SPAM: stupid pointless annoying…malware?
What comes to mind when you think about spam? Miracle pills from digital doctors and Internet pharmacies that guarantee to grow your hair and other things? How about chain emails like the one that promised you a portion of Bill Gates’ fortune if you forwarded the email to your friends? What about the ubiquitous advertisements for XXX, hardest of the hardcore adult video sites? Or do you hear the word “Spam” and think, what’s for lunch?
This article is all about spam—and that’s spam with a lowercase “s.” Not to be confused with the polarizing luncheon meat. Because a lot of people around the world love Spam (especially Guam), but everyone hates spam.
Despite the great strides the world has made in the fight against spam, as of 2018 Cisco Talos reports spam makes up 85% of all daily email, with most originating in the United States, followed closely by Brazil, and China. According to Forbes, advertising about products and services comprise 98 percent of all that junk being sent.
But it’s the remaining two percent of spam email that keeps cybersecurity researchers up at night. Things like phishing emails that steal our logins. So-called Nigerian princes that promise us vast riches and end up stealing our money. And malspam that tricks us into downloading attachments loaded with destructive malware.
We tend to think of cybercrime as something that happens to other people—people who simply weren’t careful about their online activities. The reality is that we’re all constantly under attack from cybercriminals and the proof is in your inbox.
So read on and learn everything you ever wanted to know about spam, what you can do to stop it, and the do’s and don’ts of managing your inbox.
Recent news on spam
Phone spampocalypse: fighting back in the age of unwanted callsEmotet on the rise with heavy spam campaign
A month of giveaway spam on Twitter
What is the definition of spam?
Spam is any kind of unwanted, unsolicited digital communication, often an email, that gets sent out in bulk. Spam is a huge waste of time and resources. The Internet service providers (ISP) carry and store the data. When hackers can’t steal data bandwidth from the ISPs, they steal it from individual users, hacking computers and enslaving them in a zombie botnet. Software providers invest resources creating email applications that try to filter most of the spam out. Consumers waste time sifting through whatever makes it past the spam filters. According to Oracle Dyn the total cost of spam, in terms of productivity, energy and technology, adds up to $130 billion. It’s an annoying and endless cycle.
If there’s an inbox, spammers will find a way to clog it. Spam can also be found on Internet forums, text messages, blog comments, and social media. Email spam, however, is by far the most prevalent, and often the most threatening to consumers.
Before we address the dangers looming in your inbox, let’s take a step back and look at the spam of yesteryear, and figure out how we got here.
"Spam is any kind of unwanted, unsolicited digital communication, often an email, that gets sent out in bulk."
What is the history of spam?
The history of spam starts in 1864, over a hundred years before the Internet, with a telegram sent en masse to a number of British politicians. In a prescient sign of things to come, the telegram was an advertisement for teeth whitening.
The first example of an unsolicited email dates back to 1978 and the precursor to the Internet—ARPANET. This proto-Internet spam was an advertisement for a new model of computer from Digital Equipment Corporation. It worked—people bought the computers.
By the 1980s, people came together on regional online communities, called bulletin boards (BBSes), run by hobbyists on their home servers. On a typical BBS, users were able to share files, post notices, and exchange messages. During heated online exchanges, users would type the word “spam” over and over again to drown each other out. This was done in reference to a Monty Python sketch from 1970 in which a husband and wife eating at a working-class café find that almost everything on the menu contains Spam. As the wife argues with the waitress over the preponderance of Spam on the menu, a chorus of Vikings drowns out the conversation with a song about Spam.
The use of the word “spam” in this context, i.e. loud annoying messaging, caught on—to the chagrin of Hormel Foods, the maker of Spam.
Over on Usenet, a precursor to the Internet that functions much like today’s Internet forums, “spam” was used to refer to excessive multiple posting across multiple forums and threads. The earliest Usenet spam included a fundamentalist religious tract, a political rant about the Armenian Genocide, and an advertisement for green card legal services.
Spam didn’t start in earnest until the rise of the Internet and instant email communication in the early 90s. Spam reached epidemic proportions with hundreds of billions of spam emails overwhelming our inboxes.
In 1999, Melissa, the first virus that spread via macro-enabled Word documents attached to emails was let loose upon the digital world. It spread by ransacking victims’ contact lists and spamming itself to everyone the victim knew. In the end, Melissa caused $80 million in damages, according to the FBI.
Without any anti-spam legislation in place, professional spammers rose to prominence, including the self-proclaimed “Spam King” Sanford Wallace. True to his nickname, Wallace was at one time the biggest sender of spam emails and social media spam on sites like Myspace and Facebook.
It wasn’t until the early 2000s that governments around the world started to get serious about regulating spam. Notably, all member countries of the European Union and the United Kingdom have laws in place that restrict spam. Likewise, in 2003 the United States put a set of laws in place cheekily called the CAN-SPAM Act (once again, Hormel just can’t get a break). These laws, in the US and abroad, place restrictions on the content, sending behavior, and unsubscribe compliance of all email.
