SecuraNET Resource Centre

SecuraNET Products : Technology Updates

• 13 May 2009 - Image spam makes a comeback - It seems like 2007 again.
  
  Spammers have turned back the clock and are recycling a years-old tactic by planting their messages in images, according to a security researcher. Image spam, which hit a peak in late 2006 and early 2007, has made a comeback, said Holly Stewart, the threat response manager of IBM Internet Security System's X-Force team. After barely registering during most of 2008, image-based spam accounted for about 25 percent of all spam by the end of last month. "They're doing the same kind of image-based spam as in 2006 and 2007," said Stewart. "It's very surprising." It's surprising because spammers that rely on technological trickery rarely return to an older tactic once anti-spam vendors have figured out how to detect the junk mail. "But what they're doing now is exactly what they were doing before," added Stewart. When spammers first started using images rather than text, they were successful at slipping their pitches through filters, which were designed only to parse text and look for such things as links. Their success led to an explosion in image-based spam, with spammers and security firms playing a cat-and-mouse game for months.
  
  The only real difference this time around, Stewart said, is the sales pitch. "Most image spam was stock 'pump-and-dump,' but now the focus is on drugs and pills, something to make you feel better in hard times," said Stewart, who credited the change to the recession and the poor performance - and even harsher perception - of Wall Street. Also odd, she continued, is that few of the messages included ready-to-click links. Instead, the images contain a URL that the user must laboriously type in manually. Spammers conducted an image spam test run in March, according to X-Force's data, which showed a spike in the tactic from about 19 March to 9 April. The test was obviously successful, Stewart said, because after a short period when the tactic disappeared entirely, it roared back with a vengeance on 21 April. "Actually, it's pretty incredible that this could be successful again," Stewart said, noting that most anti-spam filters should block the mail, unless the vendor, perhaps for performance reasons, had ditched them when image-based spam vanished last year. The return of image spam could be the first resurrection of other once-popular tactics, she warned. "We may see others come back," Stewart said, and ticked off MP3 spam - mail that replaced text with an audio clip - and PDF-based spam. Both were popular in 2006 and 2007 for junk stock pushers. Of the discarded tactics, Stewart selected PDF spam as the one most likely to reappear. "It was short-lived [before], but if I had to pick, I would point to the PDF vector," she said, noting that rigged PDFs exploiting Adobe bugs have been on a tear of late.
  
  (Source: Gregg Keizer, Computerworld (US))
  
  
• 06 May 2009 -Heartland counts the cost of security breech
  
  Heartland Payment Systems reported that the security breach it disclosed earlier this year has cost the company about $12.6 million (£8.4 million) so far, including legal costs and fines from MasterCard and Visa.
  
  Heartland also detailed plans to protect its credit- and debit-card processing network with an end-to-end encryption system that it will begin rolling out with its merchants in the third quarter. "We are in a cybercrime arms race," said Bob Carr, Heartland's chair and CEO, in explaining why Heartland intends to deploy the custom-built encryption equipment. During the company's financial earnings call, Carr and other Heartland executives acknowledged the breach is proving a heavy financial burden and that there's no estimated total cost. Heartland executives also strongly refuted MasterCard's assertion that Heartland did not respond quickly enough or appropriately to information it was given related to the breach. Without providing more detail, Heartland said it will contest MasterCard's assertions legally. Heartland processes about 100 million card transactions each month, and it's not yet clear exactly how much fraud was committed when cyber-crooks tapped into Heartland's payment network. Visa and MasterCard, as well as some banks, have indicated fraud can be traced back to the Heartland breach. "Sniffers were put on the network by bad guys," said Carr in an interview this week with Techworld's sister title, Network World, during which he described how cybercriminals were able to capture card information travelling in the clear between merchant point-of-sale devices and the processor's network. At a meeting this week of the newly-formed Payments Processors Information Sharing Council, attended by about 30 industry participants, Heartland distributed on USB sticks some samples of the malware code it believes was used as part of the breach, in the hope this could help protect other companies.
  
  To protect its own processing network, Heartland will roll out an end-to-end encryption system with its merchants, beginning with a trial project this summer, says Carr. The system will be based on hardware and software that Heartland is spending millions to develop with help from soon-to-be-announced technology partners. Heartland has not yet publicly released the technical specifications. Heartland "is basically leading the way for the rest of the industry," says Gartner analyst Avivah Litan, noting that its plan for end-to-end encryption will be the first effort of its kind in the United States. She adds that end-to-end encryption has already gotten underway in Spain among merchants and their processors. One element critical to its success there, she says, is keeping encryption key management simple for merchants. But in the US today, there is no established standard for end-to-end encryption of payment-processing networks. Heartland is hoping to rally the industry around one based on the Advanced Encryption Standard (AES) it is proposing to the Accredited Standards Committee X9 (ASC X9) in early June.
  
  
  (Source: Ellen Messmer, Network World (US))