What we need is an Internet standard that allows this level of protection to work at scale – without any discussion, without any partner agreements,” said Brett McDowell, a security manager at PayPal who serves as chairman of the group. “That is what DMARC does.”

Setting industry standards is an important step, but still more important is getting the corporate world to adopt them. There will probably be some protesting and the inevitable excuses such as “I don’t have the time to implement them/train my IT department” and the most popular excuse “cost too much in time/productivity/money”. It may take some time to get most businesses aboard, but I think once they are, it will make a dramatic difference in the amount of spam and phishing attacks sent from corporate addresses or exploting popular brands.

What do you think? Will your company adopted the new standards? If not, why?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Banks and Top Websites Develop New Spam Fighting Techniques

1. Bad Subject Lines
Most spam filters are programmed to look for words like “free”, “sale”, “deal” and “discount” in subject lines. Since spammers love to use such words in an attempt to lure people into reading their messages, more often than not, legit emails with those words in the subject line will end up flagged as spam. It’s also important to check and double check before you hit send. I’ve received marketing emails with blank subject lines or “Type Headline Here” as the subject, indicating the person in charge of sending the marketing blast was either careless or inexperienced. Not only does this make your company look very unprofessional, but it can get your messages flagged as spam.

2. Careless Use of the CC Feature
You should never send emails to a large group using CC. This not only exposes your customer’s email addresses, but if one of them decides to respond and chooses to hit the ‘reply all’, it will end up causing an unintentional spam loop and a lot of unhappy customers. Emails with huge CC lists are also a common feature of spam generated via dictionary attacks. Use BCC or a mailing list manager like Constant Contact.

3. Sending Attachments
There should never ever be a reason for you to send your customers attachments, but I’ve gotten a couple of marketing emails with them. It was almost always caused by a poorly formatted HTML message which included the graphics as attachments. A big no-no!

4. Bad IPs
It’s important to check your IP addresses regularly to make sure they haven’t been placed on blacklist. False positives aren’t uncommon and it’s also possible to have your server compromised without knowing it. Email sent from a blacklisted IP will never make it to any recipient whose IP subscribes to that blacklist.

5. Buried Unsubscribe Instructions
There will always be people who subscribed and then changed their minds, and many will become easily frustrated and simply report your newsletter as spam instead of doing the right thing. Don’t rely on a tiny link buried at the end of the email. Make sure your unsubscribe link is easy to find.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Tips to Keep Your Emails Out Spam and Junk Folders

Along with a new year, January brought with it a new wave of spam campaigns, most ofthem malicious in nature. Here’s a look at some of the top headlines for the month:

Nokia Fined For Spamming Their Customers:

http://arstechnica.com/gadgets/news/2012/01/nokia-fined-in-australia-for-spam-texting-its-own-customers.ars

Top 9 Domains Used to Send Spam:

http://betanews.com/2012/01/25/what-are-the-top-domains-used-for-spam/

New Wave of Spam Infects Just By Opening Email:

http://www.darkreading.com/security/attacks-breaches/232500660/new-drive-by-spam-infects-those-who-open-email-no-attachment-needed.html

Global Spam Levels Drop, Malware Rises:

http://www.zdnet.com/blog/btl/global-spam-declines-as-malware-encounters-pick-up-report/67858

Man Accused of Running the Kelihos Botnet Says He’s Innocent:

http://www.computerworld.com/s/article/9223820/Accused_Kelihos_botmaster_proclaims_innocence

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

January Spam Roundup

Naturally, such tools would be very useful for IT departments and system administrators to educate employees on how to spot phishing scams. Employees falling for such scams are a leading cause of corporate data breaches, and such breaches can cost a company millions.

“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner?’” said Will, one of the Toolkit’s co-developers. “It seems like in every organisation there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”

While it appears the developers had honest intentions when they created the toolkit, the fact remains it could be pretty attractive to the bad guys and they have no way of controlling that. Right now it doesn’t record any data typed into the fake phishing sites it generates, but they said future versions of the kit will have that functionality. That may make it irresistible to scammers looking for a way to create phishing campaigns that’s fast and won’t eat into any profits.

What do you think? Are these toolkits helpful or just asking for trouble?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Go Phish Yourself?

The first one is a new incarnation of an old scam. Emails that look like they’ve come from your friends arrive with an urgent message about them being on a trip to a far flung place such as Madagascar, London, or Berlin and needing help. You see, they were mugged/assaulted and all of their money and documents were stolen, and they really need to go home but there’s the matter of their hotel bill. The messages generally ask for about $1600 to be sent via Western Union. Of course it’s just a variation of a 419 scam. If you get one, no matter how convincing it sounds, try contacting your friend first. In 99.9% of cases you’ll find they are safe and sound at home.

