<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Anti spam and general email security in a business environment</title>
	
	<link>http://www.allspammedup.com</link>
	<description />
	<lastBuildDate>Fri, 06 Nov 2009 13:01:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/Allspammedup" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Tis the Season for Christmas Spam</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/_J3trOhDvhU/</link>
		<comments>http://www.allspammedup.com/2009/11/tis-the-season-for-christmas-spam/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 12:57:02 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Cutwail botnet]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1749</guid>
		<description><![CDATA[Halloween has barely passed but spammers are already flooding the net with their Christmas spam campaigns. The spam messages sport urgent-sounding headlines like “Quantities are low!” and advertise knock offs of designer handbags, watches and jewelry. Anyone who clicks on the included link is taken to a very slick and legit looking site that is [...]<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2009/11/tis-the-season-for-christmas-spam/">Tis the Season for Christmas Spam</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1750" src="http://www.allspammedup.com/wp-content/uploads/2009/11/IMG_8103.jpg" alt="IMG_8103" width="114" height="180" />Halloween has barely passed but spammers are already flooding the net with their Christmas spam campaigns. The spam messages sport urgent-sounding headlines like “Quantities are low!” and advertise knock offs of designer handbags, watches and jewelry. Anyone who clicks on the included link is taken to a very slick and legit looking site that is actually malicious. It’s a fake storefront designed to steal personal and financial info. Experts say that the Cutwail botnet is responsible.</p>
<p>As if that weren’t enough, believe it or not, Valentine’s Day themed spam has already been spotted as well! The spams are in the form of love letters and hawk male enhancement products and shady internet pharmacies claiming to offer cheap Viagra and Cialis. In addition, spam exploiting the 2010 World Cup, which is over 6 months away, has already appeared. Those spams are thinly veiled 419 or Nigerian scam messages. The Cutwail and Rustock botnets are responsible. It appears spammers are getting a very early jump on upcoming holidays and events and are trying a variety of different scams. This is only the beginning. Expect more holiday themed spam and malware attacks to be unleashed as the season unfolds.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/tis-the-season-for-christmas-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/11/tis-the-season-for-christmas-spam/</feedburner:origLink></item>
		<item>
		<title>Identity theft is the real thing</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/XZPfG930Hb0/</link>
		<comments>http://www.allspammedup.com/2009/11/identity-theft-is-the-real-thing/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 11:05:53 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1671</guid>
		<description><![CDATA[Last week, a Wall Street Journal article entitled &#8220;The fallacy of identity theft&#8221; may have given some people the mistaken impression that there&#8217;s nothing to worry about, and that everyone&#8217;s identities are safe. Unfortunately, however, that&#8217;s not quite the case, and yes, you do need to be paranoid about it. It&#8217;s the real deal, and identity [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1679" style="margin: 10px;" title="Identity Theft" src="http://www.allspammedup.com/wp-content/uploads/2009/10/21st-Century-Heists-Part-2-400x268.jpg" alt="Identity Theft" width="280" height="188" />Last week, a Wall Street Journal article entitled &#8220;<a target="_blank" href="http://online.wsj.com/article/SB125537784669480983.html">The fallacy of identity theft</a>&#8221; may have given some people the mistaken impression that there&#8217;s nothing to worry about, and that everyone&#8217;s identities are safe. Unfortunately, however, that&#8217;s not quite the case, and yes, you do need to be paranoid about it. It&#8217;s the real deal, and identity thieves can, and do on a regular basis, steal people&#8217;s identities and wreak havoc on their lives.</p>
<p>The article starts out by deconstructing the term &#8220;identity theft&#8221; in a way that makes it seem less dangerous than it really is, stating that &#8220;identity theft&#8221; doesn&#8217;t steal anybody&#8217;s true identity, or the personhood that makes them what they are. When you are a victim of this crime, you remain you, but that&#8217;s only a small consolation when a stranger is charging up luxury cruises and fur coats on your credit card. It&#8217;s a semantic bit of theory that was actually played out on the &#8220;Family Guy&#8221; cartoon when actor James Woods stole the identity of cartoon character Peter Griffin, to the point of moving into Peter&#8217;s home, sitting at his dinner table and sleeping in his bed. It was a funny episode, but of course, that&#8217;s not what identity theft really is.</p>
<p>The article comments about how experts &#8220;hounded&#8221; people into shredding bank statements and being vigilant about monitoring credit reports, but the fact is, doing so really is a good idea. It&#8217;s not a conspiracy by manufacturers of shredding machines, or of companies offering various fee-based monitoring and protection services. And here&#8217;s the real kicker, at the end of the article: &#8220;It turns out that &#8216;identity theft&#8217; is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money—but your soul. Maybe it&#8217;s time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don&#8217;t need.&#8221;</p>
<p>Advice like this is what lulls people into a false sense of security and prevents them from taking the precautions that they need to take. Is it a fear campaign? To a degree, yes, it is. But it&#8217;s based on fear of something very real. So there is reason to be afraid and one must take the necessary steps to protect oneself &#8211; because you could be a victim.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/identity-theft-is-the-real-thing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/11/identity-theft-is-the-real-thing/</feedburner:origLink></item>
		<item>
		<title>ICANN move contributing to URL spoofing?</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/pJFUv8xca8Q/</link>
		<comments>http://www.allspammedup.com/2009/11/icann-move-contributing-to-url-spoofing/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 15:17:47 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[ICANN]]></category>
		<category><![CDATA[URL spoofing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1708</guid>
		<description><![CDATA[By the middle of next year, the lock that Latin alphabets have had on Internet domain names will be broken, when a plan announced last week by the International Corporation for Assigned Names and Numbers, better known as ICANN, is implemented. That prospect may have phishers licking their lips.
