<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; email security</title>
	<atom:link href="http://www.allspammedup.com/tag/email-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Mon, 06 Feb 2012 15:00:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Please Sir, May I Have Some More? When Spam is Not Spam</title>
		<link>http://www.allspammedup.com/2011/09/please-sir-may-i-have-some-more-when-spam-is-not-spam/</link>
		<comments>http://www.allspammedup.com/2011/09/please-sir-may-i-have-some-more-when-spam-is-not-spam/#comments</comments>
		<pubDate>Fri, 16 Sep 2011 16:00:23 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5567</guid>
		<description><![CDATA[It may bother you, and it may incite you to fits of rage. It may make you want to escape to a log cabin in the woods. It may even compel you to change careers and become a spam bounty &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/09/please-sir-may-i-have-some-more-when-spam-is-not-spam/">Please Sir, May I Have Some More? When Spam is Not Spam</a></p>
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/09/Oliver-Twist.jpg"><img class="alignright size-full wp-image-5570" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/09/Oliver-Twist.jpg" alt="" width="386" height="349" /></a>It may bother you, and it may incite you to fits of rage. It may make you want to escape to a log cabin in the woods. It may even compel you to change careers and become a spam bounty hunter who tracks down spammers and eradicates them like the insects they are. But if you think you know spam, think again. Simply put, you asked for it. In this article, we take a look at how many bona fide organizations suggest that you take it and like it, and we might even reveal how you asked for it.<span id="more-5567"></span></strong></p>
<p>It can be argued that spam should be categorized into levels or degrees. Clearly, that message you received yesterday – you know, the one that read, <em>“Dear, If I may have a moment of your precious time to consider this most tremendous offer of the utmost importance…”</em> blah, blah, blah, kill me now, I can’t take it anymore. – is spam, plain and simple. No gray area there. How you got it is anyone’s guess, but if you’re anything like me, you take a few precautions:</p>
<ul>
<li><strong>So Many email Addies, so Little Time</strong> – Multiple email addresses are the ultimate preventative medicine against those pesky little spammers.</li>
<li><strong>When Good Credit Cards go Bad, Put Them out of Their Misery</strong> – I have a specific card I use for online transactions, and it’s the only time that specific card comes out.</li>
<li><strong>Opt-Out Often</strong> – While it seems like common sense, don’t click those checkboxes which ask you to opt-in for regular emails, and don’t ever opt-in for third party offers.</li>
<li><strong>Just One More Cookie? No!</strong> – Again common sense, but most people don’t think about tweaking their browser’s cookie settings. Job number one is to block third party cookies, and if sites refuse to let you operate fully without them, then just say no to the site.</li>
</ul>
<p>If you’re not doing these things, and other methods to reduce the risk, you’re partially to blame.</p>
<p><strong>When Spam is Not Spam</strong></p>
<p>Unfortunately, protecting your online presence is a battle that’s fought on different fronts, and your browser isn’t the only spam source you have to worry about. For example, I recently changed phone carriers and, within days of having the new phone number, the marketing calls started coming. Now, selling information is a necessary evil of doing business in the modern world, and we aren’t given a choice when we sign up for a service – it’s in the fine print and you can’t circumvent it. That’s why there’s something called call display.</p>
<p>But, when those calls evolve from spam into malicious activity, you have to wonder how a credible company like a major phone carrier can recklessly sell your information to people who wish to do you harm. Such was the case when I was targeted at least three times by the now-infamous <a href="http://www.allspammedup.com/2011/06/microsoft-warns-of-telephone-phishing-scam/">Microsoft phishing scam</a>. Really, phone company? It’s not enough that you bilk me for outrageous sums of money every month?</p>
<p>When is spam not spam? When we ask for it, and every time you sign on the dotted line, you’re at least partially responsible. Phone companies, banks, credit card companies, cable companies, insurance companies &#8211; the list goes on; companies that you have no choice but to deal with, if you want that HiDef PVR, that loan, or that legally-required car insurance. Unfortunately, there’s not a darned thing you can do about it.</p>
<p><strong>Love for Sale</strong></p>
<p>A few years back, an acquaintance of mine bragged that he was responsible for seventy percent of the spam emails being sent in North America. Now, knowing this acquaintance the way I do, I took his boast with a teaspoon of salt; but he did point out that the ‘spam’ activities he referred to are known in his industry as ‘qualified lead generation’ &#8211; a nice way to say that people opted-in and have asked for a perfectly legal heaping helping of spam.</p>
<p>Of the many activities this acquaintance partakes in, he owns a singles&#8217; dating website. He boasted that he has a ‘qualified’ database that numbers in the hundreds of millions of users who have at one point or another given their name, age, gender, email address, credit card number… you get the point, right?</p>
<p>Since he has the biggest and most expensive home in the city, I’d say the love business is paying off in all sorts of ways.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/09/please-sir-may-i-have-some-more-when-spam-is-not-spam/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Data Insecurity: Why We Fail to Protect Our Information</title>
		<link>http://www.allspammedup.com/2011/07/data-insecurity-why-we-fail-to-protect-our-information/</link>
		<comments>http://www.allspammedup.com/2011/07/data-insecurity-why-we-fail-to-protect-our-information/#comments</comments>
		<pubDate>Tue, 19 Jul 2011 17:00:11 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4965</guid>
		<description><![CDATA[It seems that every week a new company, organization or government agency has become the poster child for what not to do when protecting valuable data. This week alone, the U.S. Government announced that one of its biggest defense contractors &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/07/Dilbert_data_security.jpg"><img class="alignright size-medium wp-image-4970" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/Dilbert_data_security-400x354.jpg" alt="" width="400" height="354" /></a>It seems that every week a new company, organization or government agency has become the poster child for what not to do when protecting valuable data. This week alone, the <a href="http://www.reuters.com/article/2011/07/14/us-usa-defense-cybersecurity-idUSTRE76D6Y820110714">U.S. Government announced</a> that one of its biggest defense contractors lost 24,000 files in an attack by a foreign intelligence service.  The defense company wasn’t named, nor was the foreign intelligence service, but we do know that Lockheed Martin <a href="http://www.allspammedup.com/2011/06/lockheed-martin-latest-to-succumb-to-%E2%80%9Csignificant%E2%80%9D-cyber-attack/">was compromised</a> in June.<span id="more-4965"></span></p>
<blockquote><p>&#8220;It was 24,000 files, which is a lot,&#8221; Deputy Secretary of Defense William Lynn said. &#8220;But I don&#8217;t think it&#8217;s the largest we&#8217;ve seen.&#8221; When asked if he knew who was responsible for the attack, Lynn responded, &#8220;We have a pretty good idea,&#8221; and some pundits are <a target="_blank" href="http://www.circleid.com/posts/20110714_pentagon_reveals_largest_ever_loss_of_defense_data_in_cyberattack/">pointing the finger</a> at China as the villain in this cyber drama.</p></blockquote>
<p>In another example, more than 80,000 residents of the Durham Region of Ontario, Canada are <a target="_blank" href="http://www.durhamregion.com/news/article/177663?mkt_tok=3RkMMJWWfF9wsRonuqrBZKXonjHpfsX6%2FbF8APvv3Mga3E5XdrGeaRepm8ZTLIA3Y%2BCGXAAcHJNqzQ1LDuWHb4VD7%2BdUH1g%3D">suing the Region</a> in a $40 million class action that accuses the Region Health Authority of losing a USB key that contained personal information for people vaccinated against the H1N1 flu virus. In that case, a public health nurse lost the key in a parking lot. Also on the healthcare front, a former patient of a cancer treatment center in St. Louis, Missouri is <a target="_blank" href="http://www.courthousenews.com/2011/07/01/37838.htm?utm_medium=twitter&amp;utm_source=twitterfeed">suing the hospital</a> for the loss of her confidential information when a laptop “stuffed” with patient information was stolen. The problem? The information on the laptop was unencrypted.</p>
<p>One more example: unless you’ve been vacationing on Mars for the past few months, you’ve probably heard a lot about a little matter known as the <a target="_blank" href="http://www.allspammedup.com/2011/05/psn-security-breach-gaming-not-so-fun-anymore-a-warning-to-others/">Sony PSN breach</a>. The highly-publicized outage of the PlayStation Network became a bit of a joke, especially since it seems that much of the compromised data was <a href="http://www.cbc.ca/news/world/story/2011/06/03/sony-2nd-data-breach.html">unencrypted</a>. Sony was quick to counter that the credit card information was secure, but they were also quick to insist (it wasn’t optional) that all users change their passwords once the network was brought back up. CBC news quoted a security expert as saying that:</p>
