Spam: Why is it Still the Most Common Attack Vector?

Cybercrime has become more complex over the years, and today’s hackers rely on sophisticated techniques to gain control of computers.

However, some of the oldest techniques to compromise computers are still widely used today. More than 40 years after the advent of email, spam is still the most widely used means of gaining access to systems and information, according to research from F-Secure, a leading expert in cybersecurity.

While some spam is designed to entice potential customers to make online purchases of seemingly legitimate products, it’s also a vector for getting users to reveal sensitive information. Some spam will direct users to enter their password into a sham website, and hackers can then use this password to attempt to access other user accounts. For those residing in the United States, supplying a hacker with one’s Social Security number can lead to identity theft. Furthermore, email can be used to send files to users. By getting a user to install a program sent through email, spammers can compromise systems and further build out botnets.

The nature of spam is changing. According to Päivi Tynninen, among the spam samples F-Secure received in 2018, 46 percent were dating scams, and 31 percent directed users toward malicious websites. Twenty-three percent of emails contained malicious attachments. Tynninen also points out a potential reason why email might still remain a popular source of malicious attacks: As other vectors become more secure, malicious actors might be turning toward spam as a tried-and-true method that’s difficult to fully protect against.

Despite the simplicity of malicious spam, fully preventing attacks remains a difficult problem. Part of the reason is how cheap it is to send spam. Even with a modest botnet, spammers can send out an endless stream of spam to potential targets, and hackers don’t mind that nearly all of the spam sent will not be read. If even a tiny fraction of spam makes it to a recipient, and even if only a tiny fraction of spam emails received successfully compromise systems, the potential rewards are still high enough to make the effort financially viable.

Part of the solution to spam email is education. However, even people who understand the basics of spam can still fall victim. Among the findings of F-Secure’s research: The probability of a recipient opening a spam email rises 4.5 percent if there are no misspellings in the subject line. If the email claims to come from someone the recipient knows, the probability of opening the email rises 12 percent. Somewhat surprisingly, emails claiming urgent action is needed are less successful than those merely implying urgency, perhaps because they seem more authentic at first glance.

Still, managing email spam requires technical expertise in addition to education, and security software and policies need to be continually updated. Instead of pointing users directly toward a malicious site, some spammers direct them to an innocuous site that then points to the malicious site, and this can evade certain email filters. Furthermore, malicious attachments are often now password-protected, which can prevent security programs from scanning them adequately.
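A mail gateway cannot scan inside a password-protected archive, but it can detect that an attachment is one and quarantine it or route it for review. The sketch below is an added example, not code from the article or from F-Secure; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def encrypted_zip_attachments(raw_message: bytes) -> list:
    """Return filenames of ZIP attachments that are encrypted or unreadable."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        buf = io.BytesIO(part.get_payload(decode=True) or b"")
        if not zipfile.is_zipfile(buf):  # sniff the content, not the extension
            continue
        try:
            with zipfile.ZipFile(buf) as zf:
                # The central directory is readable without the password.
                if any(i.flag_bits & ENCRYPTED_FLAG for i in zf.infolist()):
                    flagged.append(part.get_filename() or "(unnamed)")
        except zipfile.BadZipFile:
            # A corrupt archive cannot be scanned either, so flag it as well.
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


def sample_message(encrypted: bool) -> bytes:
    """Constructed sample mail carrying a one-file ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so the flag bit is set by
        # hand in the local header (offset 6) and central directory (offset 8).
        data[6] |= ENCRYPTED_FLAG
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(encrypted_zip_attachments(sample_message(encrypted=True)))
    print(encrypted_zip_attachments(sample_message(encrypted=False)))
```

The check covers ZIP only; other archive formats mark encryption differently and need their own parsers.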

Hackers will continue devising new means of attacking users and computers, and this trend shows no signs of slowing. However, it’s also important to not lose sight of classic means of compromising computers, and everyone focused on security needs to ensure their email policies and education are appropriately tailored to the most common attack vector.