Can You Stomach The SPAM?

Matt Peterson

Most of us go through our daily routines of digesting a healthy amount of SPAM without ever noticing its nutritional value.  There are several factors that help those responsible for securing ourselves with understanding the multiple flavors this wonderful package brings us in the form of email.  For security administrators, we often choose "delete" like every other user, but certainly there are some value in determining the various trends associated that make people want more SPAM!  Why?  Because if it didn't work, we would no longer have all this SPAM sitting around.

Don't knock it 'till you try it!  Go ahead, open up that email and take a look at the messaging involved, and you'll notice the increasing smell from 'phishing'.  For those that don't know, 'phishing' is a technique used to acquire sensitive information by attempting to portray an actual legitimate business through e-mail.  This occurs through the use of fake emails portraying to be a popular and well known social networking site, banking institution, online auction, or any other site in which would typically contain access to personally identifiable information or payment card information.  This is a social engineering activity that is very carefully thought out and methodical in its approach in order to dupe the unsuspecting recipient.

The latest Gmail breach is an example of just this very approach on 'phishing'.  In today's world of instant gratification, we all become susceptible to this type of attack if not carefully monitored.  With the ability to register for various email notifications from trusted sources, it's easy to quickly overlook the origin of a request, or inadvertently utilize these phishing/SPAM techniques through a mobile browser to quickly obtain the information requested.  This is quality information to obtain and use by the groups that promote and sponsor this behavior.  While you are likely to continue seeing the original flavor of SPAM, trying to get you to donate money to a charity that doesn't exist, claim your lottery winnings from a country you never visited, or discreetly acquire that performance enhancing drug you've been too afraid to ask your doctor about.

How do we police these types of activities?  Good information security practitioners would continue to fight this through education and awareness training.  This problem isn't going away soon, so reduce your risk of having your identify stolen, credit card information being stolen, user accounts being stolen for online banking, social networking sites, or auction sites.  This is a type of social engineering that works effectively and is well crafted to achieve high results.  Here are a few tips and suggestions to make your life less eventful when you encounter such emails:

Nutritional Facts to Prevent SPAM/Phishing:

1. Understand that legitimate businesses would not require you to enter personal information through a link made available within an email message.  Instead, you would be required to visit the website of the business directly. 

2. Look at the website URL window to know the domain you are going to.  If you are trying to login to www.acme.com and notice that the domain reads www.acme.trust.ua is not.

3. For all those PDA friendly folks, and that stands for "Personal Digital Assistant" - Find out if your bank, auction site, social networking site, etc. has an 'app' that you can use to interface and communicate with the legitimate business online.

4. Enable SPAM detection properties with your email provider, where available.  For corporate entities, technologies exist to prevent this exploitation of the user population through SMTP gateways.  For personal use, most internal email providers offer a varied level of security to prevent this behavior, but it cannot always be prevented.

5. Educate others to help prevent this exploitation.  Subscribe to a Security Awareness Training program through a reputable vendor.  This will enable you to educate users and reduce the risk to your organization through a variety of activities and situations.

What happens if you've fallen for such a scam?  If you are able to comprehend what just transpired, immediately go to the legitimate business's website and change your account login information (username/password).  This may not always be possible if the account information was already changed by the attacker.  Next, immediately contact the legitimate business organization to report the incident so appropriate steps may be taken to reduce the impact.

As with any diet, it's important to watch what you eat.  Don't become overwhelmed, as with proper education and understanding, we can all consume higher nutritional email and throw out the junk food called 'SPAM'.