This is an interesting point of view which I happen to disagree with, but in thinking further I realize that this is mostly a matter of perspective – business vs personal, or big vs small.

The writer, Mark Gimein, approaches the matter from his own personal experience.  Mark has a slightly more complex email setup than the average person – a series of email addresses for various purposes all forwarding into a Gmail account.  In Mark’s experience spam has all but vanished from his inbox, although a few false negatives remain.

I’m not disputing Mark’s account, I don’t see very much spam slip through the filters into my inbox either, but the war on spam is most definitely not won.  Mark hints at what I’m about to say with this paragraph in his article:

Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.

For an email user in a business what goes on under the hood shouldn’t concern them, but it most certainly concerns the business.  Businesses spend thousands of dollars each year on protecting their email systems from spam and malware.  This is not a trivial expense and in itself stands as solid proof that the war on spam is far from over.

In Australia the ACMA report for 2008-09 stated a 21% rise in email spam complaints from the previous year.  They also reported a 71% jump in SMS spam complaints.

If the war had been won then today’s spam filters serve us for decades to come, and further innovation in the field would be unnecessary.  One thing is for sure, if the war is over then no one has told the spammers, because they continue evolving new spam techniques and bombarding email systems around the world with billions of spam messages every year.

For a single user receiving a few dozen emails per day spam probably does appear to be a problem that has been solved.  For a business of thousands of users who collectively receive hundreds of thousands of emails per day even a 0.5% miss rate on spam is a lot of staff productivity lost dealing with them.  And don’t forget the potential for security breach if someone falls for one of the more serious spam variants.

Declaring the war won is premature.  As businesses spend hundreds of millions of dollars around the world every year on prevention, as well as costing millions more in breaches, the spammers continue to profit from even the small percentage of spam that slips through.  Until that is stopped, the war goes on.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

We Have Not Won The War On Spam

Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.

Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.

Authorities would not identify the two suspects, saying only that they are a man and woman in their 20’s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.

Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zbot Trojan Ring Busted

Russian spammers are in the process of cashing in on the swine flu pandemic. Shady pharmacies are advertising Tamiflu for rock bottom prices using massive spam campaigns and search engine manipulation. Hundreds of fake “Canadian pharmacy” sites exist, many run by cybercrime gang Glavmed, whose “affiliates” rake in tens of thousands a day from the sales. The Tamiflu being offered is usually fake or out of date. Sometimes plain old sugar pills are provided, and in some cases, they are made of disturbing and downright dangerous ingredients like rat poison. Glavemed also runs SpamIt, a group of email spam affilates that is thought to be behind the Conficker, Waldec and Storm botnets.

The spammers are exploiting the news that global production of flu fighting drugs like Tamiflu is unable to keep up with demand. They are trying to appeal to those who may be likely to order out of panic, and they are finding success. The top countries ordering the fake flu medication are the US, Canada, France, the UK and Germany.

The gang, known as “THE PARTNERKA” has found such success because they are using a mix of methods to deliver their message. In addition to floods of email spam, they are using Black Hat SEO, social networking, and malware, and there are all kinds of software to help them, such as “John22” which generates HTML content for websites at an alarmingly fast rate, links them together, uploads them, and notifies Google. The pages are so good it’s near impossible to tell they were computer generated. Then there’s ZennoPoster, which generates webmail accounts on services like Gmail and Yahoo, and accounts on social networking, free web hosting and blog sites. It also sends text, email and forum/blog spam. This recipe ensures that spam filters and anti-virus programs won’t have much impact on their bottom line.

Security and Health experts alike are advising everyone to stay away from any pharmacy advertised in spam messages or affiliate marketing. If you need medication, get it from your licensed and educated doctor.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Russian Spammers Trying to Cash in On Swine Flu

A CAN-SPAM court decision may hurt the private domain registration business.

Spammers hiding behind private registration of domain names to spread junk email received a slap in the face recently by a federal district court in California. In their attempt to nullify the U.S. CAN-SPAM Act the garbage pedlars argued, among other things, that the law was unconstitutionally vague because anyone trafficking in private domain registrations could be held liable for materially falsifying an identity under the statute.