Next is the Better Business Bureau, who has joined the ranks of the brandjacked as new spam messages claiming to be from them are making the rounds. The messages tell the recipient that a complaint has been filed against them and urges them to click the included link to read it and respond. Anyone who does so is taken to a malicious site that attempts to infect their computer with the infamous Zeus Trojan. Zeus, distributes by a botnet with the same name, installs a keylogger and several other nasty bits on to the infected system and steals banking info and other sensitive data.

Finally, popular companies such as Facebook, American Airlines, Paypal, and several major banks are also being brandjacked by scammers. In some cases the phishing messages are receipts for fake purchases or reservations and in others, fake message or fraud notifications. In almost all cases, the attachments and links in the messages deliver malware. It looks like the spammers are hard at work building up their botnets!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Several New Phishing Campaigns Going Strong

A new spam campaign is brand jacking popular social networking site LinkedIn to spreadlinks leading to shady domains. The emails, which look like notifications from the site telling the recipient they have a message waiting, contain links that allegedly lead to the messages. Instead they take the recipient to a pharmaceutical site offering fake prescription drugs and male enhancement products.

Spam involving these sites is nothing new. Even though the infamous Canadian Pharmacy ring was severely incapacitated when first Spamit and then Rustock went down in 2010, it hasn’t stopped spammers from trying to cash in on these fake pharmacies. While some actually sell drugs, they are almost always fakes made in India. Since these copycat drugs are made with absolutely no regulations or oversights, the FDA issued a warning to consumers to avoid ordering from these types of sites. There are also variants of these sites that are little more than fronts for phishing operations (people place their orders but never get anything and their CC info is stolen) or attempt to deliver malware.

While like most phishing emails, hovering your cursor over the URL will reveal that the link is fake, there are still people who see the LinkedIn branding and click, thinking it’s legit. What’s more unbelievable is that some of those people will actually stay on the site and buy something.  As long as these tactics work, spammers and phishers will keep using them.

Have you ever fallen for a phishing email? Even if you only clicked on the link, it counts. Share your story with us!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Fake LinkedIn Emails Delivering Spam

Early Monday morning I received an email from Zappos, the popular online retailer.  Theemail informed me that they had been hacked and my personal info, along with that of 24 million other customers, had been compromised:

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

While it’s great that actual credit card numbers weren’t taken, the info that was leaves me and my fellow Zappos customers open to spammers and spear phishing attacks. It’s likely the hackers now know at least some of our buying history and can use that info to create very targeted campaigns, not to mention if they are able to decrypt the passwords they took before the account owner follows the company’s directions and changes it, theoretically they could access that account and go on a buying spree.

There are a couple of things to be learned from this and other recent breaches. Change the passwords you use regularly, and avoid using the same password and username on multiple sites. The hackers behind the Zappos breach will likely be able to find their way into other accounts because so many people use the same password over and over at different sites. If you’re a Zappo’s customer, change all your passwords and keep a close eye on your accounts, especially your financial ones.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zappos Data Breach Could Result in New Phishing Attacks

An open redirect vulnerability has been found on both Facebook and Google. This could easily be used to redirect users to a phishing page or a malicious domain. In a phishing attack, users wouldn’t even realize they’d been redirect, they’d just think their log in didn’t work the first time. This could potentially give scammers access to thousands of Facebook and Google accounts, and since many people have Gmail accounts linked to their Google accounts, access to those as well. A spammer’s paradise. Here’s a look at how it works:

Google

The Google vulnerability is located at the follwing URL:

https://accounts.google.com/o/oauth2/auth?redirect_uri=<malicious redirect>

If I’m not mistaken, I believe that this is actually a flaw inside of the Google API for 3rd party applications, because it is contained under the oauth directory. Oauth is what is used to make a secure link to an online account via a web API without the user compromising their password to an untrusted application.

Facebook

The Facebook vulnerability is located at the following URL:

http://www.facebook.com/l.php?h=5AQH8ROsPAQEOTSTw7sgoW1LhviRUBr6iFCcj4C8YmUcC8A&u=<malicious redirect>

In order to test both of these vulnerabilities, I recommend using the Facebook phishing tutorial found at Null Byte. However, when our web page is done, the link to our URL should be appended after the equal sign where it says “malicious redirect”. After you have crafted your URL, click it and see if you go through to your phishing page. If you did, pat yourself on the back and go mess with some of your friends.

