<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; phishing scam</title>
	<atom:link href="http://www.allspammedup.com/tag/phishing-scam/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Phishing Scam Targets Victims Using Better Business Bureau</title>
		<link>http://www.allspammedup.com/2012/01/phishing-scam-targets-victims-using-better-business-bureau/</link>
		<comments>http://www.allspammedup.com/2012/01/phishing-scam-targets-victims-using-better-business-bureau/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 17:00:10 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[BBB]]></category>
		<category><![CDATA[Better Business Bureau]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[Website]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6913</guid>
		<description><![CDATA[This past holiday season showed that spending in brick and mortar stores was significantly off targeted projections. People just weren’t spending as much money in the malls and department stores. However, every single study of consumer spending did show that &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2012/01/phishing-scam-targets-victims-using-better-business-bureau/">Phishing Scam Targets Victims Using Better Business Bureau</a></p>
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2012/01/BBB_7469-blue-torch.jpg"><img class="alignright size-medium wp-image-6914" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2012/01/BBB_7469-blue-torch-264x400.jpg" alt="" width="185" height="280" /></a>This past holiday season showed that spending in brick and mortar stores was significantly off targeted projections.</p>
<p>People just weren’t spending as much money in the malls and department stores.</p>
<p>However, every single study of consumer spending did show that companies with a strong online presence had a significant boost in sales this past year, including the holiday shopping season. In fact, during December alone, non-store sales rose 10.6 percent from the same time one year ago. Even automobile sales online boasted a 9.5 percent increase.</p>
<p>To make sure they can stay competitive in the online retail sector, businesses must strive to build, and at the same time maintain, a solid reputation on the Internet.</p>
<p>Of course, it was only a matter of time before spammers saw this trend as an opportunity to dupe business owners into downloading dangerous malware.</p>
<p><span id="more-6913"></span></p>
<h2>How the Scam Works</h2>
<p>Businesses are sent an email branded with the Better Business Bureau logo that reads:</p>
<blockquote><p><em>“Thank you for supporting your Better Business Bureau (BBB). Your BBB receives more than 6,500 requests for information every day and provides reliability reports to consumers 365 days a year, 24 hours a day, and 7 days a week.</em></p>
<p><em>As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.</em></p>
<p><em>We encourage you to use our ONLINE FORM to provide us with this updated information. The URL below will take you directly to this form on our website:</em></p>
<p><em>CLICK HERE</em><em> </em><em>to login to your BBB account</em></p>
<p><em>You may also complete the form on the reverse side of this letter and mail to PO Box 1000; DuPont, WA; 98327; or fax to (206)436-5496.</em></p>
<p><em>Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily. In addition, many consumers may search our database using your e-mail and/or Web address, so please be sure to include this information as well. As a BBB accredited business, you receive a free hyperlink from your online reliability report to your company Web site if provided to us.</em></p>
<p><em>Thank you again for your support, and we look forward to receiving this updated information.</em></p>
<p><em>Sincerely,</em></p>
<p><em>Accreditation Services”</em></p></blockquote>
<p>Eager to keep their information and good standing current, business owners and managers who click the link are not taken to a legitimate site hosted by the BBB. Instead, their computer downloads malware and their account credentials are compromised by the phisher.</p>
<p>Another version of the phishing scam informs the recipient of the email that a negative review of their company has been posted to the BBB site. To refute the claim, the recipient must click on the supplied URL and address the problem. Failure to do so would result in the complaint leading to a bad report being filed.</p>
<p>The URL here also directs the victim to a malicious site and can lead to account credentials being stolen.</p>
<h2>Fighting Back</h2>
<p>This newest scam is the third of its kind in the last three months targeted at business owners.</p>
<p>Businesses have been instructed, by the BBB, to contact them directly if they receive emails claiming that they have received a negative complaint or that their information is incorrect or incomplete.</p>
<p>The Better Business Bureau is also taking steps to fight the problem, enlisting the help of the FBI.</p>
<blockquote><p>&#8220;Our national organization in Arlington, Va. has been working for three months with the FBI, and I can tell you that they&#8217;ve closed down over 50 sites&#8221;, Katie Carrol, Director of Media Relations and Communications with the BBB, said.</p></blockquote>
<p>They have also asked business owners to help them fight this growing problem by contacting them at <a target="_blank" href="mailto:phishing@council.bbb.org">phishing@council.bbb.org</a> if they receive these emails, or any others like them.</p>
<p>IT departments should also be aware of this scam and take necessary precautions.</p>
<p>In-house steps that can help prevent problems related to this latest attack, as well as others, include:</p>
<ul>
<li>Keep anti-malware software up-to-date.</li>
<li>Make sure anti-spam solutions are configured correctly and up-to-date.</li>
<li>Make sure that employees are aware of this scam.</li>
<li>Put procedures in place for employees who receive this email, or other spam messages, to report it.</li>
<li>Teach employees how to better recognize spam and phishing attempts.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2012/01/phishing-scam-targets-victims-using-better-business-bureau/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>US-CERT Hooked by US-CERT Phishing Attack</title>
		<link>http://www.allspammedup.com/2012/01/us-cert-hooked-by-us-cert-phishing-attack/</link>
		<comments>http://www.allspammedup.com/2012/01/us-cert-hooked-by-us-cert-phishing-attack/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 15:00:34 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6838</guid>
		<description><![CDATA[This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2012/01/information-assurance-cyber-threat.jpg"><img class="alignright size-full wp-image-6842" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2012/01/information-assurance-cyber-threat.jpg" alt="" width="398" height="297" /></a>This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, perhaps, it’s not enough that the agency which was spoofed in the attack has reported a disruption of its own systems, but it’s also the government body responsible for identifying and mitigating just this type of thing.<span id="more-6838"></span></strong></p>
<p>On January 11, <a target="_blank" href="http://www.scmagazineuk.com/phishing-campaign-disrupts-us-cert/article/222649/">news</a> <a target="_blank" href="http://www.net-security.org/malware_news.php?id=1958">erupted</a> of a rather malicious little spoof email that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an email pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.</p>
<p>The email was sent with fake source addresses that included <strong>soc@us-cert.gov</strong>, the subject line <strong>Phishing incident report call number: PH000000XXXXXXX</strong>, and an attachment named <strong>US-CERT Operation Center Report XXXXXXX.zip</strong>, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which executes a file named <strong>US-CERT Operation CENTER Reports.eml.exe </strong>– was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.</p>
<p><strong>Oh, the Irony!</strong></p>
<p>US-CERT responded by doing what it’s supposed to do: it posted a <a target="_blank" href="http://www.us-cert.gov/current/#phishing_campaign_using_spoofed_us">bulletin</a> and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency has stated</p>
<blockquote><p>“difficulty receiving emails due to the phishing campaign”</p></blockquote>
<p>according to <a target="_blank" href="http://www.scmagazineuk.com/phishing-campaign-disrupts-us-cert/article/222649/">SC Magazine</a>. While that is a little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, it’s a forgivable fumble considering that the scam artists continue to get <a href="http://www.allspammedup.com/2011/08/phishin%E2%80%99-magicians-think-the-spammers-are-getting-smarter-you%E2%80%99re-right/">wilier</a> and more creative in their attacks.</p>
<p>In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:</p>
<p>US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:</p>
<ul>
<li>Do not open the attachments in email messages from unknown sources.</li>
<li>Install anti-virus software and keep virus signatures files up-to-date.</li>
<li>Refer to <a target="_blank" href="http://www.us-cert.gov/reading_room/emailscams_0905.pdf" target="_self">Recognizing and Avoiding Email Scams</a> (pdf) documents for more information on avoiding email scams.</li>
<li>Refer to the <a target="_blank" href="http://www.us-cert.gov/cas/tips/ST04-014.html" target="_self">Avoiding Social Engineering and Phishing Attacks</a> document for information on social engineering attacks.</li>
<li>Refer to <a target="_blank" href="http://www.us-cert.gov/cas/tips/ST05-006.html" target="_self">Recovering from Viruses, Worms, and Trojan Horses</a> document for additional information on how to recover from malware.</li>
</ul>
<p><strong>From Russia with Malice</strong></p>
<p>The story gets a little more interesting from here, when Nextgov.com <a target="_blank" href="http://cybersecurityreport.nextgov.com/2012/01/fake_us-cert_e-mails_contain_banking_virus_traced_to_russia.php">reported</a> on Wednesday that</p>
<blockquote><p>“Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.”</p></blockquote>
<p>It’s not clear why researchers <em>outside</em> of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?</p>
<p>Regarding the attack and its location, there’s clearly no love here, only malice. So why <em>was</em> an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything <em>that</em> nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.</p>
<p>It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2012/01/us-cert-hooked-by-us-cert-phishing-attack/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Bold Predictions for 2012 (Part 2)</title>
		<link>http://www.allspammedup.com/2012/01/bold-predictions-for-2012-part-2/</link>
		<comments>http://www.allspammedup.com/2012/01/bold-predictions-for-2012-part-2/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 15:00:33 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[anti spam humor]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6787</guid>
		<description><![CDATA[In Part 2 of our look at what you can expect in the coming year, faint rumblings out of Japan suggest that one prediction from Part 1 of this article has already come true. If the very real prospect of &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2012/01/2012_energy_conservation.jpg"><img class="alignright size-medium wp-image-6791" style="padding-left: 5px; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2012/01/2012_energy_conservation-400x250.jpg" alt="" width="400" height="250" /></a>In Part 2 of our look at what you can expect in the coming year, faint rumblings out of Japan suggest that one prediction from <a href="http://www.allspammedup.com/2012/01/looking-back-at-2011-and-bold-predictions-for-2012-part-1/">Part 1</a> of this article has already come true. If the very real prospect of becoming an innocent casualty of war isn’t enough to make you run backward toward the year that just passed, these bold predictions reveal how hackers will develop an even stronger sense of camaraderie, and how mobility is sure to become a four-letter word. And if you thought spamming and Internet scams made it personal in 2011, you ain’t seen nuthin’ yet.<span id="more-6787"></span></strong></p>
<p>How about that? 2012 wasn’t even seven days old when news out of Japan this week revealed some eerie premonitions of the things to come and earmarks of a bold prediction made one week ago.  <a target="_blank" href="http://www.engadget.com/2012/01/06/japan-working-on-powerful-cyber-weapon-knows-best-defense-is-a/">Engadget</a>, <a target="_blank" href="http://www.zdnet.com/news/japan-develops-malware-cyberweapon/6335855">ZD Net</a> and other media outlets are reporting that the Japanese government has been working in concert with Fujitsu since 2008 to develop a powerful ‘cyber weapon’ – a piece of software that, upon the detection of a cyber attack (such as DDoS, for example) tracks the attack back to the source.</p>
