Written by Sue Walsh on February 27, 2009
A man in England who was victimized by a phishing scam found himself being blamed for it by his bank. 19-year-old Billy Brown got a phishing email claiming to be from the bank, and a few days later a check for a little over 8,000 pounds (roughly $11,000) was deposited into his account, and later a withdrawal for the same amount was made. Not surprisingly, the check bounced, leaving Brown’s account overdrawn. What is surprising is that the bank immediately closed his account and blacklisted his credit rating because it insists Brown knowingly gave his bank info to the scammers, implying that Brown himself may be one. Because of the bank’s actions, not one bank in the UK will give him an account.
“Although they didn’t say it, the way they spoke to me makes me think they suspect me of carrying out the fraud, which is ridiculous. I didn’t have an overdraft on that account so there’s no way they should have allowed that money to be withdrawn.
“But instead of admitting fault they’ve blacklisted my credit rating, preventing me from getting another bank account anywhere else. It’s outrageous.
“And on top of all that I probably won’t be paid this month because Sainsbury’s say it’s a condition of my employment that I have a bank account into which my wages can be paid.”
Continue reading Banks Blacklist Phishing Victim»
Written by Paul Cunningham on February 27, 2009
Site: http://www.exchangeserverpro.com
About: Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
This month I’ve taken a look at what spam can cost a small business in lost productivity each year, as well as how little it costs the spammer to make millions of dollars in that same year. Most people would agree that letting spammers cost you money while they rake in millions in profits is not a situation that should be allowed to continue, but perhaps some of you are still thinking that spam prevention is simply too costly.

The major anti-spam companies all agree that the average volume of spam travelling around the internet amounts to about 90% of total email traffic. This means that for every one email you receive another nine spam emails were sent by a spammer somewhere.
How does email volume affect hardware costs?
If those nine emails arrive at your business they need to be processed by your email server and stored in the email database. What does this mean for hardware costs?
Continue reading Can you afford the hardware you need to NOT block spam?»
Written by Brett Callow on February 26, 2009
About: Brett Callow is a technical consultant and writer based on the West Coast of Vancouver Island. Brett has worked with Microsoft Corporation and other leading international technology companies, has authored numerous white papers, articles, training packages and has been extensively involved in creating domains and content for a number of industry-standard certification examinations.
Does the spam that arrives in your inbox not cause you enough pain? Does it leave you feeling short-changed and craving for more? Then SpamRadio may be the solution! Here’s how it works (from the SpamRadio website):
- Junk email arrives at our mail server, causing the wheels of spamradio to begin turning
- The junk mail is processed, taking care to break various MIME encodings and HTML formatted text into plain text.
- The plain text file is then split into smaller chunks and fed through a text-to-speech engine. This yields a number of small audio files.
- The audio files are assembled into one large file, and the resulting sound wave is mixed with the background music.
- The final output is then encoded using mp3 and inserted into the live audio stream.
Enjoy!
Written by Dan Blacharski on February 26, 2009
Site: http://www.blacharski.net
About: The corporate world unceremoniously booted Dan Blacharski out of his cubicle over 15 years ago, and he’s never looked back. Since that time, he has been a full-time professional freelance writer, public relations consultant and analyst, and has published six books and thousands of articles. He divides his time between South Bend, Indiana and Bangkok, and married the renowned Thai writer Charoenkwan Prakthong in 2005. He and his wife enjoy traveling the world, and spending time with their Boston Terrier, Pladook.
It never ceases to amaze me how arrogant some hackers and spammers are. Reading about the case of Josh Holly, the person who hacked into Miley Cyrus’ MySpace account, the hacker clearly shows his youth when he argues that he can’t ever be caught. Of course, when I was 19, I too thought I was invincible. We all did. My biggest crime though, was smuggling a briefcase full of beer into my friend’s dorm room. (Unlike Holly though, I was never caught!) He was just too sure of himself and spent a little too much time bragging about his exploits, and people who are a lot smarter than he finally caught up to him. As for me and my friends, we just drank the beer and moved on with our lives.
Holly, also known as “TrainReq”, had hacked into the talented Miss Cyrus’ MySpace and Gmail accounts and stolen her personal photos, but according to a recent update on the account on Wired.com, his activities weren’t just limited to cheap thrills. He was, of course, a spammer and had raked in over a hundred thousand dollars, sending out spam from celebrities’ email accounts.
Continue reading Hacker who broke into Miley Cyrus account was a spammer»
Written by Sue Walsh on February 25, 2009
Hackers have again managed to crack Microsoft’s CAPTCHA system, allowing them to set up thousands of accounts on the Windows Live Hotmail service and spam from them. This latest attack differs from previous ones in that the hackers no longer use command and control automation. This time they used encrypted communications between the spammers’ bot-controlling servers and the infected PCs, also known as zombies, that they control.
According to security researcher Sumeet Prasad, this is how it’s done:
In this attack the CAPTCHA-breaking host or bot server injects encrypted instructions onto a compromised machine. The encrypted code includes templated sign-up instructions with the spammers’ predefined credentials, such as a Windows Live ID, password, first name and so on, along with CAPTCHA-breaking instructions such as “image send and code receive.”
The bot-infected client then decrypts and follows the instructions from the CAPTCHA-breaking host or bot server and connects to the Live Hotmail site to sign up for an account. The bot continues to the secured Live Hotmail signup page, where it attempts to fill in all predefined credentials. The compromised machine sends the CAPTCHA image request to the CAPTCHA-breaking host. The compromised machine receives the scrambled CAPTCHA code from the CAPTCHA-breaking host, descrambles it and completes the signup process.
The bot repeats this process over and over, potentially creating multiple accounts.