What’s truly outrageous about this is that when notified about this, both Facebook and Google ignored the issue completely. Now as far as Facebook is concerned, this doesn’t surprise me. Anyone who has ever had a problem with the site and needed to contact them knows it’s next to impossible. Unlike most sites, they have no customer service or tech support email or phone number, no online chat or webform – nothing! Instead they offer a help center which really isn’t all that helpful, and a ‘Known Issues’ page where any and all user posts are ignored. So yeah, I can see how Facebook could ignore this.  I am surprised Google is though. They’ve always seemed more user friendly to me.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Security Vulnerability Found in Facebook and Google – A Spammer’s Paradise

“We regret and apologize for the problems that were created,” Assistant Director Don Reuter said Thursday. “We were wanting to wish people a pleasant time, and we created some aggravation. That’s unfortunate.”

The department immediately disabled the reply all function when they realized what had happened, and says they will not send any more emails until they are sure their employees know how to make sure the ‘reply all’ function stays off.

This is a fairly common blunder for businesses and institutions to make, and it depends on user ignorance to really get going. A mass email is sent out without the ‘reply all’ disabled, and sure enough there is always someone who will immediately respond with a demand to be removed from the list. Those who get the demand will reply demanding to know why they received the demand, and it just snowballs from there. Soon an email loop will have formed with people replying to replies wondering why people won’t stop replying. It can get very ugly. If you decide to do any mass emailing, make sure you know exactly how your mailing program works and that it is configured properly. Check twice and then check again!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

North Carolina Parks Department Blunder Results in Spam

They would send their victims text messages informing them they had won a lottery or that they had been named in a will and had inherited a large sum of money:

 ”In the lottery scam, the victim receives a message stating that he has been randomly picked up in a lottery system of a multi-national corporate company, in which, he won one million pounds and then victim’s email ID is sought.

When the victim replies, he would be sent an e-mail, stating that he should appoint a UK-based lawyer to represent him to complete the process. The accused provide lawyers’ names and takes Rs 50,000 to Rs 75,000,” the IPS officer said adding that a fake Coca Cola company’s letter-head, mentioning the prize money, was recovered from them.

For tax payments in the UK, they further seek Rs 1.5 lakh. Once the payments are made, they say the cash has arrived in India and the victim should pay to RBI and Customs Department for clearance of the money. In this way, the victim shells out at least four to five lakh (rupees) over a period of time.”

The men are being held in Mumbai. The 419 scam has been around forever and while you would think most Internet users would have heard of it by now and wouldn’t be fooled, many countries in which Internet access was a luxury reserved for the very rich are now seeing it opened up to the masses as it becomes more and more affordable. This means millions of new users, and that’s what scammers are counting on and what is likely to be the reason this ring focused on users in India. It will probably be a very long time before the 419 scam wears out its welcome.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

International Phishing Ring Busted

1. Thou shall not click without thinking.
This is especially important for your social media accounts. Spammers count on the trust between friends established on these sites. For example, right now a new spam campaign is hitting Facebook. Your newsfeed will show that a friend of yours liked a link that appears to lead to a funny commercial. If you click on it, you’ll be taken to a site that says it won’t let you view the video unless you take a survey. The spammers are counting on people to give in and do so because they get paid for each survey taken. To keep the spam going, as soon as you click on the link, it posts itself on your newsfeed in hopes that you friends will do the same thing.

2. Thou shall use a throwaway email address.
This type of address, which can be obtained from a service specializing in such, or you can just create one with Hotmail or Yahoo. Use this address when shopping online or registering with websites. That way, any spam that gets generated stays out of your main inbox and the account can simply be abandoned if the spam gets too large.

3. Thou shall not respond to spam in any way.
Responding to spam, whether to tell the spammer off or because you think clicking the unsubscribe link actually works, is almost always a waste of time. At best, you’ll simply be ignored or your rant will either bounce back because the address used was fake, or be sent to an innocent person whose address was spoofed or hijacked to send the spam. At worst, you’ll be letting the spammer know that your address is active and responsive to spam.

4. Thou shall keep thy anti-virus software up to date.
Most good ones include email scanning, which block and clean any malicious attachments that may wind up in your inbox.

5. Thou shall make use of thy ISP’s abuse address and/or “mark as spam” button.
It’s important to report the spam you do get to your ISP. This helps them fine tune their spam filter and blacklists and make them more effective.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 5 Anti-Spam Commandments

1. Create new botnets and find new ways to increase and strengthen existing ones.
2011 saw the takedown of several major botnets as Microsoft teamed up with the FBI and went on the warpath, determined to crack down on spam.

