Security Watch

Keeping Track of patches and hacks in the IT security world.

Image Spam Uses Photo-Sharing Site to Sneak Under Radar

Secure Computing is reporting that it has detected a new form of image spam that has taken an evolutionary leap over past image spam, using the popular photo-sharing site ImageShack to upload spam images.

Spammers are sending e-mails containing a URL leading to the spam images. Once the spam is opened, the image is uploaded from ImageShack, without ever having gone through anti-spam technologies.

The images look like other image spam people have become accustomed to seeing. Here is a sample, provided by Secure Computing Principal Research Scientist Dmitri Alperovitch:


To emphasize the point: "You don't have to click on it," Alperovitch told me. "As soon as you open the e-mail, it's in HTML format and contains a link to the image that pulls the image into an e-mail client."

Secure Computing discovered this new paradigm only a few hours ago. Anti-spam vendors are unable to squash the spam because their technology is only detecting a link to a legitimate photo-sharing site. "It can't be blocked outright," Alperovitch said. "[The site] has a lot of legiti-mate users."

Neither can the photo-sharing site simply squash the spam images, he said, given that the spammer is using multiple random images, not just one.

Secure Computing said it thinks there are two reasons for the new development: First, developments in anti-spam and filtering technologies have forced spammers to become more sophisticated and to obfuscate their images. That's why you'll often see spam images with random pixels and dots as well as color scrambling, as spammers attempt to evade the more advanced technologies. "It became very hard to hard to read the image as you opened it up and tell what was going on and what they were trying to market," Alperovitch said.

With this new technique, spammers can deliver an image that looks far more crisp and professional.

The new spam is now being used to promote stocks, including logos of Fidelity, Ameritrade and ETrade.

Another reason that spammers may have turned to this new method is because the image doesn't need to be obfuscated, throughput doesn't have to be optimized.

As it is, Secure Computing has seen a "dramatic" drop—30 percent—in spam volumes over the last year, as filtering and anti-spam technologies have advanced.

"We believe that's partially because spam software has to do more work to bypass filters and obfuscate images," Alperovitch said.

There's currently no malware being detected in the new spam form, but that won't last long, he said. "We've seen worms relying on a similar technique: sending e-mail with a link to a site that contains malware," Alperovich said.

Secure Computing hasn't yet seen large volumes of the spam, but the company only detected it very recently. Because of characteristics similar to e-mail from zombie PCs in botnets, the firm said it believes the messages are coming from Russian spammers.