The year’s off to a rousing start, with all sorts of interesting security news this week: Wikipedia led a temporarily successful foray against SOPA and PIPA by joining numerous websites that went dark for a day; the founder of Megaupload had his hands slapped when law enforcement officials told him resoundingly, “no, you can’t pirate copyrighted material” – insult was heaped upon injury when dozens of expensive cars were towed away to show him they were right; and Koobface – the Facebook botnet that has been harassing Zuckerberg for years – was taken down by its own creators after the Facebook gang teamed up with The New York Times to uncover and publish the identities of the worm’s owners. To round off the week, QR codes (like the one in the image here) may just be the latest form of spam, and news out of the Twitterverse suggests that Darwin’s cardinal rule is not only true, it’s actually a dire prophecy of our impending extinction.

The year’s less than a month old and it may already be shaping up as ‘the year of anything goes’. Topping the headlines was a mass protest against seemingly inevitable anti-piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect I.P. Act), as innumerable websites intentionally went dark on January 18. Led by students’ greatest friend and perpetual source of dubious information Wikipedia, the activist movement irritated web surfers across the globe and scored one for the little guy as the bureaucrats in Washington, DC backed off the proposed legislation and shelved the bills, albeit temporarily. It’s practically inevitable that some wily spammer will take advantage of this controversy, so keep your eyes open and watch your back.

In a related story and in the spirit of fishy timing (i.e., the same week as the aforementioned protests), Megaupload founder, Kim Dotcom, was carted off along with several other geniuses who figured they would get away with providing a conduit for copyrighted material, all the while skimming millions of dollars off the illegal activity and thumbing their noses at the FBI. German national Mr. Dotcom, lamented as his lavish New Zealand mansion was raided and dozens of vintage cars were hauled away as the spoils of war. Again, there’s more here than meets the eye, especially now that Anonymous has its back up.

In an LMAO moment, individuals responsible for Koobface – a nasty piece of malware that has been frustrating Facebook and Twitter users for years – have taken down their own command and control server after Facebook teamed up with The New York Times to uncover and embarrass five of the founders – Russian nationals living in St. Petersburg, Florida. The named individuals have scrambled to scrub their online profiles, but it’s highly doubtful that erasing their cyber identities will have much of an effect in the real world, where police carry real guns and real handcuffs.

Are QR codes the newest spam threat? Some people think so. QR – or Quick Response – codes were developed in the automotive industry and have been used for a while. Slowly entering the mainstream  over the past couple of years, they are in wide use in Japan, the UK and the US, amongst other countries. Popular because of their fast readability and relatively high storage capacity (compared to bar codes), the increased use of smartphones with cameras and QR reading apps have made the codes a prime target for manufacturers and retailers; heck, even Google’s looking at getting into the game by using QR codes as a secure login method.  The problem is that QR codes can contain virtually any information, meaning that they are already being exploited by scammers and spear phishers. Keep an eye on this one, folks – and think twice before you take a picture of that code staring you in the face.

Finally, from the Twitterverse, here’s one that, no matter how much you shake your head, won’t rid that sickening feeling that the human race is on a collision course with extinction. Perhaps a case of ‘you can’t spell Twitter without ‘twit’, this recent article shows just how careless – or ignorant, or both – web users really are. Get this: over a twenty-four hour period, more than 11,000 Twitter users shared their email addies with the rest of the world. A safe practice if we were living in Thomas More’s Utopia, but it’s not the case if you reside anywhere on Earth, which is rife with people who would just love to use that information against you. This is just a guess, but it looks like spear phishing season is open and Twitter is the local watering hole.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Week in Review: You Can’t Spell Twitter Without ‘Twit’

This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, perhaps, it’s not enough that the agency which was spoofed in the attack has reported a disruption of its own systems, but it’s also the government body responsible for identifying and mitigating just this type of thing.

On January 11, news erupted of a rather malicious little spoof email that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an email pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.

Sent with fake source addresses that included soc@us-cert.gov and the subject line Phishing incident report call number: PH000000XXXXXXX and an attachment named US-CERT Operation Center Report XXXXXXX.zip, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which executes a file named US-CERT Operation CENTER Reports.eml.exe – was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.

Oh, the Irony!

US-CERT responding by doing what it’s supposed to do: it posted a bulletin and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency has stated

“difficulty receiving emails due to the phishing campaign”

according to SC Magazine. A little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, it’s a forgivable fumble considering that the scam artists continue to get wilier and more creative in their attacks.

In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:

• Do not open the attachments in email messages from unknown sources.
• Install anti-virus software and keep virus signatures files up-to-date.
• Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
• Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.

From Russia with Malice

The story gets a little more interesting from here, when Nextgov.com reported on Wednesday that

“Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.”

It’s not clear why researchers outside of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?

Regarding the attack and its location, there’s clearly no love here, only malice. So why was an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything that nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.

It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

US-CERT Hooked by US-CERT Phishing Attack

In Part 2 of our look at what you can expect in the coming year, faint rumblings out of Japan suggest that one prediction from Part 1 of this article has already come true. If the very real prospect of becoming an innocent casualty of war isn’t enough to make you run backward toward the year that just passed, these bold predictions reveal how hackers will develop an even stronger sense of camaraderie, and how mobility is sure to become a four-letter word. And if you thought spamming and Internet scams made it personal in 2011, you ain’t seen nuthin’ yet.

How about that? 2012 wasn’t even seven days old when news out of Japan this week revealed some eerie premonitions of the things to come and earmarks of a bold prediction made one week ago.  Engadget, ZD Net and other media outlets are reporting that the Japanese government has been working in concert with Fujitsu since 2008 to develop a powerful ‘cyber weapon’ – a piece of software that, upon the detection of a cyber attack (such as DDoS, for example) tracks the attack back to the source.

Sounds pretty straightforward, right? Sure, until you consider that the software also attacks and disables every machine it finds along the trail. The goal, Engadget reports:

“is to stop the spread of a malicious piece of code by finding and shutting down, not just the source, but all middleman PCs that are also now potential hosts. In some admittedly extreme scenarios this weapon could potentially spiral out of control, taking out far more computers than intended.”

Hmm… Botnets are nothing more than large numbers of unsuspecting computers carrying out their attacks at the behest of the infector and ignorance of the computer’s owner. Japan’s little toy, while it sounds like it might be fun to take for a spin, could have the unpleasant and unprecedented effect of being the cause of some serious collateral damage. Casualties of war? Here’s a tip for everyone: while you still have a chance, give that fave desktop or laptop of yours a great big hug before it’s too late.

1. Hackers of the World, Unite

Robin Hood met Mafia Boy last year as hacktivism took center stage. Indeed, 2011 was an entertaining year for anyone who followed the exploits of Anonymous and LulzSec. The drama unfolded like a kabuki play born in the mind of Ken Kesey and brought to life by a troupe of mimes with Tourette Syndrome, and there were even a few arrests along the way to make this reality show really…ahem… arresting.

Prediction: We will see some new hacking activity from these groups, with some high profile web takedowns in the process. While that’s not a stretch, this is: hacker groups like Anonymous and LulzSec will grow in size substantially, resembling an ‘occupy’ type movement that will take the war online. The civil and social unrest of 2011 will turn to face the financial behemoth that is the Internet.

2. Mobility Means Vulnerability

If we learned anything about spam in 2011, it’s that spam is like that proverbial bum of a brother-in-law who’s been living in your basement for the past two years. It’s not going away, good luck making it work for you, and you will be out-of-pocket at some point. Spammers continued to use every means at their disposal in 2011, with SMS spam becoming a real pain in the neck. Security flaws in the two most popular smartphone platforms – iOS and Android – just accented what we already suspected: that spammers and purveyors of malware had taken their show on the road.

Prediction: 2012 will see a massive increase in mobile spam, and mobile devices will become the swords upon which we will live or die unless we get mobile security under control.

