To show how serious they are about their attempts to eradicate spam, fifteen companies have joined forces to help fight one of the most dangerous spam tactics of all – phishing.

This collective, known as the Domain-based Message Authentication, Reporting and Conformance (DMARC), has come together to develop standards that they promise will help combat the practice of spammers sending emails that appear to come from a legitimate organization.

According to DMARC, its work:

“draws upon a history of private industry collaboration with 18 months of dedicated work, to outline an enhanced vision for email authentication that can scale up to today’s Internet needs.”

Who Is DMARC?

The group of fifteen who have dedicated resources to this fight consists of:

• Agari
• American Greetings
• AOL
• Bank of America
• Cloudmark
• Comcast
• Facebook
• Fidelity Investments
• Google
• LinkedIn
• Microsoft
• PayPal
• Return Path
• The Trusted Domain Project
• Yahoo!

And just what exactly they are trying to do is create a specification that allows senders and receivers of email messages to share information with each other about their authentication infrastructure to make sure that emails come from the organization they claim to be.

According to their website, DMARC attempts to address this by providing coordinated, tested methods for:

Domain owners to:

• Signal that they are using email authentication (SPF, DKIM),
• Provide an email address to gather feedback about messages using their domain – legitimate or not,
• A policy to apply to messages that fail authentication (report, quarantine, reject).

Email receivers to:

• Be certain a given sending domain is using email authentication,
• Consistently evaluate SPF (Sender Policy Framework) and DKIM(DomainKeys Identified Mail) along with what the end user sees in their inbox,
• Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks,
• Provide the domain owner with feedback about messages using their domain.

So What Makes DMARC Different?

Most companies already employ some type of analysis on incoming email messages to include SPF and DKIM so this specification isn’t turning to something new. In fact, they recommend a continued approach employing other techniques such as high quality spam filters and rate limiters to form a well rounded solution to fighting spam.

What DMARC is trying to do is to standardize and streamline the process of analyzing messages because participating companies can rely on the coordination of the group to establish trust when it comes to determining whether or not a sender is legitimate.

In plain English, DMARC looks to form a conglomerate of cooperation between email senders and receivers (the organizations like Google, Microsoft, Yahoo!, etc. not the individual users themselves) who share information about the emails they send to each other. Turning to the information made available to the group, it can be easier to see whether or not an email is spoofed spam or a legitimate message worthy of delivery.

Not only is it the hope that less spam will make it through, but that resources will be streamlined as a result of these efforts as well. Large datacenters could see a positive result if all goes as planned.

The Flipside

Of course not everyone is completely sold that DMARC’s work is a panacea when it comes to ending spoofing and spam.

John Levine, one of authors of the DKIM related Author Domain Signing Practices (ADSP) standard, had this to say in an interview with Information Week:

“It’s a good thing as far as it goes, but it does have some of the chronic Internet tendency to put a steel door on a cardboard box.” Like many security standards that are not mandatory, if it’s not implemented then it won’t fail. Neither DKIM nor SPF are at the point where a recipient can say that they will only accept messages that use them. Therefore you still need to keep your eyes open.”

Using Bank of America as an example, it was pointed out in the same article that to fight phishing and spoofing in the past domains suggestive of the name Bank of America, as well as typos, were purchased en masse. Because the pool is so large, Bank of America was not able to purchase every domain available. For example, wwwbankofamerica.com is not owned by them.

So if an email arrives from support@wwwbankofamerica.com it won’t fail any of the checks from SPF or DKIM because it is not a spoofed email address. By all accounts, the sender is legitimate.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Will DMARC Have Much Impact on Spam?

Malware developers seem to appreciate a little humor when it comes to naming their schemes. One of the latest email scams to invade inboxes everywhere is no exception, it seems, and the FBI has been quick to let businesses know that if they don’t keep their eyes open for a phishing scam originating in an email from FDIC, NACHA and the Federal Reserve, opening the mail’s attachment could be one of the most devastating choices in a young 2012. Worse yet, this new scheme appears to be linked to the Lord of the Greek gods – or its eponymous malware, anyway.

‘Game over’ is never a good thing, whether it means that your last ship has been destroyed and your quarter spent, whether it’s a lame and overused witticism that yet again has found its way into the mouth of Hollywood’s action hero du jour, and yes, even when cyber criminals are searching for just the right name for their latest piece of malware. While we’re not averse to debating the first two, our interest here is firmly with the latter. It seems the U.S. Federal Bureau of Investigation shares that interest, as evidenced by a security bulletin earlier this month that identifies a new email scam, one which cyber criminals have decided to call – what else? – Gameover.

Gameover is a phishing attack that appears in the form of spam emails spoofing the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Bank, or the National Automated Clearing House Association (NACHA). Like a multitude of others, the scheme preys on users’ fears and/or lack of vigilance, informing them that there has been a problem with their bank account or an ACH transaction (ACH stands for Automated Clearing House, a network for financial institutions in the U.S.). Sufficiently frightened, recipients are encouraged to click the included link, which instead of resolving the issue, takes the user to a malicious site where the Gameover malware is executed.

The malware has been identified as a variant of ZeuS, a notorious piece of malware which has been responsible for stealing financial information through the practice of keylogging for a number of years. Once activated, the cyber crooks can steal banking information such as account numbers and passwords.

As if that wasn’t enough…

More than just a keylogger, however, ZeuS (and coincidentally, Gameover) has an added payload. According to the FBI:

“After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site — probably in an attempt to deflect attention from what the bad guys are doing.”

But wait – there’s more!

In what sounds like a novel involving international intrigue, FBI investigations have been able to trace the attacks as far as to jewelers, as the stolen funds are used to purchase “precious stones and expensive watches from high-end jewelry stores”. The crooks contact the jeweler, tell them what they’d like to purchase and inform them that they will wire the money the following day. The following day, a “money mule” – a person involved in the money laundering part of the crime – shows up at the jewelry store to pick up the merchandise. The jeweler confirms that the money (the stolen money from the spam scheme) is in their account and upon doing so, turns the merchandise over to the mule, who in turn delivers the merchandise to the crooks or converts it into cash that upon being transferred, is effectively laundered.

Wow – It really is the stuff of imagination, but even more interesting is that the FBI has suggested that the mules could be unsuspecting victims of those omnipresent ‘work at home’ schemes that we see everywhere. While the federal agency has confirmed that many of the mules are willing participants, it has also noted that an increasing number are likely people who have succumbed to these schemes and have been unwittingly recruited into laundering money stolen from victims of the spam scheme.

Be on the lookout for this one and advise your staff ASAP. At very most, it could be a story worthy of a novel. At very least, it could save you and your users plenty of headaches and lost funds.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

FBI Declares ‘Gameover’, Link to ZeuS

People just weren’t spending as much money in the malls and department stores.

