May 06, 2009, 1:33 PM — Spammers have turned back the clock and are recycling a years-old tactic by planting their messages in images, a security researcher warned Wednesday.
Image spam, which hit a peak in late 2006 and early 2007, has made a comeback, said Holly Stewart, the threat response manager of IBM Internet Security System's X-Force team. After barely registering during most of 2008, image-based spam accounted for about 25% of all spam by the end of last month.
"They're doing the same kind of image-based spam as in 2006 and 2007," said Stewart. "It's very surprising."
It's surprising because spammers that rely on technological trickery rarely return to an older tactic once anti-spam vendors have figured out how to detect the junk mail. "But what they're doing now is exactly what they were doing before," added Stewart.
When spammers first started using images rather than text, they were successful at slipping their pitches through filters, which were designed only to parse text and look for such things as links. Their success led to an explosion in image-based spam, with spammers and security firms playing a cat-and-mouse game for months.
The only real difference this time around, Stewart said, is the sales pitch. "Most image spam was stock 'pump-and-dump,' but now the focus is on drugs and pills, something to make you feel better in hard times," said Stewart, who credited the change to the recession and the poor performance -- and even harsher perception -- of Wall Street.
Also odd, she continued, is that few of the messages included ready-to-click links. Instead, the images contain a URL that the user must laboriously type in manually.
Spammers conducted an image spam test run in March, according to X-Force's data, which showed a spike in the tactic from about March 19 to April 9. The test was obviously successful, Stewart said, because after a short period when the tactic disappeared entirely, it roared back with a vengeance on April 21.
"Actually, it's pretty incredible that this could be successful again," Stewart said, noting that most anti-spam filters should block the mail, unless the vendor, perhaps for performance reasons, had ditched them when image-based spam vanished last year.
The return of image spam could be the first resurrection of other once-popular tactics, she warned. "We may see others come back," Stewart said, and ticked off MP3 spam -- mail that replaced text with an audio clip -- and PDF-based spam. Both were popular in 2006 and 2007 for junk stock pushers.
Of the discarded tactics, Stewart selected PDF spam as the one most likely to reappear. "It was short-lived [before], but if I had to pick, I would point to the PDF vector," she said, noting that rigged PDFs exploiting Adobe bugs have been on a tear of late.