<p>Sounds pretty straightforward, right? Sure, until you consider that the software also attacks and disables every machine it finds along the trail. The goal, Engadget reports:</p>
<blockquote><p>“is to stop the spread of a malicious piece of code by finding and shutting down, not just the source, but all middleman PCs that are also now potential hosts. In some admittedly extreme scenarios this weapon could potentially spiral out of control, taking out far more computers than intended.”</p></blockquote>
<p>Hmm&#8230; Botnets are nothing more than large numbers of unsuspecting computers carrying out their attacks at the behest of the infector and ignorance of the computer’s owner. Japan’s little toy, while it sounds like it might be fun to take for a spin, could have the unpleasant and unprecedented effect of being the cause of some serious collateral damage. Casualties of war? Here’s a tip for everyone: while you still have a chance, give that fave desktop or laptop of yours a great big hug before it’s too late.</p>
<p><strong>1. Hackers of the World, Unite</strong></p>
<p>Robin Hood met Mafia Boy last year as hacktivism took center stage. Indeed, 2011 was an entertaining year for anyone who followed the exploits of <a target="_blank" href="http://techland.time.com/2011/09/28/hack-collective-anonymous-tries-journalism-with-analytics-site/">Anonymous</a> and <a target="_blank" href="http://www.allspammedup.com/2011/06/hatriot-games-sony-hacked-again-nintendo-a-wii-bit-compromised/">LulzSec</a>. The drama unfolded like a kabuki play born in the mind of Ken Kesey and brought to life by a troupe of mimes with Tourette Syndrome, and there were even a few <a href="http://techland.time.com/2011/09/23/f-b-i-busts-lulzsec-anonymous-suspects-across-u-s/">arrests</a> along the way to make this reality show really…ahem… arresting.</p>
<p><strong>Prediction</strong>: We will see some new hacking activity from these groups, with some high profile web takedowns in the process. While that’s not a stretch, this is: hacker groups like Anonymous and LulzSec will grow in size substantially, resembling an ‘occupy’ type movement that will take the war online. The civil and social unrest of 2011 will turn to face the financial behemoth that is the Internet.</p>
<p><strong>2. Mobility Means Vulnerability</strong></p>
<p>If we learned anything about spam in 2011, it’s that spam is like that proverbial bum of a brother-in-law who’s been living in your basement for the past two years. It’s not going away, good luck making it work for you, and you <em>will</em> be out-of-pocket at some point. Spammers continued to use every means at their disposal in 2011, with SMS spam becoming a real pain in the neck. Security flaws in the two most popular smartphone platforms – iOS and Android – just accented what we already suspected: that spammers and purveyors of malware had taken their show on the road.</p>
<p><strong>Prediction:</strong> 2012 will see a massive increase in mobile spam, and mobile devices will become the swords upon which we will live or die unless we get mobile security under control.</p>
<p><strong>3. It’s Nothing Personal…Well, Actually, It Is</strong></p>
<p>A significant development in spam and phishing in 2011 was the way in which the scam artists were getting <a href="http://www.allspammedup.com/2011/08/phishin%E2%80%99-magicians-think-the-spammers-are-getting-smarter-you%E2%80%99re-right/">smarter</a>; you know, smarter in much the same way that a chunk of igneous rock living at the bottom of a fetid riverbed is smarter than a rotting patch of lichen hanging for dear life to the side of an oak tree. Like it or not, the scambags are wilier, finding new and innovative ways to pick your pocket without actually residing in the same time zone.</p>
<p><strong>Prediction:</strong> The scambags will become even cleverer in their assaults, finding new methods to lull people into a false sense of security. How this will occur remains to be seen, but our bold prediction is that it will most likely involve highly targeted, multilevel campaigns where the scammer will use detailed knowledge of the targets, and multiple contact methods like email, phone, SMS and even snail mail to enact their evil schemes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2012/01/bold-predictions-for-2012-part-2/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Latest Subject of Phishing Attacks: UK Student Loans Company</title>
		<link>http://www.allspammedup.com/2011/12/latest-subject-of-phishing-attacks-uk-student-loans-company/</link>
		<comments>http://www.allspammedup.com/2011/12/latest-subject-of-phishing-attacks-uk-student-loans-company/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 15:00:33 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[phishing scam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6610</guid>
		<description><![CDATA[University students in the United Kingdom and their parents should be on the lookout for emails purporting to be from the Student Loans Company. Responsible for administering the thousands of government loans for higher education taken out by UK students &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-6611" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/12/fingerprint.jpg" alt="" width="228" height="179" /></p>
<p>University students in the United Kingdom and their parents should be on the lookout for emails purporting to be from the Student Loans Company. Responsible for administering the thousands of government loans for higher education taken out by UK students each year, the Student Loans Company recently sent out warnings to its customers about the phishing campaign.</p>
<p><span id="more-6610"></span>Like so many other phishing attacks that claim new victims daily, this attack involves emails designed to look like they are from the Student Loans Company, but of course are not actually from this agency. At no time were the Student Loans Company’s servers or data compromised or involved, but the attackers have many ways to develop lists of students with loans being serviced by the Student Loans Company. Many students’ social media settings make their email addresses available, and discussing finances is not the taboo topic amongst today’s college students that it was to their parents’ generation.</p>
<p>The emails were sent to victims advising them to update their personal details on the loan servicer’s website, and included a link to a bogus site set up to look like the Student Loans Company site. Victims who clicked on the link and entered their personal details into the phishing site were providing their personal information, including user names and passwords, to the attackers.</p>
<p>Unusual activity on student accounts may have been what enabled the company to discover that students’ accounts were compromised. The manager of Fraud Prevention and Detection, Heather Laing, was quoted as saying:</p>
<blockquote><p>“We are currently contacting a number of students by telephone who we have identified as being at risk of having their details compromised, to advise them of the necessary security steps they should follow to ensure their details are protected”.</p></blockquote>
<p>Without indicating how many students may have been impacted, the Student Loans Company is contacting all customers who may have been affected by this attack. They are also contacting all customers, reminding them of how to verify an email is from them, and reminding them that no email will ever be sent to them requesting account information.</p>
<p>This is not the first such attack to target students. Last week, the Metropolitan Police Service announced the arrest of six suspects in connection with a phishing attack targeting students back in August of this year. More than £1 million was stolen from victims’ accounts after they were fooled into entering their personal information into another bogus website. The six suspects face charges including conspiracy, money laundering, and violations of the Computer Misuse Act.</p>
<p>Readers should take a few moments now to share this story with their coworkers, family, and friends. Phishing attacks continue to plague users because they work &#8211; people are fooled into entering their confidential information into websites every day. Whether the attackers play upon victims’ fears, gullibility, or ignorance, they continue to attack users because they continue to succeed in exploiting their victims. By raising awareness, we can help others to not be victims themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/12/latest-subject-of-phishing-attacks-uk-student-loans-company/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>If Dr. Seuss Was a Spammer</title>
		<link>http://www.allspammedup.com/2011/12/if-dr-seuss-was-a-spammer/</link>
		<comments>http://www.allspammedup.com/2011/12/if-dr-seuss-was-a-spammer/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 15:00:01 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam humor]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6574</guid>
		<description><![CDATA[It’s the most wonderful time of the year, and what better way to take a look back at the year in spam than poke a little fun at the moronic state of the crap that invades our inboxes? In a &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/12/Grinch1.jpg"><img class="alignright size-full wp-image-6591" style="padding-left: 5px; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/12/Grinch1.jpg" alt="" width="264" height="275" /></a>It’s the most wonderful time of the year, and what better way to take a look back at the year in spam than poke a little fun at the moronic state of the crap that invades our inboxes? In a year that saw major security breaches, several high profile botnet takedowns, and an unprecedented surge in personalized scams and mobile spam, we stop to reflect upon it all and submit a simple postulate: what if Dr. Seuss had been a spammer?</strong></p>
<p>As the year winds down to a close, it’s only basic human nature to look back at the year that just passed and reflect upon it. In the world of spamming and Internet scams, that’s bound to be a painfully long look, since this has been a year fraught with new scams, major cybercrime busts, and unprecedented levels of security threats. With mobile devices providing the newest threat opportunities, and SMS spam picking up a head of steam as scammers get creative, we must be even more vigilant when fighting spam-related threats.</p>
<p>What’s in store for 2012? One must shudder when imagining the possibilities. If anything like 2011, next year will represent an even more dangerous landscape, cluttered with mines and booby traps the likes of which we’ve never seen.</p>
<p>Dire prophecies and doomsday mentality aside, it doesn’t hurt to poke fun at spam once in a while, and during the holidays, no one is more fun than the venerable Theodor Seuss Geisel, known to adoring children and former children alike as Dr. Seuss. Like many households, it’s a holiday tradition around here to watch <em>How the Grinch Stole Christmas!</em>, an annual ritual which inspired this writer to wonder: what if Dr. Seuss was still with us, and what if, ahem, wait for it…Dr. Seuss was a spammer?</p>
<p>The thought itself is sure to bring a smile to the face of anyone who has endured the miserable drivel that infests inboxes like brown marmorated stink bugs. Poorly written and replete with ludicrous stories that must have been contrived during bad acid trips, these emails often frustrate us, and occasionally make us smile by virtue of their sheer stupidity. What they <em>do not</em> do, however, is give us any confidence that the human race is poised to survive much longer, if this epidemic of oafishness is representative of the current state of the gene pool.</p>
<p>So without further ado, here’s a humble attempt at imagining what spam might be like, if written by Dr. Seuss:</p>
<p>&nbsp;</p>
<p><strong>The Spammer Who Stole Christmas?</strong></p>
<p>Dear stranger, forgive me for this intrusion</p>
<p>I hope my letter will ease your confusion.</p>
<p>I will not, cannot state it enough</p>
<p>This is rough stuff, even a little tough.</p>
<p>There’s a Libyan prince who lost his good fortune</p>
<p>And my offer to you is a share of the portion.</p>
<p>I cannot get the funds out of my land</p>
<p>And I hope you will aid me by lending a hand.</p>
<p>You see, there are sums in excess of millions</p>
<p>If you give me your name, I&#8217;ll give you gazillions.</p>
<p>It’s okay to give me personal information</p>
<p>They don’t extradite criminals in my tiny nation.</p>
