This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, perhaps, it’s not enough that the agency which was spoofed in the attack has reported a disruption of its own systems, but it’s also the government body responsible for identifying and mitigating just this type of thing.

On January 11, news erupted of a rather malicious little spoof email that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an email pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.

Sent with fake source addresses that included soc@us-cert.gov and the subject line Phishing incident report call number: PH000000XXXXXXX and an attachment named US-CERT Operation Center Report XXXXXXX.zip, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which executes a file named US-CERT Operation CENTER Reports.eml.exe – was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.

Oh, the Irony!

US-CERT responding by doing what it’s supposed to do: it posted a bulletin and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency has stated

“difficulty receiving emails due to the phishing campaign”

according to SC Magazine. A little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, it’s a forgivable fumble considering that the scam artists continue to get wilier and more creative in their attacks.

In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:

• Do not open the attachments in email messages from unknown sources.
• Install anti-virus software and keep virus signatures files up-to-date.
• Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
• Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.

From Russia with Malice

The story gets a little more interesting from here, when Nextgov.com reported on Wednesday that

“Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.”

It’s not clear why researchers outside of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?

Regarding the attack and its location, there’s clearly no love here, only malice. So why was an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything that nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.

It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

US-CERT Hooked by US-CERT Phishing Attack

Not a fun thing to deal with but it did get me thinking a bit more about how often individual accounts are compromised to send out spam.

Of the larger messaging services, Yahoo! Mail appeared to be the most susceptible according to an end-user survey by Commtouch with 27% of Yahoo’s users claiming to have had their account compromised. Facebook came in second with 23%, Gmail followed with 19% and Windows Live rounded out the list with 15% of people admitting that their accounts had been targeted at one time or another.

The most frightening statistic from this survey was that 62% of these people had no idea how their email account was compromised. This does not reflect carelessness on the victim’s part but instead, shows how the threat landscape has increased in sophistication.

It used to be you downloaded a malicious program that infected your email client and sent out messages to everyone in your inbox however with the malicious links appearing in social network feeds, legitimate web sites hosting malware, drive by downloads and cyber criminals snooping in on public Wi-Fi narrowing down where your credentials were stolen is akin to finding a needle in a haystack.

Why Your Personal Account is a Target

You would think that large corporate email accounts would provide a much more lucrative target for spammers. After all, if they can compromise a good number of addresses they will have much more to work with.

However, cyber criminals have long abandoned the mass spam tactics of the past. This is evidenced by the fact that the amount of email spam has reduced over the years, and trends show that this will likely continue.

People have learned not to respond, or act, when they are sent an arbitrary email message from an unknown account. Over the years, they have been warned and trained that if you don’t know the sender don’t trust the message.

Personal email accounts, for this very reason, have become much more attractive to spammers and cyber criminals. Instead of blanketing mailboxes with spam that generates extremely small returns, their email campaigns have become much more targeted.

Harvesting smaller amounts of personal accounts to send their junk may not be able to hit the sheer numbers they used to use, but the odds of someone opening the email and taking action are greater because of the trust factor.

What To Do When Your Account is Compromised

First and foremost, don’t say your account was hacked. Security experts and people who understand the definition of hacking don’t appreciate that term. Explain that your account was compromised.

Next, don’t be like the 23% of people who admitted in the Commtouch survey that they did nothing when finding out that their account was being used for nefarious purposes.

When you finally realize that something fishy is going on with your account take the following steps:

Update your anti-malware software.

You are going to scan your computer but if your signature files, or definitions, are out of date your security software very well could miss files that have infected your computer.

Boot your computer into safe mode and run scan your computer.

Many people automatically assume that you should change the password to your account first. However, if whoever compromised your email account did so by means of a keystroke logger that is still running on your computer then they will be informed of your new password. Clean your computer of any malware in safe mode before you do anything else.

Change your password.

Once your computer is malware-free you need to log into your email account and change the password. However make sure that you avoid using passwords you use to log into web sites or other types of accounts. This could very well be the place your password was stolen from since criminals know that people frequently use the same passwords over and over. Add to that the fact that many accounts use your email address as the username and you have a perfect mix for disaster.

Of course, you are going to want to also make sure you use a strong password consisting of a combination of upper and lower case letters, numbers and symbols.

Taking precautions will never completely eliminate the possibility that your email account will be taken over, but being smart and aware will certainly minimize the risk.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

When Spam Comes From a Friend

But putting things into perspective, when you consider that on average 5,000 people die from HIV every day, spam email messages just don’t seem all that bad.

By now, you are probably wondering what the two have in common.

On the surface, not much. But behind the scenes, the war on spam has produced some promising advancements towards finding a vaccine for HIV.

Leading the Charge

David Heckerman, Micrsoft’s Senior Director of their eScience Research Group was the inventor of the spam filter that protects Hotmail. However for the past seven years, his focus has been on creating a vaccine for HIV. He draws parallels between fighting spam and fighting the human immunodeficiency virus that make a clear connection between the two without trivializing the disease.

Over the years those who have been tasked with fighting spam have seen it evolve and adapt each time progress is made to eliminate it. At first, rudimentary spam filters blocked keywords found in the message so spammers started using characters and numbers. As the filters grew more intelligent, spammers reacted to stay one step ahead.

HIV evolves in a similar way. Attempts to stop the disease have shown that when attacked, the virus will mutate to beat its adversary (the human immune system).

“We have an adversarial situation going on between spam filters trying to block the spam and the spammers changing and mutating”, Heckerman said in an interview with The Los Angeles Times, “and in the case of HIV, we have the immune system fighting the virus and HIV mutating to try to get through.”

Both, he claimed, can be successfully fought by finding their Achillies’ heel. And for both, that vulnerable point of attack is the part that absolutely cannot mutate.

“In the case of spammers, they want to extract money from you. That’s what they can’t avoid. So our spam filters, at least in part, focus on that,” he said.

So now he is working on finding the spot where HIV is as equally vulnerable.

“It (HIV) mutates a lot, but it can’t mutate to where it stops functioning,” he said. “If it does do that, we win”.

Partnering with Others

Currently, Microsoft Research is working with Bruce Walker from the Ragon Institute of Massachusetts General Hospital, MIT and Harvard, the Centre for the AIDS Programme of Research in South Africa and the KwaZulu Natal Research Institute for Tuberculosis and HIV to study the virus in Durban, South Africa.

Of course drawing a parallel to study how HIV reacts to a vaccine is only a part of the solution.

To develop a working vaccine based on the principles used to fight spam, researchers are cataloging fragments of HIV that are vulnerable to attack by the human immune system to find that piece that cannot mutate. This research generates enormous amounts of data for researchers to analyze. Enough that one computer dedicated to crunching the numbers could take years. However, relying on Microsoft’s data centers, what would take years only takes a few hours.

This is thanks in part to the use of a Microsoft Computational Biology Tool called PhyloD . This software enables efficient data mining which then leads to specific cell analysis that helps detail virus patterns for further analysis. PhyloD contains an algorithm, code and visualization tools to perform complex pattern recognition and analysis – enabling Heckerman and his colleagues to learn how different individual immune systems respond to the many mutations of the virus.

While the research definitely shows some promise, a cure for HIV does not appear to be on the immediate horizon, nor does the eradication of spam.

Yet the nature of this study shows an enormous amount of progress towards how the different disciplines of science and technology are so interrelated that methods used to fight something like malware or spam could wind up someday saving millions of lives worldwide.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

From Fighting Spam to Fighting HIV

1. Counterfeit Goods: Designer bags, watches, and other knock-offs are a favorite of spammers. They hope to lure shoppers in with hard to resist deals on sought after brand names such as Rolex, Louis Vuitton, and Prada. Some of these spams are honest and actually brag about being high quality “replicas” while others do all they can to convince buyers they are getting the real thing. Remember, if it sounds too good to be true – it is!