<blockquote><p>&#8220;any website worth its salt these days should be built to withstand such attacks.&#8221;</p></blockquote>
<p><strong>The Human Factor</strong></p>
<p>See a pattern here? If not, let’s spell it out: Mr. Lynn of the Department of Defense states, “I don’t think it’s the largest we’ve seen”; the public health nurse from Durham Region lost a USB key in a parking lot; the stolen laptop in St. Louis contained confidential information that wasn’t encrypted; and data on more than 100 million Sony PSN users was unencrypted.</p>
<p>There are two parallel issues here. The first one is easy: a lack of proactive planning. The security expert quoted in the CBC article is correct. How could a defense contractor which builds weapon systems and other military hardware for the United States allow itself to be breached, especially since the Defense Department admitted to knowing that it’s happened before? How could Sony compromise the data of 100 million users and lose hundreds of millions of dollars in the ensuing cleanup? The answer isn’t complicated. People didn’t do their jobs. Now, it might be tempting to argue that a <a target="_blank" href="http://www.informationweek.com/news/security/attacks/231001175">group of hackers, aged 15 to 28</a>, know far more, and have more in the way of resources, than the largest military power in the world, and one of the globe&#8217;s leading technology firms. In case you missed it, that was sarcasm.</p>
<p>It’s the human factor. Look no further than the second parallel issue: a nurse who dropped a USB key, and a misplaced laptop loaded with unencrypted information on cancer patients. No matter how you look at these stories, the dominating factor is basic human error.</p>
<p><strong>Planning, Training and Vigilance</strong></p>
<p>Information is the lifeblood of any organization, but people are the body which makes the blood flow. Take spam, for example. Spam is dangerous, but not always for the reasons you think. Any IT technician is smart enough to detect spam and give it what it deserves – an unceremonious trip to the trash can. In fact, most educated people, IT professionals or not, can recognize spam for what it is: ridiculous, ill-conceived and at times, mind-numbingly stupid. However, while organizations spend tremendous amounts of money on technology, it’s distressing that they spend little educating the people who use the technology.</p>
<p>A few years back, I worked for a government agency that employed thousands of people. Every day, I received hundreds of emails and a substantial number of those were ‘social spam’ – messages sent by coworkers peddling a funny joke, an interesting video, or a pithy piece of pseudo-wisdom. In fact, the task of cleaning up the social junk often represented a chunk of my time, detracting from doing what I was there to do – what I was paid to do. A week didn’t go by where I didn’t pull the IS manager aside and suggest that she convene a training session to educate the employees on the dangers of social spam. Those requests were met in the form of an agency-wide email and nothing more.</p>
<p>Most organizations have the planning part down, but they don’t seem to be able to educate their organizational structure. They don’t teach vigilance – some call it paranoia – the way IT people know vigilance, and that’s why data protection is so tenuous.</p>
<p>The fear is constant: the people who engage in social spam – you know the type, because they adopt similar practices on Facebook and Twitter – are the ones who will click an errant link, succumb to a phishing scam, lose a USB key, leave a laptop with patient data lying around, and yes, even fail to protect U.S. military documents from foreign countries. So before you go to sleep tonight, ask yourself this: can you sleep with confidence, knowing that every person in your organization – every person who has access to a PC – has your back? Ask yourself if they know enough to recognize a phishing site or a spam email when they see it.</p>
<p>And then strenuously lobby your senior management for rigorous training policies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/data-insecurity-why-we-fail-to-protect-our-information/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Spam Reduced, Targeted Attacks on the Rise: Cisco</title>
		<link>http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/</link>
		<comments>http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/#comments</comments>
		<pubDate>Thu, 07 Jul 2011 14:00:13 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[Rustock]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spam emails]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4764</guid>
		<description><![CDATA[Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/phishing-sml.jpg"><img class="alignright size-full wp-image-4769" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/phishing-sml.jpg" alt="" width="330" height="286" /></a>Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking down the likes of Rustock and other botnets.</strong></p>
<p>If email spam is a recurring nightmare from which you cannot seem to wake, read on. At the half year mark of 2011, some seemingly good news has poked its head over the horizon, with the promise of a brighter future. Unfortunately, the news isn’t all good; in fact, like spammers, it’s a little deceiving.<span id="more-4764"></span></p>
<p>According to a new (June 2011) report published by Cisco Security Intelligence Operations (SIO) entitled “<a target="_blank" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf">Email Attacks: This Time It’s Personal</a>,” cybercriminals are dumping the ‘throw it against the wall and see if it sticks’ approach of indiscriminate spam, so much so that Cisco reports that the “annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half.” The report goes on to state that the volume of overall random spam in the past year has declined by more than 80 percent, a figure that sounds a little on the high side, but no one can deny that spam volumes have <a href="http://www.allspammedup.com/2011/04/spam-reduced-by-more-than-a-third-since-rustock-takedown-bagle-and-others-step-in-to-fill-the-void/">dipped</a> since the Rustock Botnet takedown in March.</p>
<p>Cisco SIO reports that the financial impact of this decline is significant.</p>
<blockquote><p>“Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.”  </p></blockquote>
<p>The direct impact of spam emails is even greater, down from 300 billion spam messages a day in June 2010 to 40 billion a day in June 2011.</p>
<p>Generally speaking, people continue to be smart enough to recognize a scam when they see one, but interestingly enough, those who aren’t are getting taken for more money. Cisco SIO reports that the average user continues to be smart enough not to click that link, resulting in low user conversion rates (the number of people who actually end up getting fleeced), but that this figure “is partially offset by increases in the average user spending on conversions.” Cisco SIO attributes this increase to spam artists using personalization tools, better-crafted scams and more effective malicious attacks, and reports that the level of personal information being divulged has resulted in larger paydays for the scammers.</p>
<p>So how much does an errant click cost? $250, according to the report. Cisco SIO explains the methodology used in arriving at this figure:</p>
<blockquote><p>“This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient.”</p></blockquote>
<p>Now for the bad news:  even though random email spam has experienced a large decline, the amount of money being made by the scammers has quadrupled. Using the estimates explained above, Cisco SIO reports that “scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.”</p>
<p><strong>Oh, the irony!</strong></p>
<p>In what feels like a ‘why did they <a target="_blank" href="http://outrage.typepad.com/crisisanalysis/2011/02/rsa-2011-winning-the-war-but-losing-our-soul-threatpost.html">kick the hornets’ nest?</a>’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.” The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.”</p>
<p>Oh, the humanity! If what this report states is true (and it sure sounds about right), then by deposing the former ruler – the incessant glut of email-pushing online pharmacies, instant university degrees, Internet casinos, and secret fortunes waiting to be smuggled out of some foreign country – in its place the law enforcement community has established a new despot: the smarter, more focused scammer!</p>
<p><strong>Evolutionary Change and Survival of the Craftiest</strong></p>
<p>In fact, Cisco SIO reports:</p>
<blockquote><p>“as part of the evolution of the criminal ecosystem, [the growing number of scams and malicious] attacks are becoming highly focused.”</p></blockquote>
