Here’s a look at the Zeus botnet’s top spam campaigns:

1. An unauthorized transaction billed to your bank account- Although most people should know that if their bank spots a fraudulent transaction they will call you or send you a letter - not email you, this subject line is alarming enough to get some people to open it and wind up getting phished or infected with malware.
2. DHL Tracking number #######- This is one of the oldest campaigns. A variation uses UPS instead of DHL, but in both cases the included attachment has a hidden executable that contains malware.
3. FDIC has officially named your bank failed bank- An obvious attempt to exploit the economic crisis. Too bad the horrible grammar gives it away.
4. Hello- This is why it’s often advised not to send emails this way. Many spam filters flag messages with “Hello” or “Hi” as the subject because of campaigns like this.
5. Notice of Underreported Incomeir- The glaring misspelling gives this away as spam right away.
6. Review your annual Social Security statement- This has been around for a while as well. The scammers are hoping there are still folks out there who don’t know that the SSA sends out your statement via postal mail about 6 months before your birthday each year.
7. Welcome to Friendster- An obvious attempt to exploit a brand. Unfortunately for them Friendster isn’t quite as popular as it used to be.
8. You have received a file from (email) via YouSendIt.- This campaign is banking on people’s natural curiosity to be peaked enough to open it.
9. Your Flight Ticket #####- Delta was one of the more recent airlines to be exploited by this campaign. The scammers are hoping that when someone gets the fake ticket and cheery note informing them that their credit card has been charged over $800 that they’ll be upset enough to not think first and open the attached paperwork, which delivers a Trojan.
10. Your Order with Amazon.com- This is a blatant phishing campaign. Every link in the fake notification leads to a fake Amazon login page. It’s pretty easy to spot though because the total amount due, which is listed twice, is always two different amounts and there is plenty of broken English as well.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 10 Zeus Campaigns

You might have been considering implementing a hosted spam filtering solution such as GFI’s Max MailEdge service, but are unclear as to how it works, and what reprecussions it might have on your existing IT infrastructure.

Simply put, the majority of hosted or cloud-based spam filtering works by redirecting incoming e-mails directly to the appointed service provider instead.  This is achieved by appropriately modifying the IP address listed under the MX configuration of the company’s domain. As a result, e-mails that come in are forwarded to the service provider’s servers first, before being rerouted to the “real” e-mail server.

Today, I’ve listed some important factors of a hosted spam filtering deployment that the technical manager will be interested in.

Freedom from the burden of processing spam

One of the key advantages of using a hosted provider to tackle spam is how it allows businesses to offload the computational and storage demands of eliminating spam to a service provider.  Unlike the hard to predict costs of operating and maintaining servers over any length of time, hosted spam filtering providers charge a fixed rate per protected mailbox, which serves to eliminate hidden or unanticipated costs.  Ultimately, this allows businesses to better track and budget for the cost of properly equipping each employee in the company.

Bandwidth and DDOS protection

One facet that is usually missed out in a hosted spam filtering deployment is the greatly reduced bandwidth required for the e-mail server.  Assuming the company e-mail server is hosted in a data centre, this translates into direct savings on the billable bandwidth since only e-mails that have been cleaned are forwarded to the mail server.  This reduction in network traffic is true even in servers deployed on the local area network and which will be evidenced by faster Internet connectivity in the office.

In addition, the use of a hosted spam filtering service also grants an implicit defence against denial of service attacks that are propagated against the e-mail domain.  Obviously, this does not stop a malicious hacker or entity from directly targeting your e-mail server’s IP address.  It does however form an additional layer of defence against DDOS, and should be more than adequate against casual or widely targeted spamming.

Platform Neutrality

One of the greatest advantages of a hosted spam filtering service is its platform neutral nature. All messaging systems are supported by default, ranging from Microsoft Exchange, Lotus Notes, to standard POP or IMAP servers.  This includes more sophisticated deployments involving BES implementations of BlackBerry smartphones or Exchange Sync clients like the iPhone.

The only real prerequisite to use hosted spam filtering is that the protected e-mail address must belong to a company-owned and managed domain, in order to allow the MX configuration to be modified accordingly.  E-mails flowing in will be automatically forwarded to the service provider, which will eventually route processed e-mails back to the correct e-mail server.

Ease of deployment

All it takes is a signed service contract and the appropriate modification of MX records to enable hosted spam filtering, making it a trivial matter to implement.  The reverse is true of a self-deployed solution; companies usually have to either acquire physical severs (or provision virtual ones), purchase the correct number of client access licenses, followed by the installation and configuration of the appropriate spam filtering software.  And I’ve not even got started about setting up the appropriate level of failover redundancy or the training and lead time required of the technical staffers running it on a day-to-day basis.

On the other hand, hosted spam filtering can be implemented without extraneous training for already overwhelmed IT managers or system administrators.  In fact, the correct information and authorization to modify the MX records could even allow service providers to setup and enable their service – remotely.