However every single study of consumer spending did show that companies with a strong online presence had a significant boost in sales this past year, including the holiday shopping season. In fact during December alone, non-store sales rose 10.6 percent from the same time one year ago. Even automobile sales online boasted a 9.5 percent increase.

To make sure they can stay competitive in the online retail sector, businesses must strive to build, and at the same time maintain, a solid reputation on the Internet.

Of course it was only a matter of time before spammers realized this as an opportunity to take advantage of this trend to dupe business owners into downloading dangerous malware.

How the Scam Works

Businesses are sent an email branded with the Better Business Bureau logo that reads:

“Thank you for supporting your Better Business Bureau (BBB). Your BBB receives more than 6,500 requests for information every day and provides reliability reports to consumers 365 days a year, 24 hours a day, and 7 days a week.

As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.

We encourage you to use our ONLINE FORM to provide us with this updated information. The URL below will take you directly to this form on our website:

CLICK HERE to login to your BBB account

You may also complete the form on the reverse side of this letter and mail to PO Box 1000; DuPont, WA; 98327; or fax to (206)436-5496.

Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily. In addition, many consumers may search our database using your e-mail and/or Web address, so please be sure to include this information as well. As a BBB accredited business, you receive a free hyperlink from your online reliability report to your company Web site if provided to us.

Thank you again for your support, and we look forward to receiving this updated information.

Sincerely,

Accreditation Services”

Eager to keep their information and good standing current, business owners and managers who click the link are not taken to a legitimate site hosted by the BBB. Instead their computer downloads malware and their account credentials are compromised by the phisher.

Another version of the phishing scam informs the recipient of the email that a negative review of their company has been posted to the BBB site. To refute the claim, the recipient must click on the supplied URL and address the problem. Failure to do so would result in the complaint resulting in a bad report being filed.

The URL here also directs the victim to a malicious site and has the potential for account credentials being stolen.

Fighting Back

This newest scam is the third of its kind in the last three months targeted at business owners.

Businesses have been instructed, by the BBB, to contact them directly if they receive emails claiming that they have received a negative complaint or that their information is incorrect or incomplete.

The Better Business Bureau is also taking steps to fight the problem, enlisting the help of the FBI.

“Our national organization in Arlington, Va. has been working for three months with the FBI, and I can tell you that they’ve closed down over 50 sites”, Katie Carrol, Director of Media Relations and Communications with the BBB, said.

They have also asked for business owners to help them fight this growing problem by contacting them at phishing@council.bbb.org if they received these emails, or any others like them.

IT departments should also be aware of this scam and take necessary precautions.

In house steps that can help prevent problems related to this latest attack, as well as others, include:

• Keeping anti-malware software up-to-date.
• Make sure anti-spam solutions are configured correctly and up-to-date.
• Make sure that employees are aware of this scam.
• Put procedures in place for employees who receive this email, or other spam messages, to report it.
• Teach employees how to better recognize spam and phishing attempts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishing Scam Targets Victims Using Better Business Bureau

Naturally, such tools would be very useful for IT departments and system administrators to educate employees on how to spot phishing scams. Employees falling for such scams are a leading cause of corporate data breaches, and such breaches can cost a company millions.

“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner?’” said Will, one of the Toolkit’s co-developers. “It seems like in every organisation there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”

While it appears the developers had honest intentions when they created the toolkit, the fact remains it could be pretty attractive to the bad guys and they have no way of controlling that. Right now it doesn’t record any data typed into the fake phishing sites it generates, but they said future versions of the kit will have that functionality. That may make it irresistible to scammers looking for a way to create phishing campaigns that’s fast and won’t eat into any profits.

What do you think? Are these toolkits helpful or just asking for trouble?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Go Phish Yourself?

The year’s off to a rousing start, with all sorts of interesting security news this week: Wikipedia led a temporarily successful foray against SOPA and PIPA by joining numerous websites that went dark for a day; the founder of Megaupload had his hands slapped when law enforcement officials told him resoundingly, “no, you can’t pirate copyrighted material” – insult was heaped upon injury when dozens of expensive cars were towed away to show him they were right; and Koobface – the Facebook botnet that has been harassing Zuckerberg for years – was taken down by its own creators after the Facebook gang teamed up with The New York Times to uncover and publish the identities of the worm’s owners. To round off the week, QR codes (like the one in the image here) may just be the latest form of spam, and news out of the Twitterverse suggests that Darwin’s cardinal rule is not only true, it’s actually a dire prophecy of our impending extinction.

The year’s less than a month old and it may already be shaping up as ‘the year of anything goes’. Topping the headlines was a mass protest against seemingly inevitable anti-piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect I.P. Act), as innumerable websites intentionally went dark on January 18. Led by students’ greatest friend and perpetual source of dubious information Wikipedia, the activist movement irritated web surfers across the globe and scored one for the little guy as the bureaucrats in Washington, DC backed off the proposed legislation and shelved the bills, albeit temporarily. It’s practically inevitable that some wily spammer will take advantage of this controversy, so keep your eyes open and watch your back.

In a related story and in the spirit of fishy timing (i.e., the same week as the aforementioned protests), Megaupload founder, Kim Dotcom, was carted off along with several other geniuses who figured they would get away with providing a conduit for copyrighted material, all the while skimming millions of dollars off the illegal activity and thumbing their noses at the FBI. German national Mr. Dotcom, lamented as his lavish New Zealand mansion was raided and dozens of vintage cars were hauled away as the spoils of war. Again, there’s more here than meets the eye, especially now that Anonymous has its back up.

In an LMAO moment, individuals responsible for Koobface – a nasty piece of malware that has been frustrating Facebook and Twitter users for years – have taken down their own command and control server after Facebook teamed up with The New York Times to uncover and embarrass five of the founders – Russian nationals living in St. Petersburg, Florida. The named individuals have scrambled to scrub their online profiles, but it’s highly doubtful that erasing their cyber identities will have much of an effect in the real world, where police carry real guns and real handcuffs.

Are QR codes the newest spam threat? Some people think so. QR – or Quick Response – codes were developed in the automotive industry and have been used for a while. Slowly entering the mainstream  over the past couple of years, they are in wide use in Japan, the UK and the US, amongst other countries. Popular because of their fast readability and relatively high storage capacity (compared to bar codes), the increased use of smartphones with cameras and QR reading apps have made the codes a prime target for manufacturers and retailers; heck, even Google’s looking at getting into the game by using QR codes as a secure login method.  The problem is that QR codes can contain virtually any information, meaning that they are already being exploited by scammers and spear phishers. Keep an eye on this one, folks – and think twice before you take a picture of that code staring you in the face.