2. Fake Delivery Notifications: This malicious spam has been around for a while and to keep right on going. Since this is the time of year people tend to ship lots of packages to distant friends and family, it’s a sure bet spammers will try and take advantage of that to trick people into downloading Trojans that will add their computers to  botnets.

3. Pharmaceutical Spam: This old favorite is still going strong as well. Expect lots of cheesy subject lines with holiday themed innuendo designed to sell a variety of male enhancement products.

4. Fake Auction Notices: This phishing scam uses emails designed to look like they’ve come from eBay. Usually they say you’ve won an item or that a buyer is trying to get in touch with you. Naturally you’ll have no idea what they are talking about because you haven’t bought or sold anything  and want to check your account. Don’t follow the links in the message! They’ll lead to a fake eBay page and when you submit your login details, they’ll go straight to a scammer, who will likely use them to hijack your account and rip people off.

5. Fake Greeting Cards: Perhaps the most popular holiday spam of all are fake, virus ridden electronic greeting cards. A good rule of thumb is if the notification doesn’t tell you who it’s from, it’s probably fake. All the major e-card sites will tell you the name of the person who sent the card in the notification email.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 5 Christmas Themed Spams

With Christmas just around the corner, the FBI can’t be accused of waiting until the last minute to get their Christmas shopping done. This week, the U.S. law enforcement agency – in partnership with several U.S.-based and international agencies – gave users around the world an early present when it announced the culmination of a two year operation dubbed ‘Operation Ghost Click’, which netted the Feds six Estonian nationals and saw the Christmas tree lights yanked on the infamous DNSChanger malware scam.

It’s been a busy year for the law enforcement community and its ongoing war against Internet crime, which has experienced some success with the takedown of two major botnets in Rustock and Coreflood. But global law enforcement agencies have frantically been creating a shopping list of new targets for investigation, which undoubtedly include a carousel of security breaches, both in major corporations and government departments, the wafting scent of state-sponsored and industrial hacking, the persistent and growing threat of hacktivism, and a raft of other exotic security threats. All of the above are wreaking havoc on the connected world, so when law enforcement wins one for the little guys, we damn well want to give credit where credit is due. We even have to send out kudos for coming up with a sexy name for a two-year long operation that saw six dirtbags paraded away in handcuffs. ‘Operation Ghost Click.’ How cool is that?

Anyone familiar with malware should be all-too-familiar with the DNSChanger scam, a Trojan horse distributed through multiple means, particularly spam e-mails. When activated, DNSChanger modifies DNS settings so that legitimate URLs are redirected to malicious sites bent on stealing information and earning ad revenues for the scam artists. Since 2007, DNSChanger has infected over four million unsuspecting computers, both Mac- and Windows-based. A half million of those are estimated to have been infected in the U.S., and the total haul for DNSChanger is estimated at $14 million over the past four years – reason enough for the joint collaboration of the FBI, NASA, the Estonian Police and Border Patrol, and the National High Tech Crime Unit of the Dutch National Police Agency, to name a few of the involved partners.  The full list of parties responsible for the takedown can be found on the FBI’s official news release here.

DNSChanger and its Mac OSX variants – known as OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C – prompted antivirus and antimalware developers to create tools to detect and remove its malevolent ass, but the malware continued to propagate, which is where Operation Ghost Click comes in. On November 8, two data centers – in New York and Chicago – were raided and more than a hundred command and control servers were taken offline. “To reduce the disruption to infected machines,” The Register reports, “the rogue DNS servers have been replaced with modified machines that are being operated for the next four months by the not-for-profit Internet Systems Consortium.”

Infected users should now be experiencing healthy DNS activity, even if the IP addresses of their systems have been compromised by DNSChanger. Users who wish to check if their systems have been compromised can use the FBI’s rogue DNS checker site. CNET also has some helpful information for Mac users who wish to manually check for DNSChanger infection.

Now for the fun part: simultaneous with the server shutdown, Estonian police took six individuals into custody.  According to The Register,

“Federal prosecutors in Manhattan said the scam was controlled by an Estonian company known as Rove Digital. Six Estonian nationals have been arrested by local authorities, and the federal prosecutors plan to seek the defendants’ extradition to the US. The defendants include Vladimir Tsastsin, 31; Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; and Anton Ivanov, 26. A seventh defendant, 31-year-old Russian national Andrey Taame, remains at large.”

Each defendant is charged with five counts of wire fraud and computer intrusion crimes, and Tsastisin faces an additional twenty-two counts of money laundering. If convicted, six of these geniuses are looking at 85 years. Tsastsin is looking at an additional ten years for each of the money laundering charges, which, if convicted on all counts, would make him 336 years old by the time he gets out – and they say that bad things don’t happen to bad people!

Some are calling it the biggest cyber-bust ever. Whether or not that’s true, it was still a pretty good day for the law enforcement and Internet security communities. Keep up the good work, and thanks for the early Christmas present!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

‘Operation Ghost Click’ Biggest Cyber-Bust Ever?

When we think of businesses most affected by sustainable practices industries like construction, waste management, transportation and manufacturing often come to mind.

However, much has been done over the years in the information technology field to go green. Web hosting companies promote their use of wind, hydro and solar power for their data centers. Companies that manufacture servers and desktops promote power saving features that reduce carbon footprints and even planting trees to offset any negative effects their products may have on the environment.

But when WebpageFX Weekly released an infographic detailing just how bad spam can be for the environment it made people take notice to just how much can be done to by the information technology field when it comes to saving the planet.

According to the data presented, spam is more than just an annoyance and more than a security threat. It is a bona fide problem that wreaks havoc on the environment.

The data states that the green house gas emissions associated with opening one spam email is equal to that of driving three feet in your car.

But the three feet equivalency does little to show the real problem behind spam and the environment.

Multiply that number by the 95 trillion spam emails sent in 2010 and it is comparable to the emissions that would result in a car driving around the world two million times.

If that is too hard to grasp, consider this. Each year 28.5 million metric tons of carbon dioxide is created due to spam.

The emissions are a direct result of the power used by having the computer on, the processor cycles required to open your mail client and the power required by your server to store and deliver that message to you. It also takes into consideration the process of harvesting your email address and storing it, writing the email and of course sending the message. But just how much does each step of the process affect the planet? Let’s take a look at the numbers:

• Harvesting addresses – less than 1%
• Creating spam campaigns – less than 1%
• Sending spam messages – less than 1%
• Incoming mail servers processing spam messages – less than 1%
• Storing messages – less than 1%
• Transmitting spam messages over the Internet – 2%
• Filtering spam messages – 16%
• Searching for false positives – 27%
• Viewing and deleting spam – 52%

So looking at these numbers you see that fighting and deleting spam makes up 95 per cent of the carbon footprint associated with spam.

Filtering email accounts alone makes up a sizeable chunk of this number, and if you break it down to something a bit more visual, spam filters account for 4, 560,000 metric tons of carbon dioxide.

So shouldn’t we just ignore spam if we really wanted to save the planet?

After all, fighting spam seems to take a much greater toll on the environment than the sending and receiving of these messages.

There is one last statistic that negates this thought. Should companies fail to filter spam on their incoming email green house gas emissions would increase by 270 per cent.

Companies shouldn’t rely on these statistics alone as a reason to put a solid anti-spam solution in place. While the efforts would make for a more socially responsible workplace, the fact that when spam is able to make its way into the inboxes of your users it not only puts an organization at greater risk for cyber threats, but it significantly reduces worker productivity.

When you consider that over 100 billion hours are spent each year reading and deleting spam it is easy to make a case for the need to stop it from ever reaching the inbox.

It is nice, however, to do the environmentally conscious thing and let people know that you are doing your part to go green by eliminating as much spam as possible.

To see these numbers in all their graphical glory, check out WebpageFX’s infographic.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Fighting Spam and Going Green

In this edition of Spamfoolery, we uncover the all-seeing eye of Sauron to take a sobering look at the state of intelligent thought in the spam world. Hold onto your boots. This one is not for the sense of humor challenged.

