AOL users are being warned of a new phishing attack targeting the popular ISP. Customers are receiving emails claiming to be from the company’s “Safety and Security Team”. The emails claim they need to verify the recipent’s billing and account information. A link is provided, and if the recipient clicks on it they are sent to a fake AOL site and prompted to log in, then are asked to provide their credit card number and other personal info, all of which is sent to the scammers behind the attack.

This is far from the first time AOL has been exploited by scammers. Back in the 90′s AOL users were routinely sent fake emails claiming to be from AOL and asking for their login info. The scammers then logged into the compromised accounts and sent spam. The very first phishing scam I remember running into was on AOL as well, back in 1995 or so. I got an email that looked like it was from AOL saying the credit card I had on file had expired and asking me to log in and update it. I almost fell for it too, until I realized the email hadn’t been sent to the master screen name on my account, just that one sub account. Phishers and scammers have gotten a lot more sophisticated since then!

Anti-spam companies around the world generally agree that the average volume of spam travelling through the internet is as much as 90% of total global email traffic.

That is an alarming, but not surprising statistic.  Spammers have relatively low business expenses.  They only need to harvest an email address database, buy a swarm of virus infected computers to send the emails through, and they are able to pump out millions of spam emails in minutes.

Effective spam prevention costs money.  Just like insuring your property against theft, it would be nice not to have to pay to protect oneself from the evil-doers of the world, but free solutions are simply not as effective as dedicated commercial email security products.  Some businesses would prefer not to pay though, and will give some consideration to not installing an anti-spam system.

What does it cost to NOT prevent spam?

When planning an Exchange server deployment there are formulas used to size the servers and storage that will host the email system.  One of the elements of the formula is the type of mailbox user.  An “average” mailbox user is considered one who sends 10 email messages and receives 40 email messages each day.

Phishing is an example of social engineering techniques used to take advantage of human ignorance. It allows unscrupulous people to exploit the weaknesses in web security technologies. How did Phishing come about?

The word “phishing” originally came from the analogy of early Internet criminals using email lures to “fish” for passwords and financial data from a large sea of unsuspecting Internet users. The use of the “ph” in this terminology has been forgotten about over time.  It was most likely linked to hacker naming conventions such as “Phreaks”.

This can be traced back to early hackers who were involved in “phreaking” – the hacking of telephone systems.  The term was  coined during 1996, by hackers who were stealing America Online (AOL) accounts. They were picking off passwords from AOL users. The first mention on the Internet of phishing was made in 2600 hacker newsgroup in January 1996, however the term may have been used even earlier in the popular hacker magazine called “2600”.

In the early days of AOL you could create a fake account as long as you had a credit card generator. AOL smartened up to  this technique. AOL now uses banks to verify every credit card submitted.  By 1996, hacked accounts were called “phish”.  By the time 1997 rolled around phish were actively being traded between hackers as a form of currency. There are instances where Phishers would routinely trade 10 working AOL phish for a piece of hacked software. This type software was referred to as “warez“, which is stolen copyrighted applications and games.

Currently, there are 16 Top Level Domains (TLDs) including the well-known .com, .net, .edu and .org and the not-so-well known .cat, .coop, .jobs and .mobi. However, the body responsible for coordinating the internet’s address system – the Internet Corporation for Assigned Names and Numbers (ICANN) – plans to radically change that this year by creating between 200 and 800 new TLDs. What’ll this mean? Basically, that companies and organizations will be able to register their brand name as a domain – in other words, walmart.com could become shop.walmart or allspammedup.com could become blog.allspammedup.

ICANN’s plans are not without support. “It offers the fastest and cheapest mechanism to create a new layer of cyber-brand with global visibility,” claims Naseem Javed of the E-Commerce Times. But the scheme has also been widely criticised, and for very good reasons. The first problem with ICANN’s plan relates to ease-of-use. The current system, while cetainly not perfect, is nonetheless predictable and, even if we don’t know a company’s web address, we can usually work it out (for example, it’s safe to assume that eBay’s address in ebay.com). But what’ll it be under the new systems? Shop.ebay? Ebay.ebay? Or still ebay.com (should they not be prepared to spend on a personalized domain)? In short, it’s not going to be as easy to find websites. This isn’t a major problem, I suppose – it will simply mean that we’ll need to make more extensive use of search engines. Still, it will certainly be less convenient than at present.

The second problem is that companies have already made a considerable investments in the current domain name system. Websites are designed around .com and restructuring would be a major exercise (antiques.shop.ebay.com may have to become shop.antiques.ebay). This is one of the reasons that so many companies have objected to the new plan rather than seeing it as means of creating “a new layer of cyber-brand with global visibility.”

There’s a new service that lets advertisers target Twitter users by monitoring Twitter posts for keywords and allowing them to send ads to users based on their location and/or if they’ve posted links or questions in their posts. However, the company behind the service, called TwitterHawk seemed unaware that the service is basically a tool for spammers, even though they’ve already changed the TOS so the advertisers can only send one ad a day to Twitter users. (That’s not likely to do much, if they have 100 advertisers and they are allowed to send just one ad a day each, that’s still 100 ads a day being sent!)

          In response, TwitterHawk owner Chris Duell has restricted advertisers to sending only one message a day per Twitter account, and said that the restrictions on advertisements may be increased again if the service is abused or causes the Twitter community “unwanted problems”.

“We did not expect such an explosion in use of the tool and considerably underestimated its effect on the social medium,” he said.

Duell said that he would not condone the use of spam, and wanted the service to bring relevant information and services to Twitter users that would “add value” to their social networking experiences.

He added that he wanted to provide a “non-intrusive service” similar to Google Adwords, which allows marketers to target people according to their search terms.

According to a report on Internet News, some spammers are trying to game Google’s AdWords program. The spammers manipulate Google’s ad program to try to get their malicious sites to show up at the top of the paid ads. AdWords …

I read about a very innovative, though probably unlikely solution to the global spam problem in Glyn Moody’s column on Computerworld UK. Glyn takes note of the recent revelation that the US Justice Department sent out phishing emails to its …

A recent ComputerWorld story noted that a very efficient way to overcome exploits in Windows is to limit the rights of end users. ITWorld’s James Gaskin responded today with a wonderful and to-the-point piece of advice on how to handle the inevitable …

Anti-spam organization KnujOn  has released a list of the Top 10 Spam friendly registrars. Some of registrars, such as eNom, are already known to harbor spammers and malicious sites.  Since spammers and hackers tend to register large amounts of domains …

When talking about email servers the term “open relay” means a mail server that allows anyone to send email through it to any destination.  An email server may become an open relay through accidental misconfiguration by the server administrator, or from malicious action by an attacker.

How do open relays cause spam?

Open relays are like gold to spammers.  When a spammer knows about an open relay they will use it to send thousands or even millions of spam emails to recipients via the open relay server.  The benefit to the spammer is twofold – they can mask their own location by relaying through another source; and they can leverage the positive reputation of the email server they are relaying through (at least until that reputation is ruined).

What damage can an open relay do to your business?

There are many ways in which an open relay email server can harm your business -