Written by Sue Walsh (siwriter@si.rr.com) on March 12, 2010
Sleazy infomercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in Civil Court fighting a complaint by the FTC that the advertising for his “natural cures” book is misleading. He was first sued by them in 1998 and banned from making false claims in the future, ordered to pay $500,000 in consumer redress and pay another $500,000 for a performance bond to ensure compliance. In 2004 he was sued again for ignoring the order and making false claims about a product called Coral Calcium. He was ordered to pay $2 million in fines and damages and banned from doing infomercials except for informational publications like books, provided he make no misrepresentations. He again ignored the order, which is why he is in court again. Trudeau has long been hawking his natural cures as the answer to everything from obesity to drug addiction.
In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.
Written by Sue Walsh on March 8, 2010
Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc. fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund the remaining $200,000, PlainsCapital slapped them with a lawsuit. The suit asks that the court certify the bank’s security procedures to be reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.
In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well-worn trick used by phishers, and the company says that by doing so the bank made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.
In response, the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore, they said, the phishing site would have been obviously fake “to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” Ouch. Basically they are insisting it’s not their fault that the employee was stupid enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has switched to a different system. The employee apparently trusted that the phishing email was real because of the previous one.) What do you think? When a phishing attack happens, who should be held responsible, the victim or the bank?
Written by Paul Cunningham (paul@exchangeserverpro.com, http://www.exchangeserverpro.com) on January 6, 2010
About the author: Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
Business Week reports that a study by researchers in New York reveals that as many as one in five young, overweight people have been a victim of email spam.
The study revealed some interesting statistics:
- 88% of overweight individuals reported receiving spam pitching weight loss products, compared to 73% of other respondents
- 42% of overweight individuals said they opened the spam, compared to 18% of other respondents
- 18% of overweight individuals said they bought products promoted in the emails, compared to just 5% of other respondents
Firstly, why do overweight people receive more weight loss spam? One theory is that these people are visiting more web sites on that topic than other people, and therefore end up in marketing databases. This means that the spam is either coming from the website owner, or another party that is given access to the database of email addresses. This access may be either from selling the list or by using co-registration, which is a legitimate lead-sharing strategy that is often abused by spammers.
For any email marketer a 42% open rate is outstanding. It means that the subject line for the email was very effective at enticing the recipient to open the email and read more.
For a spammer sending 1,000,000 emails 42% open rates do not mean 420,000 people opened them. Most of those recipients will never receive the spam due to anti-spam protection on their email server or their computer. But even a 1% penetration could mean several thousand people open the email.
Finally, the conversion rate for overweight people is very good at 18%. Several hundred conversions of a weight loss product likely to cost $50-$200 is a good day’s pay for the spammer.
Continue reading Weight Loss Scams Reveal Why Spam Works»
Written by John P Mello Jr (gif.blog@nyms.net, http://twitter.com/jpmello) on December 10, 2009
About the author: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

In 2010, spam volume is expected to rise 30 to 40 percent worldwide over 2009 levels.
Money and large sucker pools attracted increased attention by Black Hats this year and will continue to do so in the next, according to Cisco Systems’ 2009 Annual Security Report released this week by the company.
When the infamous bandit Willie Sutton was asked why he robbed banks, he told his interviewer, “Because that’s where the money is.” The same seems to be true of Internet highwaymen.
“Online criminals show every sign of continuing their campaign to steal lucrative financial login information–and they’re growing ever smarter and more sophisticated with their tactics,” the Cisco report noted. “The Zeus and Clampi botnets, which steal online account credentials with a focus on bank accounts, have gained in size and strength in recent months, and no doubt will continue to do so throughout 2010.”
The report also identified a new wrinkle in the malware genre that will make many consumers think twice before heeding those pleas from their banks to ditch paper statements.
“A newer entry on the banking Trojan scene is URLZone, which exhibits new methods to shield itself from detection by computer users,” the report explained.
“When the criminal using the Trojan makes a transfer from a victim’s bank account,” it continued, “the Trojan can alter the online bank statement to disguise the fact that an illegal transfer has occurred. Victims who check their bank accounts online only, instead of reading paper statements, would not realize their money had been stolen.”
Continue reading Cisco says social network, banking scams on rise»
Written by Sue Walsh on November 23, 2009

