Written by Paul Cunningham on December 31, 2009
Email: paul@exchangeserverpro.com
Site: http://www.exchangeserverpro.com
About: Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
It has been a big year for the internet with social networks continuing to grow at an amazing pace, search engines scrambling to keep pace with user demand for fresh news, and as always spam and malware causing havoc around the world.
A look at the year’s major spam events shows some consistent trends.
- Seasonal spam such as Valentine’s Day and Christmas remains predictable
- Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
- Spam networks are becoming more distributed and resistant to shutdown attempts
- Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
- Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering
Here is a look at some of these major events throughout the year.
January
Scams promising free money from US government grants attempt to exploit the news of corporate bailouts and the increase in unemployment.
Fake CNN news alerts take advantage of a clash between Israel and Hamas.
Global spam volumes begin returning to normal levels after the McColo shutdown of November 2008.
The inauguration of US President Barack Obama leads to a wave of spam that spreads rumours that his inauguration is invalid or that he has resigned, and attempts to trick users into downloading malware.
Spammers also get a head start on Valentine’s Day with malware-carrying love letters.
February
Human error at Google marked the entire internet unsafe (is it really that far from the truth?).
The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.
Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.
March
Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.
Written by Sue Walsh on December 30, 2009
Email: siwriter@si.rr.com

A judge in Brisbane, Australia has fined a man accused of being one of the world’s biggest spammers nearly $200,000. The fine was levied against Lance Atkinson after the court found him in violation of the Australian Spam Act of 2003. The Australian Communications and Media Authority filed charges against him after fielding over 100,000 complaints from consumers about his spamming.
Atkinson is the ringleader of what is believed to be the world’s largest spam ring. His operation, doing business under the names HerbalKing and Canadian Healthcare, sent billions of spam messages advertising fake or black market male enhancement products, weight loss pills, and other drugs. When unwitting customers placed orders at the ring’s sites, the spammers raked in affiliate fees while the customers’ credit card info was stolen. Medical experts have warned that the drugs being sold could cause serious harm if taken since they are made in India and not tested for quality or safety. Earlier this month in the U.S., the Federal Trade Commission slapped Atkinson with a $15 million fine for violations of the CAN-SPAM Act, but it has little hope of collecting unless he enters the U.S.
Atkinson, who failed to appear in court, was also banned from sending any kind of commercial email for 7 years. It will be interesting to see how they plan to enforce that!
Written by John P Mello Jr on December 29, 2009
Email: gif.blog@nyms.net
Site: http://twitter.com/jpmello
About: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

Billionth spam received by Project Honey Pot.
Project Honey Pot announced earlier this month a dubious achievement. It had attracted its one billionth spam message. The ejunk purported to be from the U.S. Internal Revenue Service and informed its recipient:
“After the last annual calculation of your fiscal activity we have determined that you are eligible to receive 760,635 tax refund under section 501(c)(26) of the Internal Revenue Code. Please submit the Tax Refund Request form and allow us 3-9 days to process it.
“Yours faithfully,
“Sarah Hall Ingram, Commissioner”
Although the spammers forgot to put a dollar sign in front of the refund amount, they were accurate in some other details in the message. There is a section 501(c)(26) of the Internal Revenue Code. It lists non-profit organizations exempt from some federal income taxes, and subsection (26) includes in that category “State-Sponsored Organization Providing Health Coverage for High-Risk Individuals.”
Sarah Hall Ingram is an IRS commissioner, but not the IRS commissioner, as the letter would lead one to believe. However, she is the commissioner of the agency’s Tax Exempt/Government Entities Division, which would be a believable source for the message.
Project Honey Pot is a community of tens of thousands of web and email administrators from more than 170 countries around the world who are working together to track online fraud and abuse.
According to the Project, the IRS spam was sent from bot malware running on a compromised machine in India. It noted that the email address used by the bot was originally harvested on Nov. 4, 2007 by a grim reaper that has sent more than 53 million messages to the address since that time.
Written by Sue Walsh on December 28, 2009
Security researchers say botnet herders, malware authors, spammers, and other cybercriminals have begun taking matters into their own hands and creating their own ISPs. Now that even so-called “bulletproof” ISPs are being pursued and shut down, cybercriminals have decided that doing it themselves is their best bet.
They start by setting up data centers and stocking them with servers, then they seek out a local Internet registry (LIR) or a regional (RIR) one that doesn’t have the resources to verify applications as they should. In most cases anyone applying for a block of IP space must go through a screening process that includes submitting legal documents showing their business name, the names of the officers in their company, a written explanation of why they need the space, a listing of the company’s PCs, router configurations, network maps and more. By going through either local registries or ones that for one reason or another can’t or won’t do a full screening, cybercriminals are getting set up as ISPs. In many cases these less than thorough registries require nothing more than a letter explaining why the space is needed.
Once the criminals are granted the space they themselves become bulletproof. They obviously will ignore any takedown orders. The best example of this kind of setup is the infamous Russian Business Network, which hosted hundreds of spammers, botnet herders, phishers, hackers and other cybercriminals. They firmly ignored takedown orders and fiercely protected their customers. RBN was able to get a block of IP space by going through a European LIR that didn’t bother doing a thorough screening, and the RIR, RIPE NCC, granted the space based on the LIR’s report. RIPE defended itself, saying it had no way of knowing whether an applicant is up to illegal activities or not.
“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case.
RIPE was eventually able to close down the LIR and reclaim the space from the RBN, but the practice is still flourishing. To stop it, it’s up to LIRs and RIRs to stay on the ball and thoroughly screen applicants.
Written by Sue Walsh on December 25, 2009
Actress Brittany Murphy’s sudden death yesterday at the age of 32 shocked Hollywood and her fans, but hackers and spammers wasted no time in exploiting the tragedy. Already the top results for searches about her death are all malicious, leading to sites that attempt to download fake anti-virus software. Spam messages with links leading to similar sites have also been detected.
The tactic is nothing new. Spammers and hackers jump on holidays, major news stories and celebrity deaths and quickly poison search results for them using black hat SEO techniques. Earlier this year the deaths of actor Patrick Swayze and pop icon Michael Jackson were similarly exploited. Experts expect the upcoming Olympic Games and World Cup to unleash a flood of similar exploitations.
Written by Sue Walsh on December 24, 2009
A security researcher recently discovered a new malware attack that has poisoned nearly 300,000 websites. The SQL attacks began last month and use a hidden iframe to redirect visitors to a malicious site that is programmed to look for and exploit known vulnerabilities in several different apps including Adobe Flash, ActiveX, IE, and several other Microsoft applications. If a vulnerability is found, a rootkit called Backdoor.Win3.Buzus.croo is installed. This malware steals banking information and likely downloads even more malware to the infected system. It’s believed to be related to the Rustock botnet.
Rustock, along with Cutwail, Zeus and Mega-D, controls over 5 million computers and sends out billions of spam messages. The shutdowns of cybercrime-friendly ISPs McColo and Real Host have done little to stop them; in fact, current spam levels have exceeded pre-McColo ones. Experts say botnet herders no longer rely on a single ISP or domain, so that if a shutdown happens they will be back up in hours instead of weeks or months.
Experts say those with properly updated and patched systems are in no danger, so make sure all your users are protected.
Written by Paul Cunningham on December 23, 2009
Sky News UK has reported on the results of research into victims of online fraud. The survey revealed that some fraud is never reported due to embarrassment, indifference, or simply not being aware that the fraud has even occurred.
These reasons might seem strange to some people who would assume that any fraud victim would want to see justice and would immediately report the matter to authorities. Unfortunately online fraud caused by spam, phishing, and other scams often does go unreported. Let’s take a closer look at the reasons for this, and why those reasons should be put aside in favour of more reporting.
Embarrassment
There are a few different reasons why someone may be too embarrassed to report a fraud. The first is if the amount of money lost is very high. Being scammed out of your life savings would be a devastating and embarrassing event that a lot of people would feel so ashamed about they may want to keep it secret. An attitude of “I should have known better” can sometimes play a role in this.
Another reason is when the nature of the scam is sensitive and embarrassing. Examples of this include Russian mail order bride scams, and fake male enhancement drug scams. In both cases a person could easily be too embarrassed to admit they were attempting to purchase those items in the first place, on top of the embarrassment of being a fraud victim.
It takes a lot of bravery to come forward and admit you were fooled. Two things should be remembered here – firstly these are professional criminals often with very effective methods for tricking people. Secondly, reporting your incident to authorities can help prevent other people from becoming victims in future.
Indifference
Say what you want about criminals, but they usually aren’t stupid. It might seem strange to look at them this way but a lot of online criminals are basically malicious marketers, and have all of the skills that honest marketers have. One of these is an understanding of human nature, and one of the natural instincts of a lot of humans is not to bother with trivial matters.
Written by Sue Walsh on December 22, 2009
Heartland Payment Systems announced it has reached a settlement with American Express regarding the massive data breach revealed earlier this year. The $3.6 million settlement is only the beginning for Heartland as they are also working on reaching settlements with MasterCard and Visa.
The breach was the largest in history, affecting over 100 million credit and debit cards. The company said they had discovered data-stealing malware on their system, which processes payments for over a quarter of a million companies. Heartland says no SSNs, PINs, or other personal information was stolen.
MasterCard and Visa both hit Heartland with steep fines after the breach was announced, claiming the company was negligent and failed to take corrective actions once they knew of the breach.
“Heartland believes that it responded appropriately to all information that it learned regarding the possibility of the system breach, and that upon discovering the intrusion, it took immediate and extraordinary action to address the intrusion,” Heartland Chairman and CEO Bob Carr said.
Security experts say Heartland deliberately tried to downplay the breach by announcing it on January 20th, which was the day of the historic inauguration of President Obama. Some say doing so was downright deceptive.
Heartland’s problems aren’t over yet. Visa said that while the company was previously validated as Payment Card Industry Data Security Standard compliant, that status is now under review. If they lose that status they could find themselves losing business fast as businesses won’t do business with a processor that’s been cut off by the major CC companies.
Written by Sue Walsh on December 21, 2009
Surprised researchers have discovered that MP3 spam has returned. It was last seen in 2007 and like PDF spam, was thought to have been discarded by spammers in favor of simple link spam. However, late last week security researchers discovered a brand new spam campaign using MP3 attachments. The MP3 was of a computerized voice hawking the website of a fake Canadian pharmacy that offers shady male enhancement pills and Viagra, with the audio from Meg Ryan’s famous scene in “When Harry Met Sally” playing in the background. There were random characters in the lyrics tag, an attempt to evade spam detectors that work by noting MD5 file hashes.
The campaign lasted just 24 hours but sent out over 500 million messages, accounting for 1.2% of the global spam volume for that time period. It’s believed that the Cimbot botnet is responsible for the spam. It boasts a network of between 10,000 and 20,000 zombies, most of which are located in Europe. Cimbot had previously launched an image spam campaign hawking the same products and leading to the same Canadian pharmacy website.
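The hash evasion described above works because a whole-file MD5 changes when any tag byte changes. The following added example (not from the original post or any vendor's filter) hashes only the audio payload after skipping ID3 tags, so two copies that differ only in tag text match. It assumes the random "lyrics" text sat in an ID3v2 `USLT` frame, which the post does not specify; the sample bytes are constructed.

```python
import hashlib

def _syncsafe(b: bytes) -> int:
    """Decode a 4-byte ID3v2 syncsafe size (7 significant bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def strip_id3(data: bytes) -> bytes:
    """Return the payload without leading ID3v2 tags or a trailing ID3v1 tag."""
    start, end = 0, len(data)
    # ID3v2 header: "ID3", 2 version bytes, 1 flag byte, 4-byte syncsafe size.
    while end - start >= 10 and data[start:start + 3] == b"ID3":
        size_bytes = data[start + 6:start + 10]
        if any(x & 0x80 for x in size_bytes):
            break                      # malformed size: stop parsing, hash as-is
        footer = 10 if data[start + 5] & 0x10 else 0
        nxt = start + 10 + _syncsafe(size_bytes) + footer
        if nxt > end:
            break                      # tag claims more bytes than the file has
        start = nxt
    # ID3v1: fixed 128-byte block at the end of the file, starting with "TAG".
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128
    return data[start:end]

def file_md5(data: bytes) -> str:
    """The naive signature: MD5 over every byte, tags included."""
    return hashlib.md5(data).hexdigest()

def audio_md5(data: bytes) -> str:
    """Tag-independent signature: MD5 over the audio payload only."""
    return hashlib.md5(strip_id3(data)).hexdigest()

def make_sample(lyrics: bytes) -> bytes:
    """Constructed test file: ID3v2.3 tag with one USLT frame, then fake audio."""
    body = b"\x00eng\x00" + lyrics     # encoding, language, empty descriptor, text
    frame = b"USLT" + len(body).to_bytes(4, "big") + b"\x00\x00" + body
    size = bytes((len(frame) >> s) & 0x7F for s in (21, 14, 7, 0))
    audio = b"\xff\xfb\x90\x00" + bytes(range(256)) * 4   # stand-in for MPEG frames
    return b"ID3\x03\x00\x00" + size + frame + audio

if __name__ == "__main__":
    a, b = make_sample(b"qzxv1"), make_sample(b"k83jd0p")  # constructed variants
    print("whole-file MD5 equal:", file_md5(a) == file_md5(b))
    print("audio-only MD5 equal:", audio_md5(a) == audio_md5(b))
```

This normalizes tag metadata only; it is an exact match on the audio bytes, not a fuzzy or perceptual comparison.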
Written by Sue Walsh on December 18, 2009
A new report by security researchers claims that Google’s reCAPTCHA system is flawed – so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour, resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services, the human factor, but with a twist.
The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet’s C&C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system it steals credit card numbers and other personal information.
The underground economy of human driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.
Google denies that their reCAPTCHA is flawed, claiming the data used in the report is outdated.
“Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” said a Google spokesman. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”