Spammers like to put fake information in email messages. This sneaks them past email filters. Since email spam  filters now just delete messages that come from non-existent domains, the spammers are very slick about making their messages look like they’re coming from real email addresses.   If your corporate e-mail addresses has been published anywhere on the Internet, you and your coworkers  are at risk as prime candidates for backscatter.

The spammer may peel email addresses off web sites or sometimes even guesses them.  Then the spammer places the addresses in the “from” line of fake messages.  Now these messages are sent out to hundreds of thousands of recipients. When the spam is sent to an inactive address, it can sometimes be bounced back to unsuspecting valid email inboxes . . . maybe even yours.

Spammers have figured out how to capitalize on this bouncing back of email to accomplish their scams.  The email server bounce back mechanism basically becomes a cash register to spammers.  Since backscatter comes from legitimate mail servers, it can cause special problems. In fact, some security specialists are convinced that spammers have been intentionally sending messages that will be bounced back as a way to sneak around spam filters. That’s because some mail servers bounce back the original message as part of their notice.

So a LISTSERV comes on the scene of an organization to cut spammers off at the knees, while allowing staff to send bulk email messages to many valid email addresses. The implementation of a LISTSERV usually occurs when email administrators discover corporate staff are using the the regular email system for mailings to large groups of people. This creates a quite a few issues for the regular email server(s).  Email users call the helpdesk about email not being received, which was sent to a list of a few hundred people.  This is ususally caused by the email server being blasklisted, which email addministrators find out after the fact.  So mainstream email systems like AOL, Yahoo, MSN, Gmail, Hotmail etc. reject the company email server connection when doing a DNS Blacklist look up.

Back to Our Case Study

What makes backscatter especially dangerous on a LISTSERV is there could be hundreds of mailing lists with hundreds of thousands of legitimate email subscribers stored on this particular type of server. Outside subscribers opt-in to LISTSERV lists with the thought their email address is safe and protected. The corporate staff list owners have the same mind set.  When a spammer gets past all the security level locks embedded into a LISTSERV to prevent spam, a company must scramble quickly to do reputation damage control. This is in addition to resolving the technical issues.

After analyzing the logs, and getting on the phone with L-Soft support, it was concluded that the main problem the client was experiencing was backscatter.  LISTSERVs directly connected to the Internet are sitting ducks as targets for backscatter,  since they usually block all emails except from authorized senders and have a number of different bounce back templates based on varying configurations. This tightness of security is what spammers rely on to accomplish their backscatter mission. The client was seeing around 50,000 NDRs coming in per hour. Rejecting a message will usually cause the sending mail transfer agent (MTA) to generate a bounce message or NDR to a local, authenticated user. Alternatively, if the MTA is relaying the message, it should only send such an NDN to a plausible originator as indicated in the reverse-path, e.g. where an sender policy framework (SPF) check has passed.

In order to combat backscatter on the client’s LISTSERV, the following actions were taken.

1. The MSG_POSTING_REJECT_NOTAUTH template was supressed.  This template is the one used to report that a particular user is “…not authorized to send mail to the LISTNAME list…”  This was the predominant (90+%) template being generated via backscatter.  If a legitimate user cannot post to the list, they will most likely contact the list owner or the helpdesk.  So concerns about legitimate blockages here are negligible.

2. The client is now routing all incoming email to the LISTSERV through their spam firewall.  There no longer is any direct connections from external email servers and the LISTSERV.   The spam filter was configured to only scan for viruses, and blacklisted hosts.  This method alone has resulted in over 75% of incoming messages being blocked.

The end result is that LISTSERV performance is now notably improved.  The LISTSERV web management interface is much more responsive and the LISTSERV spool and SMTP queues are virtually empty.

In addition to these methods, the client also configured individual OS logins for all individual email administrators, instead of a single administrator login ID.  In this way email admin staff needing access to the LISTSERV must use their personal credentials.  These allow for the monitoring of future mailing lists being created on the LISTSERV.  Part of the issues contributing to the backscatter were attributed to individual administrators configuring LISTSERV mailing lists incorrectly.  Since every administrator was using the same login ID, there was no way to identify who requires advance training in administering a LISTSERV.

Have you experienced similar situations with backscatter? How did you resolve the issues?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers’ Most Lethal Weapon

What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.

For the cyber criminal, spoofing an email message is only half of the equation. A hacker must also know the email address of the mailbox that’s being used as the journal repository. With these two factors in place, it’s fairly easy for a hacker to sneak a spoofed message into the journaling mailbox.  By changing certain properties of an email (i.e. From, return path,  reply to fields etc.), the bad guys can make an email appear to be from someone other than the actual sender. The result is the email appears to come from a fake email address indicated in the “From” field, when it actually comes from a totally different source.

Other journaling defense methodologies include the protecting Exchange email archives from spoofing attacks. The key component to protecting your archives against these types of attack is a clear understanding that there is a difference between the sender and the display name. The display name is the name the email recipient sees. It has no value in authenticating the user. The user’s true identity is connected to the account’s globally unique identifier (GUID).

