The Spam Stalemate

Written by Paul Cunningham on February 24, 2010

The Messaging Anti-Abuse Working Group (MAAWG) has released new figures that put the average volume of email spam on the internet at 90%, peaking as high as 94.2% in recent years.

Jerry Upton, MAAWG Executive Director, said “We’ve been sitting at a stalemate for probably two to three years. Taking out the highs and lows, we’re sitting at about 90%”.

Figures that regularly appear from various security vendors have been telling the same story for several years now. With the latest figures confirming the continuing trend, one might be forgiven for wondering who is really winning the war against spam.

Spam fighting is a multi-billion dollar industry and businesses are spending thousands or even millions of dollars each year to try and protect their networks from spam threats.

Network providers have had some successes by disconnecting major spam networks from the internet but in most cases the spammers have resurfaced or simply distributed their infrastructure across international jurisdictions.

Consumer ISPs are generally against implementing measures to prevent their customers from adding to the problem. This is despite MAAWG’s findings that “tens of millions of Web users in North America and Western Europe have clicked on spam at least once – and many of them did it on purpose”.

Google Buzz: socnet or spam magnet?

Written by John P Mello Jr on February 18, 2010

Privacy holes in Google Buzz could attract spammers.

Google is scrambling to patch the privacy holes in its Buzz application launched last week, hopefully before spammers turn the social network into a gold mine for their repugnant activities.

When introduced last Tuesday, the yawning flaws in Buzz could be seen in its privacy agreement.

“When you first enter Google Buzz,” it stated, “to make the startup experience easier, we may automatically select people for you to follow based on the people you email and chat with most.”

Assuming a user wants to “follow” someone just because they trade emails may have seemed convenient to Buzz designers, but in fact it’s a needless usurpation of a user’s ability to choose with whom he or she associates. Sure, automating who a user follows is a quick way to build a following list, but it actually adds hassle to the process as a user must manually scrutinize who he or she is following and weed out the deadwood.

But the boners get better. “Similarly,” the Buzz privacy statement continued, “we may also suggest to others that they automatically follow you.” Automatically putting the touch on people to follow a user based on the user’s Gmail address book is an expedient way to rapidly build a socnet without the fuss of inviting people to join individually. What the Buzz designers failed to fathom is that just because a user communicates frequently with someone in his or her address book doesn’t mean that user wants to share his or her every thought with that contact. What someone might divulge through a tweet or Facebook comment isn’t always something he or she wants divulged to a frequent email correspondent such as a client or boss. Facebook understood that from the start, so it’s surprising that the savvy crew at Google could make such a blunder.

Granted, a user can block any of his or her followers but why should the onus be placed on the user to comb out unwanted followers from a list created by Google?

Those inconveniences to users, though, aren’t what will be percolating the interest of spammers in the new social network. It’s the availability of a new source of public information about millions of potential marks.

Browser flaw tied to attack on Google

Written by John P Mello Jr on January 21, 2010

A zero-day bug in Microsoft Internet Explorer was a key element in an attack on Google and other companies last week. The attack, designed to ransack the Gmail of some Chinese human-rights activists, managed to clip some of the Search King’s intellectual property in the process.

“In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google,” Google said in a statement issued last week. “However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.”

“As part of our investigation we have discovered that at least 20 other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted,” Google added.

The attack illustrates that even the Google elite can be duped by a social engineering ploy wrapped in an email message. According to security experts, the email messages used by the attackers were targeted at specific Google employees likely to have access to valuable proprietary information on their company’s servers. The messages were carefully disguised to look as if they originated with sources the employees would trust.

Since the messages appeared to come from a trusted source, the Googlites didn’t hesitate in clicking links in the electronic epistles. Once that was done, the story took a familiar turn. The links resulted in malware being downloaded to the employees’ computers. The malware exploited an unknown vulnerability in Internet Explorer and opened a back door on the compromised machines. The back door let the crackers snoop around the wounded computers and gain control over their operation, using them to identify meaty targets and bleed valuable data from them.

Spyware linked to Google ads

Written by John P Mello Jr on January 14, 2010

WhenU covers Continental with its own Google ads -- charging ad fees for traffic Continental would otherwise receive for free.

Google has been called on the carpet by a prominent spyware fighter for contributing to the bottom line of Internet snoopsters.

“By paying spyware vendors to show advertisements, Google both enlarges and prolongs the spyware problem,” Harvard Business School Assistant Professor Ben Edelman recently wrote on his Web site.

“In particular,” he continued, “Google’s funding supports software that users struggle to remove from their computers. Google’s payments make it more profitable for vendors to sneak such software onto users’ computers in the first place.”

