Spam. Picture: ISTOCK
Spammers are adopting a novel kind of small-batch approach in the hopes of breaking through junk-mail blocking software. Picture: ISTOCK

WHEN a group of hackers sought to steal iTunes passwords from Apple customers in France, they did not spam the entire country. They sent out just 5,000 e-mails to French-speaking targets containing links to a fake login page.

The attack, which took place in October, was a success, at least by spamming standards. Most of the e-mails found their way to their intended recipients’ in-boxes, a rare occurrence with today’s sophisticated spam filters. Agari Data, acyber-security company that tracked the incident, says more spammers are adopting this kind of small-batch approach in the hopes of breaking through junk-mail blocking software.

As anyone with a G-mail or Yahoo account knows, spam e-mail is mostly relegated to a folder you probably never check. Unlike the old days of the internet, inboxes are no longer clogged with poorly worded come-ons for Viagra pills and Nigerian banking scams. Modern antispam filters block more than 99.99% of junk messages.

Spam is still a big business. Unsolicited junk mail accounts for 86% of the world’s e-mail traffic, with about 400-billion spam messages sent a day, according to Talos, a digital threat research division of Cisco Systems. While the vast majority will never see the inside of an inbox, the few that do worked hard to get there.

"Spammers are getting much more focused, much more targeted, and this shows that they are getting more concerned about quality," says Vidur Apparao, Agari’s chief technology officer.

In the French iTunes case, attackers were able to operate their e-mail scam for eight hours before automated filters began to catch on, Agari says. They used e-mail accounts hosted through a small Belgian cloud company that was not a known offender on global threat lists.

Attackers frequently use small hosting providers to execute their schemes because the companies often lack checks in place to catch fraudulent users, unlike, say, or Google, says Apparao.

His company isn’t able to determine whether users clicked links contained in the e-mails, or how many were tricked into giving away passwords. This increasingly popular technique is known in the industry as "snowshoe" spam. (The name refers to the small footprints it leaves.)

It differs from the more commonly known spear-phishing attacks, which target specific, often important people with personalised messages sent one by one.

Craig Williams, a senior manager atTalos, says the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15% of all junk messages distributed globally.

Snowshoe attacks continue to cause "severe" problems for spam filters, Cisco says. It’s one of many vexing problems for the industry. Global spending on cyber-security technology is projected to have surpassed a record $83.6bn last year, according to an estimate by researcher Gartner.

A separate attack, also in October, involved 169 e-mails targeting Italian PayPal users, Agari says. The messages came from a data-hosting company in France that hadn’t been included on major blacklists before the attack. These e-mails, like most effective spam, didn’t include attachments, which can be quickly scanned and flagged as malicious. Because web links take longer to crawl, many filters don’t bother.

As artisanal spam becomes a bigger problem, the cyber-security industry is pushing for adoption of new protections that could save inboxes. One, called DMARC, is a global registry that letsretailers and other companies register the servers they use to send the kind of mass mailers some people enjoy receiving.

Messages purporting to be from those companies butcoming from an unregistered address would get flagged.It’s a compelling idea, but as with most proposed solutions, trying to get everyone on board has been costly and time-consuming.