Image Spammers Utilize PDF

Security vendors are reporting a new trend in spam in which images are embedded in PDFs.

Security vendors warn image spammers are increasingly using PDF files to bypass spam filters.

Researchers at BorderWare Technologies, based in Toronto, reported that on any given day more than 30 image spam campaigns are being run, with more than half of those being PDF-based.

The findings come as a number of vendors have reported that the amount of image spam has declined in favor of PDF spam. A Commtouch report for the second quarter of the year found that image spam had dropped to less than 15 percent of all spam, compared with 30 percent in the first quarter of 2007.

Rebecca Herson, senior director of marketing at Commtouch, said image spam had dropped overall because of increased enforcement attention to stock scams and improved spam filtering technologies.

"Well, it took some time for them to catch up, but many anti-spam filters now can block most image-based spam," she said.

/zimages/3/28571.gifClick here to read about whether there has been any significant decrease in "pump-and-dump" investment spam.

Still, she said, researchers have been seeing PDF spam that looks like image spam, but the images have been turned into PDF files.

"What I mean by this is that it is the same types of randomized images that we were seeing previously, with all the font tricks, background noise, different colored pixels and so on," Herson said. "But instead of sending the images as GIF or BMP, the spammers are taking it a step further and creating PDFs out of the images."

The tactic works because many messaging security tools are not effective at detecting images in the PDF form. Filtering PDF spam in general can be problematic for many security tools because a PDF file is complicated and contains a lot of information, in many formats, said Andrew Graydon, CTO of BorderWare.

"Typical solutions look at the file type and decide which internal processing queue to put it on," he explained. "If it is a text-based file they run the queue through a content scanner looking for text, and utilize simple dictionaries to detect a match," he said.

"If the file type is an image file, then they use a different queue and a different scanner. The problem with a PDF is in the mixture of content that is within the file," Graydon said.

/zimages/3/28571.gifHow are phishers using spam attacks to snag high-level executives personal data? Click here to read more.

"A single file can contain text, images, files, links, JavaScript, or pretty much any embedded content which is a very powerful combination for spammers or hackers to bypass traditional filters, and this is not the last exploit we will see from this format," he said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.