“Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks,” the report states, without identifying specific attack targets.

It’s not yet known, even after all these years, who’s behind the attacks. Some experts blame foreign governments, others say it’s the work of a highly powerful group of hackers.

“The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox,” security firm Zscaler writes. “The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection.”

In the past, the government has blamed China for such attacks but they should be blaming themselves. Their whole computer system is way overdue for some badly needed changes. The security solutions in place are mediocre at best, and in this day and age, that’s just not good enough.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishing Attacks Hitting Government Contractors

Case in point: Arizona State University (ASU) – the hallowed institution located in Phoenix, Arizona, which recently chose to block all incoming emails from the petition website change.org. A popular site that’s gained a head of steam recently with the Occupy Wall Street movement, change.org’s mission seems to be to enact social change through online petitions. Apparently, ASU isn’t impressed enough with the site’s mandate to let it slip when email began flooding the institution’s inboxes. According to local newsmagazine DowntownDevil.com:

“A statement released by ASU spokeswoman Julie Newberg said ASU began blocking messages from the website in December after discovering it was a source of spam emails.” According to Newberg, “Although the individual who sent the email may not consider himself a spammer, he acquired a significant number of ASU email addresses, which he used to send unsolicited, unwanted email, which is the definition of spam.”

There’s little sense in disagreeing with Ms. Newberg on the definition of spam, but the university’s actions beg the question of whether this action against a seemingly benevolent organization is a breach of free speech. More so, can this action be deemed a form of censorship? Before you weigh in, consider this:

“Newberg also said ASU is blocking all outbound connections to the change.org server. ASU routinely blocks servers to reduce risk to students, faculty and staff, Newberg said, but no examples of websites ASU has blocked other than change.org had been provided by Thursday evening.” Newberg goes on to say that “[ASU respects] the rights of all individuals to express their opinions…however, we must reserve the right to protect the use of our limited and valuable network resources for legitimate academic, research and administrative uses.”

Exactly how change.org is a risk to students, faculty and staff is unclear, but even the most closed minded among us must concede that this action by the university goes beyond the realm of simple email spam filtering and begins to trod on the toes of a scorched earth policy. If one petitioning web domain represents a threat to the university’s bandwidth, maybe the ASU Board of Governors should consider blocking Facebook and YouTube while they’re at it. Hey, it’s just a suggestion.

In a bit of an Ah-HAH! Moment, the article divulges a few tidbits that help piece together what may be happening here:

“A Tumblr blog post on Dec. 7, 2011, accused ASU of censorship and blocking the freedom of expression of students, staff and faculty. The post read, in part, ‘Not only is this outrageous, but it is a violation of First Amendment rights of both ASU students as well as the rights of Change.org.’ The Tumblr post claimed ASU blocked change.org because of a petition created by ASU students called ‘Arizona State University: Reduce the costs of education for Arizona State University students.’”

Ah, a petition on reducing costs to students. Is it really conceivable that the institution blocked a single domain because of a petition? It hardly seems likely. Possible, however, is that the university rushed to judgment in declaring change.org a purveyor of spam. What do you think?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ASU vs. change.org: Spam or Free Speech?

Almost all spam filters rely on trigger words. These words are commonly found in spam messages and serve as a pretty good indicator of which messages are legit and which aren’t. To keep your company and marketing emails on the good side of these filters, take a look at the top 10 trigger words and try to avoid them, especially in your subject lines:

1. Meet Singles - This subject line is used endlessly in many types of porn spam.

2. Work From Home - Work from home scams are among the most common types of spam. Work at home jobs are highly sought after, especially in today’s shaky economy.

3. Business Opportunity - Have you ever gotten a 419 or Nigerian Scam message? These spam messages often offer fake business opportunities along with the fake inheritances and pleas for help smuggling a fake family fortune out of an obscure country.

4. Buy Direct - A favorite phrase for spammers hawking counterfeit designer goods and pharmaceutical products.

5. Clearance - Another favorite phrase. Spammers like to create a sense of urgency to help make recipients think they are getting a huge deal.

6. Pre-approved - A tell-tale sign of financial spam. Mortgages, credit cards, payday loans, you name it.

7. Hello - This innocent sounding salutation has been thoroughly exploited by spammers thinking the casual and familiar feel it gives their messages will make them more likely to be opened and read.

8. You Have Been Selected - The favorite subject line of spam messages claiming the recipient has won a fake foreign lottery or one hosted by Yahoo! or Microsoft.

9. Weight Loss - Weight loss pills are often touted along with other shady drugs and supplements in pharmaceutical spam.

10. Limited Time - Subject lines like this create a sense of urgency, which spammers love.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 10 Spam Trigger Words

To show how serious they are about their attempts to eradicate spam, fifteen companies have joined forces to help fight one of the most dangerous spam tactics of all – phishing.

This collective, known as the Domain-based Message Authentication, Reporting and Conformance (DMARC), has come together to develop standards that they promise will help combat the practice of spammers sending emails that appear to come from a legitimate organization.

According to DMARC, its work:

“draws upon a history of private industry collaboration with 18 months of dedicated work, to outline an enhanced vision for email authentication that can scale up to today’s Internet needs.”

Who Is DMARC?

The group of fifteen who have dedicated resources to this fight consists of:

• Agari
• American Greetings
• AOL
• Bank of America
• Cloudmark
• Comcast
• Facebook
• Fidelity Investments
• Google
• LinkedIn
• Microsoft
• PayPal
• Return Path
• The Trusted Domain Project
• Yahoo!