<p>Your bank account and credit cards are essential</p>
<p>They’re only for scamming and merely referential.</p>
<p>This is for good cause, I must admit</p>
<p>Send money now and show you commit.</p>
<p>I do not wish to enter a heated debate</p>
<p>Send it fast, send it now, it cannot wait.</p>
<p>The funds are for my stately Kenyan mansion</p>
<p>It’s in great need of a major expansion.</p>
<p>&nbsp;</p>
<p><strong>Happy Holidays to all!</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/12/if-dr-seuss-was-a-spammer/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>November Phishing Roundup</title>
		<link>http://www.allspammedup.com/2011/11/november-phishing-roundup/</link>
		<comments>http://www.allspammedup.com/2011/11/november-phishing-roundup/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 15:00:30 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spear phishing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6289</guid>
		<description><![CDATA[A variety of phishing attacks are pounding the net this month. While some claim phishing may be a dying art, as long as there are people foolish enough to fall for the scams, phishers will stick around. Here&#8217;s a look &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1341" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/08/phishing-2.jpg" alt="" width="190" height="313" /></p>
<p>A variety of phishing attacks are pounding the net this month.</p>
<p>While some claim phishing may be a dying art, as long as there are people foolish enough to fall for the scams, phishers will stick around. Here&#8217;s a look at the current phishing topics making news.</p>
<p><strong>Phishing Scam Hits StubHub Users:</strong></p>
<p><strong></strong> <a target="_blank" href="http://www.ticketnews.com/news/StubHub-warns-customers-about-phishing-scam101127538">http://www.ticketnews.com/news/StubHub-warns-customers-about-phishing-scam101127538</a></p>
<p><strong>Netflix Brandjacked for Phishing Campaign:</strong></p>
<p><span style="color: #000000;"><a target="_blank" href="http://www.nbcdfw.com/news/tech/Phishing-Email-Tries-to-Net-Netflix-Customers-133659803.html">http://www.nbcdfw.com/news/tech/Phishing-Email-Tries-to-Net-Netflix-Customers-133659803.html</a></span></p>
<p><span style="color: #000000;"><strong>Spear Phishers Target Chemical and Defense Company:</strong></span></p>
<p><span style="color: #000000;"><a target="_blank" href="http://arstechnica.com/business/news/2011/11/nitro-spear-phishers-attacked-chemical-and-defense-company-rd.ars">http://arstechnica.com/business/news/2011/11/nitro-spear-phishers-attacked-chemical-and-defense-company-rd.ars</a></span></p>
<p><span style="color: #000000;"><strong>Paypal Labeled Major Phishing Risk:</strong></span></p>
<p><span style="color: #000000;"> <a target="_blank" href="http://www.spamfighter.com/News-17027-E-mail-Phishing-Threat-PayPal-Users-at-Risk.htm">http://www.spamfighter.com/News-17027-E-mail-Phishing-Threat-PayPal-Users-at-Risk.htm</a>       </span></p>
<p><strong><span style="color: #000000;">Holiday Shoppers Warned About Phishing Attacks:</span></strong></p>
<p><span style="color: #000000;"> <a target="_blank" href="http://www.gmanews.tv/story/238156/technology/holiday-shoppers-warned-vs-12-online-scams-of-christmas">http://www.gmanews.tv/story/238156/technology/holiday-shoppers-warned-vs-12-online-scams-of-christmas</a>   </span></p>
<p><span class="Apple-style-span" style="color: #000000;">Let us know about stories we missed and what you&#8217;re thinking about the stories above!      </span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/11/november-phishing-roundup/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>5 Untruths About Phishing</title>
		<link>http://www.allspammedup.com/2011/10/5-untruths-about-phishing/</link>
		<comments>http://www.allspammedup.com/2011/10/5-untruths-about-phishing/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 16:00:47 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spear phishing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5994</guid>
		<description><![CDATA[Think you know everything there is to know about phishing? Think you know how to protect yourself and your users from phishing attacks? Think again. Here are some common beliefs about phishing that just aren’t true. 1.  All phishing attacks come &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-6023" style="border-width: 0px;border-color: black;border-style: solid;margin: 10px" src="http://www.allspammedup.com/wp-content/uploads/2011/10/phishing-400x267.jpg" alt="" width="324" height="216" /></p>
<p>Think you know everything there is to know about phishing? Think you know how to protect yourself and your users from phishing attacks? Think again. Here are some <a target="_blank" href="http://gamespics.com/computers/internet-security/spam-protection/1272-top-5-myths-phishing.html">common beliefs</a> about phishing that just aren’t true.</p>
<p><strong>1.  All phishing attacks come from foreign countries.</strong> The number of so-called “Nigerian scams” that have been flooding the net may make it seem that way, but studies have shown that most phishing attacks are actually launched from the United States.</p>
<p><strong>2. My spam filter will protect me.</strong> Not true. No software solution is 100% effective and filtering phishing attacks is particularly tricky when you consider that many phishing attacks are made to look like emails from legit companies, and convincingly so. It’s difficult to program spam filters to be able to tell the difference.</p>
<p><strong>3. I’ve made sure my users are educated, so they will never click on a phishing link. </strong> Employees at government agencies and top corporations have fallen for phishing scams, so don’t rely on education as protection. Phishing attacks, especially spear phishing, are becoming more and more convincing.</p>
<p><strong>4. I never give my username and password out so I don’t have to worry.</strong> Not true. There is a great deal of malware out there designed to get this info without the user ever knowing. Keyloggers, spyware, and fake websites designed to look exactly like the real thing can all get you to hand over your information to a criminal.</p>
<p><strong>5. I’ll never fall for a phishing scam. I know how to spot them. </strong> Unfortunately, this isn’t true. Not all phishing scams involve emails.  Many involve compromising legit websites and redirecting visitors to an exact copy of their login screen. When the user logs in however, their information is sent to the scammer. Phishing schemes are getting more and more sophisticated so don’t get complacent!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/10/5-untruths-about-phishing/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>“Holy [Insert Expletive Here]! Et Tu, SSL?”</title>
		<link>http://www.allspammedup.com/2011/09/%e2%80%9choly-insert-expletive-here-et-tu-ssl%e2%80%9d/</link>
		<comments>http://www.allspammedup.com/2011/09/%e2%80%9choly-insert-expletive-here-et-tu-ssl%e2%80%9d/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 14:00:14 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5715</guid>
		<description><![CDATA[In a world where the only thing standing between us and the spammers, phishers and hackers is a little piece of tunneling security that keeps IT admins dreaming about warm and snuggly things, the idea of that security being breached &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/09/DangerWillRobinson.jpg"><img class="alignright size-full wp-image-5720" style="padding-left: 5px; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/09/DangerWillRobinson.jpg" alt="" width="286" height="362" /></a>In a world where the only thing standing between us and the spammers, phishers and hackers is a little piece of tunneling security that keeps IT admins dreaming about warm and snuggly things, the idea of that security being breached is a beastly demon no one could have envisioned. Unfortunately, the pleasant dreams are over and the BEAST is a nightmare that will rock the Internet world, and warm milk ain’t gonna fix this one, folks.<span id="more-5715"></span></strong></p>
<p>When I go to sleep at night, I do it with the comforting belief that when I awake in the morning and put my feet on the floor, there will be a floor underneath me. In much the same way, I traverse the web knowing full-well that my surfing habits, private information and transactions are snugly tucked away inside a warm blanket of encryption known as SSL/TLS. So when the floor gets yanked out from underneath my feet, you can understand how I might get a little pissed off. And that’s exactly how I felt this morning when I discovered that the floor that protected me from the creeps has begun to sway, as if I had just spent Saturday night at the pub and the floor wasn&#8217;t particularly happy about it.</p>
<p>If you want to share the experience, look no further than <em>The Register</em>, which is <a target="_blank" href="http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/">reporting</a> that at the <a target="_blank" href="http://www.allspammedup.com/My%20Documents/Work/AllSpammedUp/Stories/Ekoparty%20security%20conference">Ekoparty security conference</a> in Buenos Aires last week, researchers Thai Duong and Juliano Rizzo unveiled their work – BEAST, short for Browser Exploit Against SSL/TLS – which attacks TLS and SSL, the protocols that heretofore kept us warm at night. BEAST is a nifty piece of JavaScript that works alongside a network sniffer to decrypt user account cookies and gain access to restricted user accounts. Yes, you heard it right.</p>
<p><strong>Sing Along: It’s the End of the World as We Know it…Or is it?</strong></p>
<p>Duong and Rizzo made news last year when they unveiled a <a target="_blank" href="http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/">point-and-click tool</a> that exposes private information and executes arbitrary code. According to Duong, the BEAST demo decrypted an authentication cookie used to access a PayPal account. Attacking SSL and TLS this way is not actually a new idea, since it was <a target="_blank" href="http://www.mail-archive.com/openssl-dev@openssl.org/msg10664.html">conceived back in 2002</a>; but for years it’s been considered theoretical at best – until now, that is.</p>
<blockquote><p>Duong noted in an email published by <em>The Register</em> that “BEAST is different than most published attacks against HTTPS. While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”</p></blockquote>
<p>In case you&#8217;re wondering how many canned goods you have in the pantry, worry not: it’s not yet time to strip naked and run through the streets proclaiming the end of the world.</p>
<blockquote><p>“The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet&#8217;s foundation of trust,” <em>The Register</em> reports.</p></blockquote>
<p>It&#8217;s not all good news, though.</p>
<blockquote><p>“Although versions 1.1 and 1.2 of TLS aren&#8217;t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he&#8217;s visiting.”</p></blockquote>
<p>Furthermore, independent security analyst Trevor Perrin writes:</p>
<blockquote><p>“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection. If the attack works as quickly and widely as [Duong and Rizzo] claim, it&#8217;s a legitimate threat.”</p></blockquote>
<p><strong>Note: </strong>Those who run a web server and who may be concerned about security should modify the servers to favor the rc4-sha cipher, which is widely supported and not vulnerable to the attack unveiled by Duong and Rizzo.</p>
<p><strong>Time to Call Some People Out</strong></p>
<p>It’s being <a target="_blank" href="http://nakedsecurity.sophos.com/2011/09/24/secure-web-browsing-cracked-by-beast/">reported</a> that:</p>
<blockquote><p>“Duong and Rizzo tipped off the major browser vendors about their findings months ago but so far the only response appears to have come from the folks at Chrome. A fix for the attack is currently under test in the development version of their browser.”</p></blockquote>
<p>REALLY? Shame on you, browser makers. Not surprisingly, two days after The Register first published their article, Google released a developer version of its Chrome browser designed to thwart the attack.</p>
<p>Time to go and huddle in a corner. Now, where did I put that tin foil hat?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/09/%e2%80%9choly-insert-expletive-here-et-tu-ssl%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>September Phishing Roundup</title>
		<link>http://www.allspammedup.com/2011/09/september-phishing-roundup/</link>
		<comments>http://www.allspammedup.com/2011/09/september-phishing-roundup/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 14:00:47 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spear phishing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5713</guid>
