New Spam Campaign Targets Social Security Numbers

Written by Sue Walsh on November 30, 2009

The University of Alabama at Birmingham’s Spam Data Mine has discovered a new malicious spam campaign designed both to harvest Social Security numbers and to deliver malware. The messages are made to look like an alert from the Social Security Administration, carry subject lines such as “Review your annual Social Security statement” and “Watch for errors on your Social Security Statement,” and direct the recipient to click the included link to visit the SSA’s website. The link leads to a legitimate-looking but malicious fake of the actual government site. The page asks visitors to enter their Social Security number before proceeding, then presents a page asking them to download their Social Security statement and review it for errors, promising tax breaks and refund payments if any errors are found.

The UAB Spam Data Mine says that when the link is clicked, the Zbot Trojan is downloaded. Zbot is a widespread and nasty banking Trojan that steals logins, banking details and other personal information. It installs a keylogger that records everything typed into websites on the infected machine, and it adds the machine to the Zeus botnet.

Zeus has been around for a while now and shows no signs of slowing down. It is also pummeling Facebook users with phishing emails and sending out fake FDIC and IRS alerts in separate spam campaigns. Another variant of the Zbot Trojan is being spread via messages claiming that someone has posted compromising photos of the recipient on the web. The messages direct the recipient to the site where the alleged photos are on display, but the downloadable “photo archive” is actually Zbot.

Because this latest campaign is so new, the malware is not yet detected by many major anti-virus programs, but that will likely change very soon.

Virus variant turns iPhone into zombie

Written by John P Mello Jr on November 27, 2009
Worm turns ugly for iPhone.

The first malware written for the iPhone began innocently enough. A Dutch cracker found a way into modified, or “jailbroken,” iPhones that had SSH enabled and were still using the default root password “alpine.” “You want to protect this phone from more attacks?” he asked his victims. “Pay me five Euros, and I’ll tell you how to do it.”

Not to be outshone by the Dutch, an Australian wrote a worm, ikee, that announces itself by changing the phone’s wallpaper to a photo of Rick Astley, who became a one-hit wonder in 1987 with “Never Gonna Give You Up,” and displaying the message “ikee is never going to give you up.”

More important, though, was that ikee could replicate itself. Once it infects an iPhone, it scans the mobile network for other jailbroken devices that still use alpine as their root password and infects them too. In other words, it was a good old-fashioned ego-driven worm: annoying but not very harmful, and designed to spread the name of its creator, ikee.

But as white hats discovered this week, those initial efforts were just a prelude to a nastier variant of the ikee worm. Like its predecessor, it takes advantage of modified iPhones with SSH turned on and the default passwords unchanged. This variant, however, is designed to steal banking information from the phone.

What’s more, it has botnet characteristics. It connects to a web-based command-and-control server located in Lithuania, effectively turning infected phones into zombies that do the crackers’ bidding without the knowledge of the phone’s owner.

New Spam Promises Macbook, Delivers Malware

Written by Sue Walsh on November 27, 2009

A new wave of malicious spam promises a free MacBook Air but delivers malware instead. The messages were only recently detected and arrive with the subject line “Congratulations!” The body reads: “Congratulations! You have won todays Macbook Air. Please open attached file and see details.”

The attachment is an .exe file that installs malware onto the system. The malware has been identified as TROJ_AGENT.AWYQ. Once installed, it drops TROJ_CUTWAIL.GO, which adds the infected computer to the Cutwail/Pushdo botnet. A spam module is downloaded along with one or more “campaign modules” containing third-party malware from a number of different sources. The malware is also programmed to connect to any web-based email providers it detects the infected computer has logged into, such as Hotmail, Yahoo! and Gmail, and send out copies of itself.

Cutwail/Pushdo is one of the largest botnets in the world, sending out millions of spam messages a day.

5 Tips to Protect Yourself From Spam Scams (That Don’t Quite Work)

Written by Paul Cunningham on November 26, 2009

NBC Chicago published a list of 5 tips for people to protect themselves from scam emails. Although they mean well, and the tips are a step in the right direction, they are far too simple to be really effective at stopping spam. Let’s take a look.

Tip 1 – If you don’t know the sender, don’t open it!

This tip is a carry-over from the old days of computer viruses, when people were advised not to trust attachments they were not expecting. These days the malicious payload of an email is rarely in an attachment; more often it is hosted on a website somewhere, in the form of a product sales scam or a browser exploit.

The tip doesn’t work for two reasons:

  1. Emails from people you know can be just as untrustworthy as emails from people you don’t. If someone you know has their email or social-networking account compromised, you are likely to receive malicious email from “someone you know”.
  2. Businesses could not survive if they did not open emails from people they don’t know. The physical-world analogy would be refusing to open the door of your store to anyone you didn’t recognize, cutting off every new customer.

A more practical approach is to assess emails on their contents, and to use an alternate channel (a phone call, for instance) to verify anything that seems unusual or out of character. A graphic designer who refused to open email from someone they don’t know would be turning away a customer, whereas a person who trusts a message from a friend asking for money in an emergency could easily fall victim to a scam.

Tip 2 – Watch out for emails that request personal information

This tip is oversimplified by the statement “No legitimate organization will ask for your social security number”. Protecting sensitive personal information such as Social Security and credit card numbers is important, but what about seemingly harmless information?

Let’s say you receive one of those amusing chain-letter emails asking 25 questions about you, such as the name of the street you grew up on, your favorite movie, your pet’s name, and so on. By answering, you are revealing exactly the kind of information that password-reset “security questions” rely on, and that can be used against you in future attacks.

Spammer Sentenced to 4 Years in Prison

Written by Sue Walsh on November 26, 2009

Alan Ralsky, dubbed the “Godfather of Spam,” has been sentenced to 4 years in prison by a federal judge. Ralsky was convicted of conspiring to commit wire and mail fraud, violating the CAN-SPAM Act, wire fraud, and money laundering. He was the ringleader of a spam ring that raked in millions from a “pump and dump” scam built around Chinese penny stocks, sending billions of spam messages promoting them.

The scam works by tricking people into buying what they think is a hot stock, artificially inflating its price. The scammers then sell out and disappear, leaving their victims holding worthless stock and out hundreds to thousands of dollars.

“With today’s sentence of the self-proclaimed ‘Godfather of Spam’, Alan Ralsky, and three others who played central roles in a complicated stock spam pump-and-dump scheme, the court has made it clear that advancing fraud through the abuse of the Internet will lead to several years in prison,” said U.S. Attorney Terrence Berg, in a statement on Monday.

Ralsky’s partners will also see jail time. His son-in-law Scott Bradley was sentenced to 40 months in prison and 5 years’ probation, while How Wai John Hui, a Hong Kong resident who served as the dealmaker for the companies whose stocks were being hawked, got 4 years in prison and 3 years’ probation. Ralsky’s third partner, John Bown, will spend 32 months in prison and 3 years on probation.

In addition to his prison time, Ralsky will be on 5 years’ probation and must forfeit $250,000 seized by the government.

Seven others involved in the scam are awaiting sentencing.

New Spam Campaign Targets Unemployed, Exploits Twitter

Written by Sue Walsh on November 23, 2009

Security experts have issued a warning about a new spam campaign that targets the unemployed and financially troubled and exploits Twitter to do it. The spam, sent by the Donbot botnet, hawks “get rich quick” and work-at-home scams designed to get people to pay a fee for a useless program that claims to help them make money on the internet.

The spam messages use several tricks to get past spam filters. First, the body of the message is an image rather than text, so text-based content filters have nothing to analyze; the image itself carries a link to a Twitter account. The spammers chose Twitter because a domain of its size and reputation is very unlikely to be blocklisted. The image is of a fake newspaper article gushing about how well the get-rich program works.
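The evasion described above can be caught structurally rather than by reading the text. What follows is an added example, not code from the original post or from any spam-filter product: a small Python script that parses two constructed sample messages with the standard library and flags a message whose visible body is an image with almost no text, noting when its only link points at a high-reputation host. The MIN_WORDS threshold, the REPUTABLE_HOSTS list and both sample messages are assumptions made for this illustration.

```python
"""Image-only spam heuristic (added example, not from the original post).

Parses MIME messages with Python's standard library and flags a message whose
visible body is an image with little or no text, the trick described above.
Both sample messages below are constructed for this example.
"""
import email
import re
from email import policy

# Assumption: hosts a filter will not blocklist outright, so a spammer can
# route clicks through them. Extend to taste.
REPUTABLE_HOSTS = {"twitter.com", "bit.ly"}

# Assumption: fewer visible words than this means a text filter has nothing
# meaningful to score.
MIN_WORDS = 10

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def analyse(raw: bytes) -> dict:
    """Return structural signals for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    words = 0
    image_parts = 0
    hosts = set()
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            hosts.update(h.lower() for h in URL_RE.findall(body))
            # Count only what the recipient would see: strip tags from HTML.
            visible = TAG_RE.sub(" ", body) if ctype == "text/html" else body
            words += len(visible.split())
    image_only = image_parts > 0 and words < MIN_WORDS
    reputable = sorted(h for h in hosts if h in REPUTABLE_HOSTS)
    reasons = []
    if image_only:
        reasons.append("body is an image with almost no text")
        if reputable:
            reasons.append("link hides behind reputable host(s): " + ", ".join(reputable))
    return {
        "image_parts": image_parts,
        "words": words,
        "hosts": sorted(hosts),
        "verdict": "suspect" if image_only else "ok",
        "reasons": reasons,
    }


# Constructed sample: the campaign pattern, an HTML wrapper around a single
# inline image that links to a Twitter account. The GIF is a 1x1 placeholder.
SPAM_MSG = b"""\
From: "Daily Finance Report" <news@example.net>
To: victim@example.com
Subject: Work from home - as seen in the news
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://twitter.com/example_account"><img src="cid:article"></a>
</body></html>
--b1
Content-Type: image/gif
Content-ID: <article>
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# Constructed sample: an ordinary newsletter with real text in both parts.
HAM_MSG = b"""\
From: "Acme Newsletter" <news@example.org>
To: reader@example.com
Subject: November update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hello, here is this month's update from the team. We shipped the new
reporting module, fixed the export bug reported in October, and will be
closed for the holiday on Thursday. Full details: http://www.example.org/news
--b2
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello, here is this month's update from the team. We shipped
the new reporting module, fixed the export bug reported in October, and will
be closed for the holiday on Thursday.</p>
<p><a href="http://www.example.org/news">Full details</a></p>
<img src="http://www.example.org/logo.png" alt="Acme"></body></html>
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        print(name, analyse(raw))
```

The heuristic deliberately ignores the words inside the image: OCR is expensive and easy to defeat with noise, whereas an image-only body with a single outbound link is cheap to spot and rare in legitimate mail. The reputable-host signal is only reported alongside the image-only finding, since a link to twitter.com on its own is not evidence of anything.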

These scams are on the rise as spammers take advantage of the 10.2% unemployment rate in the U.S. and of people desperate to make money to get out of financial trouble. The timing of the new campaign also coincides with the holidays, when many people are looking for a quick way to make some extra cash.

Experts say the campaign is still growing. Within 24 hours of its start it accounted for 4% of the world’s total spam volume.

We Have Not Won The War On Spam

Written by Paul Cunningham on November 20, 2009

I came across an article today, written last week, that proclaimed “We won the war on spam”. The general thrust of the article is that “despite continued hysteria, unwanted e-mail is largely a thing of the past”.

This is an interesting point of view which I happen to disagree with, but on reflection I realize that this is mostly a matter of perspective: business vs personal, or big vs small.

The writer, Mark Gimein, approaches the matter from his own personal experience. Mark has a slightly more complex email setup than the average person: a series of email addresses for various purposes, all forwarding into a Gmail account. In Mark’s experience spam has all but vanished from his inbox, although a few false negatives (spam that slips through) remain.

I’m not disputing Mark’s account; I don’t see very much spam slip through the filters into my inbox either. But the war on spam is most definitely not won. Mark hints at what I’m about to say in this paragraph of his article:

Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.

For an email user in a business, what goes on under the hood shouldn’t concern them, but it most certainly concerns the business. Businesses spend thousands of dollars each year protecting their email systems from spam and malware. That is not a trivial expense, and in itself it stands as solid proof that the war on spam is far from over.

Zbot Trojan Ring Busted

Written by Sue Walsh on November 20, 2009

Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Police Central e-Crime Unit (PCeU) and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.

Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Zeus records bank account numbers, logins and other personal information and adds the infected computer to the Zbot botnet, which then uses the machine to pump out malicious spam designed to spread the infection further.

Authorities would not identify the two suspects, saying only that they are a man and a woman in their 20s. They are being charged under the Computer Misuse Act 1990 and the Fraud Act 2006.

Security experts say Zeus is spreading so fast because a toolkit is available that lets anyone customize the malware, build their own variants, and use them to commit bank fraud.

Russian Spammers Trying to Cash in On Swine Flu

Written by Sue Walsh on November 19, 2009

Russian spammers are cashing in on the swine flu pandemic. Shady pharmacies are advertising Tamiflu at rock-bottom prices through massive spam campaigns and search-engine manipulation. Hundreds of fake “Canadian pharmacy” sites exist, many run by the cybercrime gang Glavmed, whose “affiliates” rake in tens of thousands of dollars a day from the sales. The Tamiflu on offer is usually fake or out of date; sometimes plain sugar pills are shipped, and in some cases the pills contain disturbing and downright dangerous ingredients such as rat poison. Glavmed also runs SpamIt, a group of email spam affiliates thought to be behind the Conficker, Waledac and Storm botnets.

The spammers are exploiting the news that global production of flu-fighting drugs like Tamiflu cannot keep up with demand. They are targeting people likely to order out of panic, and they are finding success. The top countries ordering the fake flu medication are the US, Canada, France, the UK and Germany.

The gang, known as “THE PARTNERKA,” has found such success because it uses a mix of methods to deliver its message. In addition to floods of email spam, it uses black-hat SEO, social networking and malware, and there is plenty of software to help. “John22,” for example, generates HTML content for websites at an alarming rate, links the pages together, uploads them and notifies Google; the pages are so good it is nearly impossible to tell they were computer generated. Then there is ZennoPoster, which creates webmail accounts on services like Gmail and Yahoo, along with accounts on social-networking, free web-hosting and blog sites, and also sends text, email and forum/blog spam. This recipe ensures that spam filters and anti-virus programs won’t have much impact on the gang’s bottom line.

Security and health experts alike advise everyone to stay away from any pharmacy advertised in spam or affiliate marketing. If you need medication, get it from a licensed doctor or pharmacist.

Private registration no defense for spammers

Written by John P Mello Jr on November 18, 2009
A CAN-SPAM court decision may hurt the private domain registration business.

Spammers hiding behind private registration of domain names to spread junk email received a slap in the face recently from a federal appeals court. In their attempt to nullify the U.S. CAN-SPAM Act, the garbage peddlers argued, among other things, that the law was unconstitutionally vague because anyone trafficking in private domain registrations could be held liable for materially falsifying an identity under the statute.

Ironically, private domain registration was created to protect domain owners from spammers, scammers, telemarketers and other unsavory types. Under the process, domain owners who want to keep their personal information private enlist another company, a proxy registrar, to register the domain on their behalf. The owner retains control of the domain, but for public purposes, such as the WHOIS listing, the proxy’s contact information appears as the registrant. The rub is that anyone can use the service, even spammers seeking to hide ownership of their domains. It was a pair of such spammers who found themselves appealing their convictions before the Ninth Circuit Court of Appeals.

The case, U.S. v. Kilbride, involved a pair of porn spammers operating through a company based in the small African island nation of Mauritius. Their spam, which generated 662,000 complaints to the U.S. Federal Trade Commission, violated CAN-SPAM in a number of ways, including forged headers, fake email addresses and phony contact information. After a three-week trial, a jury convicted the defendants of criminal CAN-SPAM violations and other charges. One smut circulator received a 6.5-year prison term; the other, five years in the Big House.

In their arguments before the court, the skin merchants asserted that CAN-SPAM is too vague in its definition of material falsification to meet constitutional standards because it criminalizes private registration of domain names. The court wasn’t buying it. “We fail to perceive any vagueness on this point,” the judges wrote.

Passed in 2003, CAN-SPAM provides penalties for anyone who, among other things, “materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages” or “registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names…”