Finally, from the Twitterverse, here’s one that, no matter how much you shake your head, won’t rid that sickening feeling that the human race is on a collision course with extinction. Perhaps a case of ‘you can’t spell Twitter without ‘twit’, this recent article shows just how careless – or ignorant, or both – web users really are. Get this: over a twenty-four hour period, more than 11,000 Twitter users shared their email addies with the rest of the world. A safe practice if we were living in Thomas More’s Utopia, but it’s not the case if you reside anywhere on Earth, which is rife with people who would just love to use that information against you. This is just a guess, but it looks like spear phishing season is open and Twitter is the local watering hole.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Week in Review: You Can’t Spell Twitter Without ‘Twit’

This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, perhaps, it’s not enough that the agency which was spoofed in the attack has reported a disruption of its own systems, but it’s also the government body responsible for identifying and mitigating just this type of thing.

On January 11, news erupted of a rather malicious little spoof email that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an email pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.

Sent with fake source addresses that included soc@us-cert.gov and the subject line Phishing incident report call number: PH000000XXXXXXX and an attachment named US-CERT Operation Center Report XXXXXXX.zip, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which executes a file named US-CERT Operation CENTER Reports.eml.exe – was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.

Oh, the Irony!

US-CERT responding by doing what it’s supposed to do: it posted a bulletin and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency has stated

“difficulty receiving emails due to the phishing campaign”

according to SC Magazine. A little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, it’s a forgivable fumble considering that the scam artists continue to get wilier and more creative in their attacks.

In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:

• Do not open the attachments in email messages from unknown sources.
• Install anti-virus software and keep virus signatures files up-to-date.
• Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
• Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.

From Russia with Malice

The story gets a little more interesting from here, when Nextgov.com reported on Wednesday that

“Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.”

It’s not clear why researchers outside of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?

Regarding the attack and its location, there’s clearly no love here, only malice. So why was an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything that nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.

It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

US-CERT Hooked by US-CERT Phishing Attack

In Part 2 of our look at what you can expect in the coming year, faint rumblings out of Japan suggest that one prediction from Part 1 of this article has already come true. If the very real prospect of becoming an innocent casualty of war isn’t enough to make you run backward toward the year that just passed, these bold predictions reveal how hackers will develop an even stronger sense of camaraderie, and how mobility is sure to become a four-letter word. And if you thought spamming and Internet scams made it personal in 2011, you ain’t seen nuthin’ yet.

How about that? 2012 wasn’t even seven days old when news out of Japan this week revealed some eerie premonitions of the things to come and earmarks of a bold prediction made one week ago.  Engadget, ZD Net and other media outlets are reporting that the Japanese government has been working in concert with Fujitsu since 2008 to develop a powerful ‘cyber weapon’ – a piece of software that, upon the detection of a cyber attack (such as DDoS, for example) tracks the attack back to the source.

Sounds pretty straightforward, right? Sure, until you consider that the software also attacks and disables every machine it finds along the trail. The goal, Engadget reports:

“is to stop the spread of a malicious piece of code by finding and shutting down, not just the source, but all middleman PCs that are also now potential hosts. In some admittedly extreme scenarios this weapon could potentially spiral out of control, taking out far more computers than intended.”

Hmm… Botnets are nothing more than large numbers of unsuspecting computers carrying out their attacks at the behest of the infector and ignorance of the computer’s owner. Japan’s little toy, while it sounds like it might be fun to take for a spin, could have the unpleasant and unprecedented effect of being the cause of some serious collateral damage. Casualties of war? Here’s a tip for everyone: while you still have a chance, give that fave desktop or laptop of yours a great big hug before it’s too late.

1. Hackers of the World, Unite

Robin Hood met Mafia Boy last year as hacktivism took center stage. Indeed, 2011 was an entertaining year for anyone who followed the exploits of Anonymous and LulzSec. The drama unfolded like a kabuki play born in the mind of Ken Kesey and brought to life by a troupe of mimes with Tourette Syndrome, and there were even a few arrests along the way to make this reality show really…ahem… arresting.

Prediction: We will see some new hacking activity from these groups, with some high profile web takedowns in the process. While that’s not a stretch, this is: hacker groups like Anonymous and LulzSec will grow in size substantially, resembling an ‘occupy’ type movement that will take the war online. The civil and social unrest of 2011 will turn to face the financial behemoth that is the Internet.

2. Mobility Means Vulnerability

If we learned anything about spam in 2011, it’s that spam is like that proverbial bum of a brother-in-law who’s been living in your basement for the past two years. It’s not going away, good luck making it work for you, and you will be out-of-pocket at some point. Spammers continued to use every means at their disposal in 2011, with SMS spam becoming a real pain in the neck. Security flaws in the two most popular smartphone platforms – iOS and Android – just accented what we already suspected: that spammers and purveyors of malware had taken their show on the road.

Prediction: 2012 will see a massive increase in mobile spam, and mobile devices will become the swords upon which we will live or die unless we get mobile security under control.

3. It’s Nothing Personal…Well, Actually, It Is

A significant development in spam and phishing in 2011 was the way in which the scam artists were getting smarter; you know, smarter in much the same way that a chunk of igneous rock living at the bottom of a fetid riverbed is smarter than a rotting patch of lichen hanging for dear life to the side of an oak tree. Like it or not, the scambags are wilier, finding new and innovative ways to pick your pocket without actually residing in the same time zone.

Prediction: The scambags will become even cleverer in their assaults, finding new methods to lull people into a false sense of security. How this will occur remains to be seen, but our bold prediction is that it will most likely involve highly targeted, multilevel campaigns where the scammer will use detailed knowledge of the targets, and multiple contact methods like email, phone, SMS and even snail mail to enact their evil schemes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bold Predictions for 2012 (Part 2)

In a turn of events appropriate for the most tumultuous year in cybercrime, 2011’s body is barely cold and we’re already smelling something suspicious from its decomposing carcass. Rumors of two worms, one well-known and the other relatively new on the scene, have some of us wondering what will happen next in 2012, and the year has only just begun. In an attempt to put the preceding year into perspective, we take a look at what might be in store for the new year and beyond with some bold and not so far-fetched predictions for 2012.

PREDICTION: A Shiny New Worm with Every Census Report, Tax Return and Piece of Monetary Currency

First up for 2012 is a prediction that all bets will be off when it comes to understanding the nature – and source – of some of the most insidious malware in the known universe. In fact, the threat and very nature of the state-sponsored malware will only get more confusing, and most likely more disturbing, as we discover where and how it’s being used.

Discovered in 2010, Stuxnet was in the news again in 2011. A worm designed to target and damage industrial control systems (like the kind found in nuclear plants), it has been a source of great debate over who created it and what its ultimate purpose represented; but few could argue that with more than forty percent of Stuxnet’s infections landing in Iran, the nation was most likely the target from the get-go. Russia and others wasted no time pointing the finger squarely at the United States and Israel as the benefactors of the worm, which surely must be state-sponsored.