		<description><![CDATA[Phishing scams are more popular than ever. Here’s a look at the latest phishing news for September: 1. Romanian Authorities Cracking Down on Phishing 2. Mitsubishi Hit By Spear Phishing Attack 3. Over 400 Go Daddy Sites Pummeled by Phishers 4. Melbourne Bank’s Twitter &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-5761" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="phishing" src="http://www.allspammedup.com/wp-content/uploads/2011/09/phishing-272x400.jpg" alt="" width="218" height="320" /></p>
<p>Phishing scams are more popular than ever. Here’s a look at the latest phishing news for September:</p>
<p><strong>1. <a target="_blank" href="http://www.pcworld.com/businesscenter/article/240606/romanias_anticybercrime_efforts_lack_a_social_component.html">Romanian Authorities Cracking Down on Phishing</a></strong></p>
<p><strong>2. <a target="_blank" href="http://www.eweek.com/c/a/Security/Mitsubishi-Heavy-Network-Most-Likey-Compromised-by-SpearPhishing-Attack-335314/">Mitsubishi Hit By Spear Phishing Attack</a></strong></p>
<p><strong>3. <a target="_blank" href="http://www.eweek.com/c/a/Security/GoDaddy-Attack-Started-With-SpearPhishing-194275/">Over 400 Go Daddy Sites Pummeled by Phishers</a></strong></p>
<p><strong>4. <a target="_blank" href="http://www.thetechherald.com/article.php/201138/7633/Report-Bank-of-Melbourne-s-Twitter-feed-used-for-Phishing">Melbourne Bank’s Twitter Feed Hijacked By Phishers</a></strong></p>
<p><strong>5. <a target="_blank" href="http://www.udel.edu/udaily/2012/sep/phishing-scam-092311.html">New Phishing Scam Targets University of Delaware Students</a></strong></p>
<p>If you know of a story we missed or have something to say about one of the above, leave a comment and let us know what’s on your mind!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/09/september-phishing-roundup/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>MobileMe Users Beware &#8211; Now the Phishers Are out to Get You</title>
		<link>http://www.allspammedup.com/2011/09/mobileme-users-beware-now-the-phishers-are-out-to-get-you/</link>
		<comments>http://www.allspammedup.com/2011/09/mobileme-users-beware-now-the-phishers-are-out-to-get-you/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 14:00:49 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[phishing scam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5519</guid>
		<description><![CDATA[MobileMe users beware, spear phishers hoping to capitalize on the hype around Apple’s imminent release of its iCloud service are starting to target people on Apple’s current service hoping to transition to the new offering. Apple has already announced that &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/09/apple-icloud.jpg"><img class="alignright size-medium wp-image-5522" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/09/apple-icloud-400x347.jpg" alt="" width="159" height="135" /></a>MobileMe users beware, spear phishers hoping to capitalize on the hype around Apple’s imminent release of its iCloud service are starting to target people on Apple’s current service hoping to transition to the new offering. Apple has already announced that they will be converting current MobileMe users to the new iCloud service, and the email is designed to trick users into believing it is an official communication from the MobileMe team.</p>
<p><span id="more-5519"></span>The phishing email text is, like so many, full of typos and grammatical errors. You’d think these criminal masterminds could afford to hire a desperate student (preferably an English major) to proofread their messages before sending them out. Here is the text in the current run of messages:</p>
<blockquote><p>&nbsp;</p>
<p>Dear MobileMe member,<br />
Please sign up for iCloud and click the submit botton, you&#8217;ll be able to keep your old email address and move your mail, contacts, calendars, and bookmarks to the new service.<br />
Your subscription will be automatically extended through July 31, 2012, at no additional charge.<br />
AfterThat date, MobileMe will no longer be available.<br />
Click here to update iCLOUD (link removed)<br />
Sincerely,The Apple store Team</p></blockquote>
<p>The phishing email has many of the tell-tale signs that most spam and phishing messages carry, but it looks good enough to fool some people I’m sure, especially since it includes classic social hacking tricks like offering the user something extra at no charge if they act soon. However, the spelling errors and the strange capitalization of words, like <em>iCLOUD</em> instead of iCloud, should jump out at most people. A couple of more subtle indicators: it is signed by <em>The Apple store Team</em>, which is capitalized strangely and is also a team that is completely separate from the iCloud and MobileMe teams. The email also comes from <a target="_blank" href="mailto:no-reply@iCLOUD.com">no-reply@iCLOUD.com</a>, which not only carries the strange capitalization, but is not an official email domain for Apple. That, unfortunately, is not something most people would know, and as marketing departments try to establish more brands, it becomes increasingly hard to use as an acid test.</p>
<p>The link in the email, if clicked, takes the user to a webpage that looks eerily like an iTunes Store page, where the user is prompted to update their credit card details, and to enter their iTunes Store username and password. I won’t link to the page here, but if you have ever shopped with Apple, the page is very convincing as long as you don’t worry about the fact that the page is not an apple.com URL and isn’t secured using HTTPS. They may not have hired an English major, but they got a pretty good web designer on their team.</p>
<p>In addition to making sure your users are aware of this scam, use this message to help go over the tell-tale signs of a fake message. These are more what you’d call guidelines than actual rules, but they are a good start for most:</p>
<ul>
<li>Spelling errors</li>
<li>Grammatical errors</li>
<li>Non-standard punctuation</li>
<li>Links that go to unusual domains</li>
</ul>
<p>Make sure users know that if they have any doubts, they can always go to the company’s website by typing in the URL manually, and searching for any promotion if the link isn’t featured prominently on the website. Remind your users that it really is better to be safe than sorry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/09/mobileme-users-beware-now-the-phishers-are-out-to-get-you/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Sanford Wallace Back in Court: A Win For Spam Fighters?</title>
		<link>http://www.allspammedup.com/2011/08/sanford-wallace-back-in-court-a-win-for-spam-fighters/</link>
		<comments>http://www.allspammedup.com/2011/08/sanford-wallace-back-in-court-a-win-for-spam-fighters/#comments</comments>
		<pubDate>Wed, 10 Aug 2011 15:33:45 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[CAN-SPAM Act]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Federal Bureau of Investigation]]></category>
		<category><![CDATA[Las Vegas Nevada]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[San Jose California]]></category>
		<category><![CDATA[Sanford Wallace]]></category>
		<category><![CDATA[social network]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5204</guid>
		<description><![CDATA[Proud of his spamming techniques, Sanford “Spamford” Wallace proclaimed himself the Spam King. This arrogance about his business practices probably won’t win him any friends as he faces 11 new counts &#8211; six for electronic mail fraud, three for intentional &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/08/SanfordWallace0.jpg"><img class="alignright size-medium wp-image-5227" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/08/SanfordWallace0-400x279.jpg" alt="Sanford Wallace, The King Of Spam" width="400" height="279" /></a>Proud of his spamming techniques, Sanford “Spamford” Wallace proclaimed himself the Spam King.</p>
<p>This arrogance about his business practices probably won’t win him any friends as he faces 11 new counts &#8211; six for electronic mail fraud, three for intentional damage to a protected computer and two for criminal contempt. All of which he pleaded not guilty to in his most recent court appearance on August 4, 2011. If found guilty of these charges, Spamford faces up to 40 years in prison and up to a 2 million dollar fine.<span id="more-5204"></span></p>
<p>The charges stem from Wallace compromising roughly 500,000 Facebook accounts between November 2008 and March 2009 and using them to send over 27 million spam messages to other users.</p>
<p>And just how did he manage to capture this many accounts? By sending phishing messages out on compromised accounts he was able to trick more victims into giving up their user information. These accounts would also be used to capture more compromised accounts to send out even more spam.</p>
<p>Released on a 100,000 dollar bond, Sanford is due back in court August 22. Of course these charges haven’t prevented him from creating a Google+ account to take the place of his court ordered ban from accessing Facebook or MySpace.</p>
<h2>Didn&#8217;t reports say spam levels are at an all time low?</h2>
<p>Stories like these often get buried by stories with a bit more flair. That is unfortunate because if more people were to read up on this story it could be a significant weapon in the fight against spam. Need a bit more explanation?</p>
<p>Other recent spam related news boasts on how spam is on the decline. When the public hears this, they immediately look for a new boogey man to worry about. I have written quite a few posts here explaining why I think that thinking we have won in the fight against spam is dangerous. Sanford Wallace’s recent indictment proves that.</p>
<p>Spam levels may be down when it comes to email spam, but as we all know this is only one way spammers are able to make money. As the playing field shifts, so will their tactics.</p>
<p>And should we let our guard down and think less of protecting our inboxes, rest assured, they will pounce back to using email more frequently.</p>
<p>The story of Sanford Wallace should be used to show people that the threat of spam remains, regardless of reports that it is fading away.</p>
<h2>Are people still that oblivious?</h2>
<p>Something else that we can use in the fight against spam is the knowledge that people are still willing to give up their account credentials without question.</p>
<p>Wallace was able to con half a million users out of their passwords. Granted, it is a drop in the bucket when you consider Facebook has over 700 million users. But still, that number represents a large number of people who trust things on the Internet far too easily.</p>
<p>According to the Internet World Statistics site there are 2,095,006,005 Internet users worldwide. If just over 7 percent of Facebook users were willing to fork over their credentials to a phishing attack, then 149,583,429 people could logically fall for a similar con.</p>
<h2>There is still money to be made</h2>
<p>Wallace had formally retired from the spam business in 1998 but has since been linked to pop-up advertising and scareware scams before jumping back into the game.</p>
<p>In 2004 he was ordered to pay over 5 million dollars in fines for his SmartBOT marketing scam and in 2008 he was ordered to pay 230 million dollars in fines for a later spam campaign using MySpace. In 2009, a judge ordered him to pay 711 million dollars to Facebook for compromising their servers. The order also prevented him from accessing Facebook.</p>
<p>This didn’t stop the Spam King from trying his hand at sending spam via the world’s largest social network again, creating the account called &#8220;David Sinful—Saturdays Fredericks”. Why? Obviously because there is still money to be made if your job is to send spam.</p>
<p>So spam fighters, users and curious onlookers beware. If nothing else, the tale of Sanford Wallace shows us that spam is still a problem we face every time we access any communication device. Be it our email, cell phone, mobile device or social network.</p>
<p>So will spam ever stop? Not as long as there is enough money to be made allowing you to pay close to a billion dollars in fines. But it can be controlled.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/08/sanford-wallace-back-in-court-a-win-for-spam-fighters/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Bigger is Better: Why Your Pocket is Filled with Spammy Goodness</title>
		<link>http://www.allspammedup.com/2011/08/bigger-is-better-why-your-pocket-is-filled-with-spammy-goodness/</link>
		<comments>http://www.allspammedup.com/2011/08/bigger-is-better-why-your-pocket-is-filled-with-spammy-goodness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:00:54 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spam emails]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5160</guid>