Ironically, private domain registrations were created to protect domain owners from spammers, scammers, telemarketers and other unsavory types. Under the process, domain owners who want to keep their personal  information private enlist another company, a proxy registrar, to register their domain for them. The domain owner retains control of the domain, but for public purposes, such as listing in the WHOIS directory, the proxy’s contact information is listed as the owner of the domain. The rub to the process, though, is that anyone can use it–even spammers seeking to hide ownership of their domains. It’s a  pair of such spammers that found themselves  appealing their prosecution before the Ninth Circuit Court of Appeals.

The case, U.S. v. Kilbride, involved a pair of porn spammers operating through a company based in the small African nation of Mauritius. Their spam, which generated 662,000 complaints with the U.S. Federal Trade Commission, violated CAN-SPAM in a number of ways including forged headers, fake email addresses and phony contact information. A jury, after a three week trial, convicted the defendants of criminal CAN-SPAM violations and other charges. One smut circulator received a 6.5 year prison term; the other, five years in the Big House.

In their arguments before the court, the skin merchants asserted that CAN-SPAM is too vague in its definition of material falsification to meet constitutional standards because it criminalizes private registration of domain names. The court, however, wasn’t buying that contention. “We fail to perceive any vagueness on this point,” the judges opined.

Passed in 2003, CAN-SPAM provides penalties for anyone, among  other things, who “materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages” or “registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names…”

The court also rejected the notion that the material falsification definition allows innocent people to be investigated for violating the law until their intent can be determined. That, the spammers asserted, invited law enforcement officials to abuse the law. “This may be so, but it does not make the statute
unconstitutionally vague,” the court said.

“As we recently noted,” it continued, ” ‘[w]hat renders a statute vague is not the possibility that it will sometimes be difficult to determine whether the incriminating fact it establishes has been proved; but rather the indeterminacy of precisely what that fact is.’”

“While determining as a factual matter whether the requisite intent for culpability under [CAN-SPAM]exists may prove difficult, this does not demonstrate
that the concept of intent as used in the statute is an entirely indeterminate, subjective one,” it added. “Hence, the problem Defendants identify is irrelevant to the vagueness inquiry.”

Of course, the Ninth Circuit is only one court, and its decisions don’t necessarily carry any weight outside its jurisdiction. Another court could very well find that CAN-SPAM’s falsification provisions are unconstitutional and send the whole issue to the Supreme Court.

For now, however, the question remains will court decisions that discourage netizens from using private registrations or registrars from offering them make a dent in the spam volumes which are consistently over 90 percent of all email on the Internet? Probably not. If the government gets tough in probing private registrations, it will probably discourage the innocent from engaging in the practice  while Black Hats, who live by subterfuge, will continue to keep it in their bag of dirty tricks.

One thing is certain, if the courts continue to crackdown on private registrations, it won’t favorably impact the registrars who turn a buck on them. As one attorney waggishly observed in his blog, “I don’t see the domain name proxy business as a growth industry.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Private registration no defense for spammers

When the attachment was downloaded it installed the Zeus Trojan, notorious for stealing personal and banking info. The Trojan install a keylogger which is activated whenever a banking or financial site is visited and logged into. It also steals login info from popular sites like Amazon, MySpace, Facebook and Ebay. Verizon Wireless released a statement saying they are aware of the incident.

          We’re aware of this spam/phishing message being sent to our customers over the past several days, and have taken steps to stop it from occurring,” said a Verizon spokesperson.

The campaign sent over 9 million messages before abruptly shutting down Monday morning. The researchers say the Trojan was repackaged six different time in an effort to evade detection by anti-virus software and firewalls.

Zeus has been around for quite awhile now. Its past spam campaigns included faked password reset requests from MySpace, faked notifications from the IRS, and a fake update from Microsoft.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zbot Trojan Unleashes Weekend Spam Campaign

Black Hats are finding social networking sites attractive targets for mischief.

As social networks like Facebook, MySpace and Linked-in have gained popularity among Web surfers, they’ve also attracted the attention of the Internet underworld. That’s because the likelihood of infecting a computer with malware distributed through a SocNet is much better than conventional email methods. How much better? Some security experts reported earlier this year that infection success rates were as high as 10 percent for malicious code circulated through a social network. That’s 10 times the infections that could be expected from an email spam campaign.

As Black Hats have turned their attention to SocNets, they’ve begun experimenting with going beyond exploiting the sites for distribution of bad apps and using the webposts for activities such as issuing commands and controlling the operation of botnets.

