Slashdot Mirror


Hidden Messages in Spam

randomwalker writes "There was an extremely interesting presentation at the Blackhat Windows Security Conference in January by Dr Curtis Kret entitled Nobody's Anonymous. In his presentation he showed how information about spammers can be determined. In addition he showed that some spam is being used as a covert communication channel. This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Four spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel."

8 of 232 comments

  1. Tin Foil Hats by Allen Zadr · Score: 3, Insightful

    Maybe, but this might actually mean that the authorities will start putting some actual resources into finding SPAM outlets and shutting them down.

    Oh, and Tin Foil Hats are useless - you must use my special patented Irradiated Tin Foil to keep the new mind control machines out.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
  2. Why is this surprising. by re-Verse · Score: 4, Insightful

    One of the best methods of not having your communications snooped in on is to use a busy, noisy channel. Communications inside of malls, clubs, whatever. It makes perfect sense. People don't expect sensitive information in some sort of public form, so they don't listen for it. We're all so sick of spam that we erase it on sight - so if someone wants to use it to communicate - it's perfect. It draws a hell of a lot less attention to oneself rather than forming a whole new covert form of communication.

    What looks more suspicious - A spam with some seemingly random keywords to throw off the filters at the bottom, or a highly encrypted data transmission on an obscure port? I know which one would make me take notice first.

    1. Re:Why is this surprising. by re-Verse · Score: 2, Insightful

      Well, that's the thing. An extremely covert message gathers more attention. Like "Wow - look at that random stream of data from that source - it must mean something because I can't decipher a bit of it - monitor all further incoming and outgoing communications to that IP", whereas spam - well, like I said, nobody pays any attention - they think it's just some slimeball trying to make a greasy dollar off a sucker who knows no better.

      I know it's ironic, but often the best hiding place is in plain sight.

  3. Re:Covert Messages by Anonymous Coward · Score: 3, Insightful

    it would also be impossible to tell who the books were intended for (and therefore the US Mil could contact spies who could be in a tight spot, or informants who may be in a tight spot). The books could also contain a bunch of different messages using different cryptographies, in plain sight, to communicate with multiple agents.

    Three Days of the Condor is an excellent movie with this very same premise. :) IRL, however, it would be difficult to use something like this for communication.

    If, as you say, some Three-Letter-Agency wanted to get a message to a spy "in a tight spot" they would hardly have time to wait for a conventional printing press to run off a mass-market publication. "Tight spots" need to be resolved in days (if not hours), and to send a message through a printing press can take weeks or sometimes a month to run an edition, bind it and ship it to all corners of the earth.

    So I doubt anyone's using this technique with dead-tree publications :)

  4. Re:Steganography... by russotto · Score: 2, Insightful

    Yeah, and the nature of spam makes steganography EASY. Exactly which mis-spelling is used for a word could encode several bits. Those HTML comments used to obscure could hide entire words, in both content and placement. So could the lists of nonsense words used to defeat SPAM filters.
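
Added example, not part of the original thread: the variant-choice encoding described in the comment above, seen from the analyst's side. Given a spelling table (constructed here; the table, the sample message and all function names are assumptions), it recovers the bits a message's spellings would carry and counts the channel's capacity.

```python
import re

# Constructed variant table (an assumption, not taken from any real spam):
# each carrier word has a power-of-two number of spellings, and the index of
# the spelling that appears is the hidden value.
VARIANTS = {
    "viagra":   ["viagra", "v1agra", "viagr4", "vi@gra"],            # 2 bits
    "mortgage": ["mortgage", "mortage"],                             # 1 bit
    "pharmacy": ["pharmacy", "pharmacie", "farmacy", "pharm4cy",
                 "phamacy", "pharmecy", "pharmasy", "ph4rmacy"],     # 3 bits
}
# Reverse index: observed spelling -> (carrier word, variant index).
LOOKUP = {s: (w, i) for w, forms in VARIANTS.items() for i, s in enumerate(forms)}
TOKEN = re.compile(r"[a-z0-9@]+")


def carriers(text):
    """List (spelling, bits) for every known variant found in text, in order."""
    found = []
    for tok in TOKEN.findall(text.lower()):
        if tok in LOOKUP:
            word, idx = LOOKUP[tok]
            # Bits per word = log2(number of variants), e.g. 4 variants -> 2.
            width = (len(VARIANTS[word]) - 1).bit_length()
            found.append((tok, format(idx, "0{}b".format(width))))
    return found


def decode(text):
    """Concatenate the bits implied by each observed spelling."""
    return "".join(bits for _, bits in carriers(text))


def capacity_bits(text):
    """Number of hidden bits this text can carry with the table above."""
    return len(decode(text))


def to_bytes(bits):
    """Pack complete 8-bit groups into bytes; trailing bits are dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))


# Constructed sample message for this example.
SAMPLE = "Cheap farmacy deals! Get v1agra from our online pharmacy today."

if __name__ == "__main__":
    for spelling, bits in carriers(SAMPLE):
        print(spelling, bits)
    print(decode(SAMPLE), to_bytes(decode(SAMPLE)))
```

Three ordinary-looking words carry one byte here, while a message using only the first spelling in each list decodes to all zeros.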

  5. Re:Steganography... by Lord of Ironhand · Score: 2, Insightful

    So could the lists of nonsense words used to defeat SPAM filters.

    In fact, when I first saw these random word lists the first thing I thought of was hidden communication, NOT defeating filters...

    Btw, Usenet also makes a great medium for this since it's possibly even harder to discover the intended recipient (especially when you encode the message in some pictures posted to an alt.binaries.erotica group...).

  6. Re:Facts about spammers: by fbform · Score: 4, Insightful

    I applied this method to the latest 100 spam mail and got the following results:

    44.3% of the spammers want to get me rich, too.
    32.2% want to enlarge my penis


    Unbelievable! I never knew you could get 0.1% precision by analyzing a mere 100 discrete samples of email. Or does the 33rd spammer want to enlarge only 20% of your penis? Or is he only 20% sure that he wants to enlarge your entire penis?

    --
    Time flies like an arrow. Fruit flies like a banana.
  7. Re:Spam = Covert communications by Frizzle Fry · Score: 2, Insightful

    Because it might not be you personally who decided to filter the word viagra. For example, if you're using a Hotmail or Yahoo account, that word is going to make the mail more likely to be flagged as spam and go to your "bulk mail" folder (I would think). Similarly, you might have installed a third-party spam filter (or your ISP or workplace might be using one) that looks for words like this. The fact that "viagra" mail isn't going to reach the end user doesn't mean that he has personally decided to kill all mail to his account about viagra.

    --
    I'd rather be lucky than good.