<p>Scammers are taking greater care in their approach as they carry out schemes designed to rob people of their hard-earned Benjamins. They’re taking to other means – such as <a href="http://www.allspammedup.com/2011/06/sms-spam-on-the-rise-in-the-uk/">SMS</a>, social media like <a href="http://www.allspammedup.com/2011/05/facebook-spam-prevention-scam-propagates-hackers-rejoice/">Facebook</a>, <a href="http://www.allspammedup.com/2011/04/twitter-spam-scams-increasing-in-frequency-complexity/">Twitter</a> and <a href="http://www.allspammedup.com/2011/05/tumblr-succumbs-to-chain-spam-scam-crayon-makers-cheer/">Tumblr</a>, the tried-and-true <a href="http://www.allspammedup.com/2011/06/microsoft-warns-of-telephone-phishing-scam/">telephone scam</a>, and even  <a href="http://www.allspammedup.com/2011/06/spammers-turning-to-kindle-books/">eBook readers</a> – and they “are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position.” Examples of these scams, Cisco SIO reports, are:</p>
<ul>
<li>SMS financial fraud scams to specific locales</li>
<li>Email campaigns that use URL shortening services</li>
<li>Social media scams, where the criminal befriends a user or group of users for financial gain</li>
</ul>
<p>Spearphishing is on the rise and has experienced its own evolution, Cisco SIO states:</p>
<blockquote><p>“Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content.”</p></blockquote>
<p>If the cyber scammers are getting smarter, then it’s imperative that we, too, evolve. Cyber criminals made $150 million this year from spear phishing, according to Cisco, and that kind of return on investment speaks for itself. Spam <a href="http://www.allspammedup.com/2011/07/5-reasons-why-spam-isnt-going-away-2/">won’t go away</a>, ever. But like a nasty super virus that evolves and mutates into an antibiotic-resistant strain, spam marches on, even if it’s only to the beat of a new drum.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The rise of state-sponsored spear phishing and why it matters to you</title>
		<link>http://www.allspammedup.com/2011/06/the-rise-of-state-sponsored-spear-phishing-and-why-it-matters-to-you/</link>
		<comments>http://www.allspammedup.com/2011/06/the-rise-of-state-sponsored-spear-phishing-and-why-it-matters-to-you/#comments</comments>
		<pubDate>Fri, 17 Jun 2011 16:30:06 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4550</guid>
		<description><![CDATA[You must have heard about the data theft from the International Monetary Fund (IMF) by now, in which a &#8220;large quantity&#8221; of data was reported to have been pillaged.  While details are hardly forthcoming at this juncture &#8211; and who &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/06/Hacking.jpg"><img class="alignright size-full wp-image-4551" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/06/Hacking.jpg" alt="" width="250" height="250" /></a>You must have heard about the <a href="http://www.businessweek.com/news/2011-06-13/imf-state-backed-cyber-attack-follows-hacks-of-lab-g-20.html">data theft from the International Monetary Fund</a> (IMF) by now, in which a &#8220;large quantity&#8221; of data was reported to have been pillaged.  While details are hardly forthcoming at this juncture &#8211; and who honestly expects them to be &#8211; what is known is that malware was loaded onto at least one workstation on the IMF networks via spear phishing.<span id="more-4550"></span></p>
<p>As a quick refresher to those new to this blog, spear phishing involves the use of e-mails that are crafted so that they appear to be coming from colleagues or friends.  The idea behind it is simple: users are far more likely to open an attachment or click on a URL from an e-mail coming from a known party.  And the elegance of spear phishing from the attackers&#8217; point of view is how it takes only one successful message for their foray to succeed.  The stakes of a successful incursion are high indeed, if the &#8220;political dynamite&#8221; nature of the information <a target="_blank" href="http://www.eweek.com/c/a/Security/IMF-Breach-May-Be-StateSponsored-Spear-Phishing-Attack-526401/">stored within the IMF network</a> is any indication.</p>
<p>And before you are tempted to think that spear phishing can&#8217;t be that common an occurrence, I&#8217;ve highlighted <a href="http://www.allspammedup.com/2011/04/recent-cyber-crimes-involving-spear-phishing-and-emails/">4 Recent Cyber Crimes Involving Spear Phishing and Emails</a> just a few weeks ago on sophisticated attacks such as Operation Aurora and the widely-publicized RSA network breach.  My personal take: <a href="http://www.allspammedup.com/2011/04/6-reasons-why-spear-phishing-will-increase/">Spear phishing will only increase</a> in the months and years ahead.</p>
<p><strong>The shift from juvenile fun to profit and espionage</strong></p>
<p>I was reading news reports about the recent statements made by FBI director Robert Mueller, who gave his testimony as part of President Obama&#8217;s request to <a target="_blank" href="http://www.bloomberg.com/news/2011-06-08/fbi-will-focus-on-fighting-computer-hacking-mueller-says.html">extend Mueller&#8217;s term by two years</a>.</p>
<blockquote><p>In a nutshell, the FBI is working hard to ensure that &#8220;the personnel in the bureau have the equipment, the capability, the skill, the experience to address those [cyber] threats.&#8221;</p></blockquote>
<p>It seems inconceivable that some of the largest computer crimes that the agency is currently investigating include attempted hacks into the Gmail accounts of U.S. government officials and military personnel, and which are alleged by Google to originate from China.  What is clear however is that hacking has graduated from juvenile fun to a deadly serious game involving substantial profit or as part of state or industrial espionage.</p>
<p>It is also worth noting that hackers are resorting to the use of phishing techniques in order to open up the first cracks in the defenses of large and well-funded organizations.  In effect, the humble e-mail inbox has become a location that not only influences the relative productivity of employees, but is now seen as a comparatively weaker gateway into the core systems of corporate and government networks.</p>
<p><strong>How does it concern me?</strong></p>
<p>Businesses receive hundreds and thousands of e-mails on a daily basis and, in spite of automated systems and web platforms, e-mails continue to hold an important place in the conducting of business. Even when used against other companies, spear phishing erodes at and threatens to harm the trust placed in this important communication channel.</p>
<p>In addition, it is also unlikely that all the capabilities exhibited by the alleged state-sponsored hackers are developed internally.  There is essentially nothing to prevent these same tools from leaking into the larger hacker underground, or for these highly-skilled and trained professionals from leveraging their skills and tools for personal profit &#8211; at the expense of your company.</p>
<p><strong>Fighting spam as part of the solution</strong></p>
<p>The somber truth is that reducing spam will not solve the spear phishing problem.  However, it is not a task that is unnecessary either, since excessive spam lowers the guard of employees from actual spear phishing attempts that may be taking place.  It is undeniable too that the ability to correctly identify the authenticity of a message effectively filters out spear phishing attempts.</p>
<p>Not all is doom and gloom, however.  The news coverage and sheer scale and damage of recent spear phishing attacks are causing senior executives to recognize the threat that is trying to slip into the corporate Inbox.  Administrators and IT managers can harness this new awareness and expanded budget to take spam filtering and email management to the next level.</p>
<p>Has your company or yourself ever fallen prey to (or come across) a spear phishing attack?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/06/the-rise-of-state-sponsored-spear-phishing-and-why-it-matters-to-you/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Phishing Vulnerabilities Found in Mobile Web Browsers</title>
		<link>http://www.allspammedup.com/2011/06/phishing-vulnerabilities-found-in-mobile-web-browsers/</link>
		<comments>http://www.allspammedup.com/2011/06/phishing-vulnerabilities-found-in-mobile-web-browsers/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 08:34:14 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4372</guid>
		<description><![CDATA[Three researchers from the University of California decided to take a closer look at phishing techniques that scammers can enact on mobile platforms. The study examined the use of phishing websites designed with mobile platforms and gadgets in mind, outlining &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/06/iPhone.jpg"><img class="alignright size-full wp-image-4386" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/06/iPhone.jpg" alt="" width="250" height="300" /></a>Three researchers from the University of California decided to take a closer look at phishing techniques that scammers can enact on mobile platforms. The study examined the use of phishing websites designed with mobile platforms and gadgets in mind, outlining its findings in the <a href="http://www.usenix.org/event/upsec08/tech/full_papers/niu/niu.pdf">report</a> <em>(pdf) </em>titled &#8220;iPhish: Phishing Vulnerabilities on Consumer Electronics.&#8221;  As readers at <em>AllSpammedUp </em>are no doubt aware, phishing in its simplest form entails tricking users into voluntarily &#8211; and unknowingly &#8211; surrendering their legitimate usernames and passwords to tricksters.</p>