Just last week, security researchers uncovered a Trojan, dubbed Whitewall, that could use Facebook to coordinate its nefarious deeds. The sinister software is circulated by exploiting known vulnerabilities in Adobe Acrobat and Microsoft Office files. The documents look legit. They may look like communications from courier companies or headlines from news media.

The malware targets the mobile version of Facebook. It receives its marching orders by reading the notes section of that program. If a note contains the title “Wells,” it will contain a timestamp for when a machine is infected. If it’s “WebServer,” the app will execute a URL contained in the note from which it will receive commands. If the title is “White,” the Trojan will follow a URL to a site from which it will download a pernicious payload. If any other words are in the title, the software will do nothing and wait for further instructions.

At this point, White Hats say, the Trojan hasn’t infected a significant number of computers. Its discovery, though, may be important because it may be a proof of concept for hackers mulling ways to use SocNets as command and control servers.

Social networks have also been exploited for more conventional cracker attacks. At the end of October, for instance, more than 350,000 spam mails flooded inboxes claiming to be from Facebook. It told its  recipients that their Facebook password had been changed and instructed them to click on an attachment to obtain their new one. The attachment contained malware that turned its host into a zombie on a botnet.

The Facebook password con is just one example of how info highwaymen are leveraging the reputation of SocNets to spread their mischief. Not only are users more apt to engage in insecure behavior when they receive spam masquerading as email from one of their favorite social networks, but spam filters are less likely to scrap the correspondence before it reaches its target. For example, in a recent ethical phishing  experiment, a charade purporting to be from LinkedIn evaded all the anti-spam filters it was tested against.

The message concocted by the researchers was a mock invitation from Bill Gates, of Microsoft fame, to join his network on LinkedIn. LinkedIn was chosen because it’s known and trusted among many professionals and as such, mail originating from it would be recognized by many corporate email systems. As is typical in this kind of scam, the link in the email leads the user to a site that mimics a legitimate  LinkedIn page, but information collected in the forms at the site is sent to Black Hats. The campaign had a 100 percent success rate, with none of the malevolent mail being filtered out by the target system’s spam filters.

The simple solution to foiling cyberbandits milking the popularity of social networks for their own odious ends would be to shut down network access to such sites. That, however, may not only be an ineffective solution, but an insecure one as well. Younger workers expect to have access to their social networks from work. Failure to meet those expectations could affect a company’s ability to attract the kind of talent it needs to be competitive in its industry. Moreover, shutting down access to SocNets will only drive usage underground where it will open up potential security breaches in a corporate network. A better solution would be to allow access to social networks but carefully monitor    and regulate their use, as well as educating employees about “best practices” when using SocNets in the workplace.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why social networking spam reaps more rewards than email

Researchers have successfully knocked a major botnet offline. The Mega-D botnet was shut down by a team at FireEye. The researchers attacked the botnet by registering some domains meant for the botnet’s command and control servers and shutting down others. As a result it stopped sending spam immediately.

The attack began with abuse complaints being sent to the ISPs where Mega-D was being hosted. Nearly all the complaints were successful. Then the researchers began working with domain registrars to shut down the primary domains of the CnC channels, registered domains on Mega-D’s CnC list and registered some of the not yet generated ones (the botnet is programmed to generate new domains based on the date and time to back up its own list) for a total of three days to further cripple the botnet.

In the process of crippling the botnet, FireEye gained CnC control, which it used to help the owners of the zombie computers in it regain control of their PCs.

While Mega-D has for now completely stopped sending spam, researchers say it is only a matter of time before it comes back to life. To keep the botnet offline for good they’d have to keep registering future domains to stay ahead of it. This is still very good news. Mega-D is one of the largest botnets on the net and is responsible for pumping out billions of spam messages, most hawking fake supplements, shady internet pharmacies, and male enhancement products. FireEye’s experiment has proven that maybe, just maybe, bot herders aren’t quite as smart as they think they are.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Researchers Knock Mega-D Botnet Offline

Now several weeks later and with thousands of members joining the forum I realize the biggest benefit of the membership price – there is no spam.

For the average internet user everything they do online is free.  After they have paid for a computer and an internet connection from an ISP most people will not pay another cent for any of the intangible experiences that the internet has to offer.

Thousands of popular websites offer streaming videos, games, instant messaging and social networking without charging a cent for access.  Email is the ultimate free communication medium, costing nothing to acquire and use.  These services all attract spammers.

