Massive Chinese Cyberspy Network Discovered

Written by Sue Walsh on March 30, 2009

Canadian researchers at the University of Toronto’s Munk Centre for International Studies, working with the SecDev Group and the University of Cambridge Computer Laboratory, have discovered a huge cyberspy network based in China and say it has infiltrated more than 1,000 computer networks in over 100 countries. The investigation began as a look into whether the office of the Dalai Lama had been hacked and led to the shocking discovery of a malicious attack of that scale.

In addition to the Dalai Lama’s office, infected computer systems were found at NATO headquarters, several embassies, the Associated Press, and the Ministries of Foreign Affairs in Indonesia, Iran, and the Philippines, and the office of the Prime Minister of Laos among others.

Dubbed GhostNet by the researchers, the cyberspying malware is able to completely control any computer it infects. It can search and download files, turn webcams and microphones on and off, and more. The suspicion that such a network existed and that China was behind it began when the Dalai Lama’s office sent a foreign diplomat an email inviting him to meet with the spiritual leader. Before the staff could follow up their invitation with a phone call, the diplomat received a warning from the Chinese government warning him not to accept the invite.

3D CAPTCHA Technology Unveiled

Written by Sue Walsh on March 27, 2009

Captcha was once cutting-edge technology in the fight against spam, but not anymore. These days the systems are being cracked regularly, with Google, Microsoft, and Hotmail among the victims. Now a 3D-based Captcha system claims to be both unbreakable and easier for humans to solve than the old text-based systems.

The system was developed by social website Yuniti.com. It works by asking users to identify 3D objects rather than words or numbers. There are three objects to be identified and the list is endless, making it even harder for scammers to guess correctly.

This seems like an excellent idea. Current Captchas have lost most of their effectiveness. The ones that still work often frustrate legitimate users, and the last thing you want is potential customers leaving your site in disgust because the Captcha image they need to solve is too hard to decipher. That costs you business and can lead to negative word of mouth among other potential customers.

You can try the new 3D Captcha at Yuniti.com. There’s no word yet on when it will be available for widespread use.

Confusing voice phishing with the real thing

Written by Dan Blacharski on March 25, 2009

A victim of voice phishing in Korea learned his lesson, but too late. The Dongjak Police Station discovered that the victim of a voice phishing scam had deposited money into a swindler’s bank account and had not reported the loss. A police officer phoned the victim to advise him to ask the bank to stop payment on the account.

But once bitten, twice shy: the victim didn’t take Lt. Na Seok-gu at his word, and responded, “Dirty swindler! If you’re a policeman, I’m your grandfather!” However, the officer was legitimate and only offering sound advice.

According to the South Korean site Dong-A Ilbo, this has become more common than most government agencies realize, and police stations, post offices and tax authorities are having a hard time communicating legitimately with citizens, who have grown savvy about the scams and are suspicious of anybody claiming to be in a position of authority. This is by no means solely a Korean phenomenon. On one hand, government authorities often must take the lead in educating citizens about fraud. On the other hand, they must establish a safe protocol for communicating with citizens that lets the citizen verify the contact is legitimate.

There have been other similar incidents. When a postal worker in Seoul called somebody to deliver an item to a person who had moved to another district, the resident didn’t believe the caller was on the level and hung up the phone. Tax offices and banks face similar problems, since there are so many phishing frauds in which criminals falsely claim to be with the tax office or a government agency. On the email front, the criminals back up their false claim with a very realistic-looking email and web site. We’ve all learned that if somebody is calling with good financial news, chances are it’s a scam, so when a real tax agent calls about giving you a refund, how do you know they can be believed? Some Korean police departments are now sending a written summons before making a phone call.

APWG Introduces New eCrime Incident Reporting

Written by Carl E. Reid on March 24, 2009

The Anti-Phishing Working Group (APWG) is at the top of its game where ecrime is concerned. APWG is a consortium that tracks Internet fraud and scams. The organization recently submitted a plan to automate the submission of phishing and other ecrime-related incident reports. The plan is pending review by the Internet Engineering Task Force (IETF).

As reported in PC World by Jeremy Kirk, “The challenge facing law enforcement and security organizations is a lack of a coherent reporting system, said Peter Cassidy, secretary general of the APWG. Until now, there was no standard way to file an e-crime report. That makes it hard to coordinate the vast amount of data that is collected on cybercrime, Cassidy said.”

Even once the IETF approves this electronic reporting system, a complete rollout may still be some way off. In the meantime, the APWG has published an industry advisory that provides guidelines for developing a company ecrime incident reporting process. That can be implemented immediately.

Bumbling Spammers Pay the Price

Written by Sue Walsh on March 23, 2009

Two Texas men recently learned a tough lesson: when you’re running a botnet that sends pump-and-dump stock spam, don’t send said spam to an SEC lawyer.

That’s exactly what Darrell and Jack Uselton did in 2007, raking in more than $4 million in the process. The SEC calls their particular pump-and-dump scheme scalping: buying stock for yourself, recommending it to others whilst posing as an expert, and then immediately selling the stock when the price rises as a result of your recommendation.

As a result of a lawsuit filed by the SEC, which was recently settled, the Useltons had their profits seized and were slapped with a $1 million fine. In addition, Darrell Uselton was charged with engaging in organized crime.

Just goes to show you that crime really doesn’t pay!

Google Voice: Good and bad

Written by Dan Blacharski on March 23, 2009

Google’s new Google Voice feature lets subscribers get a ten-digit phone number that links all their other numbers and rings them simultaneously. It also lets you make calls for free in the US and inexpensively internationally, which positions the feature as a formidable competitor to Skype. The voice service adds a lot of extra value as well, with an SMS feature that converts voice messages into text so you can read them at your convenience. You can also listen to your voicemails either online or from your phone, and get notifications of voicemail by email or SMS. All in all, it’s a cool-sounding service with plenty of useful features. So why am I worried?

Corporate spam is on the rise

Written by Dan Blacharski on March 20, 2009

Where does spam come from? We have a preconception that people in the spam business are shady characters operating out of back rooms, located in dark alleys in unmarked offices. They operate under the radar, have slicked-back hair and wear flashy suits. They have warehouses full of counterfeit Viagra, and hire hackers from Russia to create mailing lists and disseminate their bogus email ads.

While this may well describe some people in the spam business, it doesn’t describe all of them. My last entry noted how American Express has gotten into the spam business; today it’s Verizon. It seems spam is more of a corporate phenomenon than we realized.

New Spam Uses Bomb Hoax and Location Lookup to Spread Malware

Written by Sue Walsh on March 18, 2009

A new wave of spam combines a new technique with an old one in its efforts to spread malware. Spam messages containing a fake news alert claiming that a bombing has taken place in the recipient’s locale are hitting inboxes across the net. Manipulating headlines and making up fake news stories are nothing new in the land of spam, but the fact that these spams are specifically tailored to the recipient’s location is. It appears that the spammers are using IP lookups to deliver personalized content.

The spam contains a link to a site with a realistic-looking Reuters news story and video. The news story reads much like this:

          At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables. “It was awful” said the eyewitness about blast he heard from his shop. “It made the floor shake. So many people were running,”

“Amsterdam” is replaced with a city near the recipient, based on an IP lookup. The video, if clicked on, tells the user they must update a codec before it can be viewed. The codec is actually a Trojan that adds the infected computer to the Waledac botnet, downloads even more malware, scans the system for personal information, and attempts to send itself to the contacts in the infected system’s address book.

Despite the spammers’ attempts to personalize their spam and make their site look as realistic as possible, the poor grammar in their fake news story is a dead giveaway!

Fast Flux Primer

Written by Carl E. Reid on March 18, 2009

In early January the article “Have a Spam Free Year” by Dan Blacharski introduced the term “fast flux”. About two weeks after Dan’s article was published, the Generic Names Supporting Organisation (GNSO) Fast Flux Hosting Working Group published an initial report on January 26, 2009. The group was formed by the Internet Corporation for Assigned Names and Numbers (ICANN). The report is clearly a response to an anticipated increase in spam and phishing attacks.

Fast flux is a technique in which botnet herders continuously move the location of a website, email source, or DNS server from one computer to the next. This makes malicious spam and phishing activity extremely difficult to detect: IP blacklists become useless for finding fast-flux-based botnets, which stymies law enforcement agencies trying to locate the criminal elements in cyberspace. The Storm botnet was one of the first to deploy this technique to preserve its infrastructure and hide from investigators.

It gets worse. “Double-flux is another evasion technique applying two levels of deception as opposed to one,” says David Piscitello, a member of ICANN’s Security and Stability Advisory Committee (SSAC). David is also one of the authors of an SSAC advisory paper that addresses fast- and double-flux attacks. Piscitello further explains: “It’s particularly troublesome because using domain names is a whole lot easier than using IP addresses. Before this, you could hone in on a domain server as a way of shutting down a malicious site. But now the bad guys have one more tool in their evasion toolkit.”
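Because fast flux defeats static IP blacklists, defenders instead look at how a domain’s answers change over time. The following added example (not from the original post, ICANN, or the SSAC paper) scores constructed passive-DNS-style observations with a simple churn heuristic: a name whose A records rotate through many addresses with short TTLs is a single-flux candidate, and a name whose NS records rotate as well is a double-flux candidate. All names, addresses and thresholds are invented for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS style observations: (seconds, qname, rrtype, rdata, ttl).
# Every name and address below is made up for this example; none is a real indicator.
OBSERVATIONS = [
    (0,    "shop.example", "A",  "192.0.2.10",        120),
    (300,  "shop.example", "A",  "198.51.100.7",      120),
    (600,  "shop.example", "A",  "203.0.113.44",      120),
    (900,  "shop.example", "A",  "192.0.2.77",        120),
    (0,    "shop.example", "NS", "ns-a.flux.example", 180),
    (300,  "shop.example", "NS", "ns-b.flux.example", 180),
    (600,  "shop.example", "NS", "ns-c.flux.example", 180),
    (0,    "pay.example",  "A",  "192.0.2.20",         60),
    (60,   "pay.example",  "A",  "192.0.2.21",         60),
    (120,  "pay.example",  "A",  "192.0.2.22",         60),
    (0,    "pay.example",  "NS", "ns1.pay.example", 86400),
    (0,    "news.example", "A",  "192.0.2.5",       86400),
    (3600, "news.example", "A",  "192.0.2.5",       86400),
]

def summarize(observations):
    """Per (qname, rrtype): the set of distinct answers seen and the lowest TTL served."""
    stats = defaultdict(lambda: {"rdata": set(), "min_ttl": None})
    for _ts, qname, rrtype, rdata, ttl in observations:
        entry = stats[(qname, rrtype)]
        entry["rdata"].add(rdata)
        if entry["min_ttl"] is None or ttl < entry["min_ttl"]:
            entry["min_ttl"] = ttl
    return stats

def is_fluxing(entry, min_distinct, max_ttl):
    """Churn heuristic: many distinct answers served with short TTLs.
    Caveat: CDNs and round-robin pools also use low TTLs, so real tooling adds
    checks such as ASN/network diversity of the addresses before alerting."""
    return (entry is not None and len(entry["rdata"]) >= min_distinct
            and entry["min_ttl"] <= max_ttl)

def classify(observations, min_distinct=3, max_ttl=300):
    """Label each domain: stable, single-flux candidate, or double-flux candidate."""
    stats = summarize(observations)
    labels = {}
    for qname in {q for q, _ in stats}:
        a_flux = is_fluxing(stats.get((qname, "A")), min_distinct, max_ttl)
        ns_flux = is_fluxing(stats.get((qname, "NS")), min_distinct, max_ttl)
        if a_flux and ns_flux:
            labels[qname] = "double-flux candidate"  # A records and nameservers both rotate
        elif a_flux:
            labels[qname] = "single-flux candidate"  # only the A records rotate
        else:
            labels[qname] = "stable"
    return labels
```

On the constructed data, shop.example is flagged as double-flux, pay.example as single-flux, and news.example (one address, day-long TTL) as stable.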

‘I Agree’ to you spamming me

Written by Dan Blacharski on March 17, 2009

Text message spam is particularly annoying to people who have phone plans like mine, where you have to pay for incoming messages. When spam comes through my email, at least I can delete it and don’t have to shoulder any additional burden; when it comes in the form of a text message to my cell phone, I have to pay for the inconvenience.

A report carried on the Computer Crime Research Center referred to an article, originally printed in “The Sovereign Society”, which brings to light some startling new policies for those who use American Express cards. Effective April 2, American Express can phone-spam or text-message-spam you at any number to which you have even a remote connection. AMEX sent a new notice of terms, which users must agree to or else cancel their account. In other words, if you want to keep your plastic, you have to agree to the terms.