Flexible and versatile

Finally, the nature of hosted spam filtering allows for great flexibility and versatility in how it is deployed.  For example, users can concievably “stack” multiple providers in a chain, or opt to channel e-mails through another server (or service provider) for archival first, or even reroute new e-mails to a different server for the purpose of rolling out a new e-mail server.  The list goes on.

This clean separation between the various components of your e-mail subsystem means there is no need for corporations to be concerned about operating system security patches or updates to the spam filtering software inadvertently “breaking” any part of your precious e-mail infrastructure.

Conclusion

Of course, while the controls and spam filters afforded by the hosted spam filtering services are generally excellent, there are also advantages to running a self-deployed spam filtering server as well. Next week, I shall be looking at some of the features that an IT manager will want to look for in a self-deployed system, so stay tuned!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Some Reasons to Consider Hosted Spam Filtering

Google announced that it has fixed a bug that caused a small percentage of GMail accounts to send the same email messages over and over again. The unending barrage of messages caused some of the affected accounts to be blacklisted by services such as SORBS.net and Backscatterer.org and left users wondering if their computers had been infected with some kind of malware or hacked.

“The problem with Google Mail should be resolved,” Google’s tech support staff wrote. “We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better.”

Some affected users who use GMail for business purposes were embarrassed and left having to explain to clients and colleagues who were no doubt annoyed by the flood of duplicate messages. Google has not provided any details about the bug or what might have caused it, and it’s not known if they provided assistance in getting blacklisted users off those lists.

It’s estimated that about 2.5% of GMail’s roughly 160 million users (as reported by the Wall Street Journal) were affected. That may not sound like much, but it equals about 4 million users whose accounts were turned into mail bombing machines by the bug. That’s a lot of email.

Google probably wishes the timing had been better as the bug hit in the same week they had called a press conference to announce that Google Voice and GMail have been integrated.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

GMail Bug That Turned Some Users Into Spammers Fixed

The folks over at InformationWeek are reporting that the Pushdo botnet has been crippled. Thanks to a combined effort on the part of several security researchers, Pushdo, also known as Cutwail, has had the majority of its command and control servers shut down. Pushdo pumps out enormous amounts of spam, much of it malicious, and is responsible for a massive DDoS against hundreds of commercial and government websites earlier this year.

Compromised computers spew spam.

          “We identified a total of 30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world,” said Thorsten Holz at cybercrime intelligence service LastLine. “We contacted all hosting providers and worked with them on taking down the machines, which lead to the take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several command & control servers are still online at this point.”

The shutdowns resulted in Pushdo’s huge flood of spam sharply plummeting.

Is this a good thing? Of course. Will it last? Not likely.

Botnet herders have learned from the McColo shutdown. Their command and control systems have become more complex and widespread so that when something like this happens, they are usually back in business within days rather than weeks or months. Many botnets are not programmed with long lists of domains so that if they try to connect to one and get no response they can move on to the next one and so on until they are able to connect.

It will be interesting to see how long it takes Pushdo to bounce back!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Pushdo Botnet Crippled

Apple’s walled garden, also known as the iTunes store, showed a crack this week when reports began flooding the Internet of compromised accounts being used to siphon money from PayPal for unauthorized purchases at the online music outlet.

Sums charged to PayPal varied, but one iTunes customer claimed $4700 had been debited to his account through the Apple store by parties unknown. Other users reported more modest thefts–$500, $650 or $1000.

Although the bandits were exploiting connections between iTunes and PayPal, they exhibited behaviors associated with credit card scammers. For instance, they always spent less than $100 on an item. That’s a tactic used to stay off the radar screen of fraud trackers. It’s also a significant cut off point for merchants. At $100 or above, they’ve got to foot the bill for a fraudulently purchased item.

PayPal has denied its systems had been breached. “We’ve looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account,” the company’s chief information security officer Michael Barrett wrote in a blog.

While PayPal was advising its customers to report their problems to the company so they could be reimbursed for   any money they may have lost to scammers, Apple passed the buck to others. “We’re always working to enhance account security for iTunes users,” it said. “If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about chargebacks for any unauthorized purchases.”

While not officially commenting directly on the security of iTunes, off the record, the company discounting breach speculation. “There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam-a variation on the one that’s been around for years now,” John Paczkowski wrote in All Things Digital.

“Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions,” he added.

If neither iTunes nor PayPal were compromised, password theft via a phishing scam or malware infection seems like a logical inference. Indeed, it’s one a number of unnamed security experts cited when contacted by reporters following the story. But there were some oddities in the transactions involved that didn’t seem to fit a straight password pilfering scam.

For example, all the unauthorized transactions were tied to PayPal. If the scammers stole iTunes passwords in a phishing scam, why were the only users victimized those who made iTunes purchases with their PayPal accounts?

The receipts generated by the unauthorized purchases were also queer. When purchases are made at the iTunes store, a receipt is generated and sent to the purchaser. Such receipts were received by the victims of this scam. However, a comparison of subject lines in receipts performed by Charles Arthur at The Guardian revealed an interesting disparity.

When an item is bought with a credit card at iTunes, the subject line usually says “Receipt for your payment to iTunes Store.” When it’s bought with PayPal, the subject says reads, “Receipt for your payment to iTunes.” What Arthur discovered was that while PayPal was used to make unauthorized purchases, the receipts generated from those purchased contained credit card subject lines.

