The recent OWA (Outlook Web Access) themed spam/crimeware campaign reinforces what has been known for some time: criminals continue to get better at what they do. (http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html)
What it also reinforces is that it's not just about keeping up.
Through tiers of systematic scans and filters we have managed to block an enormous amount of spam and crimeware. Signatures, heuristics, dictionaries and external reputation scoring together dramatically reduce the volume of spam that gets through; with these mechanisms in place, only a single-digit percentage of the total email received at the gateway is left for us to deal with.
The next step in this battle has relied on educating end users. Given how fast spam, malware and crimeware change, it is a difficult prospect to expect end users to dissect each email with a keen technical and investigative eye. I will admit, though, that this has been the common practice for fighting whatever makes it through all your technical controls.
In the case of this OWA-themed spam, the emails look remarkably like the real OWA system and sound professional enough to be legitimate. It is very easy for end users to recognise spam when the wording of the email is similar to this:
“Good news dear, It is my pleasure to inform you that the latest development regarding the news from the New president of the United State of America to release all your fund through bank of america without any further delay.” (http://www.scambusters.org/scamlanguage.html)
However, when the images are done well, the wording is grammatically correct and the emails are appropriately targeted, that becomes a difficult task.
While this may be considered a tactical approach to combating these issues, I have a suggestion that can help fight this battle:
Provide your end users with a validation that internal emails are authentic.
By using certificates to digitally sign your email communications (S/MIME), you give your end users:
- Message integrity (the content has not been altered since it was signed)
- Origin authentication (the message came from a known, trusted source)
In the case of the OWA spam, users would see that the message is not signed by their trusted internal source, so they no longer have to judge whether the wording is right, hover over links to check whether the URLs are legitimate, and so on. The check only works if the mail client validates the signature against your own CA and shows the result clearly: anyone can obtain a certificate and produce a message that is "signed", so the lesson to teach users is "signed by us", not merely "signed".
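As an added example (not from the original post or any vendor's documentation), here is an openssl-based demonstration of the two properties above and of the OWA case: an internal CA issues a signing certificate to the IT mailbox, a message is S/MIME-signed with it and verified, and the same check is then run against a copy whose link was rewritten after signing and against a message signed by a self-signed certificate carrying the same name and address. "Example Corp Internal CA", it@example.com, owa.example.com and the message text are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): S/MIME-sign an internal mail
# with a certificate issued by a constructed "Example Corp Internal CA",
# verify it, then show that (a) a tampered body and (b) a signature from a
# self-signed cert with the SAME name fail against the company CA.
# Names, addresses and the message body are all made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl "req" config so the demo does not depend on the
# system openssl.cnf. $1=output file, $2=subject CN, rest=extension lines.
req_cnf() {
  f="$1"; cn="$2"; shift 2
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    printf 'x509_extensions = ext\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\n' "$cn"
    printf '%s\n' "$@"
  } > "$f"
}

# 1. Internal CA: the trust anchor that mail clients are configured to trust.
make_ca() {
  req_cnf "$WORK/ca.cnf" "Example Corp Internal CA" \
    "basicConstraints = critical,CA:TRUE" \
    "keyUsage = critical,keyCertSign,cRLSign"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Signing cert for the IT mailbox, issued by that CA. digitalSignature +
#    emailProtection are the key usages "openssl smime -verify" checks for.
make_signer() {
  req_cnf "$WORK/it.cnf" "IT Department" \
    "keyUsage = critical,digitalSignature" \
    "extendedKeyUsage = emailProtection" \
    "subjectAltName = email:it@example.com"
  openssl req -new -config "$WORK/it.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/it.key" -out "$WORK/it.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/it.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/it.cnf" -extensions ext -out "$WORK/it.crt" 2>/dev/null
}

# 3. Attacker: a self-signed cert with the same subject and e-mail address.
#    Anyone can make one of these; only chain validation tells it apart.
make_attacker() {
  req_cnf "$WORK/evil.cnf" "IT Department" \
    "keyUsage = critical,digitalSignature" \
    "extendedKeyUsage = emailProtection" \
    "subjectAltName = email:it@example.com"
  openssl req -x509 -config "$WORK/evil.cnf" -newkey rsa:2048 -nodes \
    -days 365 -keyout "$WORK/evil.key" -out "$WORK/evil.crt" 2>/dev/null
}

# Clear-signed (multipart/signed) S/MIME message. $1=cert $2=key $3=body $4=out
sign_mail() {
  openssl smime -sign -signer "$1" -inkey "$2" -in "$3" -out "$4" -text \
    -from it@example.com -to staff@example.com \
    -subject "OWA mailbox maintenance" 2>/dev/null
}

# "OK" if the signature is valid AND the signer chains to the CA in $2, else "FAIL".
verify_mail() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Same check with chain validation switched off: "is there *a* valid signature?"
verify_any_signer() {
  if openssl smime -verify -noverify -in "$1" -out /dev/null >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_ca; make_signer; make_attacker
printf 'Please sign in at https://owa.example.com to keep your mailbox active.\n' \
  > "$WORK/body.txt"
sign_mail "$WORK/it.crt"   "$WORK/it.key"   "$WORK/body.txt" "$WORK/signed.eml"
sign_mail "$WORK/evil.crt" "$WORK/evil.key" "$WORK/body.txt" "$WORK/forged.eml"
# Rewrite the link inside the already-signed message, as a phisher would.
sed 's#owa\.example\.com#owa.example-mail.com#' "$WORK/signed.eml" > "$WORK/tampered.eml"

echo "genuine, chained to our CA : $(verify_mail "$WORK/signed.eml"   "$WORK/ca.crt")"  # OK
echo "genuine but body tampered  : $(verify_mail "$WORK/tampered.eml" "$WORK/ca.crt")"  # FAIL
echo "forged, self-signed signer : $(verify_mail "$WORK/forged.eml"   "$WORK/ca.crt")"  # FAIL
echo "forged, chain check skipped: $(verify_any_signer "$WORK/forged.eml")"             # OK
```

The last line is the caveat: with chain validation disabled, the forged message verifies, because it does carry a perfectly valid signature over an unmodified body. A mail client that shows a generic "signed" indicator without checking the issuer against your CA teaches users exactly the wrong lesson; the awareness material should tell them what a message signed by the company's CA looks like in their client.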
This approach lets your organization communicate two messages to your end users: the content of the email itself, and the company's concern and support for reliable, trusted communication with its user base. Use your education and awareness campaigns to explain the point of digitally signed communications, and with luck the technology will find its way into other applications. If you also hold a certificate from an external CA that your customers' mail clients already trust, there is an excellent opportunity to use it to communicate with your customer base in the same way.