Google: Spam, Virus Attacks to Get More Clever

Google's Postini team recommends enterprises guard against socially generated spam and virus attacks in 2008.

Spam and virus threats to enterprise messaging security and compliance may level off this year compared to 2007, but social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team.

The report, released March 6 after Google's Postini team commissioned the study to survey 575 IT professionals, found that Postini data centers recorded 57 percent more spam and virus attacks in 2007 compared to 2006.

The size of spam e-mails also increased considerably as spammers included images, .pdf files, documents, spreadsheets and even multimedia files to spoof spam filters, according to report author Adam Swidler, senior solutions marketing manager for Postini.

This sets the stage for greater security challenges in 2008, something the Postini unit will have to seriously account for as it looks to bolster its position in the SAAS (software-as-a-service) security software market.

Google acquired Postini for $625 million and has already made significant progress applying the Postini messaging security assets to its own Apps, such as Gmail.

The social engineering techniques try to circumvent computer and network security by manipulating users into performing actions that divulge confidential data. Identity theft attacks will be launched from user-generated Web sites, such as social networks, blogs and auction sites.

Attacks will take the form of sneaky viruses that will blend with spam, leveraging specific current events, such as the Super Bowl or the Summer Olympic Games. Moreover, virus attacks will target executives at companies whose intellectual property is deemed valuable on the black market.

These attacks will masquerade as legitimate business agencies, such as the Internal Revenue Service, the Better Business Bureau and the Securities and Exchange Commission.

While most of these targets may miss their mark, Swidler said there will be high-profile data breaches at enterprises and government agencies, forcing companies to modify their e-mail practices, such as eliminating hot links in customer e-mail communications.

Businesses will also place increased emphasis on outbound security policies and content encryption. More states will revise rules governing civil procedure for state courts, so organizations will need to put in place a litigation readiness plan supported by digital message archiving and discovery.

This is where the Postini pitch comes in. Companies can lower the cost of deploying anti-spam and anti-malware software to offload the burden and cost of keeping the defenses updated, Swidler said.

He also wrote that all applications launched from a Web browser must be updated to current patch levels.

Enterprises must also define e-mail usage policies, including how to handle attachments such as executables, scripts and multimedia files, identify sensitive content contained in inbound and outbound e-mail messages and create policies that address these messages, and educate users about threats and internal company policies regarding the use of e-mail.

Click here to view the full report, which includes stats on business communication trend for 2007.