Within the same Exchange Server organization an email recipient can be deceived by a  spoofed display name, when an authenticated email user sends a spoofed message to that  email recipient’s mail box. The Exchange server is not fooled. It knows exactly who actually sent the message, because of how the sender was authenticated.

This authentication process is significant, because journaling always sends messages to the designated recipient mail box in a consistent manner regardless of who sent or received the message being placed in the journal mail box. For example, let’s say email user #1 sends a message to email user #2. The Exchange mail server is also set up to journal a copy of the message to a mail box called “Journal”.  In this scenario, email user #1 or email user #2 won’t send the message to the Journal mailbox. The email will be sent to the Exchange hub server. Then the Exchange hub server sends the message as a Microsoft Exchange message on behalf of the message’s original sender.

If we know that all email messages sent to the journaling mailbox are only supposed to be from Microsoft Exchange, some easy steps can be taken to prevent anyone else or any other entity from sending messages to this mail box. Not publishing the mailbox in the directory is one way to do this.

A further step would be to ensure that only the Exchange server can place items into the journaling mail box.  Below is the process for creating a tunneling mechanism only between the Exchange server and the journal mail box. This ensures the journal mail box does not accept email from any outside entity.

1. Open the Exchange Server Management console.
2. Select Recipient Configuration > Mailbox.
3. Right click on the journal mail box and choose Properties from the menu. This causes the console to display the mailbox’s properties sheet.
4. Go to the properties sheet’s “Mail Flow Settings” tab
5. Select the Message Delivery Restrictions option.
6. Click the “Properties” button to display the Message Delivery Restrictions dialog box.  At this point you can require that all senders to this mailbox be authenticated.  You can also choose to accept only specific senders.  For the journal mail box, accept only messages from Microsoft Exchange.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Go Beyond Encryption with a Tunnel

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.”  Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.

As recently as April 17, 2009 ZDNet reports the Waledec botnet is on the move again.  For waledec to be effective, cyber criminals are relying on the rotation of different “Subject” themes and the email user’s ignorance of its existence.   That is a hint to educate your email users ASAP.

Some typical Waledec spam email subjects being used:

• Can your love life be re-ignited?
• Are you sure in your partner’s faithfulness?
• Now, It’s possible to read other people’s SMS
• We will tech you to be the master of making love art
• Just type the phone number and read SMS
• Do you want to test your partner?
• Have more fun and pleasure in your intimate life
• Now, you can read any SMS messages from any mobile phones
• Keep a spy eye on your Girlfriend’s mobile
• What’s Your Hall of Shame
• Are you ready to know the truth?

The actual Waledec message body is something like “Get Your Free 30-Day Trial! Do you want to test your partner or just to read somebody’s SMS? This program is exactly what you need then! It’s so easy! You don’t need to install it at the mobile phone of your partner. Just download the program and you will able to read all SMS when you are online. Be aware of everything! This is an extremely new service!”.

Any other unknown conficker children you want to share with us?  Let us know with a comment.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Meet Waledec, Conficker’s Child

The blog “Threat Chaos” apparently agrees with Dancho in its article “More on Mr. TweetTornado“.  This blog article states “It is basically a spam tool in that those using TweetTornado generate multiple Twitter identities and put links in them back to their sites that generate revenue through affiliate networks or simply Google ads.” Commenting on this article, the developer of Tweet Tornado defended his marketing software with: “TweetTornado only adds followers. People have to click on the page and choose to follow someone so there is no spam involved, only opt in marketing. The only people who receive anything are the people who follow and give permission. Everyone needs to realize this is not like a typical spam tool. This is permission based opt in marketing! And if Twitter would quit shutting the accounts down for no good reason then the software wouldn’t have to create unlimited accounts anymore. I don’t see how this software is bad for Twitter, anyone can do the same thing without software the difference is this software saves you a lot of time following people.”

I viewed the video on Tweet Tornado, which provides an overview on its usage.  It appears to automate the process people perform on Twitter in creating an account, posting 140 character tweets of current status with a link back, following people and other people following the account holder.

Where the puzzle question comes in is whether Tweet Tornado is a potential spam tool, because it automates continuous tweets on Twitter with website link backs. It automates acquiring more followers in a shorter period of time, thereby driving traffic to a linked back website. Although a slower process, isn’t that what people do on Twitter manually?  People post tweets on Twitter with link backs to their website. People search Twitter by category to find like minded people they can follow and potentially market their products or services. Could it be that Tweet Tornado just appears to accomplish this faster?

Post a comment and let us know what you think?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Legitimate Marketing Tool or Spammers’ Delight?

OnGuard Online provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.  Funding from many partners has allowed OnGuard Online to develop educational cyber security videos, tutorials, games and other tools.  Some partnering organizations include the Internal Revenue Service, NCIS, the Federal Trade Commission, Homeland Security and the Security and Exchange Commission. Even non-profit companies, like Latinos in Information Sciences & Technology Association  (LISTA), are partners with OnGuard Online.

The target audience for these free educational products is the everyday email, computer and Internet user. There are phishy videos. Then there are games with names like “Invasion of the Wireless Hackers” and “Spam Scam Slam“. Let’s not forget “ID Theft Face Off“. Now these are educational video games for all ages.

