Survey: Millions of users open spam emails, click on links
A newly released report from the Messaging Anti-Abuse Working Group (MAAWG), summarizing the results of the group's second year survey of email security practices, offers an interesting insight into the various interactions end users tend to have with spam emails.
How many users access spam emails, click on the links found within, and open attachments intentionally? Why are they doing it, and who are they holding responsible for the spread of malware and spam in general, in between conveniently excluding themselves?
Nearly half of those who have accessed spam (46%) have done so intentionally – to unsubscribe, out of curiosity, or out of interest in the products or services being offered
Four in ten (43%) say that they have opened an email that they suspected was spam
Among those who have opened a suspicious email, over half (57%) say they have done so because they weren’t sure it was spam and one third (33%) say they have done so by accident
Canadian users are those most likely to avoid posting their email address online (46%). Those in the U.S., Canada and Germany are most likely to set up separate email addresses in order to avoid receiving spam
Many users do not typically flag or report spam or fraudulent email
When it comes to stopping the spread of viruses, fraudulent email, spyware and spam, email users are most likely to hold ISPs and ESPs (65%) and anti-virus software companies (54%) responsible
Less than half of users (48%) hold themselves personally responsible for stopping these threats
It's interesting to see the paradox of end users blaming ISPs and antivirus vendors, whereas 43% of the surveyed users said that they have accessed spam emails, and that they do not typically flag or report these emails.
Moreover, the survey indicates that a common misunderstanding among end users, is still dominating their perspective of spam in general. Nowadays, spam is no longer a mass marketing channel for counterfeit goods/pharmaceuticals only.
Spam is both, an infection and propagation vector for malware campaigns in general, with an interesting twist - the most aggressive Zeus crimeware serving campaigns for Q1, 2010, were optimizing the traffic they were getting through the spam campaigns, by embedding client-side exploits on the pages, next to actual malware left for the end user to manually download and execute.
After 26 days, and almost 350 million email messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2.731.88 -- a bit over $100 a day for the measurement period or $140 per day periods when the campaign is active. Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year.
What do you think? Why are users still interacting with spam emails, which could easily lead them to drive-by exploits serving web site? Are ISPs or vendors to blame, or the end user's lack of awareness on the risks involved when interacting with spam emails these days? Do you think that spam is fought in the wrong way, in the sense that before it reaches your Inbox, it has to go out from the network of a socially-irresponsible ISP first?