<p>This is a pertinent issue as an increasing number of consumer electronic products start incorporating the ability to go online via embedded web browsers.  The team conducted its tests on the iPhone smartphone, as well as the Nintendo DS and Nintendo Wii gaming devices; the more technically inclined will be interested to know that the iPhone runs a modified version of the Apple Safari browser, while the Nintendo DS and Wii use modified Opera browsers.  As you can imagine, the common denominator among these devices has to do with their significantly smaller display area, which the researchers pegged at 12.5% to 40% of a typical browser on a desktop computer.</p>
<p>Well, the report concluded that the majority of users without security backgrounds were unable to detect phishing attacks, including those who are familiar with the iPhone.  The heart of the problem has to do with design vulnerabilities or limitations inherent to these smaller devices.  I examined the research and highlighted some areas where the deck appears to be stacked against mobile users.</p>
<p><span id="more-4372"></span><strong>Smaller, more limited displays</strong></p>
<p>The first victim of a smaller display size is often the status bar, which is hidden in order to maximize use of limited screen space.  This may extend to the hiding of the URL bar, as well as the truncating of the displayed URL so as to fit within the limited screen width.  Hiding either of the above elements is not optimal from an anti-phishing point of view unfortunately, since the ability to read and vet URLs is crucial to defend against phishing attacks.  Moreover, tricksters can exploit the limited display space by constructing a lengthy subdomain to emulate targets such as the Bank of America.  As noted by the report, a URL of &#8220;welcometo.bankofamerica.com.phishydomain.com/longfilenamehere&#8221; would show up as Figure 1 below, for example.</p>
<div id="attachment_4387" class="wp-caption aligncenter" style="width: 510px"><a href="http://www.allspammedup.com/wp-content/uploads/2011/06/URL.jpg"><img class="size-full wp-image-4387" src="http://www.allspammedup.com/wp-content/uploads/2011/06/URL.jpg" alt="" width="500" height="500" /></a><p class="wp-caption-text">Figure 1</p></div>
<p><strong>More cumbersome user input</strong></p>
<p>A commonly suggested and effective defence against phishing is to type in the desired URL manually.  Many consumer electronic devices and most touch-screen smartphones lack a physical keyboard however, eschewing that in favor of a soft keyboard.  While functional, the use of a soft keyboard can be a clunky experience, and often results in slower and less accurate typing.  This essentially discourages users from keying in their destination Web address, which steers them towards clicking directly on URL links instead.</p>
<p><strong>Limited options with incorrect SSL certificates</strong></p>
<p>Navigating to a site that does not have a correct SSL certificate will see the Mobile Safari browser popping up a short dialog offering users the opportunity to abort.  No additional explanation is furnished, and users are also unable to examine the digital certificate at that point in time.  While &#8220;expert&#8221; users refused to proceed, the study found that &#8220;Average and knowledgeable&#8221; users generally ignored the invalid certificate error.</p>
<p><strong>Simplicity of Web browser</strong></p>
<p>The simplicity of the iPhone Safari browser interface made the browser relatively easy to &#8220;game.&#8221;  A technique involving the use of a scrollTo() JavaScript function was illustrated, which causes the page to jump to a predefined location on the webpage.  By showing an image of a fake URL bar at the location, users were deceived into believing that they are at the correct website.  Most telling is how even expert users &#8220;failed to notice the fake address bar sliding over the real one very quickly on page load.&#8221;  In fact, only one user out of 37 noticed the fake, and this was only because the user thought the SSL lock icon (in the fake address bar) &#8220;did not look quite right.&#8221;</p>
<p><strong>Difficulty of performing software updates</strong></p>
<p>One final factor that makes the web browsers in mobile devices more prone to exploitation is the difficulty of applying security updates.  For example, the report noted that updating Mobile Safari on the iPhone required users to first dock it with iTunes on a desktop computer.  The Nintendo Wii forced users to navigate a setup menu, while the Nintendo DS can only be updated via the use of a read-only memory cartridge.</p>
<p>While there is no evidence that it is happening yet, it is not hard to imagine how spammers will eventually leverage the above weaknesses into their nefarious phishing schemes as more users begin to rely on their smartphones as their email client of choice.  Finally, users who regularly check their webmail on mobile web browsers are also subject to heightened risks of being phished.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/06/phishing-vulnerabilities-found-in-mobile-web-browsers/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Spear Phishing Email Nets $8m from Media Giant Condé Nast</title>
		<link>http://www.allspammedup.com/2011/04/spear-phishing-email-nets-8m-from-media-giant-conde-nast/</link>
		<comments>http://www.allspammedup.com/2011/04/spear-phishing-email-nets-8m-from-media-giant-conde-nast/#comments</comments>
		<pubDate>Wed, 13 Apr 2011 12:29:51 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spam emails]]></category>
		<category><![CDATA[spam lawsuit]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4032</guid>
		<description><![CDATA[If a big fish like Condé Nast can fall victim to a simple spear phishing scam, what does that say for the state of enterprise wide security to protect against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/04/phishingcartoon.gif"><img class="alignright size-medium wp-image-4046" src="http://www.allspammedup.com/wp-content/uploads/2011/04/phishingcartoon-400x140.gif" alt="" width="400" height="140" /></a>Have you ever stopped to wonder why spammers do what they do? Is it just an irritation that anyone and everyone with an email account has to endure, or is there really a tangible payout at the end? I know I’ve wondered about it, countless times. It seems that every time I look at my inbox there are new reasons to wonder just what these guys think they’re accomplishing.</p>
<p>And then I come across a story like this one.</p>
<p>The mammoth media company Condé Nast – publishers of <em>Vogue</em>, <em>Golf Digest</em>, <em>GQ</em>, <em>Vanity Fair</em>, <em>The New Yorker</em> and <em>Wired</em> magazines, to name a few – was targeted by a spear phishing attack last November that cost the company $8 million in a series of wire transfers sent over several weeks. Last week, the US Attorney’s Office filed a complaint in Manhattan District Court alleging that the publishing giant got hooked by a single phishing email that was fabricated to appear as if it had come from Quad/Graphics, a company that prints Condé Nast’s magazines.</p>
<blockquote><p>The email came in the form of an attached PDF file. According to one of Condé Nast’s companies, <a target="_blank" href="http://www.wired.com/threatlevel/2011/04/condenast-hooked-by-spear-phisher/">Wired.com</a>, “The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.”</p></blockquote>
<p>The alleged spammer – who has been identified as one Andy Surface of Alvin, Texas – established a bank account under the name Quad Graph and then sent the mail to the publishing company requesting that future payments be made to the new account. Condé Nast’s accounts payable department had no issues with the request, apparently, because someone from the department signed the Electronic Payment Authorization form and faxed it back to Surface, who is alleged to have shown BBVA Compass Bank in Alvin documents establishing that the company Quad Graph had been registered in a different country.</p>
<p><span id="more-4032"></span>When Condé Nast authorized the form, they effectively gave their bank, JP Morgan Chase, permission to deposit funds in the fake account. Between November 17th and December 30th, they did just that, depositing a little less than $8 million in payables, intended for Quad/Graphics, into Surface’s account. The scam might have gone on longer, but on December 30th, Quad/Graphics (the real one) contacted Condé Nast to ask why the company hadn’t paid its outstanding invoices. According to <a target="_blank" href="http://www.eweek.com/c/a/Security/Conde-Nast-Wires-8-Million-to-Scammer-in-Alleged-Spear-Phishing-Scam-732291/">eWeek.com</a>, “Conde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface.”</p>
<p>Condé Nast was able to recover about $36,000 by reversing one of the wire transfers. The company immediately alerted the authorities and on January 10th, the US Secret Service was able to secure a warrant freezing the accounts before the scammer was able to transfer the money elsewhere. A forfeiture lawsuit is pending, and presumably criminal charges that might include wire fraud and money laundering. Surface has not yet been formally charged, but Wired.com reports that, “<em>Forbes</em> dug up a previous charge against someone with the same name and address who pleaded no contest in December to “terroristic threat of family/household.” The US Attorney’s office declined comment.</p>
<blockquote><p>“Phishing now makes up 23 percent of all attacks in the realm of social media,” Paul Henry, forensics and security analyst at Lumension, told eWeek.com. “A recent <a target="_blank" href="http://www.eweek.com/c/a/Security/Phishing-Declined-in-2010-as-Overall-Vulnerabilities-Rose-IBM-326851/">IBM X-Force Trend and Risk Report</a> found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X–Force.”</p></blockquote>