At the same time, top email providers Microsoft and Google worked hard to improve spam filtering technology. Bill Gates famously predicted spam would disappear by 2006.
Under these laws a rogue’s gallery of spammers, including the Spam King, were arrested, prosecuted and jailed for foisting penny stocks, fake watches and questionable drugs on us. In 2016 Sanford Wallace was convicted, sentenced to 30 months in prison, and ordered to pay hundreds of thousands in restitution for sending millions of spam messages on Facebook.
And yet spam is still a thing. Sorry, Bill.
In spite of the best efforts of legislators, law enforcement and technology companies, we’re still fighting the scourge of unwanted, malicious email and other digital communication. The fact of the matter is that the business of spam requires little effort on behalf of spammers, few spammers actually go to jail, and there’s lots of money to be made.
In a joint study on spam between University of California, Berkeley, and University of California, San Diego, researchers observed a zombie botnet in action and found the operators of the botnet sent out 350 million emails over the course of a month. Out of these hundreds of millions of emails the spammers netted 28 sales. This a conversion rate of .00001 percent. That being said, if the spammers continued to send out spam at that rate, they would pull in 3.5 million dollars in the span of a year.
So what, exactly, are the types of spam that continue to fill our inboxes to the brim and what can we do about it?
What are the types of spam?
There are several types of spam to consider. On one end of the spam spectrum, you have mostly benign marketing spam from unscrupulous sellers haranguing us with dubious get-rich-quick schemes, and various pills that haven’t been approved by the FDA.
On the other end of the spam spectrum, you have the serious threats—cybercriminals attempting to break into your online accounts, steal your data, steal your money and spread malware.
While marketing spam is annoying, it’s not a significant threat. Emails of this type are mostly filtered out by your email software, and whatever makes it past the filters is easy enough to identify as spam and flag for removal.
The latter group of threats is harder to combat and far more dangerous.
Advance-fee scams
First in our lineup of email threats are advance-fee scams. Also known as the Nigerian scam or 419 scam, because the scam originated in Nigeria (419 refers to the section of the Nigerian criminal code the scams violate). Despite lending its name to the infamous scam, only a small fraction of spam originates from Nigeria. The country ranks number 68 in top spam senders according to Cisco Talos.
Apropos of the name, the advance-fee scam involves a mysterious sender offering you a vast reward in exchange for a cash advance, usually as some sort of processing fee, required to unlock the larger sum. Once you wire the cash to the cybercriminal, the sender disappears with your money. There never was a princely fortune or secret inheritance to begin with.
Another variant of the advance-fee scam turns unsuspecting victims into money mules. Often described by scammers as “payroll management” jobs, victims’ bank accounts are used to launder and transfer dirty money. In exchange, victims get to keep a portion of the ill-gotten gains for acting as the middleman. When the police come knocking, it’s usually on the door of the unfortunate middleman as the criminal masterminds are nowhere to be found.
Scams like these seem fairly transparent, yet people fall for them every day due in large part to the deep bag of tricks scammers have at their disposal. These tricks are called social engineering. Social engineering refers to the methods scammers use to pressure victims into taking some sort of action. Social engineering often involves psychological manipulation, playing to the victim’s greed, vanity, or empathy.
“Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind,"
Adam Kujawa
Director of Malwarebytes Labs
Phishing emails
Adam Kujawa, Director of Malwarebytes Labs, says of phishing emails: “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”
Phishing emails trick victims into giving up sensitive information, e.g. website logins, and credit card info, by way of social engineering and email spoofing. Spoofed emails mimic, or spoof, an email from a legitimate sender, demanding some sort of action. Well executed spoofs will contain familiar branding and content, and sound urgent—even threatening. Common phishing ploys include:
- A request for payment of an outstanding invoice.
- A request to reset your password or verify your account.
- Verification of purchases you never made.
- A request for updated billing information.
By tricking us into giving up valuable information, cybercriminals are able to hack the online services we use every day without any real technological savvy. To put it another way, why pick the lock when you can just steal the key?
Malspam
Malspam is any kind of malware spread via spam. Much like advance-fee and phishing emails, malspam relies on social engineering to trick recipients into taking some kind of action, often against our better judgment, like clicking a download link, or opening an attachment contained in the email that infects your computer with malware.
In either case, these downloads and attachments often come in the form of Word, Powerpoint or PDF files with malicious code hidden in the scripts/macros (i.e. automated tasks). When the document is opened the scripts run, retrieving the malware payload from the command and control (C&C) servers run by the cybercriminals.
Malware payloads vary greatly. The malware payload may enslave your computer into a botnet for the purposes of sending out more spam. More often than not the payload will be a Trojan. As we noted in our Cybercrime Tactics and Techniques Report, the majority of malware attacks in 2018 for both businesses and consumers were identified as Trojans of some kind.