Each Sunday, I write my blog post, and while my mind’s always thinking about what I’ll be writing this coming week, I don’t really consciously come up with anything salient until Sunday morning itself rolls around. Sitting with my first cup of coffee, I browse the spam news and discover what nefarious new exploits the scumbags (spambags? I don’t know, it has a nice ring to it) are unleashing on the world; and in the course of that haphazard process, something shakes loose.

This week was no exception as the spam gods smiled upon me once again. This morning, I checked my email to discover that one of my former students sent me messages in Twitter. A nice fellow this former student, I instantly recognized the messages as Twitter intercepts…clearly, his Twitter account has been compromised and, wouldn’t you know it? As I’m writing these words, another message just came through. All the messages are the standard shenanigans one expects from spammers: “you too can be three inches taller,” “The most defiant fillies [sic] will strive for riding your new big Italian stallion” (seriously, that’s a real one. For more, look here), “I saw your wife naked with the village idiot last week, check pictures here,” “I know what you did last summer…” Okay, that last one may have come from a movie, but you get the point.

In the case of my former student, a clear tip-off – beside the apparent lunacy of his messages – was a common factor: a Russian URL at the end of each message. Now, I may be cozied up in the Great White North of Eastern Canada, but the northern climate is my only connection to Moscow. Well, maybe that and I like Borscht, but those are the only two similarities. Vodka too, but those are the only three similarities. Solzhenitsyn, Dostoevsky, Tolstoy, Rachmaninoff, Tchaikovsky, those funny dancing bears, Anna Kournikova…ah hell. Look, as the crow flies, Russia is 5,000 miles due east, okay?

So receiving these messages (you can see them above), I was forced to wonder, once again, just how stupid these spammers think I am – and by association, just how stupid they must be. Anyone following my blog knows exactly what I think of spammers, so it shouldn’t come as any surprise that I have an extremely low regard for these scum-of-the-earth, little-old-granny-scamming, make-my-inbox-flood-with-pure-crap-on-a-daily-basis, scam artists. Try saying that ten times fast.

All this ire forced me to consider, once again, whether spammers really are stupid, or whether they just act stupidly. Once again, I came up with a frustrating answer: it’s all of the above and everything in between. Yes, spammers are stupid and yes, they are wily, calculating and yes, even intelligent. Confused yet? Me too.

Look, it would be so much easier if we could simply write them off as being morons, and the bulk of the spam email sent each day would give any jury an easy way out when deliberating whether these guys are guilty of being just plain dumb. It would be so much easier going to bed each night knowing that we had nothing to fear from these jerks. Reality however, is a harsh mistress, and the simple fact is they’re not as dumb as we want them to be.

Spam IQ, Anyone?

With that in mind, I set out to categorize the spammers in the best possible way I could imagine: the Spam IQ test. Like the widely-criticized Intelligence Quotient, there’s no real science to it, but it is fun to consider. So, without further ado:

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamfoolery: Stupid is as Stupid Does Edition

It may bother you, and it may incite you to fits of rage. It may make you want to escape to a log cabin in the woods. It may even compel you to change careers and become a spam bounty hunter who tracks down spammers and eradicates them like the insects they are. But if you think you know spam, think again. Simply put, you asked for it. In this article, we take a look at how many bona fide organizations suggest that you take it and like it, and we might even reveal how you asked for it.

It can be argued that spam should be categorized into levels or degrees. Clearly, that message you received yesterday – you know, the one that read, “Dear, If I may have a moment of your precious time to consider this most tremendous offer of the utmost importance…” blah, blah, blah, kill me now, I can’t take it anymore. – is spam, plain and simple. No gray area there. How you got it is anyone’s guess, but if you’re anything like me, you take a few precautions:

• So Many email Addies, so Little Time – Multiple email addresses are the ultimate preventative medicine against those pesky little spammers.
• When Good Credit Cards go Bad, Put Them out of Their Misery – I have a specific card I use for online transactions, and it’s the only time that specific card comes out.
• Opt-Out Often – While it seems like common sense, don’t click those checkboxes which ask you to opt-in for regular emails, and don’t ever opt-in for third party offers.
• Just One More Cookie? No! – Again common sense, but most people don’t think about tweaking their browser’s cookie settings. Job number one is to block third party cookies, and if sites refuse to let you operate fully without them, then just say no to the site.

If you’re not doing these things, and other methods to reduce the risk, you’re partially to blame.

When Spam is Not Spam

Unfortunately, protecting your online presence is a battle that’s fought on different fronts, and your browser isn’t the only spam source you have to worry about. For example, I recently changed phone carriers and, within days of having the new phone number, the marketing calls started coming. Now, selling information is a necessary evil of doing business in the modern world, and we aren’t given a choice when we sign up for a service – it’s in the fine print and you can’t circumvent it. That’s why there’s something called call display.

But, when those calls evolve from spam into malicious activity, you have to wonder how a credible company like a major phone carrier can recklessly sell your information to people who wish to do you harm. Such was the case when I was targeted at least three times by the now-infamous Microsoft phishing scam. Really, phone company? It’s not enough that you bilk me for outrageous sums of money every month?

When is spam not spam? When we ask for it, and every time you sign on the dotted line, you’re at least partially responsible. Phone companies, banks, credit card companies, cable companies, insurance companies – the list goes on; companies that you have no choice but to deal with, if you want that HiDef PVR, that loan, or that legally-required car insurance. Unfortunately, there’s not a darned thing you can do about it.

Love for Sale

A few years back, an acquaintance of mine bragged that he was responsible for seventy percent of the spam emails being sent in North America. Now, knowing this acquaintance the way I do, I took his boast with a teaspoon of salt; but he did point out that the ‘spam’ activities he referred to are known in his industry as ‘qualified lead generation’ – a nice way to say that people opted-in and have asked for a perfectly legal heaping helping of spam.

Of the many activities this acquaintance partakes in, he owns a singles’ dating website. He boasted that he has a ‘qualified’ database that numbers in the hundreds of millions of users who have at one point or another given their name, age, gender, email address, credit card number… you get the point, right?

Since he has the biggest and most expensive home in the city, I’d say the love business is paying off in all sorts of ways.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Please Sir, May I Have Some More? When Spam is Not Spam

In an increasingly litigious world, it’s easy to tune out when you hear that one company is getting sued by yet another company for infringements – real or imagined. But in this edition of Spamfoolery, you’ll want to stay tuned to hear how much e360 Insight was awarded in the culmination of its long-running feud with the Spamhaus Project.

At very least, the endless litany of lawsuits in the tech world provide great fodder for blog writers. Even better, they also offer up a hearty chuckle once in a while, and the recent verdict in the long-running suit of e360 Insight LLC. v. the Spamhaus Project is no exception.

First, a little background to whet your appetite: in case you weren’t already familiar with it, the Spamhaus Project is a not-for-profit organization based in the U.K. and founded in 1998 by Steve Linford for the sole purpose of identifying and tracking spammers. All in all, pretty good stuff, since most spammers suck. I say ‘most’ because I still contend that the world needs some spammers – in much the same way I hate spiders, yet I acknowledge the need for spiders to keep other nasty vermin from spreading the way the Spanish Flu did in 1918.

Tune in for Another Episode of “As the Spam Turns…”

e360 Insights, LLC, on the other hand, is the alleged vermin in this soap opera. Way back in 2006, American Dave Linhardt, operating under the umbrella of e360, filed suit against Spamhaus for blacklisting his emailings and effectively labelling Mr. Linhardt a – you guessed it – spammer. Initially, the suit was tried in U.S. Federal District Court in Illinois, but the American law firm hired by Spamhaus petitioned the court to relocate the trial to the U.K., arguing that Spamhaus did not fall under U.S. jurisdiction. It gets more interesting from here on in, because the judge at the time ignored the request and British M.P. Derek Wyatt called for the American judge to be suspended from his post. Spamhaus also pulled out of the trial, prompting the judge to award e360 $11.7 million in damages.

