Sue Walsh

King of Infomercial Scams Avoids Jail for Spamming Judge

Written by Sue Walsh on March 12, 2010

Sleazy infomercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in civil court fighting a complaint by the FTC that the advertising for his “natural cures” book is misleading. He was first sued by them in 1998 and banned from making false claims in the future, ordered to pay $500,000 in consumer redress and to pay another $500,000 for a performance bond to ensure compliance. In 2004 he was sued again for ignoring the order and making false claims about a product called Coral Calcium. He was ordered to pay $2 million in fines and damages and banned from doing infomercials except for informational publications like books, provided he makes no misrepresentations. He again ignored the order, which is why he is in court again. Trudeau has long been hawking his natural cures as the answer to everything from obesity to drug addiction.

In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.

New “Chuck Norris” Botnet On The Loose

Written by Sue Walsh on March 11, 2010

Look out Waledac, Zeus and Conficker! Chuck Norris is in town. A new botnet named after the iconic action star is targeting and infecting routers, or as one writer joked, “The Chuck Norris botnet doesn’t infect routers, it stares them down until they infect themselves.” The botnet, first discovered by Czech researchers, looks for badly configured routers and infects them by guessing the default password. It uses the remote access feature to take control.

It takes over MIPS-based devices running Linux by launching a dictionary password-guessing attack, changes the DNS settings of the router, and then redirects the user to a poisoned webpage that downloads even more malware. It also scans the network for other devices to infect. Experts say the botnet has infected machines from South America to Asia. There’s no information on exactly how many machines have been compromised or who is behind it, but like other botnets, its goal is to steal personal information like passwords and bank account numbers. Some researchers say it may also conduct DDoS attacks.

For a botnet named after Chuck Norris (it got the name from a line in its code, “in nome di Chuck Norris”, which means “in the name of Chuck Norris”), the malware it delivers has a surprising weakness. Since it is installed in the router’s RAM, a simple restart will remove it. To protect against it, make sure all routers and modems on your network are not using the default password and that each device has a unique and hard-to-guess one.
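The two things the post tells a network owner to watch for, a router whose DNS settings have been rewritten and a router still on a default or shared admin password, are easy to audit from an inventory. The script below is an added example, not code from the Czech researchers or the original post; the expected resolvers, the list of vendor defaults and the device inventory are all constructed placeholder values.

```python
"""Router hygiene audit.

Flags the conditions the post describes: a router whose configured DNS
servers no longer match the resolvers the network owner expects (the
botnet's DNS rewrite), and a router whose admin password is a vendor
default, too short, or shared with another device.  Added example; the
inventory and default-password list are constructed, not real data.
"""
from collections import Counter

# Hypothetical resolvers the network owner expects every router to use.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Constructed placeholder set of vendor default passwords (not a real list).
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}

# Assumed minimum length for an admin password.
MIN_LENGTH = 12


def audit_router(device, reused):
    """Return a list of findings for one device.

    `reused` is the set of passwords that appear on more than one device.
    """
    findings = []
    name = device["name"]

    # DNS hijack check: any resolver outside the expected set is suspicious.
    rogue = set(device["dns"]) - EXPECTED_DNS
    if rogue:
        findings.append(f"{name}: DNS points at unexpected resolver(s) {sorted(rogue)}")

    # Password checks: vendor default, then length, then reuse across devices.
    pw = device["admin_password"]
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append(f"{name}: admin password is a vendor default")
    elif len(pw) < MIN_LENGTH:
        findings.append(f"{name}: admin password shorter than {MIN_LENGTH} characters")
    if pw in reused:
        findings.append(f"{name}: admin password reused on another device")
    return findings


def audit_inventory(inventory):
    """Audit every device, computing password reuse across the whole set."""
    counts = Counter(d["admin_password"] for d in inventory)
    reused = {pw for pw, n in counts.items() if n > 1}
    findings = []
    for device in inventory:
        findings.extend(audit_router(device, reused))
    return findings


# Constructed sample inventory: one clean device, one with a rewritten DNS
# server and a default password, and two sharing a short password.
SAMPLE_INVENTORY = [
    {"name": "office-gw", "dns": ["192.0.2.53", "192.0.2.54"], "admin_password": "Xk9!vR2#mQ7pLz"},
    {"name": "branch-gw", "dns": ["192.0.2.53", "203.0.113.9"], "admin_password": "admin"},
    {"name": "guest-ap", "dns": ["192.0.2.53"], "admin_password": "Summer2010"},
    {"name": "lab-ap", "dns": ["192.0.2.54"], "admin_password": "Summer2010"},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample inventory, the clean gateway produces nothing while the other three devices produce six findings between them; in a real deployment the inventory would be pulled from the devices themselves and the expected resolvers taken from the network's own configuration.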

Microsoft Slays Waledac

Written by Sue Walsh on March 9, 2010

Microsoft notched an important legal victory this past week. A court awarded them a restraining order that has effectively cut Waledac off at the knees. The decision was the result of a lawsuit filed on February 22nd and will result in traffic being cut off to 277 domains that hold the command and control servers that run the botnet. All of the domains are located in China and will be blacklisted by VeriSign. Without its command and control servers Waledac is essentially dead because its millions of zombies can’t contact home for instructions.

According to Microsoft, Waledac is one of the 10 largest botnets in the world and responsible for most of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knockoffs. They had this to say about Waledac on their blog:

Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

While Microsoft claims victory, it’s more than likely short-lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it every day.

Bank/Customer Lawsuits Over Phishing Scams Rising

Written by Sue Walsh on March 8, 2010

Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund the remaining $200,000, PlainsCapital slapped them with a lawsuit. The suit asks that the court certify the bank’s security procedures as reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.

In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well-worn trick used by phishers, and the company says that by doing so the bank made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.

In response the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore, they said, the phishing site would have been obviously fake “to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” Ouch. Basically they are insisting it’s not their fault that the employee was careless enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has since switched to a different system. The employee apparently trusted that the phishing email was real because of the previous, genuine one.) What do you think? When a phishing attack happens, who should be held responsible, the victim or the bank?

3000 Credit Cards Compromised in Data Breach

Written by Sue Walsh on March 5, 2010

3000 credit card numbers belonging to customers of electronics retailer Small Dog Electronics have been compromised in a data breach. The breach left the sensitive data exposed for almost a month between late December and late January. The company claims it is PCI compliant and that it was subjected to a penetration test. They are now pursuing the issue with that tester. The CEO, Don Mayer, said the security flaw has been fixed but had no other details, admitting he did not even know what language their ecommerce system was written in.

“I’m very proud of our staff in terms of their reaction. We have dealt with this very responsibly, and notified customers immediately of the breach,” Mayer added. “We are doing everything in our power to reclaim our customers’ trust and provide the credit monitoring services that are necessary.”

Small Dog’s customers appear to be less satisfied with the company’s response, claiming the letters sent explaining the incident offer no compensation or credit protection and that although the company will provide the service if asked, many don’t realize they can ask.

Should a company offer credit protection in the event of a data theft? I believe so. It’s an important step in keeping your existing customers’ trust and gaining that of potential new customers. Data breaches are a growing threat. Last year the average total cost of a data breach was $6.75 million, for an average of $204 per compromised record. Security experts say there are three main causes of data breaches: system glitches, which account for 36%; malicious attacks, which account for 24%; and the most common cause, negligence or simple human error, which accounts for a whopping 40% of all data breaches.

Military Personnel Targeted by Zeus

Written by Sue Walsh on March 2, 2010

A new phishing attack launched by Zeus has taken aim at military personnel and intelligence officials in several countries including the US. The spammers behind the attack exploited a trusted security firm and sent fake messages pretending to be from the firm. Using social engineering tricks, they sent messages to the same people their earlier phishing attack had targeted. The messages acknowledged the attack and asked them to download a zip file that claimed to be a security patch that would fix the vulnerability that allowed the earlier attack. The file has just a 35% anti-virus detection rate.

Unlike most phishing attacks, which tend to target banks and other financial firms with the goal of monetary gain, this attack is much more worrisome. While the kind of information that could be stolen in such an attack could be sold for huge sums on the black market, the other implications are far more serious. Should a hacker gain access to a military or intelligence computer there is no telling what kind of havoc they could wreak. It could result in a national security crisis. This should be of particular concern to the US government, which has come under fire in recent months for its poor cyber security practices. Last week, the Bipartisan Policy Center hosted a simulation of a cyber attack on the US and the government failed miserably. Security experts say the government is woefully unprepared for a cyber attack and that it’s no longer a question of if one will occur, but when.

Nearly 2,500 Companies Hacked in Ongoing Cyberattack

Written by Sue Walsh on March 1, 2010

A widespread cyber attack that started 18 months ago has affected nearly 2,500 businesses and government agencies. Led by a Zeus variant, it infiltrates corporate and government networks and steals passwords, logon credentials, banking info and other confidential data.

The Zeus botnet has over 74,000 infected PCs under its control and is using them to carry out the attack. 10 federal agencies are among the victims and there is no telling just how much sensitive data the hackers have stolen. Security firm NetWitness did manage to intercept 75GB of stolen data, but there is likely much more out there.

“The botnet is still active and still actively being managed by the organized criminal activity behind it,” NetWitness CTO Tim Belcher told The Register. “Over the last month, we’ve seen it retask its (victim) members half a dozen times looking for different types of information.”

In a surprising twist, the firm discovered that the affected PCs were also infected with Waledac. This could mean there are two cybergangs working together, or merely that a solitary gang is using more than one strain of malware to avoid detection.

Among the organizations attacked are Merck, Paramount Pictures, and Cardinal Health. All in all organizations in 196 countries around the world have been attacked. Rumors are swirling that even the Pentagon was hit, but they are declining to confirm any such breach.

Disturbed Spammer Targets Law Firm

Written by Sue Walsh on February 26, 2010

A San Francisco law firm has found itself the target of a disturbed spammer. A woman named Leslie Brodie has been spamming a “petition” to law firms and law students across the country. The petition claims to be part of a campaign to “End racism/sexism in U.S. law firms” and slams the small firm of Kerr & Wagstaffe and partner James Wagstaffe, who also teaches at UC Hastings Law. Brodie’s spam claims the firm favors white males for lawyers and partners and attractive white females for associates.

When a Berkeley law student received the spam and demanded to be removed, citing the CAN-SPAM Act, Brodie sent off a rant to the school’s dean claiming free speech and that she was being harassed, and also that the CAN-SPAM Act did not apply to her because she was not selling anything. She also threw in some racist slurs for good measure.

Also, the CAN-SPAM Act of 2003 (the “ACT”) applies only to emails which are commercial in nature. It is obvious that the email which was sent was not intended to sell any goods or services, but rather was political in nature. As such, Ms. PERFECTLY-REASONABLE-BOALTIE also misrepresented the content of the ACT in order to trick and deceive me as to the state of the law in order for the unsolicited email to stop. This attempt to mislead and trick an opponent as to the content of the law is a very serious misconduct which also reflects negatively on her moral character.

Please instruct your students/faculty/staff at Boalt Hall to refrain from making any more threats concerning unsolicited emails which they receive via the U.C. email system. That system does not belong to them, but to the People of the State of California.

She then turned around and spammed her rant to even more firms, law schools and legal blogs. What makes the whole campaign even more bizarre is Brodie’s reason for launching the spam attack: she received a bad grade in James Wagstaffe’s CivPro class. That’s right. It’s all because of a bad grade! Unbelievable. Not only that, but her identity is shrouded in mystery. UC Hastings has no record of a law student by that name, nor does the California State Bar.

This case is a good reminder that it isn’t just hackers and scammers that spam. Sometimes disgruntled employees, customers, or vendors will launch a vindictive spam campaign like Brodie did. Has this ever happened to your company? Let us know!

Hackers Pumping Out Olympics Spam

Written by Sue Walsh on February 23, 2010

It comes as no surprise that scammers have been quick to exploit the 2010 Winter Olympic Games for their own benefit. Spam claiming to have exclusive videos of events like the tragic death of Georgian luger Nodar Kumaritashvili has been spreading. The links lead to malicious sites pushing fake anti-virus software or dropping Trojans.

In addition, scammers have set up a fake Twitter account that sends out tweets disguised to look like Olympic updates. The URL has a subtle typo but at first glance looks like the official Olympics site, Vancouver2010.com. When users visit the site they are prompted to download a codec or Flash update. The fake update is actually a Trojan.
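A subtle typo in a hostname is exactly the kind of thing a mail or proxy filter can catch by measuring how far a domain is from the ones a user is expected to visit. The script below is an added example, not code from Zscaler or the original post; the allowlist of legitimate domains (the official site named in the post plus a placeholder) and the sample URLs are constructed.

```python
"""Lookalike-domain check.

Extracts the registrable domain from a URL and flags it when it is within a
small edit distance of a known legitimate domain, after folding common
look-alike characters (0 for o, rn for m, and so on).  Added example; the
legitimate-domain list and sample URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the official site the post names plus a placeholder.
LEGIT_DOMAINS = {"vancouver2010.com", "example.org"}

# Characters attackers commonly swap for visually similar ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(url):
    """Lower-case registrable domain of a URL (scheme optional).

    Assumption: a two-label registrable domain; production code would
    consult a public-suffix list to handle names like example.co.uk.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify(url, max_distance=2):
    """Return ("legitimate" | "lookalike" | "unrelated", matched domain, distance)."""
    dom = registered_domain(url)
    if dom in LEGIT_DOMAINS:
        return ("legitimate", dom, 0)

    # Fold confusable characters so "exarnple.org" compares as "example.org".
    folded = dom.translate(CONFUSABLES).replace("rn", "m")
    best = None
    for legit in LEGIT_DOMAINS:
        d = min(levenshtein(dom, legit), levenshtein(folded, legit))
        if best is None or d < best[0]:
            best = (d, legit)
    if best is not None and best[0] <= max_distance:
        return ("lookalike", best[1], best[0])
    return ("unrelated", None, None)


if __name__ == "__main__":
    # Constructed sample URLs: the real site, two typos, a confusable swap, and an unrelated name.
    for u in ["http://www.vancouver2010.com/schedule", "vancouver2010.co",
              "vancovuer2010.com", "https://exarnple.org/login", "olympics-news.net"]:
        print(u, "->", classify(u))
```

A distance of 0 on a "lookalike" verdict means the name only matched after confusable folding, which is worth surfacing separately in a real filter since it is the hardest kind of typo for a reader to spot.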

“Given the popularity of the Winter Olympics, it is not surprising that attackers are taking advantage of the event to spread malware,” said Michael Sutton, vice president of research at Zscaler. “Given the authentic nature of the attack site, lack of anti-virus signatures, use of Twitter to advertise the campaign and timing of the attack, it is reasonable to assume that it will succeed.”

Other Olympic-themed spam campaigns include messages offering travel tips for those going to Vancouver or offering bus tickets and transit passes. Scammers have also used black hat SEO techniques to poison search results for top Olympic athletes like Bode Miller, Sasha Cohen, and Jennifer Rodriguez.

Hacker Gets 13 Years in Prison

Written by Sue Walsh on February 22, 2010

A notorious hacker who ran an underground site that was a popular hangout spot for hackers, carders, scammers, spammers, and other cybercriminals was slammed with a 13-year prison sentence for his part in a series of credit card scams that cost the US $86 million.

Max Ray Vision was also ordered to pay over $27 million in restitution. He ran CardersMarket, a forum where cybercriminals bought and sold malware and stolen card numbers, swapped war stories and socialized. His crimes, which included harvesting stolen banking and credit card information, came to a halt after the Secret Service infiltrated the site. When arrested he had nearly 2 million stolen credit card numbers in his possession.

Vision was facing a life sentence, but it was reduced due to his cooperation with authorities. It won’t be his first time behind bars: in 2001 he spent 18 months in jail for participating in a scripting attack against the Pentagon.