<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; anti-virus</title>
	<atom:link href="http://www.allspammedup.com/tag/anti-virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>U.S. Official Admits Imported Computer Tech is Known to be Infected</title>
		<link>http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/</link>
		<comments>http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 14:30:42 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4857</guid>
		<description><![CDATA[Spam-ready tablets off the shelves? Zombie PCs out of the box? Testifying before U.S. Congress this week, a top official for the Department of Homeland Security said that technology being imported into the country is sometimes known to contain preloaded &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/">U.S. Official Admits Imported Computer Tech is Known to be Infected</a></p>
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/523093-borg_large.jpg"><img class="alignright size-medium wp-image-4873" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/523093-borg_large-287x400.jpg" alt="" width="287" height="400" /></a>Spam-ready tablets off the shelves? Zombie PCs out of the box? Testifying before U.S. Congress this week, a top official for the Department of Homeland Security said that technology being imported into the country is sometimes known to contain preloaded security threats. The disturbing news leaves us wondering what’s next – perhaps our credit card numbers automatically being published to Twitter and Facebook when we sign up for an account?</strong></p>
<p>As if the raging war on spam isn’t bad enough, an ominous moment in U.S. Congress this week should leave an unsettling feeling in anyone who has purchased a PC, tablet, or any other connected device; anyone who worries about the safety of their information, for that matter – in other words, pretty much everyone.<span id="more-4857"></span></p>
<p>Testifying before Congress at the House Oversight and Government Reform Committee this week, Greg Schaffer – the Department of Homeland Security (DHS) Assistant Secretary for Cybersecurity and Communications – admitted that Homeland Security and the White House are aware that electronics and software imported into and sold in the United States are sometimes pre-installed with malware, spyware, keyloggers, and even the components of botnets. Not only are they aware of these threat-laden devices, various media outlets report, but in fact they have been aware for quite some time.</p>
<p>Fast Company first <a target="_blank" href="http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-attack-tools">reported</a> the story on Friday. Schaffer was testifying in a tense exchange between himself and Representative Jason Chaffetz. “When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that ‘I am aware of instances where that has happened,’” but not before a long pause where Schaffer seemingly considered the implications of his answer.</p>
<p>According to <a target="_blank" href="http://www.pcworld.com/article/235355/malware_comes_with_many_gadgets_homeland_security_admits.html">PC World</a>, Schaffer didn’t go as far as singling out PCs, tablets, or even DVDs and smart phones.</p>
<blockquote><p>“Schaffer admitted he is aware of instances when foreign-made technology was built with embedded security risks but did not elaborate on what kind of equipment DHS has encountered. <strong>He also pointed out that overseas components are found in many domestically manufactured electronics.</strong>” [Emphasis added]</p></blockquote>
<p>It’s not news that some consumer devices and products have entered the retail world with viruses or other malware. Several years ago, digital picture frames with USB ports were found to be infected, and every so often a piece of software is inadvertently set into the wild with some sort of Trojan or some such malware. What makes this story chilling, however, is Schaffer’s implication that the problem could be far larger than just the odd digital photo frame or errant code in a piece of software. If the malware is actually hard-coded onto a chip – as opposed to pre-installed on a hard disk drive – then these chips could be finding their way into everything that has a wired or wireless connection with the Internet. The problem? Hard drives can be wiped. Onboard chips are like taxes – they’re there for life.</p>
<p>Neal Ungerleider of Fast Company suggests that something sinister may be at work here, drawing from the <a target="_blank" href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">White House&#8217;s Cyberspace Policy Review</a>:</p>
<blockquote><p>“[In the review] is a small acknowledgment that the Executive Branch knows something weird is happening in imported tech:</p>
<p>&#8216;The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. <strong>Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions&#8230;</strong><strong>The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover.</strong> Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.&#8217;&#8221; [Emphasis added]</p></blockquote>
<p><strong>Don’t Panic!</strong></p>
