<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment</title>
	<atom:link href="http://www.allspammedup.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Wed, 17 Mar 2010 11:37:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Spear phishing attacks on rise</title>
		<link>http://www.allspammedup.com/2010/03/spear-phishing-attacks-on-rise/</link>
		<comments>http://www.allspammedup.com/2010/03/spear-phishing-attacks-on-rise/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 08:36:35 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Anti-Phishing Working Group]]></category>
		<category><![CDATA[spear phishing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2258</guid>
		<description><![CDATA[Phishing reports were down, but that may be because cyber scammers had bigger fish to fry.
That&#8217;s one of the findings in a report released this week by the Anti-Phishing Working Group.
After reaching an all time high of 40,621 reports in August of last year, phishing reports to the organization fell a precipitous 29 percent, to [...]<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2010/03/spear-phishing-attacks-on-rise/">Spear phishing attacks on rise</a></p>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2263" class="wp-caption alignright" style="width: 309px"><img class="size-full wp-image-2263" src="http://www.allspammedup.com/wp-content/uploads/2010/03/APWG-sectors1.jpg" alt="Financial sector is top target for phishers." width="299" height="162" /><p class="wp-caption-text">Financial sector is top target for phishers.</p></div>
<p>Phishing reports were down, but that may be because cyber scammers had bigger fish to fry.</p>
<p>That&#8217;s one of the findings in a report released this week by the Anti-Phishing Working Group.</p>
<p>After reaching an all time high of 40,621 reports in August of last year, phishing reports to the organization fell a precipitous 29 percent, to 28,897, in December, the organization revealed in its Phishing Activity Trends Report for the fourth quarter of 2009.</p>
<p>Although raw phishing numbers declined, the organization reported a &#8220;substantial increase&#8221; in phishing focused on high-value targets, such as personnel with treasury authority.</p>
<p>&#8220;Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appears to be increasing,&#8221; APWG Chairman Dave Jevans said in the report.</p>
<p>&#8220;Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources,&#8221; he continued.</p>
<p>&#8220;These attacks do not contribute significantly to the overall number of unique phishing emails that are sent, as they are not using broad-based spam,&#8221; he added. &#8220;Rather, the attackers customize their email messages to target individual users.&#8221;<span id="more-2258"></span></p>
<p>Such a targeted attack made headlines recently when it was used to break into Google&#8217;s computers.</p>
<p>The number of unique phishing sites identified by the group remained steady during the period. From October to December, unique site figures fluctuated by less than one percent, from 46,522 to 46,190 sites, and the end of year figure was 18 percent below the all time peak hit in August of 56,362 sites.</p>
<p>Attacks on brands hit a new high during the quarter, according to the report. After hitting that peak of 356 in October, though, assaults petered out to 249 by the end of the year.</p>
<p>&#8220;The pattern of attacks per brand is particularly noteworthy,&#8221; observed Ihab Shraim, chief security officer and vice president for network and system engineering at MarkMonitor and a contributing analyst for the report. &#8220;While the number of targeted brands declined in each month of the fourth quarter, the total number of brands targeted in phishing attacks actually increased from the previous quarter.&#8221;</p>
<p>After falling from the catbird&#8217;s seat during the first two quarters of the year, the financial services sector regained its dubious distinction as the number one industry targeted by phishers in quarters three and four. In the final quarter of the year, 39 percent of phishing attacks were directed at the financial sector, followed by payment services (33 percent), auction sites (13 percent), other (13 percent) and retail (two percent).</p>
<p>In this edition of the group&#8217;s report, a new metric has been added: crimeware. Crimeware is malware specifically designed to attack the customers of financial institutions. During the quarter, crimeware&#8217;s slice of the malware pie remained consistent at two percent. However, the pie share held by bad apps designed to steal data fluctuated, starting at 31 percent in October, climbing to 34 percent in November and returning to 31 percent at the end of the year.</p>
<p>Patrik Runald, a senior security research manager with Websense and a contributing analyst to the report, observed that data stealing code continues to be a major problem for White Hats. &#8220;This is due to the high success rate that hackers obtain when unleashing attacks with data stealing code,&#8221; he maintained. &#8220;These types of attacks will most likely continue at this pace, and possibly increase as attack techniques evolve.&#8221;</p>
<p>A popular vehicle for infecting computers in recent months has been rogueware&#8211;malware masquerading as security and anti-virus programs. A significant increase in the variants of these applications occurred at the end of the year, according to the group&#8217;s report. From the third to the fourth quarter of the year, rogueware variants increased 36 percent, from 158,980 to 252,025. Still, the fourth-quarter high of 122,335, reached in December, was substantially lower than the record crest of 152,197 reached in June 2009.</p>
<p>Despite the large numbers of new variants, the bad apps actually stem from relatively few software families, the report noted. The more than 200,000 variants in the fourth quarter, for example, belong to only four families:</p>
<p>• Adware/Antivirus2008<br />
• Adware/MSAntiSpyware2009<br />
• Adware/TotalSecurity2009<br />
• Adware/SystemGuard2009</p>
<p>The report also noted that the United States was the top country for phishing sites in the world. In October and November, more than 90 percent of all the nefarious sites were located in the United States; more than 70 percent in December.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/spear-phishing-attacks-on-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spam Levels Continue to Surge</title>
		<link>http://www.allspammedup.com/2010/03/spam-levels-continue-to-surge/</link>
		<comments>http://www.allspammedup.com/2010/03/spam-levels-continue-to-surge/#comments</comments>
		<pubDate>Mon, 15 Mar 2010 08:34:42 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2252</guid>
		<description><![CDATA[Security experts say spam levels have continued to surge in the first few months of 2010.  Spam levels in February rose to 89.4%, a nearly 6% increase from January.  The rise is blamed on the Rustock and Grum botnets in particular with Grum’s spam output increasing by over 50%. It’s currently responsible for 26% of all [...]
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2097" class="wp-caption alignright" style="width: 220px"><img class="size-full wp-image-2097" src="http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG" alt="Compromised computers spew spam." width="210" height="153" /><p class="wp-caption-text">Compromised computers spew spam.</p></div>
<p>Security experts say spam levels have continued to surge in the first few months of 2010.  Spam levels in February rose to 89.4%, a nearly 6% increase from January.  The rise is blamed on the Rustock and Grum botnets in particular, with Grum’s spam output increasing by over 50%. It’s currently responsible for 26% of all spam sent.</p>
<p>Porn was the most popular delivery method, with 63.6% of spam messages using this tactic. Phishing has seen a slight decline, claiming 1% of all threats detected. A whopping 84% was malware and 15% was spyware. Cutwail continues to pump out record-setting amounts of spam that push scareware such as fake anti-virus programs. These types of campaigns remain wildly popular with cybercriminals because of their high profitability. Experts say Cutwail is also for hire. The botnet’s controllers are apparently offering it up for rent to other cybercriminals, further increasing their profits. The specific services being offered for sale aren’t known but are likely to be spam, malware delivery, DDoS attacks and other criminal activities.<span id="more-2252"></span></p>
<p>The cybercriminals that run the major botnets have largely turned away from attachment spam, most likely because most ISPs and spam filters automatically block or filter attachments. Only about 0.56% of spam contains attachments now. Instead they rely on links, because malicious URLs tend to pass easily through spam filters without detection. Use of URL shortening services is also still popular.</p>
<p>What is the best way to fight these surging threats? Security experts recommend a multilayered shield comprised of URL filtering, a strong, constantly updated anti-virus solution, and real-time code analysis.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/spam-levels-continue-to-surge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>King of Infomercial Scams Avoids Jail for Spamming Judge</title>
		<link>http://www.allspammedup.com/2010/03/king-of-informercial-scams-avoids-jail-for-spamming-judge/</link>
		<comments>http://www.allspammedup.com/2010/03/king-of-informercial-scams-avoids-jail-for-spamming-judge/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 13:28:34 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam law]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2223</guid>
		<description><![CDATA[Sleazy infomercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in Civil Court fighting a complaint by the FTC that the advertising for his “natural cures” [...]