Free online services face a difficult challenge in preventing spam.  Their users want free access, but also resist overt monetization efforts by the website owner.  And yet without a revenue stream the websites can’t afford to invest heavily in security and support.  Without the money to fund a developer focus on proactive spam prevention, and a support team to handle reactive spam prevention, the spammers have a large window of opportunity to exploit these free services for their own gains.

The fallback monetization strategy for most of these websites is simple advertising.  MySpace added advertising early on.  YouTube is slowly introducing advertising models to support their massive infrastructure costs.

Facebook’s advertising system has an ironic twist – spammers can indirectly exploit the system by using free Facebook apps and games to gain access to users’ profile information, then use that information to personalize advertisements and target them more closely to certain demographics.  These advertisements are often unethical – for example targeting 15 year old girls to sign up their mobile phone (paid for by their parents) to a ringtone subscription service in order to earn more points to use within a popular Facebook game.

The irony is that so much money is made by the advertiser, who in turn pays fees to Facebook, that the spammers are largely responsible for generating the revenue streams that make it more feasible for Facebook to invest more in security and spam prevention.  Would this problem exist if services such as Facebook were not free?

This idea meets with a predictably mixed response.  A decade ago people my age spent money every month in phone calls and postage stamps communicating with our friends and family.  These days we do it for free online, but the concept of paying for this service is not out of the question for most.

Younger generations are more used to the idea of instant, global communication at zero cost.  Paying for such access seems ludicrous, despite the obvious irony that many of them spend hundreds or thousands each year on computers, internet access and mobile phones to make use of the free services.

A monthly or yearly fee would no doubt lower the signup rate for these websites.  Would Facebook have 350 million users today if each had to pay $30/year?  Not likely, especially if free alternatives (even lower quality ones) existed.  Would they prefer to have 1/100^th of the users if it meant a consistent revenue stream and more secure experience?  Probably not.  Success online is measured in eyeballs not dollars.

Would charging for Facebook or Twitter accounts solve the spam problem on the internet?  Not completely.  For the spammer the target audience is perhaps much smaller, but the ultimate free spam vector – email – still remains available to them.  Only now the attacks are easier.

Consider the success of bank phishing scams.  The emails are effective because they play to the fears of the victims – that their hard earned money may be in jeopardy if they do not take the action the spammer asks them to (e.g. verify their account password because of a recent suspicious transaction).

When you attach a value to something it makes phishing that much easier.  Losing your free Facebook account is a minor inconvenience.  Losing your paid Facebook account is a blow to the hip pocket.  Just like the bank phishing email for a specific bank, although the Facebook phishing scam would reach fewer actual Facebook users but each would be more likely to fall for it because of the higher value of the account.

As long as email is free spam will exist.  A spammer doesn’t need access to Facebook, free or paid, to exploit the popularity of the service in order to trick victims into giving up their account passwords or installing malware on their computer.  All they need is the ability to send email, which comes at a cost so close to zero that almost any level of success can lead to a positive ROI.

This ultimately means that the responsibility for preventing spam rests with businesses and end users.  You must take ownership of the risks and protect yourself instead of waiting for free online services to deliver protection for you.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Would Spam Exist if the Internet Wasn’t Free?

This scam has two sets of victims, the companies that are being stolen from and the innocent people being used to do the dirty work. Most are recruited via phony “Work from Home” ads. Scammers prey on the unemployed and underemployed, often flooding sites like Craigslist and Monster with fake job openings and also scanning the site for job seekers who have posted contact info and spamming them. What makes this part of the spear phishing scam so sinister is that the mules aren’t just being scammed, they are money laundering, which is a serious criminal offense.

The FBI advises companies to confine their banking activities to a dedicated, locked down computer that is not used for any other purpose and isn’t allowed access email or everyday web browsing. A strong and constantly updated firewall is also a must.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

FBI Issues Warning About Spear Phishing

Gumblar uses SQL injection to infect Web servers.

Malware watchers are reporting that Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of White Hats this spring when it used SQL injection attacks to infect legitimate websites–sites such as Tennis.com, Variety, and Coldwellbanker.com–and spread itself to the personal computers of visitors to those netposts. SQL injection attacks are performed on the database layer of an application. They take advantage of vulnerabilities in the layer that can be exploited by input that produces unintended consequences, such as forgetting to authenticate a user’s identity.

