First, the good news: E-mail security threats like spam and phishing seem to be leveling off in number, and might even decline in the coming years, said Mark Sunner, chief technology officer at MessageLabs, which provides corporate clients with filtering services for e-mail, HTTP and instant messaging traffic. The bad news, though, is that the existing attacks are getting far more furtive and effective.
“We don’t see the overall volume necessarily rising—if anything, it’s starting to flatten,” Sunner said. “I think one of the overarching things that really stood out was in 2005, we really started to see a narrowing of focus from the bad guys’ perspective. In 2004 and throughout 2005, we saw botnets getting smaller. It didn’t necessarily mean that the spam or phishing numbers were going down, but it seemed to be that there were maybe more, smaller botnets. We think the bad guys are trying to stay under the radar longer and hit a more targeted audience. It seems like the bad guys might have sat on a lot of these technologies up until recently, and now they’re starting to better understand, refine and use those engineering techniques.”
For example, spam has been enhanced to fool a particular kind of audience. Now, attackers attempt to trick, say, seven out of 10 e-mail users as opposed to three out of 500. “Spam itself is starting to become much more localized, whereas not that long ago, the vast majority of spam was in U.S. English,” Sunner said. “Various areas around the world with their own language and dialects are now starting to see spam that is localized to the region, as with phishing.
“When people think about phishing, they tend to think about things like online banking scams,” he added. “Again, those have become much more tailored. It’s all part of a refining of the messages being sent out. From a social engineering standpoint, the more personalized it looks, the better it looks and the higher the chances are that someone’s going to fall for it.”
The issue here is one of scale, Sunner explained. The attackers have concluded that operations that are too big will get noticed, and hence have spread themselves out more, going as far as creating viruses or Trojan horses with the express intent of infiltrating just a single organization. These smaller threats won’t always show up on the radar screens of the security community as a whole, he said.
In large part, organizations have failed to adequately address this problem. “Very few people are talking about this in depth,” Sunner said. “People in the corporate world might think that their current solution is providing them protection because they have a predominant antivirus solution. The problem with the traditional models available to tackle any of those factors is that they’re reactive in nature. Antivirus is probably one of the best examples because it’s been around the longest. I think there is a gulf at the moment between the level of threat, which is where the bad guys are, and the average level of understanding for not just corporate users, but corporate administrators as well.”
Sunner said he expects more companies to outsource e-mail, IM and overall Web security in the future, simply because most don’t have the time or resources to focus on the emerging threats. “I think that IT administrators will start to turn to outsourced services. I know I’m bound to say that, but I really believe this because it is such a specialist task that it’s nigh impossible to stay on top of these things.”
For more information, see http://www.messagelabs.com.