Before you get happy and think about just simply passing on the OnGuard web site link to your email users, STOP.  A savvy email administrator can see more potential in this web site. Piece mealing the various educational aspects of this website with email users will provide more continuous education mileage.  Consider including your human resource department training resources.  Their experience will be helpful in developing training outlines and organizing topics.

Suggestions for implementing a company cyber security education program:

• Set up an area within the internal employee web site. Using the html code ONGuard allows you to copy for each tool, put up a new video every week with staff.

• Create a one page weekly email newsletter. Add a few questions and answers from the different OnGuard cyber security games.

• Do a lunch and learn by showing a couple of OnGuard videos in a conference room. Then have a question and answer session. Maybe human resources could be persuaded to fund the lunches. More people attend optional meetings faster when free food is served.

• Set up a couple of computers in the break room. Encourage employees taking a break to view a couple of the OnGuard cyber security tutorials or play a game. I find these games fun, entertaining and, oh yes, educational too.

There are so many resources on the OnGuard site; you could easily run cyber security education programs for 3-6 months. How will you know if these programs work? Monitor your helpdesk requests. Questions and issues related to spam, phishing, ID theft attempts and other security threats should go down.

Now isn’t this a great way to protect company and personal information assets?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam and Phishing Education Goldmine

With account registration moderation in place, the scenario above is a more controlled environment. So spam infiltrations are much harder to achieve. More mainstream popular social networks, like Facebook and Twitter, do not moderate registration. So spammers can slip in very easily to target legitimate members.

As mentioned in a previous article “Belated Spam Predictions“, spammers will continue to phish social networks, but use more sophisticated approaches. The goal is to collect not only personal information, but also retrieve information surrounding a person’s inner circle of friends and associates.

Continue to educate your email users to be prudent about information entered into their social network profiles. People must be more vigilant about the nonchalant acceptance with the comfort and trust in entering all types of information about themselves on social networking sites.

A balance must be created between personal branding or making networking connections, while keeping your personal information safe. If a phishing spammer gets to you, that means your friendship connections are also at risk.

It may seem innocuous to share your favorite books or movies on your profile. How about providing your real birth date as opposed to making yourself 10 years older or younger? So what, if you receive those automated or personal friend birthday wishes on the wrong day. At least you make your personal identification information safer. Your hobbies and interests may seem like it’s not a big deal. The more profile information you share, just makes it that much easier for cyber criminals to assume your identity. The more personal information shared, the higher the chances another person can become YOU to get closer to scamming your friends.

The next time you receive a “heart” invitation, a virtual “drink” or a “birthday” card from a friend on Facebook, look closer at the safety message displayed. It says “Allowing Birthday Cards access will let it pull your profile information, photos, your friends’ info, and other content that it requires to work.”  Each time the “Allow” button is clicked, your personal information and your friends list is being shared.

Social networks are powerful marketing and networking tools.   How much personal information do you think a person should share in a profile? Will the profile accuracy impact personal or business relationships?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Social Network Spam Scare

As reported in PC World by Jeremy Kirk , “The challenge facing law enforcement and security organizations is a lack of a coherent reporting system, said Peter Cassidy,  secretary general of the APWG. Until now, there was no standard way to file an e-crime report. That makes it hard to coordinate the vast amount of data that is collected on cybercrime, Cassidy said.”

Once the IETF approves this electronic reporting system, it may still be a while for a complete roll out of this ecrime reporting system.  In the meantime, the APWG has published an industry advisory, which provides guidelines for developing a company ecrime incident reporting process.  This can be immediately implemented.

Having well documented incident-reporting procedures ensures everyone in the company understands the various roles played in the reporting process. This minimizes confusion, delays, and errors in responding to a security breach caused by a phishing or other ecrime incident. Management will worry less over the public embarrassment or a tarnishing effect in company brand. More importantly, having an ecrime incident-reporting process expedites containment, recovery, and resolution.

As you prepare company ecrime reporting procedures, the APWG advisory provides detailed  recommendations in considering when and how to report an ecrime incident to:

• Anti-phishing networks
• Anti-virus and anti-malware organizations  (In cases where you discover malicious executables or scripts)
• CERT organizations
• Common Vulnerability and exploit (CVE) disclosure list administrators (in cases where you discover a vulnerability or “bug” in commercial software)
• Customers
• Law enforcement, e.g., through the Internet Crime Complaint Center
• Regulatory compliance agencies
• Software developers (in cases where you discover bugs in custom application software or webware developed exclusively for your organization)
• Any individual or organization directly affected by the phishing attack, even if they do not fit into one of the other categories listed above.
• The general public

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

APWG Introduces New eCrime Incident Reporting

Fast flux is where botnet herders continuously move the location of a website, email source, or DNS server from one computer to next. This makes malicious spam and phishing activity extremely difficult to detect. IP blacklists become useless in finding fast flux-based botnets. This stymies law enforcement agencies in being able to locate the criminal elements in cyberspace.  The storm botnet was one of the first to deploy this technique of preserving its botnet infrastructure and hiding from investigators.