]]></description>
			<content:encoded><![CDATA[<p>Sleazy infomercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the <img class="alignright size-full wp-image-1648" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/1055088_no_spam.jpg" alt="1055088_no_spam" width="185" height="182" />courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in Civil Court fighting a complaint by the FTC that the advertising for his “natural cures” book is misleading. He was first sued by them in 1998 and banned from making false claims in the future, ordered to pay $500,000 in consumer redress and pay another $500,000 for a performance bond to ensure compliance. In 2004 he was sued again for ignoring the order and making false claims about a product called Coral Calcium. He was ordered to pay $2 million in fines and damages and banned from doing infomercials except for informational publications like books, provided he make no misrepresentations. He again ignored the order, which is why he is in court again. Trudeau has long been hawking his natural cures as the answer to everything from obesity to drug addiction.</p>
<p>In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/king-of-informercial-scams-avoids-jail-for-spamming-judge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New &#8220;Chuck Norris&#8221; Botnet On The Loose</title>
		<link>http://www.allspammedup.com/2010/03/new-chuck-norris-botnet-on-the-loose/</link>
		<comments>http://www.allspammedup.com/2010/03/new-chuck-norris-botnet-on-the-loose/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 13:41:00 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[router security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2216</guid>
		<description><![CDATA[Look out Waledac, Zeus and Conficker! Chuck Norris is in town. A new botnet named after the iconic action star is targeting and infecting routers, or as one writer joked “The Chuck Norris botnet doesn’t infect routers, it stares them down until they infect themselves.” The botnet, first discovered by Czech researchers, looks for badly [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-2221" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/02/chuck-norris-002-thumb-400x498-321x400.jpg" alt="chuck-norris-002-thumb-400x498" width="146" height="182" />Look out Waledac, Zeus and Conficker! Chuck Norris is in town. A new botnet named after the iconic action star is targeting and infecting routers, or as one writer joked “The Chuck Norris botnet doesn’t infect routers, it stares them down until they infect themselves.” The botnet, first discovered by Czech researchers, looks for badly configured routers and infects them by guessing the default password. It uses the remote access feature to take control.</p>
<p>It takes over MIPS-based devices running Linux by launching a password-guessing dictionary attack, changes the DNS settings of the router, and then redirects the user to a poisoned webpage that downloads even more malware. It also scans the network for other devices to infect.  Experts say the botnet has infected machines from South America to Asia. There’s no information on exactly how many machines have been compromised or who is behind it, but like other botnets, its goal is to steal personal information like passwords and bank account numbers. Some researchers say it may also conduct DDoS attacks.</p>
<p>For a botnet named after Chuck Norris (it got the name from a line in its code: &#8220;in nome di Chuck Norris” which means “In the name of Chuck Norris”) the malware it delivers has a surprising weakness. Since it is installed in the router’s RAM, a simple restart will remove it. To protect against it, make sure all routers and modems on your network are not using the default password and that each device has a unique and hard to guess one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/new-chuck-norris-botnet-on-the-loose/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Could Better URI Filtering Cure Email Spam?</title>
		<link>http://www.allspammedup.com/2010/03/could-better-uri-filtering-cure-email-spam/</link>
		<comments>http://www.allspammedup.com/2010/03/could-better-uri-filtering-cure-email-spam/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 15:30:28 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Connection Filtering]]></category>
		<category><![CDATA[URL Shortening]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2265</guid>
		<description><![CDATA[A highly desirable goal of businesses and web users is the complete eradication of spam from the internet.  That is perhaps a bit too much to hope for, but certainly the goal of reducing spam is something we can all keep working towards.
One of the more effective methods of reducing spam in recent years is [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2266" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/03/cure.jpg" alt="cure" width="250" height="187" />A highly desirable goal of businesses and web users is the complete eradication of spam from the internet.  That is perhaps a bit too much to hope for, but certainly the goal of reducing spam is something we can all keep working towards.</p>
<p>One of the more effective methods of reducing spam in recent years is through <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">IP filtering</a>.  This technique involves checking the IP address of the computer or server that is trying to send you email against a list of known or highly suspect spam sources.  The lists are provided by various third party organizations such as Spamhaus and are typically integrated into the products sold by security vendors.</p>
<p>The best part of this technique is that the check occurs at the earliest stage of the initial communication between the two servers.  If the IP address is considered to be a spam source then the connection is terminated before time and server resources are wasted by accepting any further part of the email content.</p>
<p>This meant greater efficiency in spam protection systems compared to earlier techniques that involved checking the entire message content for certain keywords or strings that matched a database of known spam.  This technique is still used today, but it is only performed on email that first passes the IP filtering checks.</p>
<p>Some estimates put the amount of spam that is typically stopped by IP filtering at around 80-90%.  That is up to 90% of spam (not of total email traffic) that can be prevented by IP filtering, usually with very few false positives.</p>
<p>The remaining 10-20% poses a bigger challenge.  These emails need to be checked more thoroughly for other characteristics such as:</p>
<ul>
<li>Sender address/domain</li>
<li>Email body content such as text or URI (Uniform Resource Identifier, often called a URL by web users)</li>
<li>Images and file attachments</li>
</ul>
<p>This is because spam emails can come from trustworthy sources such as webmail providers and ISPs in which specific accounts have been compromised by a phishing attack.  As a result they cannot be blocked reliably on the basis of sender address/domain.<span id="more-2265"></span> These checks are also computationally more expensive and more prone to false negatives when new spam techniques emerge.  One of these new techniques is the use of <a href="http://www.allspammedup.com/2009/07/prevent-phishing-by-blocking-url-shortening-services/">URL shortening services</a> to cloak malicious website addresses.</p>
<p>URL shortening sites typically do not police the links that people create using their services, which elevates the risk of them being used for malicious purposes.  However, the services do often provide an API that can be accessed by other applications, which has led to the emergence of sites and web browser add-ons that can be used to manually check a shortened URL before it is clicked on.</p>
<p>This process is manual and tedious though, and relies on the weakest point in spam prevention – the end user.  Only the most security conscious end user will do this check even some of the time.</p>
<p>But the combination of URI filtering and URL shortening APIs offers the chance for the problem to be attacked from two angles.  Email security products could possibly detect shortened URLs and perform a check against the provider’s API to determine the actual destination address.  That destination address can then be checked against URI filtering lists for known malicious sites.</p>
<p>Though this check may be effective it is not particularly efficient.  Email servers will need to send API requests and wait for responses before determining if an email is malicious or not.  And it does not solve the issue of these services being used by spammers in the first place.</p>
<p>As an alternative, the URL shortening services could make use of URI filtering lists when providing shortened URLs to their anonymous users, and deny the creation of short URLs that lead to malicious sites.  This might eliminate the problem at the source.</p>
<p>As a positive flow-on effect of this type of change, the use of shortened URLs by spammers on social networks and other non-email communications would also be reduced, reducing the risk of several different threats at once.</p>
<p>These checks are obviously not being performed by shortening services yet.  I tested several spam URLs from a URI filtering list on a few of the popular services and none of them prevented me from creating a shortened URL.  I wonder if soon we will see them forced into action as spammers exploit their systems to the point where they are completely untrusted and actively blocked by security systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/could-better-uri-filtering-cure-email-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Slays Waledac</title>
		<link>http://www.allspammedup.com/2010/03/microsoft-slays-waledec/</link>
		<comments>http://www.allspammedup.com/2010/03/microsoft-slays-waledec/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 14:15:11 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2214</guid>
		<description><![CDATA[Microsoft notched an important legal victory this past week. A court awarded them a restraining order that has effectively cut Waledac off at the knees. The decision was the result of a lawsuit filed on February 22nd and will result in traffic being cut off to 277 domains that hold the command and control servers [...]