The move&#8211;claimed by ICANN as the biggest [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1715" src="http://www.allspammedup.com/wp-content/uploads/2009/10/icann-logo-Custom.jpg" alt="icann logo (Custom)" width="240" height="164" />By the middle of next year, the lock that Latin alphabets have had on Internet domain names will be broken, when a plan announced last week by the International Corporation for Assigned Names and Numbers, better known as ICANN, is implemented. That prospect may have phishers licking their lips.</p>
<p>The move&#8211;claimed by ICANN as the biggest technical change in the 40-year history of the Internet&#8211;will allow domain names to be created in languages such as Arabic, Korean, Greek, Hindi, Japanese and Cyrillic. It was initially approved in 2008, but finalization won&#8217;t be completed until the organization wraps up its conference in Seoul, Korea. While the new non-Latin alphabet addresses won&#8217;t start appearing until next year, ICANN expects to see applications for the domains appearing as early as next month.</p>
<p>ICANN estimates that more than half of the Internet&#8217;s 1.6 billion surfers use non-Latin alphabets and that the acceptance of those alphabets in domain names will save 60 billion to 100 billion keystrokes a day by averting the need to type country codes in Web addresses. Some countries are already using their native alphabets in domain names, but their country codes are in a Latin letter set. Bulgaria, for example, uses Cyrillic, but uses .bg for its country code.</p>
<p><span id="more-1708"></span></p>
<p>ICANN has been testing the new technology behind the change for two years&#8211;a process that phishers are keenly aware of. They&#8217;ve exploited a variation of a technique, called URL spoofing, that leverages non-Latin characters in domain names to divert unsuspecting Websters to malicious Internet sites to rip off their personal information and infect their computers with malware.</p>
<p><a href="http://www.allspammedup.com/2009/09/scamsters-use-url-spoofs-to-evade-spam-filters/" target="_blank">URL spoofing</a> substitutes an outlaw Web address for a legitimate one. A simple way to do that is to exploit the state of spelling among English-speaking people. A site like eddiebaur.com might fool the eye of a casual Web surfer looking for outdoor gear from Eddie Bauer. Gaps in domain coverage can also aid spoofers. Who can forget the adult website owner who registered whitehouse.com and siphoned traffic intended for whitehouse.gov? Poor screen typography has also been a rich source of exploitation for phishers. For example, g00gle.com can appear to be google.com in some screen fonts.</p>
<p>With the addition of International Domain Names, which ICANN will be expanding next year, phishers found another way to disguise their spoofing by taking advantage of similarities between some of the characters in foreign and Latin alphabets. What makes that approach superior to other typographic tricks is that a target may have no way of knowing that he or she is headed to a spoofed address. That&#8217;s because in certain fonts foreign characters look like Latin characters. For example, a Cyrillic &#8220;o&#8221; will look like its Latin counterpart in many fonts. While a netizen may not be able to distinguish between the two o&#8217;s, his or her browser can, and it will act accordingly, taking the unwitting cybertraveler to some Internet back alley where he or she can be fleeced.</p>
<p>ICANN has believed for a long time that homographic attacks that exploit IDNs are a manageable problem. For example, it <a target="_blank" href="http://www.icann.org/en/announcements/announcement-23feb05.htm">noted in a statement</a> released in 2005:</p>
<blockquote><p>&#8220;While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards. Significant work has been done to define implementation practices such as IDN Language Registry Tables, and guidelines for restricting or managing mixed-character-set domain name registrations.&#8221;</p></blockquote>
<blockquote><p>&#8220;ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread,&#8221; it added, &#8220;and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.&#8221;</p></blockquote>
<p>Despite ICANN&#8217;s optimism, the verdict will remain out on how manageable the spoofing problem is until cyberspace starts getting flooded with IDNs and the phishers start working their malevolence on them.</p>
<p>Phishing is becoming increasingly popular among Black Hats as a vehicle for Internet crime. The Anti-Phishing Working Group, in an analysis released last month, noted that unique phishing reports submitted to the organization hit an all time high of 37,758 in May. The number of phishing websites also peaked during the first six months of this year, reaching 49,084, the highest figure since April 2007, when a record 55,643 sites were reported.</p>
<p>The <a target="_blank" href="http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf">APWG also revealed</a> that the unique instances of domains used to target specific brands reached an all time high of 21,085 in June, a 92 percent increase over January of this year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/icann-move-contributing-to-url-spoofing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/11/icann-move-contributing-to-url-spoofing/</feedburner:origLink></item>
		<item>
		<title>9 Benefits of Hosted Antispam Services</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/wOCiTXG7h4s/</link>
		<comments>http://www.allspammedup.com/2009/11/9-benefits-of-hosted-antispam-services/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 09:41:59 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[hosting]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1753</guid>
		<description><![CDATA[Cloud computing is a popular topic these days.  One of the ways in which cloud computing is being delivered to businesses is by hosted email security services.
A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.  This delivery model carries many benefits to the customers.
Equipment [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1754" style="margin: 10px;" title="Hosted anti-spam services" src="http://www.allspammedup.com/wp-content/uploads/2009/11/211738_7448.jpg" alt="211738_7448" width="250" height="187" />Cloud computing is a popular topic these days.  One of the ways in which cloud computing is being delivered to businesses is by hosted email security services.</p>
<p>A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.  This delivery model carries many benefits to the customers.</p>
<p><strong>Equipment Costs</strong> – by choosing a hosted service the customer is not required to purchase their own server hardware to run the security product on their own premises.</p>
<p><strong>Support Costs</strong> – support is included in the monthly fee to the hosted provider, so the customer is not required to hire and retain staff to manage an on-premise solution.  The hosted provider is responsible for all maintenance and upgrades to keep the service running smoothly.</p>
<p><strong>License Costs</strong> – because the customer is not running their own server they also save on software licensing costs.  Furthermore they are simply paying a per-user license cost to the hosted provider.</p>
<p><strong>Bandwidth</strong> – because any virus or spam emails are filtered by the hosted provider that traffic never reaches the customer’s network, saving their bandwidth which is both a cost and a performance benefit.<span id="more-1753"></span></p>
<p><strong>Scalability </strong>– the customer benefits by only having to pay per-user, and then having the flexibility to scale up as necessary by buying more licenses.  For on-premises solutions this may eventually lead to outgrowing an existing server, whereas with hosted services the provider manages their overall capacity needs for all of their customers and is responsible for scaling up as necessary to meet demand.</p>
<p><strong>Features </strong>– end user control and comprehensive reporting are two features common to hosted services.  Some on-premises solutions lack these important features.</p>
<p><strong>Simplicity</strong> – for large businesses with multiple network entry points a hosted service offers a single point of entry for email rather than having to manage multiple points of entry each with their own security product installed.</p>
<p><strong>Flexibility </strong>– if a hosted service is not performing well or meeting expectations the customer can simply switch to another service without wasting expenditure.  For on-premises solutions switching to a new product can be costly because the existing product has already been paid for.</p>
<p><strong>Compatibility </strong>– hosted services operate independently of their customer’s normal choice of server operating system or email platform.  For on-premises solutions a customer is often constrained by which products will be compatible with their other systems.</p>
<p>The benefits of hosted email security solutions are quite clear and for many businesses a hosted service will be a much more cost effective option than on-premises solutions.  Certainly all businesses should carefully consider hosted offerings when they are evaluating antispam solutions for themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/11/9-benefits-of-hosted-antispam-services/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/11/9-benefits-of-hosted-antispam-services/</feedburner:origLink></item>
		<item>
		<title>Facebook Wins Suit Against Spammer</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/xk0nbcTEYSs/</link>
		<comments>http://www.allspammedup.com/2009/10/facebook-wins-suit-against-spammer/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 04:09:57 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CAN-SPAM Act]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam legislation]]></category>
		<category><![CDATA[spammer]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1728</guid>
		<description><![CDATA[
Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.
&#8220;While we don&#8217;t expect to quickly collect the full amount, we&#8217;ll work hard to get everything we [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1730" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/11/facebook_logo.jpg" alt="facebook_logo" width="148" height="61" /></p>
<p>Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.</p>
<blockquote><p>&#8220;While we don&#8217;t expect to quickly collect the full amount, we&#8217;ll work hard to get everything we can,&#8221; Simon Axten, a privacy and public policy associate at Facebook, said in a statement.</p></blockquote>
<p>The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account&#8217;s friends list. In addition to the hefty judgement the three spammers face possible prison sentences.</p>
<p>Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace&#8217;s attempts to collect their judgement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/facebook-wins-suit-against-spammer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/facebook-wins-suit-against-spammer/</feedburner:origLink></item>
		<item>
		<title>Geocities Shutdown Closes Door on Spammers</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/NsFYEuN7UyY/</link>
		<comments>http://www.allspammedup.com/2009/10/geocities-shutdown-closes-door-on-spammers/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 15:20:39 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Geocities]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Yahoo]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1721</guid>
		<description><![CDATA[This week Yahoo! permanently closed down its venerable Geocities service.  This move ended one of the internet’s longest standing free web site hosting services and one of the most frustrating spam problems of more recent years.