Despite the lingering questions about the break-in, the consensus still seems to be that they involved compromised passwords and those passwords were obtained by phishing or other forms of Net mischief.

For consumers who want to avoid becoming victims of online scammers, PayPal’s Barret offers these tips:

• Use a safe password: use a strong password which includes a combination of upper and lowercase letters and numbers. But don’t use the same password for every online account you have. That’s basically like using the same key for your house, your car, your office and your safety deposit box. If you lose that key, you’re in trouble.
• Protect your computer: use a modern, supported operating system such as Windows 7 or Apple’s OS X Snow Leopard. You should also use an updated Internet browser that blocks fraudulent websites, like Internet Explorer 8, Safari 5, Firefox 3 or higher. As always, keep your antivirus software updated.
• Don’t click on links in email: never click on links in email and then enter your username, password or other sensitive information – even if the email looks like it’s from your bank, an e-commerce site, the IRS or popular sites like PayPal.
• Use common sense: if you wouldn’t do something in the offline world, don’t assume it’s safe online. If a stranger walked up to you at a gas station and said, “Please give me the key to your house; I need to make sure there are no burglars there,” you’d probably tell him to go take a hike. Likewise, if you get an email, phone call or some other unexpected message demanding that you turn over your username and password, don’t do it. Trust your instincts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishing primary cause of bogus iTunes charges

One aspect of spam has to do with trickery, where users are cajoled or tricked into performing an action, usually in the form of clicking on a specially prepared URL link.  While the best way to stop the proliferation of spam would of course be the implementation of a good spam filter, the inevitable junk e-mail slipping is often an inevitable state of affair.

Rather than having to sort through the mess after the fact, one way that IT managers can turn the situation around is to train non-technical staffers to complement and enhance technical methods of identifying spam. Teaching employees how to identify spam is a good idea on a few fronts, such as allowing spam administrators to better refine or tweak existing spam filters.  In addition, savvy users dramatically reduce the possibility of malware being introduced through spam.

Today, I will highlight a number of current spam vectors that you can use to train your users on how to identify spam.  You can of course also use these methods to better tune your spam blacklist.

1. “Mail undeliverable” messages
   I personally experienced a spike of such e-mails recently, which were all fortunately caught in my spam filter.  Depending on specific configurations – so as not to erroneously block legitimate warnings about unsuccessful mail delivery – some organisations might inadvertently let in more of such spam.  Less savvy users who see such e-mails might be panicked into rashly clicking a link in a misguided attempt to determine the problem.  While it would be unreasonable to train every employee on how to read e-mail headers, it won’t be as difficult to coach them on how to watch out for bogus links embedded within such e-mails.
2. Messages from popular on-line services
   The shotgun nature of unsolicited mails means that spammers are drawn to masquerade as popular Web services that have a higher chance of being used by their targets.  Common vectors are sites such as Facebook, PayPal, Amazon, or even iTunes. In a nutshell, messages that claim to come from these popular on-line services are then laced with links in the hope that victims will click on them.
3. Nonsensical headers or text body
   One popular trick by spammers is to copy or paste snippets of legitimate Web content as the e-mail header or text.  Links to specific sites are then carefully embedded to trick readers into clicking them.  The content of copied text can vary greatly, and I’ve seen materials from several sites combined before in a bid to bypass Bayesian filters.  Users can be further confused because e-mail recipients and senders are typically spoofed.
   IT managers need to remind users that if an e-mail makes absolutely no sense, it probably isn’t legitimate – even if apparently originating from someone they know.
4. Death and accident involving well-known personalities
   Events ranging from the demise of pop megastar Michael Jackson to the recent World Cup have clearly shown us how spammers are reacting much faster than before in an attempt to circumvent increasingly sophisticated spam technology.  Spam involving current or breaking news have a far higher chance of making it into inboxes before administrators have an opportunity to react.  Also, users who might have heard part of the news via other avenues are far more susceptible to read or click on any links that are given. Rather than forcing spam administrators to stay glued to breaking news, tapping into users to identify such spam is also an excellent opportunity to involve them in the fight against spam.
5. HTML file attached
   Most e-mail servers and spam filters now block executables by default, even if compressed within ZIP archives.  However, the continued discovery of flaws in popular Web browsers have led to spammers who send HTML files containing code to exploit these vulnerabilities.  Header and body text can vary as usual, but suffice to say that it usually involves something enticing such as winning a lucky draw or some unsolicited transfer of funds.  Users need to know that the sending of HTML files constitutes extremely suspicious behaviour and should first be verified with the appropriate administrator.

The above list represents just some of the newer spam attempts that I’ve personally witnessed; periodical training will be necessary to keep users up-to-date.  Ultimately, staffers need to know that the spam (or mail) administrator is always available to address any doubts or queries that they might have.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Five Ways to Train Your Users to Identify Spam

Security researchers say the massive Rustock botnet is currently responsible for 40% of the world’s spam volume. This is particularly impressive considering the number of infected computers under its control has dropped from 2.5 million to 1.3, probably as a result of increased detection by anti-virus software. Still, even with the reduction in size it is still pumping out nearly 50 billion spam messages a day.