Banking Trojans, for example, are designed to steal sensitive financial information off your computer. And in an interesting twist, some Trojans, e.g. Emotet and TrickBot, are now being used as a delivery mechanism for other malware, like ransomware, adware, spyware, or cryptojackers.
Spam on mobile/Android
Have you ever received a robocall? That’s call spam. What about a text message from an unknown sender attempting to sell something, maybe even containing a link to who knows what? That’s text message spam. Welcome to the hellacious world of mobile spam.
Now that mobile devices are commonplace, and Internet calling (VOIP) is cheap, spammers have a whole new way to spew out unwanted communication. The Android userbase alone includes more than 2 billion users for cybercriminals to target.
The most common mobile phone scams, as reported by USA Today, are prerecorded scam messages purportedly from banks, credit card companies, cable companies, and debt collectors. Another robocall scam targeting the Chinese-American community, involves a pre-recorded message claiming to be from the Chinese consulate, telling the recipient there’s an important document for them. Naturally, retrieving the document costs money. All told, this scam took in approximately $3 million.
Unless coming from a charity, political campaign, healthcare provider or purely informational call from a business or service you use, robocalls are illegal. Ditto for text messages.
How can I stop spam?
Now that you’re informed about spam, here are some tips on how to identify phishing emails and malspam and prevent yourself from becoming a victim.
Don’t respond to spam. Our first tip for stopping spam is: stop responding to spam. Have you ever read a comically bad spam email and wondered “Who actually clicks or responds to these things?” Well, wonder no more. In a spam survey conducted by the Messaging, Malware and Mobile Anti-Abuse Working Group, 46% of respondents said they clicked or replied to spam out of curiosity, to unsubscribe, or to learn more about the products/services being offered. Don’t be one of these people. By responding to spam you demonstrate to spammers that your email is valid and they will send you more spam.
The same advice applies to mobile phone spam. Just hang up and add the caller to your smartphone’s blocked numbers list. If it’s a text message you can copy and forward it to the number 7726 (SPAM), doing so improves your phone carrier’s ability to filter out spam messages.
By pressing “one” to opt-out or engaging with scammers in any way, you’re demonstrating that your phone number is valid and that you will respond. Moreover, by speaking, scammers can record your voice and use audio samples of you saying “yes” to authorize charges for things and services you don’t want.
Turn your spam filter on. The email providers do the hard work when it comes to stopping spam. Most bulk email never even makes it past our email filters and into our inbox. Granted, legitimate emails sometimes make their way, erroneously, into the spam folder, but you can prevent this from happening in the future by flagging these emails as “not spam,” and adding legitimate senders to your contacts list.
Turn macros off. Definitely don’t enable macros by default. And if someone emails you an attachment and the document asks you to “enable macros,” click “no”—especially if you don’t know the sender. If you suspect it may be a legitimate attachment, double check with the sender, and confirm that they, indeed, sent you the file.
Learn how to spot phishing emails. Here are the five red flags for spotting a phishing email. If you see any of these, then you’re probably looking at a phishing email.
- The sender’s address isn’t correct. If it’s a legitimate email the sender’s address should match the domain for the company they claim to represent. In other words, emails from PayPal always come from example@paypal.com and emails from Microsoft always come from example@microsoft.com.
- The sender doesn’t seem to actually know who you are. Legitimate emails from companies and people you know will be addressed to you by name. Phishing emails often use generic salutations like “customer” or “friend.”
- Embedded links have unusual URLs. Vet the URL before clicking by hovering over it with your cursor. If the link looks suspicious, navigate to the website directly via your browser. Same for any call-to-action buttons. Hover over them with your mouse before clicking. If you’re on a mobile device, navigate to the site directly or via the dedicated app. Text message spam often includes links to spoofed sites designed to capture your login.
- Typos, bad grammar, and unusual syntax. Does it look like the email was translated back and forth through Google Translate several times? It probably was.
- The email is too good to be true. Advance-fee scams work because they offer a huge reward in exchange for very little work. But if you take some time to actually think about the email, the content is beyond reason.
- There are attachments. In the world of email communication and marketing, attachments are a big no-no, and businesses generally don’t send emails with attachments.
You can read more about phishing emails and how to spot them on the Malwarebytes Labs blog.
Use multi-factor authentication. With two-factor or multi-factor authentication, even if your username and password are compromised via a phishing attack, cybercriminals won’t be able to get around the additional authentication requirements tied to your account. Additional authentication factors include secret questions or verification codes sent to your phone via text message.
Install cybersecurity. In the event that you click a bad link or download malware sent to you via spam, good cybersecurity software will recognize the malware and shut it down before it can do any damage to your system or network. With products for home and business, Malwarebytes has got you covered wherever technology takes you. Not to mention threat protection on the go—Malwarebytes for iOS blocks all unwanted calls and text messages. And if you click a malicious link in a spam text, Malwarebytes will stop the bad site from loading.
Side note for Mac users—don’t go thinking you can click links and open attachments with impunity. You too can be a victim of malware. Malwarebytes for Mac protects you from the growing threat of Mac malware.
