Read this for your chance to win

Unseen by us, a war on spam rages—and it’s about to heat up

by Rachel Mendleson on Wednesday, February 3, 2010 1:00pm - 1 Comment

Since the McColo takedown, a new generation of sleeker, more decentralized botnets has emerged. “Hackers were out there, essentially having to rebuild their networks,” says Google’s Swidler. “They were rebuilding them with the latest and greatest technology.” Despite a fix from Microsoft for the Storm virus, for instance, the botnet remained a powerful force. In 2008, it took aim at customers of several British banks through email, marking the first time botnets were used in a major phishing attack. (The emails were identified by bank security before they did any real damage.) Recently, cybercriminals have been hooking victims through the very fear their presence generates. According to Symantec, in 2009 an estimated 40 million of us have been coaxed into purchasing fake anti-virus software, forfeiting our credit card numbers, personal information and, quite possibly, our computers.

In the war on cyberterror, as in the war on terror, there are people who end up trapped in grey areas. After Mark Ellis’s Web connection was abruptly cut off several years ago, he received a letter from his Internet service provider (ISP), advising him his business was no longer welcome. He says it wasn’t until he was booted off a second ISP that he figured out why: he’d been blacklisted, reportedly for running a major spam operation. The charge was levelled by the Spamhaus Project, one of several anti-spam non-profits whose findings are used by many ISPs.

Spamhaus’s Register of Known Spam Operations, an online database of some 120 alleged repeat offenders, lists about a dozen Canadians. Ellis is one of them. He insists Spamhaus, which is based in Geneva and London, has the wrong guy. “Somebody was spamming from my connection,” he says. “It wasn’t secured.” He says the dubious honour has made him the target of threatening emails and phone calls: “People say, ‘I’m going to find out where you live. I’m going to kill you.’ ” (Concerned about attracting further attention, Ellis declined to use his real name for this story.) Though he’s managed to convince his ISP to restore his connection, he says many of his business-related emails never reach his clients, presumably because his ID is blocked by other ISPs.

Spamhaus declined requests for an interview, but in an email, CIO Richard Cox wrote: “Almost all spammers claim as a matter of course that they are ‘doing nothing wrong,’ but we can assure you that extensive research is done to both establish their identity, and prove their responsibility for the spam.” In addition to the public information on its registry, he said, Spamhaus keeps “extensive dossiers,” which it is contractually obligated not to release, except to law enforcement officers. Companies, too, rely on such enterprises to crack down on abuse. Swidler says Google, for one, uses Spamhaus. But the blacklist approach raises troubling questions. And Arquilla says it risks punishing innocents without deterring the real masters of spam.

In fact, the war on cyber junk may just be getting started. As Internet access in developing countries continues to rise, says Arquilla, “the slope [of spam] will actually go up. From a smaller proportion of [overall Internet] traffic, it will grow to a larger proportion.” New technologies can inadvertently help things along. According to a recent Sophos report, smartphones can lead to new modes of attack. And the economic downturn may give spam an added boost: Swidler suspects some laid-off computer programmers “are finding it more lucrative to turn their talents toward writing malware than legitimate software.”

In Canada, there is hope that anti-spam legislation will empower law enforcement to take action and send a strong message. “Everybody recognizes that the law isn’t a silver bullet,” says Michael Geist, Canada Research Chair of Internet and e-commerce law at the University of Ottawa. “But it is a necessary condition, and one that’s long overdue.”

But technology and legislation can’t save us from ourselves. When we’re presented with a proposal from a Nigerian prince or breaking news about a deadly storm, curiosity sometimes trumps reason. And as long as we continue to click blindly on alluring links and open mysterious attachments, spammers will find a way to deliver their message.

  • Nicked

    I find it interesting to look at this as an experiment in a (relatively) unregulated marketplace with high technology as the playing field. How is that "invisible hand" working out? I wonder how the captains of industry like being on the receiving end of P.T. Barnum's aphorism?

From Macleans