It seemed inconceivable that anything could top the news that broke late in the year about Stuxnet’s connection to Conficker, suggesting that the latter, a notorious botnet, was used to deliver the payload for Stuxnet. If rumors are true that Stuxnet is state-sponsored, the implication that spam might have been part of the delivery method can and must only leave a bad taste in people’s mouths.

As 2011 wheezed out its last few painful breaths however, a new development occurred in this bizarre tale, as it was revealed that ongoing research by Kaspersky Labs on Stuxnet uncovered a direct link between Stuxnet and Duqu – a worm, discovered only in September, which shares many of the attributes of Stuxnet. In fact, media outlets are reporting that the worms are suggestive of an ‘arsenal’ of malware that has been in development as early as 2007. The code kernel has been dubbed ‘Tilded’, in recognition of the author’s habit of using filenames that begin with ‘~d’.

The Prediction: Keep your eyes open for Tilded. We will continue to see new pieces of the puzzle unveil, and they will point at the government of a country – or perhaps multiple countries working in concert – all but providing conclusive proof of the party (or parties) responsible for this new and nefarious form of warfare. What will make this story even more notorious, however, is when it becomes clear that an unsuspecting public has been a major delivery mechanism for this 21^st century warfare, through the use of spam, malware, and botnets. And if that is true, it could very well be the case that some of those spammers you curse on a daily basis are actually nation states using spam to mask their cyber intelligence activities.

PREDICTION: The Cloud Will Get Stormy

While the Cloud was one of those recurring themes that flew, for the most part, under the radar in 2011, companies like Apple and Microsoft continued to push it like it is a silver bullet and a cure-all for everything that ails small companies to major corporations.

The Prediction: 2012 will see at least three Cloud-based security events, most likely linked in some way to spam, malware, hack attacks or compromised mobile devices. Furthermore, they will be high profile events, targeting Fortune 1000 or Global 1000 companies, or less likely a government agency. Anonymous will take credit for at least one of the breaches, and there will be a link with one of the breaches to North Korea and/or China.

Next week, in Part 2 of this story, we’ll take a look at some other bold and controversial predictions for 2012, and how we can learn something from 2011 – but only if we’re ready and willing to listen to it.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Looking Back At 2011 And Bold Predictions for 2012 (Part 1)

Skammers (see what I did there?) have once again started contacting Skype users using contact names that seem designed to convince users to answer the call. Culprits include NOTIFICATION™ URGENT ACTION REQUIRED, URGENT SYSTEM NOTIFICATION, URGENT NOTICE, and others. Each of these is an attempt to use social engineering to convince the victim that the call is legitimate. I particularly like the one that bears the trademark logo for the word NOTIFICATION.

If a user answers the call, they will typically hear a prerecorded message warning them that their system has been infected or is at risk, and then they read a URL which tells them that they should immediately visit this site for further assistance. Typically these sites are phishing sites, and they may have downloads purporting to be antivirus software or security fixes, but of course they all contain malware. Some of these sites are set up to attempt to exploit your browser using a variety of attacks, hoping you are running an unpatched browser, Flash player, etc. And in at least one instance, the target reported that the site had a chat applet which connected them to an apparent human who tried to get personal information from them to set up an account for assistance.

Skype users can easily block calls from people not on their contact list, if they wish. Note that the Windows client, by default, will allow calls from anyone. If you are using Skype for business, and want to enable potential customers to call you without first requesting permission to add you to their contact list, you’re going to have to deal with potential spam calls. The rest of us can be a little more restrictive, changing the Allow calls from… to “people in my Contact list only”.

While logged on to Skype, click Skype on the menu bar, and then click “Privacy…”

In the Privacy settings tab, change the default “Allow calls from…” from “anyone” to “people in my Contact list only”.

Click “Save” and you are done.

Users of the smartphone clients will need to make these settings using a full PC client; not all settings are available in the mini versions, and this is one of those that are not, but the settings apply to the account, and not to the specific instance of the software.

Skype has recently updated the visual appearance of both calls and contact list requests to make it more obvious to users when another user tries to either call them, or add them to a contact list. If you do receive a fraudulent call, Skype encourages you to right click the contact and report them for abuse. To do this, right click the contact and select “Block This Person…” and then tick the box to “Report abuse”. Click the “Block” button and not only will the user be blocked from contacting you, but their account will be investigated for abuse, and if they are violating Skype’s terms of service, their account will be cancelled.

Skype is a great communications tool, but just like IM and email, users will have to deal with skam, err, spam. Fortunately Skype and Microsoft take this very seriously, provide the settings to help reduce this, and take reports of violations very seriously.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Should We Call It Skam?

Sung to the music of “The Twelve Days of Christmas”

On the first day of Christmas my admin gave to me,
a mailbox that’s completely spam free.

On the second day of Christmas my admin gave to me,
two herbal viagra ads,
and a mailbox that’s completely spam free.

On the third day of Christmas my admin gave to me,
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the fourth day of Christmas my admin gave to me,
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the fifth day of Christmas my admin gave to me,
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the sixth day of Christmas my admin gave to me,
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the seventh day of Christmas my admin gave to me,
seven phishing site databases
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s completely message free. (oops)

On the eighth day of Christmas my admin gave to me,
eight requests to update my account
seven phishing site databases
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox with lots of spam to see.

On the ninth day of Christmas my admin gave to me,
nine content filters
eight requests to update my account
seven phishing site databases
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the tenth day of Christmas my admin gave to me,
ten loan offers
nine content filters
eight requests to update my account
seven phishing site databases
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the eleventh day of Christmas my admin gave to me,
eleven blacklist entries
ten loan offers
nine content filters
eight requests to update my account
seven phishing site databases
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s mostly spam free.

On the twelfth day of Christmas my admin gave to me,
twelve quarantined messages…
eleven blacklist entries
ten loan offers
nine content filters
eight requests to update my account
seven phishing site databases
six Nigerian money scams
five Bayesian filters…
four fake friend requests
three DNS blacklists
two herbal viagra ads,
and a mailbox that’s completely spam free.

On behalf of all of us at AllSpammedUp.com, we wish you a very happy holiday season, and healthy and prosperous New Year. I don’t know what new spams 2012 will bring us, but I expect to see some of them predicting the end of the world and offering to share the secrets of the Mayans. Until then, keep laughing!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Twelve Spams of Christmas

It’s the most wonderful time of the year, and what better way to take a look back at the year in spam than poke a little fun at the moronic state of the crap that invades our inboxes? In a year that saw major security breaches, several high profile botnet takedowns, and an unprecedented surge in personalized scams and mobile spam, we stop to reflect upon it all and submit a simple postulate: what if Dr. Seuss had been a spammer?

As the year winds down to a close, it’s only basic human nature to look back at the year that just passed and reflect upon it. In the world of spamming and Internet scams, that’s bound to be a painfully long look, since this has been a year fraught with new scams, major cybercrime busts, and unprecedented levels of security threats. With mobile devices providing the newest threat opportunities, and SMS spam picking up a head of steam as scammers get creative, we must be even more vigilant when fighting spam-related threats.

