Skip to main content

Just when you thought spam was dead, it’s back and worse than ever

gmail app on phone
Image used with permission by copyright holder

Emails promising millions of dollars from a Nigerian prince, to malicious attachments, and nefarious links. All of it falls under the banner of spam. An incredible 40 years have passed since the first email spam was sent out over the progenitor of the internet, the ARPANET, but it remains a threat today. In fact, 2018 is becoming the year of spam.

When all else fails, spam

Spam is making a comeback because other attack vectors aren’t working like they used to. Throughout the history of malware, hackers have discovered many methods of attacking end users and businesses, but a new attack is usually met with a response. Methods that were effective a few years ago, like drive-by downloads, aren’t getting the job done any more.

As cyber-security company F-Secure pointed out in its recent blog post, killing off the Adobe Flash plugin support in browsers has clamped down on many browser-based attacks. By removing that potential attack vector, exploit kits have become far less effective and therefore far less common. Combined with the ever evolving abilities of anti-malware software utilizing machine learning and behavioral tracking, spam’s relative success rate is creeping back up.

“We’ve reduced criminals to spam, one of the least effective methods of infection.”

“We’ve reduced criminals to spam, one of the least effective methods of infection,” F-Secure’s security advisor, Sean Sullivan said. “Anti-malware is containing nearly all commoditized, bulk threats. And honestly, I don’t see anything coming over the horizon that could lead to another gold rush, so criminals are stuck with spam.”

That’s despite the fact modern email clients are better equipped than ever to identify and quarantine spam to prevent its malicious intent from being realized.

Fighting with filters

Just last year Google announced brand new features for its Gmail service that helped it detect 99 percent of spam emails and swiftly dump them into the junk folder. It still faces the odd issue though, like users finding spam emails in their sent folder just a few months ago.

Other companies offer similar services with their email clients. Outlook has a “Junk” folder that automatically scans messages and provides manual controls for blocking or whitelisting certain email addresses and top-level-domains. Thunderbird puts the power in the hands of the users by offering a junk filter that it asks you to “train” by showing it what you consider to be junk mail. Popular free email services like EM Client use open source platforms like Apache SpamAssassin.

outlook email
Image used with permission by copyright holder

There’re also several third-party services that can be used to augment existing anti-spam efforts. Mailwasher and SpamSieve are two of the most popular, and though the best versions of them aren’t free, they provide intelligent filtering systems which do a great job of blocking most spam emails.

Despite all of these built-in and add-on options for filtering out junk emails, some are still slipping through. That, combined with the ease of sending spam, is helping it proliferate, and as more malware authors and distributors resort to spamming to make their nefarious gains, they invented new ways to trick both spam filters and people who think they know better.

New spam for a new age

Spam was originally named after the luncheon meat of the same name due to a Monty Python sketch where the word was chanted in an annoying, incessant fashion. But the comparison of a heavily processed product is just as apt today. Modern spam is often smarter and more convincing than you’d expect.

Monty Python - Spam

“Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” said Adam Sheehan, Behavioral Science Lead at MWR InfoSecurity, told The Economic Times.

Spammers personalizing emails to make them seem to come from a legitimate source, or someone known to the recipient, is the most effective tactic, raising the chance of a click on a link or email attachment by 12 percent.

Other methods to increase spam’s efficacy include having a subject line that’s free from errors. That ups the chances of a successful attack by 4.5 percent. Phishing emails can be more successful if an emergency is implied, rather than explicitly stated.

“They are using links that are these crazy redirect loops, that are redirecting you from page to page.”

The requisite steps that the recipient must take to infect themselves with the content of spam emails are changing, too. Malicious email attachments now account for 23 percent of spam emails, as per F-Secure’s Päivi Tynninen. But a new wrinkle to that old attack vector is adding a password to the file which is provided in a second attachment. That means that automated detection tools may not be able to analyze the malicious file, as they can’t access it directly.

Modern spam emails frequently use malicious links. They make up 31 percent of spam emails according, to F-Secure. Those links will eventually lead the clicker to a malicious file download, often executing through some form of macro embedded in a document for Word, Powerpoint, or Excel. Even those links are changing. Where once the original link would send you straight to the malicious software, now your browser will jump through a few hoops first.