		<description><![CDATA[In the good ol’ days, our most worrisome concerns when it came to technology were Operating Systems that didn’t do much: fiddling with Winsock while trying to make it work with insipid browsers, popups, Trojans, and yes, even praying that &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/08/mobile_spam.jpg"><img class="alignright size-medium wp-image-5163" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/08/mobile_spam-400x300.jpg" alt="" width="400" height="300" /></a>In the good ol’ days, our most worrisome concerns when it came to technology were Operating Systems that didn’t do much: fiddling with Winsock while trying to make it work with insipid browsers, popups, Trojans, and yes, even praying that the call waiting didn’t kick in while we downloaded the latest DOOM 2 map. Making a sandwich while we waited for 5 Megabytes to download over a wired phone line now seems like nostalgia in its fondest form, and some computer purists would argue that we had it good back then.<span id="more-5160"></span></p>
<p>The purists may suggest that we should never have made things smaller. They might even postulate that the age of innocence is over, and they would probably be right; but a new age is just beginning, and the dinosaur-sized PC that sits on your desk is now just that: a dinosaur. The ‘Big Ol’ Beast,’ as I like to call mine, sits there and stares at me sometimes, seemingly pleading with me: “pay attention to me!” “Use me!” it begs. “Bigger <em>is</em> better!” it pouts.</p>
<p>I just chuckle and <em>Swype</em> my finger across a shimmering sheet of Gorilla Glass, giggling like a school girl when a word is transposed into the message I’m composing, without my finger ever leaving the virtual keyboard.  Holding a fully functional computer in the palm of my hand is surreal and downright unbelievable, especially when I think about my first computer, an Atari 400 with a flat membrane keyboard, 4 Kilobytes of RAM, and the ability to display a whopping 256 different colors onscreen simultaneously. The wonderment I felt while pounding out (literally – you had to press hard on those keys) games in Atari BASIC seems like only yesterday, but the tech world is a time machine and I’ve been transported into the 21st century – where smaller is better, and just when you thought it was safe to download that new Sudoku game for your shiny new mobile device, you should think again. For as our tech gets smaller, so too does the world we live in.</p>
<p><strong>“Mr. Data – Engage”</strong></p>
<p>Allow me to dispense with a formality: it is Android of which I speak. I’m not going to get into a lengthy debate here, but I’m dismissing the iPhone and iOS from this discussion. While there are many millions who would vehemently disagree with me, I believe the Android OS, and the phones that support it, to be vastly superior to Apple’s offerings &#8211; and it appears there are <a target="_blank" href="http://www.infoworld.com/d/mobilize/android-becomes-best-selling-smartphone-os-917">many millions</a> who would agree with me. As a developer who strongly believes in sharing over hoarding, I’m an open-source guy and always have been.</p>
<p>The problem with open-source is that while it promotes the highly admirable philosophies of collaboration, sharing, and (often) freeness, it also sends a message to the lowlifes and scum of the earth. You know the types: those who will scam little old grandmothers out of their life savings. The despicable cross-section of society that often makes me ashamed to admit I’m part of that society. The scammers and spammers – the pond-scum phishermen, as I like to call them.</p>
<p><strong>Security Breach</strong></p>
<p>Herein lies part of the problem: society just can’t turn down something that’s free. If the Android OS has one significant problem, it’s that its open-source nature allows anybody to put free or advertising-supported content on the Android Market. It’s no secret that Google has had their share of <a target="_blank" href="http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/">problems</a> with previously valid applications being reupped to the Market, replete with all sorts of security exploits. And while it seemed strange to me to install a firewall and antivirus software on my phone, in my mind it was a pure necessity and the first thing I did when I set up my phone. (<strong>Note:</strong> this is where I tip my hat to Apple’s closed, often oppressive, approach to its marketplace. Oppressive or not, I never sensed a security threat to my iPhone).</p>
<p><strong>Spam Magnet</strong></p>
<p>That device in your pocket is infinitely more dangerous than anything you ever plugged a keyboard and mouse into. The open-source feeling and the sense that you’re holding a teeny-tiny little PC in the palm of your hand provides a false sense of security, one that turns your phone into a spam magnet. It’s easy to forget, especially if you’re not an IT professional, that not all spam filters are created equal. Indeed, the very nature of mobile devices means we use them on the go, making that device in your pocket a spam attack waiting to happen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/08/bigger-is-better-why-your-pocket-is-filled-with-spammy-goodness/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Common Spam Myths</title>
		<link>http://www.allspammedup.com/2011/07/common-spam-myths/</link>
		<comments>http://www.allspammedup.com/2011/07/common-spam-myths/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 16:00:32 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[CAN-SPAM Act]]></category>
		<category><![CDATA[E-mail]]></category>
		<category><![CDATA[E-mail filtering]]></category>
		<category><![CDATA[Gmail]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5062</guid>
		<description><![CDATA[We tend to look at mythology in terms of fascinating stories from ancient times that told stories of heroes, deities and maidens. While we pass classical mythology off as literature, we often forget that long ago, these stories were believed &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/odysseus-trojanhorse.jpg"><img class="alignright size-medium wp-image-5092" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/odysseus-trojanhorse-400x266.jpg" alt="Spam has its own myths" width="280" height="186" /></a>We tend to look at mythology in terms of fascinating stories from ancient times that told stories of heroes, deities and maidens. While we pass classical mythology off as literature, we often forget that long ago, these stories were believed to be true. They answered many questions for people to explain things that they did not quite understand and to insinuate that these stories were false could easily get a person labeled as a blasphemer.</p>
<p>Myths pervade every society and ours is no different. There are things that we hear, or read on the Internet, that we take as gospel truth because we fail to understand the truth behind the statements.</p>
<p>When it comes to spam, there are many different myths that surround it. None so epic as people flying too close to the sun or men fighting Cyclops on their way home from a faraway land; however, they are stories that shouldn’t be trusted nonetheless.<span id="more-5062"></span></p>
<p><strong>Myth 1 – If I include an unsubscribe link, I am not a spammer.</strong></p>
<p>If you send unsolicited marketing messages indiscriminately, you will be considered a spammer. Including an unsubscribe link is only one of the requirements that marketers must meet to be compliant with CAN-SPAM Act laws. Simply placing a link, and even honoring unsubscribe requests, will not help you shed the label of spammer.</p>
<p>To legitimately send bulk marketing messages, your recipients need to opt-in to receive messages from you. A double opt-in process is actually considered a best practice here so that people can confirm that they want to hear from you.</p>
<p><strong>Myth 2 – Anti-spam software or appliance will stop phishing attacks.</strong></p>
<p>While phishers use methods similar to those of spammers, the differences between the two are quite complex. Enough so that traditional spam filters have a hard time catching phishers who know what they are doing. Since phishing attacks are more sophisticated and targeted rather than random, anti-spam filters have a hard time finding these attacks.</p>
<p>Most quality anti-spam filters, both software and hardware based, include some type of anti-phishing engine that protects users against these attacks. Installing, and properly managing, anti-phishing technology can help prevent users from falling victim to these scams.</p>
<p><strong>Myth 3 – If I click on unsubscribe, I won’t get any more spam.</strong></p>
<p>When a legitimate marketer sends you a message and you unsubscribe, odds are they will remove you from their list. But remember, spammers aren’t legitimate marketers. And if they cared about CAN-SPAM they wouldn’t be sending you junk messages in the first place. What happens when you click unsubscribe is that the spammer realizes that they have an active email address. Knowing this, they will send you more spam. Worse than this, these links sometimes take you to a malicious website where malware will infect your computer so now you have something worse to deal with.</p>
<p>Only click on unsubscribe links from mailers that you know you subscribed to. Everything else you should add to your spam box and simply delete it.</p>
<p><strong>Myth 4 – Spam is an email problem.</strong></p>
<p>When we think of spam we tend to think of email messages offering pharmaceuticals, European lottery winnings or promises of instant riches from a Nigerian prince. But spam keeps up with technology and as we use more and more tools to communicate, spammers have more tools at their disposal to get their messages out. Text messaging, search engines, social networks and blog comments are just some of the newer targets for spammers.</p>
<p>Using appropriate spam fighting techniques for the various ways spam is sent can be a big factor in reducing the amount of junk messages you are sent.</p>
<p><strong>Myth 5 – Educating users is the best way to fight spam.</strong></p>
<p>Even the most technology-wise user will still be sent spam. Once a spammer has a way to contact them, efforts will be made to send them spam. While educated users are less likely to fall for the scams and lofty promises of spam, they are still the recipients of these messages. All it takes is one slip up and they could easily find themselves infected with malware or falling victim to illicit claims.</p>
<p>Education is a key component of any spam fighting strategy but it needs to be complemented with trustworthy anti-spam, anti-phishing and anti-malware technologies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/common-spam-myths/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Recent Developments in the Fight against Spam</title>
		<link>http://www.allspammedup.com/2011/07/5-recent-developments-in-the-fight-against-spam/</link>
		<comments>http://www.allspammedup.com/2011/07/5-recent-developments-in-the-fight-against-spam/#comments</comments>
		<pubDate>Fri, 22 Jul 2011 14:00:22 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4995</guid>
		<description><![CDATA[The fight against spam is constantly changing.  In order to make sense of the ceaseless war against the annoying and time-draining malice of spam, it is important that we keep ourselves updated on recent developments as well as related news.  &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/News.jpg"><img class="alignright size-medium wp-image-5045" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="News" src="http://www.allspammedup.com/wp-content/uploads/2011/07/News-400x300.jpg" alt="" width="400" height="300" /></a>The fight against spam is constantly changing.  In order to make sense of the ceaseless war against the annoying and time-draining malice of spam, it is important that we keep ourselves updated on recent developments as well as related news.  Doing so will serve to help administrators better understand the motivations and strategies used by spammers.<span id="more-4995"></span></p>
<p>I&#8217;ve put together five recent developments in the fight against spam below:</p>
<p><strong>1. Google Voice tweaks spam filtering</strong></p>
<p>While we don&#8217;t write much about the problem of voice spam, it is gratifying to read that Google Voice has recently <a target="_blank" href="http://www.pcmag.com/article2/0,2817,2388416,00.asp">tweaked its blocking system</a> so that spam callers can be flagged as such &#8211; and the results percolated to other users.  Like a regular spam filter, numbers that are wrongly identified as spam can be unblocked by selecting and clicking on the &#8220;Not Spam&#8221; button in the spam folder.  Otherwise, calls, text messages and voicemails from numbers flagged as spam will be automatically redirected into the spam folder.</p>