It gets worse. “Double-flux is another evasion technique applying two levels of deception as opposed to one,” says David Piscitello, a member of ICANN’s Security and Stability Advisory Committee (SSAC). David is also one of the authors of a SSAC advisory paper that addresses fast and double flux attacks. Dan Piscitello further explains  “It’s particularly troublesome because using domain names is a whole lot easier than using IP addresses. Before this, you could hone in on a domain server as a way of shutting down a malicious site. But now the bad guys have one more tool in their evasion toolkit.”

In addition to understanding what fast flux means, as described above, the SSAC advisory paper defines 2 more important terms email administrators should know.

Botnet – a network of compromised third-party computers running software (ro)bots. These bots can be remotely controlled – initially by the actual attacker, and subsequently by a party who pays the attacker for use of the botnet – for any number of unauthorized or illegal activities. The attacker is typically associated with an organized criminal element. The attacker will install “bot software” without notice or authorization on a PC via a spyware download or virus attached to an email message, and more commonly, through browser or other client-side exploits (e.g., compromised banner advertising). Once the bot is able to execute, it establishes a back-channel to a control infrastructure set up by the attacker. The traditional botnet design employed a centralized model, and all back-channels connected to an attacker’s command-and-control center (C&C). Recently, botnet operators have employed peer-to-peer models for back-channel operation to thwart detection of the C&C via traffic analysis. bot-herder.  Once a botnet is established, the bot-herder leases use of their botnet to a facilitate a Fast Flux service operator.

Fast Flux facilities – refers to a software agent that has been installed without consent onto large numbers of computers across the Internet.  Fast Flux service network – a service network refers to a subset of bots that the bot-herder assigns to a given Fast Flux service operator who in turn provides its customer with facilities for fast flux hosting or name service.  This service network is oftentimes operated by a “middleman”, not by the customer themselves.

Fast flux is a mounting problem that email administrators should throughly understand.  Consider developing reporting procedures to pass on identified spam and phishing emails to your web hosting and DNS registrars.  These are the entities that will be working closely with ICANN to thwart these types of attacks.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Fast Flux Primer

I recently joined a few email administrator discussion groups on LinkedIn.  I was surpirsed to see how many administrators are currently in a job search.  Although you may already know how to identify email phishing scams, it’s easy to get so caught up in the pressure which may derail our focus.

With the global economic meltdown, millions of people are out of work.  The stress is enormous. Marriages are dissolving, because  love jumps out the back window when money stops coming through the front door.  CNN even reports that many failed marrages can’t be completely dissolved, because couples can’t even afford to go their separate ways.  Tensions escalate as some couples are forced to stay together because they can’t sell property.  This is very fertile ground for email spam phishing scams to reap huge profits.

The phishing sharks are circling the rough water of a highly competitive job market. This volatile emotional climate sets the  stage for people to make very irrational decisions. People in a job search are vulnerable and easy prey for phishing scams. Bank accounts are being emptied due to people allowing their emotions to override making practical business decisions.    It’s  easy for anyone to get lathered up with email scams promising a job opportunity or making fast cash working at home in, but a cool head and common sense must prevail. I can  personally attest there are legitimate work at home opportunities.  When I’m not providing technology support to email clients, I provide business career coaching services.  My wife also runs a very successful Internet eComerce business.

Job Search Phishing Scam Prevention

• Make appropriate adjustments to your spam phishing filters and make sure the most recent updates are in place.
  

• Legimate job search sites will never send email that asks for personal information. They will also NEVER ask you to update your account via email with a link requesting you to login.

• Using your computer mouse feather over links in an email. This allows you to verify the actual web site link.

• When posting a resume online, take your time in creating a balance in disclosure vs. security. Use sites, like Careerbuilder and Monster, that allow suppressing personal information.

• Use a complex password that includes letters, numbers and special characters.

• Use multiple passwords on multiple job sites.

• Don’t send your password to anyone in an email.  You are the only person who should know your password.

Don’t send any money for job search services until you perform due diligence.  Many phishing emails present themselves as authentic services that will get you up and running with a new job quickly, but ask for a deposit up front. The Riley Guide provides many job search resources that are thoroughly verified by the owner of the this web site.  Consider using this guide as a reference.  Also consider global organizations, such as Empowering Today’s Professionals Network, that have a successful record in helping people land jobs without any up front fees. Use LinkedIn to verify companies. There is also a career management toolbar you can install to quickly obtain business intelligence on companies.

Email job offers from unknown sources should be viewed as a phishing scam until you confirm its legitimacy.  As the famous Murphy’s Law states “if it looks too good to be true, it usually is”.  Gathering business intelligence heightens our use of common sense. This keeps emotions in check and money in your bank account.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Use Common Sense During a Job Search

DKIM adds a header named “DKIM-Signature” that contains a digital signature of the contents (headers and body) of the mail message. The default parameters for the authentication mechanism uses a  cryptographic
algorithm and RSA as the public key encryption scheme, and then encodes the encrypted hash.