Edelman’s criticism of Google is largely based on the search king’s relationship with two firms: InfoSpace and WhenU. InfoSpace, among other things, distributes Google pay-per-click advertising. It uses subcontractors, like WhenU, to assist in circulating those ads.

According to Edelman, WhenU, through its spyware, collects cash from Google through some questionable ad practices. Here’s the problem.

When an advertiser buys a pay-to-click ad, it pays when a consumer clicks on the ad and goes to the advertiser’s site. If the consumer makes a purchase, the value of that ad increases and that added value is taken into account when the ad is renewed.

Phishing and Malware in the Smart Phone Era

Written by Paul Cunningham on January 13, 2010

The last few years have seen a sharp rise in the power and features of smart phones such as the Blackberry, Apple iPhone, and most recently Google Android-based phones.

Coupled with this rise is a new ecosystem of mobile application development, made mainstream by Apple’s App Store for the iPhone which boasts over 30,000 applications available for download.

This trend has reached a new, troubling milestone with the discovery of several fraudulent banking applications on the Google Android online store. The programs were disguised as genuine mobile banking applications and were designed to steal online banking credentials from anyone using them.

Although the applications have now been removed, the episode highlights the constant evolution of the security threat landscape. As technology becomes more ubiquitous it extends the threats in what are frankly quite predictable directions, at least for the security-minded among us.

Google reCAPTCHA cracked

Written by John P Mello Jr on January 5, 2010

Despite denials from Google, a security researcher continues to assert that the Search King’s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers.

Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.

CAPTCHA–which stands for Completely Automated Public Turing test to tell Computers and Humans Apart–is a method for foiling automated attacks by spammers on Web sites. Before a Net surfer can perform a task at a site, such as setting up an email account or adding comments to a blog posting, he or she is presented with the image of a word or phrase that has been distressed in some way. The warped image is intended to thwart scanners and optical recognition software programs used to automate the compromising of web sites by spammers. The idea is that humans can read the characters in the image and type them into a form while machines can’t.

Some simple math reveals just how alarming Wilkins’ findings are. The operator of even a modest botnet of 10,000 machines would be perfectly happy with a success rate of 0.01 percent. That would mean 10 new gmail accounts could be created every second or 864,000 new accounts a day from which spam could be launched.

Google counters that Wilkins’ test targeted an old form of reCAPTCHA from 2008 that has since been changed. “[T]his study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” a Google spokesperson told The Register. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Researchers Find Flaws in Google’s reCAPTCHA

Written by Sue Walsh on December 18, 2009

A new report by security researchers claims that Google’s reCAPTCHA system is flawed – so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour, resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services – the human factor – but with a twist.

The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet’s C&C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system it steals credit card numbers and other personal information.

The underground economy of human-driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.

Google denies that its reCAPTCHA is flawed, claiming the data used in the report is outdated.

“Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” said a Google spokesman. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Google Voice: Good and bad

Written by Dan Blacharski on March 23, 2009

Google’s new Google Voice feature lets subscribers get a ten-digit phone number that links all their other numbers and rings them simultaneously. It also lets you make calls for free in the US and inexpensively internationally, which will position the feature as a formidable competitor to Skype. The voice service adds a lot of extra value as well, with an SMS feature that converts voice messages into text, so you can read them at your convenience. You can also listen to your voicemails either online or from your phone, and get notifications of voicemail by email or SMS. All in all, it’s a cool sounding service with plenty of useful features. So why am I worried?

Google Mistakenly Labels The Entire Internet As Malicious

Written by Sue Walsh on February 2, 2009

In what Google officials are blaming on human error, for a while every site on the Internet was labeled as malicious. For about an hour on Saturday morning, every search result had the warning “This site may hurt your computer.” Users who clicked anyway were brought to a page blocking access and advising them to choose another site. According to the official Google blog, the error occurred during a routine update of the list of malicious sites that Google uses to block them. Unfortunately the human doing the upload made a simple typo:

Unfortunately (and here’s the human error), the URL of ‘/’ was mistakenly checked in as a value to the file and ‘/’ expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.

While Google fixed the problem quickly and issued a swift apology, it still has many people upset. Having your site labeled as malicious by Google can be very damaging!

Spammers Choose GMail

Written by Sue Walsh on July 16, 2008

A study by Roaring Penguin has discovered that during the past three weeks the amount of spam originating from Gmail has risen sharply, while spam originating from Yahoo and Hotmail remained flat or dipped slightly. Experts say this huge rise in spam is thanks to the cracking of Google’s CAPTCHA system. Spammers came up with an OCR scanner that was smart enough to read it and, as a result, were able to create large numbers of accounts to spam from.