And just what exactly they are trying to do is create a specification that allows senders and receivers of email messages to share information with each other about their authentication infrastructure to make sure that emails come from the organization they claim to be.

According to their website, DMARC attempts to address this by providing coordinated, tested methods for:

Domain owners to:

• Signal that they are using email authentication (SPF, DKIM),
• Provide an email address to gather feedback about messages using their domain – legitimate or not,
• A policy to apply to messages that fail authentication (report, quarantine, reject).

Email receivers to:

• Be certain a given sending domain is using email authentication,
• Consistently evaluate SPF (Sender Policy Framework) and DKIM(DomainKeys Identified Mail) along with what the end user sees in their inbox,
• Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks,
• Provide the domain owner with feedback about messages using their domain.

So What Makes DMARC Different?

Most companies already employ some type of analysis on incoming email messages to include SPF and DKIM so this specification isn’t turning to something new. In fact, they recommend a continued approach employing other techniques such as high quality spam filters and rate limiters to form a well rounded solution to fighting spam.

What DMARC is trying to do is to standardize and streamline the process of analyzing messages because participating companies can rely on the coordination of the group to establish trust when it comes to determining whether or not a sender is legitimate.

In plain English, DMARC looks to form a conglomerate of cooperation between email senders and receivers (the organizations like Google, Microsoft, Yahoo!, etc. not the individual users themselves) who share information about the emails they send to each other. Turning to the information made available to the group, it can be easier to see whether or not an email is spoofed spam or a legitimate message worthy of delivery.

Not only is it the hope that less spam will make it through, but that resources will be streamlined as a result of these efforts as well. Large datacenters could see a positive result if all goes as planned.

The Flipside

Of course not everyone is completely sold that DMARC’s work is a panacea when it comes to ending spoofing and spam.

John Levine, one of authors of the DKIM related Author Domain Signing Practices (ADSP) standard, had this to say in an interview with Information Week:

“It’s a good thing as far as it goes, but it does have some of the chronic Internet tendency to put a steel door on a cardboard box.” Like many security standards that are not mandatory, if it’s not implemented then it won’t fail. Neither DKIM nor SPF are at the point where a recipient can say that they will only accept messages that use them. Therefore you still need to keep your eyes open.”

Using Bank of America as an example, it was pointed out in the same article that to fight phishing and spoofing in the past domains suggestive of the name Bank of America, as well as typos, were purchased en masse. Because the pool is so large, Bank of America was not able to purchase every domain available. For example, wwwbankofamerica.com is not owned by them.

So if an email arrives from support@wwwbankofamerica.com it won’t fail any of the checks from SPF or DKIM because it is not a spoofed email address. By all accounts, the sender is legitimate.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Will DMARC Have Much Impact on Spam?

Spammers don’t fill our inboxes with junk because they have nothing better to do; they send out tens of thousands of messages every day because somewhere someone is going to click a link, or buy some junk proffered in that message. It’s a numbers game, and when it costs the spammer nothing more than a little time, some CPU cycles, and a cheap Internet connection to spew out garbage, spew it they will. Even if only one message in ten thousand gets all the way through from sender to unwitting recipient, who then clicks that link because they really believe they can solve any problems with their own physicality, or that they really might get a cut of some dead millionaires foreign fortune, or they really need that timeshare on a beach for pennies a day, the spammer wins.

The spammer fights an ongoing underground campaign because he can. We let him. Our mission this week is to stop doing the very things that the enemy exploits. He turns our own resources against us because we let him. It’s an insurgency campaign we’re up against, but today is the day we can start to turn the tide. Here are some of the tricks spammers use to get their messages into your users’ inbox.

Reconnaissance

Information can be a very effective weapon, and nobody knows this better than the spammer. The enemy will use bots to scrape your company’s websites for email addresses, will run directory harvesting attacks against your MTAs trying to discover valid users, and will buy and sell mailing lists whenever and wherever they can. Too often we make it easy for them, by CC-ing dozens of unrelated users with marketing emails of our own, sharing out all those email addresses with who knows who. Unless you like revealing sensitive information to the enemy, it’s time to 86 that and now.

Configure your MTAs to reject VRFY queries and to ban source addresses that attempt multiple VRFY commands or attempt to send more than a small number of messages to invalid recipients. Set maximum recipient limits on all outgoing messages to stop your users from sending out messages that could carry too many valid addresses outside the company, and train your users on the benefits of BCC. Set any distribution lists you have that can be mailed to from the outside or that contain external recipients to moderated, and reject any messages that contain too many internal email accounts. Finally, keep your head down by not posting email addresses on the websites. Either use a contact form, or encode email addresses so that real humans can use them, but so bots cannot automatically harvest them.

Probing your perimeter

The enemy is probing our lines for weakness, so too must we. Port scans for systems listening on TCP port 25 can quickly identify any system capable of receiving emails. Too often those are not a part of the corporate email system, but can relay email in to internal users. They also will look at your MX records and try to send email to systems with higher weights, on the too frequently correct premise that those are valid, and not as up to date as your primary systems. Probe your own lines by setting up regular port scans on all IP address space, whether a part of your primary datacenter, your DR site, or your remote offices. Verify that each and every host that accepts a connection on TCP port 25 is a valid mail server, and is properly configured with the appropriate anti-spam measures at your disposal. Make sure that every host with an MX record in your DNS is appropriately configured as well.