<p>As for Condé Nast, it’s not surprising that they’re keeping mum on the whole situation.</p>
<blockquote><p>“A Condé Nast representative said the company could not comment on a pending investigation,” eWeek.com also reports, and Henry raised an interesting perspective on the whole thing. “What&#8217;s most frightening is the fact that this isn&#8217;t just an unknowing private citizen being duped by a phony Facebook friend. This is a multibillion dollar corporation that clearly did not do its homework,&#8221; he said.</p></blockquote>
<p>It is frightening. One might write this incident off as a very large corporation with so many transactions to fulfill that it might be ripe for the picking in a phishing scam like the one that netted Condé Nast. But Condé Nast got bilked out of $8 million off of one email. If it is <em>that</em> easy, then are there other incidents like this one – successful scams of other major corporations, scams that we’re not hearing about? Or is this just a blip, a random case of the one that <em>didn’t</em> get away?</p>
<p>The answer is unclear. However it happened, this much <em>is</em> clear: if a big fish like Condé Nast can fall victim to a simple spear phishing scam, what does that say for the state of enterprise wide security to protect against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?</p>
<p>I must make a confession. In 2006, I awoke one morning and while I enjoyed my first cup of coffee of the day, I read my email when I noticed what appeared to be a message from PayPal. The email asked me to update my account information, and without thinking (it <em>was</em> 6:15 AM and it <em>was</em> my first cup of coffee), I clicked the link provided by the email and was routed to a page that looked authentic enough. I proceeded to enter my username and password and after clicking ‘Enter’ I was shown a big ‘Thank You!’ and nothing else. It was only then that I remembered: I had recently changed my PayPal password, but the site had accepted the old one. I got off easy that morning, but as an IT professional, the revelation shook me to the core. Coffee or not, big corporation or not, we’re only one click away from financial mayhem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/04/spear-phishing-email-nets-8m-from-media-giant-conde-nast/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Have 10 million Trapster users been exposed to spammers?</title>
		<link>http://www.allspammedup.com/2011/01/have-10-million-trapster-users-been-exposed-to-spammers/</link>
		<comments>http://www.allspammedup.com/2011/01/have-10-million-trapster-users-been-exposed-to-spammers/#comments</comments>
		<pubDate>Thu, 27 Jan 2011 14:43:19 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3627</guid>
		<description><![CDATA[Subscribers to the Trapster service may be able to avoid speed traps while driving their cars but they may not be able to avoid spammers when operating their computers. That&#8217;s because some 10 million users of the service may have &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/01/trapster_top.jpg"><img class="alignright size-medium wp-image-3639" src="http://www.allspammedup.com/wp-content/uploads/2011/01/trapster_top-400x266.jpg" alt="" width="400" height="266" /></a></p>
<p>Subscribers to the Trapster service may be able to avoid speed traps while driving their cars but they may not be able to avoid spammers when operating their computers. That&#8217;s because some 10 million users of the service may have had their email addresses compromised.</p>
<p>In a letter sent to its users last Thursday, <a target="_blank" href="http://blog.trapster.com/2011/01/21/sorry/">the service wrote</a>,</p>
<blockquote><p>&#8220;The Trapster team has recently learned that our website has been the target of a hacking attempt, and it is possible that your email address and password were compromised.&#8221;</p>
<p>&#8220;We have taken, and continue to take, preventive measures to avoid future incidents but we are recommending that you change your Trapster password,&#8221; the missive continued. &#8220;As always, Trapster recommends that you use distinctive passwords for each site you visit, but if you use the same password on Trapster that you use on other services, we recommend that you change your password on those services as well.&#8221;</p></blockquote>
<p>Within 24 hours of the caution letter being sent to subscribers, Trapster said it had rewritten the vulnerable code to prevent a recurrence of the incident in the future. It&#8217;s also working on additional security measures to better protect its customers&#8217; data in the future, it added.</p>
<p>What may be preventing the breach from becoming one of the largest in Internet history is the fact that the service doesn&#8217;t require its users to register with it.</p>
<blockquote><p>&#8220;[A] majority of our users who download the app do not register which means they did not provide an email address (as it is not a requirement),&#8221; Trapster <a target="_blank" href="http://wl4.peer360.com/b/21149i2125JE276H0ogX/main.asp?">noted in an FAQ on the incident</a>. &#8220;So the figure is well below the 10 million users which has been reported.&#8221;</p></blockquote>
<p><span id="more-3627"></span></p>
<p>The company, which makes an app for smartphones, emphasized that its advice about changing passwords was a &#8220;better safe than sorry&#8221; measure.</p>
<blockquote><p>&#8220;While we know that we experienced a security incident, it is not clear that the hackers successfully captured any email addresses or passwords, and we have nothing to suggest that this information has been used,&#8221; it said.</p></blockquote>
<p>A big concern in a security breach like this is that stolen email addresses and passwords can have a multiplier effect. That&#8217;s because users&#8211;myself included&#8211;tend to be lazy and use the same password for multiple sites.</p>
<blockquote><p>&#8220;[Y]ou may not care very much if your credentials on Trapster have been compromised and may think that not too much harm can come from that,&#8221; <a target="_blank" href="http://nakedsecurity.sophos.com/2011/01/20/trapster-hack-millions-warned-password-breach/">Graham Cluley noted</a> at the Naked Security blog. &#8220;But what if you use the same email address/password combination on other websites such as your Twitter account, or web email address?&#8221;</p></blockquote>
<p>That prospect wasn&#8217;t lost on Twitter&#8217;s security maven Del Harvey, who <a target="_blank" href="http://twitter.com/#%21/delbius/status/28140903143055360">chirped this tweet</a> to the service&#8217;s minions: &#8220;Sign up for Trapster? You need to change your password there. Don&#8217;t use the same password on multiple sites!&#8221; No doubt prominent in Harvey&#8217;s mind were reports that usernames and passwords purloined from Gawker accounts in December were used to compromise Twitter accounts and then use those accounts to flood the microblogging service with spam.</p>
<p>The Trapster breach occurred a little over a month after hackers went on a <a target="_blank" href="../2010/12/email-addresses-filched-from-gawker-mcdonalds-walgreen/">break-in spree</a> at Gawker, McDonalds and Walgreen. During the Gawker attack mounted by a group called Gnosis some 400,000 accounts were compromised. McDonalds and Walgreens didn&#8217;t release specific numbers for their breaches, which are thought to be linked to a spear-phishing campaign against email service providers that&#8217;s been going on for months.</p>
<p>If all 10 million user accounts had been compromised at Trapster, the break-in would be 25 times larger than the Gawker breach. Still, as <a target="_blank" href="http://www.macworld.com/article/157291/2011/01/trapster.html">Gregg Keizer points out</a> in Computerworld, if only one in 10 accounts were compromised, the raid would be 2.5 times the size of the Gawker fiasco.</p>
<p>Trapster was picked by Wired magazine in 2009 as one of the best location-aware apps.</p>
<blockquote><p>&#8220;[E]veryone can benefit from Trapster, a program that pulls together crowdsourced info about the location of police traps,&#8221; <a target="_blank" href="http://www.wired.com/gadgets/wireless/magazine/17-02/lp_10coolapps">Wired noted</a>. &#8220;Drivers report red-light cameras, speed cameras, or cops hiding in wait, which all get added to a map of law enforcement hot spots for the next lead-foot coming down the highway. You can even set your phone to warn you audibly when approaching the fuzz. Coast clear? Floor it.&#8221;</p></blockquote>
<p>Depending on the severity of last week&#8217;s break-in, Trapster may be eligible for another &#8220;best&#8221; kudo&#8211;best spam platform.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/01/have-10-million-trapster-users-been-exposed-to-spammers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five steps to take before the holiday season spam starts</title>
		<link>http://www.allspammedup.com/2010/11/five-steps-to-take-before-the-holiday-season-spam-starts/</link>
		<comments>http://www.allspammedup.com/2010/11/five-steps-to-take-before-the-holiday-season-spam-starts/#comments</comments>
		<pubDate>Tue, 23 Nov 2010 16:01:13 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3339</guid>
		<description><![CDATA['Tis the season to take five simple steps to help prevent spam.