Geocities became popular in the late 1990s as a free and easy way for people to publish web sites about [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1724" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/closed.jpg" alt="closed" width="250" height="153" />This week Yahoo! permanently closed down its venerable Geocities service.  This move ended one of the internet’s longest standing free web site hosting services and one of the most frustrating spam problems of more recent years.</p>
<p>Geocities became popular in the late 1990s as a free and easy way for people to publish web sites about their businesses and hobbies.  Although in recent years it stood as a monument to horrible website design, in its prime it was one of the most visited sites on the internet.</p>
<p>After a takeover by Yahoo! in 1999, the website began a slow but steady decline due to various changes by the new owner.  However, one demographic that remained strong on Geocities was spammers.</p>
<p>The attractiveness of Geocities for spammers came down to a few key elements:</p>
<ol>
<li>Geocities.com was a trusted and recognizable domain name to normal internet users</li>
<li>As a Yahoo! property it was unlikely that the various Geocities domain names would be blocked by anti-spam product vendors</li>
<li>Geocities permitted JavaScript on the web pages it hosted</li>
</ol>
<h2>User Trust and Social Engineering</h2>
<p>A social engineering attack is one in which the attacker convinces the victim to perform a certain task.  These attacks involve establishing the appearance of legitimacy and trustworthiness in the eyes of the victim.</p>
<p>For a spammer who wants to convince a person to click on a link in an email, the Geocities.com domain name was a perfect way to gain the trust of the victim because it was highly likely the person would recognize it as a place for legitimate web sites.</p>
<h2>Free Services and Combating Abuse</h2>
<p>As most internet security experts will attest, if there is a free service available on the web then spammers will abuse it.  The problem with this is that many free services are hosted by large, trustworthy internet companies and have millions of users.<span id="more-1721"></span>This presents security vendors with an obvious dilemma – the service is being exploited by spammers and should be blocked, however the service is also heavily used by legitimate users and so blocking it would likely cause customers some pain.</p>
<h2>JavaScript Redirection</h2>
<p>JavaScript is a web programming language commonly used on web sites all over the internet.  JavaScript has many useful applications but like all useful things can also be used maliciously.</p>
<p>Although JavaScript redirection is not malicious in itself, it can obviously be used to send users from one seemingly harmless URL to another one that a spammer wants people to visit.</p>
<h2>Geocities Was Perfect for Spammers</h2>
<p>When you combine all three of the above elements it is not hard to see why Geocities was perfect for spammers.</p>
<p>A spammer could start a new Geocities web site, add the JavaScript code to redirect visitors to their real web site, and then blast out millions of spam messages with the Geocities URL to try and trick people into clicking the links.</p>
<p>The Geocities shutdown is a minor relief for security vendors and professionals.  Unfortunately it was only one of hundreds of similar sites that still remain today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/geocities-shutdown-closes-door-on-spammers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/geocities-shutdown-closes-door-on-spammers/</feedburner:origLink></item>
		<item>
		<title>Pushdo Botnet Sending FDIC Spam</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/2DgvXmQ1oqM/</link>
		<comments>http://www.allspammedup.com/2009/10/pushdo-botnet-sending-fdic-spam/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 15:20:38 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[keylogger]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1716</guid>
		<description><![CDATA[
A new wave of spam being pumped out by the Pushdo botnet is exploiting the FDIC and attempting to capitalize on worries about the economy. The spams are made to look like they came from the FDIC and inform the recipient that their bank has failed and urge them to click on the included link [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1717" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/50568_internet.jpg" alt="50568_internet" width="280" height="101" /></p>
<p>A new wave of spam being pumped out by the Pushdo botnet is exploiting the FDIC and attempting to capitalize on worries about the economy. The spams are made to look like they came from the FDIC and inform the recipient that their bank has failed and urge them to click on the included link to make sure their accounts have been insured.</p>
<p>The link actually leads to a malicious website that downloads the Zbot Trojan, which adds the computer to the Pushdo botnet and uses it to send out more FDIC spams. The Trojan also monitors the computer’s web activity and activates a keylogger whenever it detects a banking, financial or e-commerce site. The user’s personal information and logon credentials are stolen and sent to the hacker’s server where they are stored and used for identity theft or sold to other criminals.</p>
<p>Pushdo is also using Facebook to acquire new zombies. Recipients receive an email with an attached file. The email is said to come from “The Facebook Team” and tells the recipient their password has been changed for security purposes and they should open the attachment to retrieve their new one. A hidden .exe file is contained within it and once opened downloads Zbot.</p>
<p>Pushdo was previously responsible for the flood of IRS spams that have become the top spam campaign on the net, and before that for a flood of spams that exploited the tragic death of pop icon Michael Jackson. Look for Pushdo to launch new spam campaigns in the near future, most likely timed to take advantage of the upcoming holiday season.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/pushdo-botnet-sending-fdic-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/pushdo-botnet-sending-fdic-spam/</feedburner:origLink></item>
		<item>
		<title>New Sting Operation Snags 18 Nigerian Spammers</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/cpunPubJ_x8/</link>
		<comments>http://www.allspammedup.com/2009/10/new-sting-operation-snags-18-nigerian-spammers/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 16:22:35 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[419 scams]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1710</guid>
		<description><![CDATA[
A new sting operation conducted by the Nigerian Economic and Financial Crimes Commission has already nabbed 18 spammers. Dubbed Operation Eagle Claw, it has also led to the shutdown of 800 malicious websites. The Commission has partnered with Microsoft on the project and said its goal is to remove Nigeria from the top 10 [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1711" src="http://www.allspammedup.com/wp-content/uploads/2009/10/Cyberbully512x288.jpg" alt="Cyberbully512x288" width="202" height="129" /></p>
<p>A new sting operation conducted by the Nigerian Economic and Financial Crimes Commission has already nabbed 18 spammers. Dubbed Operation Eagle Claw, it has also led to the shutdown of 800 malicious websites. The Commission has partnered with Microsoft on the project and said its goal is to remove Nigeria from the top 10 list of countries where the most scam emails originate.</p>
<p>The Nigerian or 419 scam, named after the section number in the Nigerian Penal Code that makes it illegal, has been around almost as long as the web itself. It has several variations of a story designed to make the recipient think he will receive a huge fortune if he helps a foreign citizen (often a member of a non-existent royal family, a long lost relative who’s been killed, or a clergy member) transfer their money out of the country. The scammer either poses as the person themselves or as their lawyer. All the person has to do is turn over their personal info and wire over a small processing fee.</p>
<p><span id="more-1710"></span></p>
<p>Once the scammer has snared a victim the requests keep coming. A bank, legal or government fee has to be paid, or sometimes a bribe. The game keeps going until the victim&#8217;s bank accounts run dry, and then the scammer disappears. The scam has bankrupted people, destroyed marriages and in a few cases has led to murder. At least three people have been kidnapped and murdered after traveling to Nigeria to seek this fortune, and in another case a man shot and killed an official at the Nigerian embassy in Prague after they refused to return the money he lost to a Nigerian scammer. 16 people have been kidnapped by Nigerian scammers when they went to the country after falling for the scam, but were released unharmed.</p>
<p>Recent variations on the scam include spams claiming the recipient has won a foreign lottery, or had their profile discovered by someone on a dating site. Anyone who has tried to sell something on eBay or Craigslist has likely gotten multiple spams from 419 scammers offering to buy the item for several times more than the asking price and asking for it to be shipped to a foreign address.</p>
<p>Operation Eagle Claw has just begun but it seems to be off to a very good start. Nigeria’s reputation has been ruined by these scammers and hopefully the operation will put a very big dent in the volume of 419 scam messages that clog all our inboxes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/new-sting-operation-snags-18-nigerian-spammers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/new-sting-operation-snags-18-nigerian-spammers/</feedburner:origLink></item>
		<item>
		<title>New Malware Covers Its Tracks By Altering Bank Statements</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/6wZ41Jz2pu0/</link>
		<comments>http://www.allspammedup.com/2009/10/new-malware-covers-its-tracks-by-altering-bank-statements/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 13:23:47 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1693</guid>
		<description><![CDATA[
A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve. It can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter HTML coding before it’s displayed. This lets it rewrite bank statements to hide the fraudulent activity underway. This buys the scammers more time to clean [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1701" src="http://www.allspammedup.com/wp-content/uploads/2009/10/christmas_holidays_december_650820_l.jpg" alt="christmas_holidays_december_650820_l" width="196" height="144" /></p>
<p>A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve. It can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter HTML coding before it’s displayed. This lets it rewrite bank statements to hide the fraudulent activity underway. This buys the scammers more time to clean out the account.</p>
<blockquote><p>“The Trojan is hooked into your browser and dynamically modifies the text in the html,” says Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan. “It’s a very sophisticated technique. They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there. If you don’t know it, you won’t report it to the bank so they have more time to cash out.”</p></blockquote>
<p>The money is then sent to money mules who were tricked into doing the scammer’s dirty work. Most fell for the fake job posting spam advertising a lucrative work at home position and have no idea they are being scammed too.</p>
<p>URLZone is controlled by a server in the Ukraine. While officials there announced they had suspended its domain, count on it to simply find a new home. As we saw after the McColo shutdown last year it doesn’t take long at all for hackers and scammers to set up shop somewhere else. Finjan says the URLZone operation could easily make over $7 million a year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/new-malware-covers-its-tracks-by-altering-bank-statements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/new-malware-covers-its-tracks-by-altering-bank-statements/</feedburner:origLink></item>
		<item>
		<title>NASA Reprimanded Over Lax Security Practices</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/TvRoa1oPQvA/</link>
		<comments>http://www.allspammedup.com/2009/10/nasa-reprimanded-over-lax-security-practices/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 12:43:25 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[rootkits]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1694</guid>
		<description><![CDATA[
In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up.  NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GAO says it still has far to go.