]]></description>
			<content:encoded><![CDATA[<p>Microsoft notched an important legal victory this past week. A court awarded them a <img class="alignright size-medium wp-image-2218" src="http://www.allspammedup.com/wp-content/uploads/2010/02/Photoxpress_5031461-400x267.jpg" alt="Photoxpress_5031461" width="187" height="124" />restraining order that has effectively cut Waledac off at the knees. The decision was the result of a lawsuit filed on February 22<sup>nd</sup> and will result in traffic being cut off to 277 domains that hold the command and control servers that run the botnet. All of the domains are located in China and will be blacklisted by VeriSign. Without its command and control servers Waledac is essentially dead because its millions of zombies can’t contact home for instructions.</p>
<p>According to Microsoft, Waledac is one of the 10 largest botnets in the world and responsible for most of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knock-offs. They had this to say about Waledac on their blog:</p>
<blockquote><p>Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.</p></blockquote>
<p>While Microsoft claims victory, it’s more than likely short-lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it every day.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/microsoft-slays-waledec/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bank/Customer Lawsuits Over Phishing Scams Rising</title>
		<link>http://www.allspammedup.com/2010/03/bankcustomer-lawsuits-over-phishing-scams-rising/</link>
		<comments>http://www.allspammedup.com/2010/03/bankcustomer-lawsuits-over-phishing-scams-rising/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 13:30:35 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2205</guid>
		<description><![CDATA[Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund [...]
]]></description>
			<content:encoded><![CDATA[<p>Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund the remaining $200,000, PlainsCapital slapped them with a lawsuit. The suit asks that the court certify their security procedures to be reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.</p>
<p>In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well worn trick used by phishers and the company says by doing so it made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.</p>
<p>In response the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore they said, the phishing site would have been obviously fake “&#8221;to any reasonably alert person who was responsible for safeguarding EMI&#8217;s financial records and digital credentials.&#8221; Ouch. Basically they are insisting it’s not their fault that the employee was stupid enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has switched to a different system. The employee apparently trusted that the phishing email was real because of the previous one) What do you think? When a phishing attack happens who should be held responsible, the victim or the bank?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/bankcustomer-lawsuits-over-phishing-scams-rising/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>3000 Credit Cards Compromised in Data Breach</title>
		<link>http://www.allspammedup.com/2010/03/3000-credit-cards-compromised-in-data-breach/</link>
		<comments>http://www.allspammedup.com/2010/03/3000-credit-cards-compromised-in-data-breach/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 13:43:55 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[data theft]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2194</guid>
		<description><![CDATA[3000 credit card numbers belonging to customers of electronics retailer Small Dog Electronics have been compromised in a data breach. The breach left the sensitive data exposed for almost a month between late December and late January. The company claims it is PCI compliant and that it was subjected to a penetration test. They are [...]
]]></description>
			<content:encoded><![CDATA[<p>3000 credit card numbers belonging to customers of electronics retailer Small Dog <img class="alignright size-full wp-image-1018" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/05/cybercrime.jpg" alt="cybercrime" width="119" height="164" />Electronics have been compromised in a data breach. The breach left the sensitive data exposed for almost a month between late December and late January. The company claims it is PCI compliant and that it was subjected to a penetration test. They are now pursuing the issue with that tester. The CEO, Don Mayer, said the security flaw has been fixed but had no other details, admitting he did not even know what language their ecommerce system was written in.</p>
<blockquote><p>&#8220;I&#8217;m very proud of our staff in terms of their reaction. We have dealt with this very responsibly, and notified customers immediately of the breach,&#8221; Mayer added. &#8220;We are doing everything in our power to reclaim our customers&#8217; trust and provide the credit monitoring services that are necessary.&#8221;</p></blockquote>
<p>Small Dog’s customers appear to be less satisfied with the company’s response, claiming the letters sent explaining the incident offer no compensation or credit protection and that although the company will provide the service if asked, many don’t realize they can ask.</p>
<p>Should a company offer credit protection in the event of a data theft? I believe so. It’s an important step in keeping your existing customers’ trust and gaining that of potential new customers. Data breaches are a growing threat. Last year the average total cost of a data breach was $6.75 million, or an average of $204 per compromised record. Security experts say there are three main causes of data breaches: system glitches, which account for 36%; malicious attacks, which account for 24%; and the most common cause, negligence or simple human error, which accounts for a whopping 40% of all data breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/3000-credit-cards-compromised-in-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sender authentication effective, but no panacea against spam</title>
		<link>http://www.allspammedup.com/2010/03/sender-authentication-effective-but-no-panacea-against-spam/</link>
		<comments>http://www.allspammedup.com/2010/03/sender-authentication-effective-but-no-panacea-against-spam/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 13:55:39 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[sender authentication]]></category>
		<category><![CDATA[SPF]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2233</guid>
		<description><![CDATA[How effective is sender authentication in contributing to the fight against spam? A recent analysis of Microsoft&#8217;s email volumes revealed some interesting findings on the subject.
The analysis conducted by Terry Zink studied the impact of two sender authentication technologies, DKIM and SPF, on his company&#8217;s email flows.
DKIM, or DomainKeys Identified Mail, allows the sender of [...]