Spamhaus refused to accept the judgement, stating that the court’s ruling had, “no validity in the U.K. and cannot be enforced under the British legal system.” Following the ruling, e360 filed suit to force ICANN to remove Spamhaus’ domain records until the matter was settled, inciting another interesting development. ICANN, a U.S. based entity with international responsibility for domain names, refused, stating they didn’t have the authority to cancel a British website’s domain records. In this matter, the same judge who awarded e360 the big chunk of cash sided with ICANN and Spamhaus, and poor little e360 found itself facing new problems.

It Gets Better…

In 2007, Chicago law firm Jenner & Block took Spamhaus’ case pro-bono and had the original damages overturned, thus sending the case back to district court. In early 2008, e360 filed for bankruptcy and terminated operations, citing its excessive legal costs in the matter of e360 v. Spamhaus.

Wait for it…

In 2010, another court reduced the damages from $11.7 million to $27,000, all this in the face of e360 filing for $135,173,577 (adjusted to $122,271,346 a week before trial) in damages!

Keeping in mind that: “the district court cited…Linhardt’s testimony regarding contracts with three customers who collectively paid e360 $27,000 per month for services performed,” it’s no surprise that the new judge in the case blasted e360’s counsel, stating: “this is just totally irresponsible litigation… You can’t just come into a court with a fly-by-night, nothing company and say ‘I’ve lost $130 million.’”

Wins Enough to Buy a Coffee!

Now for the really good part. On September 2, 2011, the soap opera finally came to an end, with the judge in the matter awarding e360 $3 in damages - no, that wasn’t a typo – from an asked $130 million to an award of $11.7 million, to $27,000, to (almost) enough to buy a coffee at Starbucks!

Who Said There’s no Justice for Spammers?

It sucks to be you, e360! It’s fun writing these articles, and I often find myself giggling like a schoolgirl when I write them. The case of e360 v. Spamhaus has been no exception, except that the ear-to-ear grin on my face has been accompanied by outright laughter as I sit alone by the pool, typing like a banshee. A strange sight, to be sure, and if any of the neighbors are watching, they must think me mad.

Maybe I am, but today I’m very happy.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamfoolery: Sucks to be You Edition

We were in line to check out of one of the nicer department stores in our community today, and during the course of the checkout, the clerk asked us if we wanted to save 10% by opening a store charge card, which we of course declined. She then asked us if we would like to save $10. Since our total was just shy of $100, my first assumption was that she was trying a different tact on the store charge card, and assuming we couldn’t do basic math in our heads. I was about to blast her with both barrels of my sardonic wit canon when my wife headed me off by asking “what’s the catch?” The catch was that to save $10 instantly, we just had to provide them with our email address.

How much is your email address worth? I guess that really depends on whether the value is calculated by you, or by a marketer. I know that I have a metric ton of things tied to my email address; it’s my login ID to countless websites including banking, credit cards, and insurance, and it is where all those “forgot your login ID/forgot your password” messages go for the sites that won’t let me use my email address as my user ID. To me, that makes it a very valuable commodity, and one I would be unlikely to part with at any price. To this retailer, it is apparently worth $10 to have the email address of a known customer so that they can send marketing messages and know that that the recipient has at least shopped with them before. Interesting.

Is $10 a fair price? Should we all begin to charge others for the privilege of sending us their marketing emails? Some very fast, very unscientific Googling led me to the conclusion that an email address costs about $0.0013 when purchased in bulk. My bet is that a legitimate retailer sending emails to such a list might get one sale for every 10K messages sent, and that they would anger at least twice that many current customers by sending UCE. These numbers are of course swags, but I’m using hyperbole to make a point – Stick with me here.

If you work for a company that uses email campaigns, consider developing your own opt-in mailing list like the retailer in my story above, offering real value for a real email address of a customer, rather than purchasing an allegedly opt-in email address list from some other source. Whether you offer an instant $10 savings, or send a $10 off a purchase of $100 or more coupon, or offer some other real, tangible value, by developing an email list at the register you could accomplish the following:

• You know that you are getting opt-in email addresses.
• Your list is made up of 100% customers (assuming none of them fib and give you someone else’s address.)
• By providing the customer instant value in exchange for this contact point, you are building up some good will with them.

Personally, I would make the value exchange an immediate one, offering the discount on the current purchase in exchange for the email address, though you might instead choose to send out coupons as the first email to make sure you are giving a discount for a fake address. I think you are more likely to get participation if the benefit is right then and there, but I am neither a marketer nor a psychologist. I just know that I did give my email address to the cashier so I could get that $10 off, and probably would not have if it had been a “we’ll mail you a coupon” exchange. I figure I shop there anyway, and can always set up a spam filter later if the signal to noise ratio from this merchant gets too high.

What about you? Would you give your email address out to a retailer you are spending money with to get a discount on the spot?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

How Much Is Your Email Address Worth?

The purists may suggest that we should never have made things smaller. They might even postulate that the age of innocence is over, and they would probably be right; but a new age is just beginning, and the dinosaur-sized PC that sits on your desk is now just that: a dinosaur. The ‘Big Ol’ Beast,’ as I like to call mine, sits there and stares at me sometimes, seemingly pleading with me: “pay attention to me!” “Use me!” it begs. “Bigger is better!” it pouts.

I just chuckle and Swype my finger across a shimmering sheet of Gorilla Glass, giggling like a school girl when a word is transposed into the message I’m composing, without my finger ever leaving the virtual keyboard.  Holding a fully functional computer in the palm of my hand is surreal and downright unbelievable, especially when I think about my first computer, an Atari 400 with a flat membrane keyboard, 4 Kilobytes of RAM, and the ability to display a whopping 256 different colors onscreen simultaneously. The wonderment I felt while pounding out (literally – you had to press hard on those keys) games in Atari BASIC seems like only yesterday, but the tech world is a time machine and I’ve been transported into the 21st century – where smaller is better, and just when you thought it was safe to download that new Sudoku game for your shiny new mobile device, you should think again. For as our tech gets smaller, so too does the world we live in.

“Mr. Data – Engage”

Allow me to dispense with a formality: it is Android of which I speak. I’m not going to get into a lengthy debate here, but I’m dismissing the iPhone and iOS from this discussion. While there are many millions who would vehemently disagree with me, I believe the Android OS, and the phones that support it, to be vastly superior to Apple’s offerings – and it appears there are many millions who would agree with me. As a developer who strongly believes in sharing over hoarding, I’m an open-source guy and always have been.

The problem with open-source is that while it promotes the highly admirable philosophies of collaboration, sharing, and (often) freeness, it also sends a message to the lowlifes and scum of the earth. You know the types: those who will scam little old grandmothers out of their life savings. The despicable cross-section of society that often makes me ashamed to admit I’m part of that society. The scammers and spammers – the pond-scum phishermen, as I like to call them.

Security Breach

Herein lies part of the problem: society just can’t turn down something that’s free. If the Android OS has one significant problem, it’s that its open-source nature allows anybody to put free or advertising-supported content on the Android Market. It’s no secret that Google has had their share of problems with previously valid applications being reupped to the Market, replete with all sorts of security exploits. And while it seemed strange to me to install a firewall and antivirus software on my phone, in my mind it was a pure necessity and the first thing I did when I set up my phone. (Note: this is where I tip my hat to Apple’s closed, often oppressive, approach to its marketplace. Oppressive or not, I never sensed a security threat to my iPhone).