The receiving SMTP server then uses the name of the domain from which the mail originated, the string “domain key”, and a selector from the header to perform a DNS lookup. The returned data includes the domain’s public key. The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail message (headers and body) that was received. If the two values match, this cryptographically proves that the mail originated at the purported domain and has not been tampered with during transmission.

Since DKIM is an authentication technology, it is still not a spam filtering mechanism. This does not take away from the fact that widespread use of DKIM can prevent spammers from forging the source address of their messages. This is a technique they commonly employ today. If spammers are forced to show a correct source domain, then other filtering techniques can work more effectively. In particular, the source domain can feed into a collaborative reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good “friendly” domains, either locally maintained or endorsed by third party certifiers, it can skip the filtering on signed mail from those domains. This would allow for more aggressive filter of the remaining emails.

DKIM can also be useful as an anti phishing technology. Senders of email from and to heavily phished domains can sign their mail to show that it is genuine. People who receive these phishing emails can quickly identify the missing signature email from those domains to be an indication that the mail is probably fake. The best way to determine the set of domains that merit this degree of scrutiny still remains open to further discussion.

One of the added considerations for implementing DKIM is to have an optional feature called ADSP.   This allows authors that sign all their mail to be self identified.  The effectiveness of this approach to dramatically cut down on spam still requires further testing. It also requires agreement on standards by all mainstream email vendors.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The New Spam Sheriff in Town

The more serious issue is automating the process of posting spam comments. This process is driven by custom scripts or software written to quickly produce a high volume of spam comments. This type of software becomes a spam producing machine.  It can submit thousands of spam comments in a very short period of time. This spam machine can hit multiple pages within many blogs.

These automated scripts don’t typically submit comments by going through the comment entry forms on your weblog. They are programmed to tap directly into a blog’s comment submission script.

Minimizing Comment Spam

• Turn on comment moderation – This allows you to review all comments prior to them being publishing. Novice bloggers usually won’t know to turn on this feature of their blog.  This at least allows full control over what your public readers will view.
• Obfuscate Comment Form – This does require an understanding of JavaScript and basic HTML coding. You may not completely be able to hide the name of your blog comment script or field value names within your comment forms, you can certainly attempt to obfuscate them. The way to achieve this is by using JavaScript to generate a comment form, or certain parts of it.  Spammers often use automated scripts that download the source code from blog pages. Then the spammers search the pages for the names of your comment script and form field names. If these values are obfuscated using JavaScript, the spammers’ spidering software needs to be able to parse and execute JavaScript to determine the correct values.  Obfuscating the form stymies the spam spiders.
• Implement a Turing Test – Named after the early computer scientist pioneer, Alan Turing,  a Turing test poses a challenge that humans can resolve, but computers cannot.  Adding a Turing test to comment forms allows legitimate human commenters to pass through unhindered. Forms attacked by automated spamming software will receive no spam comments. The most commonly implemented Turing test is the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).  CAPTCHA frequently come in the form of blurry images. Within the images are contained merged letters and numbers. Humans can read this CAPTCHA text field and enter the correct combination.  Automated optical character recognition software has trouble getting through.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Stopping Comment Spam

Apparently the National Science Foundation, the U.S. Army Research Office, Microsoft and IBM agree on phishing education. Each of these companies provided grant money to fund the CyLab Usable Privacy and Security Laboratory (CUPS).  In affiliation with Carnegie Mellon CyLab, CUPS has developed an awesome anti phishing educational tool.

CUPS brings together researchers working on a diverse set of projects related to understanding and improving the usability of privacy and security software and systems.  This valuable research has produced a game employees can actually justify playing at work called Anti-Phishing Phil. This interactive game teaches people how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.

I not only had fun playing Anti-Phishing Phil, it also taught me a few things. The game can be  customized with your organization’s URLs and branding. Anti-Phishing Phil can integrate the game into a larger training program. The game play data can be used to assess your organization’s ability to resist phishing attacks and focus company training efforts.

Cylab studies have found that user education makes a big difference in preventing people from falling prey to phishing attacks. Cylab research also proves Anti-Phishing Phil to be an effective approach to educating all staff on technology security.   Playing a game at work that helps reduce the loss of personal and business assets surely deserves serious consideration from company management.

Anti-Phishing Phil addresses the main causes of people getting hooked into phishing scams:

• People usually won’t read security tutorials
• With so much online security training material, how can people identify what’s important to know?
• Much of the security information is still lacking in not educating people in how to protect themselves.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishing Game Protects Assets

The word “phishing” originally came from the analogy of early Internet criminals using email lures to “fish” for passwords and financial data from a large sea of unsuspecting Internet users. The use of the “ph” in this terminology has been forgotten about over time.  It was most likely linked to hacker naming conventions such as “Phreaks”.

This can be traced back to early hackers who were involved in “phreaking” – the hacking of telephone systems.  The term was  coined during 1996, by hackers who were stealing America Online (AOL) accounts. They were picking off passwords from AOL users. The first mention on the Internet of phishing was made in 2600 hacker newsgroup in January 1996, however the term may have been used even earlier in the popular hacker magazine called “2600”.

