For a brief instant in November 2008, the spam-industrial complex—that amorphous machine that sends out some 62 trillion junk emails a year—suffered a blow. McColo, a Web hosting firm based in San Jose, Calif., known as a safe haven for some of the Internet’s most virulent spammers, was knocked offline. Overnight, global spam, which by then totalled 100 billion messages daily, plummeted by 70 per cent. Purveyors of emails about cheap Viagra were beaten back; techies in the know rejoiced. But within three months, spam levels were back to where they had been. And if anything, the spammers had gotten wiser. After the next rogue-company takedown, last June, spam levels fell by a more modest 30 per cent, and crept back up in a matter of weeks. By the time the Latvian-based firm Real Host was disconnected in August, says Adam Swidler, product marketing manager for Google, “it only took them three days to get spam volumes back.”
Since the first known spam message was sent more than three decades ago, junk email has gone from mere nuisance to actual danger. Today, almost all spam is part of an organized criminal activity, says Gordon Cormack, a University of Waterloo computer science professor and a spam researcher. And it’s no longer limited to email: blogs, search engines and social networking sites, which exploded in popularity before developers could prepare their defences, have given spammers lots of room to grow. All it takes is a few clicks on an email or a perfectly legitimate-seeming Web page to download a virus. According to a recent Sophos security report, a new infected website was detected every 3.6 seconds last July, a fourfold increase from a year earlier.
Thanks to advances in spam-filtering and anti-virus technology, most of us see only a fraction of the junk destined for our inboxes. But the war on spam rages on. According to Microsoft, which blocks 4.5 billion emails a day from reaching its Hotmail accounts, 97 per cent of all email sent is unwanted. It’s kept out of mailboxes thanks to round-the-clock surveillance by automated systems and thousands of human experts—at great cost. Analysts at California-based Ferris Research predicted that in 2009, the worldwide cost of spam in IT expenses, anti-spam software and lost productivity would amount to US$130 billion—a 30 per cent increase over 2007.
All of which simply spurs more innovation in the spam world. “Every time there have been efforts to try and control spam, there have been responses that have made for more spam,” says John Arquilla, director of the U.S. Naval Postgraduate School’s information operation centre and a pioneer of the cyberwarfare field. Canada’s first anti-spam bill is set to go before the Senate this year. If adopted, it will bring Canada in line with the majority of G8 countries. The bill, says Industry Canada, seeks to “deter the most damaging and deceptive forms of spam” by allowing businesses and consumers to sue those who violate its terms. But in the meantime, it’s user beware. According to Arquilla, the Internet remains a new frontier. And while the wilderness is virtual, he says it’s “as risky as living in the Mohawk valley in the 18th century.”
Our feelings toward electronic junk mail trace back to 1970, and a Monty Python sketch that had nothing to do with the Internet. It featured a restaurant diner whose frustration mounts as her order is repeatedly overwhelmed by a group of Vikings, among others, shouting “SPAM!”—the brand name of the canned-meat product popularized during the Second World War. The scene captured perfectly the experience of a hapless Internet user hit with an arsenal of unsolicited messages. In the early ’90s, with the advent of the World Wide Web, the word began to appear in chat rooms, where members would inundate newcomers with an endless stream of “spamspamspam,” to keep them out.
It didn’t take long for more money-minded individuals—and scammers—to harness intrusion for personal gain. To expand their reach, online hawkers and fraudsters began letting mass emailing software do the heavy lifting. By 1999 the world had its first known mass-mailing virus, called “Melissa,” dispensed as an email attachment. Spammers have now graduated to using junk email—or fraudulent Facebook links or website ads for bogus cash rewards—to steal information and money from users curious enough to open attachments or click on a link—what Arquilla calls “the weaponization of spam.” In taking the bait, says Cormack, we grant spammers access to our personal data, contacts, passwords and, in some cases, every keystroke we make. In 2007, the Storm campaign, aimed at Microsoft Windows users, tricked people into following malicious links disguised as provocative news videos. One fake headline read: “230 dead as storm batters Europe.”
The war on cyberterror, of which spam is one part, isn’t entirely unlike the war on terror. The bad guys “attack from a hidden position,” leaving security experts scrambling, says Arquilla. So-called “firewalls,” meant to arm a computer’s operating system with a defensive shield, are, in fact, penetrable to new viruses and spam until they are detected. “There is no such thing as a firewall,” says Arquilla. “It only recognizes what it knows.”
The rise of botnets in the past few years has, without question, been the most significant tactical shift in this fight. Rather than simply using malware (malicious software) to invade and control individual systems, botnets, or “zombies,” link networks of compromised computers, which are then used in massive spam campaigns and coordinated cybercrime attacks. Storm was one campaign; Steve Santorelli, a director of global outreach for Chicago-based IT security non-profit Team Cymru, estimates there are several thousand such networks, stretching across tens of millions of infected computers. (When the Conficker botnet made headlines last year, it included an estimated 15 million systems.) Santorelli says there’s a specialization akin to that of pseudo-professional bank robbers in the ’70s and ’80s. There used to be getaway drivers and stick-up guys. Likewise, in encrypted chatrooms, expert virus writers, botnet creators and virtual money launderers subcontract their services. Says Cormack, “The person who delivers the email is not necessarily the one who runs the compromised computers, and isn’t the one who knows how to use credit card numbers that get captured.”
Pages: 1 2