2. Find new ways to exploit social media for gain and profit.
With Facebook still refusing to vet apps before letting them be released on the site, the possibilities for rogue apps are endless.

3. Work on new Black Hat SEO techniques.
Thanks to Google’s new Panda algorithm, which has put many so-called “content mills” out of business and made traditional search engine spam techniques such as blog scraping and splogs useless, spammers will need to come up with new ways to exploit Google’s search engine results.

4. Continue to refine spear phishing techniques.
Spammers have found that targeted attacks are more effective than the traditional phishing techniques that used a large and random group of addresses. They’ve also been finding new ways to make their fake phishing sites look more and more legit.

5. Continue to look for more loopholes and security vulnerabilities to exploit. This includes finding new ways to crack anti-spam tools like CAPTCHA and ways to hijack social media accounts and websites.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 New Year’s Resolutions For Spammers

A new spam campaign is using fake pizza order confirmations to distribute malware. The message informs the recipient that their order has been received and gives them the option to either pay for it, to the tune of $100 or so, or to cancel it by clicking the provided “Cancel Order Now” button. The scammers are hoping the recipients will panic and click the cancel button. Doing so will lead them to one of several infected websites that will attempt to download malware onto their computer.

The site first uses a script to determine exactly what OS the visitor is running and then downloads the appropriate variant of malware. It recognizes Windows, Mac, iOS for the iPad, iPod Touch, and iPhone, Windows Mobile, WinCE, and more. It also checks to see what browser they have and if they have Flash, Adobe Acrobat, and Javascript. Presumably it is looking for specific programs in order to exploit any security vulnerabilities they may contain.

It’s not yet clear what happens if a recipient actually chooses to pay the bill. Will the scammers get some free money or does the link lead to same malicious website the order cancelation button does?

The scammers do try to keep the messages fresh, using different pizzas and items in the orders and using different restaurant names. However, it’s pretty easy to spot these scam emails. They won’t be addressed to you by name, and most pizza places require payment right away unless you chose to pay in cash. Plus, the pizzerias the fake confirmations come from are fake themselves.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Pizza Spam Delivers Malware

1. Navy Researchers Develop New Spam Detection Technique

2. Spam Levels Hit Three Year Low

3. Malicious Spam Campaign Exploits Kim-Jong-il’s Death

4. Fake Reports of Hugo Chavez’s Death Involved in New Spam Campaign

5. Canadian Anti-Spam Law Creates Uproar

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 5 Spam News for December

A new spam campaign has been detected and it’s using Google Docs as part of its scheme. That spammers are exploiting Google Docs is nothing new, but in the past, they spammed by using the share feature to send spam filled docs. In this new campaign, they use email instead. The emails contain a link to a Google Doc that is filled with spam hawking fake degrees for sale. It’s not clear who is behind this new campaign but whoever it is, he/she is clearly experienced enough to have been able to get around Gmail’s spam filter.

While overall spam volumes have dropped, new spam campaigns are still being unleashed. One that landed in my inbox a few days ago had the subject line “Woow!” and a link that said “Click here to see attached photos”.  When I hovered my cursor over the link, the underlying URL was gibberish but did have my email address embedded in it. A little more research revealed the URL led to a fake Windows Live login page. Yep, it’s a phishing attack. It looks like the attacker is hoping to collect lots of Windows Live login credentials for some sort of future attack, or maybe to sell to another cybercriminal. The email came from my aunt’s Hotmail account, so it looks like the attacker has already managed to hijack some accounts and is using them to keep the attack going.

It’s relatively easy to spot a phishing attack. Just hover your cursor over an URL in an email and the real address will show in the info bar. There are other red flags as well. If a company you do business with emails you, they will always address you by your name or screen name, never as “Dear User” or “Dear Customer”.  Also, no legit company will email you and ask for personal info such as your password or credit card number.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Spam Campaign Uses Google Docs

New statistics on spam have revealed that India has shot ahead of the United States and South Korea to claim the title of biggest spam producer in the world. 12% of the spam in the world comes from India. This is largely because India is a popular home for botnets and the amount of botnets whose origins lead to India is increasing.

In a written reply in the Lok Sabha, the Minister of State for Communications and IT, Mr Sachin Pilot, said that Indian Computer Emergency Response Team in co-ordination with the industry and service providers is working towards disablement of ‘spam bots’ located in India to curb spam sources.

India is also home to a thriving economy based on human CAPTCHA solving. These companies cater to spammers, who are happy to pay them to solve CAPTCHAs by the thousands. This allows them to set up email accounts on services like Gmail and Yahoo to pump out spam from and blogs on services like Blogger for distributing email and conducting Adsense and affiliate fraud.