Compromised computers spew spam.

Most of that spam is pharmaceutical, hawking counterfeit prescription drugs offered by the infamous group of Canadian Pharmacy websites. The drugs, which are freely distributed without a prescription, are made in India and China and are not regulated or inspected in any way. The group behind the Canadian Pharmacy scams is said to be connected to the Russian Mafia.

Rustock was thought to be using Transport Layer Security to encrypt its spam in an effort to make detection difficult but appears to have abandoned the practice, probably due to the affected it had on bandwidth and processing speed.

The botnet has been thriving since its recovery from the McColo shutdown back in November 2008. When the cybercriminal-friendly ISP had its service terminated by its upstream providers, Rustock went dark, but the herders behind it acted quickly to switch its command and control servers to another host and began developing ways to keep it from depending on a single host, which has kept it from further shut downs. Botnets are now programmed with a list of different domains and IPs to contact for instructions, so if one goes down, a new one can easily and quickly be found.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Rustock Botnet Responsible for 40% of All Spam

In newspaper circles, when a correction to a story has to be written, a rule of thumb used by many organizations is to omit the original mistake from the correction. That’s not to eschew embarrassment, although it often works out that way, but to avoid printing the incorrect information twice. Bad information, you see, has a way of sticking to little gray cells when it’s the first to arrive in the information marketplace. Repeating it, even in a correction debunking it, tends to add to its stickiness.

That seems to be the case with the recent hullabaloo over the “dislike” button in Facebook.

Members of the vast Facebook social network have the ability to click a button when they “like” a posting they see in their news feeds, but unlike other websites that solicit mob opinion on their content, Facebookers can’t show their displeasure with what they see on the network. That omission has vexed more than a few of the Facebook faithful, including columnist Dan Tynan.

          “Like many people of an inherently cynical nature, the fact Facebook only allows you to express your ‘Like’ on various topics, posts, and advertisements irks me,” he wrote. “I know I’m not alone, and so do Facebook scammers, which is why the latest viral ‘Dislike button’ scam has spread so quickly.”

As many popular scams begin on Facebook, a member sees a message with an enticing pitch. In this instance, it was “I just got the Dislike button, so now I can dislike all of your dumb posts lol!!” or “Get the official DISLIKE button NOW!” Included with the message is a shortened URL, so victims don’t know where they’re going when they click on it.

Clicking on the short URL in the Dislike message displays a screen for installing the Dislike Button. When members attempt to install the feature, they’re asked to give their permission to allow the app to access their basic information, post to their “walls” and access their data at any time, which pretty much opens the door to the chicken coop for the foxy spammers.

Once they have access to your Facebook information, the spammers use the member’s information to promote–under the member’s name–the Dislike Button to all the member’s friends.

Meanwhile, the member still doesn’t have a Dislike Button. Before he or she gets the button, they must fill out a survey, which makes the scammers some cash. After finishing the survey, the member is sent to a website where they can install a browser add-on called Dislike Button. The app began as a Firefox add-on, but now it can be downloaded as a executable file that will work with Chrome, Internet Explorer and Opera. Support for Apple’s Safari browser is in the works.

What got lost in all the hubbub about the scam, though, was the fact that the Dislike Button is a legitimate add-on. Its makers, FaceMod, were being victimized by the scammers as much, if not more, as Facebookers clicking on the URL in the fraudster’s pitch message. Unfortunately, the maker’s message was lost in the digital din that erupted when the scam was revealed by a malware fighting firm.

          “Recently, the Dislike Button has been mentioned in several articles, blogs and tweets, in conjunction with a scam, which silently sends the link to users’ Facebook friends, and requires the user to then take an online survey, which makes money for the scammers,” FaceMod wrote on its website. “Due to the high demand for the Dislike Button,” it continued, “unaffiliated people and/or groups are attempting to monetize FaceMod’s products by re-directing to online surveys. FaceMod does not require a user to fill out a survey, is not affiliated with this Scam and urges users to avoid unofficial posts.”

For the sake of clarity, FaceMod’s add-on only works with other Facebook members who have installed the app in their browsers. In other words, if you click “dislike” and the person who posted the item you disapprove of doesn’t have FaceMod’s software installed in their browser, they won’t see your thumbs down.

Initially, FaceMod sent a message to a person when a user of its app gave the thumb’s down to an item, but it removed that feature–although the company’s website still says it’s there–after receiving complaints from people who received what could be interpreted as spam messages announcing they’d been “disliked.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The curious case of the Facebook Dislike button

Thousands of UK students are furious with the country’s Universities and Colleges Admission Service after receiving an email from them with the subject line “You’ve Been Accepted”. The message, which led students to believe it was an acceptance notice from a university, was actually a spam message advertising discounted HP laptops. This infuriated students, as this is the time of year when they are awaiting their A-level results and scrambling to apply to the limited amount of university openings available. In the UK there are more qualified students than there are spots at the most sought after universities. Many students feel that the spam message was not only misleading, but cruel and in poor taste. The UCAS, red-faced, quickly offered an apology.

