Proofpoint: Email Security Blog

July 02, 2009

Generic Signatures and the Need for Zero-Hour Anti-Virus Protection

Back in May, I posted a note about a widespread spam campaign spoofing Western Union that carried a malicious attachment harboring the Zbot Trojan - malware that tries to steal online banking credentials (see: High Volumes of Western Union Transfer Spam with Trojan Attachments).

Our anti-virus partner, F-Secure, detected this particular threat early and tipped us off to it. Now our zero-hour anti-virus partner Commtouch has an interesting report out about this general class of threats, in which Trojans are widely spammed with "aggressive" new variants.

See this Proofpoint/Commtouch Malware Outbreak Report for more detail, but the main theme of the report is that over May and June there was a sharp rise in the number of new viruses being distributed via email that were not caught in a timely fashion by many of the major signature-based anti-virus engines. (The illustration in this blog post shows a qualitative view of this trend.)

As we've seen in the past, messages like the Western Union spam that I noted are sent with many different Trojan variants -- an attempt by the malware distributors to bypass anti-virus engines. It takes time for anti-virus signatures to be updated to accurately detect each new variant and, during that time, email recipients are open to attack. One technique that signature-based virus vendors have been using to counter this problem is to use so-called "generic" signatures to block all variants of a given virus. The Commtouch report suggests that this isn't always effective.

I'm not going to argue the merits of signature-based A/V engines versus behavior- or pattern-based systems as both have their place in protecting enterprises from today's rapidly-changing malware threats. Proofpoint makes both types of protection available to customers. For signature-based anti-virus, the Proofpoint Virus Protection module can be deployed with a choice of two different A/V engines. For protection against emerging viruses (before signature updates are available), we offer the Proofpoint Zero-Hour Anti-Virus module, which is powered by Commtouch's Recurrent Pattern Detection technology.

Proofpoint's own recommendation as a best practice for malware defense is to have both signature and zero-hour virus protection in place at the email gateway. In fact, in our SaaS email security solution, Proofpoint ENTERPRISE and Proofpoint PROTECT, customers get both types of protection and we encourage our appliance customers to do the same.

As a reminder, our next live webinar (coming up Wednesday, July 15th at 2:00 p.m. ET / 11:00 a.m. PT) will cover some of the latest spam and malware distribution techniques. Please join us if you're interested in these topics! Register for "No Summer Vacation from Spam" here.

June 26, 2009

What, no Michael Jackson Spam?

Not to be too sassy, but it looks to me like there was almost more press coverage of potential "death of Michael Jackson" themed spam, than actual "King of Pop" spam. The Wall Street Journal's "Digits" blog had an entry that notes two Michael Jackson-themed email attacks -- an email with a spoofed YouTube link as well as messages that exploit Jackson's death and are likely trolls for valid email addresses or directory harvest attacks.

Spammers commonly exploit current events in their attacks, but having looked through Proofpoint's own spam traps yesterday, I didn't actually see anything spammy exploiting the singer's untimely demise. Lots of legitimate bulk email (from news services and the like) actually reporting on the event, though.

Perhaps spammers didn't think that they could cut through the overwhelming amount of real email on this topic?

At any rate, my spam-fighting friends over in the Proofpoint Attack Response Center did point out a concert refund scam email that came in this morning. The message payload reads:

Reimbursement due to death of Pop King{Michael Jackson}

Due to millions of people that bought tickets for the show,i advise you contact me immediately to avoid been on a long queue.

Mrs.Mitchelle Holmes,
Head of operation
Michael Jackson concert{London}

Need I even note that -- even if you do happen to be a ticketholder for one of those events -- you shouldn't respond to messages like these?

On a similar tip: Our next live web seminar, "No Summer Vacation from Spam" will be covering some of the latest tricks that spammers and scammers are using in their campaigns. Join us live on July 15th by registering here:

http://www.proofpoint.com/id/spam0709/index.php

June 24, 2009

Gartner Says IT Security Spend to Grow, Even as IT Budgets are Cut

Proofpoint will be exhibiting at Gartner's Information Security Summit next week (if you're there, come see us in the Solutions Showcase, booth #40) and this preview article from Dark Reading, "Security Poised to Grab Bigger Piece of the IT Pie, Gartner Says," caught my eye.

In the article, Gartner security analyst Adam Hills is quoted as saying that:

"IT spending in 2009 is basically flat, with some companies making cuts, but we're seeing security spending increase slightly. If both of those hold true throughout the year, then it's clear that security spending will end up comprising a larger portion of the total IT budget [than in 2008]."

Software-as-a-Service spending is driving some of this growth. Hills notes that large capital investments are being put on hold as enterprises move more toward outsourcing and third-party security services. According to Hills, 30% of companies say they are spending at least 10% of their security budgets on SaaS offerings.

Hills says that security functions that are often considered "commodity" -- including the areas where Proofpoint plays, such as email security, anti-spam and anti-virus -- are "among the most likely functions to be outsourced or converted to SaaS."

This certainly fits what we're seeing in our business, as both new and existing customers adopt our SaaS email security solutions from the Proofpoint on Demand family -- solutions like Proofpoint ENTERPRISE, Proofpoint SHIELD and Proofpoint ARCHIVE.

You can read the entire article here:

http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=218101017

And if you're interested in better understanding the cost savings associated with SaaS, you'll want to check out these Proofpoint and Osterman Research whitepapers that explore how SaaS email security and SaaS email archiving can reduce costs without sacrificing security. See:

June 23, 2009

More Email Anarchy in the UK - Breakups, Bad News and Data Leakage via Work Email

How about some fun email stats for a Tuesday morning? Our British counterparts at Proofpoint UK conducted an online survey of 108 UK office workers about some of the potential personal uses of work email. Like Proofpoint UK's survey from earlier this year (see "Anarchy in the UK (Office)"), this survey turned up some pretty interesting results. This time, we looked at how work email is used to break "bad news" and at some common, but maybe not-so-wise, personal uses of work email.

Here's what the Proofpoint survey found...

Workplace Email and Romance

  • 32.1% of UK office workers surveyed admitted to sending an "inappropriate" email to a lover from their work email accounts.
  • 26.3% of respondents had ended a relationship via email from the office.

Breaking Bad News

  • 41.5% of respondents had sent a work email rather than phoned a friend, colleague or business associate to tell them bad news.
  • The same number, 41.5%, had disciplined a work colleague over email.
  • 18.9% had emailed to say they would be out sick.

Other Personal Uses of Workplace Email

  • 35.8% of respondents admitted to applying for a new job via their workplace email.
  • 86.6% of respondents say they arrange their social calendars via work email during office hours.

And finally, a more serious data loss prevention statistic:

  • 21.8% of respondents say that they have emailed confidential corporate information from their work email accounts to a personal email account.

These stats have been picked up by a variety of publications including PC Advisor and Web User magazines. Proofpoint's managing director in EMEA, David Stanley, comments that:

"Brits certainly take a few liberties with their email but companies should expect this, as they ask staff to work longer hours at their desks. However, companies need to ensure staff don't get them into trouble if email abuses escalate. Staff could very quickly land an employer in legal hot water by sending or opening the wrong email."

For more statistics about outbound email policies, technologies and abuses in the workplace, check out Proofpoint's annual "Outbound Email and Data Loss Prevention in Today's Enterprise" report. The latest version is always available at the following URL (currently, the 2008 edition):

http://www.proofpoint.com/outbound


June 22, 2009

Great Security News Resource: Liquidmatrix Security Digest

I continue to be a big fan of the regular "Security Digest" posts over at Liquidmatrix. You can always check out the latest edition here:

http://www.liquidmatrix.org/blog/category/news/

Today's digest was full of links to interesting IT security news including a great Dark Reading post on the latest 419 scam variation hitting Facebook -- whereby Facebook users receive a message from a friend saying that they'd been "held at gunpoint in London."

Other highlights include a CNET Q&A with Kevin Mitnick, news about how Iranian hacktivists launched DDoS attacks and some new research on underestimating the impact of data losses.

Highly recommended!

June 19, 2009

No Summer Vacation from Spam: Live Email Security Webinar July 15 - and Some New Spam Sightings

Proofpoint's live web seminar series for 2009 continues with "No Summer Vacation from Spam," being held on Wednesday, July 15th 2009 at 11:00 a.m. Pacific/2:00 p.m. Eastern time. You can register here:

No Summer Vacation from Spam - Live Proofpoint Webinar

Proofpoint spam expert Nithin Rao will discuss the latest trends in spam volume, spam composition, spam techniques, emerging malware, blended threats and much more.

And, as if to reinforce the truth of that webinar's title, I see that some of my personal email accounts (which I use as a sort of mini spam trap -- they have no spam protection in front of them, so I get to see interesting new spam) have a lot of pretty clever spam and phish in them today.

The top image at left (click it to see a full-size example) is a variation on image-based spam from our old friends at "Canadian Pharmacy." The payload is in an image, but there's some legitimate-looking hashbusting text in the footer. This is the sort of message that will fool less sophisticated anti-spam solutions.

Interestingly, the click-through URLs for this seem to route to a Yahoo Groups address - which likely redirects to their online store site. Do I need to tell you that it's a bad idea to actually shop there?

The subject line in that one cracks me up... Aw shucks, I've missed you, too, Canadian Pharmacy...

The second example is a pretty convincing-looking phishing attack that spoofs Bank of America. We've seen a lot of these in spam traps today, and there seem to be similar attacks spoofing Chase, SunTrust and others being widely spammed. (Click the image for a full-sized version.)

In this phishing attack, recipients are being asked to, yes, update their personal information in a "new version of Bank of America Customer Form." The form URL itself is not linked to an actual Bank of America URL, of course, but instead directs to a spoofed site hosted with domain name hflij1.net.

As I've said time and time again in this and other forums: Don't click these kinds of links. If you get a message like this and it inspires you to update your information at your bank or other online service, type the address directly into your browser rather than following a link.
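The mismatch described above (a displayed bank URL whose underlying link goes to hflij1.net) is something a gateway or mail client can check mechanically. This is an added example, not Proofpoint's code; it assumes the bank's public domain is bankofamerica.com and uses a constructed HTML snippet modelled on the phish.

```python
# Added example (not Proofpoint's code): flag anchors in an HTML email body whose
# visible text shows one host while the href actually points at another domain.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registered_domain(host):
    """Crude eTLD+1: last two labels (enough for the .com/.net hosts here)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (visible_text, actual_host) for anchors whose displayed text names
    a different registered domain than the href really resolves to. Anchors
    whose text contains no host (e.g. 'Click here') are not flagged."""
    p = LinkCollector()
    p.feed(html)
    hits = []
    for href, text in p.links:
        actual = urlparse(href).hostname or ""
        m = HOST_RE.search(text)
        if m and actual and registered_domain(m.group(1)) != registered_domain(actual):
            hits.append((text, actual))
    return hits

# Constructed sample resembling the Bank of America phish described above:
# the displayed URL is the bank's, the real href goes to the spoofed host.
SAMPLE = """<p>Please update your details in the new Bank of America Customer Form:
<a href="http://hflij1.net/boa/form.php">https://www.bankofamerica.com/update</a></p>
<p><a href="https://www.bankofamerica.com/privacy">https://www.bankofamerica.com/privacy</a></p>"""

if __name__ == "__main__":
    for text, host in mismatched_links(SAMPLE):
        print(f"MISMATCH: displayed {text!r} but link goes to {host}")
```

The two-label domain check is deliberately crude; a production filter would use a public-suffix list so that hosts under country-code second-level domains are compared correctly.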