After making its initial splash, its activity abated only to experience a revival at the end of the summer. Now it’s running wild again, according to security researchers, infecting hundreds of trusted sites and through them, thousands of PCs.

In its birth form, the badapp poisoned a site’s back end server or used an iFrame or other ploy to redirect a visitor to black server for a proper fleecing and contamination. The use of iFrames has become a popular ruse of cyberbandits. Once injected into a trusted site, it redirects a browser to another iFrame that executes clandestine javascript code on an unsuspecting keyboard jock’s computer. The code then connects to Net places where more code is secretly executed to exploit vulnerabilities in a target system. Crackers leverage those vulnerabilities to gain control of a user’s computer and filch usernames, passwords and other information from the system. It also looks for FTP credentials so it can infect more servers.

Although browsers like Firefox will alert users when they are being redirected from a website, the practice is so common that most users sanction it without a second thought, much as they would when they receive a notice to upgrade a browser extension or plug-in.

The original Gumblar redirected its victims to a couple of nefarious sites, but now, White Hats say, the scamgram is pointing gulls to thousands of servers in more than 200 countries. In the United States alone it’s estimated that more than 7200 servers are spreading Gumblar. A favorite target of Gumbsters are servers with the domain extension .edu or .gov.

The latest version of Gumblar appears to be departing from its iFrame roots, according to security experts. Rather than redirecting muggins to a rogue site, like Gumblar.cn, it’s planting its sickening scripts and felonious payloads directly on a compromised host. That makes fighting the malware that much harder. Instead of focusing on an attack vector consisting of one or two servers, they now have to cope with one made up of thousands of infected servers. Moreover, the scripts are camouflaged so they match the existing file structure at a website and heavy obfuscation is used to foil existing security measures.

According to one malware watcher, Gumblar’s script modifies this key in the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

The alteration ensures that the malware will load any time a browser is launched.

The malicious program also alters sqlsodbc.chm, a default file found in the Windows\System32 directory on Windows XP

Security experts report that the latest strain of Gumblar is fond of infecting Adobe Reader and Flash Player files. They add that infections are so widespread that some PC vendors are finding their support lines inundated with calls about erratic computer behavior that is symptomatic of the cybercancer. That behavior includes spontaneous reboots and failure to reboot completely. In the case of an incomplete startup, the computer’s screen will remain black with only a mouse pointer displayed.

Gumblar’s behavior is leading some security researchers to believe that it is a “botnet for hire” designed to achieve a variety of ends for a variety of Web rats. In some cases, the badapp is merely redirecting traffic to a rogue site to collect page views and collect advertising revenue through click fraud. In other cases, it’s diverting Websters to sites which will infect a target’s system with malware.

Making sure a system’s operating system’s security patches are up to date and an organization’s intrusion prevention signatures  are current can provide some measure of protection from Gumblar, but vigilence when those redirect messages pop up in a browser window will go a long way in thwarting the malware’s malevolent aspirations.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Gumblar has new face on ugly head

The report also found that malware and botnets have increased by 30%. While social  networks like Facebook and Twitter have been especially hard hit, email is still popular with spammers and scammers. Over 94% of all emails sent are spam. Pharmaceutical spam is the most prevalent, followed by porn, male enhancement and fake designer goods. Brand abuse is also rising, with everything from the AARP to the Hollywood Reporter finding themselves exploited by spammers. One such brand, UPS, is being used  in spam messages spreading the Bredolab Trojan and the sending of those messages has been rising sharply.

Bredolab has been very active in helping to increase the Cutwail botnet, which was briefly derailed when Pricewert, the rogue ISP hosting it, was shut down. As expected it quickly found a new home and bounced back to life. Security experts expect spam and malware levels to continue to increase throughout the holiday season.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spain Leads World in Botnet Infections

As if that weren’t enough, believe it or not, Valentine’s Day themed spam has already been spotted as well! The spams are in the form of love letters and hawk male enhancement products and shady internet pharmacies claiming to offer cheap Viagra and Cialis. In addition, spam exploiting the 2010 World Cup, which is over 6 months away. Those spams are thinly veiled 419 or Nigerian scam messages. The Cutwail and Rustock  botnets are responsible. It appears spammers are getting a very early jump on upcoming holidays and events and are trying a variety of different scams. This is only the beginning. Expect more holiday themed spam and malware attacks to be unleashed as the season unfolds.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Tis the Season for Christmas Spam