Spam Magnet

That device in your pocket is infinitely more dangerous than anything you ever plugged a keyboard and mouse into. The open-source feeling and the sense that you’re holding a teeny-tiny little PC in the palm of your hand provides a false sense of security, one that turns your phone into a spam magnet. It’s easy to forget, especially if you’re not an IT professional, that not all spam filters are created equal. Indeed, the very nature of mobile devices means we use them on the go, making that device in your pocket a spam attack waiting to happen.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bigger is Better: Why Your Pocket is Filled with Spammy Goodness

“It was 24,000 files, which is a lot,” Deputy Secretary of Defense William Lynn said. “But I don’t think it’s the largest we’ve seen.” When asked if he knew who was responsible for the attack, Lynn responded, “We have a pretty good idea,” and some pundits are pointing the finger at China as the villain in this cyber drama.

In another example, more than 80,000 residents of the Durham Region of Ontario, Canada are suing the Region in a $40 million class action that accuses the Region Health Authority of losing a USB key that contained personal information for people vaccinated against the H1N1 flu virus. In that case, a public health nurse lost the key in a parking lot. Also on the healthcare front, a former patient of a cancer treatment center in St. Louis, Missouri is suing the hospital for the loss of her confidential information when a laptop “stuffed” with patient information. The problem? The information on the laptop was unencrypted.

One more example: unless you’ve been vacationing on Mars for the past few months, you’ve probably heard a lot about a little matter known as the Sony PSN breach. The highly-publicized outage of the PlayStation Network became a bit of a joke, especially since it seems that much of the compromised data was unencrypted. Sony was quick to counter that the credit card information was secure, but they were also quick to insist (it wasn’t optional) that all users change their passwords once the network was brought back up. CBC news quoted a security expert as saying that:

“any website worth its salt these days should be built to withstand such attacks.”

The Human Factor

See a pattern here? If not, let’s spell it out: Mr. Lynn of the Department of Defense states: “I don’t think it’s the largest we’ve seen”; The public health nurse from Durham Region lost a USB key in a parking lot; the stolen laptop in St. Louis contained confidential information that wasn’t encrypted; and data on more than 100 million Sony PSN users was unencrypted.

There are two parallel issues here. The first one is easy: a lack of proactive planning. The security expert quoted in the CBC article is correct. How could a defense contractor which builds weapon systems and other military hardware for the United States allow itself to be breached, especially since the Defense Department admitted to knowing that it’s happened before? How could Sony compromise the data of 100 million users and lose hundreds of millions of dollars in the ensuing cleanup? The answer isn’t complicated. People didn’t do their jobs. Now, it might be tempting to argue that a group of hackers, aged 15 to 28, know far more, and have more in the way of resources, than the largest military power in the world, and one of the globe’s leading technology firms. In case you missed it, that was sarcasm.

It’s the human factor. Look no further than the second parallel issue: a nurse who dropped a USB key, and a misplaced laptop loaded with unencrypted information on cancer patients. No matter how you look at these stories, the dominating factor is basic human error.

Planning, Training and Vigilance

Information is the lifeblood of any organization, but people are the body which makes the blood flow. Take spam, for example. Spam is dangerous, but not always for the reasons you think. Any IT technician is smart enough to detect spam and give it what it deserves – an unceremonious trip to the trash can. In fact, most educated people, IT professionals or not, can recognize spam for what it is: ridiculous, ill-conceived and at times, mind-numbingly stupid. However, while organizations spend tremendous amounts of money on technology, it’s distressing that they spend little educating the people who use the technology.

A few years back, I worked for a government agency that employed thousands of people. Every day, I received hundreds of emails and a substantial amount of those were ‘social spam’ – messages sent by coworkers peddling a funny joke, an interesting video, or a pithy piece of pseudo-wisdom. In fact, the task of cleaning up the social junk often represented a chunk of my time, detracting from doing what I was there to do – what I was paid to do. A week didn’t go by where I didn’t pull the IS manager aside and suggest that she convene a training session to educate the employees on the dangers of social spam. Those requests were met in the form of an agency-wide email and nothing more.

Most organizations have the planning part down, but they don’t seem to be able to educate their organizational structure. They don’t teach vigilance – some call it paranoia – the way IT people know vigilance, and that’s why data protection is so tenuous.

The fear is constant: the people who engage in social spam – you know the type, because they adopt similar practices on Facebook and Twitter – are the ones who will click an errant link, succumb to a phishing scam, lose a USB key, leave a laptop with patient data lying around, and yes, even fail to protect U.S. military documents from foreign countries. So before you go to sleep tonight, ask yourself this: can you sleep with confidence, knowing that every person in your organization – every person who has access to a PC – has your back? Ask yourself if they know enough to recognize a phishing site or a spam email when they see it.

And then strenuously lobby your senior management for rigorous training policies.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Data Insecurity: Why We Fail to Protect Our Information

Just recently spammers have again taken advantage of the current economic situation by sending emails out that pose as a warning that credit cards have been going unpaid.

According to recent reports a junk email scam has been launched that delivers a Trojan downloader that works to install phony antivirus software, or scareware, on the victim’s computer.

Recipients of this type of spam receive an email addressed simply to client and contains multiple spelling and grammatical errors in addition to referring to the recipient as YOU throughout the message. All the while, no reference to a specific bank is made.

The context of the message explains that the recipient has a credit card whose payment is one week overdue and references the card’s supposed limit, customer number and date when the payment was supposed to be made. Further on, the email claims that a 25 dollar fine along with finance fees will be charged to the account if a payment is not received within two days. Attached to the message is a zipped file that the email message claims is the credit card statement.

Should the recipient fall for this scam and actually download and unzip the file they find the payload file disguised as an Adobe PDF by using the icon so often seen with this type of file.

Over the years we have seen spammers try to entice victims to open their emails by using current events:

• Osama bin Laden captured!
• Osama hanged!
• We could settle your IRS debt now
• help for japan 8.9 earthquake!
• Fw: Japan Earthquake  – News Alert #1
• EARTHQUAKE HELP
• [LetUsPray] Additional Prayer for Japanese Earthquake and Tsunami victim
• Don’t let them foreclose!
• Homes given away

Of course as Google + invitations are sought after by anxious users, spam that promises membership into this exclusive beta test will also be used more and more as a way to draw potential victims into their scams. As these scams make the news, people become aware of what to look out for. The key is finding ways to mitigate these types of threats before they become common knowledge.

Preventing your users from falling victim

While malware of this type does not steal information through keystroke loggers or any other type of spyware, it can cause disruptions in service as network and desktop resources are used up by the program running constantly in the background and keeping an Internet connection open.

Teaching users to look out for things that identify a message as spam not only helps keep your network free of malware but it also helps fight spam over all as users who understand how to identify this type of email are less likely to open these messages at home.

Deploying a filtering solution that addresses file types and the body of the message can help immensely when it comes to keeping malware from being delivered to your users via email.

Coupling perimeter defenses with a good malware protection solution should keep infections like these from disrupting your computer services for existing threats, but antivirus alone will not do the trick as zero-day exploits are used to beat these defenses.

When you take a look at this newest attempt by cybercriminals it further proves that while spam, as we have come to think of it, may be seeing lower levels than the past, it is in no way something that we should stop worrying about. As I stated, email is going to always be one of the preferred delivery methods for malware and failing to secure against the threats that are delivered this way will continue to leave organizations vulnerable to attack.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Unpaid Credit Card Notifications Linked to Spam

Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking down the likes of Rustock and other botnets.

If email spam is a recurring nightmare from which you cannot seem to wake, read on. At the half year mark of 2011, some seemingly good news has poked its head over the horizon, with the promise of a brighter future. Unfortunately, the news isn’t all good; in fact, like spammers, it’s a little deceiving.

According to a new (June 2011) report published by Cisco Security Intelligence Operations (SIO) entitled “Email Attacks: This Time It’s Personal,” cybercriminals are dumping the ‘throw it against the wall and see if it sticks’ approach of indiscriminate spam, so much so that Cisco’s reports the, “annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half.” The report goes on to state that the volume of overall random spam in the past year has declined by more than 80 percent, a figure that sounds a little on the high side, but no one can deny that spam volumes have dipped since the Rustock Botnet takedown in March.

