Cloudmark’s Threat Report for 2015 Q3 is now available and covers the following topics:
- IBM-owned SoftLayer is the number one source of spam in the world
- The spam situation in Australia
- Cloudmark’s involvement with Facebook’s ThreatExchange
- Phishing Kits and their ease of use
You can download the full report or read the highlights below.
First, we identify SoftLayer, a hosting and cloud-computing company wholly owned by IBM, as the largest source of spam in the world. Spam from SoftLayer is seven times higher than a year ago, and 42% of all email from SoftLayer is spam. We are currently blacklisting almost 30,000 IP addresses from SoftLayer, 1.4% of all addresses they own. SoftLayer’s massive increase in outgoing spam is due largely to spam sent to Brazil, which has no anti-spam laws.
Next, we took a look at the spam situation in Australia. We found that most spam originating in Australia is sent to Brazil, which, as mentioned, has no anti-spam laws. The largest source of spam sent to Australia is the US, as it has a third of the world’s IPv4 addresses, inexpensive hosting, and good connections to the Internet.
Facebook’s ThreatExchange is a venue for sharing threat information that is currently in beta testing. Cloudmark feels that ThreatExchange has significant advantages over other information exchanges, specifically that it is hosted by Facebook, a major corporation with a strong interest in security, but not a competitor in that field. It also provides a high degree of control over the way that shared information is used by other participants. We are currently sharing compromised domains and malicious URL shortener links, which allows us to provide a real-time feed to service providers. We hope this will reduce the amount of time required to remediate the problem.
Finally, we took a look at phishing kits and how easy they are to use, even by individuals with little computer savvy. We spotlight usage of the Social Engineering Toolkit (SET) and simulate a credential harvesting attack against one of our own employees. All the steps taken are performed with a few commands to the tool: first, it finds email addresses of the target corporation by searching various social media websites. It then emails an individual claiming that suspicious activity requires them to log in to a website of the attacker’s choice (in this case, Amazon.com). If the target clicks on the link, the tool clones the login page and harvests the login information while redirecting the target to the genuine website. This is all accomplished with only minimal creativity from the user of the kit, and is only one example of the varied options provided by this freely available tool.
For more information, the full report is available here.