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2237" class="wp-caption alignright" style="width: 310px"><img class="size-full wp-image-2237" src="http://www.allspammedup.com/wp-content/uploads/2010/03/zink-300.png" alt="SPF is good but not perfect at flagging spam." width="300" height="222" /><p class="wp-caption-text">SPF is good but not perfect at flagging spam.</p></div>
<p>How effective is sender authentication in contributing to the fight against spam? A recent analysis of Microsoft&#8217;s email volumes revealed some interesting findings on the subject.</p>
<p>The analysis conducted by Terry Zink studied the impact of two sender authentication technologies, DKIM and SPF, on his company&#8217;s email flows.</p>
<p><a target="_blank" href="http://www.dkim.org/">DKIM</a>, or DomainKeys Identified Mail, allows the sender of an email message to take responsibility for it while it&#8217;s in transit. It&#8217;s a way to validate a domain name identity associated with a message through cryptographic authentication.</p>
<p>While DKIM can be a way to block spam sent from hijacked domains, it&#8217;s less effective against spammers who create their own domains and spew junk from them. However, when used with some form of reputation analysis, it can contribute to cutting down spam traffic from those sites, too. The reasoning being that if a domain sent &#8220;good&#8221; mail to you in the past, it will continue to do so in the future.</p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/Sender_Policy_Framework">SPF</a>, or Sender Policy Framework, was designed to blunt another tactic used by spammers: address spoofing. It allows senders to specify which hosts are permitted to send their emails. It does that through an SPF record published in the DNS, or Domain Name System. When a message arrives at its destination, the recipient system can check the host it was sent from against the SPF record in the DNS. If it was sent from a host specified in the SPF record, the address can be assumed to belong to the originator of the message. If it&#8217;s sent from a host not in the SPF record, then it&#8217;s likely the message is spoofing its origin and can be trashed as spam.</p>
<p><span id="more-2233"></span></p>
<p>One of the problems with SPF is that it can create more problems than it solves. A case in point: a recent attempt by Intersessions, a Web site hosting services provider, to implement the technology.</p>
<p>After implementing SPF enforcement, the company had to turn it off after three days. According to the owner of the company, Jeff Koch, here are some of the reasons for abandoning SPF:</p>
<ul>
<li>Domain owners and their employees regularly send email from servers that violate their own SPF.</li>
<li>Customers were unable to receive email from important contacts.</li>
<li>Customers didn&#8217;t understand why Intersessions was blocking important email.</li>
<li>Customers couldn&#8217;t explain SPF to their business contacts, who would need to inform their IT departments to correct their SPF records.</li>
</ul>
<p>&#8220;Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program which we neither have the time or money to do,&#8221; <a target="_blank" href="http://old.nabble.com/Off-Topic---SPF---What-a-Disaster-td27710091.html">Koch wrote recently</a>. &#8220;Since we like our customers and they pay the bills it is now a dead issue.&#8221;</p>
<p>In his analysis of Microsoft&#8217;s email over a 45 day period, Zink estimated that 14 percent of the messages contained DKIM signatures, while 38 percent were validated with SPF checks.</p>
<p>Admittedly, not all the messages identified as non-spam by the sender authentication technologies were pristine, but that&#8217;s to be expected, Zink contended. &#8220;I don’t know of anyone worth their salt in the anti-spam world that would assume that a message authenticated using either of those two technologies must therefore be valid,&#8221; he said.</p>
<p>Nevertheless, as a first pass through email, the technologies did well. Only eight percent of the messages with DKIM signatures were later flagged by content filters as spam. The success rate for SPF was good, too&#8211;only 10 percent of the messages passing SPF muster were later canned by the email system&#8217;s spam filters.</p>
<p>&#8220;So,&#8221; Zink concluded, &#8220;the probability that an authenticated technology is high, but it is no guarantee.&#8221;</p>
<p>A more detailed analysis by Zink of the SPF results also proved intriguing.</p>
<p>That analysis looked at the various ways an SPF record can be evaluated and how it may influence the likelihood of a message being tagged by content filters after being classified as non-spam. For example, evaluations such as &#8220;neutral&#8221;&#8211;meaning no host was specified in the SPF record; &#8220;hard fail&#8221;&#8211;meaning the message came from a host not designated as an appropriate sender; and &#8220;none&#8221;&#8211;meaning a domain does not have an SPF record&#8211;don&#8217;t seem to have any influence on whether or not a message is subsequently marked as spam.</p>
<p>&#8220;This can be interpreted in two ways,&#8221; <a target="_blank" href="http://blogs.msdn.com/tzink/archive/2010/02/23/some-stats-and-figures-on-dkim-and-spf.aspx">Zink wrote</a>. &#8220;Either (1) there are lots of people out there who aren’t spamming despite doing no authentication, or (2) authentication hasn’t really caught on yet the way we in the email industry would like.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/sender-authentication-effective-but-no-panacea-against-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will Virtualization Protect Businesses from Botnet Infection?</title>
		<link>http://www.allspammedup.com/2010/03/will-virtualization-protect-businesses-from-botnet-infection/</link>
		<comments>http://www.allspammedup.com/2010/03/will-virtualization-protect-businesses-from-botnet-infection/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 14:56:57 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[Honey Pots]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2240</guid>
		<description><![CDATA[Virtualization has been a growing trend in business computing over the last few years.  Companies are able to use virtualization to reduce costs and improve efficiency.  What started at the server level is also infiltrating desktop computing, with virtualized desktops now showing up in a lot of environments.
Another recent trend has been the appearance of [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2241" style="border: 0pt none; margin: 10px;" title="Botnet Infection Protection" src="http://www.allspammedup.com/wp-content/uploads/2010/03/bees.jpg" alt="bees" width="250" height="203" />Virtualization has been a growing trend in business computing over the last few years.  Companies are able to use virtualization to reduce costs and improve efficiency.  What started at the server level is also infiltrating desktop computing, with virtualized desktops now showing up in a lot of environments.</p>
<p>Another recent trend has been the appearance of botnets that have the ability to detect when they are being studied by security researchers.  Often this study is taking place using honey pots, which are fake systems set up by researchers to be deliberately infected with malware so that they can study its behaviour.</p>
<p>This has led some security experts to predict that soon it will be common for botnets to actively look for the signs of a honey pot and either deactivate those systems, or perhaps even generate DDOS attacks against the researchers.</p>
<p>The CTO of database security firm Imperva, Amichai Shulman, <a target="_blank" href="http://www.theregister.co.uk/2010/03/02/honeypot_anti_security_countermeasures/">suggests that</a> “Most honeypot machines are based on a virtualization platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there.”</p>
<p>The intersection of these two trends could have a positive outcome for businesses concerned about botnets infecting their corporate systems.  If botnets actually did begin shutting down when virtualization platforms were detected, then the use of virtual desktops could in itself prevent a botnet from becoming active.<span id="more-2240"></span></p>
<p>As it stands now, virtualizing desktops does offer some benefits for malware prevention.  Virtualized desktops will usually operate in a more locked down state than hardware-based desktop fleets.  This is not always because of poor administration of the hardware fleet. Often it is because the administrative effort required to secure a hardware fleet makes it more prone to exception or error than a centralized virtual desktop environment.</p>
<p>The rapid deployment capabilities of virtualized desktops also mean that any malware infections that do occur can be quickly dealt with by destroying that particular instance and provisioning a new one.</p>
<p>It will be interesting to see if botnets do continue along this trend of attempting to detect honey pot systems, and whether that does deliver an unintended benefit to businesses that are embracing desktop virtualization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/will-virtualization-protect-businesses-from-botnet-infection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Military Personnel Targeted by Zeus</title>
		<link>http://www.allspammedup.com/2010/03/military-personnel-targeted-by-zeus/</link>
		<comments>http://www.allspammedup.com/2010/03/military-personnel-targeted-by-zeus/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 13:09:44 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Zeus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2192</guid>
		<description><![CDATA[A new phishing attack launched by Zeus has taken aim at military personnel and intelligence officials in several countries including the US. The spammers behind the attack exploited a trusted security firm and sent fake messages pretending to be from the firm. Using social engineering tricks they sent messages to the same people their earlier [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1695" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/598413_hacker.jpg" alt="598413_hacker" width="300" height="134" />A new phishing attack launched by Zeus has taken aim at military personnel and intelligence officials in several countries including the US. The spammers behind the attack exploited a trusted security firm and sent fake messages pretending to be from the firm. Using social engineering tricks they sent messages to the same people their earlier phishing attack had targeted. The messages acknowledged the attack and asked them to download a zip file that claimed to be a security patch that would fix the vulnerability that allowed the earlier attack. The file has just a 35% anti-virus detection rate.</p>
<p>Unlike most phishing attacks, which tend to target banks and other financial firms with the goal of monetary gain, this attack is much more worrisome. While the kind of information that could be stolen in such an attack could be sold for huge sums on the black market, the other implications are far more serious. Should a hacker gain access to a military or intelligence computer there is no telling what kind of havoc they could wreak. It could result in a national security crisis. This should be of particular concern to the US government, which has come under fire in recent months for its poor cyber security practices. Last week, the Bipartisan Policy Center hosted a simulation of a cyber attack on the US and the government failed miserably. Security experts say the government is woefully unprepared for a cyber attack and that it’s no longer a question of if one will occur, but when.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/military-personnel-targeted-by-zeus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nearly 2,500 Companies Hacked in Ongoing Cyberattack</title>
		<link>http://www.allspammedup.com/2010/03/nearly-2500-companies-hacked-in-ongoing-cyberattack/</link>
		<comments>http://www.allspammedup.com/2010/03/nearly-2500-companies-hacked-in-ongoing-cyberattack/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 16:02:31 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Zeus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2181</guid>
		<description><![CDATA[A widespread cyber attack that started 18 months ago has affected nearly 2,500 businesses and government agencies. Led by a Zeus variant, it infiltrates corporate and government networks and steals passwords, log on credentials, banking info and other confidential data.