&#8220;NASA [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1695" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/598413_hacker.jpg" alt="598413_hacker" width="256" height="90" /></p>
<p>In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up.  NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GAO says it still has far to go.</p>
<blockquote><p>&#8220;NASA remains vulnerable to similar incidents going forward,&#8221; the report finds. &#8220;Control vulnerabilities and program shortfalls make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.&#8221;</p></blockquote>
<p>The security breaches reported at NASA include malware infections, data theft, the theft of several laptops containing data on a prototype hypersonic jet, a space telescope and a lunar orbiter, 82 computers being made part of a botnet thanks to the installation of rootkits, and the infection of 86 other computers with the Zoneback Trojan, and others infected with the Coreflood Trojan.</p>
<p>The GAO made 200 recommendations addressing 129 weaknesses. NASA says it is continuing to improve its IT management and better train its employees on proper security practices. Kind of scary that a high tech agency like NASA could be so careless when it comes to security!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/nasa-reprimanded-over-lax-security-practices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/nasa-reprimanded-over-lax-security-practices/</feedburner:origLink></item>
		<item>
		<title>Money mulers expanding horizons</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/IaWNCk0rSCU/</link>
		<comments>http://www.allspammedup.com/2009/10/money-mulers-expanding-horizons/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 14:19:40 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[keyboard logging]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[muling]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[Zeus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1670</guid>
		<description><![CDATA[Money muling, until recently, has been used by information highwaymen to prey on unwitting consumers. Muleskinners had modest goals. Their scams ranged from $200 to $2000. Their targets were consumers with more greed than sense. Recent muling patterns, however, indicate that these fraudsters are expanding their ambitions and hatching cons to snatch larger amounts from [...]<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2009/10/money-mulers-expanding-horizons/">Money mulers expanding horizons</a></p>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_1684" class="wp-caption alignright" style="width: 304px"><img class="size-full wp-image-1684" src="http://www.allspammedup.com/wp-content/uploads/2009/10/GFI015-zeus-Custom.jpg" alt="The Zeus Trojan is a favorite of muleskinners." width="294" height="300" /><p class="wp-caption-text">The Zeus Trojan is a favorite of muleskinners.</p></div>
<p><a href="http://www.allspammedup.com/2009/09/phishers-troll-for-mules-on-internet/" target="_blank">Money muling</a>, until recently, has been used by information highwaymen to prey on unwitting consumers. Muleskinners had modest goals. Their scams ranged from $200 to $2000. Their targets were consumers with more greed than sense. Recent muling patterns, however, indicate that these fraudsters are expanding their ambitions and hatching cons to snatch larger amounts from small businesses.</p>
<ul>
<li>In May, a Texas company was clipped of $1.2 million with the help of some 40 &#8220;mules.&#8221;</li>
<li> In July, muleskinners in the Ukraine skimmed $415,000 from accounts for Bullitt County, Ky. The county realized something was askew when it found unauthorized wire transfers of $10,000 or less from its payroll coffers were being made to accounts of at least 25 people across the country. In the United States, money transfers must exceed $10,000 before they are subject to special reporting requirements under the Bank Secrecy Act of 1970.</li>
<li> In September, Downeast Energy &amp; Building Supply, a heating and hardware firm in Brunswick, Maine, saw $200,000 disappear from its online bank account, siphoned into the accounts of at least 20 individuals nationwide.</li>
<li> This month, the Pease Development Authority, the agency that manages ports in the Portsmouth, N.H. area discovered about $100,000 in transfers instigated by muleskinners.</li>
<li> Also this month, thieves attempted to transfer $87,000 from the accounts of the St. Isadore Catholic Church in Danville, Calif. to about a half dozen mules, but were thwarted when the church&#8217;s bank blocked the transfer.</li>
</ul>
<p>Money mules are a key component of these scams. They are individuals recruited through blind employment ads posted on the Internet or through spam mailings. On some occasions, mules have been initially recruited as copy editors and proofreaders hired at minimum wage to clean up spam letters used to recruit more mules. When pressed for payment for the editing work, a muleskinner will attempt to recruit the editor as a &#8220;local agent&#8221; for transferring money.</p>
<p><span id="more-1670"></span></p>
<p>As local agents, the mules are told to set up accounts at their local bank into which the fraudsters can transfer money. When money is deposited into the accounts, the mules are instructed to retain a percentage of it for themselves and to wire the rest to the muleskinners.</p>
<p>Once the scam is discovered, a bank will usually freeze the mule&#8217;s account and squeeze him or her for the money transferred to the cybercrooks.</p>
<p>One malware program popular among muleskinners is the Windows-based Zeus Trojan, also known as Zbot. It collects data from a  network of &#8220;zombie&#8221; computers infected by the dirty software. After taking up residence in a computer, Zeus immediately nicks the credentials of the machine&#8217;s user and sends them via instant messaging to the botnet administrator.</p>
<p>It also establishes a direct connection with the target&#8217;s computer so malefactors can perform their misdeeds directly through their victim&#8217;s Internet connection. That&#8217;s an indication that these thieves are savvy hackers and not mere script kiddies. One security precaution by banks is to check the IP addresses of customers performing transactions on their systems. A red flag is raised when an oddball address appears outside the ordinary geographic range of the typical one associated with a particular username and password. By performing their mischief through a user&#8217;s IP address, a Net miscreant can bamboozle a bank&#8217;s security system into thinking everything is copacetic.</p>
<p>The Trojan also contains another malevolent twist aimed at giving the Black Hats more time to make their getaway. It&#8217;s called the KOS, or Kill Operating System, command. It allows a botmaster to crash a system on his or her network. The crash can be used to divert the user&#8217;s attention from online activity and embroil it in local troubleshooting.</p>
<p>While crashing a system can gain a cracker some time, it does call immediate attention to itself and hence, immediate action. A more subtle switch included in the KOS tool will trash the Windows directory of a machine during an active session. Windows registry changes don&#8217;t take effect until a computer is restarted. When finishing his or her work for the day, the user will turn off his or her computer. That night, the thief performs his dirty work. In the morning, the user turns on his or her computer and when the corrupted registry attempts to load, nothing happens. It could be hours before the problem is identified and solved, and the user gets back online to check account activity.</p>
<p>The signs that muleskinners are seeking bigger game for their shenanigans are not good ones for companies who manage their finances online, nor for naive mules who, instead of being victims of a petty crime, are becoming accomplices in grand larceny.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/money-mulers-expanding-horizons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/money-mulers-expanding-horizons/</feedburner:origLink></item>
		<item>
		<title>Fake Antivirus Software a $1.2 Billion Industry</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/eZrNbqAjZTQ/</link>
		<comments>http://www.allspammedup.com/2009/10/fake-antivirus-software-a-1-2-billion-industry/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 13:48:51 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[scareware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1686</guid>
		<description><![CDATA[Security vendors are warning of a wave of &#8217;scareware&#8217; attacks that use false Conficker alerts to trick victims into installing fake antivirus software on their computers.