Camouflage

Spammers will also try to get past your defenses, and your users’ own suspicions, by obfuscating links using a variety of methods including encoding, URL shorteners, and  redirects. Your message filtering system should already be filtering that sort of thing out, but make sure you set low thresholds for the numbers of links that are in an email. Educate users on the dangers attachments present, and quarantine any encrypted attachments until you can confirm they are legitimate business communications.

Covert operations

Spammers will frequently spoof the sender address in email to get past filters. They may even use a recipient’s address or another in the same domain as the sender address so it looks more legitimate. To defend against such attacks, use the technologies available to you. Ensure your own SPF records are up-to-date, and set to hard fail (-) to protect others from spammers who try to masquerade as you, and reject any email you receive that fails an SPF check. Use DNS black lists to refuse mail from known spammers and address ranges that belong to residential and mobile services. You can always whitelist a partner but your default posture should be to reject any mail that fails to pass the sniff test.

Ultimately, if the spammer finds even a fraction of a percent of his efforts are successful, he will remain motivated to attempt more attacks. We have to take the financial incentive out of the equation, and that means spreading the word to our user base, our friends, our families, and the social groups we interact with. If no one responded to a spam message, or clicked a link in a piece of UCE, there’d be no financial motivation for a spammer to continue his campaigns against us. Will we get the word out to every single email user in the world? Of course not. But if we can educate our users to stop the activities that make all the user@ourdomain.com addresses pop up in the cross hairs of the spammer, and we take appropriate cautions and set proper configurations on our systems, in the long term we should see a marked downtick in the volume of spam heading our way.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Fighting Boot Camp Week 1: Know Your Enemy

What we need is an Internet standard that allows this level of protection to work at scale – without any discussion, without any partner agreements,” said Brett McDowell, a security manager at PayPal who serves as chairman of the group. “That is what DMARC does.”

Setting industry standards is an important step, but still more important is getting the corporate world to adopt them. There will probably be some protesting and the inevitable excuses such as “I don’t have the time to implement them/train my IT department” and the most popular excuse “cost too much in time/productivity/money”. It may take some time to get most businesses aboard, but I think once they are, it will make a dramatic difference in the amount of spam and phishing attacks sent from corporate addresses or exploting popular brands.

What do you think? Will your company adopted the new standards? If not, why?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Banks and Top Websites Develop New Spam Fighting Techniques

This has prompted a majority of IT departments to employ some sort of anti-spam, or spam filtering, solution to assist in keeping the inboxes of their users as spam free as possible.

But notice that the word assist is used in that previous sentence.

This is because no spam filter is going to completely eliminate spam. There are some out there that will do a great job of drastically reducing the amount of junk email that is successfully delivered, but despite the anti-spam solution’s best efforts there are users in every organization that will find a way to attract spam like ants to a picnic.

To help reduce the number of pharmaceutical advertisements and promises of great riches that fill the inboxes of your co-workers, try these hints to help involve them in the fight against spam:

1. There is no one giving you a iPad for free.

When you click on those advertisements that proclaim you the lucky winner of an iPad, XBox, smart phone, etc. understand that they are just collecting your email address and other personal information to sell off to spammers.

Instruct your users to avoid clicking on any advertisements when they using computer resources at work to avoid falling for scams that collect their email addresses and to stay away from sites that may install malware on their computer.

2. Social games harvest more than virtual crops.

When a game boasts over 70 million players, people take notice. Some of those people are spammers.

Social games are fun ways to pass the time, and most are free to play. And while the makers of these games will often charge for level-ups or other premium services they also make money other ways. When you register, you provide your email address, your age, your income and a host of other information that can help advertisers (and spammers) better target you for mass mailings.

Users should understand that they should only play games on sites that legitimately protect their personal information and that their work email should never be used to register on any site. Also, they can cut down on spam and advertisements by reading the fine print when signing up and opting not to receive product information from the company or its partners.

3. Unsubscribing tells spammers you are alive.

According to the CAN-SPAM Act, all email marketing must contain a way for recipients to remove their name from the mailing list. Spammers know this and use this for two things. First, it helps legitimatize them. People see this and think that it is merely an innocent advertisement. Secondly, it lets the spammer know that they have found an active email address instead of one that has long been abandoned.

Teach users how to block emails so that when they receive newsletters and advertisements that they don’t pay attention to, they can simply block them rather than opt-out.

Make it easy for users to help identify spammers. One organization I work with has an email address set up for users who receive spam or other suspicious mail. They simply forward the email message in question to that account and someone from the IT security team addresses the problem. Not only does this help feed the spam filter with more data to use, but it brings the users into the fight. They feel like they are helping to solve the problem.

Users can be one of the best weapons in fighting spam, if you make it easy enough for them to help. A simple email address where they can forward suspicious emails beats having them fill out a form or filing a formal report.

4. Never register for forums, websites, chats or newsletters using your work email address.

Many times, we sign up for things with our work address because it is something legitimately used for work. This can lead to users being comfortable with this process and eventually, they will post that address to a less than ethical site.

Make it a policy that company email addresses should not be used to register for anything other than with a trusted vendor, customer or partner.

