British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit, after all the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this.  Customers send mail using SMTP, therefore by blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISPs mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient. Continue reading ISPs Don’t Want to be Spam Cops»

Business Week reports that a study by researchers in New York reveals that as many as one in five young, overweight people have been a victim of email spam.

The study revealed some interesting statistics:

• 88% of overweight individuals reported receiving spam pitching weight loss products, compared to 73% of other respondents
• 42% of overweight individuals said they opened the spam, compared to 18% of other respondents
• 18% of overweight individuals said they bought products promoted in the emails, compared to just 5% of other respondents

Firstly why do overweight people receive more weight loss spam?  One theory is that these people are visiting more web sites on that topic than other people, and therefore end up in marketing databases.  This means that the spam is either coming from the website owner, or another party that is given access to the database of email addresses.  This access may be either from selling the list or by using co-registration, which is a legitimate lead-sharing strategy that is often abused by spammers.

For any email marketer a 42% open rate is outstanding.  It means that the subject line for the email was very effective at enticing the recipient to open the email and read more.

For a spammer sending 1,000,000 emails 42% open rates do not mean 420,000 people opened them.  Most of those recipients will never receive the spam due to anti-spam protection on their email server or their computer.  But even a 1% penetration could mean several thousand people open the email.

Finally the conversion rate for overweight people is very good at 18%.  Several hundred conversions of a weight loss product likely to cost $50-$200 is a good day’s pay for the spammer. Continue reading Weight Loss Scams Reveal Why Spam Works»

New Koobface variant exploits holiday spirit.

Malware miscreants have traded their black hats for Santa hats with their latest escapade targeting the 350 million member Facebook community.

Security experts have spotted a new variation of the Koobface worm that gives its prior social engineering techniques a holiday twist to lure Facebook users into its wicked web.

The new variant, Koobface.GK, posts a link to a Christmas video on the message wall of a Facebook user. When a social networker clicks the link, he or she is taken to a bogus video player. Clicking the play button on the spurious application produces no video, but it does download the worm to the clicker’s computer.

The malware then produces a captcha screen that threatens to shutdown the user’s computer if the captcha form isn’t filled out within three minutes. When the captcha form is filled out, the shutdown message appears again. Each time the form is filled in, a new domain is registered where infected files will be hosted. In that way, the worm propagates itself.

If a target decides not to act within three minutes, nothing will happen. However, his or her computer will become unresponsive. According to White Hats, a clean install of Windows isn’t needed to recover control of a computer infected with the worm. Presumably, the problem could be eliminated by pulling the power plug on the machine and rebooting into a state where a virus scan could be conducted on the computer or the box could be restored to a point before it was infected.

Continue reading New Koobface worm duping Facebook users»

Black Hats are finding social networking sites attractive targets for mischief.

As social networks like Facebook, MySpace and Linked-in have gained popularity among Web surfers, they’ve also attracted the attention of the Internet underworld. That’s because the likelihood of infecting a computer with malware distributed through a SocNet is much better than conventional email methods. How much better? Some security experts reported earlier this year that infection success rates were as high as 10 percent for malicious code circulated through a social network. That’s 10 times the infections that could be expected from an email spam campaign.

As Black Hats have turned their attention to SocNets, they’ve begun experimenting with going beyond exploiting the sites for distribution of bad apps and using the webposts for activities such as issuing commands and controlling the operation of botnets.

Just last week, security researchers uncovered a Trojan, dubbed Whitewall, that could use Facebook to coordinate its nefarious deeds. The sinister software is circulated by exploiting known vulnerabilities in Adobe Acrobat and Microsoft Office files. The documents look legit. They may look like communications from courier companies or headlines from news media.

The malware targets the mobile version of Facebook. It receives its marching orders by reading the notes section of that program. If a note contains the title “Wells,” it will contain a timestamp for when a machine is infected. If it’s “WebServer,” the app will execute a URL contained in the note from which it will receive commands. If the title is “White,” the Trojan will follow a URL to a site from which it will download a pernicious payload. If any other words are in the title, the software will do nothing and wait for further instructions.

Continue reading Why social networking spam reaps more rewards than email»

Last month I joined a new discussion forum.  The owner of the forum decided to charge members a monthly access fee of $1.95.  I gladly subscribed because the value of the forum far outweighs the membership cost.

Now several weeks later and with thousands of members joining the forum I realize the biggest benefit of the membership price – there is no spam.

For the average internet user everything they do online is free.  After they have paid for a computer and an internet connection from an ISP most people will not pay another cent for any of the intangible experiences that the internet has to offer.

Thousands of popular websites offer streaming videos, games, instant messaging and social networking without charging a cent for access.  Email is the ultimate free communication medium, costing nothing to acquire and use.  These services all attract spammers.

Free online services face a difficult challenge in preventing spam.  Their users want free access, but also resist overt monetization efforts by the website owner.  And yet without a revenue stream the websites can’t afford to invest heavily in security and support.  Without the money to fund a developer focus on proactive spam prevention, and a support team to handle reactive spam prevention, the spammers have a large window of opportunity to exploit these free services for their own gains.