Cisco SIO reports that the financial impact of this decline is significant.

“Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.”  

The direct impact of spam emails is even greater, down from 300 billion spam messages a day in June 2010 to 40 billion a day in June 2011.

Generally speaking, people continue to be smart enough to recognize a scam when they see one, but interestingly enough, those who aren’t are getting taken for more money. While Cisco SIO reports that the average user continues to be smart enough not to click that link, resulting in low user conversion rates (the amount of people who actually end up getting fleeced), that this figure “is partially offset by increases in the average user spending on conversions.” Cisco SIO attributes this increase in the spam artists using personalization tools, better-crafted scams and more effective malicious attacks, and reports that the level of personal information being divulged has resulted in larger paydays for the scammers.

So how much does an errant click cost? $250, according to the report. Cisco SIO explains the methodology used in arriving at this figure:

“This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient.”

Now for the bad news:  even though random email spam has experienced a large decline, the amount of money being made by the scammers has quadrupled. Using the estimates explained above, Cisco SIO reports that “scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.”

Oh, the irony!

In what feels like a ‘why did they kick the hornets’ nest?’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.” The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.”

Oh, the humanity! If what this report states is true (and it sure sounds about right), then by deposing the former ruler – the incessant glut of email-pushing online pharmacies, instant university degrees, Internet casinos, and secret fortunes waiting to be smuggled out of some foreign country – in its place the law enforcement community has established a new despot: the smarter, more focused scammer!

Evolutionary Change and Survival of the Craftiest

In fact, Cisco SIO reports:

“as part of the evolution of the criminal ecosystem, [the growing number of scams and malicious] attacks are becoming highly focused.”

Scammers are taking greater care in their approach as they carry out schemes designed to rob people of their hard-earned Benjamins. They’re taking to other means – such as SMS, social media like Facebook, Twitter and Tumblr, the tried-and-true telephone scam, and even  eBook readers – and they “are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position.” Examples of these scams, Cisco SIO reports, are:

• SMS financial fraud scams to specific locales
• Email campaigns that use URL shortening services
• Social media scams, where the criminal befriends a user or group of users for financial gain

Spearphishing is on the rise and has experienced its own evolution, Cisco SIO states:

“Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content.”

If the cyber scammers are getting smarter, then it’s imperative that we, too, evolve. Cyber criminals made $150 million this year from spear phishing, according to Cisco, and that kind of return on investment speaks for itself. Spam won’t go away, ever. But like a nasty super virus that evolves and mutates into an antibiotic-resistant strain, spam marches on, even if it’s only to the beat of a new drum.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Reduced, Targeted Attacks on the Rise: Cisco

There are a number of reasons why I believe this is inevitable, which I list out below:

Data leakage of email addresses

Ever signed up for a new social networking service, or online storage provider?  The chances are 10 out of 10 that you will be asked for your email address.  Ditto when signing up for an Internet forum, downloading a “free” white paper or even when posting a comment on a blog (mostly).  While I am not in any way downplaying the trustworthiness of your favorite haunts on the web, every additional website on which your email address is surrendered represents another location from which your email address may be pilfered by unethical employees or stolen outright by hackers.

The latter is not an idle assertion either, given the number of online break-ins that have made the news of late.  Remember, we are not even talking about successful raids that went undetected, or where administrators have decided not to keep quiet.

Use of email addresses as usernames

Every online service that I can think of encourages (or enforces) the use of the email address as a username.  Using fake or throwaway addresses is not an option in many of these situations due to validation procedures as well as their role in recovering from misplaced passwords.  This practice results is more spam, since online services typically include the right to send “important messages” your way as part of the terms and conditions for their use.  While not malicious in nature, users can expect the occasional ads for new services or even regular news updates – which can stack up to a hefty number.

What is frustrating here are the lengthy steps usually required to opt out of them or to shut down the associated accounts.  Moreover, these email addresses could also be resold by unscrupulous service providers, or result in more spam if users unwittingly cede permission for “selected third party” vendors to get “in touch.”  Indeed, the value of such email addresses are higher given that they are validated – more so if they were accessed recently.

Reusing of passwords

The number of high profile breaches in which unencrypted passwords were exposed is clear evidence that not all websites adhere to best practices when it comes to protecting passwords.  I believe that this is but the tip of the iceberg when it comes to reusing passwords across multiple sites.  While not directly related to one’s receipt of spam, it is bad news for the security of email accounts – it will certainly be an easy matter for spammers to log into legitimate email accounts using stolen passwords to distribute spam or nick your email contacts.

Spam campaigns run from botnets

It used to be that spam messages are sent using open relays left there by careless administrators, exploiting the vulnerabilities of existing email servers or by means of backscatter techniques.  However, these vectors are increasingly being dwarfed by the use of infected computers shepherded into sophisticated and resilient botnets for the sending of spam.

For example, consider the TDL-4 botnet which was dissected and found to contain measures that make it “practically indestructible.”  With an estimated 4.5 million nodes in the mega botnet, it is understood that an installation of the TDL-4 botnet also incorporates a spambot.  While blacklists can certainly be used to defend against direct spam originating from end-user IP addresses; the sheer number of nodes does throw the door wide open for a wide variety of indirect attack methods.  Moreover, some of the infected nodes may include legitimate email servers, which can only serve to lower the effectiveness of blacklisting techniques as more mail servers end up being blacklisted.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why The Spam Threat Will Only Get Bigger

Robert Soloway, the spammer who made $20,000 a day back in the 1990s and was forced to pay $17 million in civil judgments, made it back into the news cycle when he was recently quoted as saying  that in current times

“(spamming is) not something financially feasible for anyone to even consider”

only months after his release from the Federal Correctional Institute in Oregon for his hand in violating the CAN-SPAM Act.

Over the years, we have seen the takedown of quite a few infamous spammers. So many that we have forgotten some of the pioneers and true dregs of cyber-society. Let’s see how many of this list you remember, or if you can think of any that can be added.

Dave Rhodes

The author of the famous MAKE.MONEY.FAST chain letter that made the rounds in the late 80s.  Legend has it that the letter was uploaded as a text file on a BBS in 1987 and then worked its way around until 1994 when it really became big.

The nature of this scam was that the recipient was instructed to send $1 to six different people via Paypal. Upon doing so, the recipient’s name would be placed on the list to receive money from others, and so on.

The true identity of Dave Rhodes has never been established.

Oleg Nikolaenko

The infamous King of Spam is currently awaiting trial in a detention facility in Milwaukee, Wisconsin for violating the CAN-SPAM Act after being arrested by the FBI in 2009.

Messages advertising counterfeit Rolex watches, herbal supplements and pharmaceuticals was the spam of choice for the 24 year old who was also credited with running the Mega-D botnet.

Davis Wolfgang Hawke

The press called him the spam Nazi because he not only made money from spam, but also use it to spread messages to bolster membership in his neo-Nazi groups.

Hawke started Amazing Internet Products with Brad Bournival in 2003 and the two began grossing roughly $500,000 per month advertising for a Yohimbe product called Pinacle.  He has also been linked to the famous Time Travel Spammer, Robert Todino.

In 2004 AOL was awarded a $12.8 million judgment against Hawke for sending unwanted emails to its subscribers. His current whereabouts are unknown.

Richard Colbert

After searching AOL profiles for keywords like multilevel marketing or business opportunity this Miami based “businessman” would spam the profiles he found to advertise his spam business charging around $900 for one million addresses. In a 2003 interview, Colbert claimed that because he honored unsubscribe requests he was a legitimate marketer.

Colbert retired from spamming in 2003 and was removed from the Spamhaus Project’s list of prolific spammers.

Eddie Davidson

Davidson was an active spammer between the years 2002 to 2007 under the business name Power Promoters. His company, along with several sub-contractors, would advertise the usual gambit of merchandise and pharmaceutical until he was indicted in 2007 for violating the CAN-SPAM Act.