<p>As disturbingly eerie as this information certainly is, it poses the question: what can we do about it? The answer is readily available. Nothing &#8211; at least not as single consumers or even as IT/IS Managers. Some might decide to throw out all their devices and in a <em>Walden </em>moment, return to nature, resorting to carrier pigeons and smoke signals to communicate with the outside world; but most of us recognize that technology owns us now, and for good or for bad, better or worse, we like it. Heck, we love it! We refuse to reject technology because, well, how could we? It makes our lives easier. It makes our lives better, at least if you believe the mantras of GE (We Bring Good Things to Life) and LG (Life’s Good).</p>
<p><strong>Conspiracy Theory</strong></p>
<p>Assume for a moment that the White House and other governments know far more than they’re saying (not a leap at all). Then assume that detecting and removing these hard-coded security risks represents not just a huge difficulty but a virtual impossibility (not a stretch). Now imagine that the threats represented by this built-in malware could be a mixture of state-sponsored and/or private interests – some in it for innocuous concepts like ‘national security’ and some in it for more tangible returns like money. Finally, imagine if the whole truth got out – how it would create such a panic that Greece’s finances would seem rock-solid next to what was left of the global economy. No wonder Schaffer took so long to answer.</p>
<p>As much as it sounds like the stuff that Hollywood is made of, the truth is in there somewhere. If so, then (for all you Star Trek fans) like the Borg, this new threat is lurking and waiting, ready to pounce and assimilate your information, and there’s not a darned thing you – or anyone else – can do about it. Come to think of it, spam <em>is</em> the equivalent of the Borg – maybe even a progenitor of the 24th Century race.</p>
<p>I think I’m going to avoid the rush and post all my personal information on Twitter. I hate waiting.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/u-s-official-admits-imported-computer-tech-is-known-to-be-infected/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Phishers target iTunes, LinkedIn users</title>
		<link>http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/</link>
		<comments>http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/#comments</comments>
		<pubDate>Tue, 12 Oct 2010 12:17:05 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[iTunes]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3140</guid>
		<description><![CDATA[In recent weeks, two typically secure Internet sites have been exploited successfully by phishers. Apple&#8217;s iTunes store, situated behind the company&#8217;s walled ecosystem, has been a tough nut to crack for cyber miscreants, although it has had problems with them &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/10/phishing.jpg"><img class="alignright size-thumbnail wp-image-3150" src="http://www.allspammedup.com/wp-content/uploads/2010/10/phishing-150x150.jpg" alt="" width="150" height="150" /></a>In recent weeks, two typically secure Internet sites have been exploited successfully by phishers.</p>
<p>Apple&#8217;s iTunes store, situated behind the company&#8217;s walled ecosystem, has been a tough nut to crack for cyber miscreants, although it has had problems with them from time to time. The other site, LinkedIn, an online community oriented toward networking for professionals, has done a good job of guarding its members&#8217; accounts from Internet lowlifes.</p>
<p>A key point of vulnerability for both services, though, is email. On occasion, the services communicate with their members through ordinary email. That gives electronic grifters an opportunity to gouge subscribers with a minimum of ingenuity.</p>
<p>For example, anyone who has ever bought anything at the iTunes store expects to receive a receipt from it after making a purchase. So the arrival of an email containing a receipt becomes so routine that it wouldn&#8217;t raise any red flags in a recipient&#8217;s mind.</p>
<p>Black Hats are aware of that and in their recent escapade exploited it. They sent phishing spam to a pool of users. Since iTunes has 160 million members, odds were good that a significant number of the guppies in the pool would be iTunes users. The spam resembled a receipt from the iTunes store. To catch the recipient&#8217;s attention, the purchase total on the receipt was some outrageous number. If you&#8217;re used to purchasing a song or two at a time at 99 cents or an app under $10, then a receipt for $100 for merchandise is going to attract your notice as quickly as the Rockettes dancing on your lawn.</p>
<p><span id="more-3140"></span>All too conveniently, the receipt contained a link to click to remedy any problems that recipients have with charges levied on them by the store. When the concerned iTunes store user clicks on the link, they&#8217;re asked to download an Adobe player file. The file, of course, is fake. It installs malware on the target&#8217;s computer, then sends their browser to one of more than 100 black websites in the .info domain where a particularly vicious Trojan named after the lord of the Greek gods, Zeus, is activated.</p>