The fallback monetization strategy for most of these websites is simple advertising.  MySpace added advertising early on.  YouTube is slowly introducing advertising models to support their massive infrastructure costs.

Facebook’s advertising system has an ironic twist – spammers can indirectly exploit the system by using free Facebook apps and games to gain access to users’ profile information, then use that information to personalize advertisements and target them more closely to certain demographics.  These advertisements are often unethical – for example targeting 15 year old girls to sign up their mobile phone (paid for by their parents) to a ringtone subscription service in order to earn more points to use within a popular Facebook game.

The irony is that so much money is made by the advertiser, who in turn pays fees to Facebook, that the spammers are largely responsible for generating the revenue streams that make it more feasible for Facebook to invest more in security and spam prevention.  Would this problem exist if services such as Facebook were not free? Continue reading Would Spam Exist if the Internet Wasn’t Free?»

Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.

“While we don’t expect to quickly collect the full amount, we’ll work hard to get everything we can,” Simon Axten, a privacy and public policy associate at Facebook, said in a statement.

The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account’s friends list. In addition to the hefty judgement the three spammers face possible prison sentences.

Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace’s attempts to collect their judgement.

The Sydney Morning Herald reports that a South Australian woman became a victim of identity theft when her Facebook account was taken over by hackers.  The hijacked account was then used to send messages to her friends saying that she was stranded overseas after being robbed and requested that money be wired to her to help her get back home.

The victim became aware of the hijack only after a friend phoned her from Singapore to verify the story.  This was unfortunately too late for one other friend who had already wired $1000 to the scammers.

This type of phishing scam occurs all too often on free social networking services due to several combined factors. Continue reading Facebook Friends Lead to Big Money Scams»

On Thursday Facebook shut down six rogue apps that were attempting to steal personal info from its users. Within hours after the apps, called “Streams”, “Posts”, “Your Photos”,  “Birthday Invitations” , “Inbox (1)” and “Inbox (2)”, were shut down, five new ones appeared. Those apps, called “Friends”, “Friends Gifts”, “Matching”, “Pok” and “Your Photos”, where also shut down.

When the fake notifications generated by the apps were clicked, users were asked to log in with their FB username and password. This information was transmitted to a remote server. At the same time, the app spammed everyone on the user’s friends list with the same fake notification they clicked on.

Rogue apps have been a constant issue on Facebook. Since the site doesn’t require anything more than an email address in order to be given the developer tools needed to create apps, and doesn’t have an app approval process in place, it’s very easy for scammers to get access to the hundreds of millions who use Facebook.

It’s not yet known if the same person/group is responsible for all 11 apps.

A new study says phishing scams make up 7% of all spam sent and that on average, 55,000 people a month fall for them and give up their personal info. Social networks such as Twitter and Facebook are an increasingly popular target for phishers. Twitter has been hit by two phishing attacks lately. One, the Twitter Porn Name scam, claimed to be a seemingly harmless game where Twitter users were told to put the name of their first pet with their mother’s maiden name and/or first street they lived on to get their “porn name” and then tweet it. Those particular pieces of information are gold to a phisher because they are the answers to the questions most websites ask when a user needs to retrieve or change their password. The second scam was the TwitViewer scam. Users got a tweet inviting them to check out the TwitViewer site to find out the last 200 people who visited their Twitter profile. The site asked for their Twitter name and password. Once entered the visitor was shown a screen full of thumbnails that claimed to be those of the last 200 people that had visited their profile. They weren’t, they were just random people, and the visitor found their account spammed everyone they were following and Twitter at large with the same invite they had responded to, and if they clicked on any of the thumbnails their account automatically followed them. Twitter claims to be working on tightening security but their recent roll out of their new URL blocking system shows they have a long way to go.

Continue reading Study Finds Phishing Scams Fool Over 55,000 a Month»

The first electronic spam that many businesses ever encountered came via email.  Before that spam was only in the form of “junk mail” delivered by post or received by fax.  Although a minor annoyance most pre-electronic spam was fairly harmless.  Rarely was a piece of junk mail intended to be malicious or an outright scam (beyond a normal degree of outlandish marketing hype anyway).

As email became a crucial business tool the spam problem rose rapidly to become the major problem it is today.  Regular research is released that puts spam at over 90% of global email traffic.  Despite this not every business takes it seriously enough to actually do something about preventing it.  Those that do will implement a quality anti-spam solution for their email and continue about their business hopeful that it will protect them from those on the internet with malicious intent.

However as the web evolves new spam threats have emerged that also need to be considered by businesses.

Email Spam

Email spam is a continually shifting landscape of new threats as spammers develop new techniques.  For example, spammers have gone from putting spam content in emails, to putting it in file attachments, to putting it in password-protected file attachments, to putting it in image files, to putting it on web pages that they link to, each technique intended to keep them a step ahead of anti-spam vendors and the protective measures built in to their products.

Continue reading Dealing With New Spam Threats to Business»