3. It’s Nothing Personal…Well, Actually, It Is

A significant development in spam and phishing in 2011 was the way in which the scam artists were getting smarter; you know, smarter in much the same way that a chunk of igneous rock living at the bottom of a fetid riverbed is smarter than a rotting patch of lichen hanging for dear life to the side of an oak tree. Like it or not, the scambags are wilier, finding new and innovative ways to pick your pocket without actually residing in the same time zone.

Prediction: The scambags will become even cleverer in their assaults, finding new methods to lull people into a false sense of security. How this will occur remains to be seen, but our bold prediction is that it will most likely involve highly targeted, multilevel campaigns where the scammer will use detailed knowledge of the targets, and multiple contact methods like email, phone, SMS and even snail mail to enact their evil schemes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bold Predictions for 2012 (Part 2)

In a turn of events appropriate for the most tumultuous year in cybercrime, 2011’s body is barely cold and we’re already smelling something suspicious from its decomposing carcass. Rumors of two worms, one well-known and the other relatively new on the scene, have some of us wondering what will happen next in 2012, and the year has only just begun. In an attempt to put the preceding year into perspective, we take a look at what might be in store for the new year and beyond with some bold and not so far-fetched predictions for 2012.

PREDICTION: A Shiny New Worm with Every Census Report, Tax Return and Piece of Monetary Currency

First up for 2012 is a prediction that all bets will be off when it comes to understanding the nature – and source – of some of the most insidious malware in the known universe. In fact, the threat and very nature of the state-sponsored malware will only get more confusing, and most likely more disturbing, as we discover where and how it’s being used.

Discovered in 2010, Stuxnet was in the news again in 2011. A worm designed to target and damage industrial control systems (like the kind found in nuclear plants), it has been a source of great debate over who created it and what its ultimate purpose represented; but few could argue that with more than forty percent of Stuxnet’s infections landing in Iran, the nation was most likely the target from the get-go. Russia and others wasted no time pointing the finger squarely at the United States and Israel as the benefactors of the worm, which surely must be state-sponsored.

It seemed inconceivable that anything could top the news that broke late in the year about Stuxnet’s connection to Conficker, suggesting that the latter, a notorious botnet, was used to deliver the payload for Stuxnet. If rumors are true that Stuxnet is state-sponsored, the implication that spam might have been part of the delivery method can and must only leave a bad taste in people’s mouths.

As 2011 wheezed out its last few painful breaths however, a new development occurred in this bizarre tale, as it was revealed that ongoing research by Kaspersky Labs on Stuxnet uncovered a direct link between Stuxnet and Duqu – a worm, discovered only in September, which shares many of the attributes of Stuxnet. In fact, media outlets are reporting that the worms are suggestive of an ‘arsenal’ of malware that has been in development as early as 2007. The code kernel has been dubbed ‘Tilded’, in recognition of the author’s habit of using filenames that begin with ‘~d’.

The Prediction: Keep your eyes open for Tilded. We will continue to see new pieces of the puzzle unveil, and they will point at the government of a country – or perhaps multiple countries working in concert – all but providing conclusive proof of the party (or parties) responsible for this new and nefarious form of warfare. What will make this story even more notorious, however, is when it becomes clear that an unsuspecting public has been a major delivery mechanism for this 21^st century warfare, through the use of spam, malware, and botnets. And if that is true, it could very well be the case that some of those spammers you curse on a daily basis are actually nation states using spam to mask their cyber intelligence activities.

PREDICTION: The Cloud Will Get Stormy

While the Cloud was one of those recurring themes that flew, for the most part, under the radar in 2011, companies like Apple and Microsoft continued to push it like it is a silver bullet and a cure-all for everything that ails small companies to major corporations.

The Prediction: 2012 will see at least three Cloud-based security events, most likely linked in some way to spam, malware, hack attacks or compromised mobile devices. Furthermore, they will be high profile events, targeting Fortune 1000 or Global 1000 companies, or less likely a government agency. Anonymous will take credit for at least one of the breaches, and there will be a link with one of the breaches to North Korea and/or China.

Next week, in Part 2 of this story, we’ll take a look at some other bold and controversial predictions for 2012, and how we can learn something from 2011 – but only if we’re ready and willing to listen to it.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Looking Back At 2011 And Bold Predictions for 2012 (Part 1)

It’s the most wonderful time of the year, and what better way to take a look back at the year in spam than poke a little fun at the moronic state of the crap that invades our inboxes? In a year that saw major security breaches, several high profile botnet takedowns, and an unprecedented surge in personalized scams and mobile spam, we stop to reflect upon it all and submit a simple postulate: what if Dr. Seuss had been a spammer?

As the year winds down to a close, it’s only basic human nature to look back at the year that just passed and reflect upon it. In the world of spamming and Internet scams, that’s bound to be a painfully long look, since this has been a year fraught with new scams, major cybercrime busts, and unprecedented levels of security threats. With mobile devices providing the newest threat opportunities, and SMS spam picking up a head of steam as scammers get creative, we must be even more vigilant when fighting spam-related threats.

What’s in store for 2012? One must shudder when imagining the possibilities. If anything like 2011, next year will represent an even more dangerous landscape, cluttered with mines and booby traps the likes of which we’ve never seen.

Dire prophecies and doomsday mentality aside, it doesn’t hurt to poke fun at spam once in a while, and during the holidays, no one is more fun than the venerable Theodor Seuss Geisel, known to adoring children and former children alike as Dr. Seuss. Like many households, it’s a holiday tradition around here to watch How the Grinch Stole Christmas!, an annual ritual which inspired this writer to wonder: what if Dr. Seuss was still with us, and what if, ahem, wait for it…Dr. Seuss was a spammer?

The thought itself is sure to bring a smile to the face of anyone who has endured the miserable drivel that infests inboxes like brown marmorated stink bugs. Poorly written and replete with ludicrous stories that must have been contrived during bad acid trips, these emails often frustrate us, and occasionally make us smile by virtue of their sheer stupidity. What they do not do, however, is give us any confidence that the human race is poised to survive much longer, if this epidemic of oafishness is representative of the current state of the gene pool.

So without further ado, here’s a humble attempt at imagining what spam might be like, if written by Dr. Seuss:

The Spammer Who Stole Christmas?

Dear stranger, forgive me for this intrusion

I hope my letter will ease your confusion.

I will not, cannot state it enough

This is rough stuff, even a little tough.

There’s a Libyan prince who lost his good fortune

And my offer to you is a share of the portion.

I cannot get the funds out of my land

And I hope you will aid me by lending a hand.

You see, there are sums in excess of millions

If you give me your name, I’ll give you gazillions.

It’s okay to give me personal information

They don’t extradite criminals in my tiny nation.

Your bank account and credit cards are essential

They’re only for scamming and merely referential.

This is for good cause, I must admit

Send money now and show you commit.

I do not wish to enter a heated debate

Send it fast, send it now, it cannot wait.

The funds are for my stately Kenyan mansion

It’s in great need of a major expansion.

Happy Holidays to all!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

If Dr. Seuss Was a Spammer

In a fine example of international relations, Russia and the United States exchanged gifts early this year when they announced that the two countries are entering a new level of cooperation on cyber threat analysis and the global war on cyber crime. Reports have it that the event was a festive affair, with borscht and Philly cheese steaks for all. The Russian and American Santa Clauses only got into a tiff once, when Ded Moroz, the Russian version of the jolly old elf, made a comment about his counterpart’s excessive waistline and predilection for butting into the gumbo line for seconds and thirds. The gift exchange was equally revealing, with the American delegation reportedly bursting into tears when memories of a painful childhood were wiped away with carefully wrapped Easy Bake Ovens and Tickle Me Elmos. To make matters worse, since neither side could reach agreement on a real or artificial tree, Denny’s graciously provided a chocolate waterfall – a poor choice in hindsight, since the American delegation is still recovering from the sugar highs.

Who said it isn’t the season to be jolly? Not the U.S. and Russia, who announced this week that the two countries are entering an unprecedented level of cooperation in the war against cyber crime. Reuters is reporting that the countries are planning an exchange of information on “technical threats” coming from the two countries, an interesting development considering the increasing strain on relations between the two nations.

Reuters reports that Caitlin Hayden, spokeswoman for the White House National Security Council, explained that a series of mechanisms “aimed at confidence building and crisis prevention” are being developed to “cope with alarming events in cyberspace.” While not giving up the entire goose, she is quoted by Reuters as saying in an e-mail that new measures include:

“regular exchanges on technical threats that appear to emanate from one another’s territory [and] no-fail communications mechanisms to help prevent crisis escalation and build confidence.”

Whose confidence exactly is a bit of a mystery, but perhaps the two nations will unveil that little gem at their New Year’s Eve gala in Vegas.

Admittedly, such partnerships have been in place for a while, such as the Nuclear Risk Reduction Center, but Hayden said that new initiatives are:

“cyber-specific and [the U.S.] would begin working with Moscow for the first time.”

Reuters points out that this development is nothing new, as U.S. Vice President Biden has been discussing potential joint ventures for the last month or so, but in a sound bite that will surely resonate through the ages, Biden stated:

“It’s a great deal harder to assess another nation’s cyber-capabilities than to count their tanks.”

So, what does it all mean? Well, even ill-informed cyber junkies know that Russia has been a significant source of problems in cyberspace, spam included. Whether this particular initiative will target spamming and scamming initiatives themselves or just the fallout from them – worms, botnets, phishing, and a litany of other unpleasantries – remains to be seen. Some might argue that spamming is a ‘white collar’ crime affecting Joe User and not befitting superpower focus and information sharing, but others would argue that the fallout from spam and its brethren actually rain hellfire down upon national security and international relations. At very least, they keep law enforcement agencies extremely busy and sometimes even left holding the bag. Recent suggestions that Stuxnet was delivered on the back of Conficker certainly leaves a bad taste in many mouths, not the least of which is Russia itself, which in September called out the U.S. and Israel over the insinuations.

From the get-go, this seems problematic, and it doesn’t get any better when one considers the strained relationship between the two nations purported to be partnering in this new initiative. On the heels of Russia’s accusations over Stuxnet, a Stuxnet-like attack occurred for the first time on U.S. soil when a water treatment plant in Illinois was attacked in November, an attack that, curiously, originated in Russia. As Reuters points out, there’s no love lost between the two nations, and in October a U.S. Intelligence report to congress revealed that Russia’s Intelligence services are:

“conducting a range of activities to collect economic information and technology from U.S. targets.”

Ouch. Sounds like this is going to be one of those Christmases where the in-laws end up tearing down the tree, setting the family dog on fire, and where the neighbors end up calling-in a domestic dispute. Here’s hoping the U.S. included a gift receipt with those matryoshka dolls.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Russia and U.S. Celebrate an Early Festive Season

Stuxnet, arguably the most interesting and bone chilling discovery in the history of computer security threats, is back in the news this week. This time, however, it’s brought a friend – one familiar to security experts and IT personnel alike. If the report from one of the world’s foremost experts is accurate, then it’s going to be a merry Christmas indeed for conspiracy theorists and lovers of international intrigue – and potentially a headache for a couple of governments which are being pressed to fess up about the true origins of Stuxnet and Conficker.

When its presence became known in June 2010, the mere existence of the Stuxnet worm sent shudders through international cybersecurity circles. In case you were off-world at the time of the incident, here’s the skinny: Stuxnet is spread via Microsoft Windows and targets Siemens industrial software and equipment. Although it’s not the first time hackers have targeted industrial systems, it is the first malware to spy on and compromise industrial equipment, and the first to include a programmable logic controller (PLC) rootkit.

What made Stuxnet particularly interesting to conspiracy theorists was where, specifically, it landed. 60% of occurrences of Stuxnet infections were in Iran, and five variants of the worm were discovered at various Iranian facilities, with the apparent target being Iran’s nuclear programme. Stuxnet’s ability to control Supervisory Control And Data Acquisition (SCADA) systems – the kind found in industrial plants – has wreaked havoc on the Iranian nuke programme, particularly at the country’s uranium enrichment facility at Natanz, where, according to Haarretz, “the centrifuge operational capacity has dropped over the past year by 30 percent.”

News of the industrial worm quickly became the stuff of a Tom Clancy novel or Hollywood thriller. Stuxnet’s sheer sophistication and the level of resources required to enact such an attack made it clear that Stuxnet was most likely state-sponsored. Accusations flew about the originator of the worm, and in a fine example of inductive reasoning, fingers were squarely pointed at the U.S. and Israel.

Enter Conficker

Much ado has been made of Stuxnet, and as might have been expected, nothing’s been proven about the source of the worm; but in what is sure to be only the beginning of a heated new debate, this week several media outlets have reported that a

“a celebrated ‘uber-hacker’ with 18 years of service in Special Operations and intelligence,” has linked Stuxnet to Conficker. No, that wasn’t a typo.

John Bumgarner, a retired U.S. Army special-operations veteran, former intelligence officer, and current CTO of the not-for-profit U.S. Cyber Consequences Unit, says he discovered the link between Stuxnet and Conficker only after,

“spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code,” according to Reuters.

In case you’ve been off-world AND living under a rock, Conficker is one of the most devastating and pervasive worms, discovered in 2008 and infecting millions of computers in over 200 countries. The worm is traditionally thought to be the work of an organized crime gang in Eastern Europe, because, much like Stuxnet, Conficker is very sophisticated, probably required immense resources to create, and is extremely difficult to detect and destroy.

“Conficker was a door-kicker,” Reuters quoted Bumgarner. “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”

Let’s be clear: Bumgarner thinks he knows who is behind the two programs, but he’s not saying who, because the matter is “too sensitive to discuss.”

According to Reuters, “The White House and the FBI declined to comment,” and, “Prime Minister Benjamin Netanyahu’s office, which oversees Israel’s intelligence agencies, also declined comment.”

Is it really possible that the botnet propagated by Conficker was all for the purpose of setting up a state-sponsored attack?

Huh?

Things get even stranger from here. In September, Techworld reported that for the first time the Russian government has officially blamed the U.S. and Israel for Stuxnet, calling it “the only proven case of actual cyber-warfare”. And wouldn’t you know it? In related story, a water plant in Illinois was hacked in mid-November, an attack that apparently originated from Russia, and like Stuxnet, targeted the plant’s SCADA system.  In the attack, the hackers gained control of the plant’s equipment and damaged it, the first such type of attack on U.S. soil.

Confused? You should be. If we’re to glean anything from these latest developments, let’s at least take away the following: that a) Conficker may have been the delivery mechanism for Stuxnet, and b) Jerry Bruckheimer’s probably finalizing scripts at this very moment.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Conficker Linked to Stuxnet, Conspiracy Theory Activity Up 530%

Regardless, you can learn quite a bit from stats; and the ones below are listed for just that purpose. Each one will teach you a little something about spam to keep your inbox as safe as possible.

1. The Rustock botnet comprised of up to 1.7 million computers.

Sure, Microsoft engineered the takedown of this botnet but think about this, there were close to two million computers infected with the software that turned them into zombies.

This means that traditional anti-malware isn’t providing the protection that people thought it does. To keep a computer or network as clean as possible there needs to be a comprehensive anti-malware solution that protects the desktop, mobile devices, servers, email and web sites.

2. 90% of spam is in English.

On the surface this may seem insignificant. But a year ago, 96% of all spam was written in English.

What this means for you is that spammers are coming from many different countries so anti-spam laws in places like the United States and Canada won’t be as much of a deterrent to these people.

3. One in 445 emails is a phishing email.

Phishing leads to financial, confidential, and personal information being stolen to the tune of over 2 billion dollars every years. Since the average professional receives more than 100 emails each day odds are you are coming into contact with some type of phishing attempt at least once a week, and possibly more.

4. One in 284 emails contains malware.

When people stopped falling for the Nigerian scams and the pharmaceutical email advertisements spammers had to look for other avenues in which to make money. Delivering malware via email is one. Think of how many times people fall for fake anti-virus pop-ups or have been infected with various Trojans that turn their computers into zombies that can be rented out with various botnets and you can see why many spammers turn towards these money making opportunities.

5. 91% of all spam emails contain a link.

If the spam you receive doesn’t contain a malicious program that doesn’t mean you are out of the woods just yet. The link you clicked on could be sending you to a malicious website that infects your computer just as easily. What’s worse is that most spam filtering solutions don’t actively block emails that contain links like they do when it comes to executable file attachments.

Users need to be aware that links can be just as dangerous as downloads when it comes to malware. Part of any user education training should include a section about malicious websites and the fact that spammers often send links to them via email.

6. Two thirds of all spam is related to the pharmaceutical industry.

Spammers don’t waste their time sending out advertisements for things they don’t make money on. So when you see so much effort being placed on the Internet pharmacy industry you know that someone is buying from these guys.

The problem isn’t just that these email messages are tying up your inbox, but that people are actually buying medicines that are often unregulated or even counterfeit.

What people should take away from this is the fact that spammers tend to stick with what works for them. When the money dries up from Pharma spam, they will turn to something else.

The thing about statistics is that they can be tweaked to provide facts for whatever it is you are trying to prove. In fact, some statistics show that spam is actually at an all time low. What they don’t tell you is that email spam is at an all time low because spammers have simply taken different approaches to how they send junk emails to their victims.

No matter what the statistics say about spam, the problem still exists and it still costs businesses and individuals time and money.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

6 Spam Stats You Can Learn From

Whether it arrives in the form of a junk email advertising for prescription drugs or a shared post in Google+, spam is one of the most annoying and costly things we have to deal with every time we log onto our computers.

However spam can be kept under control. By understanding some of the fundamentals about how spam, and spammers, work you can reduce the amount of junk you receive to a minimum.

1. Spammers are in this business to make money.

Most spammers will try to legitimize their emails by including the disclaimer stating you can be removed from future mailings by replying to the message with a specific subject line or message content.

Understand that if they obtained your email illegally or illicitly then politely asking them to remove you from their list isn’t going to stop them. It is simply telling them that the email address they have is one that is actively monitored by you. This means more spam.

Spammers are also creative in how they deliver spam. They understand that once a market dries up, they have to move on to something more lucrative.

Take email for example; for a long time, email was the preferred delivery method of spam. Once spam filters became more effective, the spammers moved on to comment spam. Akismet and other tools have worked to fight spam on comment enabled websites so the spammers turned their attention towards social networks like Facebook and Google+.

2. Spammers are good at social engineering.

The reason spam is so successful is that spammers know exactly what to say, or promote, to make people fall for their schemes.

Take the Nigerian 419 scams. Those actually worked. People fell for those scams because the spammers knew to tap into the driving force of greed. The mass advertisements for Viagra also make spammers a nice chunk of change. Why, because men are too embarrassed to go to their doctor or pharmacy to get this drug. If they order it online from an advertisement promising discreet ordering and delivery then the embarrassment factor is removed.

These skills have followed them to the social networking world as well. Spammers know that the more followers or friends a person has, the more popular, important or relevant they appear to others. They simply weasel their way into as many social circles as they can.

3. Spam is not going anywhere.

There are always reports that the amount of spam is reducing or that we are winning the war on spam. This is simply not true. In fact one company that recently claimed spam was down has just turned around to state that the number of spam messages has increased.

The truth is, spam is a see-saw battle because the battlefield changes so often. For a while email spam might be down but social network spam up. Then comment spam takes over until people catch on and concentrate their efforts on fighting it there. Spammers might move to SMS spam at that point. But as long as money can be made, spam will continue.

4. Spam is cheap to produce.

The reason spam is so effective is that it is so cheap to send. Spammers rent huge networks of computers, or botnets, that flood email inboxes with spam for as little as 9 dollars an hour or 67 dollars for 24 hours according to a report from ZDNet.

Even as spam filters learn how to better identify mailings sent from botnets, humans in developing countries can be hired to send spam through various channels. Log into any number of freelance worker sites and see how many people are bidding on jobs that look eerily similar to spam.

For a couple of bucks a legion of foreign workers can be hired to post comments, send or retweet messages, post to a wall, etc. None of which is meant for real interaction or adding value. It simply exists as spam.

5. Spam costs money to fight.

The truth of the matter is, spam is costly. These messages cost money to filter, to store, to read, to delete, etc.

But if you go into the fight thinking that you can simply download a bit of free software and your problems will disappear then you may be adding to the problem because some of the things you get for free actually spreads the malware that builds bigger botnets.

To effectively fight spam you have to be diligent. Research the tools that fit your organization’s needs and make an educated decision based on what solution can provide you with adequate protection while also fitting into your budget.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Things You Need to Know About Spam

With the world about to end on Tuesday, you probably have more pressing matters on your agenda, like kissing your kids goodbye, donning your tinfoil hat, booking the first available space ark to Mars, and spending some last special moments with the one you love the most – the Internet – using that quality time to finish those Torrent downloads, grab some virtual games for the long trip, and search for a good recipe for soylent green. But just in case the Earth doesn’t get into a smackdown with an asteroid the size of an aircraft carrier and we’re not all converted into the cosmic equivalent of a badly shipped box of corn flakes, you may want to take note of the latest SSL Certificate security breach. And when you hear how long the purported malware has been infecting their servers, you may be tempted to dust off your old typewriter and dig your fax machine out of the rummage pile in the basement.

The encryption method that provides nearly every secure online transaction today is reliant upon third parties – the Certificate Authorities – to ensure that every connection is digitally signed as a reliable source; so what if those certificates are compromised? Well, for starters, we may be taking on some new computer overhead in the form of botnets or spyware. But that’s just speculation, right? CAs offer secure digital transactions and we can all sleep at night, right?

[Sigh]. The hits just keep on coming in a year that has seen massive security breaches and data breaches, the unprecedented rise of hacktivism, the hacking of SSL/TLS, deadly new botnets and smarter spammers. Amidst all these high-profile stories, it may be tempting to turn a blind eye from a number of security breaches at SSL Certificate Authorities in 2011, and in case you were wondering, there have been a few. In fact, more than a half dozen CAs have been breached this year, including four different Comodo resellers, DigiNotar, StartSSL, and the ubiquitous GlobalSign. Now, the fine people over at The Register are reporting that KPN Corporate Market, based in the Netherlands, has ceased issuing any new Secure Sockets Layer certificates after it discovered attack tools stored on its servers.

The tools in question were Distributed Denial of Service (DDoS) attack mechanisms and while that may seem like serious business to most of us, KPN wants to assure us that it probably isn’t anything to worry about.

“There is no evidence,” The Register states, “that the compromise affects KPN servers used to generate the certificates that Google, eBay, and millions of other services use to cryptographically prove their websites are authentic, rather than easily created imposters. But the possibility cannot be completely excluded” KPN officials said in a statement issued Friday (Google translation here).

Okay, it most likely isn’t anything. Well, it could be something, but how can anyone possibly know? I mean, it’s not like the malicious software has been sitting there on the certificate servers, for like, oh, I don’t know, four years or anything. Right?

KPN states that they were taking action while they continue to investigate the breach, “which may have taken place as long as four years ago.”

C’MON, MAN! Four years? Are you freaking kidding me? To put that into perspective, that’s one-fifth of the lifetime of the World Wide Web. CA’s are supposed to be the front line of defense against botnets, spyware, adware, and a host of other security risks. I don’t know if it’s even possible (I’m sure it is) to estimate just how many certificates have been assigned in four years, but when you consider the aforementioned breaches of other CAs – all this year – it makes one wonder if we’ve been treading water in the River Styx all these years. “The compromise underscores the fragility of an SSL system that’s only as trustworthy as its most insecure, or most corrupt, member,” notes The Register. Around since 1994, there is plenty of speculation today to suggest that SSL is truly broken.

The Register points out that there are more than 600 CAs trusted by today’s mainstream browsers and all that’s needed to forge a replica of a credential for [insert website here] is unauthorized access to one CA. From an anti-spam perspective, it’s bad enough that we have to worry about the websites that represent a clear and present danger. What happens when we can’t trust any sites?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Latest SSL Certificate Breach Sparks Renewed Interest in Phone Booths, Typewriters and Fax Machines

That’s right, we are talking about CAPTCHA.

CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is a simple challenge-response test given to make sure that whoever is filling out an online form is actually a human being, not a bot trolling the Internet for victims. Those bots are usually looking for email or contact forms that they can spam, or trying to register for services that they can use to send spam.

So despite the fact that many humans had trouble reading CAPTCHA phrases and entering them correctly, we put up with these little tests because it helped fight spam.

Little did we know that CAPTCHAs can easily be thwarted.

Past Problems with CAPTCHA

Most people have encountered that one site with a CAPTCHA code so illegible that they try time and time again to enter it only to be met with: “Incorrect code, please try again.”

After too many unsuccessful attempts, people grow frustrated to the point that many web designers nowadays don’t recommend using CAPTCHA as a method for preventing spam. One designer used the analogy:

“Using a CAPTCHA code on most sites is like using a Humvee to crack an egg”

to show how overly aggressive this technique can be.

In addition to user frustrations, these codes haven’t always been the solution to problems with spam.

In 2008 Google found that bots were being used to create thousands of fake Gmail accounts despite their practice of using CAPTCHA to block fake, computer generated registrations. Microsoft also found their Live Mail service was being targeted by bots which were also creating fake accounts.

Both of these instances proved that CAPTCHA had been broken. And like any responsible security service, the folks who developed CAPTCHA went to work on fixing the holes that were used to bypass their security measures.

But that only lasted so long as well. In addition to fighting scammers who use technology to exploit the vulnerabilities in CAPTCHA there is also the problem of outsourcing.

Spammers who don’t want to fight the system via superior technology have simply taken to paying people in China, India, Bangladesh and other developing countries to register by hand. These people sift through the jumbled text diligently typing each character into the box and hitting submit all for a whopping 80 cents per 1000 boxes deciphered. Some pay as high as $1.20 per 1000 and jobs like this are plentiful on the many freelancer sites out there.

New Vulnerabilities Found

Luckily, a good number of vulnerabilities are found by researchers whose intentions are to make security products better. People with phenomenal programming skills and the ability to think outside the box spend hours researching ways they can defeat computer systems in order to make them more secure.

So when a research team out of Stanford University claimed that they have found a way to defeat a number of CAPTCHA systems with a program called Decaptcha, people had to take notice.

The team, consisting of Elie Bursztien, Matthieu Martin, and John Mitchell, created a five step process that removes all of the distortion and noise from the images so that the computer can more easily read the challenge so that it can provide the correct response. And the results are pretty interesting. Visa’s Authorize.net was beat 66% of the time, Blizzard Entertainment’s CAPTCHA system was bypassed 70% of the time, other sites like CNN, eBay and Wikipedia also saw high success rates.

The only ones that were not beat by Decaptcha were those used by Google and reCaptcha.

The Stanford team said they have no plans to release Decaptcha to the public, however their findings mean that it is only a matter of time before criminal organizations find new ways to circumvent CAPTCHA yet again without having to exploit armies of third-world employees to do their dirty work for them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

CAPTCHA Cracked Again

Just in time for Halloween, one of the world’s stealthiest, most pervasive, and just plain terrifying botnets has received a complete makeover. A disturbing development in an arena where adware, malware, botnets and Trojans are already making our worst nightmares come true, the new face of TDL4 suggests that our anti-spam efforts will become even more trying. Not to be outdone, M. Night Shyamalan is rumored to be taking the directing helm for an overtly artsy movie treatment of the situation. Mercifully, reports suggest that the movie will circumvent theaters and go straight to Blu-Ray.

In an attempt to reinforce the gravity of the situation – and in keeping with the time of the year – we could implement some irritatingly flashing lights, pithy onomatopoeias, and ghoulish sound effects to convey the gravity of the situation; but like some of the greatest horror movies in the history of Hollywood, this is one of those instances where special effects and overdramatics just aren’t needed. This one is standalone scary. The TDL4 botnet, also known as Alureon and TDSS, recently received a thorough makeover, and if it’s as bad as some of the researchers are reporting, we may be the ones picking up the tab for the rootkit’s sexy new look.

Considered by many as the most sophisticated threat out there, TDL4 already had a reputation for being a naughty little boy before this most recent development in its evolution. With the ability to evade detection – either signature or heuristic based – and its encryption-based communication between bots and the botnet command and control center, TDL4 also contains a rootkit component which forces payloads of keyloggers, adware and other malware onto infected systems.

A major aspect of TDL4’s new look is in the way it infects its prey. According to The Register, “The makeover includes changes to the way TDL4 attempts to remain undetected by antivirus programs and other defenses. Newer versions create a hidden partition at the end of the infected machine’s hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run.” Furthermore, the malware has a nasty way of protecting itself against removal. “The partition is equipped with an advanced file system that checks the integrity of TDL4 components. If any of the files are corrupted, they’re removed.”

A chilling aspect to this story is the premonition that the reason for TDL4’s overhaul is most likely due to some new opportunities to conduct some nefarious business. “The code overhaul,” writes The Register, “may mean that operators of TDL4, which is used to force keyloggers, adware, and other malicious programs onto compromised machines, may have started providing services to other crimeware groups.” It’s pervasive and fast-moving, too. In June, the rootkit overtook 4.5 million computers in just three months.

In 2010, Vyacheslav Rusakov examined the rootkit in great detail and noted that, “There is no doubt that TDL-4 is ‘armed to the teeth’ and poses a very serious threat to users.” He also notes an increase in infections of 64 bit systems, not surprising since TDL4 was, “among the first rootkits to infect 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy. With the continued and increased usage of 64 bit systems, it’s inevitable that more and more malware will target these systems, and there are inherent problems with this new breed of malware. Rusakov points out that, “most contemporary antivirus, and specifically anti-rootkit, technologies are no match for threats targeting 64-bit platforms, which makes the average malware writer’s life much easier.”

As usual, we’re either just keeping up, or more likely, falling behind in the battle against malware. “The latest changes suggest that the relentless innovation of those developing TDL4 shows no signs of slowing,” reports The Register, and there’s no arguing with the obvious.

As I write this article on the eve before Halloween, I stop to stare out my window at the first snowfall of the pending winter. The last remnants of the summer – the dead and dying leaves – are unceremoniously ripped from the trees by an unfriendly arctic blast. Perhaps it’s my overactive imagination combined with the starkness of Halloween, but the imagery seems fitting.  If this new demon that is TDL4 is half the monster that they’re saying it is, 2012 is going to be a scary year.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

BOO! TDL4 Botnet Makeover Scary as Hell

Microsoft has filed a lawsuit against the head of a Czech malware ring that controlled a botnet that infected tens of thousands of computers. The company believes Dominique Alexander Piatti, a Czech resident, is the mastermind behind the Kelihos botnet, and says Piatti rented it out to other cybercriminals. A company named dotFREE Group S.R.O is also named in the suit.

“The Kelihos Botnet operators sell botnet capacity as a service, including the capability of sending spam email to perpetuate fraud, to collect financial and personal data, and to distribute harmful and malicious software,” Microsoft alleged in court papers filed in U.S. District Court for Eastern Virginia.

Last week, Microsoft won a court order that demanded that the U.S. based hosts of the botnet’s  cz.cc domain to cut service to it, thereby severing the domain’s link to the computers it infected. It says this is the first time a botnet operator has been named in a civil suit.

“Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate,” a company attorney said in a statement.

This isn’t the first time a botnet operator has been sued, but does it make sense? Winning such a suit really doesn’t achieve much as the likelihood of collecting whatever judgment is levied against the botnet operator is slim to none, and it’s not likely to stop them from committing their crimes either. Are the legal fees and time spent worth it to simply prove a point? Do you think suing spammers and botnet operators is a good practice?  Has your company ever sued a spammer? Please leave a comment and tell us what you think!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Taking Aim at Kelihos Botnet

In a shocking development for anyone still living in 2009, this week the U.S. Government has decided to tackle botnets head-on. Some have speculated that a high-up mucky-muck over at DHS thought it would be ‘a pretty neat thing to do,’ considering the timing (Hugh Jackman’s Rocky reboot robot revival Real Steel also hit theatres this week). While government spokespeople deny rumors that Optimus Prime is involved in this radical move, most ISPs are groaning, rolling their eyes, and wondering where they put their contact information for Megatron.

Sigh. In a world of the mundane, the lamest is the King of nothing special. Once again this week, the U.S. Government proved that axiom and their incessant ability to underwhelm when it comes to the ever-heated battle of the botnets. Multiple reports have cited the Department of Homeland Security (DHS), National Institute for Standards and Technology (NIST), and others as generating a wormhole in space-time this week and stepping back into 2009, when and where they encouraged ISPs to adopt a code of conduct for preventing, detecting, and dealing with botnet activity.

Okay, the wormhole may be a stretch, but perhaps you now understand the tone of this article. This baffling move on the part of the government is strange, uncomfortable and highly inappropriate, for several reasons. First, it’s not and never should be the role of government to ‘gently suggest’ (i.e., threaten to legislate) best practices in a business and technology they know nothing about. Let’s face it: the U.S. Government has problems of its own without pointing out to someone else that their fly  is open. If you doubt me, look here, here, and here.

Second – and not to sound like a conspiracy theorist – but any time there’s a threat of the government sticking its fingers into people’s personal information, one cannot help but feel uncomfortable. In a request for information on the Federal Register on a voluntary ‘Code of Conduct,’ DHS said that one possible suggestion was to “encourage ISPs to send consumer support queries to a centralized consumer resource center that could be supported by a wide number of players. Such a resource center could reduce the burden on corporate customer support centers by pooling resources.” If you’re anything like me, reading that passage is probably giving you an irritating twitch in your right eye just now.

Finally, and most importantly, if one is to take a leadership role, one actually must…uhm, how can I put this delicately? Lead. There it is. The fact is, what the U.S. Government is trying to do seems like a severe act of self-deprecation, if the purpose of the meeting this week was to point out to the world that they weren’t aware that the ISPs have been doing just fine, thank you very much, in dealing with botnets over the past few years. Writes Kelly Jackson Higgins on Dark Reading: “ISPs such as Comcast, which two years ago was one of the first to employ a bot-notification service, notify customers whose machines they spot as bot-infected. Comcast’s free Constant Guard Security program directs the infected user to the antivirus center, where he follows directions to remove the bot malware.”

Fortunately, I’m not the only one who sees it that way. In fact, there’s a long line of private sector organizations who are ready to tell the government to keep their greasy paws off of something they know nothing about: “The Messaging Anti-Abuse Working Group (MAAWG), which is made up of ISPs, email providers, and security vendors including AT&T, Cisco, McAfee, Facebook, and Verizon, sees the federal effort as unnecessary and redundant, and is balking at the idea of the government legislating how ISPs handle bot-infected customers.”

Boo-yah! No kidding. No one can blame the ISPs for getting antsy when government suggests a central repository (it incites thoughts of a suppository. Just saying.) for information on their clients – us – and I can’t see this one going too far, based on early reactions from the non-government players.

So where does that leave us? Well, we can’t dismiss some of the information that came out of this event. According to press release from NIST, there are an estimated 4 million new botnet infections each month. The White House’s Cybersecurity coordinator pointed out in his keynote address that fighting these infections “requires a combination of efforts in which everyone has a role to play.”

Great, now get out of the way and let the ISPs do what they do best.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

U.S. Gov’t Time Travels to 2009 to Fight Botnets; No One Cheers

Spam-ready tablets off the shelves? Zombie PCs out of the box? Testifying before U.S. Congress this week, a top official for the Department of Homeland Security said that technology being imported into the country is sometimes known to contain preloaded security threats. The disturbing news leaves us wondering what’s next – perhaps our credit card numbers automatically being published to Twitter and Facebook when we sign up for an account?

As if the raging war on spam isn’t bad enough, an ominous moment in U.S. Congress this week should leave an unsettling feeling in anyone who has purchased a PC, tablet, or any other connected device; anyone who worries about the safety of their information, for that matter – in other words, pretty much everyone.

Testifying before Congress at the House Oversight and Government Reform Committee this week, Greg Schaffer –the Department of Homeland Security (DHS) Assistant Secretary for Cybersecurity and Communications – admitted that Homeland Security and the White House are aware that electronics and software imported into and sold in the United States are sometimes pre-installed with malware, spyware, keyloggers, and even the components of botnets. Not only are they aware of these threat-laden devices, various media outlets report, but in fact they have been aware for quite some time.

Fast Company first reported the story on Friday. Schaffer was testifying in a tense exchange between himself and Representative Jason Chaffetz. “When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that ‘I am aware of instances where that has happened,’” but not before a long pause where Schaffer seemingly considered the implications of his answer.

According to PC World, Schaffer didn’t go as far as singling out PCs, tablets, or even DVDs and smart phones.

“Schaffer admitted he is aware of instances when foreign-made technology was built with embedded security risks but did not elaborate on what kind of equipment DHS has encountered. He also pointed out that overseas components are found in many domestically manufactured electronics.” [Emphasis added]

It’s not news that some consumer devices and products have entered the retail world with viruses or other malware. Several years ago, digital picture frames with USB ports were found to be infected, and every so often a piece of software is inadvertently set into the wild with some sort of Trojan or some such malware. What makes this story chilling, however, is Schaffer’s implication that the problem could be far larger than just the odd digital photo frame or errant code in a piece of software. If the malware is actually hard-coded onto a chip – as opposed to pre-installed on a hard disk drive – then these chips could be finding their way into everything that has a wired or wireless connection with the Internet. The problem? Hard drives can be wiped. Onboard chips are like taxes – they’re there for life.

Neal Ungerleider of Fast Company suggests that something sinister may be at work here, drawing from the White House’s Cyberspace Policy Review:

“[In the review] is a small acknowledgment that the Executive Branch knows something weird is happening in imported tech:

‘The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions…The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.’” [Emphasis added]

Don’t Panic!

As disturbingly eerie as this information certainly is, it poses the question: what can we do about it? The answer is readily available. Nothing – at least not as single consumers or even as IT/IS Managers. Some might decide to throw out all their devices and in a Walden moment, return to nature, resorting to carrier pigeons and smoke signals to communicate with the outside world; but most of us recognize that technology owns us now, and for good or for bad, better or worse, we like it. Heck, we love it! We refuse to reject technology because, well, how could we? It makes our lives easier. It makes our lives better, at least if you believe the mantras of GE (We Bring Good Things to Life) and LG (Life’s Good).

Conspiracy Theory

Assume for a moment that the White House and other governments know far more than they’re saying (not a leap at all). Then assume that detecting and removing these hard-coded security risks not only represents a huge difficulty, but rather a virtual impossibility (not a stretch). Now imagine that the threats represented by this built-in malware could be a mixture of state-sponsored and/or private interests – some in it for innocuous concepts like ‘national security’ and some in it for more tangible returns like money. Finally, imagine if the whole truth got out – how it would create such a panic that Greece’s finances would seem rock-solid next to what was left of the global economy. No wonder Schaffer took so long to answer.

As much as it sounds like the stuff that Hollywood is made of, the truth is in there somewhere. If so, then (for all you Star Trek fans) like the Borg, this new threat is lurking and waiting, ready to pounce and assimilate your information, and there’s not a darned thing you – or anyone else – can do about it. Come to think of it, spam is the equivalent of the Borg – maybe even a progenitor of the 24th Century race.

I think I’m going to avoid the rush and post all my personal information on Twitter. I hate waiting.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

U.S. Official Admits Imported Computer Tech is Known to be Infected

Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking down the likes of Rustock and other botnets.

If email spam is a recurring nightmare from which you cannot seem to wake, read on. At the half year mark of 2011, some seemingly good news has poked its head over the horizon, with the promise of a brighter future. Unfortunately, the news isn’t all good; in fact, like spammers, it’s a little deceiving.

According to a new (June 2011) report published by Cisco Security Intelligence Operations (SIO) entitled “Email Attacks: This Time It’s Personal,” cybercriminals are dumping the ‘throw it against the wall and see if it sticks’ approach of indiscriminate spam, so much so that Cisco’s reports the, “annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half.” The report goes on to state that the volume of overall random spam in the past year has declined by more than 80 percent, a figure that sounds a little on the high side, but no one can deny that spam volumes have dipped since the Rustock Botnet takedown in March.

Cisco SIO reports that the financial impact of this decline is significant.

“Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.”  

The direct impact of spam emails is even greater, down from 300 billion spam messages a day in June 2010 to 40 billion a day in June 2011.

Generally speaking, people continue to be smart enough to recognize a scam when they see one, but interestingly enough, those who aren’t are getting taken for more money. While Cisco SIO reports that the average user continues to be smart enough not to click that link, resulting in low user conversion rates (the amount of people who actually end up getting fleeced), that this figure “is partially offset by increases in the average user spending on conversions.” Cisco SIO attributes this increase in the spam artists using personalization tools, better-crafted scams and more effective malicious attacks, and reports that the level of personal information being divulged has resulted in larger paydays for the scammers.

So how much does an errant click cost? $250, according to the report. Cisco SIO explains the methodology used in arriving at this figure:

“This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient.”

Now for the bad news:  even though random email spam has experienced a large decline, the amount of money being made by the scammers has quadrupled. Using the estimates explained above, Cisco SIO reports that “scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.”

Oh, the irony!

In what feels like a ‘why did they kick the hornets’ nest?’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.” The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.”

Oh, the humanity! If what this report states is true (and it sure sounds about right), then by deposing the former ruler – the incessant glut of email-pushing online pharmacies, instant university degrees, Internet casinos, and secret fortunes waiting to be smuggled out of some foreign country – in its place the law enforcement community has established a new despot: the smarter, more focused scammer!

Evolutionary Change and Survival of the Craftiest

In fact, Cisco SIO reports:

“as part of the evolution of the criminal ecosystem, [the growing number of scams and malicious] attacks are becoming highly focused.”

Scammers are taking greater care in their approach as they carry out schemes designed to rob people of their hard-earned Benjamins. They’re taking to other means – such as SMS, social media like Facebook, Twitter and Tumblr, the tried-and-true telephone scam, and even  eBook readers – and they “are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position.” Examples of these scams, Cisco SIO reports, are:

• SMS financial fraud scams to specific locales
• Email campaigns that use URL shortening services
• Social media scams, where the criminal befriends a user or group of users for financial gain

Spearphishing is on the rise and has experienced its own evolution, Cisco SIO states:

“Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content.”

If the cyber scammers are getting smarter, then it’s imperative that we, too, evolve. Cyber criminals made $150 million this year from spear phishing, according to Cisco, and that kind of return on investment speaks for itself. Spam won’t go away, ever. But like a nasty super virus that evolves and mutates into an antibiotic-resistant strain, spam marches on, even if it’s only to the beat of a new drum.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Reduced, Targeted Attacks on the Rise: Cisco

There are a number of reasons why I believe this is inevitable, which I list out below:

Data leakage of email addresses

Ever signed up for a new social networking service, or online storage provider?  The chances are 10 out of 10 that you will be asked for your email address.  Ditto when signing up for an Internet forum, downloading a “free” white paper or even when posting a comment on a blog (mostly).  While I am not in any way downplaying the trustworthiness of your favorite haunts on the web, every additional website on which your email address is surrendered represents another location from which your email address may be pilfered by unethical employees or stolen outright by hackers.

The latter is not an idle assertion either, given the number of online break-ins that have made the news of late.  Remember, we are not even talking about successful raids that went undetected, or where administrators have decided not to keep quiet.

Use of email addresses as usernames

Every online service that I can think of encourages (or enforces) the use of the email address as a username.  Using fake or throwaway addresses is not an option in many of these situations due to validation procedures as well as their role in recovering from misplaced passwords.  This practice results is more spam, since online services typically include the right to send “important messages” your way as part of the terms and conditions for their use.  While not malicious in nature, users can expect the occasional ads for new services or even regular news updates – which can stack up to a hefty number.

What is frustrating here are the lengthy steps usually required to opt out of them or to shut down the associated accounts.  Moreover, these email addresses could also be resold by unscrupulous service providers, or result in more spam if users unwittingly cede permission for “selected third party” vendors to get “in touch.”  Indeed, the value of such email addresses are higher given that they are validated – more so if they were accessed recently.

Reusing of passwords

The number of high profile breaches in which unencrypted passwords were exposed is clear evidence that not all websites adhere to best practices when it comes to protecting passwords.  I believe that this is but the tip of the iceberg when it comes to reusing passwords across multiple sites.  While not directly related to one’s receipt of spam, it is bad news for the security of email accounts – it will certainly be an easy matter for spammers to log into legitimate email accounts using stolen passwords to distribute spam or nick your email contacts.

Spam campaigns run from botnets

It used to be that spam messages are sent using open relays left there by careless administrators, exploiting the vulnerabilities of existing email servers or by means of backscatter techniques.  However, these vectors are increasingly being dwarfed by the use of infected computers shepherded into sophisticated and resilient botnets for the sending of spam.

For example, consider the TDL-4 botnet which was dissected and found to contain measures that make it “practically indestructible.”  With an estimated 4.5 million nodes in the mega botnet, it is understood that an installation of the TDL-4 botnet also incorporates a spambot.  While blacklists can certainly be used to defend against direct spam originating from end-user IP addresses; the sheer number of nodes does throw the door wide open for a wide variety of indirect attack methods.  Moreover, some of the infected nodes may include legitimate email servers, which can only serve to lower the effectiveness of blacklisting techniques as more mail servers end up being blacklisted.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why The Spam Threat Will Only Get Bigger

Robert Soloway, the spammer who made $20,000 a day back in the 1990s and was forced to pay $17 million in civil judgments, made it back into the news cycle when he was recently quoted as saying  that in current times

“(spamming is) not something financially feasible for anyone to even consider”

only months after his release from the Federal Correctional Institute in Oregon for his hand in violating the CAN-SPAM Act.

Over the years, we have seen the takedown of quite a few infamous spammers. So many that we have forgotten some of the pioneers and true dregs of cyber-society. Let’s see how many of this list you remember, or if you can think of any that can be added.

Dave Rhodes

The author of the famous MAKE.MONEY.FAST chain letter that made the rounds in the late 80s.  Legend has it that the letter was uploaded as a text file on a BBS in 1987 and then worked its way around until 1994 when it really became big.

The nature of this scam was that the recipient was instructed to send $1 to six different people via Paypal. Upon doing so, the recipient’s name would be placed on the list to receive money from others, and so on.

The true identity of Dave Rhodes has never been established.

Oleg Nikolaenko

The infamous King of Spam is currently awaiting trial in a detention facility in Milwaukee, Wisconsin for violating the CAN-SPAM Act after being arrested by the FBI in 2009.

Messages advertising counterfeit Rolex watches, herbal supplements and pharmaceuticals was the spam of choice for the 24 year old who was also credited with running the Mega-D botnet.

Davis Wolfgang Hawke

The press called him the spam Nazi because he not only made money from spam, but also use it to spread messages to bolster membership in his neo-Nazi groups.

Hawke started Amazing Internet Products with Brad Bournival in 2003 and the two began grossing roughly $500,000 per month advertising for a Yohimbe product called Pinacle.  He has also been linked to the famous Time Travel Spammer, Robert Todino.

In 2004 AOL was awarded a $12.8 million judgment against Hawke for sending unwanted emails to its subscribers. His current whereabouts are unknown.

Richard Colbert

After searching AOL profiles for keywords like multilevel marketing or business opportunity this Miami based “businessman” would spam the profiles he found to advertise his spam business charging around $900 for one million addresses. In a 2003 interview, Colbert claimed that because he honored unsubscribe requests he was a legitimate marketer.

Colbert retired from spamming in 2003 and was removed from the Spamhaus Project’s list of prolific spammers.

Eddie Davidson

Davidson was an active spammer between the years 2002 to 2007 under the business name Power Promoters. His company, along with several sub-contractors, would advertise the usual gambit of merchandise and pharmaceutical until he was indicted in 2007 for violating the CAN-SPAM Act.

Spam, however, turned out to be the least damaging of his crimes.

After serving a portion of his 21 month sentence and paying over $700,000 in restitution, Davidson was released from prison only to be found dead along with his three year old daughter and wife in a murder-suicide. His 16 year old daughter was also found shot but survived. His 7 month old son was the only member of the family that was left unharmed.

Laurence Canter and Martha Siegel

A modern day Bonnie and Clyde, these two lawyers posted the first massive commercial Usenet spam in 1994. Their Green Card lottery scam came shortly after the National Science Foundation lifted the ban on commercialization on the Internet.

The two went on to advertise their craft both spamming for hire and with a book titled How to Make a Fortune on the Information Superhighway: Everyone’s Guerrilla Guide to Marketing on the Internet and Other On-line Services.

In 1997 Canter was disbarred by the Tennessee Supreme Court for his participation in illegal advertising practices.

Bonus – Gary Thuerk

Gary earns the honor of the “Father of Spam” since he is the one who sent out the first unsolicited mass emailing back in 1978. His target, 600 ARPANet members. Yet while he really didn’t do too much damage compared to some of the others, he did pave the way.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Five Infamous Spammers You May Have Forgotten About

With all the focus on deliberate hacks and the sheer amount of data that’s being released into the cloud, spammers must feel like their lives are getting easier, what with the news media focusing on the former and law enforcement agencies scrambling to lock their virtual doors and windows from the likes of Anonymous and LulzSec. True, the art of spamming suffered a major blow earlier this year with the takedown of Rustock; but when the U.S. declared war on hackers a few weeks back, it was easy to forget the junk that infests our inboxes and focus on the ‘other show’ – cyber hacking.

Spam may not be as splashy and headline-driven as cyber attacks but it can be just as devastating. In a time when it really hasn’t gone away – other bots have taken up the standard since the death of Rustock – we decided to consider the main reasons why spam, as detestable and irritating as it is, is not going away.

The Art of the Scam is as Old as Time

Sometimes it’s easy to think that spam is a new concept, given rise by the enabling technology of the Internet. In fact, the con is as old as society itself. In the old days (i.e., pre-Internet), the scammer was the confidence man, the hustler, the snake oil charmer, the grifter. There is even a certain romantic notion about these types, glorified in Hollywood movies like The Freshman, The Sting and Paper Moon. For good reason, too. There’s always been a certain guilty pleasure in rooting for the scoundrel. In literature, this character is known as the antihero, the protagonist who doesn’t deserve to be liked. Think Sam Spade or Dirty Harry.

In fact, if the Internet has done anything, it’s made the scam – something regarded as an art form in some circles – available to nonprofessional scammers. All the Internet has managed to do is help spread the infection and empower the scammers to take their show on the road, even if they’re horrible at it.

Greed Is Good

A phrase immortalized by the fictional Gordon Gecko in Wall Street, “Greed is good” has a certain ring of truth to it when one thinks about the opportunities the Internet gives us. New forms of commerce have exploded in the information age. Industries have sprouted and billions have been made, all thanks to the Internet. One has to look no further than Google or Facebook to see how profoundly the Internet has changed the world’s economy.

So why is it wrong for spammers to get in on the greed? Because obviously, most of us were brought up to understand that one does an honest day’s work for an honest day’s pay. There’s nothing honest about bilking people out of their life savings.

Intelligence is a Rare Commodity

Let’s face it: spam often comes in the forms of ill-conceived schemes and ridiculous grammar. The quality in these schemes is distressingly mediocre. ‘Distressing’ because it baffles the mind how people can still be scammed when the collective IQs of the schemers appear somewhere on the scale between rocks and lichen. But this is good news. After all, if the sum of all the cheap drugs, phishing scams and scareware schemes were finessed, elaborate and effective, perhaps the U.S. would be declaring war on the spammers instead of the hackers.

It’s not just the poor writing, however. It’s also the ludicrous scenarios that these guys are selling. Let’s take a look at some passages from actual spam:

• Microsoft Corporation wish to notify all online customers as we celebrates the 35th year anniversary 2011;
• But if you do not remember me, you might have receive an email from me in the past regarding a multi-million-dollar business proposal which we never concluded.
• This is not a deception or anything related to scam because I do not need you to send me money.I will like to know you well enough.

We’ve all seen it, time and again. So much so that the head shaking stops and we become desensitized. But the sad news remains that people are being scammed.

It Will Always Be Easier to Break Something than to Make Something

No matter how much attention is given to spam schemes, phishing scams and scareware tactics, the spammers are always going to be more effective, since it’s easier to break something than it is to make something. Like hackers, they always find a way. When Rustock was taken down, it wasn’t long before Bagle and other botnets took up the slack.

And spammers are getting more resourceful. On June 16, Microsoft announced the results of a survey which stated that 22% of respondents had received a spear phishing phone call from someone pretending to represent Microsoft in an attempt to gain access to the person’s computer and or credit card number. This story hits home a bit, since this writer received such a phone call last week.

It Works

Perhaps the most compelling reason why spam isn’t going away is that it works. In the Microsoft phishing scheme mentioned above, of the 22% of respondents who reported receiving the call, 3% were scammed (not this writer – the fake Microsoft caller was quickly dispatched). But if you doubt that these guys are making money, look no further than this story from the Mail Online, which reports that spammers using text messages to find accident victims and redirect them to law firms are raking in £175 million a year.

Guess it works.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Reasons Why Spam Isn’t Going Away

New Zealand’s Anti-Spam Law Being Surveyed

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10734862

Travelodge Apologies for Data Theft Related Spam

http://www.infosecurity-magazine.com/view/18938/travelodge-uk-confirms-no-financial-data-has-been-breached/

Japan Bans Spam

http://www.dailymail.co.uk/news/article-2005891/Japan-passes-law-viruses-spam-emails-carrying-years-jail-time.html

Researchers Crack Audio CAPTCHA

http://www.geekosystem.com/audio-captchas-defeated/

FBI Shuts Down Coreflood Botnet

http://www.computerworld.com/s/article/9217883/Feds_claim_victory_over_Coreflood_botnet?taxonomyId=17

Have a story you’d like to share or have something to say about one of the ones we’ve listed? Leave a comment – we’d love to hear it!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam News Roundup