What’s in store for 2012? One must shudder when imagining the possibilities. If anything like 2011, next year will represent an even more dangerous landscape, cluttered with mines and booby traps the likes of which we’ve never seen.

Dire prophecies and doomsday mentality aside, it doesn’t hurt to poke fun at spam once in a while, and during the holidays, no one is more fun than the venerable Theodor Seuss Geisel, known to adoring children and former children alike as Dr. Seuss. Like many households, it’s a holiday tradition around here to watch How the Grinch Stole Christmas!, an annual ritual which inspired this writer to wonder: what if Dr. Seuss was still with us, and what if, ahem, wait for it…Dr. Seuss was a spammer?

The thought itself is sure to bring a smile to the face of anyone who has endured the miserable drivel that infests inboxes like brown marmorated stink bugs. Poorly written and replete with ludicrous stories that must have been contrived during bad acid trips, these emails often frustrate us, and occasionally make us smile by virtue of their sheer stupidity. What they do not do, however, is give us any confidence that the human race is poised to survive much longer, if this epidemic of oafishness is representative of the current state of the gene pool.

So without further ado, here’s a humble attempt at imagining what spam might be like, if written by Dr. Seuss:

The Spammer Who Stole Christmas?

Dear stranger, forgive me for this intrusion

I hope my letter will ease your confusion.

I will not, cannot state it enough

This is rough stuff, even a little tough.

There’s a Libyan prince who lost his good fortune

And my offer to you is a share of the portion.

I cannot get the funds out of my land

And I hope you will aid me by lending a hand.

You see, there are sums in excess of millions

If you give me your name, I’ll give you gazillions.

It’s okay to give me personal information

They don’t extradite criminals in my tiny nation.

Your bank account and credit cards are essential

They’re only for scamming and merely referential.

This is for good cause, I must admit

Send money now and show you commit.

I do not wish to enter a heated debate

Send it fast, send it now, it cannot wait.

The funds are for my stately Kenyan mansion

It’s in great need of a major expansion.

Happy Holidays to all!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

If Dr. Seuss Was a Spammer

I explained to him that I was writing up a report on the muti-day outage a business had and that led them to call my company for assistance. You see, they weren’t using any kind of email filtering system, preferring to let clients fend for themselves. It seems that plan didn’t work out too well for them, because some grinch sent a message with links to bad things dressed up in boughs of holly, a user clicked a link, visited a malicious page, and brought down a particularly nasty malware in the form of an Elf Bowling game. That got passed around the office faster than a plate of cookies, until everyone was running it; of course you know what that meant. All of the machines were at that point zombies connecting to a command and control network, and shortly thereafter starting spewing out spam by the sleigh load.

Their ISP only bothered to do anything about it after getting bombarded by complaints from receiving systems. The ISP’s reaction was to cut off my new client’s Internet access until they could clean up their systems. And that’s when they called us in.

I flew in the late the next day, and the first thing I did was reconfigure their firewall to block outbound SMTP from anything other than their mail server, called their ISP, and got them back online. Total time without Internet access was about two days. Another two days helping their IT team to get all their workstations cleaned up, and we were at the point where they were just a bad off as they were before things started.

Fortunately the owners were at this point very open to hearing about ways to avoid this ever happening again. I worked up a proposal for a multi-layer defense strategy that closed many of the gaping holes in their network’s security. Take a look at the list of what we suggested, and how it would help protect them from another nightmare before Christmas like this:

1. Configure the firewall so outbound SMTP is only allowed from the email server. Should another infection occur, nothing will get out that would make their ISP disconnect them.
2. Configure the email server to only relay for authenticated connections, or the ip.addrs of devices approved to send email and that cannot authenticate, like scanners. This should also help ensure only legitimate email gets out.
3. Deploy email content filtering on the email system that provides both antispam and antiphishing, and also does content scanning for malware. This could have stopped that first user from clicking the link in that first email message, and will help make sure no more such emails get to end users who, as we all know, can be rather click happy.
4. Deploy web content filtering so that users’ web access is protected. We recommended a product that could do a combination of URL filtering and content scanning.
5. Deploy a managed antivirus system to ensure clients are protected from malware, kept up to date, and scanned regularly.
6. Deploy a patch management system to enable them to centrally patch operating systems and applications for all their workstations and servers. We recommended one that could handle third party software to make sure no naught Flash or PDF gremlins could affect them.
7. We also recommended they implement a vulnerability scanning application and use it regularly. This would help them to detect any new vulnerabilities in their environment before they became victims once again.
8. Finally, we suggested they start a program of user education to help their users help themselves and to contribute to the overall security of the system.

My fellow passenger seemed impressed. “You seem to have made quite a list and checked it twice my friend” he said with a jolly chuckle. “I may have to talk to my own IT team about doing the same thing back at the workshop.” I thought that was an odd thing to refer to the office as, so I asked him what line of business he was in. “Oh we do a lot of things, but this time of year we’re mostly a shipping concern”. I commented that he must be very busy this time of year. “You have no idea” he chuckled with a merry grin.

The flight was a short one for me, and as we reached the terminal to deplane, I asked if he was getting off or continuing on. Apparently he had quite a bit further to go with a final destination somewhere North of anywhere I had ever heard of. As I was wrestling my carryon bag out of the overhead bin, my companion offered me a last piece of wisdom: “Remember that users will always do things that baffle you, shock you, perhaps even infuriate you. But without them, would you have a job?”

The above was written with a little holiday spirit, but also with an eye towards 2012. As years wrap up and IT teams everywhere start to consider what projects to take on in the new year, review the list above and see how many you already do, how many are simple procedural changes, and which would make great projects for the new budget year. All of them will help with the security of your company’s IT resources, your users’ productivity, and will cut down on all the spam and phishing that grinches continue to throw our way.

As the holiday season gets into full bloom, I wish you all a very happy and joyous time with your friends and family, and the best wishes for 2012.

-Cas

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Incident Before Christmas

In a fine example of international relations, Russia and the United States exchanged gifts early this year when they announced that the two countries are entering a new level of cooperation on cyber threat analysis and the global war on cyber crime. Reports have it that the event was a festive affair, with borscht and Philly cheese steaks for all. The Russian and American Santa Clauses only got into a tiff once, when Ded Moroz, the Russian version of the jolly old elf, made a comment about his counterpart’s excessive waistline and predilection for butting into the gumbo line for seconds and thirds. The gift exchange was equally revealing, with the American delegation reportedly bursting into tears when memories of a painful childhood were wiped away with carefully wrapped Easy Bake Ovens and Tickle Me Elmos. To make matters worse, since neither side could reach agreement on a real or artificial tree, Denny’s graciously provided a chocolate waterfall – a poor choice in hindsight, since the American delegation is still recovering from the sugar highs.

