The Register® — Biting the hand that feeds IT

Spammers dump images, switch to PDF files

Cat-and-mouse

Foiled by increasingly accurate corporate spam filters, spammers have dumped pictures for PDFs in their bulk emailings, according to the latest data from security firms.

Image spam, which at the beginning of the year accounted for nearly 60 per cent of all junk email, has plummeted and now accounts for only about 15 per cent of spam.

In its place, the number of junk email messages carrying an attachment in the Portable Document Format (PDF) has steadily climbed since mid-June, accounting for as much as a third of spam.

"It went from zero to - when the spammers started experimenting - 50-50 image spam and PDF spam," said Matt Sergeant, senior anti-spam technologist for email security firm MessageLabs. "Now, it's gone to wholesale PDF spam."

The ebb and flow of different types of spam is an indicator of the arms race between spammers and network defenders. Image spam took off in late 2006, primarily as a way to tout penny stocks and manipulate the volatile over-the-counter markets. Yet, other types of spam, advertising products from fraudulent pharmaceuticals to sexual enhancement devices, soon started using embedded images as well. The growth of image spam peaked earlier this year, making up as much as two-thirds of all spam in January.

Companies have adapted to the attack, however, detecting the unwanted images and blocking them, said MessageLabs' Sergeant.

"The volume of image spam was so great that a number of large businesses took to wholesale blocking of emails coming in with image attachments," he said.

The better filtering has led spammers to change tactics and experiment with PDF files.

While security firms agreed that PDF files started regularly appearing as spam attachments around mid-June, estimates of the volume of PDF spam varied somewhat between companies.

MessageLabs, which filters out virus-laden and spam email messages for its clients, estimated that about 30 per cent of all spam now uses PDF files.

Security firm McAfee had a more modest estimate that 2.6 per cent of all junk email messages carried PDF files, while Symantec, the owner of SecurityFocus, has found that the fraction varies between two and seven per cent.

"The spammers are doing the old cat-and-mouse game," said Guy Roberts, senior research manager for anti-spam at McAfee. "Vendors have caught up to spammers and detection is pretty good for image spam, so (the spammers) are changing tactics in order to get their message across."

The growth of spam email messages with PDF attachments has also caused the total bandwidth consumed by spam to grow quickly, because PDF files tend to be much larger than the GIF images they are replacing.

From a spammer's point of view, the strength of PDF is that many companies require their email systems to pass such documents through to the user, said Menashe Eliezer, director of anti-spam research for security firm CommTouch. Because PDFs are ubiquitous in the business world, such attachments are more likely to reach users, he said.

"Now, they are using professional looking PDFs, and if it doesn't look like spam, that's even better," Eliezer said.

While moving unwanted advertisements from images to PDFs may make it more likely that the message reaches the intended recipient, whether or not that person opens the attachment is another question, said Doug Bowers, senior director of anti-spam engineering for Symantec.

"We are interested in seeing if this is really effective in getting a spam message, not just delivered, but also read," Bowers said.

In the end, if PDF spam cannot deliver more eyeballs to spammers, the trend may end up being a short-lived phase, he said.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Latest Comments

Re: pdfs

Quote:

By Jason Hall

Posted Monday 23rd July 2007 11:20 GMT

Wow... I must have the slowest spammers ever.

Only over the last week have I even started receiving pdfs as part of my daily spam regimen.

--

Ah no, you don't, that would be me.

I ain't received a PDF spam yet.

Title

We too have a slow spam provider (or our filters are working quite well). However, the only two of these I have seen have contained only random text without trying to sell anything.

Ministry for Information Technology

A new Ministry for Information Technology would be an excellent idea. We could actually make RFCs law, and oblige ISPs to disconnect users whose machines are so badly configured as to compromise the security of the network.

However, the best thing a hypothetical new Ministry for Information Technology could do would be to mandate that *all* software is to be made available in Source Code form, whether or not it is intended to be distributed by users.

Concealing the Source Code has done *nothing* to prevent widespread unauthorised copying of Windows and Office. It has, however:

* Wasted countless person-hours as people, denied the ability to adapt the software to suit the way they do business, have been forced to adapt the way they do business to match what the software expects.

* Created a situation where drivers for devices soldered to the SAME motherboard can conflict with one another, because the drivers are being written by people who do not get to see each other's code and hence are not able to check for hidden pitfalls they might be creating for each other; and where accidentally-stumbled-upon hidden APIs can be used for mischief.

* It has also created a situation where hardware manufacturers can decree obsolescence by stopping providing drivers for new Operating Systems (if the Source Code were available, drivers could easily be written), and make inaccurate claims which cannot be disproved because the Source Code is hidden (e.g. the use of a 2Mpx sensor in a so-called "6 megapixel" digital camera, whose firmware then creates JPEG images containing the claimed number of pixels; the source code for converting the RAW image format would reveal this duplicity, hence it is kept hidden from users).

* It has tied customers to vendors by creating artificial barriers; the reason why there is no credible competition for MS Office is the closed save-file format, which is hard to decipher without information which Microsoft deliberately withhold and which Microsoft change with every release to thwart competitors (and to persuade users of older Office versions to update to the latest version, for no better reason than because they can no longer load files saved by their contacts using the latest version; old versions of Microsoft software pose a greater threat to Microsoft than Open Source).

If Microsoft, Adobe and all the rest of the Closed Source vendors don't like it, then let them go and jump. Users outnumber vendors; and our right to inspect and modify the Source Code of programs we run on OUR computers must trump their right to keep secrets and tell lies. Perhaps a few years ago, consumer power alone would have been enough to create a regime which was favourable to users at the expense, if necessary, of rich corporations; but today, ONLY a government can do this.

Even if the players decided to "take their ball home" and stopped selling their wares in the UK, the resulting setback to the UK's IT industry would be only a temporary one; and, following the recovery, we would be in a far better position than countries where the bully-boy tactics of the big closed-source vendors were still being tolerated.