The Zeus botnet has over 74,000 infected PCs under its control and is using them to [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1018" src="http://www.allspammedup.com/wp-content/uploads/2009/05/cybercrime.jpg" alt="cybercrime" width="200" height="274" />A widespread cyber attack that started 18 months ago has affected nearly 2,500 businesses and government agencies. Led by a Zeus variant, it infiltrates corporate and government networks and steals passwords, log on credentials, banking info and other confidential data.</p>
<p>The Zeus botnet has over 74,000 infected PCs under its control and is using them to carry out the attack. 10 federal agencies are among the victims and there is no telling just how much sensitive data the hackers have stolen. Security firm NetWitness did manage to intercept 75GB of stolen data, but there is likely much more out there.</p>
<blockquote><p>&#8220;The botnet is still active and still actively being managed by the organized criminal activity behind it,&#8221; NetWitness CTO Tim Belcher told <em>The Register</em>. &#8220;Over the last month, we&#8217;ve seen it retask its (victim) members half a dozen times looking for different types of information.&#8221;</p></blockquote>
<p>In a surprising twist, the firm discovered that the affected PCs were also infected with Waledac. This could mean there are two cybergangs working together or merely that a solitary gang is using more than one strain of malware to avoid detection.</p>
<p>Among the organizations attacked are Merck, Paramount Pictures, and Cardinal Health. All in all, organizations in 196 countries around the world have been attacked. Rumors are swirling that even the Pentagon was hit, but they are declining to confirm any such breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/nearly-2500-companies-hacked-in-ongoing-cyberattack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Disturbed Spammer Targets Law Firm</title>
		<link>http://www.allspammedup.com/2010/02/disturbed-spammer-targets-law-firm/</link>
		<comments>http://www.allspammedup.com/2010/02/disturbed-spammer-targets-law-firm/#comments</comments>
		<pubDate>Fri, 26 Feb 2010 08:08:12 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2202</guid>
		<description><![CDATA[A San Francisco law firm has found itself the target of a disturbed spammer. A woman named Leslie Brodie has been spamming a “petition” to law firms and law students across the country. The petition claims to be part of a campaign to “End racism/sexism in U.S. law firms” and slams the small firm of [...]
]]></description>
			<content:encoded><![CDATA[<p>A San Francisco law firm has found itself the target of a disturbed spammer. A woman named Leslie Brodie has been <img class="alignright size-full wp-image-213" src="http://www.allspammedup.com/wp-content/uploads/2008/11/883985_business_law1.jpg" alt="883985_business_law1" width="162" height="107" />spamming a “petition” to law firms and law students across the country. The petition claims to be part of a campaign to “End racism/sexism in U.S. law firms” and slams the small firm of Kerr &amp; Wagstaffe and partner James Wagstaffe, who also teaches at UC Hastings Law. Brodie’s spam claims the firm favors white males for lawyers and partners and attractive white females for associates.</p>
<p>When a Berkeley law student received the spam and demanded to be removed, citing the CAN-SPAM Act, Brodie sent off a rant to the school’s dean claiming free speech and that she was being harassed, and also that the CAN-SPAM Act did not apply to her because she was not selling anything. She also threw in some racist slurs for good measure.</p>
<blockquote><p>Also, the CAN-SPAM Act of 2003 (the “ACT”) applies only to emails which are commercial in nature. It is obvious that the email which was sent was not intended to sell any goods or services, but rather was political in nature. As such, Ms. PERFECTLY-REASONABLE-BOALTIE also misrepresented the content of the ACT in order to trick and deceive me as to the state of the law in order for the unsolicited email to stop. This attempt to mislead and trick an opponent as to the content of the law is a very serious misconduct which also reflects negatively on her moral character.</p>
<p>Please instruct your students/faculty/staff at Boalt Hall to refrain from making any more threats concerning unsolicited emails which they receive via the U.C. email system. That system does not belong to them, but to the People of the State of California.</p></blockquote>
<p>She then turned around and spammed her rant to even more firms, law schools and legal blogs. What makes the whole campaign even more bizarre is Brodie’s reason for launching the spam attack: She received a bad grade in James Wagstaffe’s CivPro class. That’s right. It’s all because of a bad grade! Unbelievable. Not only that, but her identity is shrouded in mystery. UC Hastings has no record of a law student by that name, nor does the California State Bar.</p>
<p>This case is a good reminder that it isn’t just hackers and scammers that spam. Sometimes disgruntled employees, customers, or vendors will launch a vindictive spam campaign like Brodie did. Has this ever happened to your company? Let us know!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/disturbed-spammer-targets-law-firm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Boffins releasing tool to foil drive-by attacks</title>
		<link>http://www.allspammedup.com/2010/02/boffins-releasing-tool-to-foil-drive-by-attacks/</link>
		<comments>http://www.allspammedup.com/2010/02/boffins-releasing-tool-to-foil-drive-by-attacks/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 08:06:57 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[browser security]]></category>
		<category><![CDATA[drive-by]]></category>
		<category><![CDATA[scripting attacks]]></category>
		<category><![CDATA[XSS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2199</guid>
		<description><![CDATA[One of the most frightening threats facing Web surfers is the drive-by infection. The thought that their computer could be infected just by entering a Web site is a sobering one to many websters. Peace of mind, though, may be on the way, as researchers are preparing a free tool that will shield netizens from drive-by [...]
