Google Says Spam, Virus Attacks to Get More Clever

eweekhickins writes "Google's Postini team says new attacks will take the form of sneaky viruses that will blend with spam, leveraging specific current events, such as the Super Bowl or the Summer Olympic Games. Better yet, virus attacks will target executives at companies whose intellectual property is deemed valuable on the black market. A lot of these attacks will masquerade as legitimate business agencies, such as the Internal Revenue Service, the Better Business Bureau and the SEC."

And you know

that these will be successful. So many suckers, so little time.

Re:And you know

I'm thinking the suckers are the ones paying these guys to wildly speculate about things everyone suspects..

Re:

Absolutely. The IRS ones, especially, are bound to be extremely successful this year, as everyone knows about the little bonus coming sometime in May, so a little phishing trip to "confirm your details" on an official-looking website will likely take in a

Re:

A few hundred? You are aware that there are at least ten thousand people connected to the internet..

phishing attacks against irs.gov

I've already seen two of these.
One was an ordinary phishing attack.
The other gave a URL in a valid subdomain of irs.gov
So either
- the attack was broken (certainly possible)
- the attack was relying on DNS cache poisoning or compromised servers

Its kinda ironic

how at the end it asks you to click a link to download the full report. (ITS A TRAP!!)

SSDD

These attacks will masquerade as legitimate business agencies

The bastards!! I'd better warn my associates in South Africa.

Seriously, TFA comes off as a padded version of "uhm, so...they're probably going to keep finding new ways to do this...since that's what they already do". The report itself looks to hold a little more substance, but then, I guess it's hard to make news out of spam that doesn't involve a big shift in the court, because it's pretty boring by definition.

You don't say?

Damn, my entire security plan really depended on them suddenly getting really really stupid. If the scammers suddenly forgot how to send email, switch on a computer, or breathe air my life would be so much easier.

What happened to "Bayesian Filters"...

Whenever I mentioned spam a few years ago all the geeks would tell me that Bayesian Filters would totally solve the problem.

What happened?

Crims get more entrepreneurial

Who's suprised that the crims get more clever about the way they craft their attacks? As it gets harder to fool people with fake Viagra ads and bank phishing and other lower hanging fruit, it makes sense to start putting more effort into targeting the bigger prizes. More effort sure, but better prizes too.

Crims have always been good at adapting and exploiting conditions. The Mafia really got their power due to exploiting the prohibition. Cable thieves in South Africa are using rolling blackout schedules to plan their cable thefts.

As more business services are done online it makes sense to phish for more than some lame paypal accounts.

Re:

No one should be surprised at all. Everything in that /. topic that google says is going to happen has already happened. Those exploits have already been tried. This is not news. This is not a prediction. This is a newsflash that the sky is likely to

/. emails.

Soon we will have /. phishing e-mails like "Cmdr. Malda wants to know your password so he can test something with your account!"

Google? Don't you just mean Postini?

Postini's a relatively recent Google acquisition. I'm not sure it's fair to say "Google this" and "Google that" when the agreement to acquire Postini is less than a year old. The spokesperson was probably just speaking for their own team and from their own culture.

Well, which is it?

A lot of these attacks will masquerade as legitimate business agencies, such as the Internal Revenue Service, the Better Business Bureau and the SEC.

Will these attacks masquerade as legitimate business agencies, or as agencies such the Internal Revenue Service, the Better Business Bureau, and the SEC?

ASCII art

I've been getting a few spams lately that are ASCII art advertising for "viagra". Fairly clever way of getting past the filters, anyway.

Wait, isn't this already the case?

We already see this behavior. Phishing anybody? How many of us get "BRITTAANNYIES OUT LATE NIGHT PARTYING" emails?

YAWN

This is a sales pitch, there's nothing new in that article. Google is just fishing for more business for postini...

Re:

This is a sales pitch, there's nothing new in that article. Google is just fishing for more business for postini...

You mean TFA is just a sophisticated form of spam :-)

Rich.

Human Intelligence

It seems odd that spammers will need to start using more complicated techniques, as it doesn't seem like people are getting any smarter.

Like a firehose....

I use Gmail for one of my email accounts, and have used this address (without obfuscation) on the Internet for eight years or so. Therefore, I get a lot of spam. Recently, I've noticed more and more getting through Google's spam filters lately.... but what really amazes me is the volume.

Here's a simple example: most Gmail users know they have a Spam folder, into which Gmail transfers any messages which appear "spammy." This works pretty well, and I keep around 30 days worth in there, as I used to occasionally look through for false positives (which happened sometimes.)

The problem now is just that there is too much spam to do this. Let's compare: here is the count of spam in ONE Gmail account, for the past 30 days -- can anyone match it?

Spam (84194)

I figure that's a rate of 2,800 per day, or 116 per hour. Nearly two spam messages, every minute, 24x7.... and most of it consists of duplicates. Why are the spammers doing this? Unless they are paid per message they send, I don't see it improving their chances of getting a message past filters.

Time for PGP/SMIME to go mainstream?

Decent cryptographic technologies have been with us for a while. I wonder about someone like Verisign making an EV-like system for E-mail certificates, where people/companies/organizations can apply, and after a thorough vetting, get a certificate (preferably on a hardware cryptographic token) that that person is whom they claim to be. Of course, E-mail clients like Thunderbird, mail.app, and Outlook would have to be updated to show that a mail is authentic.

This would help against spam similar to how anti-phishing technologies in IE and Firefox protect against bad websites, but its still not perfect.

S/MIME and PGP are strong technologies to help against fraud. I just wish more companies would send out mail with it. For example, one could register a PGP public key with a shop, and when the shop would send E-mail, it would send it signed, and encrypted to that key. Even just using S/MIME's signing capability which works with virtually any E-mail client [1] would help matters greatly.

[1]: Even pine and mutt support S/MIME. A lot of cellphones support this functionality as well, such as all recent Windows Mobile devices and Blackberries.

Good idea, however...

The underlying concept of your idea is good.

However, I can see a few issues that would impact the rate of adoption and the overall utility of your approach (assuming, for the sake of simplicity, that the cryptographic aspects are implemented in a truly secure manner, the crypto itself is strong, etc. I fully realize that this is like the proveribial "frictionless surface" and the proverbial "ideal conductor" used in science books. I'm just trying to cover the big points here, OK?):

1. It will not happen until Verisign (for example) decide that there is enough of a market that they can make a decent profit.

2. It will either price small businesses out of the market (given Verisign's prices, this is likely) or it the price will be such that small businesses can afford it and then so can the spammers. Before you start claiming that is why there is a vetting process, I would suggest that hurdles low enough for small "mom-and-pop" businesses to jump will be low enough for a determined spammer.

3. Either we need a "Root CA" mechanism like other certificates (again, profit and "are you sure you can trust this") or the whole "web of trust" thing from PGP. The web of trust would be difficult in that it would make legit messages appear fake until you can determine it. Also, how would "Joe Sixpack" know the difference between a legit cert for the IRS and a faked one?

Your idea is good. Unfortunately, the current environment is not ready for it. I hope we will see the day when it will work.

Like the numbers stations

I've sometimes wondered how much (if any) spam is actually just a numbers station [wikipedia.org].

By the Power of Grayskull NO.....

Better yet, virus attacks will target executives at companies whose intellectual property is deemed valuable on the black market.

They found the biggest security weakness of every single company... The Pointy Haired Ones.
 

Re:How?

Everybody knows that Google is so |337 that even the spammers grace them with beta copies of new spam.