<p>Among members of the security community, Zeus is considered one of the most lucrative malware programs ever created by cyber thieves. In a typical Zeus adventure, after the badware steals a victim&#8217;s banking information, it&#8217;s used to withdraw money from the victim&#8217;s accounts through a nation&#8217;s automated money transfer system. The money is usually sent to bank accounts set up by &#8220;money mules.&#8221; The mules take a cut of the filched cash sent to the account and ship the rest to the ringleaders of the operation who are usually located overseas.</p>
<p>Recently, a large global Zeus operation was taken down by a multinational law enforcement task force. According to authorities, the gangsters clipped $70 million from their victims and had another $150 million in the pipeline before they were busted. Much of that money was stolen from small businesses or non-profit organizations that had to absorb the losses into their bottom lines.</p>
<p>Although the latest blow against Zeus produced significant results, it&#8217;s doubtful its impact will be long-lasting, according to one analyst at the technology research firm, Gartner.</p>
<blockquote><p>          &#8220;[T]he arrests will not stop ACH and wire fraud,&#8221; opines Gartner analyst Avivah Litan. &#8220;It just slows down the ability for the fraudsters to use Zeus to commit it.&#8221;</p>
<p>&#8220;There are many other attack vectors that enable the crooks to get into online bank accounts and money transfers that don’t use Zeus,&#8221; she continues. &#8220;For example, there’s a relatively new piece of malware called Spyeye. It’s a landmark infection that doesn’t require administrative privileges on the PC and operates as a relatively quick hit-and-run type of attack.&#8221;</p></blockquote>
<p>Be that as it may, law enforcement agencies appear to be getting a handle on Zeus networks once they&#8217;re uncovered. In the iTunes case, the Zeus websites were blacklisted in a matter of days.</p>
<p>The iTunes scam was similar to one apparently launched from Russia against LinkedIn members in the prior week.</p>
<blockquote><p>          &#8220;In the past few days, we’ve noticed an increase in phishing emails doing the rounds using the LinkedIn name,&#8221; the service&#8217;s Principal Product Manager Vincente Silveira wrote in a blog on October 1. &#8220;As you can imagine, we are working round the clock with leading email service providers to combat this problem,&#8221; he added.</p></blockquote>
<p>He recommended the following tips for protecting yourself against phishing attacks.</p>
<ul>
<li>Please use caution when clicking or opening emails, seemingly from sites you trust.</li>
<li>Spammers try to mimic legitimate emails, but they often make mistakes like typos or include information that’s not relevant to you. Be suspicious of emails that include names you don’t recognize.</li>
<li>Keep in mind that a site like LinkedIn would never ask you to open an email attachment or install a software update.</li>
<li>These spurious emails can infect your computer with a virus or spyware. To protect yourself, make sure you have anti-virus and anti-spyware software installed and it is up-to-date.</li>
<li>Before clicking on a link in an email, place your cursor over the link to verify that it leads to the appropriate site.</li>
<li>When in doubt, open a new browser window and go directly to LinkedIn.com to check your inbox and verify the connection request or message.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Ways to Keep Your Company Network Safe</title>
		<link>http://www.allspammedup.com/2010/09/7-ways-to-keep-your-company-network-safe/</link>
		<comments>http://www.allspammedup.com/2010/09/7-ways-to-keep-your-company-network-safe/#comments</comments>
		<pubDate>Wed, 08 Sep 2010 15:02:24 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[internet usage policy]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[sensitive data]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3001</guid>
		<description><![CDATA[In a nutshell, here are seven ways to keep your company network safe, and in turn all your company&#8217;s workstations. Have a solid anti-virus/anti-spam solution and a firewall in place. This may seem obvious but many small and midsize businesses &#8230;
]]></description>
			<content:encoded><![CDATA[<p>In a nutshell, here are seven ways to keep your company network safe, and in turn all your company&#8217;s workstations.</p>
<ol>
<li><strong>Have a solid anti-virus/anti-spam solution and a firewall in place.</strong> This may seem obvious but many small and midsize businesses still don’t recognize the importance of securing their networks and data.</li>
<li><strong>Limit how many people have certain login privileges. </strong>Have only one or two people responsible for doing any online banking. The fewer people who have such sensitive info, the better. It cuts down on the risks of falling for a phishing attack.</li>
