Permit/Deny Ziff Davis Enterprise
Thursday, July 19, 2007 5:41 PM/EST

PDF Files Laced with Spam

MX Logic has reported a 25 percent increase in spam volume, in particular spam that uses text in PDF attachments. According to Sam Masiello, director of threat research for MX Logic, tainted PDF documents are the evolutionary next step for image-based spam. The reason: The converters needed to open the PDF document in order to use OCR technology to scan the document and check for spam aren't yet widely used in anti-spam tools.

Masiello thinks that will change and so do I. This latest tactic--using text in PDF document attachments--will likely be curtailed soon as anti-spam and mail security tools spin up PDF converters and start running filters over the contained images and text.

However, social engineering and the PDF's reputation as a trusted information source are likely big reasons why spammers are using the file format. In my experience, subject lines and file attachments that resemble the subjects and files I use in my daily work life are much more likely to get me to click "open."

This doesn't always work. E-mail messages addressed to me that are supposedly from coworkers who long ago stopped working at Ziff Davis immediately get zapped when I'm going through my inbox. The same goes for e-mail that claims to be coming from me. But a message with a terse note from my editor with a PDF attachment? Yeah, I'd likely open that message. The reason: I trust PDFs because, in the past, PDF files sent to me have always contained information that I needed. (For one thing, page proofs for the print version of eWEEK magazine are sometimes sent to me in PDF format.)

When I asked Masiello to speculate about the next step for PDF spam, he said that after .zip attachments to mail messages lost their appeal because of user training, password-protected .zip attachments--where the password was included in the mail message, usually with the advice to use the enclosed password to open the supposedly encrypted .zip file--became all the rage. Maybe we'll see password-protected PDFs next. I'd hate to see the day, however, when I stop opening PDFs attached to mail messages the way I stopped opening .zip files.
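The filtering step described above (opening a PDF attachment to scan its text, plus the password-protected case Masiello speculates about), as an added example that is not from the article or from MX Logic. The keyword list, verdict names and sample PDF fragments are constructed assumptions, and only FlateDecode streams with literal Tj/TJ strings are handled.

```python
import re
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

SPAM_TERMS = ("strong buy", "buy now")  # hypothetical keyword list
STRING = rb"\(((?:\\.|[^\\)])*)\)"      # PDF literal string

def pdf_text(pdf: bytes) -> str:
    """Text shown by Tj/TJ operators in the PDF's content streams."""
    shown = []
    for stream in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = stream.group(1)
        try:  # FlateDecode only; anything else is scanned as raw bytes
            data = zlib.decompressobj().decompress(data)
        except zlib.error:
            pass
        for op in re.finditer(rb"\[(.*?)\]\s*TJ|" + STRING + rb"\s*Tj", data, re.S):
            one = op.group(2)  # single Tj string, or None for a TJ array
            shown.append(one if one is not None else b"".join(re.findall(STRING, op.group(1))))
    return b" ".join(shown).decode("latin-1")

def triage(raw_message: bytes) -> list:
    """One (filename, verdict) pair per PDF attachment in a raw message."""
    verdicts = []
    for part in message_from_bytes(raw_message, policy=policy.default).iter_attachments():
        body = part.get_payload(decode=True) or b""
        if not body.startswith(b"%PDF-"):  # magic bytes, not the MIME label
            continue
        text = pdf_text(body).lower()
        verdict = "pass"
        if b"/Encrypt" in body:
            verdict = "encrypted"  # unreadable without the password
        elif any(term in text for term in SPAM_TERMS):
            verdict = "spam-text"
        elif not text.strip() and re.search(rb"/Subtype\s*/Image", body):
            verdict = "needs-ocr"  # picture of text, nothing extractable
        verdicts.append((part.get_filename(), verdict))
    return verdicts

def sample_message(name: str, pdf: bytes) -> bytes:  # constructed test message
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()

# Constructed PDF fragments: enough structure for the scanner, not full files
TEXT_PDF = b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(
    b"BT /F1 12 Tf (STRONG BUY: ticker XYZ) Tj ET") + b"\nendstream\nendobj\n%%EOF\n"
IMAGE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Subtype /Image >>\nstream\n\xff\xd8\xff\nendstream\n%%EOF\n"
LOCKED_PDF = b"%PDF-1.4\ntrailer\n<< /Encrypt 5 0 R >>\n%%EOF\n"
```

The "needs-ocr" and "encrypted" verdicts mark the attachments a text filter alone cannot judge, which is the gap the article describes.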


Comments (3)

The comparisons to ZIPs are interesting because they refer to malware, not spam. PDF-based malware is not an unreasonable thing to expect; there are plenty of vulnerabilities in old versions that a PDF could exploit. But as a substitute for image spam, PDFs stink, because everyone sees the inline image, but only some percentage of users will open the PDF attachment.

Sam Masiello:

Larry,

I completely agree with you that PDFs are certainly not the most effective transmission vehicle, but at least for the short term it is getting into the inbox. At the end of the day, deliverability = profitability for the spammers so they'll latch onto whatever works. The social engineering aspect will continue to evolve also.

Both the technique and the technology for this new type of spam are still pretty nascent. As we saw with image spam, we can certainly expect to see the tactic continue to evolve over the next 6-12 months.

The thing about spam that uses graphics is that the security vendors have figured out how to scan for them. Hence the evolution to PDFs and other file formats, like Excel. Like Cameron said, PDF scanning isn't quite up to snuff yet, hence its attractiveness as the next spam vector.
