Malware writers 'using marketing techniques' to evaluate their attacks, claims Proofpoint

Attackers using techniques adopted from top marketing companies to avoid anti-spam email security - and to entice people to click

Malware writers have adopted mainstream marketing techniques to monitor and assess the effectiveness of their campaigns, according to Mark Sparshott, EMEA director of channels, alliances & OEM at security software vendor Proofpoint.

Furthermore, he added, they are adapting their strategies in a bid to get round corporate security systems.

Speaking at this week's IT Leaders' Forum, Sparshott said: "They use clever techniques to bypass reputation and content-checking technology at the front end when they are delivering the email. For example, they rotate the IPs [IP addresses] that they use to send the email. They rotate the sending email addresses and they rotate the websites that they are pointing people to with those links."

So, for an attack sending, say, 135,000 messages to 80 companies - which sounds like a lot but will be less than 0.05 per cent of the email they receive that day - the use of link, IP address and email address rotation means that very few of the messages will be identical. "Everything is highly rotated to avoid those 'reputation systems'," said Sparshott.

"They are also managing content in order to entice clicks, in a similar way that you might find a leading marketing or advertising agency doing. So they are really looking at it from a campaign perspective.

"If you track these campaigns over time, often on day one they will do several small bursts of traffic to different sample populations, using different templates. They will analyse their own click-rates, just like an advertising company would. Then they will pick the template that looks like it will deliver the best results and use that in their main campaign.

"So you see little darts of very small amounts of traffic, then there's a gap, followed by a big spike because they are delivering these 135,000 messages within a two or three hour period. Then it will drop off for a day or so and they will come back with a new campaign with similar content aimed at a different set of companies," said Sparshott.

Furthermore, the "open rate" achieved by these techniques is high - typically around 10 per cent, he added, with messages purportedly from LinkedIn achieving the best click rates.

"These are advanced email attacks that have gone through the anti-spam and anti-virus gateway layer," he said, not the traditional spam email, which will be picked up and quarantined by standard email security software.