The article starts out by deconstructing the term “identity theft” which makes it seem less dangerous than it really is and states that “identity theft” doesn’t steal anybody’s true identity, or personhood of what makes them what they are. When you are a victim of this crime, you remain you, but that’s only a small consolation when a stranger is charging up luxury cruises and fur coats on your credit card. It’s a semantic bit of theory that was actually played out on the “Family Guy” cartoon when actor James Woods stole the identity of cartoon character Peter Griffin, to the point of moving into Peter’s home, sitting at his dinner table and sleeping in his bed. It was a funny episode, but of course, that’s not what identity theft really is.

The article comments about how experts “hounded” people into shredding bank statements and being vigilant about monitoring credit reports, but the fact is, doing so really is a good idea. It’s not a conspiracy by manufacturers of shredding machines, or of companies offering various fee-based monitoring and protection services. And here’s the real kicker, at the end of the article: “It turns out that ‘identity theft’ is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money—but your soul. Maybe it’s time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don’t need.”

Advice like this is what lulls people into a false sense of security and prevents them from taking the precautions that they need to take. Is it a fear campaign? To a degree, yes, it is. But it’s based on fear of something very real. So there is reason to be afraid and one must take the necessary steps to protect oneself – because you could be a victim.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Identity theft is the real thing

The move–claimed by ICANN as the biggest technical change in the 40-year history of the Internet–will allow domain names to be created in languages such as Arabic, Korean, Greek, Hindi, Japanese and Cyrillic. It was initially approved in 2008, but finalization won’t be completed until the organization wraps up its conference in Seoul, Korea. While the new non-Latin alphabet addresses won’t start appearing until next year, ICANN expects to see applications for the domains appearing as early as next month.

ICANN estimates that more than half of the Internet’s 1.6 billion surfers use non-Latin alphabets and that the acceptance of those alphabets in domain names will save 60 billion to 100 billion keystrokes a day by averting the need to type country codes in Web addresses. Some countries are already using their native alphabets in domain names, but their country codes are in a Latin letter set. Bulgaria, for example, uses Cyrilic, but uses .bg for its country code.

ICANN has been testing the new technology behind the change for two years–a process that phishers are keenly aware of. They’ve exploited a variation of a technique, called URL spoofing, that leverages non-Latin characters in domain names to divert unsuspecting Websters to malicious Internet sites to rip off their personal information and infect their computers with malware.

URL spoofing substitutes an outlaw Web address for a legitimate one. A simple way to do that is to exploit the state of spelling among English-speaking people. A site like eddiebaur.com might fool the eye of a casual Web surfer looking for outdoor gear from Eddie Bauer. Gaps in domain coverage can also aid spoofers. Who can forget the adult website owner who registered whitehouse.com and siphoned traffic intended for whitehouse.gov? Poor screen typography has also been a rich source of exploitation for phishers. For example, g00gle.com can appear to be google.com in some screen fonts.

With the addition of International Domain Names, which ICANN will be expanding next year, phishers found another way to disguise their spoofing by taking advantage of similarities between some of the characters in foreign and Latin alphabets. What makes that approach superior to other typographic tricks is that a target may have no way of knowing that he or she is headed to a spoofed address. That’s because in certain fonts foreign characters look like Latin characters. For example, a Cyrillic “o” will look like its Latin counterpart in many fonts. While a netizen may not be able to distinguish between the two o’s, his or her browser can, and it will act accordingly, taking the unwitting cybertraveler to some Internet back alley where he or she can be fleeced.

ICANN has believed for a long time that homographic attacks that exploit IDNs are a manageable problem. For example, it noted in a statement released in 2005:

“While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards. Significant work has been done to define implementation practices such as IDN Language Registry Tables, and guidelines for restricting or managing mixed-character-set domain name registrations.”

“ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread,” it added, “and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.”

Despite ICANN’s optimism, the verdict will reamin out on how manageable the spoofing problem is until cyberspace starts getting flooded with IDNs and the phishers start working their malevolence on them.

Phishing is becoming increasingly popular among Black Hats as a vehicle for Internet crime. The Anti-Phishing Working Group, in an analysis released last month, noted that unique phishing reports submitted to the organization hit an all time high of 37,758 in May. The number of phishing websites also peaked during the first six months of this year, reaching 49,084, the highest figure since April 2007, when a record 55,643 sites were reported.