Who said it isn’t the season to be jolly? Not the U.S. and Russia, who announced this week that the two countries are entering an unprecedented level of cooperation in the war against cyber crime. Reuters is reporting that the countries are planning an exchange of information on “technical threats” coming from the two countries, an interesting development considering the increasing strain on relations between the two nations.

Reuters reports that Caitlin Hayden, spokeswoman for the White House National Security Council, explained that a series of mechanisms “aimed at confidence building and crisis prevention” are being developed to “cope with alarming events in cyberspace.” While not giving up the entire goose, she is quoted by Reuters as saying in an e-mail that new measures include:

“regular exchanges on technical threats that appear to emanate from one another’s territory [and] no-fail communications mechanisms to help prevent crisis escalation and build confidence.”

Whose confidence exactly is a bit of a mystery, but perhaps the two nations will unveil that little gem at their New Year’s Eve gala in Vegas.

Admittedly, such partnerships have been in place for a while, such as the Nuclear Risk Reduction Center, but Hayden said that new initiatives are:

“cyber-specific and [the U.S.] would begin working with Moscow for the first time.”

Reuters points out that this development is nothing new, as U.S. Vice President Biden has been discussing potential joint ventures for the last month or so, but in a sound bite that will surely resonate through the ages, Biden stated:

“It’s a great deal harder to assess another nation’s cyber-capabilities than to count their tanks.”

So, what does it all mean? Well, even ill-informed cyber junkies know that Russia has been a significant source of problems in cyberspace, spam included. Whether this particular initiative will target spamming and scamming initiatives themselves or just the fallout from them – worms, botnets, phishing, and a litany of other unpleasantries – remains to be seen. Some might argue that spamming is a ‘white collar’ crime affecting Joe User and not befitting superpower focus and information sharing, but others would argue that the fallout from spam and its brethren actually rain hellfire down upon national security and international relations. At very least, they keep law enforcement agencies extremely busy and sometimes even left holding the bag. Recent suggestions that Stuxnet was delivered on the back of Conficker certainly leaves a bad taste in many mouths, not the least of which is Russia itself, which in September called out the U.S. and Israel over the insinuations.

From the get-go, this seems problematic, and it doesn’t get any better when one considers the strained relationship between the two nations purported to be partnering in this new initiative. On the heels of Russia’s accusations over Stuxnet, a Stuxnet-like attack occurred for the first time on U.S. soil when a water treatment plant in Illinois was attacked in November, an attack that, curiously, originated in Russia. As Reuters points out, there’s no love lost between the two nations, and in October a U.S. Intelligence report to congress revealed that Russia’s Intelligence services are:

“conducting a range of activities to collect economic information and technology from U.S. targets.”

Ouch. Sounds like this is going to be one of those Christmases where the in-laws end up tearing down the tree, setting the family dog on fire, and where the neighbors end up calling-in a domestic dispute. Here’s hoping the U.S. included a gift receipt with those matryoshka dolls.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Russia and U.S. Celebrate an Early Festive Season

Activity – up; average phishing uptime – down

For starters, the group has discovered that there’s been an increase in global phishing attacks, from 42,674 in the second half of 2010 to 112,472 in the first half of 2011. To anyone following the trends in phishing activity, this isn’t earth-shattering news, but interestingly enough, even though overall activity is on the rise, the average uptime of phishing attacks has dropped significantly. In the first half of 2011, the average uptime of a phishing attack was 54 hours and 37 minutes, compared to an average uptime of 73 hours in the second half of 2010.

“The “uptimes” or “live” times of phishing attacks,” the report states, “are a vital measure of how damaging phishing attacks are, and are a measure of the success of mitigation efforts. The longer a phishing attack remains active, the more money the victims and target institutions lose.”

The report notes that the first 48 hours of a phishing attack are the most critical, as they represent the most lucrative time for the scammers, so quick takedown is an essential component of anti-phishing efforts.

More than a third of attacks involved shared servers

APWG’s report cites the increased use by phishers of shared virtual servers as a primary reason for this.

“Nearly every year we see a new tactic being used by phishers that drastically affects our Statistics,” APWG says, but this year the group has seen “a dramatic rise in what is actually an old tactic, but one that has been obscure until recently.”

As stated, the hacking of servers that host a large number of domains isn’t a new tactic, but the technique employed by the hackers is interesting, to say the least. According to APWG’s findings, the phishers, upon hacking the server, are placing a single copy of their phishing content on the server and then updating the server configuration to include that content in all the domains hosted by the server – effectively, every site on the server now has an infected section that can be accessed via a specific subdirectory.

To wit, the report states, “instead of hacking sites one at a time, the phisher can infect dozens, hundreds, or even thousands of web sites at a time, depending on the server.” The numbers are a tad staggering, according to APWG, which “identified 42,448 unique attacks that utilized this tactic, each using a different domain name. This was 37% of all phishing attacks worldwide.”

Phishers, apparently, have a hankering for Chinese

Perhaps most interesting in the new report is the massive increase in targeted activity by Chinese at Chinese.

“Attacks perpetrated largely by Chinese criminals,” APWG reports, “victimize Chinese Internet users and steal their credentials for Chinese e-commerce and banking sites.”

Attacks increased by 44% over the first half of 2011 and a mind-blowing 70% of malicious domain registrations worldwide were specifically targeted at Chinese institutions in the past six months. While APWG is identifying the source of these phishing attempts as being from China and directed at China, interestingly enough the Chinese phishers are using “free and low-priced” domain providers outside of China.

For whatever reason, the Chinese phishers have chosen to bypass the hacked domain route.

“Unlike most phishers, Chinese phishers do not use many hacked domains. Instead, they continue to register domains, on which they set up their phishing pages. Of the 11,192 domains used in 1H2011, at least 10,179 of them (91%) were maliciously registered, up from 5,895 in 2H2010.”

Interesting stuff this, and well worth the read. There’s more in the report to keep your head spinning, so head on over to APWG’s site and check out the downloadable PDF.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

APWG: Massive Surge in Phishing Targets Chinese Sites

A variety of phishing attacks are pounding the net this month.

While some claim phishing may be a dying art, as long as there are people foolish enough to fall for the scams, phishers will stick around. Here’s a look at the current phishing topics making news.

Phishing Scam Hits StubHub Users:

 http://www.ticketnews.com/news/StubHub-warns-customers-about-phishing-scam101127538

Netflix Brandjacked for Phishing Campaign:

http://www.nbcdfw.com/news/tech/Phishing-Email-Tries-to-Net-Netflix-Customers-133659803.html

Spear Phishers Target Chemical and Defenese Company:                                          

http://arstechnica.com/business/news/2011/11/nitro-spear-phishers-attacked-chemical-and-defense-company-rd.ars

Paypal Labeled Major Phishing Risk:

http://www.spamfighter.com/News-17027-E-mail-Phishing-Threat-PayPal-Users-at-Risk.htm       

Holiday Shoppers Warned About Phishing Attacks:

http://www.gmanews.tv/story/238156/technology/holiday-shoppers-warned-vs-12-online-scams-of-christmas   

Let us know about stories we missed and what you’re thinking about the stories above!      