Security experts have issued a warning about a new spam campaign that targets the unemployed and financially troubled and exploits Twitter to do it. The spam, being sent by the Donbot botnet, hawks “get rich quick” and work at home scams designed to get people to pay a fee for a useless program that claims to help them make money on the internet.
The spam messages use a variety of methods to get past spam filters. First, the message itself is an image rather than text so it can’t be analyzed by filters, and that image contains a link to a Twitter account. The spammers did this because they know Twitter would never be blocked due to its size and reputation. The image is of a fake newspaper article which gushes about how great the get rich program is.
These types of scams are rising as spammers take advantage of the 10.2% unemployment rate in the U.S. and of people desperate to make money in order to get out of financial problems. The timing of the new campaign also coincides with the holidays, which is a time when many people are looking for a quick way to make some extra cash.
Experts say the campaign is increasing. Within 24 hours of its beginning it accounted for 4% of the world’s total spam volume.
Written by Sue Walsh on November 10, 2009
The FBI is warning small and midsize businesses that spear phishing is becoming an ever increasing threat. Over $85 million has been stolen by cybercriminals and only around $45 million has been recovered. The scam starts with a spam campaign that delivers malware. The messages are targeted to individuals responsible for handling financial transactions within a company. Those that fall for the spam find their computers infected with malware that is designed to steal personal info and banking credentials. From there the fraudulent withdrawals begin, all under $10,000 to avoid reporting requirements. The stolen money is then sent to a money mule who is instructed to wire it to the criminals via Western Union.

This scam has two sets of victims, the companies that are being stolen from and the innocent people being used to do the dirty work. Most are recruited via phony “Work from Home” ads. Scammers prey on the unemployed and underemployed, often flooding sites like Craigslist and Monster with fake job openings and also scanning the site for job seekers who have posted contact info and spamming them. What makes this part of the spear phishing scam so sinister is that the mules aren’t just being scammed, they are money laundering, which is a serious criminal offense.
The FBI advises companies to confine their banking activities to a dedicated, locked down computer that is not used for any other purpose and isn’t allowed to access email or everyday web browsing. A strong and constantly updated firewall is also a must.
Written by Sue Walsh on September 3, 2009
A new report by IBM is showing a steady decline in email phishing attacks. In 2008, phishing attacks made up 0.5 percent of all spam but so far this year that number has dropped to 0.1 percent. At the same time the number of malicious links found on the net has shot up an alarming 508 percent, and experts say that’s no coincidence.
Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Thursday that she is not surprised by IBM’s findings. As a trend, cybercriminals are switching from phishing to more “surreptitious” malware attacks, she said. One reason for this shift is that email filtering mechanisms have been fairly successful at stopping the proliferation of phishing attacks.
Continue reading Phishing Attacks Decline, Malware Rises»
Written by Sue Walsh on August 11, 2009
I recently began getting a lot of spam from Fanbox.com. The messages had subject lines like “Something For You” and “I Sent a Gift To You”, and the sender was someone I don’t know. The messages claimed that this person had sent me a gift using an application called “Flower Fans” or that they had set up a 10GB email account for me on the system. Ironically it bills it as “world’s first spam-free email”.
Continue reading Fanbox.com Uses Members To Spam»
Written by Sue Walsh on July 27, 2009
A massive new spam attack is hitting free web services such as YahooGroups, LiveJournal and GoogleGroups. Over 1 million spams an hour are being sent through these services using fake Hotmail accounts. Security experts say the Hotmail accounts were most likely created via an automated process that included cracking the webmail provider’s CAPTCHA. Spammers like to use services such as Hotmail, GMail and Yahoo! Mail to send their messages because the domains have a good reputation and are less likely to be blacklisted or caught in spam filters.
Continue reading Major Spam Attack Hitting Free Web Services»
Written by Sue Walsh on June 9, 2009
A new phishing scam is targeting Bank of America customers who use the bank’s “Bank of America Direct Digital Certificate program”. The program offers full service internet based banking to businesses. To access it customers need to install a BOA issued digital certificate into their web browser. The attack focuses on the site that allows them to use their company ID, username and password to re-download their certificate if needed.
The emails being sent tell customers that their certificates have expired and must be re-downloaded, or that an updated version is available. A masked URL directs them to a fake version of the certificate pick up site. If the customer fills out the form they not only have their login info stolen, but they are then asked to download the “certificate”, which is really the Waledac Trojan. The malware scans their systems for personal and financial information. Waledac also adds the infected computer to its botnet and uses it to send out even more malicious spam.
Bank of America is aware of the scam and recommends that customers call them to verify any emails they receive, and to remember they will never be asked for their user name and password via email.