5. Clean out your inbox regularly.

When forced to clear junk mail out of their inbox, most people will be more cognizant of how much spam is sent to them on a daily basis. When they find this process to be tedious, they will likely do a better job at managing their email address out in the wild.

Most companies have policies that address email inboxes, and just as many don’t really enforce these policies. Make sure that users know that this, or any other policy regarding email, will be enforced.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Ways Your Users Can Help You Fight Spam

1. Bad Subject Lines
Most spam filters are programmed to look for words like “free”, “sale”, “deal” and “discount” in subject lines. Since spammers love to use such words in an attempt to lure people into reading their messages, more often than not, legit emails with those words in the subject line will end up flagged as spam. It’s also important to check and double check before you hit send. I’ve received marketing emails with blank subject lines or “Type Headline Here” as the subject, indicating the person in charge of sending the marketing blast was either careless or inexperienced. Not only does this make your company look very unprofessional, but it can get your messages flagged as spam.

2. Careless Use of the CC Feature
You should never send emails to a large group using CC. This not only exposes your customer’s email addresses, but if one of them decides to respond and chooses to hit the ‘reply all’, it will end up causing an unintentional spam loop and a lot of unhappy customers. Emails with huge CC lists are also a common feature of spam generated via dictionary attacks. Use BCC or a mailing list manager like Constant Contact.

3. Sending Attachments
There should never ever be a reason for you to send your customers attachments, but I’ve gotten a couple of marketing emails with them. It was almost always caused by a poorly formatted HTML message which included the graphics as attachments. A big no-no!

4. Bad IPs
It’s important to check your IP addresses regularly to make sure they haven’t been placed on blacklist. False positives aren’t uncommon and it’s also possible to have your server compromised without knowing it. Email sent from a blacklisted IP will never make it to any recipient whose IP subscribes to that blacklist.

5. Buried Unsubscribe Instructions
There will always be people who subscribed and then changed their minds, and many will become easily frustrated and simply report your newsletter as spam instead of doing the right thing. Don’t rely on a tiny link buried at the end of the email. Make sure your unsubscribe link is easy to find.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Tips to Keep Your Emails Out Spam and Junk Folders

Malware developers seem to appreciate a little humor when it comes to naming their schemes. One of the latest email scams to invade inboxes everywhere is no exception, it seems, and the FBI has been quick to let businesses know that if they don’t keep their eyes open for a phishing scam originating in an email from FDIC, NACHA and the Federal Reserve, opening the mail’s attachment could be one of the most devastating choices in a young 2012. Worse yet, this new scheme appears to be linked to the Lord of the Greek gods – or its eponymous malware, anyway.

‘Game over’ is never a good thing, whether it means that your last ship has been destroyed and your quarter spent, whether it’s a lame and overused witticism that yet again has found its way into the mouth of Hollywood’s action hero du jour, and yes, even when cyber criminals are searching for just the right name for their latest piece of malware. While we’re not averse to debating the first two, our interest here is firmly with the latter. It seems the U.S. Federal Bureau of Investigation shares that interest, as evidenced by a security bulletin earlier this month that identifies a new email scam, one which cyber criminals have decided to call – what else? – Gameover.

Gameover is a phishing attack that appears in the form of spam emails spoofing the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Bank, or the National Automated Clearing House Association (NACHA). Like a multitude of others, the scheme preys on users’ fears and/or lack of vigilance, informing them that there has been a problem with their bank account or an ACH transaction (ACH stands for Automated Clearing House, a network for financial institutions in the U.S.). Sufficiently frightened, recipients are encouraged to click the included link, which instead of resolving the issue, takes the user to a malicious site where the Gameover malware is executed.

The malware has been identified as a variant of ZeuS, a notorious piece of malware which has been responsible for stealing financial information through the practice of keylogging for a number of years. Once activated, the cyber crooks can steal banking information such as account numbers and passwords.

As if that wasn’t enough…

More than just a keylogger, however, ZeuS (and coincidentally, Gameover) has an added payload. According to the FBI:

“After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site — probably in an attempt to deflect attention from what the bad guys are doing.”

But wait – there’s more!

In what sounds like a novel involving international intrigue, FBI investigations have been able to trace the attacks as far as to jewelers, as the stolen funds are used to purchase “precious stones and expensive watches from high-end jewelry stores”. The crooks contact the jeweler, tell them what they’d like to purchase and inform them that they will wire the money the following day. The following day, a “money mule” – a person involved in the money laundering part of the crime – shows up at the jewelry store to pick up the merchandise. The jeweler confirms that the money (the stolen money from the spam scheme) is in their account and upon doing so, turns the merchandise over to the mule, who in turn delivers the merchandise to the crooks or converts it into cash that upon being transferred, is effectively laundered.

Wow – It really is the stuff of imagination, but even more interesting is that the FBI has suggested that the mules could be unsuspecting victims of those omnipresent ‘work at home’ schemes that we see everywhere. While the federal agency has confirmed that many of the mules are willing participants, it has also noted that an increasing number are likely people who have succumbed to these schemes and have been unwittingly recruited into laundering money stolen from victims of the spam scheme.

