Often in the media you will see statistics from security vendors that state that spam makes up over 90% of all email sent over the internet these days. To some people that sounds like an unrealistic number. I received about 30 emails at work today, does that mean another 270 spam emails were sent my way as well? Well according to the statistics, yes it does.
While I was performing some maintenance checks on a customer I decided to see if their statistics matched up with what is quoted in the press. As it turns out they are right on target for the amount of spam that they receive. In the reporting period that I checked about 21,000 emails had been processed, over 19,000 of which were detected as spam. That’s around 92% spam for this small business.
But the more interesting statistic was the breakdown of overall threats. Of the over 19,000 emails blocked only 3 were blocked for containing viruses. It would appear, at least for this customer, that email-borne viruses are not much of a problem these days.
This is in stark contrast to the early days of my career in IT, going back more than 10 years now to March 1999 when the Melissa virus struck and took down email systems across the world. This simple Word macro virus was the first in a wave of serious viruses that could spread using email. Virus infections were visibly destructive, trashing files and computers that they came in contact with. Email viruses were seen as one of the biggest threats to IT systems and were the topic of many mainstream media stories.
At the time spam was relatively non-existent, for a few simple reasons – home internet access was slow and uncommon (especially in countries well known as spam havens today), and online commerce was nearly non-existent. Amazon and eBay had launched in the mid-1990s and online banking had also emerged but they were far from mainstream. Malicious email was the domain of people who wanted to cause mischief or make a statement; it was not seen as a way to make a lot of money with fraud and scams.Fast forward to today and the situation is completely reversed. Email is being used by spammers worldwide to steal banking and credit card details, push fake goods onto unsuspecting buyers, and trick people into sending money to African princes.
Meanwhile virus writers are less interested in causing destruction and more interested in cashing in on their clever coding skills. Rather than write a program that will destroy a computer’s files, they write a sneaky little application that will run quietly and log the victim’s keystrokes in the hope that they will collect passwords or credit card details, or turn the computer into a spambot that they can then sell control of to spammers.
And they don’t waste a lot of time trying to email these malicious programs to people, too many email systems are protected from viruses these days (although sadly not as many from spam). Instead they use other attack vectors such as web browser vulnerabilities to create popups that trick people into downloading fake antivirus software. Or they will use social networks to promote malware as some cool new game people can play for free, often capitalizing on a recent fad or trend to hook more victims (e.g. check out this Kanye West screensaver!).
The days of Melissa-like email viruses may be behind us forever. The security threat landscape has shifted towards spam, phishing and identity theft now. Protecting businesses is now much more than just blocking the bad guys at the email server.