Terror Spam and Phishing
Abstract
We claim that email spam and phishing can become operational tools in the hands of terrorists, used for more than simple recruiting and fund-raising. We show that by using spam methods terrorists can reach the heart of a society and succeed in getting some of its fringes to act on their behalf. This "outsourcing" of terrorist activity to members of the attacked society may adversely affect the ability of law enforcement to use profiling in the war against terror. We describe a system that combines standard spamming techniques with standard and adapted security mechanisms, and which provides the functionality needed to target, recruit, and operate terrorist cells and opportunistic accomplices.
1. Introduction
If you are like most Internet users, your mailbox has been routinely flooded with "spam". Spam consists of email messages that try to tempt the recipient into buying something; spammers typically send millions of identical unsolicited messages in order to get only a few buyers. Altogether, it is estimated that spammers send 12 billion messages daily, more than half of all email messages [Spam Filter Review, 2004].
Whereas today spam is used primarily by commercial companies who want to increase their sales, we are already seeing cyber criminals who use spam-based "phishing". Phishing is a form of criminal activity that uses social engineering, mainly to obtain private and secret information. Today phishing is mainly used to extract secret codes and other information for fraudulent financial transactions [Phishing report 2004]. According to a recent survey, 43% of US adults have been targeted by phishing attempts [First Data Phishing Survey, 2005].
This article reveals a new method that terrorists can easily take advantage of when carrying out their terror activities, and exposes the inability of current technology to tackle such activity. The article will show how terrorists can use spam and phishing methods not only to recruit members and raise funds, but also to influence other people to carry out attacks on their behalf. We will also show that through the use of terror spam, terrorists can create fear and terrorize the public, even without taking any action.
Clearly, however, the most dangerous prospect is that terror spam can be used to draft unaffiliated individuals and units, from within the inner parts of the attacked society, who will commit terror attacks on behalf of, and under the guidance of, terrorists. When the enemy could be almost anyone and anywhere, law enforcement will find it very difficult to use profiling techniques in its war against terror.
Terrorists are already making substantial use of the Internet to circulate ideas and know-how, and for the very operation of their organizations and secret cells [Weimann, 2004]. In Section 2, we review current uses of the Internet by terrorist organizations and how spam fits into this "toolbox". In Section 3, we discuss various forms of spam, and how spammers use technology to spread their message while evading detection and filtering [Prashanth 2003]. We assume that terrorists will craft their spam using similar technologies and tricks. In Section 4, we present various purposes for which terrorists may want to use spam, and how they would go about it to maximize their success. Section 5 discusses target groups and success rates of terror spam. Section 6 gives a detailed technical implementation of a system that can serve terror organizations using spam [Adabi, Glew, Horne & Pinkas 2002] [Garfinkel, 2003]. Finally, in Section 7, we discuss standard and less standard alternatives in the fight against terror spam.
2. Current Use of Cyber Media by Terrorist Groups
The Internet today contains endless information, tools and opportunities, and terrorists use it to satisfy their own needs. Much has been said about terrorists seeking to enlarge their power and capabilities by taking advantage of this important tool. Listed below are some of the main ways in which terrorists are using the Internet today.
Mass-Communication Tool
Terrorist groups are already using cyber media as a primary tool for mass communication, much like regular businesses. Permanent and ad-hoc web sites are routinely used for propaganda, to release "official" information, to make demands, etc. [Weimann 2004]. Web sites designed to promote their goals and influence public opinion are in fact flourishing [Al Qaeda Hamas and Hezbollah websites]. Some of these web sites are aimed at internal audiences or sympathizers, whereas others target the media and "enemy" audiences.
Planning and Coordination
Terrorists often use the Internet for direct communication. According to the [FBI,CIA,…], the 9/11 terrorists used the Internet to coordinate their actions and to receive commands from their masters in Afghanistan. Weimann [Weimann 2004] explains that "when you have a loosely knit network of networks, you need a channel of communication". Due to the improved capabilities of governments, especially the U.S. and its allies, to tap into cellular networks, many terrorists have turned to Internet chat rooms and e-mail to remain connected. Many computers were found at Al Qaeda training camps and hideouts in Afghanistan. Terrorists also commonly use steganographic methods to hide messages within other messages, images, and video clips. A recent report indicated that Al Qaeda uses prearranged phrases and symbols to direct its agents, such as an icon of an AK-47 superimposed on a photo of Osama Bin Laden, facing different directions and in different colors [Timothy L].
Intelligence
The Internet contains numerous sites that provide knowledge that can assist terrorists in planning and carrying out attacks. There is strong evidence suggesting that the 9/11 planners used data mining, an important and relatively novel use of the Internet, to plan much of the 9/11 attacks. Al Qaeda collected intelligence on targets in order to determine which planes to hijack based on schedule, fuel capacity, and number of passengers booked. This was done to ensure that the planes would arrive at targets in relative proximity, with a significant amount of fuel on board to maximize damage, and with relatively few passengers on board to minimize potential resistance [Timothy].
Funding
Fund raising is commonly done on the Internet, either directly or indirectly. Direct fund raising is done through dedicated web sites and intermediary organizations (usually registered as charities). On such sites, contributions can be made directly to the group's bank account or using common payment methods such as credit cards. Some organizations also use common web marketing techniques, as well as forums and discussion groups, aimed at convincing supportive individuals to contribute to their cause. An analyst found that Al Qaeda used Islamic humanitarian charities to raise money for its fight against the enemies of Islam [Timothy L]. This activity has become somewhat more difficult since the US and its allies started to crack down on charities that serve as fronts for terrorist groups, but it is still rampant.
In addition to direct fund raising, we believe that some terrorist organizations, sometimes in conjunction with local criminals and organized crime, have started to use phishing methods to get hold of credit cards, financial accounts and property [Hinnen].
Recruitment
Recruitment of new members is often done via the web: publishing the terror group's goals and agenda may convince new people to join, and publishing instructions for building deadly weapons lets individuals act on them and carry out deadly attacks [Weimann, 2004] [Timothy L].
Psychological Warfare
Terrorists have also started to use cyber media for psychological warfare, e.g., issuing threats and attempting to spread fear. Abu Musab Al Zarqawi's videos showing the beheading of captives are known to have created significant pressure on governments to get out of Iraq, thereby yielding to the group's demands [Wanger, 2004]. Messages claiming a forthcoming terror act in a specific place may also have social and financial effects. Terrorists also use cyber media to disseminate publicity and propaganda aimed at specific audiences, especially their own people, or audiences that they consider neutral, for example European communities.
Cyber Attacks
A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users [SearchSecurity, 2004]. DDoS attacks have been coordinated from the web sites of terrorist groups such as Hamas and Hezbollah. Most attacks targeted U.S. and Israeli government web sites. The terror groups use their audience by publishing a link to a specific target (for example, the Israeli Prime Minister's web site) and asking viewers to click the link at a certain time in order to crash the victim site, or to download and install a program that would do so automatically [Prichard & MacDonald, 2004].
Providing Instructions to Potential Attackers
Certain web sites provide information on how to build bombs, as well as instructions for making dangerous chemical and explosive weapons, in texts such as "Terrorist's Handbook" and "The Anarchist Cookbook". The anonymous authors of such web sites often include a disclaimer that the processes described should not be carried out. According to the Bureau of Alcohol, Tobacco, and Firearms, federal agents investigating at least 30 bombings and four attempted bombings between 1985 and June 1996 recovered bomb-making literature that the suspects had obtained from the Internet [Weimann, 2004].
Cyber Terror
There has been a lot of press around possible plans of terrorists to carry out actual cyber-terrorist attacks, e.g., taking over computer networks that control infrastructure such as power plants, dams, etc. Most researchers consider the risk of such incidents to be minimal, but of course administrators of such networks should remain watchful [Vatism, 2004] [Lewis, 2002] [Denning, 2000].
Is Spam the Next Ultimate Tool in the Hands of Terrorists?
In this article, we claim that spam may become an important tool in the hands of terrorists. Clearly spam can serve as a useful tool to spread terrorists' messages and knowledge, and to raise funds for terrorist organizations. More interestingly, we claim that spam can also serve as a tool for terrorists to influence individuals to act on their behalf, or at least to serve their purpose.
3. Spam and Spamming Methods
The Spam Phenomenon
Spam refers to one or more unsolicited messages, sent or posted as part of a larger collection of messages, all having substantially identical content. It usually manifests itself as an email campaign that targets millions of email accounts around the world, in an unsolicited fashion [Monkeys]. Experts estimate as many as 12 billion spam messages daily, making for over 75% of all email traffic [Spam Filter Review, 2004], or approximately 10 email messages a day per Internet user. Most spam is commercially motivated, trying to lure readers into purchasing some type of goods or services. Since it is commonly perceived as intrusive and an invasion of privacy, not to mention that most email lists are obtained illegally, most legitimate companies shy away from using spam. Most spammers represent shady industries, primarily porn and gambling. Other operators offer goods of reputable companies, but work on their own initiative without representing the original manufacturers or service providers.
Technically, spammers take advantage of an inherent weakness of the SMTP email protocol: as specified, SMTP does not authenticate the sender, so both the envelope sender and the From: header can be set to arbitrary values, and a receiving server cannot tell a forged sender from a genuine one. Economically, spammers enjoy the ease and negligible cost of producing mass email campaigns. Whereas the response rate to spam is very low, large spammers may send as many as tens of millions of messages every day in order to obtain a few hundred responders.
This economic advantage has also attracted fraudsters and other criminals, and we are now witnessing numerous "phishing" campaigns. In these campaigns, fraudsters try to lure unsuspecting people into providing secret codes and passwords to Internet banking accounts, and then use this information to "clean out" these accounts. Virus authors also use spam to spread their malicious code, often hidden behind tempting bait. The total damage due to spam is estimated at 10 billion dollars in the US alone [Spam Filter Review, 2004]. In sum, spam has proved itself an easy way to reach a large audience, and an effective sales tool that works well despite the low a priori success rate of each individual message.
Spamming Methods
To make sure that their campaigns are effective, spammers must overcome spam filters, and must craft their messages so that targeted recipients will actually read them, and so that a high enough percentage of readers will be interested enough to respond and ultimately to buy. In addition, they must dodge local laws that forbid spam and efforts by law enforcement agencies, ISPs, and others to hunt them down [AOL Spam Lawsuit] [Microsoft Spam Lawsuit]. Since response rates to spam are very low (less than 0.05% according to [France Mike]), spammers often address a huge number of email addresses in a single campaign. There are many ways for spammers to collect email addresses, ranging from "harvesting" newsgroups and web sites to outright purchase of mailing lists that cover different types of audiences.
What makes spamming so profitable is the fact that sending millions of messages costs next to nothing. Compare this with (physical) direct mail, where the cost of each mailing dictates a more selective approach. Indeed, a typical email list may contain millions of addresses, and spammers can simply flood all of them. Still, good spammers prefer more focused lists, because smaller batches reduce their chances of being filtered out and increase their response rates.
Spammers then need to craft an attractive message. Effective messages use attractive subject lines, are short, and hit on the prospect's needs or pains. Some messages are highly personalized, e.g., naming the recipient or providing a possibly familiar name as the presumed sender.
Finally, spammers must also cope with spam filters. Some filters are based on keywords, so spammers often hide keywords using various tricks such as letter replacement, spacing, use of images that contain the words, use of JavaScript that generates the message on the client side on the fly, etc. Other spam filters are based on the frequency of the same message across all recipients of a given mail server; to fool those, spammers generate slightly different messages, e.g., by planting random strings of letters. Spammers may also try to disguise themselves by sending small batches from multiple ISPs and email servers around the world, and by spoofing email addresses and IP addresses.
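The two evasion tricks above (obfuscated keywords and per-copy random strings) each defeat one naive filter, and a filter that wants to survive them has to undo the obfuscation before matching and compare messages by content rather than by exact text. The following is an added example, not code from the paper: the messages, the keyword list and the leet-speak table are constructed for illustration. It normalizes letter replacement and letter spacing before the keyword check, then clusters the variants of one campaign by word-bigram overlap so that a frequency-based filter counts them as a single message.

```python
import re
from itertools import combinations

# Constructed sample messages (not from the paper): one spam pitch in three
# variants, each obfuscating the keyword differently and carrying a different
# random string at the end, plus one unrelated legitimate message.
SAMPLES = [
    "Cheap m.o.r.t.g.a.g.e rates!! Reply today. xkq83jd",
    "Cheap M0RTGAGE rates!! Reply today. pqm22ls",
    "Cheap m o r t g a g e rates!! Reply today. zzv91aa",
    "Lunch on Friday? Bring the draft report.",
]

# Hypothetical keyword list of a simple content filter.
KEYWORDS = {"mortgage", "casino", "refinance"}

# Letter replacements spammers use to hide keywords from an exact-match filter.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "|": "l"})

# A separator sitting between two single-character "words" (m.o.r.t or m o r t).
SPLIT_LETTERS = re.compile(r"(?<=\b\w)[\s.\-_*]+(?=\w\b)")


def normalize(text: str) -> str:
    """Undo letter replacement and letter spacing before keyword matching."""
    text = text.lower().translate(LEET)
    # One pass suffices: every separator between two single letters is its own
    # match, and the look-around tests run against the original string.
    return SPLIT_LETTERS.sub("", text)


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text)


def flag_keywords(text: str) -> set:
    """Keywords present after normalization (the filter's content check)."""
    return KEYWORDS & set(tokenize(normalize(text)))


def shingles(text: str) -> set:
    """Word bigrams of the normalized text; a random salt only changes one."""
    toks = tokenize(normalize(text))
    return set(zip(toks, toks[1:]))


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the bigram sets (1.0 = same message)."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def cluster(messages, threshold: float = 0.6) -> list:
    """Group near-duplicate messages (union-find) so a frequency filter counts
    the variants as one campaign. Returns sorted groups of message indices."""
    parent = list(range(len(messages)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(messages)), 2):
        if similarity(messages[i], messages[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(messages)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{sorted(flag_keywords(msg)) or '-'}  {normalize(msg)}")
    print("campaign clusters:", cluster(SAMPLES))
```

The letter-collapsing rule is deliberately aggressive (it would also join "a b" into "ab"), which is the usual trade-off in spam filtering: a normalization step that never over-merges is one the spammer can always sidestep. Bigram clustering is likewise a simplified stand-in for the hashing schemes production gateways use, but it shows why a salt string changes only one shingle and leaves the variants at two-thirds similarity.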
Phishing
Whereas most spam is commercially motivated, "phishing" is a relatively new form of spam that is probably closest to the terror spam that we introduce next. Phishing is spam used by fraudsters to get access to the passwords and other private or financial information of unsuspecting users. Fraudsters first duplicate a legitimate web site, e.g., a bank's Internet site, and then use spam to trick users into filling in their details on the fraudulent page. In this way, millions of Internet users have received messages claiming to be from their bank (of course most recipients never had an account at said bank), asking for their personal information under various pretexts, e.g., a crash in the bank's system as a result of which account setup information was lost, or even a claim that this would allow the bank to provide greater security to its customers. Some phishing emails require even less cooperation from the victim, and try to plant a Trojan horse, a program that, when installed on the victim's machine, records keystrokes, including login information, and sends them to its master [Phishing report 2004], [Drake, Jonathan & Eugene 2004].
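A duplicated bank site only works if the link in the message leads somewhere other than where it appears to lead, and that mismatch is what a mail gateway or client can check. The following is an added example, not code from the paper: the HTML message body, the bank.example name and the 203.0.113.x addresses are constructed placeholders. It extracts every link, compares the domain shown to the user with the host the link actually points to, and flags the classic tells (a bare IP address as host, a user@host trick that hides the real host behind an "@", and the trusted name buried inside another domain).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a hypothetical phishing message; bank.example and
# the 203.0.113.0/24 addresses are placeholders from the documentation ranges.
SAMPLE_HTML = """
<p>Dear customer, our system crashed and your account setup information was lost.
Please <a href="http://203.0.113.5/login">log in at https://www.bank.example/</a>
to restore your details, or use
<a href="http://www.bank.example.attacker.invalid/verify">our secure verification page</a>.
You can also go to <a href="http://www.bank.example@203.0.113.5/">www.bank.example</a>.
Your last statement: <a href="https://www.bank.example/statements">https://www.bank.example/statements</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Production code would
    consult the public suffix list so that co.uk-style suffixes are handled."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str, trusted: str = "bank.example") -> list:
    """Return (href, [reasons]) for every link showing a phishing tell."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""   # hostname drops any user@ prefix
        reasons = []
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("ip-literal host")
        if "@" in parts.netloc:
            reasons.append("userinfo before host")
        # A domain written in the visible text should match the real host.
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("visible domain differs from href host")
        if trusted in host and registrable(host) != trusted:
            reasons.append("trusted name embedded in another domain")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href, "->", ", ".join(reasons))
```

Of the four links in the constructed message only the genuine statement link passes; the other three are caught by at least one rule each. None of these checks needs network access, which is why they can run on the gateway before the message reaches a user.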
Fighting Spam and Phishing
Several technologies have been proposed and used to fight spam:
On the client side, we find spam filters that are based primarily on keywords, on signatures of known spam that are updated from a server much like anti-virus definitions, and on black and white lists of senders. These solutions are relatively weak and are easily manipulated by skilled spammers.
On the server side, we find gateway technologies that leverage information obtained from scanning email messages addressed to a large number of recipients in order to block spam better. Also on the server side, ISPs try to prevent spammers from using their own accounts and email servers, e.g., by fighting robotic enrollment by spammers, restricting the amount of outgoing email from a given account, etc. ISPs also review the amount of spam that comes from other ISPs and mail gateways, putting exploitable servers whose operators may not be taking enough precautions to prevent outgoing spam on DNS black lists.
A newer approach is to augment the Simple Mail Transfer Protocol (SMTP), the common standard for sending and receiving email messages, with sender authentication. Several proposals have been made, some by industry giants such as Microsoft (Sender ID) and Yahoo (DomainKeys). The essence is to let a domain owner publish in DNS which servers are authorized to send mail for that domain, or to have those servers cryptographically sign outgoing messages, so that the receiving server can verify that the claimed sender domain is genuine. This should in principle prevent spammers from easily setting up their own email-bombarding servers under someone else's domain [ASTA 2004]. Note that these schemes authenticate the domain, not the content: a spammer can register a throwaway domain and publish valid records for it, so sender authentication mainly makes reputation tracking and blacklisting reliable rather than stopping spam by itself.
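To make the DNS-based variant concrete, the following is an added example, not code from the paper and not an implementation of any vendor's product: a minimal evaluator for SPF-style policy records, the record syntax that Sender ID built on. The domains and TXT records are constructed, and only the ip4, ip6, include and all mechanisms are implemented (a, mx and exists need live DNS lookups and are reported as permerror). The receiving server resolves the sender's domain to its policy, tests the connecting IP against it, and rejects on an explicit fail.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (documentation address
# ranges); a real receiver would query DNS for these at delivery time.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "nospf.example": "some unrelated TXT record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # bound on nested includes, so a looping record cannot hang us


def check_host(ip: str, domain: str, txt=TXT, depth: int = 0) -> str:
    """Evaluate whether `domain`'s policy authorizes `ip` to send its mail.

    Returns pass / fail / softfail / neutral / none / permerror, the SPF
    result vocabulary. Mechanisms are tested left to right; the first match
    decides, with its qualifier ("+" when none is written) giving the result.
    """
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > MAX_DEPTH:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # an IPv4 address never matches an IPv6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_host(ip, arg, txt, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"   # include matches only on a pass
        else:
            return "permerror"        # a, mx, exists: need DNS, out of scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all"


def mta_decision(client_ip: str, mail_from: str, txt=TXT) -> tuple:
    """What a receiving server does with the SMTP MAIL FROM address."""
    domain = mail_from.rpartition("@")[2]
    result = check_host(client_ip, domain, txt)
    action = {"pass": "accept", "fail": "reject",
              "softfail": "accept-and-mark"}.get(result, "accept")
    return result, action


if __name__ == "__main__":
    for ip, sender in [("192.0.2.45", "alerts@example.com"),
                       ("198.51.100.7", "alerts@example.com"),
                       ("203.0.113.9", "alerts@example.com"),
                       ("203.0.113.9", "news@nospf.example")]:
        print(ip, sender, "->", mta_decision(ip, sender))
```

The spammer's server at 203.0.113.9 claiming to be example.com gets a hard fail because example.com published "-all"; the same IP claiming nospf.example gets "none" and is accepted, which is the caveat above in action: a domain that publishes no policy, or a throwaway domain the spammer controls, is not caught by authentication alone.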
However, with all these tools, and even though a huge number of spam messages are blocked (AOL claims to block 2.5 billion messages every day), spammers and our own mailboxes can attest that spam is still thriving and on the increase.
4. Terror Spam
We believe that spam can become attractive to terrorist groups, not merely as a tool to spread their messages, but also to raise funds and recruit members. More importantly, we speculate that spam can be used by terrorists to influence non-members to carry out attacks that coincide with the terrorists' goals and plans, and to coordinate the activities of a dispersed, heterogeneously motivated network of activists. Whereas today it is commonly assumed that some Islamic terrorist organizations will only recruit staunch believers to carry out attacks (especially suicide attacks), we believe that in the future they may use "outsourcing" techniques, and will find the right justification for doing so. The trigger may be lack of resources, or the clear logistical and operational benefits of "outsourced" activity, but in any event this may result in higher quality attacks.
The main features that make terror spam and phishing attractive to terrorists are:
- Anonymity and difficulty of tracing;
- Low cost to reach a large audience, and hence the ability to engage a large number of (low-probability) initiatives;
- Leverage in reaching new and otherwise inaccessible audiences;
- Ability to recruit operatives from within the attacked society;
- Ability to spread fear, even without any action being taken.
Communications
Terrorists can clearly use spam as a means of communicating their messages and aspirations to a large crowd. Spam communication can be relatively safe for the sender because it is one-way and, when relayed through third-party machines around the world as described in Section 3, hard to trace back to its origin. Spam messages can refer users to a chat room infrastructure that gives more detailed and personal support; the chat room can serve as a place where none of the participants are known to each other (double-blinded), increasing the safety level for both sides. Terror spam differs from commercial spam: in commercial spam, the spammer wants potential buyers to contact him directly, whereas terrorists will use spam to initiate the first connection but will prefer to remain anonymous without revealing traceable details. This requires a technically different and more complex approach, but one that is within the current technical mainstream.
Funding
Terrorists can use spam to raise funds for their operations, seeking sympathizers in new and unknown target audiences. A terrorist fund-raising campaign is likely to be conducted in a way similar to any other spam campaign, and will most likely point to the web site of a non-profit organization that acts as a cover for the terrorist group. In other cases, terrorist groups can use semi-legitimate store fronts for money laundering. Terrorists can also use phishing techniques to acquire additional financial resources by getting hold of financial accounts, credit cards and other assets.
Recruitment
Terrorists can use spam to recruit new members. This form of recruitment is particularly applicable to decentralized terrorist cells: members recruited through spam can be organized in separate cells, protecting the anonymity of their commanders. Spam can also be an effective means of recruiting people with technical skills. Whereas most terrorist organizations may find it difficult to cultivate such skills internally, they are relatively easy to come by on the Internet. Focused mailing lists can also be used to target specific groups, e.g., youth, disturbed and distracted individuals, and members of certain religions and ethnic groups.
Clearly, most terrorist organizations will not use web-based recruiting to staff their inner core, e.g., for fear of spying and infiltration, but they can use it to recruit simple soldiers, low-level logistical units, etc. As we will soon discuss, they can also use web-based recruiting to form unaffiliated and dispersed units that are operated in a one-way fashion.
Influencing Individuals to Act Against Specific Targets
Terrorists may also try to use spam to influence individuals who are otherwise not members, and possibly not even sympathizers, to act on their behalf. For example, anti-American terrorists can call for coordinated violence against American citizens and corporations on a certain date, around the world. The actual acts can be carried out by various types of activists who are not members of the terrorist group, and for reasons other than the terrorists'. An act may even be committed by a disgruntled employee of an American firm. But the joint effect may serve the terrorists' purpose very well. In this scheme, a terrorist group is likely to prey on individuals who are mentally disturbed or otherwise unstable, or who have certain grievances. This scheme can be particularly attractive to terrorist groups that lack physical infrastructure, because it does not require significant operational logistics: the terrorists simply act as coordinators.
Clearly, only a minuscule fraction of those addressed by such a terror spam campaign are likely to act. However, those who do represent a net gain to the terrorist organization and a clever way to leverage other people's grievances. The fact that bomb-making knowledge is already easily available on the web may ease the recruitment and execution of such attacks by otherwise untrained individuals. In fact, the mere distribution of terror spam that calls for such action may result in significant public panic.
5. How Terror Spam May Work
In this section, we describe how terror spam may work. We start by reviewing potential target audiences for terror spam and the chances of response and success. We then discuss various technical modifications to traditional spam that may be required to facilitate terror spam.
Target Audiences
In this section, we present terror as a "product" to be spammed. Like any other product, the terror spammer needs to consider the target audience(s), so that the campaign reaches the intended recipients and is structured to appeal to the respective audiences. While it is true that the direct cost of spamming is very low, terror spammers may still want to avoid indiscriminate campaigns. First, spamming indiscriminately requires more resources, and also shortens the time-to-block, i.e., the time it takes the authorities to stop the spam and to block the next step of making contact with a collaborating recipient. Second, and more importantly, it may be important for terror spammers to craft different messages that appeal to specific audiences.
We consider the following groups as primary targets for terror spammers:
Affinity religious, ethnic, and national groups. Clearly, terrorists may find their best targets among "their own" audiences. Nationalist organizations may do well when targeting their own nationals; Islamic radicals will likely target Muslims; and separatists will likely try to reach their own people. In that case, spam serves as merely another form of communication, since the same groups are most likely already addressed in other ways.
Sympathizers. Terrorist groups may also find spam an effective tool to reach second-degree sympathizers. These are people who are not members of the former affinity groups, and who may be sparsely spread within a larger population that is otherwise not sympathetic to the terrorists' cause. Compared to spam, most other means to locate and reach such sympathizers may be far more expensive. Consider, for example, identifying and reaching Muslim radicals on a western university campus. Clearly, it may be possible to reach certain radical Islamist clubs, if they exist. However, it would be more difficult to identify and reach potential sympathizers within a non-radical Islamic club, and even more difficult to identify sympathizers within the general student population. Spam to any of the latter groups may provide an effective way to identify and reach such individuals.
Disadvantaged and disgruntled groups. Terrorists may also be able to use spam to ride others' grievances, convincing them to carry out terrorist acts against a common enemy or object of hate. Potential targets include:
- Ethnic groups that are discriminated against, or that carry long-time grievances. In the U.S., for instance, terrorists may address African Americans or Native Americans. In Europe, they may want to target new immigrants to the EU.
- Economically suffering groups, especially in societies with a wide gap between the haves and have-nots, and especially in years of economic downturn.
- Political minorities, especially in countries that do not have a long democratic tradition.
- Extremist activists and anarchists of other types who may not identify with the terrorists' cause, but who may believe that a certain act of terror may also serve their own purpose.
Teens. We suspect that teens may sometimes fall prey to terror spam. As a generalization, teens as a group may have weak self-awareness and low self-esteem, and are the most easily influenced by advertised material [Erica 2004]. Some teens may also have a tendency to rebel, and terrorists may provide them with the image and the technical know-how to carry out a terrorist act. In most western societies, we are already seeing an increase in violence among teens, including some mass-murder acts performed by teenagers. It is possible that terrorist organizations would try to locate and recruit teens to perform acts on their behalf.
To reach their target audiences, terrorists need simply follow in the footsteps of savvy marketers. They should start by identifying their targets, and then acquire relevant email addresses. Common ways to do so include buying email lists and harvesting forums and chat groups frequented by their targets. (As an aside, chat bots may represent another way for terrorist organizations to reach and recruit people.)
Terrorist groups can benefit from almost any outcome such a spam campaign will bring. By running a spam campaign, terrorists will be able to achieve physical damage in some cases and publicity that can lead to public panic in others; in both cases the terror organization benefits.
A spam campaign can be used to coordinate an attack among a number of people. This type of coordination is possible because of the high level of control that the technology provides, i.e., guiding many people located in distant places. Exact orders can be given to all executors, telling them precisely what to do at a specific time or place, and additional guidelines can be given via SMS. Moreover, a special secured forum or chat room can be opened to let the attackers exchange information among themselves. If on the same day a number of American symbols, such as restaurants, entertainment chains, etc., are attacked, the media effect will be very large.
A spam campaign can also simply amplify "traditional" cyber-terror actions, by encouraging users to DDoS web sites, email addresses and other web-based services of governments and private companies, such as banks and e-commerce sites, and thereby disrupt public services.
In some cases potential recruits will prefer not to take an active role in terror actions but will be willing to volunteer critical information. Security leaks concerning critical infrastructure, government offices and public places can give meaningful added value to terror organizations. Terrorists can tempt users to "help" by offering money for any sensitive information delivered to them.
In some cases the spread of fear and instability is far more damaging than the physical act of terror itself. We assume there will be cases that do not end with a physical action, due to fear or second thoughts on the part of the person carrying it out. In other cases suspicious activity will attract the attention of the police, who will prevent the action at the last minute. In such cases we believe terror organizations will still get credit for reaching the person and manipulating him to execute terror acts; these cases will probably get wide publicity and frighten the general public. If until now we thought that a terrorist must come from a certain part of the world or believe in certain things, at this point we will have a problem defining a terrorist, since it can be the next-door neighbor who believes in nothing suspicious and is guided only by revenge. Separately, terrorist groups may also want to use spam simply to create panic, by targeting celebrities (e.g., the Madonna case) and other people who may provide them with exposure in the mass media.
In the next section, we discuss the technical aspects of creating and running a terror spam campaign.
6. Technical Implementation of a Terror Spam Campaign
We propose an implementation blueprint for a Terror Spam System (TSS) that uses available spam technology, and simple modifications thereof that provide the additional security services that terrorists may need.
System Overview
The TSS is designed to enable terrorists to initially contact a wide target audience, and to then continue to communicate with respondents safely until and after the terror act is actually committed.
In the initial phase, the TSS enables the terrorist group to reach as many potential agents (prospects) as possible. Some prospects may share the terrorists' motivations, whereas others may simply want to leverage the terrorists' capabilities and resources in order to achieve their own goals (which may partially coincide with those of the sponsoring terrorists). In this phase, the TSS provides some mechanisms that reduce the risk of detection, and others that help segregate communication channels.
Once the first responses are received, the TSS provides additional security mechanisms and various controls on the communication with different prospects, including mechanisms designed to segregate communication channels, to reduce the risks posed by informants and disingenuous respondents, and to reduce the risk of exposure of genuine respondents.
Figure 1 shows an overview of the TSS system and the flow of information and processing.
Figure 1. Overview of TSS System
Just like in a marketing spam campaign, the goal of the first phase is to mass mail to prospective “agents”. The first step in this phase is to acquire lists of email addresses of potential prospects, based on a specified set of target audience criteria. This is done by the “Email address collection” component.
Next, the TSS "Message generation and personalization" component constructs or designs a message (or selects one from a number of pre-designed alternatives) to match each of the targeted prospects. The goal here is to personalize a message that is likely to draw the attention and response of targets; thus, different messages can be mapped to different target audiences. Subsequently, each message is enhanced with security mechanisms by the "Security crafting" component. For example, we propose that messages contain a script, and that recipients are requested to reply through this script rather than by clicking "Reply" and using the regular SMTP reply. This script may, for example, encrypt the reply using a public-key scheme. The security mechanisms make it more difficult for the ISP to record and track the response, and make it difficult for an eavesdropper to interpret the actual message. The script may also collect some information about the recipient's machine, using spyware-like technologies. This information, together with the message's unique ID and a time stamp indicating when the message was sent, may later be used to authenticate the respondent and to detect possible "mischief". Finally, different batches of outgoing messages are designed to respond to different email addresses (collection points), for segregation reasons.
The next step is of course to send the messages, using the “Spam Sender” component. This component will use standard spamming techniques to distribute the email messages to the target addresses. As an example, to avoid detection, the Spam Sender may distribute the messages into several batches which will be sent through several mail servers and at different times.
This completes the first phase of mass mailing.
The expectation is that a small fraction of recipients will respond to the initial email campaign. The secured script embedded in the message uses the identifier, the time stamp, and the unique public key provided for this message to encrypt the communication. The reply is sent to one of several receiving email addresses, per the segregation policies mentioned above. The receiving program then uses the "Detection prevention" component to review the responses for authenticity and for various tell-tales of possible risk. Replies in which there is a mismatch between the unique identifier, the address to which the original message was sent, and the address from which the response was received are ignored. It is also possible to ignore responses that are not received within a certain time window of their time stamp, treating them as possibly tampered with (e.g., the recipient may have contacted law enforcement authorities); of course, this may result in some loss of genuine respondents. Filtered messages are passed to human operators, who then use a separate communication channel with each respondent.
At the beginning of this "second level communication", the prospect is provided with software components that enable the implementation of additional security mechanisms, e.g.:
• confidentiality – through encryption using public and/or symmetric key schemes for the communications, as well as for communication traces and data stored locally on the prospect's computer;
• authentication – using cryptographic means, and also physical and OS identification of the prospect's computer;
• segregation – using a unique channel and communication address for each prospect;
• detection avoidance – by frequently changing email addresses and other "meeting locations";
• detection of mischief – through a spyware component that monitors the activities of the prospect and his/her other communications.
Description of Specific System Components
In this section, we provide a more granular description and discussion of each of the TSS components.
1. Email address collection
The role of this component (which will likely be implemented as a set of specific systems and procedures) is to acquire email lists according to the characterization of the target audience. Spammers implement similar systems, which use a variety of automatic and manual methods, e.g.:
• extracting email addresses from mailing lists, directories, chat rooms, and discussion forums;
• automated harvesting of email addresses from web pages, WHOIS contact lists, etc.;
• guessing email addresses for a specific domain, e.g., as a combination of first and last name;
• using social engineering methods to obtain email addresses and other personal information;
• legitimate purchase of, bribing for, and/or breaking into consumer databases.
2. Message generation/personalization
Mail messages should attract prospects to open and read them, and if possible entice prospects to respond or act. The chances of success can be improved if the message is personalized to the specific characteristics and attributes of the targeted reader. As such, a different message is likely to work on a devout religious fanatic than on a disturbed or otherwise problematic teen. In general, messages should be short and to the point. As indicated, the message also collects the necessary information and initiates second-level contact.
A possible implementation may start with a number of pre-composed message templates in several languages that will support localization, and then select and fill out the template that best fits each targeted recipient. A matching function shall be constructed to maximize the match between the features of the message and those of the prospective recipient. Dynamically adapting matching functions may be programmed to learn from past response rates.
3. Security crafting
This component adds a security response script to each message. The script supports automated encryption of the response, and directs the response to one of the collection centers. The script also verifies that the response does not exceed the valid time window. In addition, the script collects and sends back some identifiers from the user's machine, such as the user and machine names, the MAC address, and the IP address. The script may also collect more subtle information such as email correspondence, browsing information, bookmarks, etc., and may even install a spyware component (or a Trojan) that continues monitoring activity on the machine.
4. Spam Sender
The spam sender is fed with a list of email addresses and the message template selected for each. Before sending, the spam sender attaches a time stamp to each message, to start its validity window. The main challenge of the spam sender is to avoid detection and the blocking of its messages. Spammers have specialized in this, and use methods such as:
• using many and frequently changing IP addresses, as well as spoofed addresses;
• using third-party outgoing mail relays that were left open;
• sending smaller batches from each outgoing mail server;
• adapting the templated messages to a form that is less detectable by filtering programs (this would probably be done in the message database itself rather than in the sender, but we list it here because it is one of the ways to avoid detection);
• using HTML messages with JavaScript-encrypted frame tags that render the body text only in the email client;
• using web beacons and deceptive opt-out links to verify which addresses are active (again, this would probably be fed back into the email address database);
• using Trojans on some of the recipients' machines to send more messages from them.
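The evasion tell-tales listed above (a script embedded in the body, 1x1 web beacons, opt-out links that confirm live addresses, a per-message id carried in links) are exactly what a receiving mail filter can look for. The following heuristic scanner is an added defender-side example, not part of the paper or of any TSS code; the two sample messages and the `.invalid` domains are constructed, and the indicator names and scoring are assumptions.

```python
# Added example: heuristic check of an RFC 5322 message for the evasion tell-tales
import email
import re
from email import policy

# Constructed sample: an HTML message carrying the pattern section 6 describes.
SUSPECT_RAW = """\
From: news@sender.invalid
To: reader@example.invalid
Subject: please read
Content-Type: text/html; charset=utf-8

<html><body>
<p>Reply with the button below, not with your mail client.</p>
<script>document.write(unescape('%3Ciframe%20src%3D%22http://x.invalid/%22%3E'))</script>
<img src="http://track.invalid/b.gif?id=7f3a9c1e" width="1" height="1">
<a href="http://track.invalid/optout?id=7f3a9c1e">unsubscribe</a>
</body></html>
"""

# Constructed benign plain-text message for comparison.
BENIGN_RAW = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

# Each check is (indicator name, regex applied to the concatenated text/html parts).
CHECKS = [
    # script embedded in the mail body (the paper's "response script")
    ("inline_script", re.compile(r"<script\b", re.I)),
    # image with width or height of exactly 1: a web beacon
    ("web_beacon", re.compile(r'<img[^>]+(?:width|height)=["\']?1["\']?(?=[\s/>])[^>]*>', re.I)),
    # "opt-out" / unsubscribe link, used to confirm which addresses are live
    ("optout_link", re.compile(r'href=["\']?https?://[^"\'>\s]*(?:opt[-_]?out|unsub)', re.I)),
    # hex id carried in link parameters: per-recipient tracking
    ("tracking_id", re.compile(r"[?&]id=[0-9a-f]{6,}", re.I)),
]

def _html_parts(msg):
    """Yield the decoded text of every text/html part of the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def scan_message(raw: str) -> dict:
    """Return the matched indicator names (sorted) and a score of one point per hit."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = "\n".join(_html_parts(msg))
    hits = sorted(name for name, rx in CHECKS if rx.search(html))
    return {"indicators": hits, "score": len(hits)}
```

A real filter would weight the indicators and combine them with the sender-side signals (relay reputation, batch size) rather than count them equally.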
5. Detection prevention
The role of the receiver is to detect responses from law enforcement and other impersonators. Responses that are not properly encrypted with the keys originally provided (in the script) are rejected. Several rules in the detection prevention component look for suspicious information in the machine-specific data returned by the script. This data is also stored and compared against future communication with the same prospect. In case of serious suspicion, the receiver may abandon all communication associated with this email collection center, assuming it has been compromised.
7. Some Recommendations
In order to prevent, or at least minimize, terrorists' success in achieving their goals by using spam, we suggest a few actions that could be taken.
- Create a "Terror Spam Tracing Center" that will monitor all terror spam traffic. This center will gather data from all ISPs, compile the domains, ISPs, IP addresses, etc. of mails suspected to come from terror organizations, and publish them to all ISPs. The ISPs will be obliged to block all mails from the terrorist list.
- Send a follow-up email to every address that receives a "terror spam" email, stating that the recipient has just received an email from a terror organization and should delete it, indicating that cooperating with terror organizations is a felony, and letting the recipient understand that his actions are being watched and that he will be better off if he stops contact with the terrorist organization.
- Create a unit that will detect and follow the traces of terror spam, in order to reach the perpetrators. Detectives in this unit will respond to terror spam and, where possible, establish contact (under cover, of course) with the relevant cells, with the goal of gathering intelligence and making arrests.
- Shut down servers that were used to send terror spam using either legal or semi-legal means depending on the location of those servers.
- Some thought should be given to protecting the mobile phone industry from SMS terror spam.
8. Conclusion
There is evidence today that religious terror organizations are linking with other terror organizations in order to join forces against common enemies, for example Al Qaeda and far-right groups such as neo-Nazis and skinheads in Europe; these links are suspected to exist at both the financial and the operational level. If terror organizations decide to further extend their links to individuals who do not necessarily believe in the organization's ideology but are willing to take actions that might serve it, then spam email might serve as a perfect tool for establishing those links. We showed how, by using this simple tool, terror organizations can easily cause more violent incidents and increase the level of terror worldwide. Spam that reaches civilians inside a target population who want to harm their own population provides a perfect communication tool, allowing individuals to contribute to terror organizations either silently or actively, depending on each individual's preference. We showed that spam is hard to stop and to detect: although the industry is taking more meaningful and aggressive approaches against spam, it remains difficult to detect, and many spam emails reach the user's mailbox at the end of the day. By using spam, terror organizations can spread the knowledge of creating dangerous weapons; as technology improves, the task of creating explosives is becoming unbelievably simple, to the point that teenagers can easily build and activate explosives. Moreover, spam can help coordinate between people who do not interact directly, and thereby increase the level of terror actions and of public insecurity and fear. Finally, we presented a few actions that can be taken in order to fight the phenomenon of terror spam.
Acknowledgments
We would like to thank Yael Shahar for her assistance with this article.