The fake antivirus programs are known as scareware because of their technique of performing a fake antivirus scan on the computer, scaring the user by alerting them to virus infections [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1688" src="http://www.allspammedup.com/wp-content/uploads/2009/10/599557_90159834.jpg" alt="599557_90159834" width="250" height="164" />Security vendors are warning of <a target="_blank" href="http://blogs.zdnet.com/security/?p=4674">a wave of &#8216;scareware&#8217; attacks</a> that use false <a target="_blank" href="http://en.wikipedia.org/wiki/Conficker">Conficker</a> alerts to trick victims into installing fake antivirus software on their computers.</p>
<p>The fake antivirus programs are known as scareware because of their technique of performing a fake antivirus scan on the computer, scaring the user by alerting them to virus infections that don&#8217;t really exist, and then offering to sell the victim software to remove the non-existent infections and protect from them in future.</p>
<p>The victim gives up credit card details for software ranging from $30 up to $100, but the real outcome is that their computer falls under the control of the spammer to grow their botnet.</p>
<p>Security analysts estimate that many <a target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2009/10/19/AR2009101900096.html?wprss=rss_technology">tens of millions of computers</a> have been taken over by spammers using these tactics.  Conservative estimates at the low end of the fake antivirus pricing suggest this could be a $1.2 billion industry for spammers and malware authors around the world.<span id="more-1686"></span></p>
<p>As the criminals rake in these profits and computer users fall victim to such schemes every day, there are calls for Microsoft to do more to protect its customers running Windows operating systems.  Microsoft has taken some recent steps, such as offering a $250,000 reward for information that leads to the arrest and conviction of the Conficker authors.  More recently it released its free consumer malware protection, Microsoft Security Essentials.</p>
<p>However, some commentators think that further steps are needed.  It is suggested that a <a target="_blank" href="http://www.securecomputing.net.au/News/158689,commentary-microsoft-can-help-kill-fake-antivirus-threat.aspx">whitelist of safe security products and vendors</a> be created and included with Microsoft Windows so that it can detect fake antivirus software and prevent users from installing it.</p>
<p>This move would be welcomed by many consumers and IT professionals, but not necessarily by the security vendors themselves.  New vendors and products may be stalled by whatever certification process is required for inclusion on the whitelist.</p>
<p>Some existing vendors already have a frosty relationship with Microsoft as the software maker continually encroaches on their market territory with features such as Windows Firewall and Microsoft Security Essentials.  Any bottlenecks in the process would certainly bring claims of anti-competitiveness down on Microsoft.</p>
<p>Finally there are the costs.  Vendors will not incur additional costs in their software development and release process without passing them on to consumers.  That said, the argument could be made that even an additional cost to consumers may be far less than what spammers are currently taking from victims.</p>
<p>At the very least, keeping those profits out of the hands of criminals would be a positive outcome.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/fake-antivirus-software-a-1-2-billion-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/fake-antivirus-software-a-1-2-billion-industry/</feedburner:origLink></item>
		<item>
		<title>New Botnets Emerging</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/kOXKq0Kfze8/</link>
		<comments>http://www.allspammedup.com/2009/10/new-botnets-emerging/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 13:12:18 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[click fraud]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1673</guid>
		<description><![CDATA[
Despite the shutdowns of several spam friendly ISPs, the number of botnets sending out spam has increased. The newest kid on the block is the Maazben botnet, which was first discovered in May.  It joins veteran botnet Rustock in spewing out millions of online casino spams each day. Rustock is responsible for 10% of all [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1674" src="http://www.allspammedup.com/wp-content/uploads/2009/10/hacker-virus-hand-1196269-l.jpg" alt="hacker-virus-hand-1196269-l" width="211" height="130" /></p>
<p>Despite the shutdowns of several spam-friendly ISPs, the number of botnets sending out spam has increased. The newest kid on the block is the Maazben botnet, which was first discovered in May.  It joins veteran botnet Rustock in spewing out millions of online casino spams each day. Rustock is responsible for 10% of all spam sent, while Maazben is responsible for 1.4%. That doesn’t seem like much, but that volume has doubled since August.</p>
<p>While the monster botnet Cutwail, responsible for nearly 46% of all spam sent at its peak, was severely crippled by an ISP shutdown, botnets Grum and Bobax have quickly jumped in to make up for it, and together are responsible for 39% of all spam sent.</p>
<p>Botnets are also beginning to be used for more than just spewing spam and stealing passwords.  The Gumblar botnet infects websites and uses them to distribute malware, and the Bahama botnet uses the computers it infects to commit click fraud. What’s more, the sheer number of botnets around now has made DDoS attacks easier and cheaper than ever. While such attacks don’t result in profits, they are still used to muzzle critics, knock online competitors out, and otherwise send an unpleasant message to an individual or group.</p>
<p>Botnets are here to stay. They are growing more sophisticated and powerful every day, and it is going to be more and more difficult to stay ahead of them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/new-botnets-emerging/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/new-botnets-emerging/</feedburner:origLink></item>
		<item>
		<title>Outlook Web Access Users Hit With Trojan</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/ADi_lQF3Pj8/</link>
		<comments>http://www.allspammedup.com/2009/10/outlook-web-access-users-hit-with-trojan/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 14:47:41 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Outlook Web Access]]></category>
		<category><![CDATA[Zeus Trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1658</guid>
		<description><![CDATA[
A new spam campaign is targeting Outlook Web Access users with the goal of distributing a nasty Trojan.  The messages are slick and professional-looking and tell the recipient that they need to update their mail settings by clicking on the included link. The link leads to a very well made, but fake, Outlook Web Access [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1661" style="margin: 10px;" title="Outlook Web Access users hit by Trojans" src="http://www.allspammedup.com/wp-content/uploads/2009/10/outlook_web_access_clip_image001.jpg" alt="outlook_web_access_clip_image001" width="204" height="200" /></p>
<p>A new spam campaign is targeting Outlook Web Access users with the goal of distributing a nasty Trojan.  The messages are slick and professional-looking and tell the recipient that they need to update their mail settings by clicking on the included link. The link leads to a very well made, but fake, Outlook Web Access site.  Those who keep going, thinking that they are downloading the new settings, download the Zeus Trojan instead.</p>
<p>Zeus lurks on the victim’s hard drive, doing nothing, until the infected computer visits a page related to financial matters, such as a brokerage firm, online banking, PayPal, or a credit card account page. A keylogger is activated when such a page is detected and the login details are stolen.  The Trojan can also hijack a browser and redirect the user to a fake version of a bank’s webpage. These so-called “Man in the Browser” attacks are hard to detect.</p>
<blockquote><p>&#8220;This attack illustrates how organized internet crime syndicates are expanding their focus from consumers to enterprises, by targeting employees with credentials to access high value banking, financial, and other web-based applications,&#8221; said Mickey Boodaei, CEO of Trusteer. &#8220;The level of personalization used in these Phishing messages and the fact that they appear to be coming from the company&#8217;s IT department makes this attack very convincing and by extension very dangerous. We are urging enterprises to warn their employees and lock down browser settings to prevent unauthorized code execution inside the browser.&#8221;</p></blockquote>
<p>Experts say that the hackers behind Zeus are targeting corporate users because business accounts tend to have much higher balances than consumer ones.  The malicious sites linked to in the spam message are located all over the world in places like Romania, Russia, Colombia, and Hungary, and so far Zeus is not being detected by many anti-virus programs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/outlook-web-access-users-hit-with-trojan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/outlook-web-access-users-hit-with-trojan/</feedburner:origLink></item>
		<item>
		<title>Spamhaus targets snowshoe spam</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/fx5So7f5Evk/</link>
		<comments>http://www.allspammedup.com/2009/10/spamhaus-targets-snowshoe-spam/#comments</comments>
		<pubDate>Fri, 16 Oct 2009 14:17:09 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[CSS]]></category>
		<category><![CDATA[filters]]></category>
		<category><![CDATA[snowshoe spam]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1642</guid>
		<description><![CDATA[Continued growth of snowshoe spam has prompted Spamhaus, a leader in the war on junk email, to craft a specific response to it. Earlier this month, the spamfighters rolled out a CSS component of the organization&#8217;s Spamhaus Block List.
