Proofpoint: Email Security Blog

Phishing

August 31, 2010

Pushdo/Cutwail Botnet Takedown Attempt: No Major Impact on Overall Spam Volume, Traffic "Spikey"

Just a quick note about recent news reports (such as PCWorld, "Huge Spamming Botnet Injured but Still Alive" and InfoWorld, "What it Takes to Shut Down a Botnet") about efforts to curtail the activities of the so-called Pushdo or Cutwail botnet. This network of compromised computers is suspected of being one of the largest sources of spam and malware-infected email (see the coverage I mentioned previously or this interesting study on that botnet, published by Trend Micro last year).

Late last week, security researchers contacted ISPs that were apparently hosting various command and control servers used by the botnet in an attempt to shut the network down (not unlike the original takedown of botnets hosted by rogue ISP McColo). Apparently approximately 20 out of 30 of the C&C servers used by the Pushdo/Cutwail botnet were cut off from the internet, possibly having a short-lived effect on overall spam volume.

As other vendors have seen, spam fighters in the Proofpoint Attack Response Center tell me that Proofpoint's own spamtraps (sometimes referred to as "honeypots") have not seen a volume decrease, but noted that the volume pattern—the natural rises and falls in spam volume that accompany new spam campaigns—has been more "spikey", with bigger fluctuations between high and low volume than we are used to seeing. It's unclear if this behavior is at all related to activities around the Pushdo/Cutwail botnet.

As always, email volumes, especially those received by large enterprises, can fluctuate wildly. This is driven in part by general spam and malware sending activity, but also by attacks that target specific organizations, whether they are attempts at denial-of-service, directory harvest attacks, or targeted phishing attacks.

This ongoing unpredictability is one of the key reasons that many organizations have moved (or are looking at moving) their inbound email security protection to a SaaS model. The rationale being, "Why worry about properly scaling your email and email security infrastructure to meet worst case scenarios when the same type of protection and control is available 'in the cloud' at a much lower total cost-of-ownership?"

August 19, 2010

Intel to Buy McAfee, "Security the Third Pillar of What People Demand from Computing Experiences"

In a move that surprised many, but will make a lot of sense to regular readers of this blog, Intel announced today that it has entered into a definitive agreement to buy diversified security vendor McAfee for $7.68 billion, a significant premium over McAfee's share price at yesterday's market close.

Echoing many of the same issues that Proofpoint CEO Gary Steele noted in his recent guest blog post at Byron Acohido's "Last Watchdog" blog (see "Why Wall Street is Boosting Investments in Tech Security"), Intel and McAfee gave the following rationale for the acquisition:

First, security is fundamental to today's computing environment. Intel CEO Paul Otellini is quoted as saying, "In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences."

And those "computing experiences" are becoming more and more pervasive. The explosive growth of Internet connected devices—not just PCs but smartphones, tablet computers (like the iPad, the rumored Google Chrome OS pad, etc.), even ATMs, medical diagnostic equipment and on and on—requires better security for those devices to prevent exploitation and protect private data held and processed by those devices.

As security vendors regularly point out, security threats continue to proliferate rapidly and are becoming more complex and more costly to remediate. In the email security space, for example, targeted attacks such as spear phishing, the use of multiple attack vectors (combining email, web and social media components) and more clever social engineering are now commonplace. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month,” says McAfee CEO Dave DeWalt.

McAfee's online announcement also notes that, "The current cybersecurity model isn’t extensible across the proliferating spectrum of devices – providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security." Which I think is a rather verbose way of saying that network security in today's world needs a major "re-think" and that certain security functions and controls need to migrate further down the IT application stack and be more of an integral part of the hardware and firmware that power new devices.

Additionally, Intel notes that this acquisition is part of their ongoing effort to broaden its IT footprint, delivering not just hardware but software components. Notes the Intel announcement, "Intel has made a series of recent and successful software acquisitions to pursue a deliberate strategy focused on leading companies in their industry delivering software that takes advantage of silicon. These include gaming, visual computing, embedded device and machine software and now security." (Intel's acquisitions of embedded/mobile software vendor Wind River and gaming AI/physics vendor Havok are cited.)

Expect this news to spur ongoing M&A activity in the security space. And, more importantly, the trend toward making security more of a core component of computing devices—rather than an afterthought—will make for a safer computing world.

July 30, 2010

A Few Quick Spam Observations from Q2 2010: Top Spam Sending Countries and More

The anti-spam team over in the Proofpoint Attack Response Center shared some statistics with me about spam trends in Q2 (April through June) of 2010 that I thought I would relate here.

First, the spam team provided a breakdown of the top 10 spam-sending countries for Q2 and you can see a graphical view of that at right (click the image for a larger view).

This data, compiled from spam messages that hit Proofpoint's spam "honeypots" (email addresses and email servers that attract and collect spam email messages), shows that the US was the top spam sending nation during the second quarter. Brazil and India took the #2 and #3 positions—unsurprisingly as the recently released Proofpoint/Commtouch Q2 Internet Threats Trend Report showed those two nations as the top hotspots for botnet infestation.

Another interesting trend observed during Q2 is that, in general, malicious email messages continued to become more difficult to detect—that is, spammers continued to innovate and use more complex obfuscation techniques. The percentage of messages containing an obvious spam URL destination, for example, fell by more than half. Similarly, image-based spam messages declined by more than a third and messages with virus-infected attachments fell by more than a quarter.

Since overall spam levels didn't decline during the quarter, what's taking the place of those easier-to-detect spam messages?

Proofpoint anti-spam engineer Scott Panzer tells me that "spoof" messages (the type commonly used in phishing attacks) have been generally on the rise and that Proofpoint's anti-spam technology catches these using more predictive approaches. (For a great deal of information on the unique, machine learning techniques that Proofpoint uses to stop spam, see our whitepaper about Proofpoint MLX.)

Proofpoint customers weren't affected by the increasing complexity of spam messages during the quarter, however, as Proofpoint's anti-spam effectiveness actually increased from an average of 99.93% during Q1 to 99.94% during Q2. As noted in Gartner's latest Magic Quadrant for Secure Email Gateways, Proofpoint is one of the few email security vendors that publicly publishes its ongoing anti-spam effectiveness. You can view Proofpoint's spam detection accuracy for the last 190 days by visiting:

http://www.proofpoint.com/products/livespamstats.php

May 19, 2010

Email Security Trends, UK: Results from Proofpoint Survey at Infosecurity Europe 2010 (with Videos)

Proofpoint exhibited recently at the 2010 Infosecurity Europe show, held in London, and as we did at the 2010 RSA conference, we conducted an electronic survey about email trends that 140 attendees (81% of them with IT, security or messaging titles and the balance with analyst/legal/compliance or non-IT titles) took the time to fill out.

Among the findings:

43% of respondents said they are "very concerned" about inadvertent leakage of private or personal information from their organizations via email. Fully half said they are "somewhat concerned" about this issue. Just 7% claim that they are "not concerned" about these sorts of data leaks.

That concern is well justified since nearly two-thirds (64%) of respondents said that their organizations are subject to data protection regulations that require certain types of email to be encrypted or handled with particular care, because they contain private or confidential email. Only 25% said their organizations were not subject to such data protection regulations.

In this short video, several attendees discuss the various regulations (such as the UK's Data Protection Act, PCI-DSS, etc.) that apply to their company's use of email:
 


The trend toward increasing the security around private data is something we've reported on quite frequently here in the blog and the growing awareness of data loss issues is reflected in some of our other survey findings. For example, 94% of respondents who have a corporate laptop said that it was password protected and more than half (58%) said that their corporate laptop used full disk encryption.

In addition, nearly half of respondents (49%) said their organization had already deployed an email encryption solution. Another 21% said that their organization intends to deploy an email encryption solution in the future.

On the topic of inbound email security, 40% of respondents said their organizations had been the target of a "spear phishing" attack in the past 12 months. That is, they were targeted by a phishing email designed specifically to compromise their own email users. (Our survey from RSA, where most respondents were US-based, found that nearly half of respondents believed their organizations had been the target of a spear phishing attack in the last 12 months.)

35% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 26% cited cost. 20% said that "ease of administration" was the most important factor. 8% cited available deployment method (e.g., SaaS vs. appliance) and 4% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.

Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (48% and 21%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:

  • 17% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
  • 9% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (As I mentioned in my post on RSA survey findings, I still fall into this camp!)
  • Just 2% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.

In the following video, attendees on the Infosecurity Europe show floor discuss their top email annoyances:


 

May 11, 2010

Email Security Trends Report, Q1 2010 from Proofpoint and Commtouch

Something I've been meaning to post for a while but hadn't had the chance... The latest Internet Threats Trend Report from Proofpoint and our partner Commtouch is now available.

As usual, this Q1 2010 version reviews the latest spam techniques, spam trends, spam topics and spam sources. Highlights in this latest edition include:

A SpamAssassin bug caused numerous false positives for users of open source email security... The latest spam template techniques being used by spammers... CNN redirect exploited to send work-at-home scam emails... An analysis of how much spam comes from gmail.com... Rises in spam, zombie trends, malware variants, the "hottest" spam topics... and much more.

Visit the following link to download a free copy of this email security report:

Free Report: Internet Threats Trend Report, Q1 2010

April 29, 2010

Gartner, Inc. Positions Proofpoint in the Leaders Quadrant in 2010 Secure Email Gateways Magic Quadrant

As we announced in a press release this morning (see "Proofpoint Positioned in the 'Leaders' Quadrant in 2010 Secure Email Gateways Magic Quadrant"), Proofpoint has been positioned by Gartner, Inc. in the leaders quadrant of the 2010 "Magic Quadrant for Secure E-mail Gateways" report.

Proofpoint has licensed a reprint of this new Gartner Magic Quadrant report and you can read it by visiting the following URL:

http://www.proofpoint.com/email-security-magic-quadrant

Proofpoint CEO Gary Steele says, “We believe Proofpoint’s positioning in the leaders quadrant by Gartner is a great confirmation of our continued success in helping global enterprises take control of email risks. Our continued innovation and unique focus on email security, encryption, data loss prevention and email archiving—combined with the ability to deliver those solutions in all of the popular form factors including SaaS, appliance or hybrid deployments—makes Proofpoint the ideal choice for organizations that want to reduce costs while making email more secure, compliant and easier to manage.”

Writing in the “Magic Quadrant for Secure E-mail Gateways,” (previously known as the “Magic Quadrant for Email Security Boundaries”) Gartner analysts Peter Firstbrook and Eric Ouellet note that the email security market is “defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against inbound and outbound e-mail threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of appliances or software that goes on customer premises, hosted solutions that reside in solution providers' data centers, or multitenancy SecaaS that exists in multiple data centers around the globe.”

Gartner also says that, “The e-mail security market is very mature. Targeted phishing detection, outbound e-mail inspection, encryption and delivery form factor are the major differentiators.”

 

April 27, 2010

Infosecurity Europe: New Products, New Partnership... Win an iPad at Stand L90!

If that darn volcano hasn't interfered with your travel plans and you're in London for this week's Infosecurity Europe 2010 show, do make sure you visit Proofpoint at stand L90 to learn about our latest SaaS solutions for email security, data loss prevention, email encryption and email archiving.

In an announcement we issued yesterday, Proofpoint introduced its Proofpoint 6.1 platform (which powers our flagship Proofpoint ENTERPRISE email security solution) to the European market. New features include multi-protocol (email and Web) DLP capabilities, a new data loss prevention dashboard, an Outlook plug-in for easier access to on-demand email encryption (via Proofpoint Encryption) and other security and performance enhancements. You can read all about it (in English) at the following URL:

http://www.proofpoint.com/InfoSecurity2010News

That release is also available in French and German, as well.

Now today, we've announced a new partnership with Titus Labs, a company that provides email classification and document classification solutions. I have to admit that, before we started working with Titus Labs, I didn't know much about issues such as email classification, protective markings and such, but it turns out that there are a wide variety of regulations that government organizations and other types of enterprises need to comply with that involve the proper classification and marking of both communications (such as email) and documents themselves.

Titus makes some really great solutions in this area and, as you might imagine, there are some terrific synergies between solutions like this and data loss prevention, email encryption and archiving. For example, our press release today describes a couple of use cases:

Titus Labs Message Classification and Document Classification products are widely used by government, military and commercial organizations to classify and protectively mark Microsoft Outlook messages and Office documents. Explicit visual labels and corresponding metadata properties that are applied to email messages and their attachments by Titus Labs solutions can automatically trigger a wide variety of policy enforcement, data loss prevention, encryption and archiving policies applied by Proofpoint solutions.

For example, using Proofpoint ENTERPRISE™ Privacy, protectively marked emails and documents can be automatically encrypted, blocked or quarantined for further review before transmission via email, depending upon what labels have been applied. Similarly, different data retention periods can be enforced based on the classification of a message or its attachments (using Proofpoint ARCHIVE™).

Applications include compliance with a wide variety of regulations including the UK’s GPMS (Government Protective Marking Scheme) and Data Protection Act, the Australian E-Protective Marking standard, ITAR (International Traffic in Arms Regulations), HIPAA and other healthcare privacy rules and GLBA, PCI-DSS and other financial data privacy regulations. 

You can learn more about this partnership by reading our full press release, Titus Labs and Proofpoint Partner to Deliver Interoperable Email Classification, Email Security and DLP Solutions to Enterprise and Government Customers Worldwide. Or, better yet, visit our stands at the Infosecurity Europe exhibition, in London’s Earls Court stand L90 (for Proofpoint) or stand J30 (for Titus Labs).

This is a really interesting new area and Titus Labs will be joining us for an upcoming webinar to explain how their solution works and the benefits of using email classification and email security technology together to better protect data.

When you visit Proofpoint's booth, you can also be entered to win an Apple iPad, just by taking our Infosecurity Europe email security trends survey. We have a couple of the new tablet computers on hand that you can use to take our short survey about email security trends in Europe and one lucky respondent will get to take one home! 

April 06, 2010

Spam Sighting: Multi-lingual Money Mule (Employment Scam) Spam Campaign

The spam spotters over in the Proofpoint Attack Response Center pointed out an interesting multi-lingual spam campaign that showed up late last week.

This spam campaign, which is essentially recruiting "money mules" (see this previous blog post for more about how money mule scams operate) demonstrates the international flavor of today's spam campaigns. In this case, a scam that may originate in Moscow is propagated using both English and Spanish language spam messages.

The PARC team says that it saw a large number of these messages in English, with many different variations (click image above for a full-size sample). The same campaign was also distributed in Spanish (click image below for a full-size sample), but seen in much lower volume and with fewer variations.

The two language variations share some commonalities that illustrate the highly-randomized nature of today's spam campaigns, including:

  • Both used a varying set of phrases, randomized salary amounts and respond-to email addresses.
  • The domain of the respond-to address did not vary in each campaign.
  • The domain was bogus (no website) and registered to the same person in Moscow.
  • The nameserver for the domain was nameself.com, a known spammer-abused service.
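One way to act on these commonalities, as an added example (not Proofpoint's code or detection method): group messages by the domain of the contact address, the one field the campaign did not randomize, and mask the randomized salary amounts and addresses before comparing bodies. The messages, addresses, the `mule-jobs.example` domain and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string

ADDR_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
AMOUNT_RE = re.compile(r"\d[\d.,]*\s*euros?", re.IGNORECASE)

# Constructed sample messages; every name and domain here is made up
# (.example is a reserved TLD), modelled on the variation the post describes.
RAW_MESSAGES = [
    "Subject: Welcoming speech\n\nWe are looking for staff in United States at the moment:\n"
    "- salary 2.600 euro + bonus\nPlease inform us the following: anna.hr@mule-jobs.example\n",
    "Subject: Welcoming speech\n\nWe are looking for staff in United States at the moment:\n"
    "- salary 3.150 euro + bonus\nPlease inform us the following: hr.desk7@mule-jobs.example\n",
    "Subject: Vacancy\n\nOur company is hiring in United States now:\n"
    "- salary 2.900 euro + bonus\nSend your details to: manager.k@mule-jobs.example\n",
    "Subject: Trabajo\n\nRemuneracion mensual es de 2,463 euros! "
    "Mande sus datos a la direccion: rrhh.es@mule-jobs.example\n",
    "Subject: Weekly deals\nReply-To: news@shop.example\n\n"
    "This week only: headphones for 49 euros.\n",
]


def skeleton(body):
    """Mask addresses and salary amounts so that variants differing only in
    those randomized fields reduce to the same string."""
    body = ADDR_RE.sub("<ADDR>", body)
    body = AMOUNT_RE.sub("<AMOUNT>", body)
    return " ".join(body.lower().split())


def cluster_by_contact_domain(raw_messages):
    """Group messages by the domain of any address in Reply-To or the body."""
    clusters = defaultdict(
        lambda: {"messages": 0, "local_parts": set(), "skeletons": set()}
    )
    for raw in raw_messages:
        msg = message_from_string(raw)
        body = msg.get_payload()
        text = (msg.get("Reply-To") or "") + "\n" + body
        counted = set()
        for local, domain in ADDR_RE.findall(text):
            domain = domain.lower()
            cluster = clusters[domain]
            cluster["local_parts"].add(local.lower())
            cluster["skeletons"].add(skeleton(body))
            if domain not in counted:  # count each message once per domain
                cluster["messages"] += 1
                counted.add(domain)
    return clusters


def suspected_campaigns(clusters, min_messages=3, min_local_parts=3):
    """Domains that many messages point at while the local part keeps
    rotating: the fixed-domain, randomized-address pattern from the list."""
    return sorted(
        domain
        for domain, c in clusters.items()
        if c["messages"] >= min_messages and len(c["local_parts"]) >= min_local_parts
    )


if __name__ == "__main__":
    found = cluster_by_contact_domain(RAW_MESSAGES)
    for domain in suspected_campaigns(found):
        c = found[domain]
        print(domain, c["messages"], "messages,", len(c["local_parts"]),
              "contact addresses,", len(c["skeletons"]), "body templates")
```

The English and Spanish variants land in one cluster because they share the contact domain, even though their bodies have nothing else in common.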

Here's an example of the text of one of the English language messages (note that it's slightly different from the image sample above):

Welcoming speech
I am a representative of the HR department of a large international company. Our enterprise is connected with a great number of various activities, like:
- real estate
- companies setting-up and winding-up
- bank accounts opening and maintenance
- logistics
- private undertaking services
- etc.

We are looking for staff in United States at the moment:
- salary 2.600 euro + bonus
- 1-2 working hours per day
- flextime
If you have a wish to become a part of our team, please inform us the following: [contact address redacted]
Name:
Surname:
Country:
E-mail:
Mobile phone-number:

We are looking for the people who have a right to work in United States

Please mention your name and write the phone number. Our manager will contact you to fix an interview.

And here is one of the Spanish language variations:

!Que tengalas muy buenas!

Actualmente estamos en busca de los coadjutores residentes de Espana. !Remuneracion mensual es de 2,463 euros!

Cuando esta posibilidad de trabajo le interese, le solicitamos nos mande sus datos sobre el nombre,
edad, domicilio y telefono de contacto a la direccion: [contact address redacted]

En caso de recibir este mensaje por un error, disculpenos.

---

If you'd like to learn more about the latest spam techniques, check out Proofpoint's upcoming email security webinar and our recently updated anti-spam whitepaper at the links below.

Register for Proofpoint's April 21st email security webinar:

Control Tomorrow's Spam Risks Today - Using Machine Learning to Beat Spam

Download Proofpoint's updated anti-spam technology whitepaper:

Proofpoint MLX: Machine Learning to Beat Spam

March 31, 2010

Video: Customer Lake Michigan Financial Corporation on Using Proofpoint for Email Security, Email Encryption and GLBA Compliance


Earlier this month, we held our annual customer "Inner Circle" events in New York and San Francisco, which was a great opportunity to sit down with Proofpoint customers and talk about how they use the product. Assistant vice president and IT manager John Vander Velde of Lake Michigan Financial Corporation graciously agreed to chat with me about how his organization uses Proofpoint to secure both inbound and outbound email.

Lake Michigan Financial Corporation has been a Proofpoint customer for several years now and have, over time, adopted more and more of Proofpoint's email security product suite (see our 2007 press release about Proofpoint and Lake Michigan Financial Corp).

In this video, John talks about how his organization uses Proofpoint for inbound email protection (anti-spam, anti-virus) as well as outbound data loss prevention and email encryption, to ensure the safety of account holder data as well as compliance with data protection regulations such as Gramm-Leach-Bliley (GLBA).

John talks with me about how LMFC selected Proofpoint, some of the policy issues involved in outbound email compliance, consolidating email security functionality onto a single platform and how the rise in spear phishing activity is once again making end-user education an important part of his overall approach to IT security.

March 30, 2010

Live Webinar: Control Tomorrow's Spam Risks Today - Using Machine Learning to Beat Spam

Proofpoint's live email security web seminar series continues in April with "Control Tomorrow's Spam Risks Today."

Join Proofpoint spam expert Nithin Rao and Proofpoint machine learning scientist Vipul Sharma (see also my previous post with a video featuring Vipul) for a look at the latest spam techniques, targeted attacks, threats from social media and the growing need for outbound spam protection.

Vipul will explain the basics of machine learning and will discuss how Proofpoint applies these advanced statistical techniques to the problem of fighting spam.

As always, your questions will be answered during the live Q&A session. And, if you can't make it to the live event, remember that registered attendees will receive a link to the replay as soon as it's available.

Register now for this web seminar, being held at 11:00 a.m. PT / 2:00 p.m. ET on Wednesday, April 21, 2010. Click the link below for the registration page:

Register for Proofpoint's webinar:
Control Tomorrow's Spam Risks Today - Using Machine Learning to Beat Spam