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/11/present.jpg"><img class="alignleft size-thumbnail wp-image-3338" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/11/present-150x150.jpg" alt="" width="150" height="150" /></a>With just over a month to go until Christmas, Hanukah, Saturnalia, Festivus, and the many other holidays associated with the Winter Solstice, it&#8217;s time for all good email administrators to get ready for what I like to call Spamapalooza, and which you will all recognise as the annual uptick in the amount of spam targeting your users&#8217; inboxes. These can range from emails hawking fantastic prices for the hottest gifts of the season, organisations making appeals on behalf of a charity or international crisis, chain emails with touching stories or funny sayings, to a rash of messages containing malware in the form of holiday-themed animations. All of these, and more, are about to start heading for your borders ready to fill inboxes and message queues, just as they do every year.</p>
<p>Now, before the rush of the season gets into full swing, it would be a good idea for you to prepare your users, and your systems for this surge. By tending to some simple proactive and preventative maintenance activities now and starting a gentle, but insistent campaign of raising user awareness you will be in good shape to fend off the coming storm.</p>
<p><span id="more-3339"></span>Here are five steps you can take to get ready for the holidays.</p>
<h3>1. Patching</h3>
<p>Make sure that all of your systems are fully patched and up to date on all operating system and application patches. If your clients use Outlook, be sure to include updates to the junk mail filter, and don&#8217;t forget your antivirus software, Java, Flash and PDF software.</p>
<h3>2. Preventative server maintenance</h3>
<p>When was the last time you defragmented your databases, or the operating system hard drives of your mail servers? Perform any database management, including offline database defragmentation now as a part of your planned system maintenance.</p>
<h3>3. Backups</h3>
<p>Sure, you run backups throughout the week, and you check the logs, but when was the last time you confirmed your backups by performing a restore? Test your backups to make sure that they are usable before you find yourself in a situation where they are not.</p>
<h3>4. DNS records</h3>
<p>While you are performing some year-end maintenance, take a look at your DNS records to make sure that all A, MX, PTR, and SPF records are up to date and accurate. Pay close attention to your MX records. Make sure that they are all still valid for your environment, and that your anti-x protections are fully in place and up to date for all of these. Some spammers will target your secondary MX servers, in the hope that they are not as closely watched as your primary.</p>
<h3>5. Secondary servers</h3>
<p>And speaking of your secondary servers, are they able to handle the load if your primary goes down? Test them, even if that means staying up late for a Saturday night maintenance window to take your primary offline to force all incoming mail through your secondary. You’d rather find out on your own terms if there is a problem, instead of walking in on a Monday morning to find out something crashed.</p>
<p>In an upcoming post, we’ll cover some user education and awareness actions you should take to help your users help you and to better secure their home systems against spam. Be sure to check back for that soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/11/five-steps-to-take-before-the-holiday-season-spam-starts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Breach Exposes Email Addresses of Over 100,000 iPad Users</title>
		<link>http://www.allspammedup.com/2010/06/data-breach-exposes-email-addresses-of-over-100000-ipad-users/</link>
		<comments>http://www.allspammedup.com/2010/06/data-breach-exposes-email-addresses-of-over-100000-ipad-users/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 13:58:46 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2655</guid>
		<description><![CDATA[AT&#38;T, still stinging from embarrassment after their poor network coverage prevented Steve Jobs from connecting to the internet with his iPad during his WWDC keynote speech, now has an even bigger PR nightmare to contend with. A group of hackers &#8230;
]]></description>
			<content:encoded><![CDATA[<p>AT&amp;T, still stinging from embarrassment after their poor network coverage prevented Steve Jobs from connecting to <a href="http://www.allspammedup.com/wp-content/uploads/2010/04/iPad.jpg"><img class="alignright size-medium wp-image-2369" src="http://www.allspammedup.com/wp-content/uploads/2010/04/iPad-400x240.jpg" alt="" width="304" height="182" /></a>the internet with his iPad during his WWDC keynote speech, now has an even bigger PR nightmare to contend with. A group of hackers revealed that they were able to gain access to over 100,000 email addresses belonging to iPad users, and not just any users. Among those whose personal info was compromised are New York City Mayor Mike Bloomberg, White House Chief of Staff Rahm Emanuel, the CEO of the New York Times, and Steve Jobs himself, along with many other public figures.</p>
<p>The group discovered that a program on AT&amp;T’s website would display an email address when supplied with the unique identification number assigned to each iPad. Once they wrote a script to automate the process, it took them just 6 hours to collect 114,000 email addresses. AT&amp;T said it fixed the security hole promptly once it was informed of it.<span id="more-2655"></span></p>
<blockquote><p>&#8220;This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses,&#8221; a written statement by AT&amp;T said. &#8220;The person or group who discovered this gap did not contact AT&amp;T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS [iPad identification numbers] may have been obtained.&#8221; &#8220;We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.&#8221;</p></blockquote>
<p>The breach could have serious legal implications for the company, which says it will inform all the affected users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/data-breach-exposes-email-addresses-of-over-100000-ipad-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should You Use More Than One Anti-Spam Product?</title>
		<link>http://www.allspammedup.com/2010/05/should-you-use-more-than-one-anti-spam-product/</link>
		<comments>http://www.allspammedup.com/2010/05/should-you-use-more-than-one-anti-spam-product/#comments</comments>
		<pubDate>Fri, 14 May 2010 14:12:21 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2539</guid>
		<description><![CDATA[A popular security term is “defence in depth”.  It sounds really clever and evokes images of multiple layers of protection from a threat. An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2542" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/05/fences.jpg" alt="" width="250" height="187" />A popular security term is “defence in depth”.  It sounds really clever and evokes images of multiple layers of protection from a threat.</p>
<p>An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier firewalls at branch offices, and maybe even client firewalls.  If one firewall fails, or is circumvented somehow, another one potentially saves the day.</p>
<p>It is a good concept but it naturally adds complexity to any environment.  And when applied to email spam and virus protection the complexity sometimes undermines the effectiveness and efficiency of the system.</p>
<h2>Why Defence In Depth for Email Threats?</h2>
<p>Quite a few years ago IT departments had a problem.  Email viruses would sometimes get through their servers and infect the network.  It happened when your server did not receive a new signature database from the vendor in time to stop the infection.</p>
<p>There were two underlying weaknesses with the older generation of email security products.  Firstly, they usually updated only once per 24 hours.  Secondly, they utilised a single engine for scanning emails for threats.</p>
<p>Under those conditions it made sense to deploy more than one product in a multi-tiered fashion, so that more than one detection engine could inspect the content.  If an outbreak did occur, you hoped that one of your vendors would get an update out fast enough to stop it.<span id="more-2539"></span></p>
<h2>Too Much Complexity for Today’s Business</h2>
<p>The defence in depth strategy for email security is less attractive these days.  Server consolidation is in vogue both for cost reduction and because of “green IT” initiatives.  But more importantly, the best email security products now ship with multiple detection engines included in them.</p>
<p>So instead of multiple products on multiple servers, you can deploy several detection engines within a single product on a single server.  The number of actual engines in effect is only limited by your choice of email security product, and by the power of your server.  But with computing power at a relatively low cost these days, running two or three detection engines on a single host is easily within the reach of most businesses.</p>
<p>Most products are in themselves a defence in depth solution anyway.  A single product can perform RBL lookups, sender verification, recipient filtering, reputation checks, URL filtering, and content filtering all within the one package, with no need to deploy multiple products to gain all of those security features.</p>
<p>For those companies still holding on to a defence in depth strategy the final argument is that of complexity.  The more servers you have in your email transit path the more points at which a failure can occur.  And the more security products you have in the mix the harder it is to apply a consistent security policy across the network, and the more places you need to look for missing or quarantined emails.</p>