<p><strong>2. Use of emails as malware vector</strong></p>
<p>As noted by colleague Jamie Campbell in the article <a href="http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/">Spam Reduced, Targeted Attacks on the Rise</a>, criminals are making use of emails as a way to conduct security attacks against businesses and governments.  While it can be argued that malware falls outside the immediate jurisdiction of the spam administrator, I have always argued that a reduction in spam is relevant &#8211; given how fewer spam messages means employees can devote more time and attention to filtering out spear phishing emails.  This is one of the key reasons why I believe <a href="http://www.allspammedup.com/2011/07/spam-filtering-tech-relevant-despite-rise-of-spear-phishing/">spam filtering will remain relevant despite the rise of spear phishing attacks</a>.</p>
<p><strong>3. Inadvertent spam</strong></p>
<p>Google inadvertently sent out a massive wave of notification messages when its recently-launched Google+ social network tripped over the rather mundane problem of insufficient storage space.  As <a target="_blank" href="http://www.searchenginejournal.com/google-sends-massive-waves-of-spam-to-users/31105/">reported</a> by <em>Search Engine Journal</em>, some users complained of &#8220;as many as 50 duplicate notifications for a single on-site action.&#8221;  While not common, this is a reminder that it is entirely possible for malfunctioning appliances or bugs in legitimate software to unwittingly generate spam.  Although it is not a regular occurrence, the effects can be damaging given how many of us configure our smartphones to receive these days.  As such, it is probably a good idea to configure a filter that will automatically kick in when multiple copies of the same email messages are received consecutively.  My colleague Ed Fisher wrote more about the brief spam storm from Google+, which you can read about <a href="http://www.allspammedup.com/2011/07/google-growing-pains-include-brief-spam-storm/">here</a>.</p>
<p><strong>4. Phishing is big bucks </strong></p>
<p>As reported on <em>SPAMfighter News</em>, three men were <a target="_blank" href="http://www.spamfighter.com/News-16463-Three-Phishers-Sentenced-to-Prison-Over-3m-Pounds-worth-Scam.htm">arrested for defrauding bank clients</a> in Britain and Ireland of a staggering three million pounds via phishing.  The three Nigerian fraudsters sent out spam emails to entice users into visiting fake websites that were crafted to be indistinguishable from the authentic ones.  Once hooked into visiting the fake links, these unsuspecting victims were tricked into surrendering their private information, which was subsequently used to perform illegal bank transfers or credit card payments.  When arrested, the three men were found to <a target="_blank" href="http://www.spamnews.com/The-News/Latest/Three-Phishers-Sentenced-to-Prison-Over-3m-Pounds-worth-Scam-2011071814838/">possess more than ten thousand credit and debit card numbers</a> as well as details of numerous bank accounts.  If anything, this case serves as a somber reminder that there are scammers actively engaged in phishing attempts; real money is being swiped from users tricked into releasing their credit card and banking data.</p>
<p><strong>5. How scammers manipulate the credit card system</strong></p>
<p>Researchers from the University of California infiltrated three rogue scareware (fake antivirus) affiliate networks in a bid to expose how they work.  What the two-year study discovered is a trio of thriving businesses generating combined revenues estimated at more than $130 million.  What most of us do not realize is how both scareware rackets and spammers have to go through banks in order to process credit card payments.  The study noted how these fake antivirus companies are &#8220;actively monitoring the chargebacks that customers demand from their credit card providers.&#8221;  At times when chargebacks increase within short periods of time, these swindlers react quickly by granting more refunds to help ensure they do not earn the ire of payment processors and credit card companies.  You can read more about it <a target="_blank" href="http://www.theregister.co.uk/2011/07/11/scareware_economics/">here</a>.</p>
<p>Have you come across new developments on the spam front which are not mentioned above?  Feel free to chip in with a comment below, or drop me an <a target="_blank" href="mailto:paulmah@gmail.com?subject=New%20Spam%20Development">email</a> and I&#8217;ll be sure to include it in my next article.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/5-recent-developments-in-the-fight-against-spam/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Spam Filtering Tech Relevant Despite Rise of Spear Phishing</title>
		<link>http://www.allspammedup.com/2011/07/spam-filtering-tech-relevant-despite-rise-of-spear-phishing/</link>
		<comments>http://www.allspammedup.com/2011/07/spam-filtering-tech-relevant-despite-rise-of-spear-phishing/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 16:30:08 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4852</guid>
		<description><![CDATA[Spear phishing has once again appeared in the news, with reports emerging that cyber-criminals are abandoning &#8220;traditional&#8221; large-scale spamming runs in favor of more profitable spear phishing campaigns.  The heart of the issue has to do with the low conversion &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/no-spam.jpg"><img class="alignright size-medium wp-image-4944" style="margin: 10px; border: 0px solid black;" title="no spam" src="http://www.allspammedup.com/wp-content/uploads/2011/07/no-spam-400x300.jpg" alt="" width="400" height="300" /></a>Spear phishing has once again appeared in the news, with reports emerging that cyber-criminals are abandoning &#8220;traditional&#8221; large-scale spamming runs in favor of more profitable spear phishing campaigns.  The heart of the issue has to do with the low conversion rate derived from spam messages that spammers are experiencing.  Another reason cited for spammers moving away from large-scale spamming is the recent decapitation of prominent botnets such as <a href="http://www.allspammedup.com/2011/03/microsoft-brings-rustock-down/">Rustock by Microsoft</a>, a pertinent point considering the central role <a href="http://www.allspammedup.com/2011/07/why-the-spam-threat-will-only-get-bigger/">of modern botnets to spam campaigns</a>.<span id="more-4852"></span></p>
<p>Quoting from a new study, <em>eWeek </em><a target="_blank" href="http://www.eweek.com/c/a/Security/Spear-Phishing-More-Profitable-than-Mass-Spam-for-CyberCriminals-686109/">noted that</a>:</p>
<blockquote><p>&#8220;Worldwide revenues of high volume spamming decreased from $1.1 billion in June 2010 and $300 million in June 2011, or a drop of two-thirds. In comparison, revenues for targeted attacks quadrupled from $50 million to $200 million over the same time period.&#8221;</p></blockquote>
<p><strong>So what&#8217;s happening here?</strong></p>
<p>The article pointed to the difficulty of protecting against spear phishing attacks, a point that I concede.  However, one important observation is that while spear phishing by definition suggests a degree of customization, there is no current evidence that the widespread sending of unique messages is happening.  Aside from cases involving attempts to <a href="http://www.allspammedup.com/2011/04/recent-cyber-crimes-involving-spear-phishing-and-emails/">breach specific company networks</a>, what scammers appear to be doing at the moment is simply fine-tuning spam techniques to autonomously send messages to dozens or hundreds of targets.</p>
<p>For example, the education institution where I lecture has received at least two or three such attempts over the past few months.  Purporting to be from the school IT department, a number of campus-wide emails were sent out that cited various official-sounding activities such as &#8220;Clearing of email space&#8221; to &#8220;Removing of redundant accounts.&#8221;  The correct terms and designations gleaned from information obtainable from the education institution&#8217;s website were liberally used in order to lure readers into responding with their usernames and passwords.</p>
<p><strong>The death of spam filters?  Hardly</strong></p>
<p>So is investing in anti-spam technology akin to throwing good money away?  My personal opinion is no; spam filtering technologies continue to be relevant today.  Recent research concluded that <a href="http://www.allspammedup.com/2011/04/heavy-email-users-more-susceptible-to-phishing-scams/">heavy email users are more susceptible to phishing scams</a>.  The logic here is inescapable: Eliminating as much of the &#8220;obvious&#8221; spam as possible means fewer items that a user is forced to sieve through when working via their inbox.  This translates into a correspondingly lower likelihood of them falling for phishing attempts.</p>
<p>As mentioned earlier, aside from emails customized for individuals within a company, the majority of phishing emails today are automated and hence retain their &#8220;spammy&#8221; nature.  This means that the bulk of such messages can still be identified and stopped using tools designed to stop spam messages.  Moreover, while there is no doubt that phishing emails are gradually increasing in volume and in terms of monetary losses incurred, &#8220;traditional&#8221; spam remains a bug-bear that continues to plague all email users.  For instance, I personally average about 60 spam emails per day &#8211; and would be left flustered (and more unproductive) without the existence of good spam filters.</p>
<p>And I&#8217;ve not even factored in more sophisticated vectors such as <a href="http://www.allspammedup.com/2011/05/spam-leveraged-in-attack-against-dns-infrastructure/">leveraging spam in attack against DNS infrastructure</a>, or mistakes such as when Google inadvertently sent a &#8220;massive amount of notification email messages&#8221; from its Google+ service after a service ran out of disk space.</p>
<p><strong>Higher quality spam coming up</strong></p>
<p>Of course, one effect of lesser takings can only be that spammers at the lower end of the profitability spectrum are pushed out of the game.  This appears to dovetail with the assertion in the same report about how worldwide spam volumes have dropped 80% to just 300 billion spam messages a day &#8211; from a staggering 40 billion spam a day in the past.  Yet a fixation on the absolute spam volume can only divert our attention from the higher quality spam headed for inboxes.  After all, users are known to be tricked about the legitimacy of an email and recover it from the spam folder.</p>
<p>Finally, the rise of phishing messages does mean that traditional ways of manually filtering and identifying such spam may not necessarily work.  And given a recent large-scale study that pointed to <a target="_blank" href="http://www.itbusinessedge.com/cm/blogs/mah/new-survey-reveals-misconceptions-about-security-measures/?cs=47623">outdated notions of security measures</a>, it is clear that training users to identify the latest spam and phishing techniques is no longer an optional task.</p>
<p>In the final analysis, my take is that <a href="http://www.allspammedup.com/2011/06/why-spam-is-here-to-stay/">spam is here to stay</a>.  So how are you protecting yourself and your organization?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/spam-filtering-tech-relevant-despite-rise-of-spear-phishing/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>11 Year Sentence for Phishing Scam Ringleader</title>
		<link>http://www.allspammedup.com/2011/07/eleven-year-sentence-for-phishing-scam-ringleader/</link>
		<comments>http://www.allspammedup.com/2011/07/eleven-year-sentence-for-phishing-scam-ringleader/#comments</comments>
		<pubDate>Fri, 08 Jul 2011 14:30:29 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[phishing scam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4781</guid>
		<description><![CDATA[Twenty-seven-year-old Kenneth Joseph Lucas II, from Los Angeles, California, was sentenced to an eleven-year term for his role in an international phishing ring which included as many as one hundred American and Egyptian participants. Lucas was one of &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/phish-phry.jpg"></a><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/phish-phry1.jpg"><img class="alignright size-full wp-image-4783" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/phish-phry1.jpg" alt="" width="136" height="143" /></a>Twenty-seven-year-old Kenneth Joseph Lucas II, from Los Angeles, California, was sentenced to an eleven-year term for his role in an international phishing ring which included as many as one hundred American and Egyptian participants. Lucas was one of three accused ringleaders in an international crime ring which used phishing attacks to steal money from bank accounts and transfer funds overseas. Lucas, who was twenty-five at the time of his October 2009 arrest, pled guilty to several counts which could have led to significantly more time in prison. Conspiracy to commit bank fraud and wire fraud, which is one of the charges filed against him, carries up to a twenty-year sentence by itself.</p>
