Suckers for Spam: When Will They Ever Learn?

The old adage about a sucker being born every minute is no less true among respondents to spam. Dishonest people have always been trying to make a fast buck by duping others into confidence scams, and the Web has give those people an easy way to communicate with more potential marks. However, modern-day scam artists may be capable of making a faster buck from a lot fewer suckers.

A recent study on spamming operations conducted by computer scientists from the University of California in Berkeley (Cal) and San Diego (UCSD) showed that spammers only need a response from one sucker out of every 12.5 million e-mails sent, usually by way of botnets and malware-infected computers. The study concluded that even a small response rate to a spam message can generate windfall profits.

"Spam works because suckers are still born every minute. People still pursue the dream of being somebody they are not. The want to acquire wealth they'll never get. The method for delivering the message is changed. That's all," Brad Gross, attorney in the Law Business Technology Practice Group and partner in the law firm of Becker & Poliakoff, told the E-Commerce Times.

Born to Click

Spam works because enough computer users are not aware of its dangers. Spam also works because many computer users are ignorant of Internet security practices.

"A certain percentage of people will always click on things. We've seen a lot of spam in the last two years lead to serious intrusions," Brian Dykstra, senior partner in the law firm of Jones Dykstra and Associates, told the E-Commerce Times.

Despite widespread public distaste for junk e-mail, the odds are still in a spammer's favor if he or she crafts the message right. Profitable spammers use highly sophisticated messages that pique recipients' curiosities. In addition, the messages are sometimes so cleverly designed to resemble real correspondence that unaware computer users are caught off guard, whether opening e-mail at home or in the workplace.

Spammers' Goal

"No matter how many times you tell workers not to click on links found in e-mail, a certain percentage of workers will still click," Dykstra said.

It only takes one office worker one click to give away access to the network. This is the aim of hackers, he cautioned.

In fact, it's easier for spammers to get access to sensitive information such as passwords and account numbers through enticing an e-mail recipient through spam than by hacking into the the corporate network by traditional means, he said.

Targeting Suckers

Dykstra's firm is involved in electronic evidence discovery and computer intrusion response. A vast majority of the computer intrusions going on right now involve phishing user groups via e-mail attachments or e-mail links to gain access to their computers or corporate networks, he explained.

"While some people do respond to the ever-popular cheap Viagra and Cialis adds, a lot of what we see is very targeted and repeated attacks on end-users," he said. "People always fall for repeated attempts."

Spam victims often get sucked into clicking for no other reason than the e-mail looks real and pertains to their work. Even when an e-mail recipient is aware of the spam threat, with some messages, it just seems like clicking makes sense.

"Spam is often very targeted to the receiver's specific work or social interests. If the e-mail fits their interest level, they click. I've seen some really believable e-mails," Christopher Ciabarra, security specialist at Network Intercept, told the E-Commerce Times.

Awareness Helps

Many people find it difficult to not click a link in an e-mail. Especially if the message is about an item of interest, the recipient clicks away, Ciabarra noted, adding that too many people just don't know any better.

Users who are at least partially aware of spam often fall into a false sense of safety. They think that having up-to-date anti-virus and anti-spyware products will protect them. They also think that e-mail filters block dangerous spam.

"Every time we build a fence [to protect against spam], the bad guys figure out how to get around it," said Ciabarra.

Getting Speared

"Spear phishing" is a term used to describe a very targeted spam attack. This highly focused e-mail barrage aims at workers in a particular organization or profession. The message looks authentic. For instance, an e-mail is sent to a group of researchers who would be unsuspecting of a news announcement on an upcoming conference.

The goal is always the same. The message is designed to get the recipient to click on a link or to respond with specific information. Ultimately, the click results in a malicious download -- perhaps a virus that infects the user's computer to reveal account numbers and passwords.

Dykstra's legal practice involved representing companies that have been accused of spamming as well as companies that have been the victims of spamming by others. These cases involved denial of service attacks and flooding e-mail inboxes, for instance.

"We are seeing a surge in other scams related to peoples' jobs, for instance, job seeking sites. Some spam messages look so real that workers are convinced it is from the company," Dykstra said.

No Click Training

Training programs for workers about the dangers of spam often reveal how prone some people are to falling victim. Some companies have conducted self-phishing experiments with a message sent by the in-house IT department to workers' inboxes.

The IT staff tracks who clicks on the bait in the message. The results are used to educate workers about spam, according to Dykstra.

At a company meeting, the results are divulged. Often, when repeat messages containing spam elements are sent to the same workers, the same workers are again the ones clicking on the spam.

When done the second time, the click rate is much lower -- often 10 to 15 percent of the workers, he said.

Legal Stuff

One reason that people respond to spam is that they receive so much of it. The potential threat from spam, aside from its annoyance, is masked by the fact that laws meant to prevent spam have in some cases made it easier for spammers.

When Congress passed the Can-Spam Act in 2002, it took power away from the 34 individual states that had regulations restricting spam and put it in the hands of the federal government, according to Gross.

"The Act makes it easier for spammers. Before the Act passed, for commercial e-mail, a company needed an attorney to analyze state law and get an opinion on what it can and can't do," he said.

The Can-spam Act took away all state regulations, has only a handful of requirements and gives spammers almost carte blanche, said Gross.

For instance, a message cannot have false or misleading header information. Also, a message cannot have a deceptive subject line, and it must have an opt-out method.

To be legal, spammers must display their commercial address of the sender. However, if the e-mail is outsourced, the receiver doesn't know who the sender really is, Gross noted.

"None of these rules is difficult for spammers to meet," said Gross.