<li><strong>Isolate sensitive data.</strong> You should have one computer that is completely unconnected to your company network and the internet. This system is where financial data should be kept. That way, should a hacker infiltrate your network, they won’t be able to access it.</li>
<li><strong>Discourage the use of removable media.</strong> More and more viruses use flash drives and other types of removable media to propagate.</li>
<li><strong>Have a solid, clear internet usage policy.</strong> Limiting where your employees can go online solves a lot of problems. Make sure your policy prohibits any unauthorized downloads and ask your IT department about blocking bittorrents and adult sites, two of the easiest places to pick up malware. You&#8217;ll also want to discourage any use of company addresses for non-company business. Employees that use them to register on websites risk opening themselves and your network up to spam.</li>
<li><strong>Change passwords regularly.</strong> You and your employees should change your passwords every 3-6 months and if an employee is ever fired, shut down their email account and change all common passwords immediately.</li>
<li><strong>Discourage non-company devices</strong>. Employees should use company-owned laptops for any offsite work. This allows your IT department to monitor them and deal with any issues quickly. Letting employees log into your network from their personal computers is risky. If their systems are infected with malware, it can easily travel into the network.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/09/7-ways-to-keep-your-company-network-safe/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Configuring Exchange Server 2010 Anti-Spam Settings for Individual Mailboxes</title>
		<link>http://www.allspammedup.com/2010/06/configuring-exchange-server-2010-anti-spam-settings-for-individual-mailboxes/</link>
		<comments>http://www.allspammedup.com/2010/06/configuring-exchange-server-2010-anti-spam-settings-for-individual-mailboxes/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 06:33:46 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2642</guid>
		<description><![CDATA[When the Exchange Server 2010 anti-spam features are enabled and configured they take effect for all mailboxes within the organization.  But sometimes it is necessary to customize the settings for specific mailbox users. Organization-Wide Anti-Spam Settings At the organization level &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2644" src="http://www.allspammedup.com/wp-content/uploads/2010/06/exception.jpg" alt="" width="250" height="140" />When the Exchange Server 2010 anti-spam features are enabled and configured they take effect for all mailboxes within the organization.  But sometimes it is necessary to customize the settings for specific mailbox users.</p>
<h2>Organization-Wide Anti-Spam Settings</h2>
<p>At the organization level there are several anti-spam settings that can be applied.</p>
<p><strong>SCLJunkThreshold</strong> – This is the Sender Confidence Level (SCL) score that will cause an email to be delivered to the Junk Email folder of a mailbox instead of the Inbox.  SCL is scored from 0-9 with 9 being the most likely to be spam.  By default the SCLJunkThreshold is set to 4.</p>
<pre>[PS] C:\&gt;Get-OrganizationConfig | fl SCLJunkThreshold

SCLJunkThreshold : 4</pre>
<p>There are also a series of SCL thresholds configured on the Content Filter Agent.</p>
<pre>[PS] C:\&gt;Get-ContentFilterConfig | fl *SCL*

SCLRejectThreshold     : 7
SCLRejectEnabled       : True
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled   : False</pre>
<p>With the default settings shown above a spam message that scores an SCL higher than 7 will be rejected by the Transport server.  A spam message that scores an SCL higher than 4 but not more than 7 will be sent to the mailbox Junk Email folder.</p>
<h2>Mailbox-Level Anti-Spam Settings</h2>
<p>These anti-spam settings can also be configured on a per-mailbox basis.</p>
<pre>[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : False
SCLDeleteThreshold     :
SCLDeleteEnabled       :
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :</pre>
<p>When configured at the mailbox level the settings take precedence over the organization-wide settings.<span id="more-2642"></span></p>
<p>For example, if the organization has the SCLDeleteThreshold disabled it can be enabled for a specific user.</p>
<pre>[PS] C:\&gt;set-mailbox Alan.Reid -SCLDeleteEnabled $true -SCLDeleteThreshold 9

[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : False
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : True
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :</pre>
<p>Note that when enabling a delete, reject, or quarantine for a mailbox you must also specify a threshold between 0-9 at the same time if one has not previously been configured for that mailbox.</p>
<p>Another example would be a user who is requesting a different junk threshold than the rest of the organization if too many spam emails are still reaching their inbox.</p>
<pre>[PS] C:\&gt;set-mailbox Alan.Reid -SCLJunkEnabled $true -SCLJunkThreshold 3

[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : False
