One question that often arises is, look at this e-mail I received…have I been hacked? The answer is not quite as straightforward as one might think. The protocol that defines Internet e-mail was written a long, long time ago, when the Internet was a much different place than it is today. The protocol itself, by today’s standards, is pretty weak, allowing for much mayhem. It is pretty easy to send e-mail as someone else, and the only resolution is to closely inspect the mail delivery headers – a record of which machines have handled the message.
The most common type of attack is a phishing attack, where a recipient is lured into opening and perhaps clicking on a link in the body of the message.
These messages can contain various means of corrupting the e-mail program itself, allowing for code to be installed on the recipient’s computer (obviously the worst-case scenario), or simple theft of data. Most purveyors of software know this game now and are sensitive to it, but as long as programs are big and complex, the opportunities will still exist, with new ones presenting themselves with every update. Now, with plenty of free e-mail services, cloud storage, and mobile devices, new attack vectors have arisen, with bigger payoffs, making them nearly impossible to thwart.
There are essentially two camps of spammers: one that simply sends bulk e-mail in the hope that a very small percentage of recipients actually buy the products the spam is selling, and the other, which hopes to actually take control of the target’s system. Both rely on massive lists of real e-mail addresses in order to function. The simplest way to gather e-mail addresses is to exploit known weaknesses of the e-mail client and/or the operating system on which it runs, often resulting in the export of the target’s address book. Once an address book is obtained, it is possible to send e-mail as each person in the address book to all people in the address book, resulting in more successful hacks and more address book losses. Put another way, if someone else has you as a contact and they don’t give a flip about good computing practices, password strength, or encryption, then most likely there will be spam sent as you to your colleagues. This is why a friend may say you have been hacked after receiving a message from you, when really it was a friend of a friend of a friend. The hack may have happened long ago, or it may have been recent. It’s also quite possible that all of these stolen address books are aggregated, analyzed, and traded on the black market.
But why are there so many spams? The answer lies in the latter group, and it involves money, extradition laws, and botnets. If an attacker (spammer no longer applies here) can insert code on a target’s computer and then control the computer, they can build a much more efficient, dispersed spamming operation. When this happens on a large scale, it is called a botnet. The opportunities for illegal monetary gain increase greatly with botnets, one being extortion through the threat of a Distributed Denial of Service (DDOS) attack. Think of a DDOS attack as tens of thousands of computers flooding a target’s network with useless requests, causing all of the infrastructure to overload and miss legitimate business activity. Perpetrators often live in countries that have no extradition treaties with their victims’ countries, essentially giving them a safe haven.
Businesses that generate online revenue are typically the victims. Since there is no really good way to fight large-scale (botnet-controlled) DDOS attacks, they often pay quietly, leaving no record of the extortion. Occasionally one will go public, and it makes headlines. Do a search for “ddos extortion attacks” and a clear picture starts to form.
So what can be done? Well, you’re in the same boat now as many large companies, and they have much deeper pockets. It’s probably best to analyze the e-mail headers to find the point of origin of the spam. Make sure that the spams do not originate from your IP address, or from any IP address you use to send e-mail. Also, look at the payload. Are there images or hyperlinks in the spam? If so, then most likely it is an attempt on your security, using your contacts as additional leverage.
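As an added example (not code from the original post), here is the header walk described above in Python: the Received lines are read bottom-up to find the first hop, and then the two checks from the post, the origin IP and links or images in the payload, are applied to a constructed message (the hostnames and addresses are made up for illustration).

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Each relay prepends its own
# Received line, so the top one is the last hop and the bottom one the first.
SAMPLE = """Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.7])
\tby inbox.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example-isp.net (relay.example-isp.net [198.51.100.2])
\tby mx.example-isp.net with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example-isp.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "A Colleague" <colleague@example.com>
To: you@example.com
Subject: Please look at this

<p>See <a href="http://203.0.113.45/login">this</a>.</p>
"""

# Matches "from <helo> (<rdns> [<ip>]) by <host>"; the parenthesised part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def received_chain(raw):
    """Return the hops in delivery order (first hop first), one dict per line."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value))  # unfold the header
        m = HOP_RE.search(text)
        if m:
            hops.append(m.groupdict())
    return hops

def origin_ip(raw):
    """IP address the first relay says it accepted the message from, or None."""
    hops = received_chain(raw)
    return hops[0]["ip"] if hops else None

def sent_from_my_address(raw, my_ips):
    """First check from the post: did the message originate from an IP you use?"""
    return origin_ip(raw) in set(my_ips)

def body_has_links_or_images(raw):
    """Second check from the post: does the payload carry hyperlinks or images?"""
    body = message_from_string(raw).get_payload()
    return re.search(r"https?://|<img\b|<a\s", body, re.IGNORECASE) is not None
```

Only the Received line written by your own mail server is trustworthy; every line below it arrived with the message and could have been planted by the sender, so treat the reported origin as a claim to be cross-checked against your own server's logs.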
All of this, stemming from a simple mail transfer protocol (SMTP) written at the dawn of the Internet. That’s right – SMTP is the actual name of the protocol. If only it were not so simple.