Computers and the internet are increasingly affordable in India, and the number of internet users there have skyrocketed to over 110 million.

In better news, the United States, once one of the top three spam producers in the world, has dropped out of the top 10 altogether. This is attributed to the efforts Microsoft and the FBI have made over the past year to crack down on spammers and take down several major botnets. This is also credited for bringing the global spam volume down to 75% of all email sent.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

India: King of Spam?

A new study reveals that spam email volume has plummeted to levels not seen since 2008. Spam now accounts for 70% of global email volume, down from a high of 90% and very close to the levels seen after the shady ISP McColo was shut down three years ago. The drop in the levels is attributed to the fact that spammers have moved to more targeted attacks for their spam, malware, and phishing attacks, rather than the massive blasts to random addresses they have traditionally favored. Spam filters are also becoming more and more effective and users more educated.

I think social networking has also contributed to the drop. People just don’t rely on email quite like they used to. Instead they hop on Facebook or Twitter and send a message. Spammers will always go where the biggest audiences are and that means the social networks. Not only do sites like Facebook offer enormous traffic, they also offer something else spammers covet-trust. A spam link on Facebook or Twitter is much more likely to be clicked since it will look like it was posted by a friend and people naturally trust their friends. It’s this built in trust that makes spam so rampant on these sites. It’s hard for people to break the habit of clicking on their friend’s links.

Another feature that spammers love is Facebook’s refusal to vet third party apps. Unlike Apple’s App Store, which has a strict approval process, developers must navigate in order to have their apps made available for downloading, Facebook lets anyone post any app they want. This means rogue apps aplenty. They will respond to user reports and shut down such apps, but it would be better if Facebook had a system in place to prevent them from being posted in the first place.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Levels Plummet to 2008 Levels

A judge awarded Yahoo! over $600 million in damages in the conclusion of a lawsuit filed in 2008. In the suit, the company claimed the unnamed spammers infringed on their trademarks and harmed the brand by using them in a campaign of messages claiming the recipient had won a lottery sponsored by them. The lottery was fictitious and the emails where actually an attempt to cash in on the famous Nigerian or 419 scam. The recipient is told they have won millions in a foreign or online lottery. If they respond, they are told they must pay certain fees before their winnings are handed over. If they pay, they are simply told there are still more fees. This goes on until the victim gets fed up or goes broke.  These types of messages may also act as phishing bait, luring the recipient to go to a site and log in so that their personal details can be stolen. Yahoo! says the spammers sent over 11 million fake lottery emails between 2006 and 2009.

The judge awarded Yahoo! $27 million in damages for trademark infringement and $583 million in damages for CAN-SPAM violations. However, they aren’t dancing to the bank. Not surprisingly, the spammers ignored the lawsuit completely and never showed up in court. It’s believed they may be located in Thailand, Nigeria and Taiwan, making it next to impossible for Yahoo! to actually collect on their judgments.

How do you feel about companies suing spammers? Is it a waste of time and money since the chances of getting any judgments awarded are slim to none? Or do you think they server as an effective deterrent?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Yahoo! Awarded Millions in Spam Case

While it’s despicable for a spammer to take over anyone’s account, and I can understand why Paula Chase’s family is upset, the situation does raise some questions. Why didn’t they close her account when she died? Many of my friends have a list of their online accounts and passwords stored with their wills, and I think this is an excellent idea. Another question I have is why didn’t they simply block their mother’s email address? Rather than let the spammer “torment” them, blocking her address might have saved a lot of stress.

This story illustrates the importance of making sure your online accounts are taken care of if something happens to you.  For example, Facebook will turn your account in a memorial page -all your loved ones have to do is contact them and request it.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Family Tormented By Spam From Dead Relative’s Account

Recently researchers have detected a variety of new spam campaigns coming from Cutwail. Among them are phishing attacks disguised as fake Facebook friend requests (if the user clicks on the embedded link to accept the request, they are brought to a fake Facebook login page and their details stolen), and malware laden ACH transfer cancellations and order confirmations for airline ticket reservations. These attacks are meant to alarm recipients and/or peak their curiosity and click on the provided links, which lead to malicious websites that attempt to download Trojans that add the victim’s computer to the botnet.

Currently the sites the malicious spam messages point to are hosting SpyEye, a dangerous type of malware designed to steal login credentials and other personal information such as banking info and launch transactions with that info. Bobax is a Trojan that sends information about the computers it infects to its command and control servers, scans the computer’s data for email addresses to harvest, and uses the infected system to pump out spam.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Cutwail Botnet Still Going Strong