The SBL is a database of IP addresses from which the organization recommends blocking email. Mail systems [...]
]]></description>
			<content:encoded><![CDATA[<div id="attachment_1643" class="wp-caption alignright" style="width: 250px"><img class="size-full wp-image-1643 " style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/GFI013-snowshoe-edit.png" alt="Snowshoe Spam is a growing problem." width="240" height="221" /><p class="wp-caption-text">Snowshoe Spam is a growing problem.</p></div>
<p>Continued growth of snowshoe spam has prompted Spamhaus, a leader in the war on junk email, to craft a specific response to it. Earlier this month, the spamfighters rolled out a CSS component of the organization&#8217;s Spamhaus Block List.</p>
<p>The SBL is a database of IP addresses from which the organization recommends blocking email. Mail systems throughout the Internet can query the database in real time. It allows email administrators to identify, tag or block incoming messages from IP addresses blacklisted by the group as being connected to sending, hosting or originating unsolicited bulk email, better known as spam.</p>
<p>According to Spamhaus, CSS is an integral part of the SBL. It&#8217;s distinguished, however, by a different return code, 127.0.0.3. Users of the SBL need not do anything to activate the new CSS, other than to make sure that their existing spam filters can handle the additional return code.</p>
<p>Snowshoe Spam gets its name from the way it fans out its malicious behavior over the Web. Just as snowshoes spread the weight of a step on snow to minimize sinking and facilitate travel, snowshoe spammers spread their abhorrent activities across a multitude of IP addresses. By doing that, they can reduce their visibility on the Web and raise havoc with reputation metrics and evade detection by spam filters. The spammers know a percentage of their clutter will be diverted by anti-spam systems deployed by their targets, but by broadening the swath of their efforts, they can increase that percentage.</p>
<p><span id="more-1642"></span></p>
<p>Launching a snowshoe operation takes some sophistication. That&#8217;s because an operator needs to use an assortment of IP addresses, as well as servers and providers, to fan out his payload. Analysis of snowshoe spam shows that IP addresses are rarely repeated. That makes isolating the spam more challenging because spamfighters can&#8217;t turn off the spigot from a particular IP address. They must analyze the content of each message to capture the junk, a more processor-intensive task than just blocking an IP address.</p>
<p>As is typical of byte bandits everywhere, snowshoe spammers hide behind fictitious businesses and phoney names and identities. They frequently change postal dropboxes and voicemail drops. They&#8217;re masters of creating fake Whois records, records used to trace the owners of domain names.</p>
<p>One technique used by the spammers to perpetuate their subterfuge is to use tunneled connections between their spam cannons and the IP they use to spread their junk. That way, the IP address of the back-end cannon doesn&#8217;t appear in the headers of the spam messages. When a range of &#8220;spigot&#8221; domains are blocked, the spammers just redirect their cannons to another set of domains and keep pumping out their crud. The tactic makes the spam difficult, but not impossible, to trace.</p>
<p>According to Spamhaus, snowshoe spamming has been around for some time, but last year a few U.S. junk emailers refined the process by adopting scrubbing techniques like listwashing and waterfalling to recycle mailing lists. The practice has become so popular that snowshoe spam accounts for 20 to 30 percent of all connections at a typical generic top level domain server. It is the second largest segment of the mailstream next to botnet spam from compromised machines in the dynamic IP space. Snowshoe spam works in the static IP space.</p>
<p>Some White Hats believe that Spamhaus&#8217;s latest move will decrease spam traffic.</p>
<blockquote><p>&#8220;The new list will likely result in a lot of spam being blocked, which is a good thing,&#8221; Steven Champeon wrote in the Enemieslist blog.</p></blockquote>
<blockquote><p>&#8220;[S]o-called snowshoe spam has been an increasingly large component of the spam we see here and in the trap feeds we monitor,&#8221; he continued. &#8220;In one sense, [snowshoe spam] is a return to old-school statically-hosted spamming, the sort that Spamhaus SBL was created to solve&#8211;but representing an evolution in tactics and new levels of obfuscation.&#8221;</p></blockquote>
<p>He added that Spamhaus&#8217;s snowshoe efforts represent an opportunity for Email Service Providers who are solid Netizens. He cited a number of legitimate companies who have been suckered by snowshoe spammers. They include Sears, Brinks, LG, Kraft, Gerber, Dish Network and the AARP. The <a target="_blank" href="http://www.spamhaus.org/css/">Spamhaus initiative</a> will <a target="_blank" href="http://enemieslist.com/news/archives/2009/10/the_impact_of_t.html">encourage legitimate clients of spammers to move to ESPs</a>, he argued. &#8220;[I]n the long run,&#8221; he reasoned, &#8220;[that's] a good thing, because ESPs with transparency and a reputation to protect will educate their new clients.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/spamhaus-targets-snowshoe-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/spamhaus-targets-snowshoe-spam/</feedburner:origLink></item>
		<item>
		<title>Pharmaceutical Scam Responsible for 70% of September’s Spam Volume</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/iV0zLuJJpjk/</link>
		<comments>http://www.allspammedup.com/2009/10/pharmaceutical-scam-responsible-for-70-of-septembers-spam-volume/#comments</comments>
		<pubDate>Fri, 16 Oct 2009 07:40:52 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[pharmaceutical spam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1647</guid>
		<description><![CDATA[According to a new report by security researchers, 70% of all spam sent last month was the result of a massive pharmaceutical scam. The messages were made to look like they came from legit pharmacies in Canada, but the links either led to fake sites that allowed visitors to place orders but instead of fulfilling [...]