Be on the lookout for this one and advise your staff ASAP. At very most, it could be a story worthy of a novel. At very least, it could save you and your users plenty of headaches and lost funds.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

FBI Declares ‘Gameover’, Link to ZeuS

Along with a new year, January brought with it a new wave of spam campaigns, most ofthem malicious in nature. Here’s a look at some of the top headlines for the month:

Nokia Fined For Spamming Their Customers:

http://arstechnica.com/gadgets/news/2012/01/nokia-fined-in-australia-for-spam-texting-its-own-customers.ars

Top 9 Domains Used to Send Spam:

http://betanews.com/2012/01/25/what-are-the-top-domains-used-for-spam/

New Wave of Spam Infects Just By Opening Email:

http://www.darkreading.com/security/attacks-breaches/232500660/new-drive-by-spam-infects-those-who-open-email-no-attachment-needed.html

Global Spam Levels Drop, Malware Rises:

http://www.zdnet.com/blog/btl/global-spam-declines-as-malware-encounters-pick-up-report/67858

Man Accused of Running the Kelihos Botnet Says He’s Innocent:

http://www.computerworld.com/s/article/9223820/Accused_Kelihos_botmaster_proclaims_innocence

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

January Spam Roundup

Please read the following post with the voice of a drill sergeant in your mind. Imagine something between R. Lee Ermey and Samuel L. Jackson if you can, or maybe Stephen Lang. Alright people, listen up! Welcome to Spam Fighting Boot Camp, or what some mamby-pamby college puke might call Spamfighting 101!  Over the next nine weeks I’m going to take you through a series of briefings designed to turn you into a lean, mean, spam fighting machine. We will teach you to know your enemy, train you to anticipate, out think, outmaneuver, and out fight your opponent, and leave you with the skills necessary to defend your email systems to the last message. Our users must be protected from the enemy, and that enemy is spam!

The best defence is a strong offence, but as much fun as a search and destroy mission behind enemy lines might be, our field of battle must remain within our users’ inboxes. Our goal is zero casualties people, and no mailbox gets left behind. Here’s what you can look forward to over the next several weeks:

Week 1: Know your enemy

We’re going to look at how spammers think, how they act, what their motivations are, and the cunning tricks that they play in their unending attempts to compromise our users’ inboxes. We’ll look at our own infrastructures’ fortifications through the eyes of a spammer, so that we can see the weaknesses that our enemy will attempt to exploit.

Week 2: Beware of friendly fire

While our mission is to oppose the enemy wherever we may find him, we don’t want to become the victim of friendly fire, and we don’t want anyone else mistaking us for a spammer. We’ll look at the proactive measures and policies that will prevent these sorts of accidents from happening.

Week 3: Improvise, adapt, overcome

Budgets are tight, and sometimes you must make do with what is at hand at the moment. We’ll look at the anti-spam technologies that are available to you in some of the most popular email systems.

Week 4: A well-regulated militia

Try as we might, sometimes the enemy slips behind the line, and arming our users’ workstations adds a layer of security to halt those spams that might get past our sentries.

Week 5: The last line of defence

Spammers continue their campaign against us because, at the end of the day, there’s always someone who will buy whatever line they’re selling. Here we’ll look at winning the hearts and minds of our users, educating them against the threats spam presents.

Week 6: Gearing up 

To shore up our defenses, we have many options available. During this training mission, we’re going to look at the options available for shoring up our defences with bolt-on software solutions.

Week 7: Allied Forces 

Some campaigns may require us to interact with allied forces. Understanding them completely can make the difference between a quick victory and a protracted campaign, and we’ll look at strategies for combining our strengths into an effective spam smashing force.

Week 8: Forward operations

The closer we can bring the fight to the enemy, the further away they are from our users, and cloud-based solutions move the fight from our datacenter to the Internet. We’ll examine strategies for success.

Week 9: Good to go

Training complete, you’re  ready to engage the enemy. We’ll go over some last minute tactics and strategies to make you the complete spam killing machine.

Well alright then. Gear up, strap in, and get ready for some action! Spamfighting bootcamp is about to begin!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Fighting Boot Camp: The Mission

People just weren’t spending as much money in the malls and department stores.

However every single study of consumer spending did show that companies with a strong online presence had a significant boost in sales this past year, including the holiday shopping season. In fact during December alone, non-store sales rose 10.6 percent from the same time one year ago. Even automobile sales online boasted a 9.5 percent increase.

To make sure they can stay competitive in the online retail sector, businesses must strive to build, and at the same time maintain, a solid reputation on the Internet.

Of course it was only a matter of time before spammers realized this as an opportunity to take advantage of this trend to dupe business owners into downloading dangerous malware.

How the Scam Works

Businesses are sent an email branded with the Better Business Bureau logo that reads:

“Thank you for supporting your Better Business Bureau (BBB). Your BBB receives more than 6,500 requests for information every day and provides reliability reports to consumers 365 days a year, 24 hours a day, and 7 days a week.

As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.

We encourage you to use our ONLINE FORM to provide us with this updated information. The URL below will take you directly to this form on our website:

CLICK HERE to login to your BBB account

You may also complete the form on the reverse side of this letter and mail to PO Box 1000; DuPont, WA; 98327; or fax to (206)436-5496.

Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily. In addition, many consumers may search our database using your e-mail and/or Web address, so please be sure to include this information as well. As a BBB accredited business, you receive a free hyperlink from your online reliability report to your company Web site if provided to us.

Thank you again for your support, and we look forward to receiving this updated information.

Sincerely,

Accreditation Services”

Eager to keep their information and good standing current, business owners and managers who click the link are not taken to a legitimate site hosted by the BBB. Instead their computer downloads malware and their account credentials are compromised by the phisher.