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

November Phishing Roundup

While I personally do not understand the appeal of Facebook, I have to acknowledge that it is a major force on the Internet, and an important part of a lot of Internet-savvy folks’ lives. It’s not just for the kids; even my CEO is on Facebook, and I swear his VCR was blinking 12:00 at last year’s Christmas party! Look around your office, and then check your web proxy logs (or your DNS server’s cache if you don’t filter Internet access) and I guarantee you’ll see that Facebook is a big deal in your office too. It’s that almost universal appeal that makes it such a useful tool for attacking unwitting users.

I’m starting to see dozens of emails each day that on the surface appear to be notifications from Facebook to users informing them that they have a lost message on Facebook. The sender shows up as “Facebook.” The graphics are simple but accurate (let’s face it, Facebook isn’t exactly known for its stunning visuals,) the fonts are the same, and the text is just close enough to realistic to be believable. Here’s a snap of the most commonly encountered message.

obviously NOT a real Facebook notification

Of course, this message is a fake, and can easily be identified as such by anyone who takes more than a second to look at it. Mousing over the blue Facebook, the link to the “lost message,” the link in the FAQ, or even the unsubscribe at the bottom of the message (not shown), all reveal that this is a phishing message. All of those links go to some website in an .FR domain which is definitely NOT a Facebook site, but is designed to deliver malware to vulnerable browsers. But it’s not the vulnerable browsers that worry me nearly so much as it is the vulnerable users that will click on those links.

I can protect my users at the office by filtering out these messages, but I’m absolutely certain that they are getting through lesser filtering systems maintained (or not) by my users’ personal ISPs. Considering the almost rabid addiction many of them exhibit towards Facebook (come on, next time a coworker’s phone beeps in a meeting, get up to see whether it’s really a work-related message, or just a notification that someone posted on their wall), the likelihood that they will click on the link to see what message was lost is dangerously high.

And while you may think that their personal computer is not your problem, think again. Do you not offer webmail? Do you prohibit (and enforce) working on company files using home computers? Those users check their company webmail using that computer. They work on company documents at home when they are on a deadline, or staying home with a sick child. And any malware they get on their personal computer becomes a problem for you. Key-loggers alone should be enough to keep you up at night.

Once again, I am calling upon you to raise awareness amongst your users. Let them know these messages exist, and that they should not be fooled. Point them to this post or better yet, go over it in a company meeting. Do whatever you can to help your users identify this sort of thing and avoid becoming a victim. Trust me, you’re also helping yourself.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phony Facebook Notifications – More Trick, Less Treat

In this edition of Spamfoolery, we uncover the all-seeing eye of Sauron to take a sobering look at the state of intelligent thought in the spam world. Hold onto your boots. This one is not for the sense of humor challenged.

Each Sunday, I write my blog post, and while my mind’s always thinking about what I’ll be writing this coming week, I don’t really consciously come up with anything salient until Sunday morning itself rolls around. Sitting with my first cup of coffee, I browse the spam news and discover what nefarious new exploits the scumbags (spambags? I don’t know, it has a nice ring to it) are unleashing on the world; and in the course of that haphazard process, something shakes loose.

This week was no exception as the spam gods smiled upon me once again. This morning, I checked my email to discover that one of my former students sent me messages in Twitter. A nice fellow this former student, I instantly recognized the messages as Twitter intercepts…clearly, his Twitter account has been compromised and, wouldn’t you know it? As I’m writing these words, another message just came through. All the messages are the standard shenanigans one expects from spammers: “you too can be three inches taller,” “The most defiant fillies [sic] will strive for riding your new big Italian stallion” (seriously, that’s a real one. For more, look here), “I saw your wife naked with the village idiot last week, check pictures here,” “I know what you did last summer…” Okay, that last one may have come from a movie, but you get the point.

In the case of my former student, a clear tip-off – beside the apparent lunacy of his messages – was a common factor: a Russian URL at the end of each message. Now, I may be cozied up in the Great White North of Eastern Canada, but the northern climate is my only connection to Moscow. Well, maybe that and I like Borscht, but those are the only two similarities. Vodka too, but those are the only three similarities. Solzhenitsyn, Dostoevsky, Tolstoy, Rachmaninoff, Tchaikovsky, those funny dancing bears, Anna Kournikova…ah hell. Look, as the crow flies, Russia is 5,000 miles due east, okay?

So receiving these messages (you can see them above), I was forced to wonder, once again, just how stupid these spammers think I am – and by association, just how stupid they must be. Anyone following my blog knows exactly what I think of spammers, so it shouldn’t come as any surprise that I have an extremely low regard for these scum-of-the-earth, little-old-granny-scamming, make-my-inbox-flood-with-pure-crap-on-a-daily-basis, scam artists. Try saying that ten times fast.

All this ire forced me to consider, once again, whether spammers really are stupid, or whether they just act stupidly. Once again, I came up with a frustrating answer: it’s all of the above and everything in between. Yes, spammers are stupid and yes, they are wily, calculating and yes, even intelligent. Confused yet? Me too.

Look, it would be so much easier if we could simply write them off as being morons, and the bulk of the spam email sent each day would give any jury an easy way out when deliberating whether these guys are guilty of being just plain dumb. It would be so much easier going to bed each night knowing that we had nothing to fear from these jerks. Reality however, is a harsh mistress, and the simple fact is they’re not as dumb as we want them to be.

Spam IQ, Anyone?

With that in mind, I set out to categorize the spammers in the best possible way I could imagine: the Spam IQ test. Like the widely-criticized Intelligence Quotient, there’s no real science to it, but it is fun to consider. So, without further ado:

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamfoolery: Stupid is as Stupid Does Edition

Think you know everything there is to know about phishing? Think you know how to protect yourself and your users from phishing attacks? Think again. Here are some common beliefs about phishing that just aren’t true.

1.  All phishing attacks come from foreign countries. The amount of so-called “Nigerian scams” that have been flooding the net may make it seem that way, but studies have shown that most phishing attacks are actually launched from the United States.

2. My spam filter will protect me. Not true. No software solution is 100% effective and filtering phishing attacks is particularly tricky when you consider that many phishing attacks are made to look like emails from legit companies, and convincingly so. It’s difficult to program spam filters to be able to tell the difference.

3. I’ve made sure my users are educated, so they will never click on a phishing link.  Employees at government agencies and top corporations have fallen for phishing scams, so don’t rely on education as protection. Phishing attacks, especially spear phishing, are becoming more and more convincing.