“Attackers are adding additional layers to avoid automatic analysis and researchers trying to intercept their potentially good infections and creating detections for those,” Tynninen said during a recent episode of the Security Sauna podcast. “They are using these links that are these crazy redirect loops that they are redirecting you from page to page, and after a couple to maybe seven different page redirections you get the final payload, which is only the downloader document with macros. ”

statista spam by category
Image used with permission by copyright holder

That number of redirects might seem excessive, but if researchers try to retrace the steps to provide better detection for such attacks, the attackers can take down just one of the redirect websites. That breaks the chain and makes investigation more difficult.

The biggest spam attack vector of them all? Tugging at the heart strings of email users. A full 46 percent of spam emails focus on some form of dating scam. These trick recipients into thinking someone has found their profile on a dating site and wants to chat or meet up.

Old advice still stands

While new methods of attack from spammers and scammers are always a little scary, spam remains as easy to avoid as it is to send.

Unless you specifically requested to receive a certain email attachment from a specific person – don’t open it. Better yet, don’t open anything and have your friend or work colleague send you the file in a more secure platform like a cloud storage service. Don’t click links in emails, either. Always go to the source. If you do have to click a link for whatever reason, check where it’s sending you first by hovering over the link. Chrome, Firefox, and Edge all showcase the raw link in the bottom-left of your screen when you do so. Make sure it’s not sending you somewhere unexpected.

Don’t click links in emails, either. Always go to the source.

F-Secure also highlights a number of brands that are commonly spoofed in spam emails. UPS, Amazon, FedEx, Apple, and Paypal are the companies most often faked, so be wary when receiving emails from those companies.

Above all else, take heart that the effort you put into digital security is paying off. Spam isn’t an effective foodstuff, and it’s not a great way to spread malware either — but when it’s all scammers have to work with, they’ll gladly scoop out another gelatinous spoonful. Don’t join them at the table.

Jon Martindale
Jon Martindale is a freelance evergreen writer and occasional section coordinator, covering how to guides, best-of lists, and…
Final Fantasy 7 Rebirth proves, once again, that 8GB GPUs are on their way out
Final Fantasy VII Rebirth running on the Steam Deck.

Final Fantasy 7 Rebirth is headed to PC in a few short weeks, and ahead of the release, Square Enix has released the PC requirements for the game. There are a couple of interesting specs, but one stands out in particular. Even some of the best graphics cards, particularly those packing 8GB of VRAM, might struggle to run the game.

You can see the full system requirements below. At the bottom of the list for each of the configurations, there's a note about VRAM capacity. For 1080p and 1440p, the requirements call for a GPU with at least 12GB of video memory when used with a 4K monitor, while at proper 4K, the requirements call for a GPU with 16GB of memory.

Read more
Don’t get your hopes up for next-gen GPUs just yet
Two RTX 4060 graphics cards stacked on top of each other.

The list of the best graphics cards will probably look a lot different in a month's time. We're standing on the edge of the next generation of graphics cards, and it looks like Nvidia, AMD, and Intel all have big plans in store. At least from the conversations I've had, all eyes are on what the next generation of graphics cards has to offer before making an upgrade decision.

That's generally good advice -- if new hardware is about to launch, there isn't much reason to spend up for last-gen components. You'll likely pay a higher price, and you could be missing out on some big performance gains. This generation, however, it's important to temper expectations. Although the next generation of graphics cards is exciting, it probably won't be a reality for most gamers anytime soon.
Always start with the flagships

Read more
Yes, it’s real: ChatGPT has its own 800 number
1-800-chatgpt

On the 10th of its "12 Days of OpenAI" media event, the company announced that it has set up an 800 number (1-800-ChatGPT, of course) where anyone in the U.S. with a phone line can dial in and speak with the AI via Advanced Voice Mode. Because why not.

“[The goal of] OpenAI is to make artificial general intelligence beneficial to all of humanity, and part of that is making it as accessible as possible to as many people as we can,” the company's chief product officer, Kevin Weil, said during the Wednesday live stream. “Today, we’re taking the next step and bringing ChatGPT to your telephone.”

Read more