The View from Landmark

Trends and issues in personal computing from Bud Stolker, a long-time PC consultant. The View from Landmark features tips and techniques to make time spent with your computer more productive and rewarding, commentary on new personal computer policies and trends, plain-English explanations of new hardware, software, and network designs and their relevance to you, and answers to common questions. There may be personal material interspersed if Bud believes it is of general interest.

Wednesday, September 15, 2004

Steganography: new spam/scam technique

Look up steganography and you'll find that it's one of the fundamental branches of cryptology, the study of techniques that can be used to conceal information. Literally steganography means "covered writing", from the Greek words steganos (covered) and graphein (to write). Strictly speaking, steganography hides the very existence of a message; the spammers' version described below is looser than that: the message is in plain sight for the human reader, but its content is hidden from the filter.

Now this process is being used to elude spam filters.

The trick, according to a recent eWeek article (http://www.eweek.com/article2/0,1759,1644840,00.asp), is to take all of the text and images that would normally constitute a spam message and render them into one large image that looks like a collection of text and graphics. The resulting single-image message provides virtually no keywords or other information to a spam filter and thus passes through unflagged.

Most spam filters check for keywords (Xanax, Valium, Viagra) or text strings ("free offer", "degrees for sale") to identify spam. That's why so many common words are misspelled: to slip through the keyword filters. And that's why you'll often see meaningless text strings in spam (qua erskine phony condensible aida sporadic*); the padding of innocent words dilutes the message's "spam score". But if the entire message is one large graphic, the content is unreadable by simple text filters: there are no words to score at all.
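The flip side of the technique is that the message has almost no visible text and at least one image part, which a filter can check for directly. The following is an added example (not from the eWeek article or this page) of that check over two constructed messages, using Python's standard email parser; the message texts, addresses and the ten-word threshold are made up for illustration.

```python
import email
import re
from email.message import Message

# Constructed samples, not real messages from the page: an ordinary text mail
# and an "image spam" whose only real content is an embedded GIF (a 1x1 pixel here).
TEXT_MAIL = """\
From: friend@example.org
To: you@example.org
Subject: lunch
Content-Type: text/plain

Want to grab lunch tomorrow? The usual place at noon, if that still works for you.
"""

IMAGE_MAIL = """\
From: deals@example.net
To: you@example.org
Subject: Your account
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><a href="http://example.net/"><img src="cid:logo"></a></body></html>
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <logo>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

TAG_RE = re.compile(r"<[^>]+>")


def visible_text(msg: Message) -> str:
    """Concatenate the human-readable text of all text/* parts, HTML tags stripped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            text = TAG_RE.sub(" ", text)
        chunks.append(text)
    return " ".join(chunks)


def image_parts(msg: Message) -> int:
    """Number of image/* MIME parts, attached or inline."""
    return sum(1 for p in msg.walk() if p.get_content_maintype() == "image")


def is_image_only(raw: str, min_words: int = 10) -> bool:
    """Flag mail that carries an image but fewer than min_words words of readable text.

    min_words is an assumed threshold; a real filter would tune it and combine
    this signal with others rather than rejecting on it alone.
    """
    msg = email.message_from_string(raw)
    words = visible_text(msg).split()
    return image_parts(msg) > 0 and len(words) < min_words
```

The check is deliberately one signal among several: a newsletter with a logo and a short caption would also trip it, so a production filter would weight it rather than block on it.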

Below is an example of a steganographic scam. The Amazon logo, text, and hyperlink are all part of one image. Don't worry; the link doesn't work. The message may look a bit out of place here against a darker background, but if you received it as an email message, you could be forgiven for not noticing that the whole message is a single graphic.

image of a steganographic message

Click anywhere on the original message and it takes you not to Amazon, but to this URL-encoded address: http://www.amazon.com%6Cexec%6C%6F%62%69%64%6F%73%6C%61%6D%61%62%6F%74@%32%30%33%2E%32%32%39%2E%32%31%32%2E%31%34%35:%32%35%35%32/%69%6E%64%65%78%2E%68%74%6D. The hex escapes are ordinary percent-encoding, not encryption; they decode to http://www.amazon.comlexeclobidoslamabot@203.229.212.145:2552/index.htm. Everything before the @ is a username, which the destination server simply ignores; the real host is what follows the @, a bare numeric address on port 2552. (The lowercase l's apparently stand where a real Amazon path would have slashes, since a literal slash would end the host portion of the URL.) That address belongs to a server hosted by Korea Telecom at 206 Jungja-dong, Bundang-gu, Sungnam City, Gyunggi-do, Korea, 463-711. Point to the link and look at the browser status bar to see the actual address.
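To show exactly how a browser reads that link, here is an added example (my code, not anything from the page or from Amazon) that splits the URL above into its parts the way a browser does, on the raw string first and only then percent-decoding each piece, and flags a link whose claimed brand appears only in the ignored username. The `looks_spoofed` helper and its `claimed_domain` argument are my own; the URL itself is copied verbatim from the message.

```python
from urllib.parse import unquote, urlsplit

# The link from the scam message above, copied verbatim.
SCAM_URL = (
    "http://www.amazon.com%6Cexec%6C%6F%62%69%64%6F%73%6C%61%6D%61%62%6F%74"
    "@%32%30%33%2E%32%32%39%2E%32%31%32%2E%31%34%35:%32%35%35%32"
    "/%69%6E%64%65%78%2E%68%74%6D"
)


def dissect(url: str) -> dict:
    """Split a URL into userinfo, host, port and path as a browser would.

    The structure (where the @, : and / delimiters are) is decided on the raw,
    still-encoded string; percent-escapes are decoded afterwards, per component.
    Decoding first would let an escaped "/" or "@" change the parse.
    Assumes a plain host (no bracketed IPv6 literal).
    """
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")  # '' if no @ present
    host, _, port = hostport.partition(":")
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "userinfo": unquote(userinfo),  # shown to the reader, ignored by the server
        "host": unquote(host),          # where the browser actually connects
        "port": int(unquote(port)) if port else default_port,
        "path": unquote(parts.path),
    }


def looks_spoofed(url: str, claimed_domain: str) -> bool:
    """True when the brand name sits in the userinfo but the real host is something else."""
    info = dissect(url)
    host = info["host"].lower()
    real = host == claimed_domain or host.endswith("." + claimed_domain)
    return claimed_domain in info["userinfo"].lower() and not real


if __name__ == "__main__":
    for key, value in dissect(SCAM_URL).items():
        print(f"{key:9s} {value}")
    print("spoofed:", looks_spoofed(SCAM_URL, "amazon.com"))
```

Run as a script it prints the userinfo string beginning "www.amazon.com", the host 203.229.212.145, port 2552 and path /index.htm, and reports the link as spoofed; a genuine https://www.amazon.com/... link has an empty userinfo and is not flagged.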

These scam artists are looking for your credit card number and PIN, and any other information they can get. Korea Telecom may have pulled the plug on this particular scam; as of this writing the link doesn't work.

Other apparently nonsensical messages embedded in the source code of this message: "I advise you without any ega you can't miss it Are you sure? in 1825 That's lovely . . . in 1860 You might put Forget it! 253 No thanks 1 in 1946 292 going to Will you . . . ."

Amazon indeed!

Another way filters can identify spam (or a scam) is by comparing an image against a list of known "bad" images, usually by matching the file's checksum or hash. But it's a simple matter to randomize a few bits in the graphic, thereby altering the file's checksum without visibly changing the picture, so no two copies of the spam ever match the list. A filter that wants to catch this has to compare what the image looks like, with a perceptual hash that tolerates small changes, rather than its exact bytes.
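The difference between the two kinds of matching is easy to see on a toy image. The following is an added example of mine, not code from the page: it builds a constructed 16x16 grayscale "logo" (a bright box on a dark background), applies the spammer's trick of nudging a few pixels, and shows that the SHA-256 of the bytes changes while a simple average hash (one bit per pixel, set when the pixel is brighter than the mean) does not. The image, the number of pixels touched and the seed are all made up for the demonstration; real perceptual hashes first shrink and smooth the image, but the principle is the same.

```python
import hashlib
import random


def make_image(width: int = 16, height: int = 16) -> list:
    """Constructed grayscale 'logo': 8x8 bright box (220) on a dark background (30)."""
    return [
        [220 if (4 <= x < 12 and 4 <= y < 12) else 30 for x in range(width)]
        for y in range(height)
    ]


def to_bytes(img: list) -> bytes:
    """Raw pixel bytes, row by row, standing in for the image file's contents."""
    return bytes(v for row in img for v in row)


def sha256_hex(img: list) -> str:
    """Exact-match fingerprint: any changed byte gives a completely different digest."""
    return hashlib.sha256(to_bytes(img)).hexdigest()


def average_hash(img: list) -> int:
    """Toy perceptual hash: 1 bit per pixel, set when the pixel is brighter than the mean."""
    pixels = [v for row in img for v in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for v in pixels:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes; 0 means 'the same picture'."""
    return bin(a ^ b).count("1")


def perturb(img: list, flips: int = 8, seed: int = 1) -> list:
    """The spammer's trick: nudge a few distinct pixels by +-1..3 gray levels.

    Each chosen pixel changes by a nonzero amount, so the bytes always differ,
    while the change is far too small to move any pixel across the brightness mean.
    """
    rng = random.Random(seed)  # fixed seed so the demonstration is repeatable
    out = [row[:] for row in img]
    width = len(out[0])
    for index in rng.sample(range(len(out) * width), flips):
        y, x = divmod(index, width)
        delta = rng.choice([-3, -2, -1, 1, 2, 3])
        out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


if __name__ == "__main__":
    original = make_image()
    altered = perturb(original)
    print("sha256 same?  ", sha256_hex(original) == sha256_hex(altered))
    print("ahash distance", hamming(average_hash(original), average_hash(altered)))
```

Run it and the SHA-256 comparison reports False while the average-hash distance is 0: an exact-match blocklist misses the altered copy, a perceptual comparison still catches it. The same Hamming distance, with a small tolerance instead of zero, is how a filter would compare incoming images against known spam graphics.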

Conclusion: A steganographic message may have a lot more content than meets the eye. Spam may have a scam lurking beneath the apparent message. Either our filters will have to get smarter, or we will.




*random text string culled from today's collection of spam. Here's a longer version, also from today's email:

predominate ossifies antiquarians cordage eme percolate tallymen outpresses leached arachnophagous. aspartyl prealarm neostriatum stalklet regulatively sparged slapdash glaucophanite vaugnerite. apyrases weighted spelled eroses tantawy sodioplatinic zoonomia. eupneic programer lenticula preallow dundee claustrophobe psychopompos gauntries lifo cordage. ciboule priapean blennymenitis stiff! nesses mastectomy sunset inbreathe sabine semioblivious seafarers. dwellers shellacked tractlet ataman smockings unamalgamated cresswort quillaia. geodesical sabine preilluminate halakah nonundulatory superorganize marketeers. apometabolous orthograph tutory palatines blackguard zoosporocyst. scrawler slopeness misunderstander stereognostic rhyming. subserrate contravention myelodiastasis illicitly volplane promote besprinkling extrapelvic eyedropperful. governs esophagectomy palaeography mussuk hemapophyseal. rubidiums muzjiks videlicet lakist misunderstander cytost unmixable reata. steadfastness glamoury pantywaist balden autosign. findal ataman undisinherited skirl bandsmen pickford condemnate sparged. uluhi tannings mesmerizes prisonlike amusively khazens pst eschalots. cacuminous buttocker etatist bullcomber mirv esoterism yappiness. rave gaynesses derival letting smockings despotat nonimmunities malocclusion yens ultramodernist. animists diabolarch docking mussuk coto! neaster yens.