A UCAS spokesman said: “We understand and apologise for the confusion this has caused to some applicants, and we are looking at reviewing our quality filters to avoid this type of situation in future.”

It’s not known who approved the message or its deceptive subject line. HP has declined to comment on the matter. This story illustrates how important it is to use care in sending newsletters and other bulk mailings to the customers on your mailing list. A deceptive subject line, even if it wasn’t intended to be, can cause a real public relations headache for your company, and thanks to social networking services like Facebook, your unhappy customers can make themselves heard in a hurry! Avoid wordplay and other attempts to be cute and keep your subject lines and messages simple and straightforward. The old saying, “Keep it simple, stupid!” really is the best policy.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

UK University Service Infuriates Students With Spam

Spammers have begun sending out fake LinkedIn notices that have spam attached to them. At first glance they look like the notices you get when someone wants to add you to their network but they have a linked image attached which is usually an ad for Viagra Cialis and other related types of drugs. The link leads to a site called PathTasty. PathTasty appears to be one of the hundreds of fake internet pharmacies that fall under the “Canadian Pharmacy” umbrella. This isn’t a phishing scam – if you place an order you will get it but it will be a counterfeit version of the drugs you paid for. These fake drugs are made in China and India with unknown ingredients and are completely untested and unregulated. There have been no reports of anyone getting sick or dying from taking the fake drugs but the FDA was concerned enough to issue an alert warning consumers to stay away from these sites.

Canadian Pharmacy has been around for quite sometime now. Its spam is pumped out by the massive Rustock and Mega-D botnets and is run by GlavMed, which bills itself as an “affiliate program” but most security experts consider it a criminal organization. It’s located in Russia however which makes it difficult to track down.

Ironically there is a very legit company called Canada Pharmacy and they are said to be quite irate over the association with Canadian Pharmacy. Canada Pharmacy is a real pharmacy doing business on the net and unlike Canadian Pharmacy, they won’t dispense drugs to anyone without a valid prescription for them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers Using Fake LinkedIn Notifications

Office supply retailer Office Depot is the latest company to be brand-jacked by spammers. The company says they’ve received many reports of both customers and non-customers receiving fake order receipts for merchandise they never bought. The order total appears to always be the same amount, $151.06.  While they won’t say exactly how many reports they’ve got, company representatives say the problem is wide spread and have issued a warning:

“Office Depot has been alerted that both customers and non-customers have received an unsolicited email confirmation of an Office Depot order that they never placed,” Office Depot spokesman Brian Levine said in a statement. “This message was not sent by Office Depot. We are asking recipients of the email to delete it. Office Depot only sends email confirmation messages to customers who request one at the time that they place an order and this confirmation comes from an Office Depot email account. ”

No other details about the spam campaign have been released but if it’s like similar campaigns that have brand jacked big names like Amazon and UPS, there is probably some sort of attempted phishing attack or malware delivery involved. Presumably the spammers are trying to get people click on a link that leads to a fake Office Depot page, much like the Amazon attack that sent fake Amazon order confirmations included links that led to a fake Amazon login page. Spammers and scammers are getting more and more brazen about using the names of well known companies to trick people into falling for their schemes.

It’s difficult to keep your brand from ending up in a scammer’s campaign so it’s important to make sure you have a strong response strategy. Take any reports of such activity very seriously. Send an immediate take down order to any domain you find hosting a fake copy of your company website and issue warnings to all your customers and vendors. Being proactive is your best defense.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Office Depot Latest Brand To Be Exploited By Spammers

A new spam campaign has begun spreading across the net. Disguised to look like a ticket purchase email from Midwest Airlines, it is an attempt to spread the Zbot Trojan. The email thanks the recipient for using the company’s new “Buy Airline Ticket Online” feature and provides the login details of an account that was created in their name along with the receipt for a purchase of over $800 that was charged to their credit card. It goes on to tell them the ticket is in the email’s attachment.

Of course the feature, receipt, ticket, and charge are all fake and if the user opens it the Zbot Trojan is downloaded and installed.

Zbot is distributed by the Zeus botnet and is a virulent banking Trojan that has stolen millions from bank accounts around the world. Last month alone it was responsible for stealing over $1 million from customers of a bank in the United Kingdom. Once installed it monitors the system and strikes when the user visits a site on its list. These include e-commerce sites and most major banks, credit card companies, and other financial institutions. Once a site is visited a keylogger drops and records the login info, then sends it back to the command and control server. After the stolen information is used to transfer funds from the account to the criminals, a fake statement is created to hide the crime.

Investigators and researchers aren’t sure who is behind ZBot, but given that the C&C servers are located in Eastern Europe some suspect the stolen funds are being siphoned to the Russian mafia.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Zbot Spam Campaign Unleashed

Six people, five men and one woman, have been arrested for their parts in a huge phishing ring. UK authorities say that the group has so far stolen over $550,000 and compromised over 20,000 credit card and bank accounts but say the tab could potentially reach over $6 million once they are able to establish the full extent of the operation. The five were arrested in London and County Meath, Ireland by the Metropolitan Police as part of an investigation called Operation Dynamophone.