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2211" class="wp-caption alignright" style="width: 301px"><img class="size-full wp-image-2211" src="http://www.allspammedup.com/wp-content/uploads/2010/02/noscript.png" alt="NoScript is a free Mozilla extension that can counter drive-by infections." width="291" height="244" /><p class="wp-caption-text">NoScript is a free Mozilla extension that can counter drive-by infections.</p></div>
<p>One of the most frightening threats facing Web surfers is the drive-by infection. The thought that their computer could be infected just by entering a Web site is a sobering one to many websters. Peace of mind, though, may be on the way, as researchers are preparing a free tool that will shield netizens from drive-by menaces.</p>
<p>The tool is called BLADE&#8211;Block All Drive-By Download Exploits&#8211;and is designed to protect cybernauts from the roughly 5.5 million Web pages containing drive-by malware.</p>
<p>&#8220;Unlike push-based approaches adopted by Internet scanning worms and viruses, contemporary malware publishers rely on drive-by exploits for silent dissemination of spyware, trojans and bots,&#8221; the researchers from SRI International and Georgia Tech&#8217;s School of Computer Science wrote in <a target="_blank" href="http://www.springerlink.com/content/n351190v4057636r/fulltext.pdf?page=1">&#8220;BLADE: Slashing the Invisible Channel of Drive-by Download Malware.&#8221;</a></p>
<p>&#8220;Drive-by downloads, which result in the unauthorized installation of code through the browser and into the victim host,&#8221; they added, &#8220;have become one of the dominant means through which mass infections now occur.&#8221;</p>
<p>Drive-by traps typically ambush Net goers who have been tardy in keeping their computers&#8217; operating systems and applications current with the latest security patches. Browser vulnerabilities and plug-ins like Adobe Reader and Flash are favorite targets of malicious software writers. They even have &#8220;exploit packs&#8221; that will probe a Web site visitor&#8217;s computer and intelligently determine if any number of vulnerabilities remain unpatched.</p>
<p>According to the researchers, BLADE is a kernel-based monitor designed to block any malware that a site attempts to deliver through a browser. The tool is based on a simple principle. All browser downloads fall into two categories. There are supported files&#8211;files that make up Web pages, for instance, HTML, images and such&#8211;and unsupported files, such as EXE and ZIP. Typically, browsers fetch supported files silently and they&#8217;re supposed to alert a user if an unsupported file type is being downloaded. Nefarious Web sites subvert the unsupported file notification function so they can plant their dirty wares on a target computer. What BLADE does is introduce capabilities at the operating system level that prevent execution of all downloaded unsupported content that has not been directly consented to by user-to-browser interaction.<span id="more-2199"></span></p>
<p>That approach may have some problems. It could interfere with legitimate downloads of unsupported files&#8211;downloads, for instance, by programs updating themselves or patching themselves for security reasons.</p>
<p>The tool also focuses on downloads that are written to a hard disk. Some malware is never written to disk and lives only in memory. Those programs would be able to evade BLADE.</p>
<p>According to <a target="_blank" href="http://www.technologyreview.com/computing/24632/?nlid=2762&amp;a=f" target="_blank">MIT&#8217;s Technology Review</a>, the BLADE researchers have been testing their tool since January.  They have a number of virtual desktops with BLADE installed on them and expose them on a daily basis to exploit sites identified by security experts. Each black Web address is being tested against multiple software configurations covering different browsers and plug-ins.</p>
<p>The researchers told the MIT publication that more than 5150 malicious programs have been thwarted from some 1205 Web sites with drive-by capabilities. Of the total of bad apps, more than half of them targeted vulnerabilities in Adobe Reader. Another quarter focused on Sun Microsystems&#8217; Java platform. The remaining malware zeroed in on weaknesses in Adobe Flash and Microsoft Internet Explorer.</p>
<p>Some anti-virus programs include drive-by protection in their arsenal and a free extension called <a target="_blank" href="http://noscript.net/" target="_self">NoScript</a> for all Mozilla-based browsers, like Firefox, makes a similar claim.</p>
<p>NoScript allows JavaScript, Java, Flash and other plug-ins to only be executed by trusted Web sites chosen by a user. It also boasts that it provides the most powerful cross-site scripting (XSS) protection that can be found in a browser.</p>
<p>Cross-site scripting exploits programming errors made by Web developers. Those errors permit a cracker to inject malicious code from a black site into a white site. The code, for example, could be used to steal a user&#8217;s credentials to his or her banking site and allow the cracker to impersonate that user at that site.</p>
<p>With NoScript, execution of JavaScript and other plug-ins can be limited to trusted sites. Sites omitted from the white list of trusted sites won&#8217;t be able to execute scripts, which will foil drive-by locations attempting to surreptitiously install malevolent payloads on a computer.</p>
<p>&#8220;NoScript&#8217;s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality,&#8221; the company maintains.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/boffins-releasing-tool-to-foil-drive-by-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Spam Stalemate</title>
		<link>http://www.allspammedup.com/2010/02/the-spam-statemate/</link>
		<comments>http://www.allspammedup.com/2010/02/the-spam-statemate/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 08:03:52 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Social Networks]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2207</guid>
		<description><![CDATA[The Messaging Anti-Abuse Working Group (MAAWG) has released new figures that put the average volume of email spam on the internet at 90%, peaking as high as 94.2% in recent years.
Jerry Upton, MAAWG Executive Director, said “We’ve been sitting at a stalemate for probably two to three years.  Taking out the highs and lows, we’re [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2208" src="http://www.allspammedup.com/wp-content/uploads/2010/02/chess.jpg" alt="chess" width="250" height="187" />The Messaging Anti-Abuse Working Group (MAAWG) has <a target="_blank" href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1387262,00.html#" target="_blank">released new figures</a> that put the average volume of email spam on the internet at 90%, peaking as high as 94.2% in recent years.</p>
<p>Jerry Upton, MAAWG Executive Director, said “We’ve been sitting at a stalemate for probably two to three years.  Taking out the highs and lows, we’re sitting at about 90%”.</p>
<p>Figures that regularly appear from various security vendors have been telling the same story for several years now.  With the latest figures confirming the continuing trend, one might be forgiven for wondering who is really winning the <a href="http://www.allspammedup.com/2009/11/we-have-not-won-the-war-on-spam/" target="_blank">war against spam</a>.</p>
<p>Spam fighting is a multi-billion dollar industry and businesses are spending thousands or even millions of dollars each year to try and protect their networks from spam threats.</p>
<p>Network providers have had some successes by <a href="http://www.allspammedup.com/2009/12/no-more-big-spam-network-shutdowns/" target="_blank">disconnecting major spam networks</a> from the internet but in most cases the spammers have resurfaced or simply distributed their infrastructure across international jurisdictions.</p>
<p>Consumer ISPs are generally against implementing measures to prevent their customers from adding to the problem.  This despite <a target="_blank" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/02/19/BU201C4DQR.DTL" target="_blank">MAAWG’s findings</a> that “tens of millions of Web users in North America and Western Europe have clicked on spam at least once &#8211; and many of them did it on purpose”.<span id="more-2207"></span></p>
<p>Were the ISPs to implement the sort of <a href="http://www.allspammedup.com/2010/01/isps-dont-want-to-be-spam-cops/" target="_blank">changes to their email infrastructure</a> that some people say would reduce spam, this would do little for the emerging threats in non-email spam.</p>
<p>MAAWG members voiced concerns over the growing trend of “spam distributed through social networks”, a problem that is quickly becoming a <a href="http://www.allspammedup.com/2010/02/social-network-spam-continues-to-rise-businesses-feeling-impact/" target="_blank">serious threat to businesses</a>.</p>
<p>Although security vendors quickly act on new threats and techniques by spammers and criminals, the biggest vulnerabilities remain in the end user.  Many of the new attacks use strong social engineering techniques made possible by the increasingly public way in which people live their online lives.</p>
<p>And despite authorities attempting to educate the public on new threats, the criminals are able to exploit these campaigns by delivering malware as fake antivirus and spyware programs, which users often eagerly accept thinking they are protecting themselves from the threats they have been warned about.</p>
<p>For businesses the most alarming trend is the increase in targeted attacks on high profile corporate officers.  It is thought that this type of attack was used in the recent hacks of Google and other US companies.</p>
<p>The benefit of MAAWG is the open forum in which competing companies can meet and share information with ISPs, government agencies, and each other in an effort to better understand online threats.  Unfortunately their ongoing efforts seem to have maintained a long running stalemate at best.  But we should appreciate their initiative, because it’s clear that without it our situation might be far worse.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/the-spam-statemate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers Pumping Out Olympics Spam</title>
		<link>http://www.allspammedup.com/2010/02/hackers-pumping-out-olympics-spam/</link>
		<comments>http://www.allspammedup.com/2010/02/hackers-pumping-out-olympics-spam/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 16:22:30 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2168</guid>
		<description><![CDATA[It comes as no surprise that scammers have been quick to exploit the 2010 Winter Olympic Games for their own benefit. Spam claiming to have exclusive videos of events like the tragic death of Georgian luger Nodar Kumaritashvili has been spreading. The links lead to malicious sites pushing fake anti-virus software or dropping Trojans.
