In the escalating clash between online scammers and security vendors, the attackers have once again developed new tactics that give them the upper hand in bypassing filters and infiltrating corporate networks, experts say.
The new techniques, which experts began seeing sporadically earlier this year and in large waves in recent weeks, involve the use of a process called steganography, or embedding or hiding text in an image.
In the most recent cases, spam and phishing messages have incorporated complex images containing text. In some cases, the image files include hidden code designed to exploit known vulnerabilities in e-mail clients and Web browsers.
The most prominent example of the steganography wave is a recent variation on the ubiquitous Citibank phishing scam that attempts to lure recipients into disclosing online banking user names and passwords. Previous versions used text and images, such as authentic-looking Citibank logos and privacy seals. But versions that began surfacing recently are made up of one large image file containing all the text.
“We continually modify our systems to enhance safeguards for our customers,” said a spokesperson for Citibank, a unit of Citigroup Inc., in New York. “It is also important that consumers be aware of these issues and act appropriately.”
While the subtle change is lost on most end users, the image-based messages are able to skirt most spam and content filters, which rely on algorithms that seek out certain text strings in spam or malicious e-mail. These filters, known as Bayesian filters, also consider the context of each e-mail but are unable to parse the text in the image files.
Like most effective malicious techniques, steganography has quickly been picked up by others in the cracker and spam communities and passed around.
“Its becoming a mainstream tactic. And its darned effective,” said Bill Franklin, president of Zero Spam Networks Inc., a managed mail security provider in Coral Gables, Fla., that has had some success in stopping the new attacks. “You have to take a full contextual look at it. This used to be down at the bottom of our list of problems.”
Zero Spam is now using a combination of methods to block steganographic messages, including assessing the size and format of the messages, as well as looking at the sender and recipient and the route the mail took. It also compares the images against known bad images, which is effective in some cases, but less so against messages in which some of the bits have been randomized, which alters the files checksum.
While individual filtering tools from large vendors have proved largely powerless against the new threat, some security vendors are preparing help in the managed e-mail model as well.
McAfee Inc., of Santa Clara, Calif., will launch a Managed Mail Protection service for small and midsize businesses. The service, which may be extended to large enterprises in the coming months, comprises anti-spam, anti-virus and content filtering. All inbound e-mail goes through McAfee servers before it hits the customer network.
For administrators, the new attacks are another challenge in the battle against worthless and malicious e-mail. “The new messages with the hidden code or scripts are nasty,” said David Summerfield, director of IT at the Office of the Jefferson County Clerk, in Louisville, Ky., which uses Zero Spams service. “You have to be able to stop them at the source before they can get to the users.”