Almost what I expected…

During some time off this week I booked the flights for my summer vacation. Checking for my confirmation email (using a personal email account not protected by Sophos’s PureMessage) I found not one but two emails about my purchase. One was from the flight booking website, but for a moment I was confused about the other one. Recalling that the flight was actually operated by two airlines in partnership, I wondered if this second email was from one of the companies concerned? However, the sender was not an airline I recognised. Being a security researcher who sees spam and malware all day I naturally entered sceptical mode and examined the message source. In this case it was easy to spot some give away signs that this was spam: The sender’s email addresses were inconsistent, the billing figure in this email was totally different to the one I had just paid, and the details of my purchase were supposedly in an attached zip file. A zip file for information that could easily have been included directly in the body of the email? No thank you!

Only one thing now bugged me. Why had I received this spam within a few minutes of making a legitimate flight booking? Was the computer I was using compromised with spyware that could target me with spam related to my online activities? In this case I judged coincidence as the more likely explanation, but my mind was only really set at rest when I caught up with a work colleague who happened to mention that the subject for UPS spam that day was… airline tickets!

Every now and again such coincidences will happen. That is why the authors behind the so called UPS spam keep changing to new subjects. Each campaign will catch out a few people, even computer literate people, because it just happens to resemble something they were expecting. Also remember that some spam campaigns are more professional than others. Some phishes are almost indistinguishable from legitimate emails. Sometimes one will slip through a spam filter, and sometimes the bank targeted will be your bank. Sometimes a random name will resemble someone you know, or the subject will coincide with something you were expecting.

Thus the ability of human beings to make contextual judgments is both a strength and a weakness. The more rule-based approach in typical anti-malware and anti-spam software is less easily caught off guard, but more easily circumvented. Current security software has only limited ability to make new judgements in previously unseen situations. Until artificial intelligence parallels that of human intelligence, the best security defence will be a multi-layer defence involving both comprehensive security products and users who are security conscious enough to know what they should and should not click on. The classic model would be one with three layers: the gateway, the desktop and the end user. No one layer can offer 100% protection, but even if each individual layer of protection were only 98% effective, the three layers would combine to be 99.999992% effective.

That is quite a reassuring figure. So we do not need to stress over our own part in the process, just maintain a healthy degree of paranoia. We can still sleep soundly, or fly off for a worry free vacation. I wonder if the spammers can guess which day I will be booking the car hire?