Spam, however, turned out to be the least damaging of his crimes.

After serving a portion of his 21 month sentence and paying over $700,000 in restitution, Davidson was released from prison only to be found dead along with his three year old daughter and wife in a murder-suicide. His 16 year old daughter was also found shot but survived. His 7 month old son was the only member of the family that was left unharmed.

Laurence Canter and Martha Siegel

A modern day Bonnie and Clyde, these two lawyers posted the first massive commercial Usenet spam in 1994. Their Green Card lottery scam came shortly after the National Science Foundation lifted the ban on commercialization on the Internet.

The two went on to advertise their craft both spamming for hire and with a book titled How to Make a Fortune on the Information Superhighway: Everyone’s Guerrilla Guide to Marketing on the Internet and Other On-line Services.

In 1997 Canter was disbarred by the Tennessee Supreme Court for his participation in illegal advertising practices.

Bonus – Gary Thuerk

Gary earns the honor of the “Father of Spam” since he is the one who sent out the first unsolicited mass emailing back in 1978. His target, 600 ARPANet members. Yet while he really didn’t do too much damage compared to some of the others, he did pave the way.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Five Infamous Spammers You May Have Forgotten About

With all the focus on deliberate hacks and the sheer amount of data that’s being released into the cloud, spammers must feel like their lives are getting easier, what with the news media focusing on the former and law enforcement agencies scrambling to lock their virtual doors and windows from the likes of Anonymous and LulzSec. True, the art of spamming suffered a major blow earlier this year with the takedown of Rustock; but when the U.S. declared war on hackers a few weeks back, it was easy to forget the junk that infests our inboxes and focus on the ‘other show’ – cyber hacking.

Spam may not be as splashy and headline-driven as cyber attacks but it can be just as devastating. In a time when it really hasn’t gone away – other bots have taken up the standard since the death of Rustock – we decided to consider the main reasons why spam, as detestable and irritating as it is, is not going away.

The Art of the Scam is as Old as Time

Sometimes it’s easy to think that spam is a new concept, given rise by the enabling technology of the Internet. In fact, the con is as old as society itself. In the old days (i.e., pre-Internet), the scammer was the confidence man, the hustler, the snake oil charmer, the grifter. There is even a certain romantic notion about these types, glorified in Hollywood movies like The Freshman, The Sting and Paper Moon. For good reason, too. There’s always been a certain guilty pleasure in rooting for the scoundrel. In literature, this character is known as the antihero, the protagonist who doesn’t deserve to be liked. Think Sam Spade or Dirty Harry.

In fact, if the Internet has done anything, it’s made the scam – something regarded as an art form in some circles – available to nonprofessional scammers. All the Internet has managed to do is help spread the infection and empower the scammers to take their show on the road, even if they’re horrible at it.

Greed Is Good

A phrase immortalized by the fictional Gordon Gecko in Wall Street, “Greed is good” has a certain ring of truth to it when one thinks about the opportunities the Internet gives us. New forms of commerce have exploded in the information age. Industries have sprouted and billions have been made, all thanks to the Internet. One has to look no further than Google or Facebook to see how profoundly the Internet has changed the world’s economy.

So why is it wrong for spammers to get in on the greed? Because obviously, most of us were brought up to understand that one does an honest day’s work for an honest day’s pay. There’s nothing honest about bilking people out of their life savings.

Intelligence is a Rare Commodity

Let’s face it: spam often comes in the forms of ill-conceived schemes and ridiculous grammar. The quality in these schemes is distressingly mediocre. ‘Distressing’ because it baffles the mind how people can still be scammed when the collective IQs of the schemers appear somewhere on the scale between rocks and lichen. But this is good news. After all, if the sum of all the cheap drugs, phishing scams and scareware schemes were finessed, elaborate and effective, perhaps the U.S. would be declaring war on the spammers instead of the hackers.

It’s not just the poor writing, however. It’s also the ludicrous scenarios that these guys are selling. Let’s take a look at some passages from actual spam:

• Microsoft Corporation wish to notify all online customers as we celebrates the 35th year anniversary 2011;
• But if you do not remember me, you might have receive an email from me in the past regarding a multi-million-dollar business proposal which we never concluded.
• This is not a deception or anything related to scam because I do not need you to send me money.I will like to know you well enough.

We’ve all seen it, time and again. So much so that the head shaking stops and we become desensitized. But the sad news remains that people are being scammed.

It Will Always Be Easier to Break Something than to Make Something

No matter how much attention is given to spam schemes, phishing scams and scareware tactics, the spammers are always going to be more effective, since it’s easier to break something than it is to make something. Like hackers, they always find a way. When Rustock was taken down, it wasn’t long before Bagle and other botnets took up the slack.

And spammers are getting more resourceful. On June 16, Microsoft announced the results of a survey which stated that 22% of respondents had received a spear phishing phone call from someone pretending to represent Microsoft in an attempt to gain access to the person’s computer and or credit card number. This story hits home a bit, since this writer received such a phone call last week.

It Works

Perhaps the most compelling reason why spam isn’t going away is that it works. In the Microsoft phishing scheme mentioned above, of the 22% of respondents who reported receiving the call, 3% were scammed (not this writer – the fake Microsoft caller was quickly dispatched). But if you doubt that these guys are making money, look no further than this story from the Mail Online, which reports that spammers using text messages to find accident victims and redirect them to law firms are raking in £175 million a year.

Guess it works.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Reasons Why Spam Isn’t Going Away

Here’s a look at the top security headlines for the first half of the year, in no particular order.  It’s been a busy year so far  and it looks like it’s going to stay that way!

1. Epsilon Data Breach

When this third party email marketer had their database broken into in early April, it affected millions of customers from some of the world’s top companies, including Chase, Capital One, Best Buy, and GlaxoSmithKline. Names, email addresses, and in the case of GlaxosmithKline some health information, were stolen. Experts have warned customers of the affected companies to be on alert for spear phishing attacks.

2. Sony Data Breach

Just as the dust was settling in the Epsilon case, Sony announced that their databases had been broken into as well. This affected customers of the PlayStation Network, Qriocity music and video service, and Sony Online Entertainment.  The company says the breach, which may have compromised financial data as well and email addresses, will cost them over $100 million.

3. Microsoft and the FBI Take Down Coreflood

In April Microsoft teamed up with the FBI to knock out the Coreflood botnet. The FBI seized the command and control servers and Microsoft reprogrammed them to wipe out the malware that the unknown hackers behind the operations used to infect and control millions of PCs.

4. Microsoft Defeats Rustock

In March, Microsoft announced that with help from the U.S. Marshalls they had succeeded in taking down one of the world’s largest botnets. Seven hosting companies across the country were raided and several servers believed to be the command and control servers were seized. Rustock had previously been responsible for nearly 40% of the world’s spam.

5. Sony Suffers Another Data Breach

This week a red-faced Sony announced yet another data breach. This time it struck the company’s Canadian based mobile phone unit. The  company says the breach at Sony Ericsson Mobile Communications compromised several thousand email addresses, passwords and usernames but no financial information.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 5 Security Headlines For The First Half of 2011

With SPAM costing millions in fraud, identity theft and malware removal every year it is hard to find any humor when it comes to fighting SPAM. When you add the inconvenience of having to sort through the avalanche of junk email that is sent on a daily basis, SPAM becomes even less funny.

Still, you have to admit that some of the SPAM we see makes us chuckle at bit. Some of us are even guilty of forwarding some of the funnier subject lines we have received to others who may find a laugh in the indecipherable or awkward English used to get us to open SPAM.

For those of us who can find humor in the irony of SPAM, here are some of the funniest headlines that won’t offend readers as the X-rated ones have been left out.

10. My heartbeat are killing me!

Yes, and all our base are belong to you also.

9. Antidote for crocodile

Just what you need when you feel a little crodilia coming on.

