Simple Tools and Tips To Protect Your Website From SPAM
SPAM is one of the most pervasive problems in the world of technology and has caused enormous damage. Given how quickly spammers adapt, eliminating SPAM completely may seem impossible. However, one can face and beat the challenges of spam by adopting protective measures.
Statistics show that SPAM has invaded many websites and inboxes. Spam costs businesses a whopping $20.5 billion every year! Therefore, technologists and innovators keep coming up with various methods to deal with the tenacious nature of SPAM, to tame it, if not stop it completely.
Typically, spammers and hackers use website forms to plant malware. They also use spam to promote their business. Therefore, the best strategy is to combine methods: identify the threats so that you can avoid spam, and protect against it by deploying anti-spam software and tools.
In this blog, we explore a few simple tools and ways to deal with SPAM. These will guide you on how you can prevent it and how you can protect against it by deploying the right anti-spam tools.
Techniques Used by Spammers
Amazon Prime
In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September’s Prime Day sale, such messages were plausible.
Scammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should call the number in the message. Fearing their accounts may have been hacked, victims phoned the number — this was either premium-rate and expensive, or, worse, during the call the scammers tricked them into revealing confidential data.
Scammers collect photos of documents and selfies
This quarter we detected a surge in fraud related to stealing photos of documents and selfies with them (often required for registration or identification purposes). In phishing emails seemingly from payment systems and banks, users were asked under various pretexts to confirm their identity by going to a special page and uploading a selfie with an ID document. The fake sites looked quite believable, and provided a list of necessary documents with format requirements, links to privacy policy, user agreement, etc.
Some scammers even managed without a fake website. For instance, in summer Italian users were hit by a spam attack involving emails about a smartphone giveaway. To receive the prize, hopefuls had to send a photograph of an ID document and a selfie to the specified email address. To encourage victims to respond, the scammers stated that the offer would soon expire.
To obtain copies of documents, scammers also sent fake Facebook messages in which recipients were informed that access to their accounts had been restricted due to complaints about the content of some posts. To prevent their account from being deleted, they were instructed to send a photo or scan of a driving license and other ID documents with a selfie, plus medical insurance details.
YouTube and Instagram
Scammers continue to exploit traditional schemes on new platforms, and Q3 was a bumper quarter in this regard. For instance, YouTube ads appeared offering the viewer the chance to earn a lot of quick and easy money. The video explained to users that they had to take a survey and provide personal details, after which they would receive a payout or a gift from a large company, etc. To add credibility, fake reviews from supposedly “satisfied customers” were posted under the video. What’s more, the enthusiastic bot-generated comments did not appear all in one go, but were added gradually to look like a live stream.
All the user had to do was follow the link under the video and then follow the steps in the video instructions. Sure, to receive the handout, a small “commission fee” or payment to “confirm the account” was required.
Similar schemes did the rounds on Instagram. Advertising posts in the name of various celebrities (fake accounts are easily distinguished from real ones by the absence of a blue tick) were often used to lure fans with prize draws or rewards for completing a paid survey. As with the YouTube videos, there were plenty of fake glowing comments under such posts. Given that such giveaways by stars are not uncommon, inattentive users could swallow the bait.
Back to school
In Q3, we registered a series of attacks related in one way or another to education. Phishers harvested usernames and passwords from the personal accounts of students and lecturers using fake pages mimicking university login pages.
The scammers were looking not for financial data, but for university research papers, as well as any personal information that might be kept on the servers. Data of this kind is in high demand on the darknet market. Even data that seems useless at first can be used by cybercriminals to prepare a targeted attack.
One way to create phishing pages is to hack into legitimate resources and post fraudulent content on them. In Q3, phishers hacked school websites and created fake pages on them to mimic login forms for commonly used resources.
Scammers also tried to steal usernames and passwords for the mail servers of educational service providers. To do so, they mailed out phishing messages disguised as support service notifications asking recipients to confirm that the mail account belonged to them.
Apple product launch
In September, Apple unveiled its latest round of products, and as usual the launch was followed by fans and scammers alike — we detected phishing emails in mail traffic aimed at stealing Apple ID authentication data.
Scammers also harvested users’ personal data by sending spam messages offering free testing of new releases.
The number of attempts to open fake websites mentioning the Apple brand rose in the runup to the unveiling of the new product line and peaked on the actual day itself.
Attacks on pay TV users
To watch TV or record live broadcasts in the UK, a license fee is payable. This was exploited by spammers who sent out masses of fake license expiry/renewal messages. What’s more, they often used standard templates saying that the license could not be renewed because the bank had declined the payment.
The recipient was then asked to verify (or update) their personal and/or payment details by clicking on a link pointing to a fake data entry and payment form.
Spam through website feedback forms
The website of any large company generally has one or even several feedback forms. These can be used to ask questions, express wishes, sign up for company events, or subscribe to newsletters. But messages sent via such forms often come not only from clients or interested visitors, but from scammers too.
There is nothing new about this phenomenon per se, but it is interesting to observe how the mechanism for sending spam through forms has evolved. If previously spammers targeted company mailboxes linked to feedback forms, now fraudsters use them to send spam to people on the outside.
This is possible because some companies do not pay due attention to website security, allowing attackers to bypass simple CAPTCHA tests with the aid of scripts and to register users en masse using feedback forms. Another oversight is that the username field, for example, accepts any text or link. As a result, the victim whose mailing address was used receives a legitimate confirmation of registration email, but containing a message from the scammers. The company itself does not receive any message.
Such spam started to surge several years ago, and has recently become even more popular — in Q3 services for delivering advertising messages through feedback forms began to be advertised in spam mailings.
Attacks on corporate email
Last quarter, we observed a major spam campaign in which scammers sent emails pretending to be voicemail notifications. To listen to the supposed message, the recipient was invited to click or tap the (phishing) link that pointed to a website mimicking the login page of a popular Microsoft service. It was a page for signing either into Outlook or directly into a Microsoft account.
The attack was aimed specifically at corporate mail users, since various business software products allow the exchange of voice messages and inform users of new ones via email.
It is worth noting that the number of spam attacks aimed specifically at the corporate sector has increased significantly of late. Cybercriminals are after access to employees’ email.
Another common trick is to report that incoming emails are stuck in the delivery queue. To receive these supposedly undeliverable messages, the victim is prompted to follow a link and enter their corporate account credentials on another fake login page, from where they go directly to the cybercriminals. Last quarter, our products blocked many large-scale spam campaigns under the guise of such notifications.
Tools to avoid SPAM
SpamTitan
This is one of the most popular and widely used anti-spam products that protects against phishing and malware. When deployed, it blocks phishing, spam, viruses, malware, spyware, and malicious links with inbound and outbound scanning. It is essentially used for your website's email security.
Mail cleaner
This software eliminates up to 99% of spam and protects the mail servers of ISPs, SMEs, SMIs, and large companies against the worst spam around.
Spam-filter service
Without the need for any extra hardware, this is a very effective anti-spam filter service that guarantees a 99.9% spam detection rate. It essentially protects against DDoS attacks and phishing.
modusCloud
This anti-spam software gives advanced threat protection with URL and attachment defense.
Spamfighter
This anti-spam tool is designed to protect against major malware threats. It enables small to medium-sized businesses to detect and mitigate risks by blocking spyware, malware, and phishing frauds.
Sblam
This is a tool that helps block spammy posts in comments and forums alike. It is a web service that protects against malicious spam.
The Honeypot technique
This is a strategic approach to dealing with SPAM. The technique involves adding an extra form field that is present in the HTML but hidden from human visitors (for example with CSS), so that only spambots, which fill in every field they find, will complete it. Normal users never see the field and naturally leave it empty, so any submission in which the hidden field is filled can be rejected as spam, thus avoiding spam attacks.
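The following server-side check is an added example (not code from the original post) that combines the honeypot technique with the feedback-form hardening described earlier in the post, where a username field that accepts any text or link lets scammers deliver their message inside a legitimate confirmation email. The field names, the length limit and the sample submissions are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Mapping

# Assumed field names for a registration / feedback form.  HONEYPOT_FIELD is
# rendered in the HTML but hidden from humans with CSS; bots that fill every
# field will populate it, real visitors never will.
HONEYPOT_FIELD = "website_url"
NAME_FIELD = "username"
EMAIL_FIELD = "email"
MAX_NAME_LEN = 60  # assumed limit for a display name

# Patterns that have no business in a display name that is echoed into an
# outgoing confirmation email: URLs, HTML tags, and header-injection line breaks.
LINK_OR_MARKUP = re.compile(r"(https?://|www\.|<[^>]*>)", re.IGNORECASE)
LINE_BREAK = re.compile(r"[\r\n]")
SIMPLE_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_submission(form: Mapping[str, str]) -> Verdict:
    """Decide whether a form submission should be processed or dropped."""
    # 1. Honeypot: anything in the hidden field means an automated submitter.
    if form.get(HONEYPOT_FIELD, "").strip():
        return Verdict(False, "honeypot filled")

    # 2. The name is reflected into the confirmation email, so it must be a
    #    plain, short string with no links, markup or line breaks.
    name = form.get(NAME_FIELD, "").strip()
    if not name or len(name) > MAX_NAME_LEN:
        return Verdict(False, "name missing or too long")
    if LINK_OR_MARKUP.search(name) or LINE_BREAK.search(name):
        return Verdict(False, "name contains a link, markup or line break")

    # 3. Only send confirmation mail to something that looks like an address.
    email = form.get(EMAIL_FIELD, "").strip()
    if not SIMPLE_EMAIL.fullmatch(email):
        return Verdict(False, "invalid email address")

    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample submissions: one human, one bot, one link-in-name abuse.
    for sample in (
        {"username": "Ann Lee", "email": "ann@example.com", "website_url": ""},
        {"username": "Ann", "email": "ann@example.com", "website_url": "http://bot.example"},
        {"username": "Cheap deals at http://spam.example", "email": "victim@example.com"},
    ):
        print(check_submission(sample))
```

Rejected submissions should be dropped silently rather than answered, so that the victim whose address was entered never receives the scammers' text.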
Captcha
Captcha may not be one of the best recommendations, but it works in most cases and is still widely used. You can adopt the type that asks visitors to simply check a box that says they are not a robot. There are also some other more complicated Captcha options.
Other than the above-mentioned tools, there are also some free tools available that help check your website security. Netsparker is a free tool that helps test for SQL injection and XSS. You can also try OpenVAS, which claims to be one of the most advanced open source security scanners that tests for known vulnerabilities.
How to Avoid SPAM through Comments
People also often encounter spam through comments on their websites. You can use the following ways to avoid spam through comments and forms alike:
Avoid using standard URLs for forms
Comment spam is automated: bots attack any web form directly. This is the most common form of website spam attack. By not using the standard URLs for forms and changing the name of the file, you can block these automated spam bots and thus avoid invasive spam.
Keep moving form pages periodically
Even if you are not using the obvious or standard file name, spammers can still easily locate them if they are linked to your site. So moving your pages at certain intervals of time can help you fight spam effectively.
Changing the name of your form-action scripts
At times, spammers directly attack the script by knowing its name. You can confuse the spammers by changing the name of the script too. This can very well work to guard against spam intrusion.
Final Words
The disruptive and intrusive nature of technology makes it a two-edged sword. On the one hand, it has brought revolutionary change that enhances life and makes it convenient. However, on the other hand, the intrusive nature of technology is posing more challenges than before. SPAM just happens to be a product of invasive technology, and its menace has only been growing ever since it started to invade.
SPAM is a widespread technology disease that attacks through websites, web forms, emails, inboxes, and much more. As long as there are going to be websites and web forms, there is going to be SPAM. Some of the most malicious spam such as Trojan Horses, zombies, Phishers and Vishers, inappropriate content, and more are just floating around to attack and kill the very motive of technology – convenience and security. However, one can deal with SPAM by becoming more vigilant, being aware, and being armed with the right tools to fight it out in order to curb the nuisance and the damage caused by SPAM.
What techniques do you use to protect your website from SPAM?