Spam emails have been around for 20 years and technical advances have made them worse. Where once spam consisted merely of marketing emails that users did not want, it is now used to sell illegal products such as knock-off prescription or sexual enhancement drugs, and to deliver the messages from "Nigerian princes" who offer you money in exchange for sensitive financial information.
Then there are phishing emails, which contain links to fake login pages that trick the user into handing over the credentials for online banking accounts, or links that lead to a malicious website that installs malware on the user's computer.
They are usually sent out from groups of infected computers, called botnets, with the aim of reaching as many email accounts as possible. They can affect not only an individual computer but also compromise the systems of the user's employer, with far-reaching consequences.
The professional spammer
According to Ilia Kolochenko, CEO and founder of High-Tech Bridge, there is such a thing as a professional spammer. On the surface, a professional spammer might run a business sending out emails for customers who want to promote illegal drugs, so these emails would contain links to actual websites where people can buy those drugs.
The spammer would use his botnet to advertise to as many users as possible, but if another customer wanted the spammer to use his botnet to infect lots of computers by sending emails with links to malicious websites, he could do that too.
"A significant proportion of spam emails are promoting illegal drugs, playing on human psychology as people are too shy to purchase the drugs legally or ask their doctor for Viagra," explains Kolochenko.
"I wouldn't be surprised if the same people who are infecting computers with malware are the same who send out the marketing campaigns."
Spammers also use their botnets to help rig online competitions or to gather more email addresses for sending spam to.
"We investigated a spamming campaign with employees in a bank. Emails with a malicious link were sent to the employees, and when they clicked on the link, a small, harmless piece of spyware was installed on the bank's PC that just wanted to download the contact book of the infected computer," says Kolochenko.
Blocking spam at the email server
Spam is no longer stopped by plugins in the user's email client but by spam filters that operate at the email server.
"Malicious spam emails are all using well-documented software vulnerabilities so we focus on blocking these vulnerabilities," BeyondTrust's CTO Marc Maiffret tells IBTimes UK.
"Google have made a big breakthrough because they're looking at millions of accounts at the server level to stop spam as opposed to the old way of looking at individual accounts. If you look at a set of email accounts, they shouldn't have a lot of commonality in the email they're receiving," says Maiffret.
"In a spam attack, 1,000 accounts will all receive the same email. Then you need to figure out if it comes from a legitimate email account sending out a marketing campaign, or an unknown one."
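As an added illustration of the cross-account commonality check Maiffret describes (example code written for this page, not from the article, Google or BeyondTrust), the Python below groups constructed sample deliveries by a normalised body hash, flags any body that reaches many distinct accounts, and then separates a recognised bulk sender from an unknown one. The `KNOWN_BULK_SENDERS` allowlist, the threshold of three recipients and all sample messages are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample deliveries (not real mail): (recipient account, sender domain, body)
DELIVERIES = [
    ("alice@example.com", "newsletter.shop-example.com", "Our spring sale starts Monday! Click to see offers."),
    ("bob@example.com",   "newsletter.shop-example.com", "Our spring sale starts Monday!  Click to see offers."),
    ("carol@example.com", "newsletter.shop-example.com", "our spring sale starts monday! click to see offers."),
    ("alice@example.com", "x9k2-mail.invalid", "Cheap pills, no prescription needed: http://pharma.invalid/buy"),
    ("bob@example.com",   "x9k2-mail.invalid", "CHEAP PILLS, no prescription needed: http://pharma.invalid/buy"),
    ("carol@example.com", "x9k2-mail.invalid", "Cheap pills, no prescription needed:   http://pharma.invalid/buy"),
    ("dave@example.com",  "x9k2-mail.invalid", "Cheap pills, no prescription needed: http://pharma.invalid/buy"),
    ("alice@example.com", "partner.invalid", "Hi Alice, attached are the meeting notes from Tuesday."),
    ("bob@example.com",   "partner.invalid", "Bob, can you review the contract by Friday?"),
]

# Assumed allowlist: senders whose bulk mail the organisation recognises as legitimate marketing.
KNOWN_BULK_SENDERS = {"newsletter.shop-example.com"}

def fingerprint(body):
    """Hash a normalised body so trivial case/whitespace variations collapse to one campaign key."""
    norm = re.sub(r"\s+", " ", body.lower()).strip()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]

def classify_campaigns(deliveries, min_recipients=3, known_bulk=KNOWN_BULK_SENDERS):
    """Group deliveries by body fingerprint and flag bodies that hit many distinct accounts.

    Returns {fingerprint: verdict}, where verdict is one of
    'individual', 'legitimate-bulk' or 'suspected-spam'.
    """
    recipients = defaultdict(set)
    senders = defaultdict(set)
    for rcpt, sender, body in deliveries:
        key = fingerprint(body)
        recipients[key].add(rcpt)
        senders[key].add(sender)
    verdicts = {}
    for key, rcpts in recipients.items():
        if len(rcpts) < min_recipients:
            verdicts[key] = "individual"        # ordinary one-to-one mail, little commonality
        elif senders[key] <= known_bulk:
            verdicts[key] = "legitimate-bulk"   # same body to many accounts, but a recognised sender
        else:
            verdicts[key] = "suspected-spam"    # same body to many accounts from an unknown sender
    return verdicts

if __name__ == "__main__":
    for key, verdict in classify_campaigns(DELIVERIES).items():
        print(key, verdict)
```

In a real mail pipeline the fingerprint would also strip per-recipient tokens (names, tracking URLs) before hashing, otherwise a campaign that personalises each message escapes the grouping.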
What companies should do to protect themselves
Before investing in an expensive state-of-the-art security system to keep your company safe, Maiffret, Kolochenko and Vormetric's CSO Sol Cates say that there are several steps you can take:
1. Configure your company's systems correctly
"Many times companies will set up a new web server, and they don't configure it properly. Make sure to disable unnecessary components of the system. Just doing the right thing with configurations can reduce a great deal of vulnerabilities," says Maiffret.
2. Educate your employees about spam
"Large companies should invest more budget into an education programme and train their employees to recognise spam and malicious emails," says Kolochenko.
"One company got its internal team to send fake emails to its own employees in order to test them and offered a financial bonus to employees who were able to spot fake emails."
3. Control how administrators access data
"There are techniques that organisations can utilise to reduce access to only those that 'need to know' [but] most of these controls can be bypassed by administrators," explains Cates.
"Tools like encryption combined with separated access controls can be used to remove administrators from data access [which] is important as administrators are one of the top targets for attackers – it's like robbing the bank by stealing the bank manager's keys."
4. Isolate accounts that could be a target for attack
User accounts that have access to sensitive data, such as HR or finance management, should have additional security measures applied to them, as they are prime targets for malware-driven hacking attempts, which often start with an employee unwittingly clicking on a malicious email.
5. Don't forget to patch known security vulnerabilities
"Most companies know they need anti-virus but they stop there and forget about the other aspects. Only 4.7% of all vulnerabilities are used to break into companies, and attacks actually leverage known vulnerabilities that could have been patched," says Maiffret.