8. John Mccain Denies Allegations That He Is A Politician

Politicians deny many things on the campaign trail, but I think this one is quite a stretch.

7. Sarah Jessica Parker Arrested For Gross Negligee

Maybe she should stick to Victoria’s Secret.

6. Dating girls 20-60 years old

When there are plenty of fish in the sea it helps to cast a wide net.

5. Britney Spears To Donate Eggs For Darfur

Britney hatchlings will be ready just in time for Easter.

4. IT consultant of perfect love making art.

Many people are taking on side jobs but this may be taking things a bit too far.

3. Your wife need your attention? Solve all the problems with IT.

This must be our IT consultant’s second attempt at Email marketing.

2. I learned what females do on a farm. NEVER leave them there abandoned!

At long last, their secret has been exposed to us all.

Finally, the top of our list is one that deserves the entire email to be printed here in all it’s glory:

1. Dimensional Warp Generator Needed ork uw g xmufucpebz

Subject: Dimensional Warp Generator Needed ork uw g xmufucpebz
From: “” <adm@chiche.com>
Date: Mon, 28 Jul 03 10:04:05 GMT

Hello,

I’m a time traveler stuck here in 2003. Upon arriving here my dimensional warp generator stopped working. I trusted a company here by the name of LLC Lasers to repair my Generation 3 52 4350A watch unit, and they fled on me. I am going to need a new DWG unit, prefereably the rechargeable AMD wrist watch model with the GRC79 induction motor, four I80200 warp stabilizers, 512GB of SRAM and the menu driven GUI with front panel XID display.

I will take whatever model you have in stock, as long as its received certification for being safe on carbon based life forms.

In terms of payment:
I dont have any Galactic Credits left. Payment can be made in platinum gold or 2003 currency upon safe delivery of unit.

Please transport unit in either a large brown paper bag or box to below coordinates on Monday July 28th at (exactly 3:00pm) Eastern Standard Time on the dot. A few minutes prior will be ok, but it cannot be after. If you miss this timeframe please email me. Twenty-three inches in from the outside edge of the corner at the South West Corner of Cummings Ave. & Village Street in Woburn, Mass. is at Latitude 42.4845467 & Longitude -71.1576157 and the ground is 101.3′ above sea level.

WARNING: DO NOT ATTEMPT TO TRANSPORT ITEM BY REGULAR MEANS OF TELEPORTATION. THEY ARE MONITORING AND WILL REDIRECT THE SIGNAL!! (NOBODY HAS BEEN ABLE TO TRANSPORT ANYTHING SO FAR WITHOUT THE TRANSFER BEING DEFLECTED). I DO NOT CARE HOW YOU HAVE TO GET IT HERE, JUST DO IT IN A WAY THAT NO SPYING EYES WILL POSSIBLY BE ABLE TO REDIRECT THE TRANSFERENCE. IT IS VERY IMPORTANT THAT YOU BE ABLE TO MONITOR THE TRANSFER.

Although those coordinates are a secure guarded area, these channels through email are never secure. Unfortunately it is the only form of communication I have right now.

After unit has been sent please email me at: info@federalfundingprogram.com with payment instructions. Do not reply directly back to this email.

Thank You

thunder
vckt qnl

Now how bizarre is that? Going through the message it has all the makings of a SPAM message but for the life of me I couldn’t figure out how this person will profit from this unless they own serious stock in the manufacturers of the dimensional warp generator unit they claim to be in desperate need of.

After a bit of research it turns out that the mysterious time traveler has been identified by some sources as James R. Todino, an infamous spammer who sent out roughly 100 million requests for help. Unfortunately, as was uncovered by Wired Magazine, Todino was actually serious about obtaining the parts as a result of psychological problems he had been diagnosed with. But that didn’t get Todino off the hook completely. His company, RT Marketing was apparently ordered to cease sending our fraudulent emails advertising for free government grants and detective software.

So next time you sit down to clear out your SPAM folder, take a moment to look over the subject lines. If you find something that even makes you smile, add it to the list here in the comment section.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

10 Funniest Spam Subject Lines

And then I come across a story like this one.

The mammoth media company Condé Nast – publishers of Vogue, Golf Digest, GQ, Vanity Fair, The New Yorker and Wired magazines, to name a few – was targeted by a spear phishing attack last November that cost the company $8 million in a series of wire transfers sent over several weeks. Last week, the US Attorney’s Office filed a complaint in Manhattan District Court alleging that the publishing giant got hooked by a single phishing email that was fabricated to appear as if it had come from Quad/Graphics, a company that prints Condé Nast’s magazines.

The email came in the form of an attached PDF file. According to one of Condé Nast’s companies, Wired.com, “The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.”

The alleged spammer – who has been identified as one Andy Surface of Alvin, Texas – established a bank account under the name Quad Graph and then sent the mail to the publishing company requesting that future payments be made to the new account. Condé Nast’s accounts payable department had no issues with the request, apparently, because someone from the department signed the Electronic Payment Authorization form and faxed it back to Surface, who is alleged to have shown BBVA Compass Bank in Alvin documents establishing that the company Quad Graph had been registered in a different country.

When Condé Nast authorized the form, they effectively gave their bank, JP Morgan Chase, permission to deposit funds in the fake account. Between November 17th and December 30th, they did just that, depositing a little less than $8 million in payables, intended for Quad/Graphics, into Surface’s account. The scam might have gone on longer, but on December 30th, Quad/Graphics (the real one) contacted Condé Nast to ask why the company hadn’t paid its outstanding invoices. According to eWeek.com, “Conde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface.”

Condé Nast was able to recover about $36,000 by reversing one of the wire transfers. The company immediately alerted the authorities and on January 10th, the US Secret Service was able to secure a warrant freezing the accounts before the scammer was able to transfer the money elsewhere. A forfeiture lawsuit is pending, and presumably criminal charges that might include wire fraud and money laundering. Surface has not yet been formally charged, but Wired.com reports that, “Forbes dug up a previous charge against someone with the same name and address who pleaded no contest in December to “terroristic threat of family/household.” The US Attorney’s office declined comment.

“Phishing now makes up 23 percent of all attacks in the realm of social media,” Paul Henry, forensics and security analyst at Lumension, told eWeek.com. “A recent IBM X-Force Trend and Risk Report found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X–Force.”

As for Condé Nast, it’s not surprising that they’re keeping mum on the whole situation.

“A Condé Nast representative said the company could not comment on a pending investigation,” eWeek.com also reports, and Henry raised an interesting perspective on the whole thing. “What’s most frightening is the fact that this isn’t just an unknowing private citizen being duped by a phony Facebook friend. This is a multibillion dollar corporation that clearly did not do its homework,” he said.

It is frightening. One might write this incident off as a very large corporation with so many transactions to fulfill that it might be ripe for the picking in a phishing scam like the one that netted Condé Nast. But Condé Nast got bilked out of $8 million off of one email. If it is that easy, then are there other incidents like this one – successful scams of other major corporations, scams that we’re not hearing about? Or is this just a blip, a random case of the one that didn’t get away?

The answer is unclear. However it happened, this much is clear: if a big fish like Condé Nast can fall victim to a simple spear phishing scam, what does that say for the state of enterprise wide security to protect against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?

I must make a confession. In 2006, I awoke one morning and while I enjoyed my first cup of coffee of the day, I read my email when I noticed what appeared to be a message from PayPal. The email asked me to update my account information, and without thinking (it was 6:15 AM and it was my first cup of coffee), I clicked the link provided by the email and was routed to a page that looked authentic enough. I proceeded to enter my username and password and after clicking ‘Enter’ I was shown a big ‘Thank You!’ and nothing else. It was only then that I remembered: I had recently changed my PayPal password, but the site had accepted the old one. I got off easy that morning, but as an IT professional, the revelation shook me to the core. Coffee or not, big corporation or not, we’re only one click away from financial mayhem.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spear Phishing Email Nets $8m from Media Giant Condé Nast