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : True
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       : 3
SCLJunkEnabled         : True</pre>
<p>There is also the option to bypass anti-spam filtering for a mailbox completely.  This would be useful for scenarios such as sales or customer service mailboxes where you do not want to risk legitimate email being blocked.</p>
<pre>[PS] C:\&gt;set-mailbox Alan.Reid -AntispamBypassEnabled $true

[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : True</pre>
<p>When a mailbox has the anti-spam bypass enabled this isn’t reflected in the organization-wide configuration.</p>
<pre>[PS] C:\&gt;Get-ContentFilterConfig | fl BypassedRecipients

BypassedRecipients : {}</pre>
<p>However you can still locate all such recipients when needed using this shell command.</p>
<pre>[PS] C:\&gt;Get-Mailbox | where {$_.AntispamBypassEnabled -eq $true}

Name                      Alias                ServerName
----                      -----                ----------
Alan.Reid                 Alan.Reid            ex1</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/configuring-exchange-server-2010-anti-spam-settings-for-individual-mailboxes/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>ZBot Trojan Not Detectable By Anti-Virus Programs</title>
		<link>http://www.allspammedup.com/2009/09/zbot-trojan-not-detectable-by-anti-virus-programs/</link>
		<comments>http://www.allspammedup.com/2009/09/zbot-trojan-not-detectable-by-anti-virus-programs/#comments</comments>
		<pubDate>Fri, 25 Sep 2009 12:21:28 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[zbot trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1542</guid>
		<description><![CDATA[Security researchers have discovered that the Zbot Trojan is undetectable by most anti-virus programs because it is continually morphing. Zbot is one of the most widespread banking Trojans on the net and has been around since 2006. It uses a &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Security researchers have discovered that the Zbot Trojan is undetectable <img class="alignright size-full wp-image-1543" src="http://www.allspammedup.com/wp-content/uploads/2009/09/873928_junk_mail_2.jpg" alt="873928_junk_mail_2" width="133" height="95" />by most anti-virus programs because it is continually morphing. Zbot is one of the most widespread banking Trojans on the net and has been around since 2006. It uses a rootkit to penetrate deep within operating systems. A recent study of Zbot-infected computers revealed that only 14% had outdated or no anti-virus software. The rest were running fully updated software.</p>
<p>Over the summer Zbot showed up in spam that was made to look like a critical update to Microsoft Outlook. Once downloaded, it unleashed a keylogger that captured login credentials when the computer visited a banking or credit card website. The Trojan also scans infected computers for financial information and is programmed with a long list of sites to steal logins from, including Facebook, Bank of America, Paypal, Amazon.com, and eBay.</p>
<p>Most recently it is being delivered in a new campaign featuring fake IRS and shipping spam. The IRS spam attempts to scare the recipient by telling them they were discovered as having underreported their income and are now under investigation for fraud. An included link claims to direct them to the IRS site where they can review their tax return. Instead it downloads Zbot. The shipping spam involves a fake shipping confirmation and label from UPS. The label is supposedly located in the attached Excel file but that file is really a hidden executable that downloads Zbot.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/09/zbot-trojan-not-detectable-by-anti-virus-programs/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>New Spam Attack Features Blank Messages</title>
		<link>http://www.allspammedup.com/2009/06/new-spam-attack-features-blank-messages/</link>
		<comments>http://www.allspammedup.com/2009/06/new-spam-attack-features-blank-messages/#comments</comments>
		<pubDate>Fri, 19 Jun 2009 13:35:18 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1137</guid>
		<description><![CDATA[Ads for shady Internet pharmacies are partly responsible for a new spike in spam levels. The spam messages deliver the ads buried in image attachments and most of them hawk Viagra and other similar medications. The subject lines are random &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Ads for shady Internet pharmacies are partly responsible for a new spike in spam levels. The spam messages deliver <img class="alignright size-full wp-image-1138" title="New Spam Attack Features Blank Messages" src="http://www.allspammedup.com/wp-content/uploads/2009/06/6a00d83451b09469e200e5527943058833-800wi.png" alt="6a00d83451b09469e200e5527943058833-800wi" width="117" height="98" />the ads buried in image attachments and most of them hawk Viagra and other similar medications. The subject lines are random and not related to the contents of the messages, but they all attempt to get recipients to click on links that lead to various pharmacy websites, some of which could be fake. Such malicious sites look legit, offer a shopping cart and accept credit cards, but unlike legit sites, they never send the orders.</p>
