The more things change, the more they stay the same.
Four decades after the first email spam was sent out into the world, hackers continue to rely on such emails as a way to deliver their malware and malicious URLs, according to cybersecurity experts. Whether it's still the most popular vehicle is up for debate and methods have evolved over the years, the of sending out massive numbers of emails to unsuspecting people continues to reward the attackers who send them.
"Email spam is once again the most popular choice for sending out malware," Päivi Tynninen, threat intelligence researcher at F-Secure, wrote in a statement. "Of the spam samples we've seen over spring of 2018, 46 percent are dating scams, 23 percent are emails with malicious attachments, and 31 percent contain links to malicious websites."
F-Secure in June bought MWR InfoSecurity, which created phishd, a service designed to protect businesses against phishing and similar attacks. Adam Sheehan, behavioral science lead at MWR, said the success rate of spam continues to grow, from a 13.4% click rate in the second half of 2017 to 14.2% this year.
Other vendors also are seeing the continued strength of email campaigns.
In June, Barracuda Networks noted that almost nine in ten businesses sustain at least one phishing or other social engineering attack, while Palo Alto Networks found more than 150 phishing domains in being hosted in the United States. (See Email-Based Attacks Still Wreaking Havoc on Enterprises, Study Finds.)
Maria Vergelis, senior spam analyst at Kaspersky Lab, told Security Now in an email that while she has found that spam is the third most popular way of spreading malware -- the web and mobile platforms being more often used -- emails continue to be a useful tool for cybercriminals for multiple reasons. Those include the "mass character of email and great variability of fraudulent messages," the various methods and influence of social engineering and basic human weaknesses.
"People still fear something, believe in something and long for fast wealth or free stuff," Vergelis said.
Old wine and new bottles
Earlier this month, Kaspersky researchers showed how resilient spam is. As the 40th anniversary of the first spam email hit this week, the researchers announced they had discovered an ongoing campaign
mostly focused in Russia where bad actors were flooding companies with fraudulent emails disguised as legitimate financial documents to steal money and data from the companies.
While spam might still be a preferred method of delivering malware, fraudulent email campaigns have become more sophisticated and hackers have matured in their methods.
"Computers and scam strategies evolve faster than people in general," David Monahan, managing research director for security and risk management at Enterprise Management Associates (EMA). "Spam is one of those things. Spam is written either very well or very poorly to attack two different groups of people. Poorly-written emails attack the poorly educated. They are for the masses, take little time to construct and distribute and are expected to reap about a quarter of a percent return at the most. (That estimate is slowly declining over time.) But they are sent to millions of people so returns are still good for the level of investment."
Conversely, well-written spear-phishing and whaling emails take more time and money as they target particular businesses, departments, roles or people, and the con has to be better created and has a smaller distribution at each level, Monahan said. He added that the investment is higher, but the return of that investment can be greater. (See Kaspersky: Phishing Attack Attempts Soared 59% in 2017.)
F-Secure officials said attackers have found certain tactics that can spam more likely to succeed.
For example, the probability of a victim opening up an email jumps 12% if the email claims to come from someone they know, and the success rate goes up 4.5% if the subject line is free of errors. In addition, a phishing email that says a call to action is urgent is less successful than one where the urgency is implied. (See Kaspersky: There's No Such Thing as a Free Gift Card Code.)
EMA's Monahan noted that the first spam was aimed at people new to computers and that has never ended. It tends to be aimed at human foibles and sensitivities, like greed or the desire to help others, and "most business attacks in the spear-phishing categories attempt to exploit the rush to get things done and a lack of attention to detail: 'Pay this invoice.' People don't look at the email headers, they just open the next email and attachment to get the next thing done and, BAM!, it's too late."
Among the technical adaptations was the introduction of special software for sending spam and botnets that enabled attackers to launch different campaigns and send massive numbers of emails at the same time, Kaspersky's Vergelis said, pointing to the six-year-old Necurs spam botnet that now uses 6 million computers worldwide.
"It delivers mostly ransomware (especially Locky) and penny stock pump-and-dump spam, but it's also been known to send out dating and job spam," Vergelis said.
Still fit at 40
Other ways spam has evolved include new technical ways of delivery, using various vulnerabilities, text and code obfuscation, and it's become more targeted, aimed at business and financial targets. In addition, there are new platforms for distributing spam, including social networks and mobile messengers, she said.
Technology has helped, Monahan said. Spam filtering and antimalware software have become common in businesses, though web filtering is not deployed as widely as it should. Any way to better screen out the bad stuff will help reduce the reliance on other options. That includes ongoing education for users -- 84% of those with in-work training said it helped them make betters at work and home -- reducing pressure on key personnel to get more done so they have more time to evaluate the mail coming into their inboxes, and removing human foibles.
Still, even as technology to both deliver spam and protect against it improve, the overall goal has remained the same.
"The main objective of scammers is still to persuade users to click on a fraudulent link or open and launch an executable file," Vergelis said. "To do it, they use different methods of social engineering combined with technical features. As for social engineering, it didn't evolve that much and still depends on a user's emotions. As for the technical side, it evolves constantly, as do security solutions."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.