Another version of the phishing scam informs the recipient of the email that a negative review of their company has been posted to the BBB site. To refute the claim, the recipient must click on the supplied URL and address the problem. Failure to do so would result in the complaint resulting in a bad report being filed.

The URL here also directs the victim to a malicious site and has the potential for account credentials being stolen.

Fighting Back

This newest scam is the third of its kind in the last three months targeted at business owners.

Businesses have been instructed, by the BBB, to contact them directly if they receive emails claiming that they have received a negative complaint or that their information is incorrect or incomplete.

The Better Business Bureau is also taking steps to fight the problem, enlisting the help of the FBI.

“Our national organization in Arlington, Va. has been working for three months with the FBI, and I can tell you that they’ve closed down over 50 sites”, Katie Carrol, Director of Media Relations and Communications with the BBB, said.

They have also asked for business owners to help them fight this growing problem by contacting them at phishing@council.bbb.org if they received these emails, or any others like them.

IT departments should also be aware of this scam and take necessary precautions.

In house steps that can help prevent problems related to this latest attack, as well as others, include:

• Keeping anti-malware software up-to-date.
• Make sure anti-spam solutions are configured correctly and up-to-date.
• Make sure that employees are aware of this scam.
• Put procedures in place for employees who receive this email, or other spam messages, to report it.
• Teach employees how to better recognize spam and phishing attempts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishing Scam Targets Victims Using Better Business Bureau

Naturally, such tools would be very useful for IT departments and system administrators to educate employees on how to spot phishing scams. Employees falling for such scams are a leading cause of corporate data breaches, and such breaches can cost a company millions.

“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner?’” said Will, one of the Toolkit’s co-developers. “It seems like in every organisation there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”

While it appears the developers had honest intentions when they created the toolkit, the fact remains it could be pretty attractive to the bad guys and they have no way of controlling that. Right now it doesn’t record any data typed into the fake phishing sites it generates, but they said future versions of the kit will have that functionality. That may make it irresistible to scammers looking for a way to create phishing campaigns that’s fast and won’t eat into any profits.

What do you think? Are these toolkits helpful or just asking for trouble?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Go Phish Yourself?

The first one is a new incarnation of an old scam. Emails that look like they’ve come from your friends arrive with an urgent message about them being on a trip to a far flung place such as Madagascar, London, or Berlin and needing help. You see, they were mugged/assaulted and all of their money and documents were stolen, and they really need to go home but there’s the matter of their hotel bill. The messages generally ask for about $1600 to be sent via Western Union. Of course it’s just a variation of a 419 scam. If you get one, no matter how convincing it sounds, try contacting your friend first. In 99.9% of cases you’ll find they are safe and sound at home.

Next is the Better Business Bureau, who has joined the ranks of the brandjacked as new spam messages claiming to be from them are making the rounds. The messages tell the recipient that a complaint has been filed against them and urges them to click the included link to read it and respond. Anyone who does so is taken to a malicious site that attempts to infect their computer with the infamous Zeus Trojan. Zeus, distributes by a botnet with the same name, installs a keylogger and several other nasty bits on to the infected system and steals banking info and other sensitive data.

Finally, popular companies such as Facebook, American Airlines, Paypal, and several major banks are also being brandjacked by scammers. In some cases the phishing messages are receipts for fake purchases or reservations and in others, fake message or fraud notifications. In almost all cases, the attachments and links in the messages deliver malware. It looks like the spammers are hard at work building up their botnets!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Several New Phishing Campaigns Going Strong

The Microsoft Digital Crimes unit has continued its investigation into the perpetrators behind Kelihos, and today filed an amended complaint in the U.S. District Court for the Eastern District of Virginian, naming Russian citizen Andrey N. Sabelnikov as the alleged perpetrator.

Microsoft indicated in a blog post today that former defendants Piatti and the dotFREE Group have been cooperating with Microsoft, and it is this cooperation combined with new evidence that has enabled Microsoft to amend their complaint and name Sabelnikov.

In the amended complaint, Microsoft presented evidence against Sabelnikov alleging that he wrote code for Kelihos and either created or participated in the creation of the malware. Evidence was also presented supporting the allegation that

Sabelnikov “used the malware to control, operate, maintain and grow the Kelihos botnet.”

The complaint goes on to allege that Sabelnikov registered over 3,700 domains in the cz.cc namespace with the dotFREE Group SRO, using these in the ongoing spread and control of Kelihos.

A statement on Microsoft’s official company blog by Senior Attorney for the Microsoft Digital Crimes Unit Richard Domingues Boscovich asserts Microsoft’s commitment to continuing the investigation and taking action against all the individuals who participated in Kelihos. Remember that the original complaint named twenty-two John Doe co-conspirators. One can only assume that Sabelnikov is the first, with another twenty-one to be named as more evidence is developed.

Microsoft has also made available more information on botnets and free tools to help clean users’ computers if they have been infected. You can view that information at: http://support.microsoft.com/botnets.

As more information develops on this case, we’ll be sure to keep you up-to-date with continued coverage. Those of you with an interest in the legal actions involving Sabelnikov can read the amended complaint here (PDF, new window).

