By Gene J. Koprowski TechNewsWorld
07/15/06 1:30 AM PT
In these VoIP phishing attacks, the phone system identifies itself to the target as the financial institution and prompts them to enter their account number and PIN. "The result," said Adam J. O'Donnell, a senior research scientist at Cloudmark, "can be personally financially devastating."
So-called "image spam" is on the rise once again -- as clever hackers try to sneak by spam screening software that tests messages for spam based on keywords.
After declining steadily throughout 2005 -- from about 12 percent of all spam at the beginning of the year, down to about 5 percent in November -- the use of image spam jumped dramatically in December 2005, to 25 percent of all spam. It has remained at that level fairly consistently for the last six months, according to Postini, a messaging management company based in San Carlos, Calif.
"Postini attributes this increase to spammers testing the deliverability of image spam in early 2005 and realizing that many older spam filters are helpless when messages contain text to analyze, so the use of images helps get their spam delivered," said Postini spokesperson Catherine Leahy. "Upon seeing the positive results, they converted much of their spam to image spam."
Spam Filters
To be sure, up-to-date spam filters, like the patented PTIN technology, can detect and block image spam based on other attributes of the sending computer, message envelope and headers, Leahy explained.
There are other, emerging threats too -- like VoIP spam scams. Scammers pretending to be banks e-mail people and ask them to dial a telephone number, then enter the personal information needed to gain access to their finances. These fake VoIP services are reducing the costs associated with conducting such attacks, providing the perpetrators with a lower risk of discovery.
This spring, San Francisco-based Cloudmark detected two new VoIP-specific attacks. It is advising clients not to dial phone numbers received in e-mails that appear to be from banks, and to dial the numbers printed on their ATM cards instead.
The company has seen two separate "VoIP attacks hit our network, the first we've been able to analyze in detail," according to Adam J. O'Donnell, a senior research scientist at Cloudmark. "In these attacks, the target receives an e-mail, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem."
'Personally Devastating' Attacks
Callers are then connected over VoIP to a PBX -- private branch exchange -- running an IVR system that sounds exactly like their own bank's phone tree, directing them to specific extensions, O'Donnell said.
In these VoIP phishing attacks, the phone system identifies itself to the target as the financial institution and prompts them to enter their account number and PIN. "The result," O'Donnell surmises, "can be personally financially devastating."
Surprisingly, traditional content and identity rules based on volume analysis for capturing spam do not work for these phishing threats -- phishers move quickly to avoid detection, setting up and tearing down multiple phony sites to launch the same attack in a different form. VoIP-based services allow phishers to cheaply add and cancel phone numbers that are harder to trace than conventional numbers.
Scientists are using fingerprinting algorithms that are able to identify the phone numbers used in VoIP phishing attacks, however. Researchers first spotted and began to block these threats this spring.
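As an added illustration (not Cloudmark's algorithm, which the article does not describe), the Python below shows one way a filter can key on the callback number instead of the message wording: it pulls phone numbers out of an e-mail body, strips the formatting, and compares a hash of each against a list built from reported attacks. The North American number format, the function names and the sample messages are assumptions made for this example.

```python
import hashlib
import re

# Candidate North American numbers: optional +1/1 prefix, then 3-3-4 digits
# joined by the separators seen in e-mail text. The look-arounds reject longer
# digit runs such as card or account numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]*)?\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})(?!\d)"
)

def normalize_numbers(text):
    """Return the set of 10-digit numbers found in text, formatting removed."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

def fingerprint(number):
    """Fixed-length lookup key for a normalized number (not a secret:
    the space of 10-digit numbers is small enough to enumerate)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()

def match_known_numbers(text, known_fingerprints):
    """Return the numbers in text whose fingerprint is on the blocklist."""
    return sorted(n for n in normalize_numbers(text)
                  if fingerprint(n) in known_fingerprints)

# Constructed sample data: fictional 555-01xx numbers, invented message text.
KNOWN = {fingerprint("4155550134")}  # number taken from a reported attack
MSG_A = ("Dear customer, there is an issue with your account. "
         "Call (415) 555-0134 to resolve it.")
MSG_B = "Security notice: your card was suspended. Dial 1.415.555.0134 now."
MSG_BENIGN = "Lunch Friday? My desk line is 415-555-0199."

if __name__ == "__main__":
    for name, msg in (("A", MSG_A), ("B", MSG_B), ("benign", MSG_BENIGN)):
        print(name, match_known_numbers(msg, KNOWN))
```

Messages A and B share no wording and format the number differently, yet both match the same fingerprint, while the benign message does not.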
These attacks are "highly sophisticated, targeted, transient and dynamic, thereby making it far more difficult to uncover and capture the perpetrators," according to Dr. Jose Nazario, a senior security engineer and member of the Arbor Security Engineering & Response Team (ASERT) at Arbor Networks, a network security leader for global business networks.