COMPUTER RESEARCH & TECHNOLOGY
 

ETopics “Spam Spoofing” - A new and dangerous type of spam.

Receiving a truckload of e-mail spam used to be just a frustrating nuisance. Now, however, spam has turned far more sinister. Internet users need to be keenly aware of precautions against a new and emerging form of spam designed to take advantage of the unwary.

"Brand spoofing" is where a spammer disguises an email to make it appear as though it comes from a trusted company, in order to extract personal information such as bank account particulars, credit card details and other sensitive financial information. Major companies throughout the world have been brand spoofed in recent months.

What types of organisations are being spoofed?

As an example, Sony Electronics recently warned that it had become aware of a deceptive mass emailing sent to consumers with the subject "Sonystyle user and email address". The message, which claimed to come from "SonyStyle Customer Service", requested personal information from the recipient, including user names and passwords.

Brand spoofing is a newer form of email spoofing, in which spammers disguise emails to look like they come from familiar addresses, such as those of co-workers. Most experts believe that brand spoofing is most threatening to those types of Internet users who normally don't get a lot of email and consequently are less aware and possibly more easily fooled. Small business is also an area of serious concern because the recipient is more likely to be a decision-maker.
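The mismatch brand spoofing relies on, a trusted company's name on a message sent from somewhere else, can be checked mechanically. The following is an added example, not part of the original article; the brand names, domains and sample headers are constructed, and the allowlist is a hypothetical one a mail administrator would maintain.

```python
from email.utils import parseaddr

# Hypothetical allowlist (constructed): brand keyword -> domains it really sends from.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "examplestyle": {"examplestyle.example"},
}

def _normalise(text):
    """Lower-case and keep only letters and digits, so 'Example-Bank' matches."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def _domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from_header(from_header):
    """Return (verdict, reason); verdict is 'ok', 'brand-mismatch' or 'no-brand'."""
    display, address = parseaddr(from_header)
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    # A brand can be claimed in the display name or in the local part
    # (e.g. examplebank-support@freemail.example), so search both.
    claimed = _normalise(display) + " " + _normalise(local)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed:
            if _domain_allowed(domain, allowed):
                return ("ok", f"{brand} name on {domain}")
            return ("brand-mismatch", f"claims {brand}, sent from {domain}")
    return ("no-brand", "no protected brand named")

# Constructed sample From: headers.
SAMPLES = [
    '"ExampleStyle Customer Service" <service@freemail.example>',
    "ExampleBank Security <alerts@examplebank.example>",
    "ExampleBank <alerts@examplebank.example.login.example>",
    "examplebank-support@freemail.example",
    "Jane Doe <jane@corp.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from_header(header), header)
```

A From: address on an allowed domain can itself be forged, so this check complements sender authentication results such as SPF, DKIM and DMARC and does not replace them.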

What can those businesses being spoofed do about it?

Businesses should take some precautionary steps to protect their IT systems, employees, and customers by doing at least the following:

  • Notify customers and employees that emails seeking personal information are suspicious and should be reported immediately. There's no legitimate reason for any Web site to ask for email verification or an update of confidential information via email.
  • Urge customers and employees not to open suspicious emails or even visit the Web sites they mention, as these pose a risk to anyone logging on to the site, such as the possible automatic download of a Trojan horse program.
  • Monitor Internet and spam security information resources.

Just refresh us, what is spam again?

Spam is usually another term for any kind of unsolicited (not requested) commercial email (UCE). Unfortunately, most people with an account on the Internet have become painfully familiar with spam. It is almost always advertising "spamware" (software for spammers), pornography, shady "Pyramid Selling" deals, and other scams.

Vint Cerf, often acknowledged as the "Father of the Internet", has stated that: “Spamming is the scourge of electronic-mail and newsgroups on the Internet. It can seriously interfere with the operation of public services, to say nothing of the effect it may have on any individual's e-mail mail system. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization.”

So that would make a spammer a …?

A spammer, simply, is a person who sends spam. More often than not, a spammer is someone who is convinced they are going to get rich on the Internet by flooding it with messages and hoping to get a response. More often than not they do get a response. It usually takes the form of outraged people who receive the spam and complain to their, usually helpless, ISP (Internet Service Provider) about the spammer. Occasionally this will result in the spammer's dial-in accounts, email addresses, and/or web pages being cancelled.

How do spammers get our email addresses in the first place?

Spammers generally gather email addresses in the following ways:

Using spambots to scour web pages.
Spambots follow links and capture email addresses from "mailto" links on web pages, storing them as they go along.

Using spambots that scour newsgroups.
If you are a user of Internet Newsgroups you will already know how it works: you have to hide or disguise your email address or you will be swamped with spam. Not only do you have to disguise it in the body of your post, but in your newsreader client settings as well. Spambots love to grab those email messages.

Buying lists from other spammers or companies
You may have already been spammed with the message - "Over 1 million email addresses on a CD!" Not just CDs but on ftp sites, web pages, etc. Once your email is harvested, it may get copied around for years. The only good news is that they want to charge other people for their hard work, so it does usually cost them some money to buy the addresses.

From a mailing list
This is a particularly despicable method. Spammers join a mailing list, then gather the email addresses of the members, either from a list of the members provided by the mailing list software, or from people as they post. It's hard to avoid this, short of not joining the list.

By people themselves
Commonly seen as part of a spam message: "To stop any future mailings, just reply to this message with a subject of REMOVE". This is an equally, if not more, despicable method. If you reply to the spammer, you accomplish three things:

  • You verify to the spammer that your email address is valid.
  • The spammer then knows that you actually read the mail, and took the time to reply to it.
  • You alert the spammer to your lack of anti-spam knowledge by falling for this trick.

All of this means that replying makes you far more likely to receive more spam.

Other ways
The Center for Democracy & Technology has also written a very good report entitled Unsolicited Commercial E-mail Research Six Month Report.


Arthur Hissey
Computer Research & Technology
www.crt.net.au


ETOPICS
what are they?

Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15AM.

Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry.