The APWG also revealed that the unique instances of domains used to target specific brands reached an all time high of 21,085 in June, a 92 percent increase over January of this year.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ICANN move contributing to URL spoofing?

A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.  This delivery model carries many benefits to the customers.

Equipment Costs – by choosing a hosted service the customer is not required to purchase their own server hardware to run the security product on their own premises.

Support Costs – support is included in the monthly fee to the hosted provider, so the customer is not required to hire and retain staff to manage an on-premise solution.  The hosted provider is responsible for all maintenance and upgrades to keep the service running smoothly.

License Costs – because the customer is not running their own server they also save on software licensing costs.  Furthermore they are simply paying a per-user license cost to the hosted provider.

Bandwidth – because any virus or spam emails are filtered by the hosted provider that traffic never reaches the customer’s network, saving their bandwidth which is both a cost and a performance benefit.

Scalability – the customer benefits by only having to pay per-user, and then having the flexibility to scale up as necessary by buying more licenses.  For on-premises solutions this may eventually lead to outgrowing an existing server, whereas with hosted services the provider manages their overall capacity needs for all of their customers and is responsible for scaling up as necessary to meet demand.

Features – end user control and comprehensive reporting are two features common to hosted services.  Some on-premises solutions lack these important features.

Simplicity – for large businesses with multiple network entry points a hosted service offers a single point of entry for email rather than having to manage multiple points of entry each with their own security product installed.

Flexibility – if a hosted service is not performing well or meeting expectations the customer can simply switch to another service without wasting expenditure.  For on-premises solutions switching to a new product can be costly because the existing product has already been paid for.

Compatibility – hosted services operate independent to their customer’s normal choice of server operating system or email platform.  For on-premises solutions a customer is often constrained by which products will be compatible with their other systems.

The benefits of hosted email security solutions are quite clear and for many businesses a hosted service will be a much more cost effective option than on-premises solutions.  Certainly all businesses should carefully consider hosted offerings when they are evaluating antispam solutions for themselves.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

9 Benefits of Hosted Antispam Services

Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.

“While we don’t expect to quickly collect the full amount, we’ll work hard to get everything we can,” Simon Axten, a privacy and public policy associate at Facebook, said in a statement.

The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account’s friends list. In addition to the hefty judgement the three spammers face possible prison sentences.

Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace’s attempts to collect their judgement.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Wins Suit Against Spammer

Geocities became popular in the last 1990s as a free and easy way for people to publish web sites about their businesses and hobbies.  Although in recent years it stood as a monument to horrible website design in its prime it was one of the most visited sites on the internet.

After a takeover by Yahoo! in 1999 the website began a slow but steady decline due to various changes by the new owner.  However one demographic that remained strong on Geocities was spammers.

The attractiveness of Geocities for spammers came down to a few key elements:

1. Geocities.com was a trusted and recognizable domain name to normal internet users
2. As a Yahoo! property it was unlikely that the various Geocities domain names would be blocked by anti-spam product vendors
3. Geocities permitted JavaScript on the web pages it hosted

User Trust and Social Engineering

A social engineering attack is one in which the attacker convinces the victim to perform a certain task.  These attacks involve establishing the appearance of legitimacy and trustworthiness in the eyes of the victim.

For a spammer who wants to convince a person to click on a link in an email the Geocities.com domain name was a perfect way to gain the trust of the victim because it was highly likely the person would recognize it as a place for legitimate web sites.

Free Services and Combating Abuse

As most internet security experts will attest, if there is a free service available on the web then spammers will abuse it.  The problem with this is that many free services are hosted by large, trustworthy internet companies and have millions of users.This presents security vendors with an obvious dilemma – the service is being exploited by spammers and should be blocked, however the service is also heavily used by legitimate users and so blocking it would likely cause customers some pain.

JavaScript Redirection

JavaScript is a web programming language commonly used on web sites all over the internet.  JavaScript has many useful applications but like all useful things can also be used maliciously.

Although JavaScript redirection in itself is not malicious, it is obviously able to be used in that way to redirect users from one seemingly harmless URL to another one that a spammer wants people to visit.

Geocities Was Perfect for Spammers

When you combine all of the above three elements it is not hard to see why Geocities was perfect for spammers.