          “We have taken this action to shut down an organised criminal network running an online phishing and account take-over operation,” said the Met’s Detective Inspector Colin Wetherill.”A great deal of personal information was compromised and cleverly exploited for substantial profit. By disrupting the operation we have hopefully prevented further loss to individuals and institutions across the UK.”

The group sent out fake emails made to look like they came from legit banking institutions in an attempt to trick them into going to the lookalike sites they created and turning over their login info. Once the info was in their hands they went to town cleaning out bank accounts and maxing out credit cards. Detective superintendent Charlie McMurdie of the Police Central eCrime Unit (PCeU) said they are also trying to determine if the gang distributed malware as part of their operation.

          “In high-volume phishing, malware infection goes on,” said McMurdie. “One million emails through various channels and in various forms will get a certain percentage of response.”

The accused remain in custody in London on suspicion of conspiracy to commit online banking fraud and violations of the Computer Misuse Act.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Six Arrested in UK Phishing Operation Bust

Google and Verizon set off a blizzard of chatter on the Internet this week when they aired their “open Internet framework.” The framework bars a provider of broadband Internet access “from engaging in undue discrimination against any lawful Internet content, application, or service in a manner that causes meaningful harm to competition or to users.”

Under the proposal, any “[p]rioritization of Internet traffic would be presumed inconsistent with the non-discrimination standard.” “Prioritization” is a euphemism for a service provider acting as a traffic cop for content aimed at the users of their systems.

When pulling the wraps off their proposal, the companies have put a pro-consumer, open-Internet spin on their proposal.

          “Google and Verizon have been working together to find ways to preserve the open Internet and the vibrant and innovative markets it supports, to protect consumers, and to promote continued investment in broadband access,” they said in the preamble to the framework.

But consumer groups aren’t buying the pitch. Their criticisms of the framework are similar to those expressed by the Free Press’s Joel Kelsey.

          “Google and Verizon can try all they want to disguise this deal as a reasonable path forward, but the simple fact is this framework, if embraced by Congress and the Federal Communications Commission, would transform the free and open Internet into a closed platform like cable television,” he said in a statement.

          “This is much worse than a business arrangement between two companies,” he continued. “It’s a signed-sealed-and-delivered policy framework with giant loopholes that blesses the carving up of the Internet for a few deep-pocketed Internet companies and carriers.”       

          “If codified,” he added, “this arrangement will lead to toll booths on the information superhighway. It will lead to outright blocking of applications and content on increasingly popular wireless platforms. It would give companies like Verizon, Comcast and AT&T the right to decide which content will move fast and which should be slowed down. And it will destroy the open Internet as a platform for small business innovation and job creation, cementing companies’, like Google’s, dominant market power online.”

While the Google-Verizon proposal has generated a lot of heat, one of its implications that appears to have slipped through the cracks is its impact on spam. It could very well result in more of the junk ending up in the inboxes of consumers. That’s because much of the spam circulating on the Internet is “legal” under the broad definition of the framework. And if any content is “lawful,” then it can’t be discriminated against–even if it’s unwanted by the people receiving it.

It’s obvious that is not what the framework’s authors intend because in the “network management” section of the proposal, they state that broadband providers can employ “any technically sound practice…to address traffic that is unwanted by or harmful to users.”

But here’s the rub. The framework actually turns on its head how Internet service providers operate now. Now, if provider one receives spam from provider two, provider one can turn off the spigot from provider two. Then it’s incumbent on provider two to persuade provider one to turn the spigot on again.

Under the framework, when provider one turns off the spigot, a purveyor of “legal” spam can go running to the FCC to challenge that decision.

          “Even if the ISP can show that they have users complaining about his stuff, so the network management exception applies, the FCC, being a government agency, is likely to tell the ISP not to block anything until they rule on his complaint, which could easily take months, if not years, during which time the spam continues to flow,” explained John Levine in a column posted at CircleID.   

          “Although network neutrality sounds like a good idea, it’s not, because it breaks the underlying model of the way the Internet works,” Levine maintained.

          “It’s certainly true that in most parts of the country, there’s only one or two viable broadband ISPs, the phone company and the cable company, and they can’t be trusted to run the network the way their users want,” he continued. “But the right way to address the excessive market power isn’t to regulate the ISPs, it’s for the FCC to put the rules back the way they were in the early 1990s, so telcos and, ideally, cable companies have to provide the underlying connections to any ISP on the same terms, so we have enough competing ISPs that if you don’t like one, you can just switch to another.”

          “This isn’t a pipe dream–countries including the UK have done exactly that, with the result that their residents have a wide range of ISPs, who provide faster service at lower prices than we get in the US,” he added.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Is Verizon-Google plan boon to spammers?