In the early days of AOL you could create a fake account as long as you had a credit card generator. AOL smartened up to  this technique. AOL now uses banks to verify every credit card submitted.  By 1996, hacked accounts were called “phish”.  By the time 1997 rolled around phish were actively being traded between hackers as a form of currency. There are instances where Phishers would routinely trade 10 working AOL phish for a piece of hacked software. This type software was referred to as “warez“, which is stolen copyrighted applications and games.

The earliest media reference to phishing wasn’t made until March 1997.  “The scam was called ‘phishing’ — as in fishing for your password, but spelled differently”  said Tatiana Gau, vice president of integrity assurance for AOL.

In 1997 Ed Stansel, reporting for the Florida Times Union, said  “Don’t get caught by online ‘phishers’ angling for account information,”

Over time, the definition of what constitutes a phishing attack has blurred and expanded. The term Phishing does not just cover obtaining user account details. Now phishing includes stealing all personal and financial data.  In the early days phishing entailed tricking users into replying to emails for passwords and credit card details. As we know now, phishing has expanded into fake websites, installation of Trojan horses by key loggers and screen captures. Then we have the “man in the middle” data proxies, which can be delivered through any electronic communication medium.

The combination of phishers’ high success rate and negative global economies, has resulted in scams  escalating. An off-shoot to the classic phishing scam now includes the use of fake job sites or job offers. Applicants are being conned with the promise of making a lot of money for very little work. All a person has to do is create a new bank account. Then take the funds that have been transferred into it, minus their personal commission, and send it on as an international money order. As experience teaches us, this is a classic money laundering scheme. Hence, the phishing past still keeps coming into the present.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

History of Phishing

Aurelija with PC1 News provides some keen predictions for 2009 to be on guard about.  Social networking sites will continue to be phished but in a much more professional way with a goal of collecting as much personal information and information surrounding a person’s inner circle of friends and associates as possible. Certain types of spam will target proper names and be segmented according to demographics or certain types of markets. Be on the look out for shorter spam messages that will trip up spam filters with shorter messages. Other spam may resemble legitimate newsletters and other special offers. Once a person falls prey, the spam may spread with a viral marketing effect through their personal network.

Consider providers having to respond more often to CAPTCHA breaking techniques in 2009 by enhancing the CAPTCHA process, while deploying alternative CAPTCHA approaches. Any web site requiring a personal account to be created online will continue to be targeted and the CAPTCHA failure rate will continue to increase accordingly.

The advance fee fraud (419 scam) should be considered a continuing spam threat and worth giving vigilant attention. It is expected that these types of messages will become harder to recognize at first glance.  Messages will contain only a couple of sentences, rather than a long story. Cyber criminals will try to trick potential victims and involve them in their schemes slowly, inviting them to find out more about the offered “business opportunity”. Besides, scammers will also make greater use of email attachments to convey their messages with more detail. This facilitates  the scammers to bypass traditional anti-spam filters.

Spam is appearing more often as an intra-country globalized threat. China, Brazil, India and Russia are among the biggest emerging broadband markets worldwide and as such offer a tremendous opportunity for cybercrime. Email experts predict that in 2009 the emerging markets will be more heavily targeted with spam delivered in the local language.

Malicious emails will include an increasing proportion of attachments or web links to non executable (*.EXE) files. These will be legitimate looking data files, such as Microsoft Word documents and Adobe *.PDFs.  These innocuous looking file types may actually contain sleeper code that exploits software or web browser vulnerabilities. Viewing these files, which would be harmless on a patched computer, could lead to an invisible disaster on an unpatched one.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Belated 2009 Spam Predictions

Mobile communications expert, Andy Adams says “mobile phones are seen as easy targets since text messages are the perfect medium for sending junk mail out to the world. The extent of this issue is most prevalent in China. In China there are an estimated 555 Million mobile phone users, two hundred million phone users who were surveyed reported to have been victims of mobile spam. Considering that most users reported that they received on average 8 spammy messages per week this makes for a huge problem.”

Tips to Get Your Wireless Mobile Carrier to Stymie Spam

• AT&T: Log in at http://mymessages.wireless.att.com. Under Preferences, look for the text-blocking and alias options. You can also block specific addresses and websites.

• Verizon Wireless: Log in at http://vtext.com. Under Text Messaging, click Preferences. Click Text Blocking to block text messages from e-mail or from the Web. You can also block specific addresses or websites, or set up an alias.

• T-Mobile: Log into http://www.t-mobile.com and go to “My t-mobile” using the t-mobile sites drop down at the top of the page.  Now, search for “Change plan or services” and click the link. You will be taken to a page with the section “Your Current Services” where you’ll have to click the “change services” button. Here, you can block text messages, instant messages, photo messages, messages sent via e-mail, or even all text messages.

• Sprint: Log in at http://www.sprint.com. On the top navigation bar, click My Online Tools. Under Communication Tools, click Text Messaging.  On the Compose a Text Message page, under Text Messaging Options, click Settings & Preferences. In the text box, enter a phone number, email address or domain (such as Comcast.net) that you want to block.