A spammer could start a new Geocities web site, add the JavaScript code to redirect visitors to their real web site, and then blast out millions of spam messages with the Geocities URL to try and trick people into clicking the links.

The Geocities shutdown is a minor relief for security vendors and professionals.  Unfortunately it was only one of hundreds of similar sites that still remain today.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Geocities Shutdown Closes Door on Spammers

A new wave of spam being pumped out by the Pushdo botnet is exploiting the FDIC and attempting to capitalize on worries about the economy. The spams are made to look like they came from the FDIC and inform the recipient that their bank has failed and urges them to click on the included link to make sure their accounts have been insured.

The link actually leads to a malicious website that downloads the Zbot Trojan, which adds the computer to the Pushdo botnet and uses it to send out more FDIC spams. The Trojan also monitors the computer’s web activity and activates a keylogger whenever it detects banking, financial or e-commerce site. The users personal information and logon credentials are stolen and sent to the hacker’s server where they are stored and used for identity theft or sold to other criminals.

Pushdo is also using Facebook to acquire new zombies. Recipents receive an email with an attached file. The email is said to come from “The Facebook Team” and tells the recipient their password has been changed for security purposes and they should open the attachment to retrieve their new one. A hidden .exe file is contained within it and once opened downloads Zbot.

Pushdo was previously responsible for the flood of IRS spams that have become the top spam campaign on the net, and before that for a flood of spams that exploited the tragic death of pop icon Michael Jackson. Look for Pushdo to launch new spam campaigns in the near future, most likely timed to take advantage of the upcoming holiday season.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Pushdo Botnet Sending FDIC Spam

A new sting operation conducted by the Nigerian Economic and Financial Crimes Commission has already nabbed 18 spammers. Dubbed Operation Eagle Claw, it has also led to the shut down of 800 malicious websites. The Commission has partnered with Microsoft on the project and said its goal is to remove Nigeria from the top 10 list of countries where the most scam emails originate from.

The Nigerian or 419 scam, named after the section number in the Nigerian Penal code that makes them illegal, has been around almost as long as the web itself and has several variations of a story designed to make the recipient think he will receive a huge fortune if he helps a foreign citizen (often a member of a non-existent royal family, a long lost relative who’s been killed, or a clergy member) transfer their money out of the country. The scammer either poses as the person themselves or as their lawyer. All the person has to do is turn over their personal info and wire over a small processing fee.

Once the scammer has snared a victim the requests keep coming. A bank, legal or government fee has to be paid, or sometimes a bribe. The game keeps going until the victim’s bank accounts run dry, and then the scammer disappears. The scam has bankrupted people, destroyed marriages and in a few cases has led to murder. At least three people have been kidnapped and murdered after traveling to Nigeria to seek this fortune, and in another case a man shot and killed an official at the Nigerian embassy in Prague after they refused to return the money he lost to a Nigerian scammer. 16 people have been kidnapped by Nigerian scammers when they went to the country after falling for the scam, but were released unharmed.

Recent variations on the scam include spams claming the recipient has won a foreign lottery, or had their profile discovered by someone on a dating site, and anyone who has tried to sell something on Ebay or Craigslist has likely gotten multiple spams from 419 scammers offering to buy the item for several times more than the asking price and asking it to shipped to a foreign address.

Operation Eagle Claw has just begun but it seems to be off to a very good start. Nigeria’s reputation has been ruined by these scammers and hopefully the operation will put a very big dent in the volume of 419 scam messages that clog all our inboxes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Sting Operation Snags 18 Nigerian Spammers

A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve. It can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter HTML coding before it’s displayed. This lets it rewrite bank statements to hide the fraudulent activity underway. This buys the scammers more time to clean out the account.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” says Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan. “It’s a very sophisticated technique. They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there. If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

The money is then sent to money mules who were tricked into doing the scammer’s dirty work. Most fell for the fake job posting spam advertising a lucrative work at home position and have no idea they are being scammed too.

URLZone is controlled by a server in the Ukraine. While officials there announced they had suspended its domain, count on it to simply find a new home. As we saw after the McColo shutdown last year it doesn’t take long at all for hackers and scammers to set up shop somewhere else. Finjan says the URLZone operation could easily make over $7 million a year.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Malware Covers Its Tracks By Altering Bank Statements