Featured Article

UCSF Doctor Falls For Phishing Scam and Causes Data Breach

A doctor at the UC San Francisco School of Medicine fell for a phishing scam and turned over his login credentials to hackers, exposing the personal information of over 600 patients. Demographic and clinical information on the patients, and …

2009, The Year in Spam

It has been a big year for the internet with social networks continuing to grow at an amazing pace, search engines scrambling to keep pace with user demand for fresh news, and as always spam and malware causing havoc around the world.

A look at the year’s major spam events shows some consistent trends.

  • Seasonal spam such as Valentine’s Day and Christmas remains predictable
  • Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
  • Spam networks are becoming more distributed and resistant to shutdown attempts
  • Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
  • Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering

Here is a look at some of these major events throughout the year.

January

Scams promising free money from US government grants attempt to exploit the news of corporate bailouts and the increase in unemployment.

Fake CNN news alerts take advantage of a clash between Israel and Hamas.

Global spam volume begins returning to normal levels after the McColo shutdown of November 2008.

The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he has resigned, and attempts to trick users into downloading malware.

Spammers also get a head start on Valentine’s Day with malware-carrying love letters.

February

Human error at Google marked the entire internet unsafe (is it really that far from the truth?).

The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.

Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.

March

Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.

Spammer Fined nearly $200,000 By Australian Court

A judge in Brisbane, Australia has fined a man accused of being one of the world’s biggest spammers nearly $200,000. The fine was levied against Lance Atkinson after the court found him in violation of the Australian Spam Act of …

Project Honey Pot: One billion spams and counting

Billionth spam received by Project Honey Pot.

Project Honey Pot announced earlier this month a dubious achievement: it had attracted its one billionth spam message. The e-junk purported to be from the U.S. Internal Revenue Service and informed its recipient:

“After the last annual calculation of your fiscal activity we have determined that you are eligible to receive 760,635 tax refund under section 501(c)(26) of the Internal Revenue Code. Please submit the Tax Refund Request form and allow us 3-9 days to process it.

“Yours faithfully,
“Sarah Hall Ingram, Commissioner”

Although the spammers forgot to put a dollar sign in front of the refund amount, they were accurate in some other details in the message. There is a section 501(c)(26) of the Internal Revenue Code. It lists non-profit organizations exempt from some federal income taxes, and subsection (26) includes in that category “State-Sponsored Organization Providing Health Coverage for High-Risk Individuals.”

Sarah Hall Ingram is an IRS commissioner, but not the IRS commissioner, as the letter would lead one to believe. However, she is the commissioner of the agency’s Tax Exempt/Government Entities Division, which would be a believable source for the message.

Project Honey Pot is a community of tens of thousands of web and email administrators from more than 170 countries around the world who are working together to track online fraud and abuse.

According to the Project, the IRS spam was sent from bot malware running on a compromised machine in India. It noted that the email address used by the bot was originally harvested on Nov. 4, 2007 by a grim reaper that has sent more than 53 million messages to the address since that time.

Hackers and Spammers Now Creating Their Own ISPs

Security researchers say botnet herders, malware authors, spammers, and other cybercriminals have begun taking matters into their own hands and creating their own ISPs. Now that even so-called “bulletproof” ISPs are being pursued and shut down, cybercriminals have decided that …

Hackers and Spammers Already Exploiting Starlet’s Death

Actress Brittany Murphy’s sudden death yesterday at the age of 32 shocked Hollywood and her fans, but hackers and spammers wasted no time in exploiting the tragedy. Already the top results for searches about her death are all malicious, leading …

New Malware Attack Infects Nearly 300,000 Sites

A security researcher recently discovered a new malware attack that has poisoned nearly 300,000 websites. The SQL attacks began last month and use a hidden iframe to redirect visitors to a malicious site that is programmed to look for and …

Unreported Spam Costing Billions

Sky News UK has reported on the results of research into victims of online fraud. The survey revealed that some fraud is never reported due to embarrassment, indifference, or simply not being aware that the fraud has even occurred.

