Location Based Spam

Location based spam is the latest technique being used by “bad guys” to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message. This new methodology is the next salvo in the spam arms race, but is really just an extension of the “social engineering” threat vector that has become so popular and effective in the last 3 years.

Here is how this works…

Thanks to IP address based geolocation (see http://en.wikipedia.org/wiki/Geolocation_software), it is a trivial exercise for a bad guy to determine, with a surprisingly high degree of accuracy, the physical location where a company or organization’s email server is hosted. With this information in hand, the spammer has enough information to design a targeted attack.

For example:

Let’s assume you work for Google. Using a simple IP check, the spammer can determine that one of Google’s email servers has the IP address 74.125.67.100. Thanks to IP based geolocation (http://www.ip2location.com/free.asp), the location of this IP address can easily be determined to be in Mountain View, CA.

Using this data, the spammer will then query the website of a local newspaper, in this case the San Jose Mercury News, and will pick a local “hot topic” headline to be used as the subject for the message.

Finally, the spammer will extract actual content from the news story and insert it into the spam message, along with links that appear to provide the recipient with more information about the topic but actually lead to dangerous, threat-laden web sites. Unfortunately, social-engineered attacks, specifically those using location, are proving to be highly effective at soliciting the all-important “click” from the unsuspecting victim.
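The pattern described above has a recognisable fingerprint on the receiving side: the headline and article text are genuine, but the “more information” links leave the publisher’s site. The following is an added defender-side example (it is not Sendio’s code and not part of the original post). It parses an HTML message body, collects every link, and flags anchors whose visible text names one site while the href goes to another, as well as messages in which no link returns to the publisher the message claims to quote. The publisher domain and the two sample message bodies are constructed assumptions for the demonstration.

```python
"""Added example: heuristic check for location-based spam bodies.

Assumptions (not from the original post): the claimed publisher is passed in
as a hostname, and the sample bodies below are constructed, not real mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that itself looks like a URL or a bare hostname.
_LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = _LinkCollector()
    parser.feed(html_body)
    return parser.links


def host_of(url):
    """Hostname of a URL; a bare 'www.example.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    netloc = urlparse(url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":")[0]  # drop userinfo and port


def same_site(a, b):
    """Treat 'www.example.com' and 'example.com' as one site."""
    strip = lambda h: h[4:] if h.startswith("www.") else h
    return strip(a) == strip(b)


def analyze_links(html_body, claimed_source_host):
    """Return findings as (kind, href, anchor_text) tuples."""
    findings = []
    for href, text in extract_links(html_body):
        href_host = host_of(href)
        if _LOOKS_LIKE_HOST.match(text) and not same_site(host_of(text), href_host):
            # Visible text names the publisher, the href goes somewhere else.
            findings.append(("text_href_mismatch", href, text))
        elif not same_site(href_host, claimed_source_host):
            findings.append(("offsite_link", href, text))
    return findings


def is_suspicious(html_body, claimed_source_host):
    """True if any anchor misrepresents its target, or if every link leaves
    the publisher the message claims to quote."""
    links = extract_links(html_body)
    kinds = [k for k, _, _ in analyze_links(html_body, claimed_source_host)]
    if "text_href_mismatch" in kinds:
        return True
    return bool(links) and kinds.count("offsite_link") == len(links)


# Constructed sample bodies (hypothetical, not captured messages).
SAMPLE_SPAM = """<html><body>
<p>MOUNTAIN VIEW - City council approves light-rail extension (excerpt of a
genuine local story pasted in by the sender).</p>
<p>Read the full story at
<a href="http://news-update.example.net/story?id=42">www.mercurynews.com</a></p>
<p><a href="http://news-update.example.net/more">More local headlines</a></p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>Your daily headlines.</p>
<p><a href="http://www.mercurynews.com/local/story-42">City council approves
light-rail extension</a></p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(body, "mercurynews.com"),
              analyze_links(body, "mercurynews.com"))
```

The claimed publisher would in practice be derived from the message itself (the quoted masthead or the “From” display name); the heuristic is deliberately conservative, so a message whose links genuinely return to the publisher is not flagged.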

At Sendio we have seen all types of social engineering based attacks increasing steadily. While it is difficult to determine exact figures, our best estimates place social-engineered location-based attacks between 10% and 30% of all unsolicited email.

What effect did the November 2008 “McColo” shutdown have on spam (http://www.securityfocus.com/brief/855)?

The McColo shutdown had a measurable impact, but Sendio’s customers, the vast majority of whom are small, medium and large enterprises, did not see anywhere near as dramatic a change as the major free email providers (Gmail, Yahoo, AOL, MSN, etc.). The levels of spam/UCE have, based on our estimates, moved beyond the level seen immediately prior to the McColo shutdown.

As we have seen over the course of the last 6+ years, the bad guys are extremely well organized, motivated, and appear to be well funded. Unfortunately, thanks to the reactive nature of the current status quo spam countermeasures, the arms race continues in favor of the bad guys.