<p><span id="more-4781"></span>Operation Phish Phry was a multi-year joint operation, including representatives of both American and Egyptian law enforcement, and is currently the largest single cybercrime case by number of charged defendants. US organizations including the FBI, the Secret Service, the US Attorney’s Office, the LA District Attorney’s office, the Social Security Administration, the DEA, US Customs, the Los Angeles Police Department’s Electronic Crimes Task Force, and other local law enforcement agencies all participated in the American side of the investigation. Even a local utilities company contributed to the investigation.</p>
<p>Hackers in Egypt worked with US counterparts to target US consumers with phishing attacks meant to gain access to their bank accounts. An estimated $1.5 million was transferred from victims’ accounts to bogus bank accounts set up by the US members of the crew, who would then withdraw the money, keeping some for themselves while wiring the rest to accounts overseas. Victims in the US included residents of California, Nevada, and North Carolina, and numbered in the hundreds.</p>
<p>Lucas pled guilty to forty-nine counts of bank and wire fraud, computer fraud, aggravated identity theft, and money laundering, and was one of the ringleaders of the operation, leading activities within the US as well as recruiting others to participate. Participants recruited by Lucas would pose as bank representatives from some of the most well-known banks in the US, including Wachovia Wells-Fargo and Bank of America. They would contact victims by email asking them to update their accounts on official-looking but fraudulent websites, and set up the bogus accounts to which the funds were initially transferred.</p>
<p>Criminal proceedings are still in progress for his two co-ringleaders, as well as the fifty other US defendants, all of whom will be tried in the United States. Forty-seven Egyptian defendants will be prosecuted within the Egyptian criminal courts.</p>
<p>Lucas was also convicted of drug charges for growing marijuana, and given an additional five years (three to run concurrently with his other sentence). Lucas had posted videos of his growing operation, which included ventilation, lighting, and climate control systems, to the popular video sharing site YouTube, proving that people with the brains to carry on large-scale criminal activities can still be pretty stupid.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/eleven-year-sentence-for-phishing-scam-ringleader/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Spam Reduced, Targeted Attacks on the Rise: Cisco</title>
		<link>http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/</link>
		<comments>http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/#comments</comments>
		<pubDate>Thu, 07 Jul 2011 14:00:13 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[Rustock]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammers]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam email]]></category>
		<category><![CDATA[spam emails]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4764</guid>
		<description><![CDATA[Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking &#8230;
]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.allspammedup.com/wp-content/uploads/2011/07/phishing-sml.jpg"><img class="alignright size-full wp-image-4769" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/07/phishing-sml.jpg" alt="" width="330" height="286" /></a>Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking down the likes of Rustock and other botnets.</strong></p>
<p>If email spam is a recurring nightmare from which you cannot seem to wake, read on. At the half year mark of 2011, some seemingly good news has poked its head over the horizon, with the promise of a brighter future. Unfortunately, the news isn’t all good; in fact, like spammers, it’s a little deceiving.<span id="more-4764"></span></p>
<p>According to a new (June 2011) report published by Cisco Security Intelligence Operations (SIO) entitled “<a target="_blank" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf">Email Attacks: This Time It’s Personal</a>,” cybercriminals are dumping the ‘throw it against the wall and see if it sticks’ approach of indiscriminate spam, so much so that Cisco reports that the “annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half.” The report goes on to state that the volume of overall random spam in the past year has declined by more than 80 percent, a figure that sounds a little on the high side, but no one can deny that spam volumes have <a href="http://www.allspammedup.com/2011/04/spam-reduced-by-more-than-a-third-since-rustock-takedown-bagle-and-others-step-in-to-fill-the-void/">dipped</a> since the Rustock Botnet takedown in March.</p>
<p>Cisco SIO reports that the financial impact of this decline is significant.</p>
<blockquote><p>“Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.”  </p></blockquote>
<p>The direct impact of spam emails is even greater, down from 300 billion spam messages a day in June 2010 to 40 billion a day in June 2011.</p>
<p>Generally speaking, people continue to be smart enough to recognize a scam when they see one, but interestingly enough, those who aren’t are getting taken for more money. Cisco SIO reports that the average user continues to be smart enough not to click that link, resulting in low user conversion rates (the number of people who actually end up getting fleeced), but that this figure “is partially offset by increases in the average user spending on conversions.” Cisco SIO attributes this increase to spam artists using personalization tools, better-crafted scams and more effective malicious attacks, and reports that the level of personal information being divulged has resulted in larger paydays for the scammers.</p>
<p>So how much does an errant click cost? $250, according to the report. Cisco SIO explains the methodology used in arriving at this figure:</p>
<blockquote><p>“This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient.”</p></blockquote>
<p>Now for the bad news:  even though random email spam has experienced a large decline, the amount of money being made by the scammers has quadrupled. Using the estimates explained above, Cisco SIO reports that “scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.”</p>
<p><strong>Oh, the irony!</strong></p>
<p>In what feels like a ‘why did they <a target="_blank" href="http://outrage.typepad.com/crisisanalysis/2011/02/rsa-2011-winning-the-war-but-losing-our-soul-threatpost.html">kick the hornets’ nest?</a>’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.” The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.”</p>
<p>Oh, the humanity! If what this report states is true (and it sure sounds about right), then by deposing the former ruler – the incessant glut of email-pushing online pharmacies, instant university degrees, Internet casinos, and secret fortunes waiting to be smuggled out of some foreign country – in its place the law enforcement community has established a new despot: the smarter, more focused scammer!</p>
<p><strong>Evolutionary Change and Survival of the Craftiest</strong></p>
<p>In fact, Cisco SIO reports:</p>
<blockquote><p>“as part of the evolution of the criminal ecosystem, [the growing number of scams and malicious] attacks are becoming highly focused.”</p></blockquote>
<p>Scammers are taking greater care in their approach as they carry out schemes designed to rob people of their hard-earned Benjamins. They’re taking to other means – such as <a href="http://www.allspammedup.com/2011/06/sms-spam-on-the-rise-in-the-uk/">SMS</a>, social media like <a href="http://www.allspammedup.com/2011/05/facebook-spam-prevention-scam-propagates-hackers-rejoice/">Facebook</a>, <a href="http://www.allspammedup.com/2011/04/twitter-spam-scams-increasing-in-frequency-complexity/">Twitter</a> and <a href="http://www.allspammedup.com/2011/05/tumblr-succumbs-to-chain-spam-scam-crayon-makers-cheer/">Tumblr</a>, the tried-and-true <a href="http://www.allspammedup.com/2011/06/microsoft-warns-of-telephone-phishing-scam/">telephone scam</a>, and even  <a href="http://www.allspammedup.com/2011/06/spammers-turning-to-kindle-books/">eBook readers</a> – and they “are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position.” Examples of these scams, Cisco SIO reports, are:</p>
<ul>
<li>SMS financial fraud scams to specific locales</li>
<li>Email campaigns that use URL shortening services</li>
<li>Social media scams, where the criminal befriends a user or group of users for financial gain</li>
</ul>
<p>Spearphishing is on the rise and has experienced its own evolution, Cisco SIO states:</p>
<blockquote><p>“Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content.”</p></blockquote>
<p>If the cyber scammers are getting smarter, then it’s imperative that we, too, evolve. Cyber criminals made $150 million this year from spear phishing, according to Cisco, and that kind of return on investment speaks for itself. Spam <a href="http://www.allspammedup.com/2011/07/5-reasons-why-spam-isnt-going-away-2/">won’t go away</a>, ever. But like a nasty super virus that evolves and mutates into an antibiotic-resistant strain, spam marches on, even if it’s only to the beat of a new drum.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/spam-reduced-targeted-attacks-on-the-rise-cisco/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Microsoft warns of telephone phishing scam</title>
		<link>http://www.allspammedup.com/2011/06/microsoft-warns-of-telephone-phishing-scam/</link>
		<comments>http://www.allspammedup.com/2011/06/microsoft-warns-of-telephone-phishing-scam/#comments</comments>
		<pubDate>Tue, 21 Jun 2011 17:00:12 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[phishing scam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4618</guid>
		<description><![CDATA[On June 16, 2011, Microsoft released the results of an independent survey conducted by Dynamic Markets, Ltd., commissioned by Microsoft Trustworthy Computing, regarding an increasingly popular phone scam criminals are using to target victims. The report warns that scammers have increased &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/06/phone.jpg"><img class="alignright size-full wp-image-4620" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/06/phone.jpg" alt="" width="251" height="201" /></a>On June 16, 2011, <a href="http://www.microsoft.com/Presspass/press/2011/jun11/06-16MSPhoneScamPR.mspx">Microsoft released the results</a> of an independent survey conducted by Dynamic Markets, Ltd., commissioned by Microsoft Trustworthy Computing, regarding an increasingly popular phone scam criminals are using to target victims. The report warns that scammers have increased their efforts to fool people into providing access to their computers, or to provide personal information, including credit card data, by calling them and pretending to be Microsoft employees or other security engineers who have detected that the victim’s computer has been compromised or is infected with malware.<span id="more-4618"></span></p>
<p>Seven thousand users across the United States, Canada, the United Kingdom and Ireland were surveyed. Of the respondents, 22% had received at least one phone call from someone pretending to be a security engineer, while 3% were sufficiently fooled into following the attacker’s instructions.</p>
<p>After convincing the victim that their machine was at risk, the attacker proceeded to attempt one of several attacks. These included convincing the victim to provide him/her with remote access to their computer so that they “can assist with removing the malware”, leading them to download software which contained malware, or providing credit card information to pay for assistance.</p>
<p>Here are some of the key numbers from the report:</p>
<ul>
<li>79% of the victims suffered a financial loss</li>
<li>The average amount of money stolen was US $875</li>
<li>67% of those who lost money were able to recover some of it</li>
<li>53% said they suffered subsequent computer problems</li>
<li>The average cost of repairing damage caused to computers by scammers was US $1,730.</li>
<li>In the United States, the cost was much higher; $4,800.</li>
