scam. These trick recipients into thinking someone has found their profile on a dating site and wants to chat or meet up.

Old advice still stands

While new methods of attack from spammers and scammers are always a little scary, spam remains as easy to avoid as it is to send.

Unless you specifically requested to receive a certain email attachment from a specific person – don’t open it. Better yet, don’t open anything and have your friend or work colleague send you the file in a more secure platform like a cloud storage service. Don’t click links in emails, either. Always go to the source. If you do have to click a link for whatever reason, check where it’s sending you first by hovering over the link. Chrome, Firefox, and Edge all showcase the raw link in the bottom-left of your screen when you do so. Make sure it’s not sending you somewhere unexpected.

Don’t click links in emails, either. Always go to the source.

F-Secure also highlights a number of brands that are commonly spoofed in spam emails. UPS, Amazon, FedEx, Apple, and Paypal are the companies most often faked, so be wary when receiving emails from those companies.

Above all else, take heart that the effort you put into digital security is paying off. Spam isn’t an effective foodstuff, and it’s not a great way to spread malware either — but when it’s all scammers have to work with, they’ll gladly scoop out another gelatinous spoonful. Don’t join them at the table.


The Andromeda botnet still lingers as nations struggle to clean infected PCs

A report by Fortinet suggests that although the FBI and Europe ended the Andromeda botnet’s reign in late 2017, there are still infected PCs. Cleaning up these PCs isn’t progressing at the same pace across various regions.
Smart Home

White-hat Chinese hackers turn Alexa into a spy, briefly

A team of Chinese researchers revealed this week that they were able to use a cracked Amazon Echo to exploit a series of Alexa interface flaws to take control over an unteuched Echo running on the same network.

A brand-new Mac can be hacked remotely during its first Wi-Fi connection

Researchers discovered a security flaw affecting versions of MacOS prior to 10.13.6 that allows hackers to take control of a Mac during first-time setup and device provisioning. Malicious code can then be injected into the Mac.

3 easy ways to capture a screenshot on your Windows computer

Capturing a screenshot of your desktop is easier than you might think, but it's the kind of thing you'll probably need to know. Here are the three basic ways take a screenshot on a PC, using both built-in utilities and free software.

What's the best laptop? We've reviewed a lot of them -- and this is our answer

The best laptop should be one that checks all the boxes: Great battery life, beautiful design, and top-notch performance. The laptops we've chosen for our best laptops you can buy do all that — and throw in some extra features while…

Researchers hack John McAfee’s ‘unhackable’ Bitfi cryptocurrency wallet

Researchers have successfully hacked John McAfee's Bitfi cryptocurrency wallet. Researchers show that the device can be hacked, as they have gained access to the device's private keys and passphrase despite McAfee's security promotion.

Pricing and lack of content are still barriers against the adoption of VR

A recent survey questioned 595 VR and AR professionals about business growth in the consumer and enterprise markets. Only 24 percent report strong sales in the enterprise while 18 percent show strong sales in the consumer market.

Tired of choosing between Windows and Mac? Check out these Chromebooks instead

We've compiled a list of the best Chromebooks -- laptops that combine great battery life, comfortable keyboards, and the performance it takes to run Google's lightweight Chrome OS. From Samsung to Acer, these are the Chromebooks that really…
Emerging Tech

The world’s first practical quantum computer has cash and a timeline

The dream of building a practical quantum computer could be closer than ever, thanks to a $15 million grant from the National Science Foundation to seven universities around the United States.

Nvidia teases new GeForce RTX 2080 launch at Gamescom next week

Gamers will have something exciting to look forward to next week when Gamescom starts. Nvidia posted a teaser video to YouTube containing hints that it could use the venue to announce the new GeForce RTX 2080 graphics chip.

Nvidia introduces its eighth-generation ‘Turing’ design, but not in gaming cards

Nvidia revealed its new graphics chip design called “Turing” during SIGGRAPH 2018. Rumored to be the foundation of Nvidia’s next family of GeForce cards, the company instead showcased Turing in Quadro RTX-branded cards for pros.
Home Theater

HDMI 2.0b is a whole lot more than just a connection to your TV

HDMI 2.0b is the backbone for many of the latest updates in 4K UHD technology. And while a new cable standard can often involve a bunch of changes for consumers, that is not the case this time around.

Want to watch Netflix in bed or browse the web? We have a tablet for everyone

There’s so much choice when shopping for a new tablet that it can be hard to pick the right one. From iPads to Android, these are our picks for the best tablets you can buy right now whatever your budget.

For work or for play, these are the 5 best laptop deals for college students

Whether you're getting ready for a new school year, shopping for a special student, or just need a new computer, we've got you covered: These are the five best laptop deals going right now, from discounted MacBooks to an on-the-go gaming…