The truth is out there
Posted on 11 May 2007 at 11:57
Davey Winder searches for aliens in the enterprise while wondering whether anyone's listening when it comes to the AUP debate.
Not all Joe Jobs use spam as the weapon. I've seen examples of seemingly legitimate messages being sent to thousands of users through a BCC list that contained intimate (and false) details. This can be particularly nasty, since it adds yet another level of reputation damage to the process. Not all Joe Jobs are sent as email spam; the original attack was mounted via web-based forums, for example, and IM has been known to suffer as well. The one thing all Joe Job attacks have in common is that they're vengeful in nature, designed from the outset to cause problems, to defame an individual, company or political cause and, ultimately, to harm someone's reputation at a personal or business brand level. The point is that everyone hates spam, and very few people are prepared to look further than their indignation on receiving such messages.
These days, effective spam filtering within a maturing anti-spam industry has meant that traditional Joe Jobbing has become less prevalent, and messages are now far more likely to contain inflammatory opinions and references to offensive and illegal sexual practices such as paedophilia in order to have the desired effect. That effect can be devastating - beyond the personal insult or reputation damage, there are matters such as bandwidth cost, loss of service and perhaps even police investigations if people are sufficiently taken in by the message content to report you as the perpetrator.
That's why I was alarmed to hear from my friends at the security vendor Sophos (www.sophos.com) about a new twist on this old attack route. Sophos reckons it's uncovered evidence that spammers are now using Joe Job techniques to evade spam filters when sending online pharmacy marketing messages. This isn't altogether surprising when you realise that anti-spam technology has matured enough to be able to detect most of the Viagra/Cialis/Anatrim genre of spam, using more than just keyword analysis or Boolean maths. One of the problems facing the spammers is that the URLs of online pharmacy sites quickly become known and are consequently blocked, and if the messages don't get through and the pharmacy doesn't see the sales, the spammer will lose its trade and income. The spam business is hugely competitive and still relatively open (although growing criminal control over the industry is changing that free enterprise dynamic).
This new wave of attacks solves some of the spam-filter problems by directing users to legitimate websites instead of the actual pharmacy ones. The operators of these sites, more often than not small businesses or individuals, are unaware that their servers have even been hacked, let alone that they're redirecting spam traffic in this way. Sophos tells me that all the compromised sites have one thing in common: they all employ PHP scripts. PHP has suffered some notorious security holes in the past, which are still visible due to the huge numbers of users who never apply upgrade patches to close them.
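For a webmaster who wants to check their own site for this kind of hijack, the sketch below (an added example, not from Sophos or the original column) walks a web root and reports PHP files that redirect visitors to a host outside the site's own. The column doesn't say how the redirects are implemented, so the two patterns matched (a PHP `Location` header and an HTML meta refresh), the function names and the sample site are all assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed redirect forms: PHP header("Location: ...") and an HTML meta refresh.
REDIRECT_RE = re.compile(
    r"""(?:header\s*\(\s*['"]Location:\s*|http-equiv=['"]?refresh['"]?[^>]*url=)"""
    r"""(?P<url>https?://[^'"\s>]+)""",
    re.IGNORECASE,
)

def offsite_redirects(webroot, own_hosts):
    """Return sorted (relative_path, line_no, host) for redirects leaving own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for path in Path(webroot).rglob("*.php"):
        text = path.read_text(errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in REDIRECT_RE.finditer(line):
                host = (urlparse(m.group("url")).hostname or "").lower()
                if host and host not in own:
                    findings.append((str(path.relative_to(webroot)), line_no, host))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample web root: two legitimate scripts, one planted redirector."""
    root = Path(root)
    (root / "images").mkdir()
    (root / "index.php").write_text("<?php echo 'Welcome'; ?>\n")
    # A redirect to the site's own host is normal and must not be flagged.
    (root / "login.php").write_text(
        "<?php\nheader('Location: https://www.example.org/account');\n"
    )
    # A script in an unexpected directory that sends visitors elsewhere.
    (root / "images" / "x.php").write_text(
        "<?php\n// planted\nheader(\"Location: http://pharmacy.example.net/?id=7\");\n"
    )
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        for rel, line_no, host in offsite_redirects(site, {"www.example.org"}):
            print(f"{rel}:{line_no}: redirects off-site to {host}")
```

A clean result only rules out these two plain-text forms; obfuscated or database-driven redirects need a file-integrity comparison against a known-good copy of the site.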
As with the Joe Jobbing attacks of old, it's the innocent victim who stands to lose here. Although there's no malicious intent - merely a desire to stay one step ahead of the anti-spam industry and law enforcement - the webmaster of a hijacked site can lose their reputation and, worse still, there are associated increases in hosting charges if bandwidth exceeds preset limits because of all that additional spam traffic. There may even be legal ramifications if someone is ripped off by an online pharmacy, but sues your hijacked site as being involved in the supply chain. In fact, being ripped off is the least of your worries if you're buying prescription drugs online by the cheapest route, especially if it was spam that brought it to your attention. Would you buy heart pills from a door-to-door salesman? Of course not, but somehow if that salesman is online the internet provides a cloak of legitimacy that kicks common sense out of the window.