<p>The other type of spam uses a new technique: blank messages. Spammers are sending messages with no subject line or body with the sole purpose of finding out which addresses are valid, usually within specific domains and presumably to harvest those addresses for future spam and/or phishing attacks.</p>
<p>Additionally, malicious spam masquerading as delivery failure notices from Western Union continues to flood the net. This type of spam informs the recipient that a Western Union money transfer could not be completed and directs them to open the included attachment, print out the receipt and bring it to their local Western Union office to get the money back. The scammers are hoping to find a few greedy souls who think they’ve gotten a chance to receive some free money. The attachment actually contains a nasty Trojan.</p>
<p>It’s important to keep all anti-virus products up to date and make sure you have an effective spam filter installed on your network, and, as always, make sure your employees know never to click on links or open attachments in emails from people they don’t know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/new-spam-attack-features-blank-messages/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hundreds of UK Government Sites Hacked</title>
		<link>http://www.allspammedup.com/2009/06/hundreds-of-uk-government-sites-hacked/</link>
		<comments>http://www.allspammedup.com/2009/06/hundreds-of-uk-government-sites-hacked/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 12:52:16 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1123</guid>
		<description><![CDATA[A large scale attack on UK government websites has been discovered. Hundreds of sites for schools, government offices, universities and more have been compromised to include links and other references to porn sites or shady pharmacies. The hacks were likely &#8230;
]]></description>
			<content:encoded><![CDATA[<p>A large-scale attack on UK government websites has been discovered. Hundreds of sites for schools, government <img class="alignright size-full wp-image-1124" title="Hundreds of U.K. Government Sites Hacked" src="http://www.allspammedup.com/wp-content/uploads/2009/06/internet_no_celular1.jpg" alt="internet_no_celular1" width="150" height="136" />offices, universities and more have been compromised to include links and other references to porn sites or shady pharmacies. The hacks were likely carried out via SQL injection attacks or cross-site scripting, and the sites were obviously chosen because users would not think twice about trusting them. Visitors who click through are redirected either to sites selling drugs such as Viagra or to sites displaying hardcore porn. Some of the compromised sites attempt to download malware.</p>
<p>The most disturbing part of the attacks is that many of the sites belong to elementary schools and are visited by students. The hackers behind the attack apparently have no problem directing children to porn sites. Even the search results for these sites have been changed to refer to porn and shady pharmacies.</p>
<p>It’s not known who’s behind the attack, and the UK government has not yet commented. One thing is sure, however: they need to take a serious look at the security and software on their sites. It’s poorly designed software and careless security (such as not disabling unused FTP logins) that lead to these types of attacks. Experts warn that people who are infected by compromised sites may begin to file lawsuits against them for negligence.</p>
<p>However, I’m not sure that’s the way to go. After all, it is up to each of us to properly secure our computers and use up-to-date anti-virus software!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/hundreds-of-uk-government-sites-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The PIFTS.exe Conspiracy</title>
		<link>http://www.allspammedup.com/2009/03/the-piftsexe-conspiracy/</link>
		<comments>http://www.allspammedup.com/2009/03/the-piftsexe-conspiracy/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 08:50:51 +0000</pubDate>
		<dc:creator>Brett Callow</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[malicious sites]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=599</guid>
		<description><![CDATA[On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were &#8230;
]]></description>
			<content:encoded><![CDATA[<p>On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were Symantec surreptitiously monitoring their users? Or was this something much more sinister?</p>
<p>The discussion raged on sites such as <a target="_blank" href="http://it.slashdot.org/article.pl?sid=09/03/10/139229">Slashdot</a> and on forums across the internet. Symantec fanned the flames when they started deleting, without explanation, questions about PIFTS that had been posted to their web forum. What did they have to hide? To make matters worse, users searching for information on PIFTS found that they were being directed to malicious websites. Brian Krebs of the Washington Post <a target="_blank" href="http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html">noted</a>:</p>