• Virgin Mobile: Check the Messaging Settings page on Virgin Mobile’s website (http://www.virginmobile.com) to block text messages from up to ten telephone numbers or email addresses.  You can also change preferences on your handset (VirginXL or VirginXtras > Messaging > Messaging Management)

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Mobile Phone Spam Prevention Tips

ACMA also plays an important role in e-security in Australia, gathering evidence and assisting in protecting Australians from computer fraud and identity theft.  As Australia’s anti-spam watchdog it  has lauded the effectiveness of the Spam Act 2003.   According to Iain Ferguson of ZDNet Australia, ACMA also warned international efforts and moves to combat the “fusion of spam, fraud and cyber crime” must be stepped up.

Smart Company’s Patrick Stafford reports three mobile phone companies are facing legal action by the ACMA for allegedly sending unsolicited SMS messages to Australian mobile phone users.  Mobilegate, Winning Bid and Jobsy must answer charges filed by ACMA in the Federal Court.  The mobile companies are accused of creating phony dating web site profiles. These bogus profiles were used to bait victims into replying to SMS messages, which cost $5 for each reply.

The ACMA also alleges that the companies allegedly sent messages advertising fantasy chat services, including Singles Club and AU Singles, which were also designed to convince users to reply to messages, also at a cost of $5 each.

This case sets a precedent in Australia. This is the first time ACMA has taken a company to court for breaching the spam act by using text messages.  Hefty fines of up to $1.1 million a day and $220,000 for individuals could be paid, for those parties found guilty.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Australia Watchdog Checks Text Messages

Getting past the symptoms that achieve the in-session phishing results, let’s examine the root cause.  I learned a long time ago that the solution to any problem lies within the problem itself.  This has proven true over the years in overcoming problems life has presented.

This adage holds true with in-line phishing.  The solution to preventing or minimizing in-phishing or other phishing scams lies in eliminating the complexity of domain names. Beyond the ignorance of people having identities or money stolen, the root cause lies in the way universal resource links (URL) are created. As technocrats, we get hung up on creating complicated internet web address URLs. The thought is the more complicated the URL, this increases the chances of thwarting the phishing thieves. This complicated URL approach does not consider the every day person who won’t know the difference.  So this actually makes it easier for the phishers to reel in their victims.

In “Security Best Practice: Host Naming & URL Conventions“,  author Gunter Ollmann provides solid methods for addressing the root cause of phishing attacks. Gunter points out that companies need to spend time rethinking the naming conventions for Internet web address URLs.  Organization names used for Internet visible hosts or references to web application URLs can often be abused to make for a more successful attack. Due to a lack of insight or understanding of current attack variables, many organizations are failing to follow best security practices in their host naming and linking conventions. The result is companies unwittingly aiding the attackers.

Most attackers, whether they are malicious users or professional criminals, have a bag of ‘tricks’ from which they construct their attack. Many common attack vectors initially depend upon the manipulation of the host name and/or application URL to deceive the customer in order to be successful.  To conduct an attack comprised of any of the threats previously discussed, the attacker has a finite pool of techniques and vectors that he can use. The most important and successful techniques are:
• Registration of similarly named domains
• Manipulation of complex URLs

Suggestions for Minimizing Phishing Attacks

Protect against all of the threats by adopting a robust and comprehensive in depth defense posture.  At a fundamental level, the process of keeping host names as simple and recognizable as possible – combined with the use of short URLs for referencing application components – can appreciably contribute to the overall security of an organization’s online service.  Customers and clients must be able to tell at a glance exactly which service offering they are connecting to, and have confidence that they are not succumbing to a fraudulent link.

Care should be taken when considering how domain names are to be used when delivering host services. Regardless of any particular attack vector, most customers are non-technical and are easily overwhelmed with the long and complex information presented in “follow this link” URLs.

Suggested “best practices” in domain naming and host service referencing include:

• Use of the same top level domain

• Redirection of regional domains

• Representative service naming

• Use of the simplest and least confusing host name

• Avoiding host numbering

There is no magic silver bullet.  Gunter Ollmann is probably not popular with phishing thieves right now, because he is on the right track with his approaches.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Root Cause of Phishing Attacks

The little spam “breaking news” gremlins have struck again. Capitalizing on the war torn region between Israel and Hamas, another fake email containing a trojan has been discovered. Similar to the previous CNN spam exploits, the website that you may be redirected to from this malicious email looks like it attempts to load a flash video. The web site Spyware Remove reports a  Adobe_Player10.exe file was detected by security researchers as TROJ_DLOADR.QK which is a trojan virus. It apparently has the ability to connect to another URL which may be detected as TROJ_INJECT.ZZ. This trojan infection, TROJ_INJECT.ZZ, is an information stealer that logs keystrokes, which launches a sniffer to gain access to security credentials that are entered through the computer keyboard.  In addition to the second Trojan, a rootkit was discovered to be dropped which is identified as TROJ_ROOTKIT.FX.

Some Proactive Measures
Many times email messages in Outlook and other email clients messages initially show up as a series of images. People often choose to load the images, which will enable redirection to the website link when the  image is clicked on with a mouse. If you choose to bypass or disable image loading, then it will prevent the web links from being active. In this particular case the “CNN” message would not be very effective in spreading malware because the embedded image link cannot be followed, if image loading is turned “off”.