]]></description>
			<content:encoded><![CDATA[<p>According to a new report by security researchers, 70% of all spam sent last <img class="alignright size-full wp-image-1648" src="http://www.allspammedup.com/wp-content/uploads/2009/10/1055088_no_spam.jpg" alt="1055088_no_spam" width="134" height="119" />month was the result of a massive pharmaceutical scam. The messages were made to look like they came from legit pharmacies in Canada, but the links led either to fake sites that let visitors place orders and then, instead of fulfilling them, stole their financial info, or to shady pharmacies that sold fake knock-offs of popular prescription drugs like Viagra, Cialis, Cymbalta, Chantix and Ambien.  Many of the messages attempt to exploit concerns about the Swine Flu virus and health care reform.</p>
<blockquote><p>&#8220;Contrary to what we witnessed in the first half of this year, phishers came back with a vengeance in the third quarter&#8221;, says IBM researcher Holly Stewart. &#8220;By August, however, the volume of phishing reached the volume seen in the most active months of 2008, and the volume seen in September completely surpassed the volume seen during any one month of 2008.&#8221;</p></blockquote>
<p>The pharmacies in the spams aren’t located in Canada at all.  Researchers say they are likely located in Russia and run by the partnerka, a network of spammers and malware distributors.</p>
<p>Phishers are going after email accounts with a vengeance.  New or “virgin” accounts are especially desirable because they haven’t yet been blocked by spam filters or blacklists. These accounts are sold to spammers for $2 each.  While the global economy is still recovering, the underground cybercrime economy appears to be booming.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/pharmaceutical-scam-responsible-for-70-of-septembers-spam-volume/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/pharmaceutical-scam-responsible-for-70-of-septembers-spam-volume/</feedburner:origLink></item>
		<item>
		<title>Taking Control of the Risks</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/kwMu_O0wU0E/</link>
		<comments>http://www.allspammedup.com/2009/10/taking-control-of-the-risks/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 15:33:07 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Viruses]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1649</guid>
		<description><![CDATA[We can all agree that spam is a huge problem for anyone who is making use of the internet.  But spam itself is not the actual risk we need to focus on.
The real risks are the objectives that spammers are attempting to achieve, such as identity theft, credit card fraud, bank fraud, selling fake goods, [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1652" src="http://www.allspammedup.com/wp-content/uploads/2009/10/1129636_25893888.jpg" alt="1129636_25893888" width="250" height="177" />We can all agree that spam is a huge problem for anyone who is making use of the internet.  But spam itself is not the actual risk we need to focus on.</p>
<p>The real risks are the objectives that spammers are attempting to achieve, such as identity theft, credit card fraud, bank fraud, selling fake goods, phishing, taking over computers for botnet armies and other online scams.</p>
<p>Too often we focus on solving the problem of spam, instead of addressing the risks that spam presents to us.  We scan for malware but not phishing attacks.  We do email content filtering but no web content filtering.  We run a firewall but an open wireless network.  We ban Twitter and Facebook but not online forums.</p>
<p>Protecting ourselves from the risks of spam means first understanding those risks, and then implementing a comprehensive protection strategy that addresses each of them in turn.</p>
<p><span id="more-1649"></span></p>
<p><strong>Malware</strong> – malware comes in many forms.  There are the traditional viruses and worms that infect computer networks and are often destructive in nature.</p>
<p>Little has changed with this threat in the last decade.  The infection sources are still largely the same – innocent-looking software containing malicious code, network worms that can spread across the LAN or the internet, and files shared between business and home computers via removable media (USB flash drives being the most popular these days).  Spammers will also attempt to spread malware by promoting it as free software alternatives to expensive proprietary brand names.</p>
<p>Security vendors often refer to their preventative products in this category as “endpoint security”, the name intended to convey that there is more to malware protection than just scanning files on the computer’s hard disk.  Endpoint security solutions extend traditional anti-malware protection and control to include portable storage devices.</p>
<p>You cannot rely on others to protect their own computers and prevent them from infecting yours.</p>
<p><strong>Phishing and Scam Emails</strong> &#8211; My own experience is that of the tens of thousands of spam emails a business may receive, only a small handful contain malware.  Security vendors support this type of statistic with their own much broader analysis, reporting that as little as 4% of malicious email contains a malware payload.</p>
<p>An email user is far more likely to receive a phishing email than a virus these days.  The email will attempt to fool the user into revealing credit card or online banking details. The protection against such emails is email content filtering using an anti-spam product.</p>
<p>You cannot rely on others, even major ISPs and email providers, to protect you from email attacks.</p>
<p><strong>Websites and Social Networks </strong>– now that we have looked at email content filtering we must consider malicious web content as well.  There are two simple reasons for this – firstly not all malicious emails will be detected, so in some cases an end user may be tricked into clicking a link to a website.  Secondly email is not the only vector that attackers use to try to draw traffic to their websites.</p>
<p>Web content filtering from a reputable security vendor will protect users from known malicious websites in the cases where they are successfully tricked into visiting one, whether by email or from other online communications such as social networking, instant messaging, and forums.</p>
<p>You cannot rely on social networks and other web services to strictly police their often free services for spammers and other malicious people.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/taking-control-of-the-risks/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/taking-control-of-the-risks/</feedburner:origLink></item>
		<item>
		<title>Media overloads with fishing analogies in Operation Phish Phry reports</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/HExIBZ7I930/</link>
		<comments>http://www.allspammedup.com/2009/10/media-overloads-with-fishing-analogies-in-operation-phish-phry-reports/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 15:52:28 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1625</guid>
		<description><![CDATA[The FBI, depending on the news story you read, either “netted,” “snared,” “hooked,” “reeled in” or “lured” a huge number of cybercriminals in a massive phishing investigation. We’ll resist the temptation to add to the trend by referring to the FBI as “fishing for phishers,” although we may reserve the right to wonder aloud at [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-1628" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/Fish1.jpg" alt="Fish" width="68" height="100" />The FBI, depending on the news story you read, either “netted,” “snared,” “hooked,” “reeled in” or “lured” a huge number of cybercriminals in a massive phishing investigation. We’ll resist the temptation to add to the trend by referring to the FBI as “fishing for phishers,” although we may reserve the right to wonder aloud at “the one that got away.”</p>
<p>This week, the FBI announced that a multinational investigation, conducted both in the US and Egypt, resulted in 53 defendants being indicted in the US, and 47 more charged in Egypt, for an even hundred, which, according to <a target="_blank" href="http://www.computerworld.com/s/article/9139093/Operation_Phish_Phry_hooks_100_in_U.S._and_Egypt">Computerworld</a>, is the largest number of people ever charged with the same cybercrime. Looks like they “bagged their limit.” Of the 53 US defendants, 33 have already been arrested.</p>
<p><span id="more-1625"></span></p>
<p>The joint investigation actually got underway in 2007, when FBI agents went to work with banks to “identify and disrupt” criminal phishing rings that targeted the financial services industry. During the course of the investigation, information gleaned by the FBI led them to enter into a joint agreement with Egyptian authorities, when it quickly became clear that the scope of the criminal enterprise was international.</p>
<p>According to court records, hackers in Egypt were able to use phishing techniques to obtain bank account numbers and other personal information from banking customers. The phishing techniques weren’t anything new—they simply involved the old tried and true method of an email message disguised to appear as though it was from a bank or credit card company, asking people to click on a link or log onto a phony web page and enter their account details. Members of the criminal enterprise then were able to hack into accounts and transfer funds online. It was apparently quite a sophisticated operation, and included “runners” who set up bank accounts to hold the stolen money and allow it to be easily withdrawn. The US-based conspirators then wire transferred a portion of the ill-gotten gains to their Egyptian counterparts as payment.</p>
<p>On the US side, each defendant was charged with conspiracy to commit bank fraud and wire fraud, and will face a maximum penalty of 20 years.</p>