4. I never give my username and password out so I don’t have to worry. Not true. There is a great deal of malware out there designed to get this info without the user ever knowing. Keyloggers, spyware, and fake websites designed to look exactly like the real thing can all get your to hand over your information to a criminal.

5. I’ll never fall for a phishing scam. I know how to spot them.  Unfortunately, this isn’t true. Not all phishing scams involve emails.  Many involve compromising legit websites and redirecting visitors to an exact copy of their login screen. When the user logs in however, their information is sent to the scammer. Phishing schemes are getting more and more sophisticated so don’t get complacent!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Untruths About Phishing

In the immortal words of Homer Simpson, “D’Oh!” Just when you thought you had things figured out, a new report from IBM states that desktop computers will become the craze and everyone will want one, that everyone in the world will be able to send messages over this new thing called “the Internets”, and that a new pop star named Lady Gaga will take the world by storm. Oh yeah, they also advise us that mobile spam is on the rise. In other words, they’ve stated the blatantly obvious.

Haters of spam and phishing, beware. We’ve got some bad news for you. Really bad news. You’d better be seated for this one. We’ll wait.

[waits]

OK, good. Now that you’re seated, we have some earth-shattering news that will rock you to your socks: mobile spam is on the rise. Now that we’ve said it, we’ll wait while you catch your breath.

[waits]

Better now? Good, because it came as a shock to us, too. ComputerWeekly.com reported this week that IBM has just released its X-Force 2011 Trend and Risk Report, and the news is, well, just as we expected. Now that our sarcasm is expended, let’s take a look at the facts, for IBM does, in fact, put together a pretty sweet report, replete with fancy graphics and yes, some pretty interesting reading.

BYOB or BYOD?

Personally, I prefer BYOB, but IBM’s report focuses on the growing trend of BYOD, or bring your own device. A nifty if not so advantageous upgrade to the bring your parent to school days, BYOD, simply put, is a natural occurrence in a world that’s fascinated by mobile devices, such as smartphones and tablets. The offshoot of people bringing their devices to work, of course, is that they want to connect those devices to the company network, and that’s where the problem lies. According to IBM’s report, as stated by ComputerWorld.com:

“Mobile vulnerabilities are expected to grow at least 15% year-on-year, while mobile exploits are predicted to double compared with 2010.”

IBM’s report, it seems, is bringing to bear our greatest fears.

“’For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices. It appears that the wait is over,’ said Tom Cross, manager of threat intelligence and strategy for IBM X-Force.”

IBM is advising IT departments everywhere to increase their vigilance (and maintain their software) by ensuring that anti-malware software and patches are kept up-to-date. Malware being delivered through SMS and the privacy risks that arise from personal devices that may not be secure are, of course, primary concerns for any network that might be compromised through a wireless connection with the infected devices.

Not So Anonymous Anymore

The report has identified a tripling in the amount of malicious activity between 2010 and 2011.

The reason for this massive increase is due in no small part, “to ‘hacktivist’ groups, such as LulzSec and Anonymous, using SQL injection attacks, and ‘whaling’ or spear-phishing, whereby company senior executives with access to critical data are targeted. Anonymous proxies have more than quadrupled compared with three years ago.”

It’s Not all Bad

Even though malware is on the rise, it’s worth noting that the X-Force report found that web application vulnerabilities have decreased for the first time in five years. This can probably be attributed to the rise in more personalized and targeted attacks.

ComputerWeekly.com notes that IBM found “levels of vulnerabilities in web browsers and spam had also declined significantly while traditional attacks on weak passwords and databases were still commonplace.”

I Thought it Was the Year of the Rabbit

IBM’s preamble to their analysis is a little chilling in what it predicts, and it should stand as a dire warning to anyone with a vested interest in maintaining security.

“An explosion of breaches has opened 2011 with continuing, near daily new reports, marking this year as ‘The Year of the Security Breach.’ These breaches have been notable not just for their frequency, but for the presumed operational competency of many of the victims.”

The environment is changing, they go on to state, and in that snippet of knowledge we can begin to understand what’s happening here.

If 2011 is the ‘Year of the Security Breach,’ then what, in God’s name, does 2012 have in store for us? If the victims, as IBM suggests, are atypical targets due to their high levels of ‘operational competency,’ then what’s next?

We’re not in Kansas, anymore, Toto.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

IBM Report: Mobile Spam on the Rise, Sun Sets in the West

Spear phishing attackers in Texas have begun targeting drivers with a low-tech calling scheme designed to capture their credit card details. In the United States, traffic light enforcement frequently uses photographic cameras to document violations and identify offenders. When a driver runs a red light, a camera mounted nearby takes a picture of the driver while another camera takes a picture of the vehicle’s license plate, providing sufficient proof of an offense to issue a traffic citation. These traffic tickets are sent to the driver through the postal service, and a fine must be paid.

Unless you have received such a citation, or are very familiar with law enforcement procedures, you may not be aware of how this works, and that is what the phishers are counting on. Attackers use classic social engineering tactics, including:

1. Speaking with authority (impersonating a law enforcement officer),
2. Knowing something about the victim (their name, address, phone number, and license plate),
3. Playing upon the victim’s fears (in this case, of arrest),

to bilk their targets out of their credit card details. The attacker calls the victim, identifies themselves as a law enforcement officer, and informs the victim that they have an outstanding violation for a traffic offense which must be paid immediately, or risk arrest. The victims are offered the chance to pay their fine over the phone, using their credit card, which is exactly what the attacker is counting on them to do. If they are hesitant, the attacker becomes more aggressive and threatens them with arrest and increased fines. If the victim believes the call is legitimate, at that point they are willing to pay the “fine.” The victim provides the attacker their credit card details, including expiration date and CSC code, and thinks that their fine has been paid; problem solved.

The attacker of course now has all that they need to run up fraudulent charges until the credit card company detects suspicious activity, or the victim gets their next statement. If an attacker exercises restraint, they may have several weeks to use the compromised credit card before fraudulent activity is detected and the credit account is cancelled. They can use the account to make online purchases, or can sell the account details to other criminals who can use the information to create counterfeit cards.

This particular style phishing attack seems to have started in Texas and is beginning to spread to other locations. Because the attackers are able to get so much information about a potential victim by simply looking up most of the information online, and then driving by the victim’s home to get the license plate information, this attack is very effective, if somewhat limited by geography.

Readers are cautioned to always be suspicious of callers purporting to be law enforcement, creditors, banks, or other persons asking for personal details or asking for financial information. When in doubt hang up, and find the contact information on line to verify things. Remember, it is relatively easy to fake Caller-ID information, so do not rely upon what your phone displays to confirm a caller is who they say.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Traffic Cams Latest Low-Tech Phishing Bait