Spam and Phishing

My computer makes a noise whenever new mail comes in. As I’m sitting at my desk reviewing a document, I look up to see what came in. Most of the time, it’s spam. I mark it for delete in Mailwasher Pro, delete it off the server, and turn back to my document. I’ve adapted to the spam.

Well, according to articles in the Sacramento Bee and the SJ Mercury News, I’m not the only one. According to a new survey, fewer Internet users are irritated by junk e-mail than a year ago, even though they report getting more of it. In fact, about 67% of computer users say spam has made being online unpleasant or annoying, compared with 77% a year ago, according to the Pew Internet & American Life Project’s survey, released Sunday. 28% of users with a personal e-mail account said they were getting more spam than a year ago, while 22% reported getting fewer unwanted messages. Of course, users are also changing how they define spam. In June 2003, in Pew’s first spam survey, 74% of e-mail users considered “unsolicited e-mail from a political or advocacy group” to be spam. This year, that number dropped to 66%. This year’s survey also showed that about 133 million American adults go online either at home or at work, and 90% of those use e-mail. The article mentioned that, by some estimates, unsolicited e-mail now accounts for more than 70% of all e-mail, despite the passage in recent years of federal and state anti-spam legislation that sets fines and even jail time for violations.

How do we deal with it? Spam filtering software? Well, I know that my practice (and apparently that of many others) is to forward identified spam to a “spambox” (Yahoo Mail or Gmail is great for this purpose) that I periodically scan to make sure I didn’t have a false positive. So I still lose time to the spam, just not as much.

What type of spam is offensive? The survey says: e-mail porn. And, evidently, there has been a slight reduction in the amount of porn they received, perhaps making users less upset about spam in general. On the other hand, “phishing” is a growing concern. 35% of respondents said they had received phishing spam and 2% said they had provided the requested information. The survey mentioned above noted that 53% said spam has made them less trusting of e-mail, compared with 62% a year ago. Perhaps having more trust in email is why phishing is growing. As they say on Morning Sedition, c’mon sheeple, don’t believe that email you get is really from the bank. As Alton Brown once noted, McDonald’s doesn’t care about you, and neither does that vixen Wendy.

2%. I once did a class on the user’s role in computer security. That 2% number is astounding, for typically a 1% response is considered great for normal junk mail. We need to educate people to make phishing unprofitable. And profitable it is… The Mercury News is reporting that phishing costs online merchants and credit card companies an estimated $350 million to $500 million a year in losses or reimbursements to defrauded customers. And it is growing… in February, there were 2,625 active phishing sites, up from 1,556 in November, according to the Anti-Phishing Working Group, a consortium of banks and vendors. And the phishers themselves are very slippery to catch.

The Mercury News notes that there are a number of new technologies coming into play to try to make phishing less effective. Symantec and Corillian are looking for “cyber-lurkers”, who might be grabbing graphics off of legitimate sites in order to set up phishing sites. Cyota and MarkMonitor are working to shut down phishing sites in various ways. Quova, Corillian and PassMark Security are looking for accesses to a banking site from locations that don’t fit normal usage patterns, and then trying to contact the legitimate user (to me, this seems similar to what some credit card companies do). Others are trying to make the identification methods stronger. All good ideas.

SF Gate is noting that phishers are getting smarter. In the past, savvy users could determine if the Web site was a fake by checking the address to see if it looked unusual. Now phishers are using programming tricks to hide the true address of the site, blocking address windows, and actually learning to spell :-). Some phishers have even hacked companies’ real Web sites in order to redirect users from a page on the legitimate site to a fake site. The linked article is a good one, and highly worth reading.

This has an effect on users. SF Gate is noting a change in user behaviour. People avoid subject lines commonly used in spam. I know it has had an impact on my conference: we can’t send out a call for papers now because some folks report them as spam. Some have gone so far as to stop using email.

Of course, I do like to see that email in my box that says “Reply to Your Post” or “Reply to Your Comment” (although I did just get a spam with the subject line “Reply to Your Post”, so that’s not always a good indication). So, in that vein, here’s a recap of this weekend’s entries:
