2009, The Year in Spam

Written by Paul Cunningham on December 31, 2009

It has been a big year for the internet, with social networks continuing to grow at an amazing pace, search engines scrambling to keep up with user demand for fresh news, and, as always, spam and malware causing havoc around the world.

A look at the year’s major spam events shows some consistent trends.

  • Seasonal spam such as Valentine’s Day and Christmas remains predictable
  • Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
  • Spam networks are becoming more distributed and resistant to shutdown attempts
  • Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
  • Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering

Here is a look at some of these major events throughout the year.

January

Scams promising free money from US government grants attempt to exploit the news of corporate bailouts and the increase in unemployment.

Fake CNN news alerts take advantage of a clash between Israel and Hamas.

Global spam volume begins returning to normal levels after the McColo shutdown of November 2008.

The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he resigned, in an attempt to trick users into downloading malware.

Spammers also get a head start on Valentine’s Day with malware-carrying love letters.

February

Human error at Google marked the entire internet unsafe (is it really that far from the truth?).

The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.

Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.

March

Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.

New Malware Attack Infects Nearly 300,000 Sites

Written by Sue Walsh on December 24, 2009

A security researcher recently discovered a new malware attack that has poisoned nearly 300,000 websites. The SQL attacks began last month and use a hidden iframe to redirect visitors to a malicious site that is programmed to look for and exploit known vulnerabilities in several different applications, including Adobe Flash, ActiveX, IE, and several other Microsoft products. If a vulnerability is found, a rootkit called Backdoor.Win3.Buzus.croo is installed. This malware steals banking information and likely downloads even more malware to the infected system. It’s believed to be related to the Rustock botnet.
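Site owners can catch the injection described above by scanning their own pages for iframes that are both hidden (zero-size or styled invisible) and point at a host other than the site’s own. The following is an added example, not code from the article or the researcher; the sample page and the host names in it are constructed.

```python
# Added example: flag hidden iframes that load content from a foreign host.
# Uses only the standard library; sample HTML below is constructed for the demo.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero/one-pixel dimensions or an invisible inline style are the usual tells."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or bool(HIDDEN_STYLE.search(attrs.get("style", "")))
            or "hidden" in attrs)


def find_suspicious_iframes(html, own_host):
    """Return (src, reason) for each hidden iframe whose src is on another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != own_host and _is_hidden(attrs):
            hits.append((src, "hidden iframe to foreign host"))
    return hits


# Constructed sample: one legitimate embed plus one injected invisible iframe.
SAMPLE = """<html><body><h1>Shop</h1>
<iframe src="https://www.example-shop.test/video" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE, "www.example-shop.test"):
        print(reason, src)
```

Run it over a crawl of your own site after any suspected injection; a visible, normal-sized embed of your own content is left alone, while the zero-size foreign iframe is reported.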

Rustock, along with Cutwail, Zeus and Mega-D, controls over 5 million computers and sends out billions of spam messages. The shutdowns of the cybercrime-friendly ISPs McColo and Real Host have done little to stop them; in fact, current spam levels have exceeded pre-McColo ones. Experts say botnet herders no longer rely on a single ISP or domain, so that if a shutdown happens they will be back up in hours instead of weeks or months.

Experts say those with properly updated and patched systems are in no danger so make sure all your users are protected.

New Spear Phishing Attack Targets PR Firms and Lawyers

Written by Sue Walsh on December 1, 2009

The FBI has issued a warning about a new phishing attack targeting PR firms and lawyers. The messages carry business-specific subject lines designed to trick the recipient into thinking the message is legitimate. The body of the message contains either a malicious link or an attachment that, when clicked, downloads a file called “srhost.exe” from a site called d.ueopen.xom (URL purposely mistyped to avoid accidental clicks). The FBI is warning IT departments to block any traffic to ueopen, a domain registered in China, as such traffic is a definite sign that their network has been compromised.
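The blocking advice above translates into a simple log check: flag any proxy request to the named domain (or a subdomain of it) and any download of the named executable from elsewhere. This is an added example, not part of the FBI warning or the article; the log format and the lines in it are constructed, and since the page deliberately withholds the real TLD, the domain uses a placeholder `.example` suffix.

```python
# Added example: scan proxy log lines for the indicators named in the warning.
# Log format (constructed for this demo): timestamp client status bytes method url
import re
from urllib.parse import urlparse

BLOCKED_DOMAINS = {"ueopen.example"}   # placeholder TLD; the real one is not on the page
BLOCKED_FILES = {"srhost.exe"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def domain_blocked(host):
    """True for the blocked domain itself and for any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan_proxy_log(lines):
    """Return (client, url, reason) for every request that matches an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        url = m.group("url")
        # CONNECT requests log "host:port" without a scheme; normalise before parsing.
        parts = urlparse(url if "://" in url else "http://" + url)
        host = parts.hostname or ""
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if domain_blocked(host):
            alerts.append((m.group("client"), url, "blocked domain"))
        elif filename in BLOCKED_FILES:
            alerts.append((m.group("client"), url, "blocked executable"))
    return alerts


# Constructed sample lines: one benign request, two hits on the domain, one on the file.
SAMPLE_LOG = [
    "1259625600.123 10.0.0.5 TCP_MISS/200 512 GET http://www.example.test/index.html",
    "1259625601.456 10.0.0.7 TCP_MISS/200 81920 GET http://d.ueopen.example/srhost.exe",
    "1259625602.789 10.0.0.9 TCP_MISS/200 4096 GET http://cdn.other.test/files/srhost.exe",
    "1259625603.000 10.0.0.7 TCP_TUNNEL/200 0 CONNECT d.ueopen.example:443",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason}: {url}")
```

A hit on the domain is the compromise signal the FBI describes; a hit on the file name alone is weaker evidence and worth a look at the client rather than an automatic block.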

Security experts say attacks against legal agencies are increasing due to the large amount of personal and financial information they possess. Such personal data is highly sought after on the underground cybercrime market and can be used or sold for a handsome profit.

This latest warning came as the Government Accountability Office released a report saying that cyberattacks against the U.S. are rising sharply and that as a result of the increasing connections between the Internet and information systems, hackers are being presented with more and more opportunities to do things like disrupt telephone service or the power grid. The GAO says it is critical that the U.S. do more to protect its infrastructure and critical services and increase its level of cyber security.

We Have Not Won The War On Spam

Written by Paul Cunningham on November 20, 2009

I came across an article today, written last week, that proclaimed “We won the war on spam”. The general thrust of the article is that “despite continued hysteria, unwanted e-mail is largely a thing of the past”.

This is an interesting point of view which I happen to disagree with, but in thinking further I realize that this is mostly a matter of perspective – business vs personal, or big vs small.

The writer, Mark Gimein, approaches the matter from his own personal experience.  Mark has a slightly more complex email setup than the average person – a series of email addresses for various purposes all forwarding into a Gmail account.  In Mark’s experience spam has all but vanished from his inbox, although a few false negatives remain.

I’m not disputing Mark’s account; I don’t see very much spam slip through the filters into my inbox either. But the war on spam is most definitely not won. Mark hints at what I’m about to say with this paragraph in his article:

Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.

For an email user in a business, what goes on under the hood shouldn’t concern them, but it most certainly concerns the business. Businesses spend thousands of dollars each year protecting their email systems from spam and malware. This is not a trivial expense, and in itself it stands as solid proof that the war on spam is far from over.

Identity theft is the real thing

Written by Dan Blacharski on November 6, 2009

Last week, a Wall Street Journal article entitled “The fallacy of identity theft” may have given some people the mistaken impression that there’s nothing to worry about and that everyone’s identities are safe. Unfortunately, that’s not quite the case, and yes, you do need to be paranoid about it. It’s the real deal, and identity thieves can, and regularly do, steal people’s identities and wreak havoc on their lives.

The article starts out by deconstructing the term “identity theft”, which makes it seem less dangerous than it really is, and states that “identity theft” doesn’t steal anybody’s true identity, or the personhood that makes them who they are. When you are a victim of this crime, you remain you, but that’s only a small consolation when a stranger is charging up luxury cruises and fur coats on your credit card. It’s a semantic bit of theory that was actually played out on the “Family Guy” cartoon when actor James Woods stole the identity of cartoon character Peter Griffin, to the point of moving into Peter’s home, sitting at his dinner table and sleeping in his bed. It was a funny episode, but of course that’s not what identity theft really is.

The article comments about how experts “hounded” people into shredding bank statements and being vigilant about monitoring credit reports, but the fact is, doing so really is a good idea. It’s not a conspiracy by manufacturers of shredding machines, or of companies offering various fee-based monitoring and protection services. And here’s the real kicker, at the end of the article: “It turns out that ‘identity theft’ is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money—but your soul. Maybe it’s time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don’t need.”

Advice like this is what lulls people into a false sense of security and prevents them from taking the precautions that they need to take. Is it a fear campaign? To a degree, yes, it is. But it’s based on fear of something very real. So there is reason to be afraid and one must take the necessary steps to protect oneself – because you could be a victim.

New Malware Covers Its Tracks By Altering Bank Statements

Written by Sue Walsh on October 26, 2009

A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve: it can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter the page’s HTML before it is displayed. This lets it rewrite bank statements to hide the fraudulent activity underway, which buys the scammers more time to clean out the account.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” says Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan. “It’s a very sophisticated technique. They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there. If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

The money is then sent to money mules who were tricked into doing the scammers’ dirty work. Most fell for fake job-posting spam advertising a lucrative work-at-home position and have no idea that they are being scammed too.

URLZone is controlled by a server in Ukraine. While officials there announced they had suspended its domain, count on it simply finding a new home. As we saw after the McColo shutdown last year, it doesn’t take long at all for hackers and scammers to set up shop somewhere else. Finjan says the URLZone operation could easily make over $7 million a year.

Outlook Web Access Users Hit With Trojan

Written by Sue Walsh on October 19, 2009

A new spam campaign is targeting Outlook Web Access users with the goal of distributing a nasty Trojan. The messages are slick and professional-looking and tell the recipient that they need to update their mail settings by clicking on the included link. The link leads to a very well made, but fake, Outlook Web Access site. Those who proceed, believing they are downloading the new settings, download the Zeus Trojan instead.

Zeus lurks on the victim’s hard drive, doing nothing, until the infected computer visits a page related to financial matters, such as a brokerage firm, online banking, PayPal, or a credit card account page. A keylogger is activated when such a page is detected and the login details are stolen. The Trojan can also hijack a browser and redirect the user to a fake version of a bank’s web page. These so-called “man in the browser” attacks are hard to detect.

“This attack illustrates how organized internet crime syndicates are expanding their focus from consumers to enterprises, by targeting employees with credentials to access high value banking, financial, and other web-based applications,” said Mickey Boodaei, CEO of Trusteer. “The level of personalization used in these Phishing messages and the fact that they appear to be coming from the company’s IT department makes this attack very convincing and by extension very dangerous. We are urging enterprises to warn their employees and lock down browser settings to prevent unauthorized code execution inside the browser.”

Experts say that the hackers behind Zeus are targeting corporate users because business accounts tend to have much higher balances than consumer ones. The malicious sites linked to in the spam messages are located all over the world, in places like Romania, Russia, Colombia, and Hungary, and so far Zeus is not being detected by many anti-virus programs.

Media overloads with fishing analogies in Operation Phish Phry reports

Written by Dan Blacharski on October 13, 2009

The FBI, depending on the news story you read, either “netted,” “snared,” “hooked,” “reeled in” or “lured” a huge number of cybercriminals in a massive phishing investigation. We’ll resist the temptation to add to the trend by referring to the FBI as “fishing for phishers,” although we may reserve the right to wonder aloud at “the one that got away.”

This week, the FBI announced that a multinational investigation, conducted both in the US and Egypt, resulted in 53 defendants being indicted in the US, and 47 more charged in Egypt, for an even hundred, which according to Computerworld, is the largest number of people ever charged with the same cybercrime. Looks like they “bagged their limit.” Of the 53 US defendants, 33 have already been arrested.

Info Stolen From Millions of Phishing Victims For Sale

Written by Sue Walsh on July 20, 2009

The personal information of at least 4 million Britons and a whopping 40 million others, most of whom are Americans, is being bought and sold online. This includes usernames and passwords, credit card details, bank account numbers and more. Most of the information was gathered from individuals who fell for phishing schemes. As a result, over 250,000 bank and credit card accounts have been broken into by the cybercriminals behind the scams.

The information is bought and sold on forums and websites that cater to the booming underground economy of cybercrime. Along with consumer details, corporate FTP and email usernames and passwords are also offered for sale.

“I’m concerned, but I’m not surprised in the least,” said Mikko Hyppönen, chief research officer at F-Secure, the computer security experts. “We’ve seen this going on for quite a while. There’s a mind-boggling amount of information that’s being sold on the underground forums.”

A British company has managed to intercept the data and has compiled it into one central database. The company’s owner, Colin Holder, says he plans to charge individuals for access to it to check whether their info has been stolen. The ethics of such a plan are being debated as is whether Holder’s database itself is legal.

The $700 ‘All You Can Spam’ Special

Written by Sue Walsh on May 13, 2009

A growing number of web hosting services in China have begun offering anyone willing to pay roughly $700 the ability to send an unlimited amount of spam. It’s called “bulletproof hosting”, and it was originally meant to allow users more freedom in the types of files they could upload, but these days it is used mostly by spammers, porn sites and online gambling services.

China’s government has begun cracking down on porn sites and online gambling services located within the country, so these hosts have begun offering their services internationally, and they aren’t beating around the bush. Here’s an excerpt from one host’s website:

“Your web hosting provider will shut down your web site within days or even sooner, if they find out you are sending bulk emails and directing people to your site on their server. Bullet-Proof Web Hosting helps you to direct customers to your web site, and you won’t have to worry about being shut down because of spam complaints.”

They’ve even begun hosting domain names; in fact, more than 22,000 spam-sending domains were traced back to six bulletproof computers in China, and since these domains are behind bulletproof hosting, take-down requests are simply ignored. The Waledac Trojan calls some of these protected domains home.

There is little that can be done about the problem until China decides to go after them under its tough new cybercrime laws, but it could be a very long time before that happens.