Facebook Wins Suit Against Spammer

Written by Sue Walsh on October 30, 2009


Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.

“While we don’t expect to quickly collect the full amount, we’ll work hard to get everything we can,” Simon Axten, a privacy and public policy associate at Facebook, said in a statement.

The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account’s friends list. In addition to the hefty judgement, the three spammers face possible prison sentences.

Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year, and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace’s attempts to collect its judgement.

Geocities Shutdown Closes Door on Spammers

Written by Paul Cunningham on October 29, 2009

This week Yahoo! permanently closed down its venerable Geocities service. This move ended one of the internet’s longest standing free web site hosting services and one of the most frustrating spam problems of more recent years.

Geocities became popular in the late 1990s as a free and easy way for people to publish web sites about their businesses and hobbies. Although in recent years it stood as a monument to horrible website design, in its prime it was one of the most visited sites on the internet.

After a takeover by Yahoo! in 1999 the website began a slow but steady decline due to various changes by the new owner. However, one demographic that remained strong on Geocities was spammers.

The attractiveness of Geocities for spammers came down to a few key elements:

  1. Geocities.com was a trusted and recognizable domain name to normal internet users
  2. As a Yahoo! property it was unlikely that the various Geocities domain names would be blocked by anti-spam product vendors
  3. Geocities permitted JavaScript on the web pages it hosted

User Trust and Social Engineering

A social engineering attack is one in which the attacker convinces the victim to perform a certain task.  These attacks involve establishing the appearance of legitimacy and trustworthiness in the eyes of the victim.

For a spammer who wants to convince a person to click on a link in an email the Geocities.com domain name was a perfect way to gain the trust of the victim because it was highly likely the person would recognize it as a place for legitimate web sites.

Free Services and Combating Abuse

As most internet security experts will attest, if there is a free service available on the web then spammers will abuse it. The problem with this is that many free services are hosted by large, trustworthy internet companies and have millions of users.

Pushdo Botnet Sending FDIC Spam

Written by Sue Walsh on October 28, 2009


A new wave of spam being pumped out by the Pushdo botnet is exploiting the FDIC and attempting to capitalize on worries about the economy. The spams are made to look like they came from the FDIC, inform the recipient that their bank has failed, and urge them to click on the included link to make sure their accounts have been insured.

The link actually leads to a malicious website that downloads the Zbot Trojan, which adds the computer to the Pushdo botnet and uses it to send out more FDIC spams. The Trojan also monitors the computer’s web activity and activates a keylogger whenever it detects a banking, financial or e-commerce site. The user’s personal information and logon credentials are stolen and sent to the hacker’s server, where they are stored and used for identity theft or sold to other criminals.

Pushdo is also using Facebook to acquire new zombies. Recipients receive an email with an attached file. The email is said to come from “The Facebook Team” and tells the recipient their password has been changed for security purposes and they should open the attachment to retrieve their new one. A hidden .exe file is contained within it and, once opened, downloads Zbot.

Pushdo was previously responsible for the flood of IRS spams that have become the top spam campaign on the net, and before that for a flood of spams that exploited the tragic death of pop icon Michael Jackson. Look for Pushdo to launch new spam campaigns in the near future, most likely timed to take advantage of the upcoming holiday season.
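Both Pushdo lures described above share two tells a mail gateway can check for: a message that names a brand (the FDIC, Facebook) but is sent from an unrelated domain or links off that brand’s domain, and an attachment that carries an executable, possibly wrapped in an archive. The following Python is an added example written for this post, not code from the article or from any vendor; the brand-to-domain table, the sample messages and the PE-like stub inside the zip are all constructed for illustration.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Brands the campaigns above impersonate, mapped to the domains allowed to send
# on their behalf. The mapping is an assumption for this example, not a vendor list.
BRAND_DOMAINS = {
    "facebook": ("facebook.com", "facebookmail.com"),
    "fdic": ("fdic.gov",),
}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the envelope-visible From address, lower-cased."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_matches(host, allowed):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def executable_payloads(msg):
    """Return names of attached executables, including ones hidden inside zip archives."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTENSIONS) or data.startswith(b"MZ"):
            found.append(name)
        elif data.startswith(b"PK"):  # zip container: look inside
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        head = zf.open(info).read(2)
                        if info.filename.lower().endswith(EXEC_EXTENSIONS) or head == b"MZ":
                            found.append(f"{name}:{info.filename}")
            except zipfile.BadZipFile:
                found.append(f"{name}:<unreadable archive>")
    return found


def analyze(raw):
    """Return a list of findings for one raw RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    sdom = sender_domain(msg)
    # 1. Brand named in the subject or display name, but sent from an unrelated domain.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in text and not domain_matches(sdom, allowed):
            findings.append(f"brand-impersonation:{brand}:{sdom}")
    # 2. Links in the body that point away from the claimed brand's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body else ""
    for host in URL_RE.findall(body_text):
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in text and not domain_matches(host, allowed):
                findings.append(f"offsite-link:{host}")
    # 3. Executable attachments, including ones hidden inside an archive.
    for name in executable_payloads(msg):
        findings.append(f"executable-attachment:{name}")
    return findings


def _zip_with_exe():
    # Constructed archive holding a fake "MZ" stub; not a real program.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("new_password.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_samples():
    """Three constructed messages: the two lures described above and one benign notice."""
    fb = EmailMessage()
    fb["From"] = '"The Facebook Team" <noreply@mail-notice.example>'
    fb["To"] = "user@example.org"
    fb["Subject"] = "Facebook password reset"
    fb.set_content("Your password was changed for security purposes. Open the attachment.")
    fb.add_attachment(_zip_with_exe(), maintype="application", subtype="zip", filename="password.zip")

    fdic = EmailMessage()
    fdic["From"] = "FDIC Notification <alerts@fdic-secure.example>"
    fdic["To"] = "user@example.org"
    fdic["Subject"] = "FDIC: your bank has failed"
    fdic.set_content('<p>Verify your insured accounts <a href="http://fdic-verify.example/check">here</a>.</p>',
                     subtype="html")

    ok = EmailMessage()
    ok["From"] = "Facebook <notification@facebookmail.com>"
    ok["To"] = "user@example.org"
    ok["Subject"] = "Facebook: new friend request"
    ok.set_content("Visit https://www.facebook.com/ to respond.")
    return {"facebook_lure": fb.as_bytes(), "fdic_lure": fdic.as_bytes(), "benign": ok.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, analyze(raw))
```

The brand check is deliberately naive (a substring match on the subject and display name); in production it would be backed by a maintained brand list and by SPF/DKIM results rather than the From header alone, but the archive-unpacking step is the part that matters for the Facebook lure, since a bare extension filter never sees the .exe inside the zip.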

New Sting Operation Snags 18 Nigerian Spammers

Written by Sue Walsh on October 27, 2009


A new sting operation conducted by the Nigerian Economic and Financial Crimes Commission has already nabbed 18 spammers. Dubbed Operation Eagle Claw, it has also led to the shutdown of 800 malicious websites. The Commission has partnered with Microsoft on the project and said its goal is to remove Nigeria from the top 10 list of countries from which the most scam emails originate.

The Nigerian or 419 scam, named after the section number in the Nigerian Penal Code that makes it illegal, has been around almost as long as the web itself and has several variations of a story designed to make the recipient think he will receive a huge fortune if he helps a foreign citizen (often a member of a non-existent royal family, a long lost relative who has been killed, or a clergy member) transfer their money out of the country. The scammer either poses as the person themselves or as their lawyer. All the person has to do is turn over their personal info and wire over a small processing fee.


New Malware Covers Its Tracks By Altering Bank Statements

Written by Sue Walsh on October 26, 2009


A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve: it can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter HTML code before it is displayed. This lets it rewrite bank statements to hide the fraudulent activity underway, which buys the scammers more time to clean out the account.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” says Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan. “It’s a very sophisticated technique. They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there. If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

The money is then sent to money mules who were tricked into doing the scammers’ dirty work. Most fell for the fake job posting spam advertising a lucrative work-at-home position and have no idea they are being scammed too.

URLZone is controlled by a server in the Ukraine. While officials there announced they had suspended its domain, count on it to simply find a new home. As we saw after the McColo shutdown last year it doesn’t take long at all for hackers and scammers to set up shop somewhere else. Finjan says the URLZone operation could easily make over $7 million a year.

NASA Reprimanded Over Lax Security Practices

Written by Sue Walsh on October 23, 2009


In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up. NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GAO says it still has far to go.

“NASA remains vulnerable to similar incidents going forward,” the report finds. “Control vulnerabilities and program shortfalls make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.”

The security breaches reported at NASA include malware infections, data theft, the theft of several laptops containing data on a prototype hypersonic jet, a space telescope and a lunar orbiter, 82 computers being made part of a botnet thanks to the installation of rootkits, the infection of 86 other computers with the Zoneback Trojan, and still others infected with the Coreflood Trojan.

The GAO made 200 recommendations addressing 129 weaknesses. NASA says it is continuing to improve its IT management and better train its employees on proper security practices. Kind of scary that a high tech agency like NASA could be so careless when it comes to security!

Money mulers expanding horizons

Written by John P Mello Jr on October 22, 2009

The Zeus Trojan is a favorite of muleskinners.

Money muling, until recently, has been used by information highwaymen to prey on unwitting consumers. Muleskinners had modest goals. Their scams ranged from $200 to $2000. Their targets were consumers with more greed than sense. Recent muling patterns, however, indicate that these fraudsters are expanding their ambitions and hatching cons to snatch larger amounts from small businesses.

  • In May, a Texas company was clipped of $1.2 million with the help of some 40 “mules.”
  • In July, muleskinners in the Ukraine skimmed $415,000 from accounts for Bullitt County, Ky. The county realized something was askew when it found unauthorized wire transfers of $10,000 or less from its payroll coffers were being made to accounts of at least 25 people across the country. In the United States, money transfers must exceed $10,000 before they are subject to special reporting requirements under the Bank Secrecy Act of 1970.
  • In September, Downeast Energy & Building Supply, a heating and hardware firm in Brunswick, Maine, saw $200,000 disappear from its online bank account, siphoned into the accounts of at least 20 individuals nationwide.
  • This month, the Pease Development Authority, the agency that manages ports in the Portsmouth, N.H. area discovered about $100,000 in transfers instigated by muleskinners.
  • Also this month, thieves attempted to transfer $87,000 from the accounts of the St. Isadore Catholic Church in Danville, Calif. to about a half dozen mules, but were thwarted when the church’s bank blocked the transfer.

A key component of these scams is the money mule. Mules are individuals recruited through blind employment ads posted on the Internet or through spam mailings. On some occasions, mules have been initially recruited as copy editors and proofreaders hired at minimum wage to clean up spam letters used to recruit more mules. When pressed for payment for the editing work, a muleskinner will attempt to recruit the editor as a “local agent” for transferring money.
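The cases listed above share one shape that a bank’s fraud engine can look for: a burst of wires, each kept under the $10,000 reporting threshold, from one business account to many payees that account has never paid before. The Python below is an added example for this post, not code from the article or from any bank; the transfer records are constructed to mirror the Bullitt County pattern (25 sub-threshold payroll wires to 25 new recipients in two days), and the window length and payee-count cut-off are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.00   # reporting threshold named in the article
MIN_NEW_PAYEES = 5          # assumption: this many first-time payees in one burst is suspicious
WINDOW = timedelta(days=3)  # assumption: gaps longer than this split one burst from the next


def build_sample_transfers():
    """Constructed records (account, timestamp, payee, amount); not real bank data."""
    rows = []
    base = datetime(2009, 4, 1)
    # Six weeks of routine payroll to three regular payees, all under the threshold.
    for week in range(6):
        for payee in ("PAYEE-A", "PAYEE-B", "PAYEE-C"):
            rows.append(("ACCT-PAYROLL", base + timedelta(weeks=week), payee, 4_200.00))
    # One large vendor payment above the threshold: reportable, but not structuring.
    rows.append(("ACCT-OPS", base + timedelta(weeks=2), "VENDOR-1", 18_500.00))
    # The burst: 25 sub-threshold wires to 25 never-seen payees, 90 minutes apart.
    burst_start = datetime(2009, 6, 29, 9, 0)
    for i in range(25):
        rows.append(("ACCT-PAYROLL", burst_start + timedelta(hours=i * 1.5),
                     f"NEW-PAYEE-{i:02d}", 9_000.00 + i * 35))
    return rows


def detect_structured_bursts(transfers):
    """Return one alert per account per burst of sub-threshold wires to first-time payees."""
    by_account = defaultdict(list)
    for acct, when, payee, amount in transfers:
        by_account[acct].append((when, payee, amount))

    alerts = []
    for acct, rows in by_account.items():
        rows.sort()              # chronological; payee history is built as we go
        seen = set()
        bursts = []              # lists of qualifying (when, payee, amount) tuples
        for when, payee, amount in rows:
            first_time = payee not in seen
            seen.add(payee)
            # Only wires that are both under the threshold and to a new payee qualify.
            if not first_time or amount >= CTR_THRESHOLD:
                continue
            if bursts and when - bursts[-1][-1][0] <= WINDOW:
                bursts[-1].append((when, payee, amount))
            else:
                bursts.append([(when, payee, amount)])
        for burst in bursts:
            payees = {p for _, p, _ in burst}
            if len(payees) >= MIN_NEW_PAYEES:
                alerts.append({
                    "account": acct,
                    "start": burst[0][0],
                    "end": burst[-1][0],
                    "payees": len(payees),
                    "total": round(sum(a for _, _, a in burst), 2),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_structured_bursts(build_sample_transfers()):
        print(f"{alert['account']}: {alert['payees']} new payees, "
              f"${alert['total']:,.2f} between {alert['start']} and {alert['end']}")
```

The routine payroll never trips the rule because its three payees stay constant after the first week, and the single $18,500 vendor payment is excluded by the threshold test; only the June burst produces an alert. A bank would act on such an alert by holding the batch for out-of-band confirmation with the customer, which is exactly the step that saved the church in the last bullet above.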


Fake Antivirus Software a $1.2 Billion Industry

Written by Paul Cunningham on October 21, 2009

Security vendors are warning of a wave of “scareware” attacks that use false Conficker alerts to trick victims into installing fake antivirus software on their computers.

The fake antivirus programs are known as scareware because of their technique of performing a fake antivirus scan on the computer, scaring the user by alerting them to virus infections that don’t really exist, and then offering to sell the victim software to remove the non-existent infections and protect from them in future.

The victim gives up credit card details for software ranging from $30 up to $100, but the real outcome is that their computer falls under the control of the spammer to grow their botnet.

Security analysts estimate that many tens of millions of computers have been taken over by spammers using these tactics. Conservative estimates at the low end of the fake antivirus pricing suggest this could be a $1.2 billion industry for spammers and malware authors around the world.

New Botnets Emerging

Written by Sue Walsh on October 20, 2009


Despite the shutdowns of several spam-friendly ISPs, the number of botnets sending out spam has increased. The newest kid on the block is the Maazben botnet, which was first discovered in May. It joins veteran botnet Rustock in spewing out millions of online casino spams each day. Rustock is responsible for 10% of all spam sent, while Maazben is responsible for 1.4%. That doesn’t seem like much, but its volume has doubled since August.

While the monster botnet Cutwail, responsible for nearly 46% of all spam sent at its peak, was severely crippled by an ISP shutdown, the botnets Grum and Bobax have quickly jumped in to make up for it, and together are responsible for 39% of all spam sent.

Botnets are also beginning to be used for more than just spewing spam and stealing passwords. The Gumblar botnet infects websites and uses them to distribute malware, and the Bahama botnet uses the computers it infects to commit click fraud. What’s more, the sheer number of botnets around now has made DDoS attacks easier and cheaper than ever. While such attacks don’t result in profits, they are still used to muzzle critics, knock online competitors out, and otherwise send an unpleasant message to an individual or group.

Botnets are here to stay. They are growing more sophisticated and powerful every day, and it is going to be more and more difficult to stay ahead of them.

Outlook Web Access Users Hit With Trojan

Written by Sue Walsh on October 19, 2009


A new spam campaign is targeting Outlook Web Access users with the goal of distributing a nasty Trojan. The messages are slick and professional-looking and tell the recipient that they need to update their mail settings by clicking on the included link. The link leads to a very well made, but fake, Outlook Web Access site. Those who keep going, thinking they are downloading the new settings, download the Zeus Trojan instead.

Zeus lurks on the victim’s hard drive, doing nothing, until the infected computer visits a page related to financial matters, such as a brokerage firm, online banking, PayPal, or a credit card account page. A keylogger is activated when such a page is detected and the login details are stolen. The Trojan can also hijack a browser and redirect the user to a fake version of a bank’s webpage. These so-called “Man in the Browser” attacks are hard to detect.

“This attack illustrates how organized internet crime syndicates are expanding their focus from consumers to enterprises, by targeting employees with credentials to access high value banking, financial, and other web-based applications,” said Mickey Boodaei, CEO of Trusteer. “The level of personalization used in these Phishing messages and the fact that they appear to be coming from the company’s IT department makes this attack very convincing and by extension very dangerous. We are urging enterprises to warn their employees and lock down browser settings to prevent unauthorized code execution inside the browser.”

Experts say that the hackers behind Zeus are targeting corporate users because business accounts tend to have much higher balances than consumer ones. The malicious sites linked to in the spam message are located all over the world in places like Romania, Russia, Colombia, and Hungary, and so far Zeus is not being detected by many anti-virus programs.