Continue reading Microsoft’s CAPTCHA Cracked Again»
Written by Carl E. Reid on February 25, 2009
Site: http://www.iTechSpeak.com
About: Developing his career from the mail room to the board room, Carl E. Reid has achieved success by skillfully blending 40 years of technology and business intelligence experience with his passion for helping companies succeed. Carl is founder and CEO of NetTECH Systems Reid & Associates, Inc., an emerging technology consulting company located in the New York City area. One of his specialties is 15 years as a collaboration and email infrastructure consultant. He has implemented and supported Lotus Notes/Domino and other types of SMTP gateway/network configurations in small to large global companies up to 33,000 employees. Some of his clients have included IBM, Citi, JPMChase, Oxygen, LVMH - Moet Hennessy, MeadWestvaco, non-profits and professional organizations.
Carl is a Savvy Business Owner, Public Speaker and Author. His articles have appeared in Network World, Computer Monthly magazines and hundreds of web sites. Combining business technology consulting with professional blogging, Carl specializes in advising clients how to best leverage the Internet as a tool for high impact visibility. Carl's speaking style combines humor with expertise, and his advice is always down-to-earth and practical.
He personally publishes Library of Congress recognized newsletter blog, http://www.SavvyIntrapreneur.com and http://www.iTechSpeak.com. Carl wrote the original "Professional Blogger Job Description", being used as standard document within companies. As a business career coach, Carl teaches professionals how to run their career as a profitable business.
At a basic level, comment spam sometimes involves spammers manually typing spam into a blog comment form. The spam is submitted the same way any regular reader would submit a comment. Although this allows a spammer to assume the same identity as regular commenters, it is a painfully slow process. The return on the investment of time dictates that spammers rarely use this method to post spam comments.
The more serious issue is automating the process of posting spam comments. This process is driven by custom scripts or software written to quickly produce a high volume of spam comments. This type of software becomes a spam-producing machine. It can submit thousands of spam comments in a very short period of time. This spam machine can hit multiple pages within many blogs.
Continue reading Stopping Comment Spam»
Written by Brett Callow on February 24, 2009
The NYT recently reported that AT&T had spammed its customers with text messages encouraging them to watch the season premiere of American Idol, a show which is sponsored by the company. According to the NYT, AT&T claim that the messages were not spam as the recipients were provided with an option to opt out of future spam advertising campaigns. “It’s clearly marked in the message what you need to do if you don’t want to participate. It couldn’t be more open and transparent,” said an AT&T spokesman.
The Federal Trade Commission agree that AT&T did nothing (legally) wrong. From the NYT article:
Claudia Bourne Farrell, a spokeswoman for the Federal Trade Commission, said the message had not appeared to violate the commission’s rules or the law. It would do so only if it cost recipients or was deceptive in some way, and did not allow recipients to turn off future messages.
So, was this spam or not? To my mind, it undoubtedly was. The majority of people would probably define spam in much the same way that Wikipedia do (“Spam is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages”) and it’s a description which applies perfectly to AT&T’s messages. Whether or not AT&T actually broke the law is really by the by; the messages were spam. Plain and simple.
Continue reading AT&T Spam Their Customers»
Written by Carl E. Reid on February 23, 2009
A recent article by Dan Blacharski, ‘A new method to educate users about spam?’, described how the U.S. Department of Justice tested and educated employees with fake phishing scams. This phishing scam “fire drill” provides an excellent training lesson that more companies should adopt. As I mentioned in an earlier article, ‘Ultimate Defense Against Spam in 2009’, educating email users is the best defense against spam and phishing scams.
Apparently the National Science Foundation, the U.S. Army Research Office, Microsoft and IBM agree on phishing education. Each of these organizations provided grant money to fund the CyLab Usable Privacy and Security Laboratory (CUPS). In affiliation with Carnegie Mellon CyLab, CUPS has developed an awesome anti-phishing educational tool.
Continue reading Phishing Game Protects Assets»
Written by Dan Blacharski on February 23, 2009
Unemployment is startlingly high. In some communities, it’s approaching ten percent. My neighboring county, Elkhart County Indiana, has the dubious honor of having the highest unemployment in the nation. And with all these unemployed people around, it’s a sure bet that there are people out there trying to take advantage of them.
Tuesday, the Wall Street Journal carried an article about spam disguised as legitimate help-wanted ads. Looking for a job during a recession is a depressing task, and one tends to get desperate. That ad that doesn’t list the hiring company’s name, and says that you can make $50,000 a year with no experience and education, should raise a red flag, but you need a job and are ready to accept anything. You ignore the red flag in your head and apply.
Continue reading Spam targeting job-seekers»
Written by Sue Walsh on February 19, 2009
After years of ignoring the zombies on its network, Verizon has announced it will finally start fighting back. According to Spamhaus, Verizon.net has twice as many zombies on its network as any other ISP. Over 56,000 Verizon.net addresses are on Spamhaus’s CBL. One of the main reasons spammers love Verizon is that, unbelievably, it still allows open relays over Port 25, something most ISPs blocked long ago in favor of Port 587, which requires authentication. Now Verizon has announced it too will do the same.
“The majority of our network customers will not be impacted by the change,” Verizon spokesman Clifford Lee said. “For those Verizon.net customers who use a Web browser to access their email, the Port 25 blocking should be transparent and their email usage should not be impacted. By switching to port 587, which uses authentication and is the industry accepted alternative to Port 25, Verizon will be able to quickly identify spammers, including those using so-called zombie systems, and shut them down. Those customers who may be impacted by the shift to port 587, will be notified in advance of the change and we will provide them with the technical assistance needed to accommodate the switch to port 587.”
The reason why Verizon has ignored the problem up until now is simple. Money. They simply felt dealing with the zombie issue would be too expensive. It’s good to know they’ve finally realized the cost of ignoring zombies is much, much higher.