[Infowarrior] - Spammers dump images, switch to PDF files

Richard Forno rforno at infowarrior.org
Wed Jul 25 12:20:00 UTC 2007


 Spammers dump images, switch to PDF files
Robert Lemos, SecurityFocus 2007-07-18
http://www.securityfocus.com/news/11475?ref=rss

Foiled by increasingly accurate corporate spam filters, spammers have dumped
pictures for PDFs in their bulk e-mailings, according to the latest data
from security firms.

Image spam, which at the beginning of the year accounted for nearly 60
percent of all junk e-mail, has plummeted and now accounts for only about 15
percent of spam. Taking its place, the number of junk e-mail messages using
an attachment in the Portable Document Format (PDF) has steadily climbed
since mid-June, accounting for as much as a third of spam.

"It went from zero to -- when the spammers started experimenting --
fifty-fifty image spam and PDF spam," said Matt Sergeant, senior antispam
technologist for e-mail security firm MessageLabs. "Now, it's gone to
wholesale PDF spam."

The ebb and flow of different types of spam is an indicator of the arms race
between spammers and network defenders. Image spam took off in late 2006,
primarily as a way to tout penny stocks and manipulate the volatile
over-the-counter markets. Yet, other types of spam, advertising products
from fraudulent pharmaceuticals to sexual enhancement devices, soon started
using embedded images as well. The growth of image spam peaked earlier this
year, making up as much as two-thirds of all spam in January.

Companies have adapted to the attack, however, detecting the unwanted images
and blocking them, said MessageLabs' Sergeant.

"The volume of image spam was so great that a number of large businesses
took to wholesale blocking of e-mails coming in with image attachments," he
said.

The better filtering has led spammers to change tactics and experiment with
PDF files.

While security firms agreed that PDF files started regularly appearing as
spam attachments about mid-June, estimates for the volume of PDF spam varied
somewhat between companies. MessageLabs, which filters out virus-laden and
spam e-mail messages for its clients, estimated that about 30 percent of all
spam now uses PDF files. Security firm McAfee had a more modest estimate
that 2.6 percent of all junk e-mail messages carried PDF files, while
Symantec, the owner of SecurityFocus, has found the fraction varies between
2 and 7 percent.

"The spammers are doing the old cat-and-mouse game," said Guy Roberts,
senior research manager for anti-spam at McAfee. "Vendors have caught up to
spammers and detection is pretty good for image spam, so (the spammers) are
changing tactics in order to get their message across."

The growth of spam e-mail messages with PDF attachments has also caused the
total bandwidth of spam to grow quickly, because PDF files tend to be much
larger than the GIF images that the files are replacing.

From a spammer's point of view, the strength of PDF is that many companies
require that their e-mail systems allow the documents to be passed to the
user, said Menashe Eliezer, director of anti-spam research for security firm
CommTouch. Because PDFs are ubiquitous in the business world, such
attachments are more likely to reach the users, he said.

"Now, they are using professional looking PDFs, and if it doesn't look like
spam, that's even better," Eliezer said.

While moving unwanted advertisements from images to PDFs may make it more
likely that the message reaches the intended recipient, whether or not that
person opens the attachment is another question, said Doug Bowers, senior
director of anti-spam engineering for Symantec.

"We are interested in seeing if this is really effective in getting a spam
message, not just delivered, but also read," Bowers said.

In the end, if PDF spam cannot deliver more eyeballs to spammers, the trend
may end up being a short-lived phase, he said.