<p>There is no &#8216;set and forget&#8217; anti-spam solution, but you still want it to be as low maintenance as possible.  So adding complexity for no gain is not a strategy to stick with any longer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/should-you-use-more-than-one-anti-spam-product/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bank Forces Google to Shut Down a GMail Account After Data Breach</title>
		<link>http://www.allspammedup.com/2009/10/bank-forces-google-to-shut-down-a-gmail-account-after-data-breach/</link>
		<comments>http://www.allspammedup.com/2009/10/bank-forces-google-to-shut-down-a-gmail-account-after-data-breach/#comments</comments>
		<pubDate>Fri, 02 Oct 2009 13:59:47 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1575</guid>
		<description><![CDATA[When a Wyoming bank’s employee unwittingly created a large data breach, an innocent GMail user paid the price. It all began when a clerk at Rocky Mountain Bank sent an email containing nearly 1500 customer names, addresses, SSN numbers and &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1576" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/09/952313_gavel.jpg" alt="952313_gavel" width="195" height="125" /></p>
<p>When a Wyoming bank’s employee unwittingly created a large data breach, an innocent GMail user paid the price. It all began when a clerk at Rocky Mountain Bank sent an email containing nearly 1500 customer names, addresses, SSN numbers and loan information to a random GMail address. It’s not known who the email was actually intended for nor how it got sent to the wrong one. Perhaps it was a typo. When the accidental breach was discovered, a second email was sent to the address asking that the first email be destroyed and that the owner of the account contact them. They got no response, so the bank contacted Google and demanded the user’s information be turned over to them. Google (and rightly so) refused, saying they did not honor such requests unless accompanied by a court order. Rocky Mountain Bank went to court and not only got that court order, but they took it a step further and asked that the account be shut down. The judge agreed and ordered Google to do so, so now a completely innocent person, who probably ignored both emails thinking they were spam or a phishing scam, has lost their email account.</p>
<p>Google says it has been able to resolve the situation to the bank’s satisfaction and they have filed a motion to dismiss the case. But until the judge approves it they are barred from giving that innocent user their account back.</p>
<p>The bank hasn’t had any comment. One can hope they will become a little more tech savvy and also that they will apologize to the GMail user their employee’s blunder so inconvenienced.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/bank-forces-google-to-shut-down-a-gmail-account-after-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Go Beyond Encryption with a Tunnel</title>
		<link>http://www.allspammedup.com/2009/04/go-beyond-encryption-with-a-tunnel/</link>
		<comments>http://www.allspammedup.com/2009/04/go-beyond-encryption-with-a-tunnel/#comments</comments>
		<pubDate>Thu, 30 Apr 2009 14:51:37 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=917</guid>
		<description><![CDATA[Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-918" title="tmeeh_image11" src="http://www.allspammedup.com/wp-content/uploads/2009/04/tmeeh_image11.jpg" alt="tmeeh_image11" width="196" height="196" />Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.</p>
<p>What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer&#8217;s daily routine includes using this technique regularly.</p>
<p>When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although it isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.<span id="more-917"></span></p>
<p>For the cyber criminal, spoofing an email message is only half of the equation. A hacker must also know the email address of the mailbox that&#8217;s being used as the journal repository. With these two factors in place, it&#8217;s fairly easy for a hacker to sneak a spoofed message into the journaling mailbox.  By changing certain properties of an email (e.g. the From, Return-Path and Reply-To fields), the bad guys can make an email appear to be from someone other than the actual sender. The result is that the email appears to come from a fake email address indicated in the &#8220;From&#8221; field, when it actually comes from a totally different source.</p>
<p>Other journaling defense methodologies include protecting Exchange email archives from spoofing attacks. The key component to protecting your archives against these types of attack is a clear understanding that there is a difference between the sender and the display name. The display name is the name the email recipient sees. It has no value in authenticating the user. The user&#8217;s true identity is connected to the account&#8217;s <a target="_blank" href="http://en.wikipedia.org/wiki/GUID">globally unique identifier</a> (GUID).</p>
<p>Within the same Exchange Server organization an email recipient can be deceived by a  spoofed display name, when an authenticated email user sends a spoofed message to that  email recipient’s mail box. The Exchange server is not fooled. It knows exactly who actually sent the message, because of how the sender was authenticated.</p>
<p>This authentication process is significant, because journaling always sends messages to the designated recipient mail box in a consistent manner regardless of who sent or received the message being placed in the journal mail box. For example, let’s say email user #1 sends a message to email user #2. The Exchange mail server is also set up to journal a copy of the message to a mail box called “Journal”.  In this scenario, email user #1 or email user #2 won&#8217;t send the message to the Journal mailbox. The email will be sent to the Exchange hub server. Then the Exchange hub server sends the message as a Microsoft Exchange message on behalf of the message&#8217;s original sender.</p>
<p>If we know that all email messages sent to the journaling mailbox are only supposed to be from Microsoft Exchange, some easy steps can be taken to prevent anyone else or any other entity from sending messages to this mail box. Not publishing the mailbox in the directory is one way to do this.</p>
<p>A further step would be to ensure that only the Exchange server can place items into the journaling mail box.  <strong>Below is the process for creating a tunneling mechanism only between the Exchange server and the journal mail box</strong>. This ensures the journal mail box does not accept email from any outside entity.</p>
<ol>
<li>Open the Exchange Server Management console.</li>
<li>Select Recipient Configuration &gt; Mailbox.</li>
<li>Right click on the journal mail box and choose Properties from the menu. This causes the console to display the mailbox&#8217;s properties sheet.</li>
<li>Go to the properties sheet&#8217;s &#8220;<strong>Mail Flow Settings</strong>&#8221; tab.</li>
<li>Select the Message Delivery Restrictions option.</li>
<li>Click the &#8220;Properties&#8221; button to display the Message Delivery Restrictions dialog box.  At this point you can require that all senders to this mailbox be authenticated.  You can also choose to accept only specific senders.  For the journal mail box, accept only messages from Microsoft Exchange.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/go-beyond-encryption-with-a-tunnel/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BCC Blues</title>
		<link>http://www.allspammedup.com/2009/04/bcc-blues/</link>
		<comments>http://www.allspammedup.com/2009/04/bcc-blues/#comments</comments>
		<pubDate>Wed, 01 Apr 2009 08:12:14 +0000</pubDate>
		<dc:creator>Brett Callow</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=696</guid>
		<description><![CDATA[PGP recently sent the following message to potential customers:           Good Afternoon I work in the PGP Business Development team, working with organisations that have a need to prevent the exposure of intellectual property that can result in financial loss, &#8230;
]]></description>
			<content:encoded><![CDATA[<p>PGP recently sent the following message to potential customers:</p>
<blockquote><p>Good Afternoon</p>
<p>I work in the PGP Business Development team, working with organisations that have a need to prevent the exposure of intellectual property that can result in financial loss, legal ramifications, and significant brand damage. I understand that you may have an interest in securing sensitive company and/or customer data using PGP encryption solutions.</p>
<p>The PGP evaluation that you may have downloaded from the web does not include PGP Universal version 2.8 &#8211; a core component of the PGP Platform, for automated operations, key management, password recovery and enforced security policies across the enterprise. I am more than happy to provide this to you, should this be important.</p></blockquote>
<p>What&#8217;s the problem? Well, <a target="_blank" href="http://www.theregister.co.uk/2009/03/24/pgp_email_storm/">according to The Register</a>, PGP sent the message without using BCC and so the recipients were able to see each other&#8217;s email addresses. The situation was then made even worse when irate recipients used &#8220;Reply to All&#8221; when firing off their complaints to the sender of the email. Ouch! For a company that specializes in email security &#8211; and whose customers are probably much more security/privacy conscious than most people &#8211; this was certainly a silly boo-boo.</p>
<p><span id="more-696"></span>PGP are certainly not the first company to have made such an error, and nor shall they be the last. In fact, while it&#8217;s not a particularly common problem, it doesn&#8217;t seem to be a particularly uncommon one either. Once a month or so I see a CC&#8217;d email which should really have been BCC&#8217;d &#8211; and those emails are often sent by people and companies that should really know better. Actually, they almost certainly *do* know better &#8211; mistakes happen.</p>
