Yahoo Sues Lottery Spammers

Yahoo is suing a group of spammers who used the company as part of their scam. The spam mails claimed the recipient had won a lottery run by Yahoo. In reality there is no Yahoo sponsored lottery, and anyone who tried to claim the bogus prize had their personal information stolen and was ripped off for hundreds of dollars in “processing fees”. The bogus prizes ranged from thousands of dollars up to a million dollars.

“The unauthorized use of Yahoo’s trademarks is misleading, fraudulent, and has actually confused, misled, and deceived the public,” said Joe Siino, senior vice president of Yahoo global intellectual property and business strategy, in a statement on Tuesday.

“Yahoo! is 100% committed to protecting our users from fraudulent e-mail messages and this lawsuit sends a clear message to spammers,” said John Kremer, Vice President, Yahoo! Mail. “We are going after individuals who have attempted to negatively impact the e-mail experience for consumers across the Internet. Through our continued litigation efforts, our top goal and priority is to further protect Yahoo! Mail users and the public from this type of fraudulent activity.”

The identities of the scammers are as yet unknown, but Yahoo claims to have information from some third party email service providers that will help track them down for prosecution. The company is seeking an unspecified amount in damages. It is very unlikely they will actually succeed in collecting any money, however.

Fighting SPAM: SMTP auth attacks from spammers on the rise

SMTP auth attacks are on the rise again. What does this mean?

Exchange and many other messaging servers support authenticated SMTP, meaning the use of a username/password combination in order to send mail. Spammers can then take a closed relay, i.e. a mail server that should not be sending mail on anyone’s behalf except the owning organization, and use the authentication mechanism to relay spam. This is a really popular kind of attack, since servers that have been locked down against every other kind of relay attack are wide open to it.

How does it work?
Spammers use a technique known as a brute force dictionary attack, meaning that thousands of combinations of usernames and passwords are generated in order to guess which combination may work for your server, pretty similar to picking a lock. Once a valid combination is found, spammers can then use a previously locked down server to send out spam.

How can this attack be made visible?
Regular monitoring of mail queues. Any mail queue containing items which obviously do not originate from known users inside the organization, especially in high volumes, is a giveaway, particularly when combined with a recent listing on several real-time block lists.

How can it be prevented?
Separate incoming and outgoing Virtual SMTP Servers, and switch off SMTP authentication on the internet facing SMTP stack. Switch on diagnostics logging and watch out for auth and transport events which don’t originate from inside the organization. Change the passwords of users whose accounts have been compromised and watch for similar events. Ensure that guest accounts are disabled and that strong passwords are enforced for all users and service accounts.

Even better, put something else in front of Exchange to absorb incoming SMTP mail, something which does not support SMTP authentication and combines that with a number of other anti spam filters. Because Exchange is so fantastically feature rich, it may be best not to have Exchange internet facing at all unless it has been secured properly. Multi level and multi vendor protection is often the best approach to securing against spam attacks; along with regular monitoring and a well thought out configuration, most known spam attacks, including SMTP auth attacks, can be prevented.
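An added example of the monitoring step described above (not code from the original post): a small Python script that reads constructed, simplified auth-log lines (the line format is an assumption, not Exchange’s actual diagnostics log layout), counts SMTP AUTH failures per external source address, and flags both the guessing run and the first successful login that follows it, which is the account whose password needs changing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log format for this example: "<ISO ts> smtp auth <ok|fail> user=<u> ip=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtp auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed internal ranges
FAIL_THRESHOLD = 5              # failures from one external IP inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample: one external host guesses five accounts, then succeeds on "erin".
SAMPLE_LOG = """\
2008-06-10T09:00:01 smtp auth fail user=alice ip=203.0.113.7
2008-06-10T09:00:02 smtp auth fail user=bob ip=203.0.113.7
2008-06-10T09:00:03 smtp auth fail user=carol ip=203.0.113.7
2008-06-10T09:00:04 smtp auth fail user=dave ip=203.0.113.7
2008-06-10T09:00:05 smtp auth fail user=erin ip=203.0.113.7
2008-06-10T09:00:06 smtp auth ok user=erin ip=203.0.113.7
2008-06-10T09:05:00 smtp auth fail user=alice ip=192.168.1.20
2008-06-10T09:05:01 smtp auth ok user=alice ip=192.168.1.20
2008-06-10T09:30:00 smtp auth ok user=bob ip=198.51.100.9
"""

def parse(line):
    """Return (timestamp, result, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], ip_address(m["ip"]))

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def analyze(lines):
    """Return alerts as tuples: ("bruteforce", ip, distinct_users_tried) and
    ("compromised", ip, user) for a success from an IP that was just failing."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    failures = defaultdict(list)      # ip -> timestamps of failures inside WINDOW
    users_tried = defaultdict(set)    # ip -> usernames seen in failed attempts
    flagged, alerts = set(), []
    for ts, result, user, ip in events:
        if is_internal(ip):
            continue                  # an internal user mistyping a password is not this attack
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if result == "fail":
            recent.append(ts)
            users_tried[ip].add(user)
            if len(recent) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", str(ip), len(users_tried[ip])))
        elif recent:                  # success right after a run of failures: reset this password
            alerts.append(("compromised", str(ip), user))
        failures[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above it reports the guessing host once and the account it got into; a lone success from an external address with no preceding failures (the last line) raises nothing.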

New Phishing Scam Targets iTunes Users

A new phishing scheme is targeting iTunes users. The emails look like they are from Apple and tell the recipient there is a problem with their account and to log into the iTunes site via the link provided. The link leads to a malicious site set up to look like the iTunes store that asks for the recipient’s credit card number, social security number, and mother’s maiden name.

Security experts speculate that Apple has become a target for phishers as a result of its increasing share of the computer market via its iPhone, iTunes service, and multi-platform QuickTime and Safari software. This increased share gives phishers a large group to hit via Apple oriented attacks.

“The bad guys have moved on from trying to take advantage of eBay or Citibank,” said Andrew Lochart, VP of product marketing at security vendor Proofpoint. “I guess this means that Apple is now a top-tier Internet retailer. The bad guys are trying to use Apple’s brand to commit identity theft.”

Fortunately, the scammers behind this new attack are not the brightest. They didn’t even bother to try to mask the domain their malicious site is parked on, and anyone paying even the slightest attention is sure to catch on before being victimized. As of now, Apple has had no comment on the matter.

Storm Worm Returns

The Storm Worm has returned with a vengeance, filling tens of thousands of email boxes with malicious spam. The spam, with titles such as “we belong together” and “if loving you”, has an embedded trojan called iloveyou.exe which turns the infected computer into a member of its botnet. Over 81,000 malicious emails a day are being sent.

This latest attack confirms analysts’ fears that the Storm Worm is being rejuvenated after 18 months of decline. The unknown hackers behind the worm also appear to be exploiting a large number of websites which they are using to host their malware.

No one yet knows what plans the rejuvenated botnet has, but most researchers agree that the stories of its demise have been greatly exaggerated.

Authorities Charge 40 in Internet Phishing Scheme

U.S. and Romanian authorities worked together to bust an international phishing scheme that is responsible for the theft of thousands of credit and debit card numbers. 40 people were indicted, 33 in California and 7 in Connecticut. Among the 65 charges the group is facing are aggravated identity theft, bank fraud, conspiracy to violate the RICO (Racketeer Influenced and Corrupt Organizations) Act, and unauthorized access to a protected computer. The RICO and bank fraud charges carry a combined 50 year prison sentence.

The group sent out phishing emails that looked like legitimate communication from a variety of banks, including Capital One, Citibank, and People’s Bank in Connecticut. PayPal was also a target. Over a million phishing emails were sent out per attack.

The Romanians collected the stolen bank info and sent it to U.S. based cashiers via Internet chat. The cashiers then used encoders to record the stolen info on the magnetic strips on the back of credit and debit cards and directed others involved in the scheme to test the cards by checking balances. The ones that worked were used to clean out the accounts they accessed.

         “Criminals who exploit the power and convenience of the Internet do not recognize national borders; therefore our efforts to prevent their attacks cannot end at our borders either,” Deputy Attorney General Mark Filip said in a statement. “Through cooperation with our international partners, we can disrupt and dismantle these enterprises, just as we have done today with these indictments and arrests.”

U.S. authorities are currently acting on nine arrest warrants issued in the Los Angeles area while Romanian authorities carried out search warrants related to the indictments.

New Phishing Scam Targets CEOs

Researchers at Verisign are warning businesses about a new type of phishing attack called spear phishing. While traditional phishing attacks center around getting any and all unsuspecting users to give up personal info such as passwords and account numbers, spear phishing’s goal is to get specifically targeted users to visit a malicious website that downloads spyware or malware that allows the phisher to take control of his victim’s computer.

This latest attack has targeted senior managers and CEOs at Fortune 500 companies around the country. The email claims that the recipient is being sued in federal court and must visit the included link to download important court documents. Once the link is clicked the victim is told they must download a plug-in to view them, but the plug-in is actually a Trojan that takes control of their computer, along with a keystroke logger. The emails are very believable and contain the recipient’s full name, company name and phone number. Verisign claims there are over 1,800 victims so far.

          “This is probably one of the largest spear-phishing attacks we’ve seen to date in terms of number of victims,” said Matt Richard, director of iDefense’s Rapid Response Team.

All it takes is one employee falling for the scam to put your entire company at risk. Successful spear phishers wind up with total control of the computers they infect, allowing them to access sensitive documents and valuable data. This scam has become so prevalent that the federal court system has placed alerts on the websites of each of its courthouses.

By the way, court documents are never sent out by email. If someone sues you, the documents are presented to you by a process server or sent via registered postal mail. Educate your employees and protect your business!

MySpace Wins Record Amount in Suit Against Infamous Spammer

Information Week is reporting that infamous “Spam King” Sanford Wallace, who hijacked over 300,000 MySpace accounts and used them to send massive amounts of spam to other users, and his phishing partner Walter Rines were slammed with a whopping $225 million judgment by a U.S. District Court on Monday.

          “MySpace has zero tolerance for those who attempt to act illegally on our site,” said Hemanshu Nigam, chief security officer of MySpace, in an e-mailed statement. “The Federal District Court in Los Angeles awarded MySpace $223,777,500 under the federal CAN-SPAM Act and $1,500,000 under the California anti-phishing statute. User engagement is up 32 percent year over year while spam is significantly decreasing, proving efforts like this are working.”

Starting in 2006, the pair began creating MySpace accounts and hijacking existing ones to send hundreds of thousands of spam messages. They also bombed the comment areas on thousands of MySpace pages with still more spam. A year later MySpace sued. Despite the victory, the chances of MySpace actually seeing any of that money are slim. Wallace responded to the judgment on his website:

          “I just read that a court awarded MySpace a $224 million dollar judgment against me. That’s pretty amazing since I haven’t even been served in this case since the preliminary injunction about a year ago. Regardless, the check’s in the mail.”

I’m sure MySpace is relieved to hear that. This isn’t the first time Wallace has been sued. Since the mid 90s he’s been sued by AOL, Earthlink, and CompuServe among others, and in 2006 he was fined $4 million by the FTC for distributing spyware. It’s doubtful this latest judgment will faze him one bit!

Flaw Turns GMail Into Massive Open Relay System

According to a report by the Information Security Research Team (INSERT), Google’s GMail service could potentially be turned into a giant spam machine thanks to a flaw that essentially renders it an open relay server. The flaw allows anyone with the ability to connect to SMTP port 25 and HTTP port 80 to exploit a GMail account and gain access to Google’s white-listed SMTP relay service.

Since Google has such a good reputation, most ISPs have white-listed the GMail domain and its IPs. A hacker exploiting the flaw would enjoy the benefits of that and be able to spam with no worries of being blocked. What’s more, they would also be free of GMail’s 500 message limit for bulk emails and be able to send thousands. INSERT’s test attack allowed them to spam over 4,000 email addresses in just 6 hours.

“To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue and we are awaiting their position to release further details,” the group wrote in its advisory.

Google has not yet commented on the group’s report. This is not the first time spammers have had a field day with Google. In February it was revealed that their CAPTCHA system had been cracked, and recently reports of spammers exploiting Google Calendar have begun to surface.

Fighting SPAM: Messenger Spam still going strong

Messenger spam started off with Windows alerts being pushed to surprised users’ desktops. Pop-ups would appear on users’ desktops carrying the advertisement. Users had no control and no ability to block or opt out, since they had never given permission in the first place.

How did it work? NetBIOS and RPC ports were left open, allowing spammers free access to systems, home based or otherwise, and with the advent of broadband, thousands of advertising opportunities opened up. Poorly secured network connections allowed the Windows Messenger service, originally designed for administrators to send messages to users about network related issues, to be reached and abused. Messages sent this way were nearly untraceable, anonymous and annoying.

Spam messages often included telephone numbers and web site addresses; however, the original advertiser would not be blamed for the intrusion into users’ machines, since they would have outsourced the advertising to a spammer specializing in this space.

Spam traffic, including SMTP traffic, accounts for a huge proportion of today’s internet traffic. Worms and robots which gather information for spammers include traditional spam bots trawling websites for usable email addresses; even more sinister, however, are robots which probe thousands of internet connected networks every day, seeking open ports through which to inject advertising messages.

Instant Messaging clients, including MSN, Yahoo, Google, Jabber, etc., have all at one point in time been targets of attack, forcing their owners to tighten up security in order to protect users. Since malware and spyware take advantage of the same Windows Messenger Service and IM ports which allow unwanted advertising to be propagated, much has been achieved with personal firewalls.

Corporate networks will benefit from ensuring that NetBIOS and RPC based ports are locked down, as well as from logging IM based traffic. Investing in intelligent firewalls such as Microsoft’s ISA Server and federating the Instant Messaging traffic sent and received, using enterprise IM products, not only greatly reduces IM spam, but offers the network administrator a level of control not previously possible.

Due to the huge range of Windows versions in use around the world today, messenger spam is still being reported across the globe. Network administrators can protect their users from the Windows Messenger Service attack by ensuring that the service is stopped and disabled in the Control Panel if not required by the business, as well as by installing a firewall capable of blocking this and other kinds of messenger spam attacks.

New Botnet Now Accounts for Half of All Spam

New research from Marshal’s TRACE team has found that the new Srizbi botnet, first detected in February, has now grown to the point that it is responsible for half of all spam sent. This makes it the world’s largest botnet. The team estimates it is made up of at least 300,000 computers and sends over 60 billion spam messages per day. 60 billion! It’s been used to promote everything from watches to sexual enhancement pills, and it also uses spam disguised as celebrity news to distribute its own malware.

While Srizbi grows to mammoth proportions, Storm has begun to fizzle out. Spam sent from it has decreased by over 57%. This caused it to lose its place as the number one source of spam to the Mega-D botnet, which declined in February when its controlling servers went offline for 10 days. Unfortunately it’s back now and fighting for second place with the Rustock botnet. To give you an idea of the disparity between the first and second place botnets, Rustock sends merely 60,000 spam messages a day.

“The challenge now is for the security industry to turn its sights on Srizbi and the other major botnets. We look forward to seeing Microsoft target Srizbi with MSRT in the near future,” said Bradley Anstis, vice president of products at Marshal.

Until now Srizbi has been mostly overshadowed by the Storm and Kraken botnets. Kraken had been found in over 50 Fortune 500 companies and was undetectable on most machines, even those running up to date anti-virus software. Recently researchers at DV Labs were able to infiltrate it and shut it down, severely reducing its threat.

It’s interesting that Srizbi rose to glory just as Mega-D went offline back in February. Is there a connection? No one knows for sure, but it does seem to be quite the coincidence!