In addition [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2169" src="http://www.allspammedup.com/wp-content/uploads/2010/02/2010winterolympics.jpg" alt="2010winterolympics" width="147" height="147" />It comes as no surprise that scammers have been quick to exploit the 2010 Winter Olympic Games for their own benefit. Spam claiming to have exclusive videos of events like the tragic death of Georgian luger Nodar Kumaritashvili has been spreading. The links lead to malicious sites pushing fake anti-virus software or dropping Trojans.</p>
<p>In addition, scammers have set up a fake Twitter account that sends out tweets disguised to look like Olympic updates. The URL has a subtle typo but at first glance looks like the official Olympics site, Vancouver2010.com. When users visit the site they are prompted to download a codec or Flash update. The fake update is actually a Trojan.</p>
<blockquote><p>&#8220;Given the popularity of the Winter Olympics, it is not surprising that attackers are taking advantage of the event to spread malware,&#8221; said Michael Sutton, vice president of research at Zscaler. &#8220;Given the authentic nature of the attack site, lack of anti-virus signatures, use of Twitter to advertise the campaign and timing of the attack, it is reasonable to assume that it will succeed.&#8221;</p></blockquote>
<p>Other Olympic-themed spam campaigns include messages offering travel tips for those going to Vancouver or offering bus tickets and transit passes. Scammers have also used Black Hat SEO techniques to poison search results for top Olympic athletes like Bode Miller, Sasha Cohen, and Jennifer Rodriguez.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/hackers-pumping-out-olympics-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacker Gets 13 Years in Prison</title>
		<link>http://www.allspammedup.com/2010/02/hacker-gets-13-years-in-prison/</link>
		<comments>http://www.allspammedup.com/2010/02/hacker-gets-13-years-in-prison/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 13:53:33 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[spam legislation]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2183</guid>
		<description><![CDATA[A notorious hacker who ran an underground site that was a popular hangout spot for hackers, carders, scammers, spammers, and other cybercriminals was slammed with a 13-year prison sentence for his part in a series of credit card scams that cost the US $86 million.
Max Ray Vision was also ordered to pay over $27 [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1856" src="http://www.allspammedup.com/wp-content/uploads/2009/11/Photoxpress_2719779-400x289.jpg" alt="cuffs" width="187" height="135" />A notorious hacker who ran an underground site that was a popular hangout spot for hackers, carders, scammers, spammers, and other cybercriminals was slammed with a 13-year prison sentence for his part in a series of credit card scams that cost the US $86 million.</p>
<p>Max Ray Vision was also ordered to pay over $27 million in restitution. He ran CardersMarket, a forum where cybercriminals bought and sold malware and stolen card numbers, swapped war stories and socialized. His crimes, which included harvesting stolen banking and credit card information, came to a halt after the Secret Service infiltrated the site. When arrested he had nearly 2 million stolen credit card numbers in his possession.</p>
<p>Vision was facing a life sentence but it was reduced due to his cooperation with authorities. It won’t be his first time; in 2001 he spent 18 months in jail for participating in a scripting attack against the Pentagon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/hacker-gets-13-years-in-prison/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Botnet Targets Zeus</title>
		<link>http://www.allspammedup.com/2010/02/new-botnet-targets-zeus/</link>
		<comments>http://www.allspammedup.com/2010/02/new-botnet-targets-zeus/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 14:31:20 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2163</guid>
		<description><![CDATA[
A new botnet called Spy Eye has an interesting twist. Once installed it searches for traces of the Zeus Trojan, and if found, deletes it. Called “Kill Zeus”, the feature is meant to give Spy Eye exclusive control over the infected computer. It’s also capable of stealing data as it is transferred to Zeus’ command [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-2097 alignright" src="http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG" alt="Compromised computers spew spam." width="196" height="143" /></p>
<p>A new botnet called Spy Eye has an interesting twist. Once installed it searches for traces of the Zeus Trojan, and if found, deletes it. Called “Kill Zeus”, the feature is meant to give Spy Eye exclusive control over the infected computer. It’s also capable of stealing data as it is transferred to Zeus’ command and control servers, and it drops a keylogger onto the system, steals and deletes cookies in IE and Firefox, and can update itself via email. Spy Eye works much like Zeus, targeting financial information and bank accounts. The FBI says Zeus is responsible for over $100 million in losses and damages.</p>
<p>Like Zeus, Spy Eye comes as a toolkit that allows anyone with $500 to set up their very own botnet. It may be the new kid on the block but it’s far from alone. Three other botnets, Filon, Clod, and Bugat, have also been recently discovered.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/new-botnet-targets-zeus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Buzz: socnet or spam magnet?</title>
		<link>http://www.allspammedup.com/2010/02/google-buzz-socnet-or-spam-magnet/</link>
		<comments>http://www.allspammedup.com/2010/02/google-buzz-socnet-or-spam-magnet/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 15:59:34 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Buzz]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2159</guid>
		<description><![CDATA[Google is scrambling to patch the privacy holes in its Buzz application launched last week, hopefully before spammers turn the social network into a gold mine for their repugnant activities.
When introduced last Tuesday, the yawning flaws in Buzz could be seen in its privacy agreement.
&#8220;When you first enter Google Buzz,&#8221; it stated, &#8220;to make the [...]