A new spam statistics report is out that names the top 10 most spammed states. Let’s take a look:

1. North Carolina-91.3
2. New Hampshire-91.3%
3. Washington-91.3%
4. Utah- 91.5%
5. Illinois-91.8%
6. Tennessee-92.1%
7. Indiana-92.7%
8. South Carolina-93.6%
9. Alabama- 94.4%
10. Idaho- 95.2%

North Carolina, New Hampshire, and Washington were all tied for the 10^th spot while Idaho came in first for the second year in a row. All 10 states had spam levels well above the national average of 89.3%. On the other end of the spectrum, Puerto Rico came in as the least spammed U.S. state or territory for the second year in a row. It’s not known exactly why some states get more spam than others, but it may have to do with state spam laws and advertising regulations.

Some other facts the study revealed:

Most Spammed Industries: Engineering, Construction and Automotive.

Least Spammed: Admin, Public Sector, and Finance.

Most Spammed Countries: Luxembourg, China, Hong Kong, Germany, and The Netherlands.

As far a phishing goes, New Zealand takes the top spot while Japan was the least phished country. A new phishing scam was discovered – this one sent came in the form of emails offering a brand new PDF reader. Overall phishing levels increased with 1 in every 557.5 emails being a phishing attempt, an increase of .02% over June.

The report also found that the Storm botnet has come raging back and is pumping out pharmaceutical spam using URL shortening services. The masked URLs are easier to get by spam filters and blacklists. Storm was once the largest botnet in the world.

Virus levels decreased slightly with only 1 in ever 306 emails containing malware. That’s a drop of .04% from June.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 10 Most Spammed States

BusinessWeek has a great article about the FTC and how they’ve evolved to become a fixture in the war against spam and online fraud. They have a server that holds over 314 million spam messages and receives over 200,000 more a day. Investigators analyze the messages in their efforts to track down spammers and prosecute them under the CAN-SPAM law. Successful investigations lead to spammers being fined and sometimes jailed. They’ve also begun moving into the areas of social networking and identity theft.

I wonder though, of all the spam messages they collect what percentage originates from somewhere other than the U.S. Most hardcore spamming operations are safely overseas on bullet proof hosts in countries that don’t investigate or prosecute cybercrime either due to lack of understanding, lack of resources, or law enforcement corruption. Since these spammers can be convicted and fined without having to actually appear in court, yet can’t be made to pay up unless they enter the U.S., it seems such investigations could all be done in vain. Suing spammers doesn’t work well either – they just declare bankruptcy and move on to a new scam. There have been a few cases lately about spammers who’ve gotten themselves pretty hefty jail sentences but again, it doesn’t really work when the spammer is overseas somewhere.

So yes, the FTC is doing a great thing by investigating spammers and holding them accountable under the CAN-SPAM Act, but fighting spam will only be truly effective when all countries do so together and have similar anti-spam laws.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The FTC gets over 200,000 Spam Messages a Day

The folks over at Softpedia have an interesting article about a new spam campaign being run by the Cutwail botnet. It’s pumping out hundreds of millions of messages claiming to be Social Security statements:

          “Due to possible calculation errors, your annual Social Security statement may contain errors. Open attached file to review your annual Social Security statement,” the rogue messages read. The attachment is an archive file called statement.zip

They come with a zipped attachment that the message claims is the actual statement, but it really contains a variant of the Zbot Trojan. It downloads keyloggers and other malware designed to steal banking log ons and other personal information as well as a rootkit that allows a hacker to control the system remotely.  Zbot is programmed with a list of popular e-commerce and banking sites such as eBay, Paypal, Bank of America and and Amazon and when one of them is visited, the keylogger activates, records the log in info and sends it back to its command and control server.

Zbot has been around for three years and in the last 6 months infections have skyrocketed. The U.S. has been most affected, claiming 75% of all Zbot infections globally. The UK is second.

For the record the Social Security Administration only sends out statements via postal mail. They usually go out once a year about 6 months before your birthday. It’s not surprising that they are trying to use the SSA in their campaign as previous campaigns have exploited the IRS and other agencies.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Cutwail Botnet Unleashing New Malicious Spam Campaign

Spammers appear to have taken their summer vacation in July, if the junk mail that evaded my gauntlet of garbage filters is any indication of their activities during the period. They stuck to shopworn and even hoary pitches with little in the way of inventiveness.

One vein that was worked extensively prior to July faked support messages from my Internet Service Provider. It seems my ISP wised up to these attacks and only a pair managed to make it to my inbox in July. One was a typical inept attempt to obtain my user ID and password. If the fact that the sender of the message spelled user incorrectly wasn’t enough of a tip off, the “reply to” address to an AOL account sealed the deal. The other lame pitch had a security angle. “This message is from Your Service provider kindly send your Login information because we noticed your account is being accessed from three different location,” it said. I don’t know about your service provider, but mine doesn’t refer to itself as “Your Service Provider.” It also knows a thing or two about punctuating sentences and when to use plural nouns.

One of the oddest messages landing in my inbox had a subject line in an alphabet I didn’t recognize, but had an English message beckoning me to go to kasate.com for a sealed lead acid automatic battery charger.

