The corporate world unceremoniously booted Dan Blacharski out of his cubicle over 15 years ago, and he’s never looked back. Since that time, he has been a full-time professional freelance writer, public relations consultant and analyst, and has published six books and thousands of articles. He divides his time between South Bend, Indiana and Bangkok, and married the renowned Thai writer Charoenkwan Prakthong in 2005. He and his wife enjoy traveling the world, and spending time with their Boston Terrier, Pladook.
Last week, a Wall Street Journal article entitled “The fallacy of identity theft” may have given some people the mistaken impression that there’s nothing to worry about, and that everyone’s identities are safe. Unfortunately, however, that’s not quite the case, and yes, you do need to be paranoid about it. It’s the real deal, and identity thieves can, and do on a regular basis, steal people’s identities and wreak havoc on their lives.
The article starts out by deconstructing the term “identity theft,” which makes it seem less dangerous than it really is, and states that “identity theft” doesn’t steal anybody’s true identity, or the personhood that makes them what they are. When you are a victim of this crime, you remain you, but that’s only a small consolation when a stranger is charging up luxury cruises and fur coats on your credit card. It’s a semantic bit of theory that was actually played out on the “Family Guy” cartoon when actor James Woods stole the identity of cartoon character Peter Griffin, to the point of moving into Peter’s home, sitting at his dinner table and sleeping in his bed. It was a funny episode, but of course, that’s not what identity theft really is.
The article comments about how experts “hounded” people into shredding bank statements and being vigilant about monitoring credit reports, but the fact is, doing so really is a good idea. It’s not a conspiracy by manufacturers of shredding machines, or of companies offering various fee-based monitoring and protection services. And here’s the real kicker, at the end of the article: “It turns out that ‘identity theft’ is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money—but your soul. Maybe it’s time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don’t need.”
Advice like this is what lulls people into a false sense of security and prevents them from taking the precautions that they need to take. Is it a fear campaign? To a degree, yes, it is. But it’s based on fear of something very real. So there is reason to be afraid and one must take the necessary steps to protect oneself – because you could be a victim.
The FBI, depending on the news story you read, either “netted,” “snared,” “hooked,” “reeled in” or “lured” a huge number of cybercriminals in a massive phishing investigation. We’ll resist the temptation to add to the trend by referring to the FBI as “fishing for phishers,” although we may reserve the right to wonder aloud at “the one that got away.”
This week, the FBI announced that a multinational investigation, conducted both in the US and Egypt, resulted in 53 defendants being indicted in the US, and 47 more charged in Egypt, for an even hundred, which according to Computerworld, is the largest number of people ever charged with the same cybercrime. Looks like they “bagged their limit.” Of the 53 US defendants, 33 have already been arrested.
Nobody likes getting a letter from the IRS (except if it has a check in it, that is), and so emails from the IRS are likely to cause a bit of angst as well. But when you get an email from the tax collector, chances are, it’s not the real thing. In fact, the agency has explicitly stated that it does not communicate via email with taxpayers. If you get an email from the IRS with an attachment, don’t open the attachment!
With that in mind, US-CERT has issued a warning of a recent spate of spam that is created to appear as though it is from the Internal Revenue Service. The spam attack contains a message about under-reported income, and asks recipients to open up an attachment or click on a link to view a tax statement. However, the attachment contains a piece of malware, and the link opens up to a malicious website. According to CERT, the malware is the Zeus Trojan, which is used to steal money from bank accounts. Zeus is one of the more difficult Trojans to detect, and the binary changes several times a day. Zeus attempts to break into bank accounts, and then withdraws money, and according to one report, criminals using Zeus are able to drain more than a million dollars a day from bank accounts.
The campaign has been going on for about three weeks, and according to reports, hasn’t even begun to lose steam. The barrage of spam is huge, accounting for nearly ten percent of all spam email being tracked, with one company counting 11 million spam messages just relating to this one program since September 9.
The message includes a subject line that says “notice of underreported income,” and attempts to trick users into clicking on a link to view their personal tax statement. Some users have reported the guilty Trojan is a file named sdra64.exe.
Twitter has been in the news the past few days, and it’s not been pretty. On Wednesday, the Mashable blog reported that scads of Twitter accounts were seen sending out Twitter spam with URL links all at once. The spam was not being generated by run-of-the-mill spam accounts that were created just for the purpose of disseminating spam, but rather, they were regular accounts that had obviously been hijacked. Spammy tweets had been going out by the hundreds, making it appear to many people that their friends were recommending a get-rich-quick scheme, which of course, they were not.
It would be a fair bet to say that scientists at Sandia National Laboratories have seen “Night of the Living Dead.” The Livermore, California researchers embarked on a test to duplicate a zombie network a million strong.
The researchers ran more than a million Linux kernels as virtual machines, in an attempt to see how malicious botnets scale. Previous simulations have been able to re-create zombie networks of only about 20,000 nodes. Analyzing botnets has been difficult for security researchers, for a variety of reasons, not the least of which is the global, almost random distribution pattern that botnets exhibit. Unlike a real botnet though, which consists of huge numbers of individual machines, the Sandia simulation actually uses virtual machine technology to duplicate the effect of multiple machines, while actually running on one very large supercomputer.
Running a simulation has a good deal of value in terms of security research. According to a press release issued from Sandia, “Many phenomena occurring on the Internet are poorly understood, because we lack the ability to model it adequately. By running actual operating system instances to represent nodes on the Internet, we will be able not just to simulate the functioning of the Internet at the network level, but to emulate Internet functionality.”
The test is being run on Sandia Labs’ 4,480 node computer cluster named Thunderbird, which is located in its Albuquerque, New Mexico facility.
Most of us have grown accustomed to using spam filters, so we never even see most of it. The spam that does get through, we tend to ignore. We just glance past it, delete it, and never bother reading it, because we’re used to the suspicious headings and the tip-offs that classify it as an advertisement. Anything coming from a barrister in Nigeria, or a crooked banker in South America goes straight to the trash, as do all the ads for pharmaceuticals, get-rich-quick schemes, and secret tropical fruit juices that are used by people on some island in Southeast Asia where they all live to be 100 years old.
But it seems, one man’s trash is another man’s treasure, and there are a few people out there who actually want those fruit juices. If you’re one of those people, here’s a tip: I used to buy that same juice that the multi-level marketers sell for $40 a bottle, when I was living in Bangkok, from street vendors for about a half a dollar. Be that as it may, now and then there is an ad that catches my eye. Yes it’s true, sometimes those ads do peddle something useful, like printer ink cartridge refills, which I regularly purchase. But I suppose to lots of other people, those ads are spam, too.
The Conference on E-mail and Anti-Spam, held in Mountain View, California this week, brought to light some interesting trends in spam and research on where it comes from. According to a report in today’s MIT Technology Review, new research highlights just how spammers get their email address lists in the first place, and how they relay the messages.
According to a paper coming out of Indiana University that was presented at the conference, it is common for spammers to gather email addresses from Web pages, in much the same way that a search engine’s spider works. When you print your email address on the Web, you’re risking spam: automated spam crawlers constantly survey the Web, looking for email addresses, and sooner or later, they will get to yours. The research showed that when you include an email address on a comment board on a web site, there is a high probability of receiving spam. But what about when you register on a web site? It’s very common for a web site to require user registration to gain access, and this is a legitimate way for a site to operate; you’re, in essence, trading your email address for access to information. But the registration process is less likely to result in spam, especially when more legitimate and mainstream sites are conducting the registration.
Is there a way to stop the spam crawler programs? The researchers say yes, and it should be a straightforward process to block them and thereby protect email addresses submitted to a web site from being harvested.
A common technique seen throughout the Internet is to replace the @ symbol with the word “at”, to foil the automated harvesting mechanism. Surprisingly, this very simple technique has proven to be highly effective.
The Indiana University researchers recommended users exercise caution when divulging email addresses–and also noted that spam can arrive very quickly, in many cases, in less than an hour after entering an email address on a web site. The spamming crawlers tended to be fairly aggressive as well, ranging from visiting two times per minute to over 50 times per minute.
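An added example (not from the post or the Indiana University paper): a small Python audit for your own pages that lists every address readable straight from the markup, including `mailto:` links and entity-encoded `@` signs, and then applies the “at” replacement described above. The function names and the sample markup are constructed for illustration.

```python
import html
import re

# Plain address form that automated harvesting looks for: local@domain.tld
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Entity spellings of '@' that still decode to a plain address
AT_ENTITY_RE = re.compile(r"&(?:#64|#x40|commat);", re.IGNORECASE)


def exposed_addresses(page: str) -> list[str]:
    """Return addresses that appear in plain form anywhere in the markup.

    Entities are decoded first, so '&#64;' counts as exposed, and
    mailto: links are caught because the whole source is scanned,
    not only the visible text.
    """
    decoded = html.unescape(page)
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(decoded)})


def obfuscate(page: str) -> str:
    """Replace '@' with ' at ' in every address, as the post describes.

    Entity-encoded '@' signs are normalised first so they are rewritten too.
    """
    normalised = AT_ENTITY_RE.sub("@", page)
    return EMAIL_RE.sub(lambda m: m.group(0).replace("@", " at "), normalised)


# Constructed sample comment-board markup (not data from the study).
SAMPLE = """
<p>Contact me: alice@example.com</p>
<p>Or bob&#64;example.org</p>
<p>Write to carol at example.net</p>
<a href="mailto:dave@example.com">dave at example.com</a>
"""

if __name__ == "__main__":
    print("exposed before:", exposed_addresses(SAMPLE))
    print("exposed after: ", exposed_addresses(obfuscate(SAMPLE)))
```

Note the last sample line: the visible text is already obfuscated, but the `mailto:` link still exposes the address. Rewriting it removes the exposure and also breaks the link, so a link like that has to be dropped rather than kept.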
Microsoft released a security advisory this week about a dangerous vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll), which is used for streaming video. According to the advisory, an attacker who exploits the vulnerability could gain the same rights to an attacked PC as the local user. The code execution takes place remotely in Internet Explorer, and doesn’t require any user intervention. In other words, it’s a “drive-by” attack that injects a Trojan downloader into the victim’s PC. In the advisory, Microsoft said they would release a patch, and provide an automated tool for disabling the ActiveX control. Disabling the ActiveX control manually is a difficult process and requires re-setting several kill bits in the registry. The “FixIt” automated tool is now available here.
This dangerous exploit holds tremendous potential to cause damage on the same scale as Conficker, or perhaps even more. Conficker took advantage of a bug that had already been patched, and captured millions of PCs to create a huge botnet. The exploit is already widely published on several Chinese web sites, and could cause tremendous damage by the time the patch is created and sent through Microsoft’s regular update mechanism.
The ActiveX control can be accessed using Internet Explorer. Several security companies have reported detecting compromised sites that use the exploit.
Systems running Vista or Windows Server 2008 are not vulnerable to the attack, since the ability to pass data within IE in those systems is restricted. Users running IE8, Firefox, or Chrome are also not vulnerable to the attack. Users still running Windows XP or Windows Server 2003 are vulnerable if using IE6 or IE7.
Just about every company has some sort of anti-spam technology in place that filters out suspected spam. The technology is commonplace and inexpensive, and for the most part, effective. But beyond simply putting in some anti-spam software and forgetting about it, there’s really a lot more to spam prevention. Here are the top ten anti-spam tips for businesses:
- Education. This has to be top on the list. Educating users as to what spam is, and what the consequences of it may be will go a long way towards eliminating the hazardous effects of spam if it does get through. Users need to be educated to not click on suspicious links, and to recognize “phish” emails when they appear.
- Avoid overuse of posted email addresses. Sometimes it’s necessary to publish your email address, but be aware that doing so may make you vulnerable to robots that collect them for purposes of spam dissemination. A response form, as opposed to a published email address, may eliminate this problem; a second strategy is to use a separate email address when it’s necessary to post it in public.
The Sydney Morning Herald reported yesterday that a new scam is making the rounds in the land down under. A perpetrator of a phishing scam has created an email scam, claiming to be the Australian Tax Office (ATO). The email promises Aussie taxpayers a $250 bonus with their tax return, and sends them to an online form that asks for their tax information, along with their bank account data.
The web site containing the form then asks the victim to mail a printed copy of the form to an address. The print-and-send is just a ruse, though; the data is actually captured through a hack when the victim presses the “print” button. The email, like many such scams, attempts to create a false sense of security by claiming the print-and-send routine is being done for the victim’s safety.
Officials still have not been able to trace the sender of the fraudulent email, who is using a bot network to send the emails. The ATO recommends that people delete emails like this immediately, and advises that it does not ask people to provide personal information by email. The same holds true for most, if not all, tax collecting agencies in other countries.