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Kelihos Actions Continue: New Defendant Named

The year’s off to a rousing start, with all sorts of interesting security news this week: Wikipedia led a temporarily successful foray against SOPA and PIPA by joining numerous websites that went dark for a day; the founder of Megaupload had his hands slapped when law enforcement officials told him resoundingly, “no, you can’t pirate copyrighted material” – insult was heaped upon injury when dozens of expensive cars were towed away to show him they were right; and Koobface – the Facebook botnet that has been harassing Zuckerberg for years – was taken down by its own creators after the Facebook gang teamed up with The New York Times to uncover and publish the identities of the worm’s owners. To round off the week, QR codes (like the one in the image here) may just be the latest form of spam, and news out of the Twitterverse suggests that Darwin’s cardinal rule is not only true, it’s actually a dire prophecy of our impending extinction.

The year’s less than a month old and it may already be shaping up as ‘the year of anything goes’. Topping the headlines was a mass protest against seemingly inevitable anti-piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect I.P. Act), as innumerable websites intentionally went dark on January 18. Led by students’ greatest friend and perpetual source of dubious information Wikipedia, the activist movement irritated web surfers across the globe and scored one for the little guy as the bureaucrats in Washington, DC backed off the proposed legislation and shelved the bills, albeit temporarily. It’s practically inevitable that some wily spammer will take advantage of this controversy, so keep your eyes open and watch your back.

In a related story and in the spirit of fishy timing (i.e., the same week as the aforementioned protests), Megaupload founder, Kim Dotcom, was carted off along with several other geniuses who figured they would get away with providing a conduit for copyrighted material, all the while skimming millions of dollars off the illegal activity and thumbing their noses at the FBI. German national Mr. Dotcom, lamented as his lavish New Zealand mansion was raided and dozens of vintage cars were hauled away as the spoils of war. Again, there’s more here than meets the eye, especially now that Anonymous has its back up.

In an LMAO moment, individuals responsible for Koobface – a nasty piece of malware that has been frustrating Facebook and Twitter users for years – have taken down their own command and control server after Facebook teamed up with The New York Times to uncover and embarrass five of the founders – Russian nationals living in St. Petersburg, Florida. The named individuals have scrambled to scrub their online profiles, but it’s highly doubtful that erasing their cyber identities will have much of an effect in the real world, where police carry real guns and real handcuffs.

Are QR codes the newest spam threat? Some people think so. QR – or Quick Response – codes were developed in the automotive industry and have been used for a while. Slowly entering the mainstream  over the past couple of years, they are in wide use in Japan, the UK and the US, amongst other countries. Popular because of their fast readability and relatively high storage capacity (compared to bar codes), the increased use of smartphones with cameras and QR reading apps have made the codes a prime target for manufacturers and retailers; heck, even Google’s looking at getting into the game by using QR codes as a secure login method.  The problem is that QR codes can contain virtually any information, meaning that they are already being exploited by scammers and spear phishers. Keep an eye on this one, folks – and think twice before you take a picture of that code staring you in the face.

Finally, from the Twitterverse, here’s one that, no matter how much you shake your head, won’t rid that sickening feeling that the human race is on a collision course with extinction. Perhaps a case of ‘you can’t spell Twitter without ‘twit’, this recent article shows just how careless – or ignorant, or both – web users really are. Get this: over a twenty-four hour period, more than 11,000 Twitter users shared their email addies with the rest of the world. A safe practice if we were living in Thomas More’s Utopia, but it’s not the case if you reside anywhere on Earth, which is rife with people who would just love to use that information against you. This is just a guess, but it looks like spear phishing season is open and Twitter is the local watering hole.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Week in Review: You Can’t Spell Twitter Without ‘Twit’

A new spam campaign is brand jacking popular social networking site LinkedIn to spreadlinks leading to shady domains. The emails, which look like notifications from the site telling the recipient they have a message waiting, contain links that allegedly lead to the messages. Instead they take the recipient to a pharmaceutical site offering fake prescription drugs and male enhancement products.

Spam involving these sites is nothing new. Even though the infamous Canadian Pharmacy ring was severely incapacitated when first Spamit and then Rustock went down in 2010, it hasn’t stopped spammers from trying to cash in on these fake pharmacies. While some actually sell drugs, they are almost always fakes made in India. Since these copycat drugs are made with absolutely no regulations or oversights, the FDA issued a warning to consumers to avoid ordering from these types of sites. There are also variants of these sites that are little more than fronts for phishing operations (people place their orders but never get anything and their CC info is stolen) or attempt to deliver malware.

While like most phishing emails, hovering your cursor over the URL will reveal that the link is fake, there are still people who see the LinkedIn branding and click, thinking it’s legit. What’s more unbelievable is that some of those people will actually stay on the site and buy something.  As long as these tactics work, spammers and phishers will keep using them.

Have you ever fallen for a phishing email? Even if you only clicked on the link, it counts. Share your story with us!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Fake LinkedIn Emails Delivering Spam

Spammers, always trying to stay one step ahead of the game, realize this. They know full well that businesses conduct trainings for their employees, IT departments spend thousands of dollars on spam filtering technologies and many of their intended victims have just grown wise to their methods over the course of time.

So, like any good criminal would, spammers have adapted.

Over the years they have ventured out into other avenues in which to launch their attacks using social media, text messaging services and even the content used by websites has become a method for spammers to advertise their products.

However now spammers have not only changed how they attack their victims, but they have changed the victims themselves.

More Spam Targeted At Children

Children have always been the indirect casualty of spam since the day they sign up for their first email account. Once that address is captured by a spammer’s list they will most assuredly start receiving ads for pharmaceuticals, financial help and even mail order brides.

