Press Release of the Day
SPAM/PHISHING “ARMS RACE” ESCALATES IN AUGUST: ALARMING RISE IN USE OF STEGANOGRAPHY AND OTHER ADVANCED TECHNIQUES
For Immediate Release
September 7, 2004 (Miami, Florida)
Filtering out spam, phishing (identity theft) and other email based attacks is getting harder by the month. August marked a sharp increase in the use of advanced techniques designed to get past all but the most sophisticated email filtering products. Zero Spam Network Corporation saw use of steganography, randomization and other complex techniques rise from a fraction of a percent to almost 5% of email traffic flow in August alone. “These sophisticated payload delivery mechanisms are meant to get spam, viruses, identity theft and spyware attacks past 99% of the solutions in place to stop such attacks,” said Bill Franklin, President of Zero Spam. “They’re darned effective and essentially make most anti-spam products obsolete overnight. We’re in quite an ‘arms race’ at the moment.”
How do these techniques work, and why do they get past so many products?
As an example, let’s take a look at use of Steganography in spam and phishing attacks. Steganography (from the Greek for “covered writing”) involves taking one piece of information and hiding it in another. Over the last year, attacks began using images to “hide their payload” from text based content filtering products (Displaying the text as an image could be considered a very crude form of Steganography since the goal is to “hide” it from text based filters). Bayesian based products that look for sequences of words in text to perform accurate filtering stumble when the message is no longer in text, but is now hidden in an image. This led a few vendors to start adding image hosting blacklist capabilities to their products. A few more advanced vendors added image processing capabilities to compare images embedded in (or referenced by) messages to a library of known bad images. In the last month, the attackers have taken this arms race to a new level, by randomizing images in nearly every copy of a message: they overwrite some of the least important bits with a hidden message. That means that the image cannot be simply compared against known bad images from a previous copy of the same spam or identity theft scam. Now the image processing algorithm must eliminate small portions of the image which are inconsistent with the general pattern (or “signature”) of the image. This puts the criminals sending spam, viruses, phishing and spyware attacks several—HUGE—steps ahead of the vast majority of anti-spam and other content security technology providers.
“Advanced steganography decoding techniques are only known to a few technology vendors,” states Franklin. “As far as I know, we’re the only email and web security provider with a production steganography decoding capability.” Zero Spam’s customer base has reaped the rewards of such advanced protection technology: for the 14 months ended August 31st, 99.996% of spam was detected and blocked, not a single virus infection occurred, not a single spyware penetration occurred and not a single identity theft incident occurred. Franklin concludes: “I know most folks are pessimistic and believe we’re a long way from curing the ills affecting email and web surfing, but we’ve got a 14 month track record to show that it can ALREADY be done in a very cost effective manner. No one should be at risk (or even feel at risk) from any form of Internet crime or malevolent computer behavior as long as they are protected by our service. The risks exist solely for those who choose to not protect themselves adequately with newer technology that is readily available and which actually works.”
The rest of the release is self-serving blather, but may be on to something. Check them out at the website.
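The release’s core technical claim is that per-copy randomization of an image’s least significant bits defeats filters that compare message images against a library of known bad images by exact fingerprint. The following is an added illustration, not code from Zero Spam or from the release: it builds a small constructed greyscale image, simulates the low-bit randomization, and shows that a byte-exact hash changes on every copy while a fingerprint taken over only the high-order bits (one simple way to ignore “small portions of the image which are inconsistent with the general pattern”) still matches. The image data, the bit counts and the function names are all assumptions made for the example.

```python
import hashlib
import random

# Constructed sample input: an 8x8 greyscale image as a flat list of 8-bit
# pixel values forming a simple gradient. Not taken from any real spam.
WIDTH, HEIGHT = 8, 8
SAMPLE_IMAGE = [((x * 16) + (y * 8)) % 256 for y in range(HEIGHT) for x in range(WIDTH)]


def perturb_low_bits(pixels, n_bits=1, fraction=0.25, seed=0):
    """Simulate the per-copy randomization the release describes: rewrite the
    n lowest bits of a random subset of pixels. XOR-ing with a non-zero value
    confined to those bits guarantees each selected pixel changes, while the
    image stays visually identical."""
    rng = random.Random(seed)
    out = list(pixels)
    chosen = rng.sample(range(len(out)), int(len(out) * fraction))
    for i in chosen:
        out[i] ^= rng.randrange(1, 1 << n_bits)
    return out


def exact_fingerprint(pixels):
    """Byte-exact fingerprint, the kind a 'library of known bad images' keyed
    on a plain hash relies on. Any single low-bit change produces a new value."""
    return hashlib.sha256(bytes(pixels)).hexdigest()


def robust_fingerprint(pixels, drop_bits=2):
    """Fingerprint over only the high-order bits of each pixel. Noise confined
    to the dropped low bits leaves it unchanged, so randomized copies of the
    same image still collide with the known-bad entry."""
    mask = 0xFF ^ ((1 << drop_bits) - 1)
    return hashlib.sha256(bytes(p & mask for p in pixels)).hexdigest()


def changed_pixel_fraction(a, b):
    """Fraction of pixel positions whose byte value differs between two copies."""
    return sum(1 for x, y in zip(a, b) if x != y) / len(a)


def compare_copies(original, copy, drop_bits=2):
    """Report which fingerprint still recognizes `copy` as `original`."""
    return {
        "exact_match": exact_fingerprint(original) == exact_fingerprint(copy),
        "robust_match": robust_fingerprint(original, drop_bits)
        == robust_fingerprint(copy, drop_bits),
        "changed_pixel_fraction": changed_pixel_fraction(original, copy),
    }


if __name__ == "__main__":
    # Two "copies" of the same spam image, each randomized differently.
    for seed in (0, 1):
        copy = perturb_low_bits(SAMPLE_IMAGE, n_bits=1, fraction=0.25, seed=seed)
        print(f"seed={seed}:", compare_copies(SAMPLE_IMAGE, copy))
```

The robust fingerprint only holds while the randomization stays inside the bits it discards; a sender who rewrites more bits than the filter drops (for instance `n_bits=3` against `drop_bits=2`) changes the masked bytes too, which is why real image classifiers work on coarser features such as downscaled or frequency-domain representations rather than on raw pixel bytes.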
All the time and energy dumped into message filtering is silly. The solution is simple.
1. Implement one of the proposed sender verify schemes.
2. Email sent from within the US is subject to a national do not spam list.
3. Email sent from outside the US gets shifted to another email account except where whitelisted.
4. Since even email is not truly free, get the United States Post Office in the business of offering email boxes where sending and receiving email is not free, but very inexpensive (millicents per kbyte). Make the US Postal email system a “closed” system that cannot send or receive email except to similar systems enacted by other governments.
5. Have optional email terminals at postal facilities, so that even people without computers have access to email.
Technology cannot solve the spam problem. There are always humans that
Boy, I was getting worked up about this press release – writing about how a program encoded in a graphic was useless, unless there was a program on the victim’s computer which would decode the steganography.
What they were saying didn’t make any sense – with what I’ve read about steganography – until I caught this part:
(Displaying the text as an image could be considered a very crude form of Steganography since the goal is to “hide” it from text based filters)
Very crude is right. I thought they were talking about placing a “trojan” program in a graphic, not just adding text to a graphic.
What happened to not opening an unknown attachment? What happened to turning off auto-load of graphics in html-formatted email?
I need to pay for software to analyse every picture I download? (since any picture can have information added to it).
Thanks, but no thanks. 🙂
But I don’t *need* a steganography filter, Choicemail works on the “if the ‘from’ address isn’t on my whitelist then it’s considered to be spam and binned” principle.
I am trying this poster art, posters I just wanted to say you have a very informative site which really made me think,
thanks very much! Have a nice Day!!
It does not take steganography on the internet to attack our money and our technology, so here is a sad saga of mine about phishing expeditions, so to speak.

It’s hard to get people to avoid phishing attempts when life imitates art, or banks imitate phishing attacks. One of the main reasons phishing continues is that banks seem to have this huge need to market to their existing customer set. If the anti-phishing stuff becomes too efficient it will catch and exclude their own stuff. Let me give you a couple of examples from my banker, Wells Fargo:

1. As I was making a purchase from NewEgg the other day with my Wells Fargo Visa card, I got a popup offering me a new protection for my credit card, and there was very little but an OK to go to it. Well, I have done quite a bit of business on NewEgg, and so I suspected that it was legitimate. I changed my regular password to a new one, just in case, so that my regular account could not be accessed by the password I was giving the new protection. However, this is the banks training you to respond to something that you should never really do, and that is respond to the establishment of such a service in a transaction not initiated by you. I then called my Wells Fargo reps and chewed them out…again, and that takes us to…

2. which really should be #1, because it precedes #1. This is the old-fashioned type of phishing, pre-internet. I received a phone call one day from an automated dialer, telling me that I might have some fraudulent transactions, and that I should call an 800 number to make sure that there were no actual problems. Now, I got the calling number from my Caller-ID, and called it back, just to see what it was…same message. Hmmmmmmmmm…let’s see. The calling number and the number I was given to call were absolutely new to me. Neither was on my credit card or in my credit card bills. Well, I called the number on my credit card, chewed them out, and resolved the problem, which was not a problem. I then called the offered number to see what it would want me to do. Well, it wanted the last 4 digits of my card, and my password. Does anybody see a problem here? I offered them an alternate scenario.

Let’s say that I am a scamster. I get two 800 numbers. I make up an automated script to call people and tell them to call the other 800 number because there may be some fraudulent transactions on their credit card. I don’t even have to say which credit card, or I can take a chance and pick one…VISA or MC would do, though almost everyone now has a VISA. Now, when they call the other 800 number, I can ask them for all sorts of identifying information, and ask about some transactions that really don’t exist. Then I tell them not to do anything further, because in a few days, a new card will be sent to them. Till they figure it out, I am free to do almost anything that I wish. I’ve surely got 48 hours to wreak havoc.

What they are doing is training people to respond to things that should never be responded to. All such items should be customer initiated to known phone numbers, such as the one on the credit card. I’ve tried this one out on Wells Fargo, and though I’ve gotten agreement up to the local bank president, no results. Now, I see the ads by other credit card issuing banks about the wonderful “security” technique where they call you to tell you about those two guys buying surfboards half a continent away.

By the way, though the Wells Fargo logo shows on it, the first scenario above is actually being controlled by VISA International, or so Wells Fargo tells me. Ugh. With that level of security understanding in those quarters, things will just get worse.
Everett L.(Rett) Williams
rett@classicnet.net