<p>What surprises me is that the vendors of most messaging products do not provide a mechanism that would enable admins to force users to use the BCC option in certain situations (when an email is being sent to X or more people, for example). This would be easy enough to do and would certainly spare some blushes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/bcc-blues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The importance of filtering outgoing email in Exchange environments</title>
		<link>http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/</link>
		<comments>http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/#comments</comments>
		<pubDate>Thu, 22 Jan 2009 15:12:09 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=359</guid>
		<description><![CDATA[When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as blocklists and content filtering to prevent spam from reaching end user mailboxes. Despite &#8230;
]]></description>
			<content:encoded><![CDATA[<p>When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as <a href="http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/">blocklists</a> and <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a> to prevent spam from reaching end user mailboxes.</p>
<p>Despite this effort some businesses fail to also consider filtering outbound emails.  Often the outbound email path bypasses the system that scans incoming emails from the internet, and instead sends the emails directly out to the destination.</p>
<p style="center;"><img class="alignnone size-full wp-image-360" src="http://www.allspammedup.com/wp-content/uploads/2009/01/outboundfiltering.png" alt="Outbound filtering" width="500" height="136" /></p>
<h2>Why should we scan and filter outbound email messages?</h2>
<p>Outbound email messages should be checked for spam or malicious content because of the risk such content poses to the organization&#8217;s reputation.</p>
<p>An organization found to be sending spam or viruses risks:</p>
<ul>
<li>Damage to their brand names</li>
<li>Loss of trust and reputation with customers and business partners</li>
<li>Being blocked by other email administrators</li>
<li>Being added to IP block list provider databases such as <a href="http://www.allspammedup.com/2008/12/how-to-protect-your-exchange-server-2007-with-the-connection-filter-agent/">SpamHaus</a></li>
<li>Bandwidth saturation impeding other online communications</li>
</ul>
<h2>How can spam or viruses be sent from our business networks?</h2>
<p>I&#8217;ve worked with a lot of customers over the last 10 years and it is not uncommon to find more than one of the following weaknesses in their network security:<span id="more-359"></span></p>
<ul>
<li>Unsecured wireless networks</li>
<li>No doors or security barriers in offices</li>
<li>Firewalls that allow any device on the network to send outbound SMTP</li>
<li>Email servers that permit any device on the network to relay SMTP</li>
</ul>
<p>Some of these combinations create very serious security problems.  If I can get access to your network via an unsecured wireless access point, and your email server permits any device on the LAN to relay so that the photocopiers can automatically order more toner from the supplier, then what is to stop me sending spam or virus emails from your network?</p>
<p>A worse scenario is what can potentially be done with a legitimate user account without any of the above-mentioned security weaknesses existing.  A disgruntled staff member, or someone who gains access to an unlocked computer in an insecure part of the office, could use those network credentials to send email out of the network.</p>
<h2>How do we filter outbound email messages?</h2>
<p>Although Exchange Server 2007 contains anti-spam features that can be used to protect an organization from incoming spam, they provide no protection for outgoing threats.  The inbound protection also suffers from some disadvantages such as a lack of <a href="http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/">Bayesian capabilities</a>, <a href="http://www.allspammedup.com/2009/01/anti-spam-reporting-for-exchange-server-2007/">poor reporting</a>, and <a href="http://www.allspammedup.com/2008/12/managing-spam-quarantine-for-exchange-server-2007/">cumbersome quarantine management</a>.</p>
<p>Combine this with the habit of many email administrators of sending outbound email directly from Exchange to the destination on the internet and the risks become clear.</p>
<p>The solution to this problem is to implement an email security solution in the network.  This carries a dual benefit in that it can be used to filter both inbound and outbound email for the organisation.  The email security solution addresses the weaknesses and deficiencies of the built-in Exchange Server 2007 anti-spam features and also provides outbound protection to preserve the reputation of the business.</p>
<p>Always consider outbound filtering when planning your email protection strategy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Pass It On!</title>
		<link>http://www.allspammedup.com/2008/12/dont-pass-it-on/</link>
		<comments>http://www.allspammedup.com/2008/12/dont-pass-it-on/#comments</comments>
		<pubDate>Thu, 04 Dec 2008 14:28:28 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=221</guid>
		<description><![CDATA[Around the holiday, I always see more chain emails coming through from well-intended friends and relatives, and so it&#8217;s time for an annual warning. Some of these chain emails just have interesting pictures, some make outrageous claims. A large majority &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Around the holiday, I always see more chain emails coming through from well-intended friends and relatives, and so it&#8217;s time for an annual warning. Some of these chain emails just have interesting pictures, some make outrageous claims. A large majority of the latter are hoaxes.</p>
<p>A chain email is just like an old-fashioned chain letter. A message is sent to thousands of people, encouraging them all to &#8220;pass it on&#8221;, often because of either extreme cuteness, or because some bogus message is being trotted out as so incredibly important that recipients will see it as their duty to send it on to as many people as possible. It&#8217;s surprising too, how many intelligent and well-educated people actually take the bait, and send it on to everyone in their address book. Here&#8217;s a tip: Don&#8217;t do it! You&#8217;re not going to win a prize from Microsoft. You&#8217;re not going to help a sick little girl, and you&#8217;re not going to help your favorite cause. In most cases, all you will do is help spread misinformation. But even if on rare occasions the claim does turn out to be true, spreading it through chain emails is still not a good idea&#8211;first, because it does very little for whatever cause you may be trying to promote, and second, because there is a security risk involved.</p>
<p><span id="more-221"></span></p>
<p>Besides the risk of spreading misinformation, there are greater dangers afoot. When you receive one of these emails, if you scroll down through it, you will notice that there are perhaps hundreds of email addresses contained in the thread, from all of the people who have passed it on before you. The security of your own email account is at risk here. If you pass on that chain email, your own personal email address will be exposed to a great many people, as it continues to get passed on down the line. You may well trust the person who sent it to you, and you may well trust your friends that you would send it to. But do you trust your friends&#8217; friends? How about your friends&#8217; friends&#8217; friends? We&#8217;re talking about complete strangers here. When it comes to Internet security, the watchword always should be, &#8220;trust no one.&#8221; All those email addresses could be very easily harvested for use in spamming operations or worse.</p>
<p>A quick look at BreakTheChain.org shows some of the most popular of these chain hoaxes. Many of them sound very realistic, and are often designed to tug at your heartstrings and get your sympathy. Don&#8217;t fall for it! Here are just a few examples:</p>
<p>&#8220;Bonsai cats&#8221;&#8211;completely false. This long-running hoax claims that a Japanese man sells kittens that he has placed in a bottle and feeds through a tube, so that they take on the shape of the bottle. This plays on your sense of outrage, and includes a petition to sign which will somehow end up at the US Animal Protection Society. Unfortunately, petition-based chain emails don&#8217;t work, because once they are in the wild, they are, well, wild! There&#8217;s no direction to them, and no way to get the so-called petition to its intended destination.</p>
<p>Petition to stop religious programming. This one plays the religion card, claiming that the FCC is going to put a stop to all religious broadcasting on television, and asks for your help (and your signature on a petition). This one is also completely false: the FCC does not have the authority to do what the email claims, nor is it seeking such authority.</p>
<p>Dunkin&#8217; Donuts involved in unpatriotic activity. Come on now! My favorite donut shop! There have been a few variations of this one, claiming that owners of Dunkin&#8217; Donuts shops have burned the American flag, that somebody saw an American flag with Arabic writing on it, and that Dunkin&#8217; Donuts shops won&#8217;t serve American servicemen. As BreakTheChain put it, this is &#8220;ridiculous paranoia masquerading as patriotism.&#8221; And not to mention, it&#8217;s maligning a pretty darn good donut, too. Completely bogus. DON&#8217;T pass it on. Enjoy your donuts instead.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/12/dont-pass-it-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

