Spam Volumes: Past & Present, Global & Local

[Kontik]

Spam Volumes: Past & Present, Global & Local​

Last week, National Public Radio aired a story on my Pharma Wars series, which chronicles an epic battle between men who ran two competing cybercrime empires that used spam to pimp online pharmacy sites. As I was working with the NPR reporter on the story, I was struck by how much spam has decreased over the past couple of years.

Below is a graphic that’s based on spam data collected by Symantec‘s MessageLabs. It shows that global spam volumes fell and spiked fairly regularly, from highs of 6 trillion messages sent per month to just below 1 trillion. I produced this graph based on Symantec’s raw spam data.

gsv07-12

Some of the points on the graph where spam volumes fall precipitously roughly coincide with major disruptive events, such as the disconnection of rogue ISPs McColo Corp. and 3FN, as well as targeted takedowns against major spam botnets, including Bredolab, Rustock and Grum. Obviously, this graph shows a correlation to those events, not a direct causation; there may well have been other events other than those mentioned that caused decreases in junk email volumes worldwide. Nevertheless, it is clear that the closure of the SpamIt affiliate program in the fall of 2010 marked the beginning of a steep and steady decline of spam volumes that persists to this day.

Of course, spam volumes are relative, depending on where you live and which providers you rely on for email and connections to the larger Internet. As I was putting together these charts, I also asked for spam data from Cloudmark, a San Francisco-based email security firm. Their data (shown in the graphs below) paint a very interesting picture of the difference in percentage of email that is spam coming from users of the top three email services: The spam percentages were Yahoo! (22%), Microsoft (11%) and Google (6%).

WebMailSpamCloudmark

Here’s a graph of total Cloudmark spam volume data from the big three over time, with linear regression trend lines. As we can see, Google’s spam volume is pretty much flat over all (looks like they fought off an attack in September); Microsoft is trending slightly downwards; Yahoo! goes up and down, but more up than down.

YMGspamline

Andrew Conway, Cloudmark’s lead software engineer, said one possible explanation for the big difference in Yahoo!’s spam levels is that the company experienced layoffs in December 2010 and April 2012.

“In the past five years they have had four CEOs plus two interim CEOs,” Conway said in an email interview. “That sort of reputation makes it hard to attract and keep top engineering or management talent. Also, when you are faced with having to cut costs, as Yahoo is, spam prevention does not generate any revenue. Cost centers get cut more than profit centers.”

Conway said spammers will follow the line of least resistance; as such, Yahoo only has to have fewer account creation security controls than the other Webmail providers to attract a lot more spam.

“We see spam coming both from bulk manufactured accounts and from genuine accounts that have been compromised,” he said. “Google has much better algorithms for preventing bulk account creation, and both of them are better than Yahoo at detecting and shutting down accounts that are used for spamming.”

A quick check at one dodgy site that sell access to bulk-created accounts at the top Webmail providers, for example, offers a basic lesson in supply and demand. That site sells 1,000 Yahoo Mail accounts for $35, or roughly 3.5 cents per verified account. Contrast that with the price of Gmail accounts, which is $150 for 500 accounts, or about 30 cents per account.
Prices at dodgy sites that sell auto-created accounts show Yahoo! accounts are almost 10 times cheaper than Gmail accounts.

Prices at sites that sell auto-created accounts show Yahoo! accounts are almost 10x cheaper than Gmail accounts.

 

[Kontik]

New Java Exploit Fetches $5,000 Per Buyer

New Java Exploit Fetches $5,000 Per Buyer​

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.

javaredOn Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.

The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month. From his sales pitch:

“New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.”

The seller must have found a second buyer for the exploit, because the thread has since been deleted from the crime forum. To my mind, this should disspel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program. I should note that this same thing happened not long after Oracle released a Java update in October; a few weeks later, a Java 0day was being sold to a few private users on this same Underweb forum.

Yes, there are still sites that require Java, but most users can — and should — get by without it. For tips on how to keep Java without exposing your computer to a constant stream of zero-day exploits, see my Java Q&A from this past weekend.

I got into a bit of a Twitter fight yesterday with several readers on this point, but I feel strongly that Oracle is an enterprise software company that — through its acquisition of Sun Microsystems in 2010 — suddenly found itself on hundreds of millions of consumer systems. Much of the advice on how to lock down Java on consumer PCs simply doesn’t scale in the enterprise, and vice-versa. Oracle’s unprecedented four-day turnaround on a patch for the last zero-day flaw notwithstanding, the company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems. Oracle seems to be sending a message that it doesn’t want hundreds of millions of consumer users; those users should listen and respond accordingly.