A few dismal statistics on the prevalence of dangerous email, from a post on the security blog SearchSecurity, quoting a study by MessageLabs, a security software firm:
- Based on their samples, MessageLabs believes that 90% of all emails globally are spam;
- 1 in 200 emails contain a phishing attack;
- 68% of all malicious emails they intercepted were phishing attacks.
As a personal note, I think they’re understating the proportion of spam — my own sample here at the office is that only 3% of our incoming email traffic was valid email, based on a study I did in mid-October.
So as usual, the bad guys are keeping one step ahead by devising new forms of attack when the old ones become less effective; nothing new there, online or offline. But phishing attacks are particularly worrisome because they aren’t as readily filtered out as other forms of spam that are just selling some kind of hokum. Phishing attacks work by getting the victim to disgorge their account numbers and passwords, which are then used to vacuum out bank accounts, open illegitimate credit cards, and all the rest of it.
A good proportion of the rest of all this spam is devoted to getting the victim to allow the spammer to download to the victim’s machine some hostile software, including keystroke loggers and the control software that will turn the victim’s machine into a spam-relaying robot.
And all it takes is one mistake, one visit to an apparently innocent but actually hostile website, and you’re nailed. If the infection is a rootkit, it’s likely that you won’t be able to either find it or fix it without a complete software rebuild of the machine.
Here is an excellent non-technical overview of one of the world’s largest phishing organizations, from the Seattle Times. It’s more than scary.
Now I’m not an alarmist, but at what point does the Internet become just too dangerous to be worth the trouble? Back about 15 years ago I used to go out to some of the Compuserve newsgroups pretty regularly for technical subjects, but gradually they became so filled up with spam messages that perhaps one in 50 was a valid message, the rest were all machine-generated junk. At that point, I just quit going there. At what point will the broader public come to the same conclusion, and become afraid to use the Internet?