But for quite some time their receipt of these messages was based on mere coincidence. Their email address was caught in the cross-fire.

Spammers didn’t target them directly because the messages sent to them were essentially worthless. Most 13 year olds weren’t looking to get out of debt or interested in meeting singles in their area (over the age of 18 that is).

But that has all started to change.

Spam itself has changed as well. Sure there are still enough email messages pleading for your assistance moving money out of a war torn nation, but for the most part this type of spam has slowed down. Taking its place are phishing scams and the delivery of malware. And both are much more dangerous than the Nigerian prince hoax.

Children Are Easier Targets

Children may be more adept at using technology than their parents, but they are still kids. And what is one thing that kids love to do on the computer? Play games.

Of course, this quickly became a breeding ground for spammers.

Spammers can easily target the email addresses of younger Internet surfers to advertise fun, arcade style web sites that specifically appeal to children. Clicking on the link provided in the spam email takes the eager-eyed kid directly to a site where they can choose from hundreds of online games to play.

By infecting the website with malware spammers have found that they can easily attract thousands of visitors who are far less skeptical and much more willing to click a link or download a file if it means that they can soon have access to a wealth of games to keep them occupied.

So bad is the problem that some security firms report that there are more than 60 arcade game sites that contain malicious software aimed at children. Some of these sites were designed specifically to serve malware and others are the unknowing victims of cybercriminals who have injected the malicious code into a perfectly legitimate web site.

Why Kids?

If kids don’t have the money to fork over to the spammers, then why have they become the targets of these attacks?

Because it gives the criminal easier access to their parents information and data.

Since most children share a computer with other family members, spammers have picked up on the fact that by tricking little Johnny or little Sally into downloading a keystroke logger through their site, they can have complete access to any information their parents may have there.

Taking it one step further, by requiring a credit card to access premium content or to purchase additional game features, scammers can easily capture thousands of freshly validated card numbers from parents who allow their children to make these purchases online.

Unfortunately, education doesn’t really work as well with kids as it does with adults. Adults quickly see the ramifications of spam and avoid it. Children, on the other hand, are much more impulsive thus, clicking on a link that promises fun outweighs the risks.

To fight this trend it is going to take vigilance on the part of parents to stay on top of their children’s Internet activities and the implementation of the right technologies to help keep kids off of sites that pose such a risk.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers Targeting Kids Through Gaming Sites

Early Monday morning I received an email from Zappos, the popular online retailer.  Theemail informed me that they had been hacked and my personal info, along with that of 24 million other customers, had been compromised:

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

While it’s great that actual credit card numbers weren’t taken, the info that was leaves me and my fellow Zappos customers open to spammers and spear phishing attacks. It’s likely the hackers now know at least some of our buying history and can use that info to create very targeted campaigns, not to mention if they are able to decrypt the passwords they took before the account owner follows the company’s directions and changes it, theoretically they could access that account and go on a buying spree.

There are a couple of things to be learned from this and other recent breaches. Change the passwords you use regularly, and avoid using the same password and username on multiple sites. The hackers behind the Zappos breach will likely be able to find their way into other accounts because so many people use the same password over and over at different sites. If you’re a Zappo’s customer, change all your passwords and keep a close eye on your accounts, especially your financial ones.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zappos Data Breach Could Result in New Phishing Attacks

An open redirect vulnerability has been found on both Facebook and Google. This could easily be used to redirect users to a phishing page or a malicious domain. In a phishing attack, users wouldn’t even realize they’d been redirect, they’d just think their log in didn’t work the first time. This could potentially give scammers access to thousands of Facebook and Google accounts, and since many people have Gmail accounts linked to their Google accounts, access to those as well. A spammer’s paradise. Here’s a look at how it works:

Google

The Google vulnerability is located at the follwing URL:

https://accounts.google.com/o/oauth2/auth?redirect_uri=<malicious redirect>

If I’m not mistaken, I believe that this is actually a flaw inside of the Google API for 3rd party applications, because it is contained under the oauth directory. Oauth is what is used to make a secure link to an online account via a web API without the user compromising their password to an untrusted application.

Facebook

The Facebook vulnerability is located at the following URL:

http://www.facebook.com/l.php?h=5AQH8ROsPAQEOTSTw7sgoW1LhviRUBr6iFCcj4C8YmUcC8A&u=<malicious redirect>

In order to test both of these vulnerabilities, I recommend using the Facebook phishing tutorial found at Null Byte. However, when our web page is done, the link to our URL should be appended after the equal sign where it says “malicious redirect”. After you have crafted your URL, click it and see if you go through to your phishing page. If you did, pat yourself on the back and go mess with some of your friends.

What’s truly outrageous about this is that when notified about this, both Facebook and Google ignored the issue completely. Now as far as Facebook is concerned, this doesn’t surprise me. Anyone who has ever had a problem with the site and needed to contact them knows it’s next to impossible. Unlike most sites, they have no customer service or tech support email or phone number, no online chat or webform – nothing! Instead they offer a help center which really isn’t all that helpful, and a ‘Known Issues’ page where any and all user posts are ignored. So yeah, I can see how Facebook could ignore this.  I am surprised Google is though. They’ve always seemed more user friendly to me.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Security Vulnerability Found in Facebook and Google – A Spammer’s Paradise