Spam or Malware: can you tell the difference?
Date: Nov 4, 2013
Guest post: Proofpoint Essentials.
Ongoing studies (thank you, Dark Reading) show that an increasing portion of ‘spam’ is in fact malicious – as much as one in every three spam messages with attachments and nearly 100% of the .zip attachments.
Our observations agree – we’ve observed peak periods where more than 30% of total “spam” caught was actually part of a malicious attack, featuring either an embedded malicious URL or malware attachment.
But worse, “harmless” spam (advertising, solicitations) and actively malicious threats are increasingly indistinguishable to the naked eye, or even to link-following technologies and individual researchers.
Why: attackers have begun to use sophisticated Traffic Distribution Systems (TDSs) as a front-end filter for malware hosted on websites. A TDS transparently inspects and filters the incoming browser requests generated by users clicking on links embedded in email, redirecting researcher and automated (sandbox or crawler) requests to harmless sites while allowing targeted users’ browsers to proceed to the malware and compromise. (For more detail on the attacker infrastructure, see our prior post here…)
In short, this multi-stage obfuscation means that it’s exceptionally difficult for an individual end-user or system to make a judgment that any single email message will always be ‘benign’, especially if based on a single check at point of entry.
Given that conclusion, we’d question whether any URL- or attachment-containing email should ever be treated as simple spam.
In fact, we’d suggest treating all unsolicited email messages that reach end-users as potentially dangerous, and not leaving them in end-users’ inboxes (or in a user-releasable quarantine) in the hope that users won’t click, or that it won’t really matter if they do… because, as our research shows, people will click!
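The triage rule the post argues for, written out as an added example in Python (this is not Proofpoint’s code, and it is not part of the original post). It assumes an upstream filter has already produced a spam verdict, and it then refuses to treat a spam-flagged message that carries a URL or an attachment as ordinary spam: such messages go to an admin-only hold rather than a spam folder or a user-releasable quarantine, with .zip attachments ranked highest. The sample messages, addresses and the `invoice.zip` payload are constructed for the example.

```python
import email
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

# Plain http(s) URL matcher for inline text; good enough to decide "has a URL".
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Triage:
    risk: str                # 'high', 'elevated', 'low' or 'none'
    disposition: str         # 'hold' (admin release only), 'spam-folder' or 'deliver'
    urls: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def extract_urls(msg):
    """Collect http(s) URLs from the inline text parts of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue  # attached text files count as attachments, not as body
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw_message, spam_verdict):
    """Decide where a message goes, given the upstream spam verdict (bool).

    The point of the rule: once a message is flagged as spam, the presence of
    a URL or attachment is enough to hold it out of the user's reach, because
    a single check at point of entry cannot prove the link or file is benign.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = extract_urls(msg)
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    has_zip = any(name.lower().endswith(".zip") for name in attachments)

    if not spam_verdict:
        risk, disposition = "none", "deliver"
    elif has_zip:
        # The post cites nearly 100% of spam .zip attachments as malicious.
        risk, disposition = "high", "hold"
    elif urls or attachments:
        risk, disposition = "elevated", "hold"
    else:
        # Advertising with no link and no file is the only case left as "just spam".
        risk, disposition = "low", "spam-folder"
    return Triage(risk, disposition, urls, attachments)


def _build(body, zip_attachment=False):
    """Build a constructed sample message and return its raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed
    msg["To"] = "user@example.invalid"          # constructed
    msg["Subject"] = "Your invoice"
    msg.set_content(body)
    if zip_attachment:
        # Placeholder bytes, not a real archive; only the filename matters here.
        msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                           maintype="application", subtype="zip",
                           filename="invoice.zip")
    return msg.as_bytes()


PLAIN_SPAM = _build("Cheap watches, reply to this message to order.")
URL_SPAM = _build("Your invoice is ready: http://invoice.example.invalid/view?id=123")
ZIP_SPAM = _build("Invoice attached.", zip_attachment=True)


if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_SPAM), ("url", URL_SPAM), ("zip", ZIP_SPAM)):
        result = triage(raw, spam_verdict=True)
        print(f"{label:6s} risk={result.risk:9s} disposition={result.disposition}")
```

The spam verdict is deliberately an input rather than something the rule computes: the rule changes what happens *after* the filter has spoken, which is where the post says the mistake is made.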
Protect your end users – find out more about our email security service