Consider sharing information to your end user community about setting up a spam rule in Outlook or whatever email system is being used. Although rules may not block every spam message, this type of rule can thwart disaster by sending dangerous virus infected messages to your junk mail folder. Instruct email users, step by step, to manually create an [Outlook] rule to help catch messages that contain either  “CNN” in the “From” email address, the email “Subject” or the actual “body” of the email. This simple technique creates an excellent filter to look for the specific text in three (3) different sections of an email to quickly move this malicious  message to your junk email folder.

I know from personal experience that time taken to create a simple rule like this is definitely worth a pound of prevention, with these types of deadly spam emails. The best spam defense is the proactive offense in continuously educating your end user email community.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

CNN Spam Exploits Israel and Hamas Conflict

What have we learned from engaging in almost daily squirmishes with our spam foes?

If we first identify what spammers try to accomplish, then we can come up with a strategy to bolster our defenses.  So what is a spammer’s agenda? Different spammers have various goals. Let’s review some the main objectives.

• Sell products and receive affiliate commissions

• Acquire personal information for identity theft

• Breach computer network security to access corporate information

• Plant bot software for denial of service attacks

• Install viruses that bring computers to an abrupt halt

• Have people send money for fictious causes

• Access email address books just to send more spam and clog the Internet highway

These are some of the main objectives, but I’m sure you can come up with many more.  I encourage you to brainstorm with associates to come up with a complete list.  It will enhance your anti-spam strategy.

In the “Art of War” by Sun Tzu a key statement is “If you know both yourself and your enemy, you can come out of hundreds of battles without danger“.  What does this have to do with fighting spam?  It provides the answer to the ultimate defense against fighting spam.  Do you really know your enemy? Do you know yourself?  Have you given any  thought to why spammers appear to be ahead of email administrators at every turn? Why does it appear as though we can’t seem to win the spam war?

Those questions are all answered by asking the question “Where is the weakest fortification that enables spammers to achieve their mission?“.  Hold that thought for a minute.

Know Your Enemy
Spammers take time to learn all they can about what makes people perform certain actions. They take seminars on marketing. They exchange ideas within informal underground forums about human social interaction. Remember, spammers are running a business. They educate themselves on consumer buying habits. In other words, spammers integrate all aspects of the human psyche with technology tools.  These proceses are no different than those performed by legitimate advertising companies.

Know Yourself
As technologists, many times we get lost in the details of automated system deployment.  Technology clouds us from seeing the bigger picture. It’s easy to forget the nature of each business aspect of our email audience.  Executive assistants are in the office management business. Lawyers are in the legal business. Bankers are in the finance business. Plumbers are in the leaky faucet business. Human resource professionals are in the staffing business. The masses are not in the email business.  The only time most people care about email is when they cannot send or receive it.

So the common denominator for spammers and email administrators to achieve their mission is the human factor.  Spammers have been better able to leverage this variable than we have, as email administrators. This is the weakest front line link that answers the question above.

The Ultimate Defense Against Spam
The best email user is an educated email user. The email users are on the front line. If we bolster this fortification, spammers don’t stand a chance.

Consider Implementing Continuing Education Programs

• Publish a technology newsletter / blog with spam articles

• In addition to sending spam alerts to your technology buddies, send them to the email user community

• Ask Human Resources to sponsor some “lunch and learn” spam and email security workshops.  Provide non-technical topics. Speak in terms email users understand, with appropriate analogies.

• Use spam help desk requests to have a 3 minute mini seminar to educate that caller. Make it a goal to empower each person to become self sufficient.

Continuously educate, inform and transfer knowledge to email users. Over a period of time the spam bullies will move on to easier corporate prey, as your email user front line  maintains a solid fortification.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Ultimate Defense Against Spam in 2009

A LISTSERV owner maintains total control of the mailing list. Spam is eliminated, because the email list owner moderates who can subscribe.  People can opt in or out of the list. Either way human intervention is required to confirm or delete subscriptions. So spammer automated processes are ineffective with LISTSERV mailing lists.

A listserv  can be used as an online forum. Members use the listserv to ask questions, comment on solutions, and network with the members of a special interest group or community. Messages sent to the listserv are available to all registered members of the community to read and respond to. Some members receive each message via email, others prefer to have a Daily Digest, while still others prefer no email This means messages can be read by accessing the community website. Each member decides whether the individual messages are of particular interest. A member can also choose to read, respond, or discard the messages. A Yahoo news group works very much like a Listserv configuration.

Made by L-Soft, a free version of LISTSERV Lite is limited to a maximum of 10 mailing lists with up to 500 subscribers each. It is available for users who want to run hobby or interest-based email lists and do not derive a profit, directly or indirectly, from using the software.

Some ideas for when to use a LISTSERV:

• Distributing project status reports to internal and external resources

• Newsletters

• Departmental team communications

• Customer communications

• Instructional mailings

• Company sponsored clubs or organizations

• Special interest groups

• Blog or web site subscriptions

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why to use a LISTSERV for your email groups