Email Marketing Services Targeted by Hackers

Written by Paul Cunningham on February 11, 2010

There have recently been two publicized, high-profile attacks on email marketing services. The two services are Aweber and iContact, each of which confirmed an attack within about a month of the other.

These companies, and many others like them, provide email marketing services to websites and other online businesses. Email marketing, when done properly, is a legitimate practice and is not spam, although some people do not make the distinction between the two.

A legitimate email marketing service will require a subscriber to deliberately opt-in to a list, usually by sending them a confirmation email before they are added to a marketer’s email list.  This stops spammers from simply harvesting email addresses, importing them into one of these services, and starting to spam them.

This opt-in requirement, plus other measures, assures a high deliverability rate for the customers of the email marketing service because antispam systems on the receiving end can have a high level of confidence that the marketing messages are opt-in and not spam.

Among the more paranoid web users there is a tendency to use a unique email address for each mailing list they sign up to. So if they were to sign up to ABC Corp’s mailing list, they would use paul_abc@somewhere.com, and for XYZ Pty Ltd they would use paul_xyz@somewhere.com.

This might seem like a lot of hassle, generating a unique email address for every list you subscribe to, but when the attacks on these companies occurred it was these people who noticed the problem first. Suddenly their secret, unique addresses began receiving pharmaceutical spam. The average person who uses a single email address for everything probably would not have noticed the additional spam.
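As an added illustration (not part of the original post), the following Python sketch shows how the one-address-per-list habit becomes a breach detector: any tagged address that receives mail from a sender outside the list it was handed to points at the list that leaked. The list names, sender domains and sample headers are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed registry: each tagged address was given to exactly one list,
# and mail for it is expected only from that list's sender domains.
LIST_REGISTRY = {
    "paul_abc@somewhere.com": {"list": "ABC Corp", "senders": {"abccorp.example"}},
    "paul_xyz@somewhere.com": {"list": "XYZ Pty Ltd", "senders": {"xyz.example", "mail.xyz.example"}},
}

# Constructed sample messages (minimal header blocks, not real mail).
SAMPLE_HEADERS = [
    "From: news@abccorp.example\nTo: paul_abc@somewhere.com\nSubject: ABC Corp newsletter",
    "From: offers@mail.xyz.example\nTo: paul_xyz@somewhere.com\nSubject: XYZ monthly update",
    "From: 'Discount Pharmacy' <rx@cheap-pills.example>\nTo: paul_xyz@somewhere.com\nSubject: cheap meds!!!",
    "From: rx2@pillz.example\nTo: paul_xyz@somewhere.com\nSubject: more meds",
    "From: someone@friend.example\nTo: paul@somewhere.com\nSubject: hi",
]

# Good enough for the sample headers; a real parser would use email.utils.
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_headers(raw):
    """Return (sender_domain, recipient_address) from a minimal header block."""
    hdrs = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    from_match = ADDR_RE.search(hdrs.get("from", ""))
    to_match = ADDR_RE.search(hdrs.get("to", ""))
    if not from_match or not to_match:
        return None, None
    return from_match.group(0).split("@")[1].lower(), to_match.group(0).lower()


def find_leaked_lists(messages, registry=LIST_REGISTRY):
    """Map each list name to the unexpected sender domains that reached its tagged address."""
    suspects = defaultdict(set)
    for raw in messages:
        from_domain, to_addr = parse_headers(raw)
        entry = registry.get(to_addr)
        if entry is None:
            continue  # untagged or unknown recipient: nothing to conclude
        if from_domain not in entry["senders"]:
            suspects[entry["list"]].add(from_domain)
    return dict(suspects)
```

Run over a real mailbox, a non-empty result names the list whose subscriber file is the likely source, which is exactly the signal the tagged-address users above reported.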

Initial reports were sketchy, but eventually first Aweber and then iContact determined that a data breach had occurred in their systems. In both cases the outcome was the same: subscriber email addresses were compromised, but customer account and billing information was not.

Hackers and Spammers Now Creating Their Own ISPs

Written by Sue Walsh on December 28, 2009

Security researchers say botnet herders, malware authors, spammers, and other cybercriminals have begun taking matters into their own hands and creating their own ISPs. Now that even so-called “bulletproof” ISPs are being pursued and shut down, cybercriminals have decided that doing it themselves is their best bet.

They start by setting up data centers and stocking them with servers, then they seek out a local Internet registry (LIR) or a regional Internet registry (RIR) that doesn’t have the resources to verify applications as it should. In most cases anyone applying for a block of IP space must go through a screening process that includes submitting legal documents showing their business name, the names of the officers in their company, a written explanation of why they need the space, a listing of the company’s PCs, router configurations, network maps and more. By going through local registries, or registries that for one reason or another can’t or won’t do a full screening, cybercriminals are getting set up as ISPs. In many cases these less than thorough registries require nothing more than a letter explaining why the space is needed.

Once the criminals are granted the space they themselves become bulletproof, and they will obviously ignore any takedown orders. The best example of this kind of setup is the infamous Russian Business Network, which hosted hundreds of spammers, botnet herders, phishers, hackers and other cybercriminals. It firmly ignored takedown orders and fiercely protected its customers. RBN was able to get a block of IP space by going through a European LIR that did not do a thorough screening; the RIR, RIPE NCC, then granted the space based on the LIR’s report. RIPE defended itself, saying it had no way of knowing whether an applicant is up to illegal activities or not.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case.

RIPE was eventually able to close down the LIR and reclaim the space from the RBN, but the practice is still flourishing. To stop it, it’s up to LIRs and RIRs to stay on the ball and thoroughly screen applicants.

Spam From Sites Involved in Data Breach Increases Dramatically

Written by Sue Walsh on October 12, 2009

Last week we told you about a huge data breach that was affecting Hotmail, Yahoo!, and GMail accounts, hundreds of thousands of them at last count. Now experts say that the amount of spam coming from those sites has shot up dramatically, and they believe the hacked accounts are to blame. The spam messages are personalized and were sent to the contacts in each account’s address book. Links in the spam messages lead to fake shopping sites set up to steal personal information such as credit and debit card numbers, names, addresses, and email addresses: a textbook phishing operation.

Some experts believe that the breach is just too large to have been achieved through phishing alone and suspect malware, mainly keyloggers, may have been involved as well.

“The quantity of people hit makes me think that it was key logging — the success rate for phishing is only about one in 1,000,” Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet. “Secondly, when I went through the list of e-mail account credentials, there were entries with the same username, but a slightly different password, which suggests that they’re typos. I don’t think people would keep falling for a phishing scam and entering their details, it looks more like people are making mistakes and the key-logging software is recording them,” he said.

So far researchers have been unable to pinpoint the exact cause of the breach or determine who is responsible. They recommend that everyone, regardless of what email service they use, change their passwords immediately and then do so every six months. Passwords should be a combination of numbers and letters and every account you have should have its own unique password.

DDoS Attack Against Georgian Blogger Inspires Spam, Malware Attacks

Written by Sue Walsh on August 12, 2009

Hackers and spammers are taking advantage of the DDoS attack that hit Twitter and Facebook last week. The attack was apparently targeted at a single user of the sites, a Georgian blogger named Cyxymu. Cyxymu has used the sites to speak out against the 2008 war between Russia and his country.

Hackers are using the high profile nature of the attack to spread scareware. They are poisoning search engine results so that people searching using the keyword Cyxymu will be given results that redirect to malicious sites that push rogue anti-virus programs.


Zbot Trojan is Harvesting FTP Credentials From Major Websites

Written by Sue Walsh on July 2, 2009

A British security vendor has discovered that the ZBot Trojan has harvested the FTP credentials of over 68,000 websites, including Bank of America, the BBC, Amazon, Cisco, Monster.com and most of the major anti-spam software makers. The credentials could allow hackers to compromise legitimate sites with malicious code and drive-by downloads.

To make matters worse, the list of FTP credentials is stored on a server in China in plain text, making it available to anyone who stops by. Experts say they were all stolen within the past two weeks and most are still valid.

The ZBot Trojan has also been spotted in several email attacks masquerading as everything from a ticket confirmation from Delta Airlines to a critical update for Microsoft Outlook. If downloaded it steals personal information using a keylogger.

It’s crucial to make sure any unused FTP credentials on your website are disabled and that active ones have their passwords changed regularly. As we saw recently when hundreds of government sites in the UK were compromised and redirected visitors to internet pharmacies selling Viagra or porn sites, hackers are eager to infect legit sites. If they hit yours it could be a real nightmare for you and your customers, so stay alert and keep an eye on your servers and FTP logins!

T-Mobile Denies Alleged Data Breach

Written by Sue Walsh on June 11, 2009

A message posted on a security forum raised concerns of a possible data breach at T-Mobile, but the company says it never happened. A group claiming to have hacked the cellular service provider said it had a massive amount of stolen information and was offering it for sale.

“We have everything — their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009,” read the message on the Full Disclosure message board. “We are offering them for the highest bidder.”

To prove their claim they showed information related to the company’s operating systems, IP addresses, and software vendors. It’s not yet certain whether the message is telling the truth. Full Disclosure claims that the majority of the posts made on its site are hot air, and T-Mobile seems to concur:

“Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers’ information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible,” said a company spokesperson.

Interestingly, no one seems to be able to contact the hackers who are offering the stolen data for sale. Emails sent to them by reporters received no response.

UCSB researchers hijack a botnet

Written by Dan Blacharski on May 6, 2009

University of California Santa Barbara researchers gave us a rare look inside of a botnet, when they recently took control of the Torpig botnet for a period of ten days and observed its malicious dealings. According to a report on Ars Technica, the researchers observed the botnet stealing 56,000 passwords in a single hour. During the ten days when UCSB’s researchers had access to the botnet’s innards, 300,000 unique login credentials were gathered.

In addition to seeing what type of information the botnet collects and how, researchers also got a good look at victim vulnerabilities and weaknesses that could have been prevented. Twenty-eight percent of the victims reuse credentials across multiple web sites, which researchers speculate makes it easier for attackers to gather more information on victims. This may be true, although using the same password for multiple non-essential sites isn’t necessarily bad, as long as you don’t use the same password for your bank account. It’s common for some people to be members of dozens of informational web sites which require password access, although for the most part these don’t hold any sensitive information. Ars also notes that Torpig gathered hundreds of email, forum, and chat messages, a reminder that it is never safe to give somebody sensitive information, account numbers, or passwords over instant message. What’s more shocking is that during the ten-day period, Torpig gathered credentials for 8,310 accounts at 410 financial institutions. Forty percent of those credentials were stolen from browser password managers instead of from actual login sessions. Researchers say that many of the thefts were the result of weak passwords.

The report also highlighted an interesting phenomenon it calls “Botnets-as-a-service”, suggesting that multiple groups are actually profiting from the stolen data and that Torpig operates as a malware service. But the biggest conclusion that researchers drew is not surprising at all: “the malware problem is fundamentally a cultural problem,” reinforcing the need not just for good anti-malware technology, but also for better education as to proper use and common-sense precautions.

Meet the New Top Botnets

Written by Sue Walsh on April 24, 2009

Security researchers at TRACELabs have found that the top botnets on the net today are Rustock and Xarvester. Rustock, which was temporarily laid low by the shutdown of the spammer-friendly McColo, has returned with a roar and is now sending out 25,000 spam messages an hour, or 600,000 a day. This still pales in comparison with the Srizbi botnet, which never returned to its former glory after McColo shut down. At its peak it was capable of sending 60 billion spam messages a day.

Sharing the top spot is the Xarvester botnet, which rose from the ruins of Srizbi and also sends out 25,000 spam messages an hour. Mega-D, a former giant, brings up the rear with 15,000 spam messages a day. Interestingly, Waledac, the botnet behind Conficker, is far below the top three, sending only 7,000 spam messages a day. There are a total of 9 botnets that are responsible for most of the spam on the net.

What does this all mean? Well it proves that as far as spammers are concerned, where there’s a will there’s a way, and if their host is shut down, they’ll just find somewhere else to set up shop. Since there are still many countries, such as Romania and Estonia, that do little or nothing to fight cybercrime, there will always be someplace for these cybercriminals to hide. It will take a truly global effort for the war against hackers, spammers and other cybercriminals to truly become effective.