Speaking of battery recharging, by far the most effective spam penetrating my defenses dealt with drugs. The good old-fashioned “From Canada to you” subject line butchered in some fashion–Fro’m %Cana#da to y’ou, for example, or From| “+Canada to yo%u”–still seems to be working. However, rather than hawking male performance drugs, these junk emails simply offer cheap meds. Given that pharmaceutical spam has been a rising star in the spam universe, it shouldn’t be surprising that some of it makes it through mail sieves. The category has grown to 85 percent of all spam on the Internet from 65.5 percent last year. What is surprising to me, though, is how little of it reaches my inbox.

I’m also surprised as to how anyone could fall for the pitches in these messages. It’s obvious that the authors of this sputum aren’t on the level. Why else would they pepper their ploys with so many oddball characters to foil filters looking for words that flag messages as spam, words like Canadian, meds and money. I mean, who in their right mind responds to “Meds% are onsale &al(l ^week” or “Canad&ian m”eds ]are cheaper/Check our meds/ line up and __choose w|hats best.”

In addition to the profuse use of oddball characters in words, some passages are tacked on to the bottom of the messages. The idea behind that tactic is to make the junk look like a real email message to automated spam fighting systems which have limited intelligence. Those passages used to be true nonsense, meaningless collections of letters and words. In more recent times, though, the passages are snatched from literary works. In the batch of junk that last month survived my defenses, the most popular authors for the passages were Sir Arthur Conan Doyle, noted for his immortal detective Sherlock Holmes, and Sun Tzu, who penned the classic treatise The Art of War. Other authors cadged by the spammers were Lewis Carroll (Alice’s Adventures in Wonderland), H.G. Wells (The Invisible Man), A. E. Burgett (The Door of Heaven) and J.K. Huysmans (Là-Bas).

It seems no month of spam would be complete without a Nigerian scam sneaking through the cracks. Although this scam dates back to the 20th century, spammers apparently never tire of recycling it. In the version of the bunkum that ended up in my inbox, the spammer claims to be a 24-year-old Senegal woman who is an heiress to $7 million. She is writing to me “with due respect and heartful of tears since we have not known or meet ourselves previously” and trusts me with her money because “I have gone through a profile that speaks good of you.” In exchange for helping her transfer her inheritance from a “financier company” to her, she’ll give me 30 percent of the seven million. Further details about the transaction will be conveyed to me once she sees a copy of my passport, home address and telephone numbers. Actually, as Nigerian schemes go, this is a mild one. Usually, they ask for some cash upfront.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers lack imagination in July

A new report analyzing spam trends for the first half of 2010 has found that Canadian Pharmacy spam accounted for a whopping 66% of the total global spam volume for that time period. Spam hawking fake designer goods came in a distant 2^nd with 7% of total global spam volume.

Canadian Pharmacy, which dubs itself the #1 internet pharmacy, isn’t Canadian or even a pharmacy at all. It’s run by a Russian cybercrime group that hides behind a rogue affiliate program called GlavMed. The site sells fake versions of well known prescription drugs such as Viagra, Cialis, Vicodin, and Oxycontin, a practice so dangerous the FDA issued a warning about it, as well as fake vitamins and male enhancement products. There’s no actual pharmacist overseeing things and they take and fulfill orders without asking for a prescription. The fake drugs are made in, and shipped from, India and China.

The GlavMed group uses botnets to pump out its spam and has been known to control up to 8 of them. They avoid being shut down by using so-called bulletproof hosts that ignore all take down requests and complaints.

The so-called “Replica Products” spam campaign may comprise only 7% of global spam volume but look for that to rise as the holidays approach. Those spammers will be out in full force hawking fake Rolex watches, Louis Vuitton and Coach handbags, Rayban sunglasses, and more as they try to appeal to cash strapped shoppers looking for bargains. With the economy still on shaky ground you can be sure they’ll do what they can to take advantage.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Canadian Pharmacy Dominates Spam

A new spam campaign has a disturbing twist. The messages aren’t selling anything or attempting to lure the recipients to a malicious site. Instead, they tell them they have only days to live.

With subject lines like “Somebody you call friend wants you dead!” they can’t help but get the recipient’s attention. The message is even scarier. The writer claims to be a hitman hired by one of their friends and says they will be killed within 10 days and are being tracked down by the hitman’s associates. However, it goes on to say, they are willing to make a deal and spare the recipient’s life for $8,000. The instructions are to wire $3,000 immediately and the rest at a later date. The message ends with a warning not to go out after dark.

Fortunately the threats are bogus, and the hitman just another cybercriminal. It’s just a new play on the old Nigerian scam, only they appear to be getting tired of making up stories about lost family fortunes, exiled royalty, and fake inheritances from fake relatives and have turned to simple threats. Pay up or die. It’s unknown how many people have fallen for the threatening scam but one thing is clear, those who do will get more messages with more threats and extortion as they’ve indentified themselves as an easy mark.

The Nigerian or 419 scam (named after the Nigerian criminal code covering it) has been around almost as long as the web itself. Sadly, many people have lost their life savings and a few have even lost their lives after traveling to Nigeria to find their promised fortune.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Spam Campaign Delivers Death Threats