The volume of fraudulent SPAM email has decreased sharply in recent years, but the bad guys may just be shifting their tactics towards social media, according to a new report from IBM’s awesomely-named X-Force, the “X-Force Trend and Risk Report for 2011.”
The total volume of SPAM email plunged 50% from 2010-2011, the IBM council of superheroes estimates; progress was also made in areas like software vulnerabilities, with unpatched weak spots decreasing from 43% in 2010 to 36% in 2011, and exploit code, with the volume of new exploit code decreasing 30%. But all these gains were partially offset by a big increase in “social phishing” emails, which sucker the unsuspecting by impersonating email notifications from social media sites.
The IBM report states: “The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven't been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.”
It doesn’t help, of course, that people provide all kinds of sensitive information about themselves via social media, which the bad guys can use to craft ever-more-subtle attacks. Here IBM notes: “The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.”