<li>67% of those who lost money were able to recover, on average, only 42% of it</li>
<li>17% experienced some form of identity fraud.</li>
</ul>
<p>Microsoft included some advice to go along with the report; this included:</p>
<ul>
<li>Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company</li>
<li>Never provide personal information, such as credit card or bank details, to an unsolicited caller</li>
<li>Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue</li>
<li>Take the caller’s information down and pass it to the authorities</li>
<li>Use up-to-date versions of Windows and application software</li>
<li>Make sure security updates are installed regularly</li>
<li>Use a strong password and change it regularly</li>
<li>Make sure the firewall is turned on and that antivirus software is installed and up to date.</li>
</ul>
<p>Anyone who believes they may have fallen victim to a similar scam is advised to take the following actions:</p>
<ul>
<li>Change their computer’s password, change the password on their main email account and change the password for any financial accounts, especially bank and credit cards</li>
<li>Scan their computer with the Microsoft Safety Scanner to find out if they have malware installed on their computer</li>
<li>Contact their bank and credit card companies.</li>
</ul>
<p>As computer professionals, such calls may be obvious to us, but we owe it to our coworkers, our friends, and our families to get the word out on these sorts of attacks. Scammers are going after the weakest link in security - the end user - and it is by raising awareness of these sorts of attacks that we can provide those who are not IT professionals with the best defense we can - knowledge.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/06/microsoft-warns-of-telephone-phishing-scam/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Defending Against Tabnapping &#8211; No Fix Coming Soon</title>
		<link>http://www.allspammedup.com/2011/06/defending-against-tabnapping-no-fix-coming-soon/</link>
		<comments>http://www.allspammedup.com/2011/06/defending-against-tabnapping-no-fix-coming-soon/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 16:00:40 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti phishing]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4615</guid>
		<description><![CDATA[Web security is full of clever names to tag the different threats that the everyday Internet user faces. The latest is an interesting attack known as tabnapping, or tab kidnapping. Traditional phishing attacks require the attacker to trick the victim &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/06/tab-napping.jpg"><img class="alignright size-medium wp-image-4616" style="margin: 10px; border: black 0px solid;" src="http://www.allspammedup.com/wp-content/uploads/2011/06/tab-napping-400x140.jpg" alt="" width="400" height="140" /></a>Web security is full of clever names to tag the different threats that the everyday Internet user faces. The latest is an interesting attack known as<strong><em> tabnapping</em></strong>, or tab kidnapping.<span id="more-4615"></span></p>
<p>Traditional phishing attacks require the attacker to trick the victim into clicking on a malicious link sent to them via email or instant message. The link then takes the victim to a web page that has been spoofed to look like PayPal or the victim’s bank so that the attacker can collect login credentials.</p>
<p>Tabnapping is much more sophisticated and it no longer relies on a victim clicking on a link. Instead, it directly attacks open tabs on the victim’s browser.</p>
<p>The addition of tabbed browsing opened up web surfing to an entirely new level of productivity, or time wasting depending on how you use the Internet. Users could now reduce the clutter caused by multiple windows, bookmarking became much more efficient, multiple tabs loaded faster than multiple windows and it made web content much easier to manage. However tabs are often left idle, and that is what opens the door up to this type of attack.</p>
<p><strong>Walking through the tabnapping attack</strong></p>
<p>We all know that cybercriminals can spy on your browser history to see what sites you frequently visit using spyware. They can also tell when a browser tab has been inactive for a while. Using malicious code the attacker can replace the site that is open in the idle tab with a spoofed site of their own, say a bank or email page. Thinking the session has been logged out, the victim logs back into the spoofed page that appears in the tab. Now, the phisher no longer has to lure unsuspecting victims in with email spam as bait and, more importantly, he/she does not have to gain the trust of their victim. Unsuspecting users simply log in to a page that they believe they have already opened.</p>
<p>Fortunately, this attack has only been seen so far as a proof of concept attack that was developed by Aza Raskin, creative lead for Mozilla Firefox. Unfortunately, he was able to simulate this type of attack on all the major browsers for both Windows and Mac OS X computers.</p>
<p>“You can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate log-in screen and favicon on demand,” Raskin explains of this discovery.</p>
<blockquote><p>&#8220;Even more deviously, there are various methods [one can use] to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML Web page in a script tag &#8230; You can make this attack even more effective by changing the copy. Instead of having just a log-in screen, you can mention that the session has timed out and the user needs to reauthenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.&#8221;</p></blockquote>
<p><strong>Prevention</strong></p>
<p>Right now, browsers are not expected to release any patches to fight against this type of threat. According to Microsoft’s security response center, the issue isn’t considered a vulnerability per se. The attack simply exploits the way browsers work. But that doesn’t mean there is no defense.</p>
<p>Like any phishing attack, tabnapping can be thwarted by making sure you always check the URL before entering any login credentials or account information. If the URL is different or if it doesn’t have the https then you may be visiting a spoofed page.</p>
<p>Other steps you can take to prevent falling victim to this type of attack are to close out any tabs that ask for reauthentication and go back to the page in a new tab to log in. Another move that is advised is to avoid online banking and visiting sensitive sites with new tabs. Do your banking first and then surf the web to mitigate any attacks.</p>
<p>At the browser level you can also utilize plug-ins and tools designed to filter out malicious sites and those that contain malicious code. This would give you an added layer of defense, but it is not one you can rely on solely.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/06/defending-against-tabnapping-no-fix-coming-soon/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Spam Volume not an Accurate Gauge of Spam Problem</title>
		<link>http://www.allspammedup.com/2011/06/spam-volume-not-an-accurate-gauge-of-spam-problem/</link>
		<comments>http://www.allspammedup.com/2011/06/spam-volume-not-an-accurate-gauge-of-spam-problem/#comments</comments>
		<pubDate>Fri, 10 Jun 2011 17:21:06 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4417</guid>
		<description><![CDATA[A recent survey concluded that, while still a problem, spam is no longer &#8220;the nuisance it once was.&#8221; An IT security vendor arrived at this conclusion by examining the number of spam messages that made it through the various &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/06/Spam.jpg"><img class="alignright size-full wp-image-4418" src="http://www.allspammedup.com/wp-content/uploads/2011/06/Spam.jpg" alt="" width="250" height="250" /></a>A <a href="http://www.net-security.org/secworld.php?id=11079">recent survey</a> concluded that, while still a problem, spam is no longer &#8220;the nuisance it once was.&#8221; An IT security vendor arrived at this conclusion by examining the number of spam messages that made it through the various spam filtering measures at the users&#8217; disposal.</p>
<p>What struck me was how the statistics gleaned from the more than 2,000 respondents showed a majority (55%) of them admitting to using a client-side anti-spam solution, with another 19% saying they use a solution included as part of their Internet service. I suppose this is probably why 72% of respondents say they receive up to 10 spam emails per day, which does not look like an unreasonable amount of digital trash to sort through. On the other hand, a full 10% did indicate that they are receiving a staggering 100 or more spam email messages on a daily basis.</p>
<p>Of course, my personal opinion is that a definite conclusion about whether spam is a more manageable problem today is practically impossible to prove given the subjective nature of such a question.  As such, the survey should be construed as nothing more than an indicator of the average volume of spam that is making its way into the inboxes of the surveyed users.</p>
<p>The survey got me thinking about the nature of spam, however. As I wrote in <a href="http://www.allspammedup.com/2011/04/6-reasons-why-spear-phishing-will-increase/">6 reasons why spear phishing will increase</a>, the effectiveness of spam filters against traditional spam is simply forcing spammers towards the adoption of sophisticated measures to render their spam indistinguishable from genuine emails, or to explore other delivery mediums altogether. The result is that any decrease in the volume of spam is no longer an accurate indication of the spam threat.</p>
<p>Consider also the far larger number of users today who actively use multiple email accounts, which serves to obfuscate the volume of spam actually transmitted over the Internet. Throwaway email addresses, too, are handy tools to separate the chaff from the important messages. Moreover, receipt of fewer email messages may also be a meaningless yardstick given how sophisticated phishing and spear phishing attempts are succeeding in tricking even seasoned computer users into giving up private information or passwords.</p>
<p><strong>Spam is a different problem today</strong></p>
<p>Where pharmaceutical spam necessitates a certain volume in order to hook someone, the same cannot be said for phishing spam designed to install malware on a target. Below are some examples of modern spam attempts that do not rely on a high volume of messages.</p>
<p><strong>Skype voice spam</strong>: This appears to be a relatively new occurrence, and entails the use of an automated <a target="_blank" href="http://www.pcworld.com/article/229427/beware_of_skype_voice_spam.html">computer system to call Skype users</a>. A script about a purported malware infestation is then read in the robo-call to the target, asking users to visit a web address for rectification of the alleged problem. As you can imagine, the furnished domain has been put together for the sole purpose of either conducting drive-by downloads, or as part of a &#8220;scareware&#8221; scheme to trick users into parting with their money.</p>
<p><strong>Spear phishing</strong>: Some of the most dramatic security break-ins of late involve the use of spear phishing to install malicious software. Indeed, the &#8220;<a href="http://www.allspammedup.com/2011/06/lockheed-martin-latest-to-succumb-to-%E2%80%9Csignificant%E2%80%9D-cyber-attack/">significant&#8221; cyber-attacks</a> highlighted by fellow blogger Jamie Campbell could be traced to the recent break-in at RSA &#8211; which was believed to originate from the use of spear phishing.</p>
<p><strong>Malware spam:</strong> As mentioned earlier, all it takes is a single spam message and a new piece of malware to convert a PC into a hapless member of a botnet.</p>
<p><strong>Social media spamming:</strong> The newness of social media spam means that spammers are still experimenting with the best methods of delivering spam. So far, social media networks are moving relatively quickly to close down accounts used for spamming, though it remains unclear whether this will continue to happen as the number of users and messages sent via these sites continues to explode.</p>
<p><strong>Spam as part of a DDoS</strong>: I wrote about how spam could be leveraged to perform <a href="http://www.allspammedup.com/2011/05/spam-leveraged-in-attack-against-dns-infrastructure/">DDoS (Distributed Denial of Service) attacks</a> against email servers a couple of weeks back.  While not common, it is not unreasonable to expect that further use of the email system to attack other Internet infrastructure will emerge in future.</p>
<p>Do you have anything to add to the above list?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/06/spam-volume-not-an-accurate-gauge-of-spam-problem/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