<blockquote><p>          Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use Javascript attacks to try and foist rogue antivirus products (ah, the irony).</p></blockquote>
<p>Symantec finally issued a <a target="_blank" href="http://community.norton.com/norton/board/message?board.id=nis_feedback&amp;message.id=39119">statement</a> which confirmed what had happened:</p>
<blockquote><p>          Symantec released a diagnostic patch &#8220;PIFTS.exe&#8221; targeting Norton Internet Security and Norton Antivirus 2006 &amp; 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 &#8211; 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec &#8220;unsigned&#8221;, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.<span id="more-599"></span></p></blockquote>
<p>What about the deleted posts? Symantec explained that too:</p>
<blockquote><p>          There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation.  At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:</p>
<p>O LAWD IM CHOKIN ON PIFTS PLZ HALP<br />
OH GOD YOU GOT CHOCOLATE IN MY PIFTS<br />
If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E<br />
IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?<br />
PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE<br />
I LOVE MY PIFTS.EXE</p>
<p>Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.</p></blockquote>
<p>So, it seems that it was all due to human error; an innocent mistake. PIFTS did not perform any malicious activity and the web forum posts were not deleted as part of a corporate cover-up. But, boy, could Symantec have handled this any more badly? Why didn&#8217;t they issue a statement sooner? Had they done so, they could have been spared a considerable amount of bad publicity &#8211; and spared their users from being lured to malicious websites in a hunt for information which should have been made available by Symantec. And will users really be comforted to know that PIFTS could have phoned home without their knowledge had the executable been signed? Hmmm &#8230;</p>
<p>What&#8217;s also noteworthy about this incident is the speed with which the malicious websites appeared. If only Symantec had been as fast to respond as the bad guys!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/03/the-piftsexe-conspiracy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Beware of bogus anti-virus software</title>
		<link>http://www.allspammedup.com/2009/03/beware-of-bogus-anti-virus-software/</link>
		<comments>http://www.allspammedup.com/2009/03/beware-of-bogus-anti-virus-software/#comments</comments>
		<pubDate>Thu, 05 Mar 2009 15:15:29 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti-virus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=543</guid>
		<description><![CDATA[A clever piece of social engineering appears at first to be something similar to the old-fashioned mass-mailing worms which were designed to annoy, but the MonaRonaDona virus actually goes much further than that. Once infected, a pop-up will appear, stating, &#8230;
]]></description>
			<content:encoded><![CDATA[<p>A clever piece of social engineering appears at first to be something similar to the old-fashioned mass-mailing worms which were designed to annoy, but the MonaRonaDona virus actually goes much further than that.</p>
<p>Once infected, a pop-up will appear, stating, &#8220;Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it&#8217;s me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world &amp; the very purpose of my existence is to remind &amp; stress the world to respect humanity.&#8221;</p>
<p>There have been, over the years, many such emails, spam messages, viruses and worms which were designed as part of some social protest, and the perpetrators, in their righteousness, believe that they should be excused from their mischief because of their noble cause. Pure poppycock, of course; an attack is an attack, regardless of the reason. But this one only uses the &#8220;noble protest&#8221; as a ruse to sell useless anti-malware software.</p>
<p><span id="more-543"></span>Regardless of how you may feel about the vague &#8220;human rights violations&#8221; mentioned in the pop-up, most of us will feel put upon to receive this unannounced missive. The first reaction is to conduct a Web search on the word &#8220;MonaRonaDona&#8221;, at which point one would be referred to one of several forums or YouTube videos that discuss it, and point the reader to a particular anti-malware solution to fix it. The anti-virus software, called Unigray, claims to detect hundreds of thousands of threats, but the company domain was registered only on February 20.</p>
<p>That&#8217;s the first red flag. It&#8217;s a marketing scheme. The perpetrators have created these Web sites and references ahead of time, so that when victims conduct a search, they will find these links, which promote their own $40 anti-virus software, which removes the MonaRonaDona virus, but does nothing else.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/03/beware-of-bogus-anti-virus-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