These reasons might seem strange to some people who would assume that any fraud victim would want to see justice and would immediately report the matter to the authorities. Unfortunately online fraud caused by spam, phishing, and other scams often does go unreported. Let’s take a closer look at the reasons for this, and why those reasons should be put aside in favour of more reporting.

Embarrassment

There are a few different reasons why someone may be too embarrassed to report a fraud. The first is if the amount of money lost is very high. Being scammed out of your life savings would be a devastating and embarrassing event that a lot of people would feel so ashamed about that they may want to keep it secret. An attitude of “I should have known better” can sometimes play a role in this.

Another reason is when the nature of the scam is sensitive and embarrassing. Examples of this include Russian mail order bride scams and fake male enhancement drug scams. In both cases a person could easily be too embarrassed to admit they were attempting to purchase those items in the first place, on top of the embarrassment of being a fraud victim.

It takes a lot of bravery to come forward and admit you were fooled. Two things should be remembered here – firstly, these are professional criminals, often with very effective methods for tricking people. Secondly, reporting your incident to the authorities can help prevent other people from becoming victims in future.

Indifference

Say what you want about criminals, but they usually aren’t stupid. It might seem strange to look at them this way, but a lot of online criminals are basically malicious marketers, and have all of the skills that honest marketers have. One of these is an understanding of human nature, and one of the natural instincts of a lot of humans is not to bother with trivial matters.

Heartland Reaches Settlement with AmEx Over Data Breach

Heartland Payment Systems announced it has reached a settlement with American Express regarding the massive data breach revealed earlier this year. The $3.6 million dollar settlement is only the beginning for Heartland as they are also working on reaching settlements …

MP3 Spam Returns

Surprised researchers have discovered that MP3 spam has returned. It was last seen in 2007 and like PDF spam, was thought to have been discarded by spammers in favor of simple link spam. However, late last week security researchers discovered …

Last Comments

  • Aussie on India Tops List of World’s Biggest Spammers August 16, 2014

    ALL my SEO spam comes from Indians. They are a big pain in the arse.

  • Andrew on Spammers Get Sleazier with Attachment within Attachment Technique August 14, 2014

    This is more relevant to the home user, who typically operates with a low level of protection against such threats. Businesses will employ sophisticated techniques at the border (eg: removal of or cloaking of ZIP files to render inert). Home users have no such luxury available to them at a reasonable cost. Until ISPs actually start offering business grade mail protection/filtering to their customers, then the consumer is on his/her own and must remain diligent. If you didn't initiate a request with the sender, then don't open the damned attachment. If you get an email claiming to be from your bank which contains an attachment, don't open it - your bank would never send you a ZIP'd archive to open anyway. Check links contained in email body before you go ahead and click on them - for instance, hovering over a link in an email will usually display a tooltip with the actual web address encoded, rather than the false link displayed in the email content. Simple checks that anyone can perform before committing a single or double-left click on something that could cost dearly.... Diligence people! If you are, then you already made the spammers hit-rate that much lower, by simply not sleep-walking into an infection. Relying on anti-virus/malware protection apps is allowing people to abrogate themselves of a basic responsibility to know what you're doing and how it can affect your machine - adversely or otherwise. We insist that people reach a basic level of proficiency to drive a car. We need something similar for the consumer directed web....

  • Santine on Does Legitimacy Make LinkedIn and Zoosk Spam All Right? July 31, 2014

    Before we go any further--let's skip Papa John's--let's go back to the main issue: these huge companies that are allowed to spam simply because they are, well, and sending mails is just a way of marketing their products and services more. That's definitely a bull, don't you think? The title is even misleading since there's nothing legitimate with spamming.

  • Elizabeth on Do You Trust Your Bank Not to Spam You? Read This July 31, 2014

    I've come across a book about innovation, and it mentioned that banks are some of the worst in this department simply because it is very traditional. Simply put, it just continues what it has been doing for many years, even as long as hundreds of years for those very large European banks. In the process, they don't really protect themselves when they attempt to go online and make our hard-earned money and very important personal information extremely vulnerable to identity theft, among others.