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2171" class="wp-caption alignright" style="width: 267px"><img class="size-full wp-image-2171" src="http://www.allspammedup.com/wp-content/uploads/2010/02/Google_Buzz.svg_.png" alt="Privacy holes in Google Buzz could attract spammers." width="257" height="217" /><p class="wp-caption-text">Privacy holes in Google Buzz could attract spammers.</p></div>
<p>Google is scrambling to patch the privacy holes in its <a target="_blank" href="http://mashable.com/2010/02/09/google-buzz/" target="_blank">Buzz</a> application launched last week, hopefully before spammers turn the social network into a gold mine for their repugnant activities.</p>
<p>When introduced last Tuesday, the yawning flaws in Buzz could be seen in its privacy agreement.</p>
<p>&#8220;When you first enter Google Buzz,&#8221; it stated, &#8220;to make the startup experience easier, we may automatically select people for you to follow based on the people you email and chat with most.&#8221;</p>
<p>Assuming a user wants to &#8220;follow&#8221; someone just because they trade emails may have seemed convenient to Buzz designers, but in fact it&#8217;s a needless usurpation of a user&#8217;s ability to choose with whom he or she associates. Sure, automating who a user follows is a quick way to build a following list, but it actually adds hassle to the process as a user must manually scrutinize who he or she is following and weed out the deadwood.</p>
<p>But the boners get better. &#8220;Similarly,&#8221; the Buzz privacy statement continued, &#8220;we may also suggest to others that they automatically follow you.&#8221; Automatically putting the touch on people to follow a user based on the user&#8217;s Gmail address book is an expedient way to rapidly build a socnet without the fuss of inviting people to join individually. What the Buzz designers failed to fathom is that just because a user communicates frequently with someone in his or her address book doesn&#8217;t mean that user wants to share his or her every thought with that contact. What someone might divulge through a tweet or Facebook comment isn&#8217;t always something he or she may want divulged to a frequent email correspondent like a client or boss. Facebook understood that from the start so it&#8217;s surprising that the savvy crew at Google could make such a blunder.</p>
<p>Granted, a user can block any of his or her followers but why should the onus be placed on the user to comb out unwanted followers from a list created by Google?</p>
<p>Those inconveniences to users, though, aren&#8217;t what will be percolating the interest of spammers in the new social network. It&#8217;s the availability of a new source of public information about millions of potential marks.</p>
<p><span id="more-2159"></span>&#8220;Your name, photo, and the list of people you follow and people following you will be displayed on your Google profile, which is publicly searchable on the Web,&#8221; the Buzz statement said.</p>
<p>In addition to appearing on a public profile page, users also appear on pages of people they&#8217;re following or who are following them, if those people choose to make public their lists of followers or who they&#8217;re following.</p>
<p>These public lists of followers could be juicy morsels for Black Hats planning spear phishing or impersonation attacks. They could take a list of related followers and craft an enticing targeted message at them. When you consider that such an attack was used recently by Chinese crackers to break into Google&#8217;s treasure chest of data, you&#8217;d think the search giant would be a little more sensitive to that issue.</p>
<p>Buzz can also be used by spammers to validate email addresses. When a user checks the page of a follower and that follower allows the list of his or her followers to be public, the email addresses of those followers will appear on screen if the user has communicated with them in the past. A spammer could create a number of bogus Gmail accounts and use them to join Buzz. Then the junk mail perpetrator could follow a bunch of Buzz users, as well as the followers of those users. After collecting the user names of the followers, the spammer could begin making guesses about the email addresses of those followers. The junko artist will know when a valid email address has been created because it will be displayed on any Buzz member&#8217;s page with a public list that includes the owner of the email address as a follower.</p>
<p>Of course, the grunt work of gathering followers and followers of followers would be automated by spammers, as would be the trial and error testing needed to construct email addresses. As a bonus, a spammer could exploit the email addresses to perform targeted attacks on the members of a particular Buzz member&#8217;s network. Followers are likely to lower their guard if they believe a message asking them to open an attachment or click a link originates from someone they&#8217;re following.</p>
<p>Google appears to be just a little embarrassed by the Buzz debacle and, according to the <a target="_blank" href="http://news.bbc.co.uk/2/hi/technology/8517613.stm" target="_self">BBC</a>, has set up a &#8220;war room&#8221; to quickly address immediate and potential problems with the application.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/google-buzz-socnet-or-spam-magnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Grader Hack Highlights Social Network Spam Risks</title>
		<link>http://www.allspammedup.com/2010/02/twitter-grader-hack-highlights-social-network-spam-risks/</link>
		<comments>http://www.allspammedup.com/2010/02/twitter-grader-hack-highlights-social-network-spam-risks/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 15:27:14 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[social network]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2173</guid>
		<description><![CDATA[The security of social networks was thrust into the spotlight yet again this week with the successful hack of the Twitter Grader application run by Hubspot, a maker of social media and internet marketing tools.
The Twitter Grader application uses an algorithm to calculate, or grade, a Twitter user’s ranking among their peers.  This type of [...]
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2176" src="http://www.allspammedup.com/wp-content/uploads/2010/02/hacker.jpg" alt="hacker" width="250" height="111" />The security of social networks was thrust into the spotlight yet again this week with the successful hack of the Twitter Grader application run by Hubspot, a maker of social media and internet marketing tools.</p>
<p>The Twitter Grader application uses an algorithm to calculate, or grade, a Twitter user’s ranking among their peers.  This type of tool has been very popular with Twitter users who willingly grant access to their Twitter accounts for websites that offer this type of ego-feeding information.</p>
<p>The compromise resulted in thousands of unauthorized messages being sent from Grader users’ Twitter accounts containing a link to a web page that hosted an embedded video.  The content turned out to not be malicious and it has been speculated that this was an attempt to increase the search engine rankings of the website.</p>
<p>The hack was quickly acknowledged by Hubspot, who proceeded to take down the Grader application while they investigated the issue.  Grader users are advised to revoke access for Grader to their Twitter accounts and also to consider changing their account password.<span id="more-2173"></span> In this particular incident the fallout is mainly embarrassment for Hubspot and some disgruntled users.  With no serious data breach of Hubspot’s paid customer base the matter will quickly fade into the background with no ongoing attention paid to it.</p>
<p>The potential impact of these sorts of breaches cannot be ignored.  Social networks carry a much higher degree of trust between relative strangers than other online communications.   One of the most popular uses of these networks is sharing of interesting links, often masked by URL shortening services.</p>
<p>Simply put, the timing of the unauthorized message may have meant that it was sent by a particular user while they were conversing with an online friend and sharing a series of links with each other.  In that situation the recipient would not hesitate in clicking the spam link as well.</p>
<p>If the link was to a malicious web page that contained a web browser exploit then the number of compromised computers from this one hack would have been enormous.  The sad fact is that many computers connected to the web use outdated, unpatched operating systems, web browsers and other applications.  Even those that are completely up to date may have undisclosed vulnerabilities that hackers can exploit before security researchers can discover and patch them.  One of the most common exploits today is using PDF files.</p>
<p>For a home user a compromised computer can be a moderate inconvenience.  For a business network a compromised computer can be a major disaster.</p>
<p>So what can be done about these threats to businesses?</p>
<p><strong>Technical Solutions</strong> – filtering of social networks to only approved users, blocking of URL shortening sites, and real-time scanning of file downloads.</p>
<p><strong>Human Solutions</strong> – the cornerstone of any network’s security is the level of awareness of the end users to the potential threats that are out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/02/twitter-grader-hack-highlights-social-network-spam-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