<p>Kudos to the US and Egyptian authorities for their work on this one. Ultimately though, removing this one particular crime ring certainly won’t be fishing out the stream any time soon, and phishing is still going strong. We still need to be on guard, and there are still something along the lines of 50,000 phishing web sites, and those are just the ones that have been detected by the Anti-Phishing Working Group.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/media-overloads-with-fishing-analogies-in-operation-phish-phry-reports/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/media-overloads-with-fishing-analogies-in-operation-phish-phry-reports/</feedburner:origLink></item>
		<item>
		<title>Spam From Sites Involved in Data Breach Increases Dramatically</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/XfLC12zhLG4/</link>
		<comments>http://www.allspammedup.com/2009/10/spam-from-sites-involved-in-data-breach-increases-dramatically/#comments</comments>
		<pubDate>Mon, 12 Oct 2009 13:33:57 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[keylogging]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1630</guid>
		<description><![CDATA[Last week we told you about a huge data breach that was affecting Hotmail, Yahoo!, and GMail accounts &#8211; hundreds of thousands of them at last count.  Now experts say that the amount of spam messages coming from those sites has shot up dramatically and believe those hacked accounts are to blame. The spams are [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1528" style="margin: 10px;" title="spam" src="http://www.allspammedup.com/wp-content/uploads/2009/09/spam.jpg" alt="spam" width="245" height="184" />Last week we told you about a huge data breach that was affecting Hotmail, Yahoo!, and GMail accounts &#8211; hundreds of thousands of them at last count.  Now experts say that the amount of spam messages coming from those sites has shot up dramatically and believe those hacked accounts are to blame. The spams are personalized and were sent to the contacts in each account’s address book. Links in the spam messages lead to fake shopping sites set up to steal personal information such as credit and debit card numbers, names, addresses, and email addresses &#8211; a textbook phishing operation.</p>
<p>Some experts believe that the breach is just too large to have been achieved through phishing alone and suspect malware, mainly keyloggers, may have been involved as well.</p>
<blockquote><p>&#8220;The quantity of people hit makes me think that it was key logging &#8212; the success rate for phishing is only about one in 1,000,&#8221; Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet. &#8220;Secondly, when I went through the list of e-mail account credentials, there were entries with the same username, but a slightly different password, which suggests that they&#8217;re typos. I don&#8217;t think people would keep falling for a phishing scam and entering their details, it looks more like people are making mistakes and the key-logging software is recording them,&#8221; he said.</p></blockquote>
<p>So far researchers have been unable to pinpoint the exact cause of the breach or determine who is responsible. They recommend that everyone, regardless of what email service they use, change their passwords immediately and then do so every six months. Passwords should be a combination of numbers and letters and every account you have should have its own unique password.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/spam-from-sites-involved-in-data-breach-increases-dramatically/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/spam-from-sites-involved-in-data-breach-increases-dramatically/</feedburner:origLink></item>
		<item>
		<title>Researchers say malware cultural problem</title>
		<link>http://feedproxy.google.com/~r/Allspammedup/~3/yY_HZaInSDc/</link>
		<comments>http://www.allspammedup.com/2009/10/researchers-say-malware-cultural-problem/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 14:29:42 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Torpig]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1596</guid>
		<description><![CDATA[Malware is fundamentally a cultural problem, according to an octet of academics who hijacked control of a malicious computer network, or botnet,  for 10 days earlier this year.
&#8220;[T]he victims of botnets are often users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites,&#8221; the group observed in a paper [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1600" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/zombie_network-Custom.jpg" alt="zombie_network (Custom)" width="300" height="234" />Malware is fundamentally a cultural problem, according to an octet of academics who hijacked control of a malicious computer network, or botnet,  for 10 days earlier this year.</p>
<p>&#8220;[T]he victims of botnets are often users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites,&#8221; the group observed in a paper that is scheduled to be presented next month in Chicago at the <a target="_blank" href="http://www.sigsac.org/ccs/CCS2009/index.shtml">ACM Computer and Communications Security Conference</a>.</p>
<p>&#8220;This is evidence that the malware problem is fundamentally a cultural problem,&#8221; reasoned the paper&#8217;s authors, Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna.</p>
<blockquote><p>&#8220;Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer,&#8221; they explained. &#8220;Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate the Internet citizens so that the number of potential victims is reduced.&#8221;</p></blockquote>
<p><span id="more-1596"></span></p>
<p>During their botnet escapade, the researchers also discovered that the size of botnets can be misrepresented if too simply analyzed. &#8220;[A] naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results,&#8221; they found.</p>
<p>They also discovered how difficult it was to report problems once they were uncovered.</p>
<blockquote><p>&#8220;[W]e learned that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a rather complicated process,&#8221; the researchers wrote.</p>
<p>&#8220;In some cases,&#8221; they continued, &#8220;simply identifying the point of contact for one of the registrars involved required several days of frustrating attempts.&#8221;</p>
<p>&#8220;We are sure that we have not been the first to experience this type of confusion and lack of coordination among the many pieces of the botnet puzzle,&#8221; they acknowledged. &#8220;However, in this case, we believe that simple rules of behavior imposed by the US government would go a long way toward preventing obviously-malicious behavior.&#8221;</p></blockquote>
<p>Botnets, also known as zombie networks, consist of computers infected with malware, usually a Trojan, that gives control of the machines to a cracker operating from a remote location. The malnets can be used for a number of purposes, including spreading spam and filching sensitive personal information.</p>
<blockquote><p>&#8220;Botnets,&#8221; the researchers noted, &#8220;are the primary means for cyber-criminals to carry out their nefarious tasks, such as sending spam mails, launching denial-of-service attacks, or stealing personal data such as mail accounts or bank credentials.&#8221;</p>
<p>&#8220;This reflects the shift from an environment in which malware was developed for fun, to the current situation, where malware is spread for financial profit,&#8221; they added.</p></blockquote>
<p>The UCSB researchers targeted a botnet created with the Torpig Trojan, which is designed to harvest information, such as bank account and credit card information, from an infected computer. During the 10 days that the researchers controlled the botnet, they report that they were able to identify 1.2 million IP addresses contacting the command and control server used by the group to operate the malnet. Those addresses could be tagged to more than 180,000 infections, which produced almost 70GB of data during the experimental period.</p>
<p>A distinctive characteristic of Torpig discovered by the researchers is that it appears to be used as a &#8220;Malware As A Service&#8221; vehicle. They explained that Torpig DLLs are marked with a &#8220;build&#8221; type in their header field. The build doesn&#8217;t seem related to feature sets in the libraries, they reasoned, because all builds of the Trojan behave in the same way. Yet, build type information is transmitted in all communication with the malware&#8217;s command and control server, including in the submission header and in each data item contained in the body of the submission.</p>
<blockquote><p>&#8220;[T]he most convincing explanation of the build type is that it denotes different &#8216;customers&#8217; of the Torpig botnet, who, presumably, get access to their data in exchange for a fee,&#8221; the bot detectives deduced. &#8220;If correct, this interpretation would mean that Torpig is actually used as a &#8216;malware service&#8217;, accessible to third parties who do not want or cannot build their own botnet infrastructure.&#8221;</p></blockquote>
<p>Password information gathered by the botnet was also analyzed by the researchers. They discovered that 28 percent of the malware&#8217;s victims reused their credentials for accessing 368,501 websites. In addition, in a test of password strength, they found that of 173,686 passwords nicked by the malnet, 56,000 were cracked in 65 minutes with a commonly used password breaker called John the Ripper; another 14,000 just 10 minutes later. &#8220;Thus,&#8221; they wrote, &#8220;<a target="_blank" href="http://www.cs.ucsb.edu/%7Eseclab/projects/torpig/torpig.pdf">in less than 75 minutes, more than 40% of the passwords were recovered</a>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/researchers-say-malware-cultural-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.allspammedup.com/2009/10/researchers-say-malware-cultural-problem/</feedburner:origLink></item>
	</channel>
</rss>
