Spam's Next Target: IM


August 4, 2006

Network Computing

As improved filtering technology blocks more and more email spam, some hackers are turning to instant messaging as another way to send their nasty correspondence. Corporate networks can be vulnerable to an attack through an instant messaging system because employees typically use IM clients from AOL, Google or Yahoo that have few if any security measures to protect against spam or malware.

IM spam "potentially could be even worse" than email spam, says Michael Osterman, president of Osterman Research Inc.

Part of the problem is that email spam can be easy to spot based on a suspicious subject line or unknown sender, but that's not the case when it comes to instant messages, which must come from someone authorized to be on a recipient's "buddy list."

Spammers exploit that trustworthiness by luring victims to a Web site, installing a piece of software, or malware, onto a user's machine, infecting their IM client and then sending an IM message to all of the members of the victim's "buddy list." "The likelihood of spreading the infection is much higher with IM than it is with email," Osterman says. "You're more likely to click on the link and potentially get infected than you would with email."

Despite that, the number of victims is still tiny. "It is a relatively small problem today. It's nothing compared to email spam," Osterman says. "But the potential is there for some problems with IM."

Postini Inc., an Internet message management company based in San Carlos, California, that sifts through 1 billion email and instant messages every day, confirms that the incidences of IM spam are rare but increasing dramatically.

The company processed 7.5 million IM messages for its customers in July and blocked 0.26 percent of them for containing worms or viruses. That's more than twice the share blocked in June, 0.10 percent. By comparison, about 0.5 percent to 1.5 percent of email messages that Postini processes contain viruses. The figure was 0.58 percent in July. In addition, the number of new pieces of malware - worms and viruses - developed for IM increased 17 times from 2004 to 2005, reaching 2,400 unique pieces of malware. Postini expects the number to be surpassed this year.

Postini's 35,000 customers worldwide - including Circuit City, Grant Thornton, Invesco, Johnson Controls, MBNA, Merrill Lynch and 900 small and mid-size Internet service providers - redirect their email to pass through the company's data center, where it blocks the garbage messages. Postini also filters IM for about 100 customers.

Andrew Lochart, Postini's senior director of marketing, believes the IM infection rate is a cause for concern because few companies have a defense in place. Many do not even know that their employees have downloaded an IM client and are using it, because they can do so for free and without permission.

"It was creeping up through the floorboards," he says of the growing number of people who've begun using IM at work. "The IT department was not involved, it was not really aware of what was going on, and had to figure out an appropriate use of IM and balance that against the need to protect their networks."

As IM becomes a preferred medium of communication for everyone from stockbrokers to customer service employees, companies are looking to take control of IM traffic the same way they do email.

"What businesses are wrestling with, there is no corporate IM server. It's just AOL, Yahoo or Google - there's little expertise," Lochart says.

Postini, which offers a hosted service, helps companies manage IM traffic by requiring users to identify themselves. That way, no one can communicate using a handle more appropriate for a chat room. And employees who have no reason to use IM on the job are prevented from having it on their computers.

Enforcing a standard set of content filtering rules is also an important feature of Postini's service, Lochart says. So, if the finance department is prohibited from sending Excel spreadsheets outside the company, then the same applies to IM, too.

Companies looking to increase the security of their IM communication have two options, Osterman says. They can pay for hosted filtering services from Postini or one of its competitors, FaceTime Communications Inc., Akonix Systems Inc., or IMlogic Inc., which was acquired by Symantec Corp. in February.

Or, as a more expensive option, they can install an enterprise-grade IM system such as Lotus Sametime, which is more secure because it encrypts messages, Osterman says. IBM said last month that its Lotus Sametime 7.5 collaboration platform, expected to be available by the end of September, will be integrated with Microsoft Outlook, Microsoft Office and SharePoint applications and will connect to Microsoft Windows Mobile devices.

Instant messaging is gaining in popularity inside companies, according to Osterman. About 93 percent of companies have some IM use and one-third of people who send email also use IM.

Here's how they can become a victim of IM spam. A virus or worm is not sent as an attachment with the message but as a link described as, say, a funny photo or some other tease. Once a person clicks on the URL, it executes a two-part download. First, it seeks out the "buddy list" address book of the IM client and sends a message to every address listed. Then, the actual virus itself can destroy files, install spyware or a keystroke logger or turn a PC into a zombie.

"It can be the same payload that's being distributed over an email virus or worm," Lochart says. "The bad guys have figured out how to exploit all these different ways our computers are connected to the Internet."
