Bloomberg takes a look at this method of spamming, which involves sending scammy emails to fewer people, in smaller batches, in an effort to sneak around filters and land more of those spam emails in your inbox.
Though your junk mail folder will likely remain full to the brim with poorly worded emails touting prescription drugs and luxury watches, the spam emails that foil anti-spam filters don’t get there by accident: this kind of small-batch approach is a calculated effort to break through those spam blockers.
“Spammers are getting much more focused, much more targeted, and this shows they are getting more concerned about quality,” said Vidur Apparao, chief technology officer for a cyber-security firm called Agari Data.
For example, Agari tracked attackers working in France who were trying to steal iTunes passwords from Apple customers. They sent out just 5,000 emails to French-speaking targets with links to a fake login page, instead of trying to spam, say, 50,000 people. It was a success, for spam: most emails found their way past filters and into their victims’ email inboxes.
By using email accounts hosted through a cloud company that isn’t a known offender on global threat lists, the attackers were then able to keep the scam up for eight hours before automated filters started to realize what was going on.
Agari couldn’t determine whether users clicked links contained in those spam emails, or how many gave away passwords, but simply making it past the filters is more than your average spam will accomplish. This artisanal approach is now known in the industry as “snowshoe” spam, named for the small footprints it leaves.
As artisanal spam continues to bedevil email users, the cyber-security industry is pushing for new protections that would help shore up our inboxes. A global registry called DMARC is one such effort: it lets retailers and other companies register the servers they’ll be using to send mass emails, newsletters, etc. Messages pretending to be from those companies that come from an unregistered address would get flagged.
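How a receiving mail server applies a DMARC policy, as an added example that is not from the Bloomberg piece or from Agari: the "registration" is a DNS TXT record at `_dmarc.<domain>`, and a message passes when SPF or DKIM passes for a domain aligned with the From domain. The record, the domain names and the two-label organizational-domain shortcut are constructed assumptions.

```python
# Simplified DMARC evaluation (RFC 7489). Ignores pct=, sp= and reporting tags.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("p", "").lower() in ("none", "quarantine", "reject") else None

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real receivers use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain: the domain that PASSED that check, or None.
    Returns 'pass', 'no-policy', or the domain owner's requested policy."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"].lower()

# Constructed record, as it would be published at _dmarc.shop.example
RECORD = "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@shop.example"

if __name__ == "__main__":
    # Genuine newsletter: DKIM-signed by a subdomain, relaxed alignment
    print(evaluate(RECORD, "shop.example", dkim_domain="news.shop.example"))
    # Spoofed From, authenticated only as an unrelated cloud sender
    print(evaluate(RECORD, "shop.example", "mailer.cloud.test", "cloud.test"))
```

DMARC evaluates only the domain in the From header, so look-alike domains fall outside it and still need content and reputation filtering.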
In the meantime, if you’re not sure whether an email has come from where it says it has, it’s best to contact that company directly before providing login and password credentials.
E-Mail Spam Goes Artisanal [Bloomberg]