Malware developers seem to appreciate a little humor when it comes to naming their schemes. One of the latest email scams to invade inboxes everywhere is no exception, it seems, and the FBI has been quick to let businesses know that if they don’t keep their eyes open for a phishing scam originating in an email from FDIC, NACHA and the Federal Reserve, opening the mail’s attachment could be one of the most devastating choices in a young 2012. Worse yet, this new scheme appears to be linked to the Lord of the Greek gods – or its eponymous malware, anyway.

‘Game over’ is never a good thing, whether it means that your last ship has been destroyed and your quarter spent, whether it’s a lame and overused witticism that yet again has found its way into the mouth of Hollywood’s action hero du jour, and yes, even when cyber criminals are searching for just the right name for their latest piece of malware. While we’re not averse to debating the first two, our interest here is firmly with the latter. It seems the U.S. Federal Bureau of Investigation shares that interest, as evidenced by a security bulletin earlier this month that identifies a new email scam, one which cyber criminals have decided to call – what else? – Gameover.

Gameover is a phishing attack that appears in the form of spam emails spoofing the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Bank, or the National Automated Clearing House Association (NACHA). Like a multitude of others, the scheme preys on users’ fears and/or lack of vigilance, informing them that there has been a problem with their bank account or an ACH transaction (ACH stands for Automated Clearing House, a network for financial institutions in the U.S.). Sufficiently frightened, recipients are encouraged to click the included link, which instead of resolving the issue, takes the user to a malicious site where the Gameover malware is executed.

The malware has been identified as a variant of ZeuS, a notorious piece of malware which has been responsible for stealing financial information through the practice of keylogging for a number of years. Once activated, the cyber crooks can steal banking information such as account numbers and passwords.

As if that wasn’t enough…

More than just a keylogger, however, ZeuS (and coincidentally, Gameover) has an added payload. According to the FBI:

“After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site — probably in an attempt to deflect attention from what the bad guys are doing.”

But wait – there’s more!

In what sounds like a novel involving international intrigue, FBI investigations have been able to trace the attacks as far as to jewelers, as the stolen funds are used to purchase “precious stones and expensive watches from high-end jewelry stores”. The crooks contact the jeweler, tell them what they’d like to purchase and inform them that they will wire the money the following day. The following day, a “money mule” – a person involved in the money laundering part of the crime – shows up at the jewelry store to pick up the merchandise. The jeweler confirms that the money (the stolen money from the spam scheme) is in their account and upon doing so, turns the merchandise over to the mule, who in turn delivers the merchandise to the crooks or converts it into cash that upon being transferred, is effectively laundered.

Wow – It really is the stuff of imagination, but even more interesting is that the FBI has suggested that the mules could be unsuspecting victims of those omnipresent ‘work at home’ schemes that we see everywhere. While the federal agency has confirmed that many of the mules are willing participants, it has also noted that an increasing number are likely people who have succumbed to these schemes and have been unwittingly recruited into laundering money stolen from victims of the spam scheme.

Be on the lookout for this one and advise your staff ASAP. At very most, it could be a story worthy of a novel. At very least, it could save you and your users plenty of headaches and lost funds.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

FBI Declares ‘Gameover’, Link to ZeuS

The year’s off to a rousing start, with all sorts of interesting security news this week: Wikipedia led a temporarily successful foray against SOPA and PIPA by joining numerous websites that went dark for a day; the founder of Megaupload had his hands slapped when law enforcement officials told him resoundingly, “no, you can’t pirate copyrighted material” – insult was heaped upon injury when dozens of expensive cars were towed away to show him they were right; and Koobface – the Facebook botnet that has been harassing Zuckerberg for years – was taken down by its own creators after the Facebook gang teamed up with The New York Times to uncover and publish the identities of the worm’s owners. To round off the week, QR codes (like the one in the image here) may just be the latest form of spam, and news out of the Twitterverse suggests that Darwin’s cardinal rule is not only true, it’s actually a dire prophecy of our impending extinction.

The year’s less than a month old and it may already be shaping up as ‘the year of anything goes’. Topping the headlines was a mass protest against seemingly inevitable anti-piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect I.P. Act), as innumerable websites intentionally went dark on January 18. Led by students’ greatest friend and perpetual source of dubious information Wikipedia, the activist movement irritated web surfers across the globe and scored one for the little guy as the bureaucrats in Washington, DC backed off the proposed legislation and shelved the bills, albeit temporarily. It’s practically inevitable that some wily spammer will take advantage of this controversy, so keep your eyes open and watch your back.

In a related story and in the spirit of fishy timing (i.e., the same week as the aforementioned protests), Megaupload founder, Kim Dotcom, was carted off along with several other geniuses who figured they would get away with providing a conduit for copyrighted material, all the while skimming millions of dollars off the illegal activity and thumbing their noses at the FBI. German national Mr. Dotcom, lamented as his lavish New Zealand mansion was raided and dozens of vintage cars were hauled away as the spoils of war. Again, there’s more here than meets the eye, especially now that Anonymous has its back up.

In an LMAO moment, individuals responsible for Koobface – a nasty piece of malware that has been frustrating Facebook and Twitter users for years – have taken down their own command and control server after Facebook teamed up with The New York Times to uncover and embarrass five of the founders – Russian nationals living in St. Petersburg, Florida. The named individuals have scrambled to scrub their online profiles, but it’s highly doubtful that erasing their cyber identities will have much of an effect in the real world, where police carry real guns and real handcuffs.

Are QR codes the newest spam threat? Some people think so. QR – or Quick Response – codes were developed in the automotive industry and have been used for a while. Slowly entering the mainstream  over the past couple of years, they are in wide use in Japan, the UK and the US, amongst other countries. Popular because of their fast readability and relatively high storage capacity (compared to bar codes), the increased use of smartphones with cameras and QR reading apps have made the codes a prime target for manufacturers and retailers; heck, even Google’s looking at getting into the game by using QR codes as a secure login method.  The problem is that QR codes can contain virtually any information, meaning that they are already being exploited by scammers and spear phishers. Keep an eye on this one, folks – and think twice before you take a picture of that code staring you in the face.

Finally, from the Twitterverse, here’s one that, no matter how much you shake your head, won’t rid that sickening feeling that the human race is on a collision course with extinction. Perhaps a case of ‘you can’t spell Twitter without ‘twit’, this recent article shows just how careless – or ignorant, or both – web users really are. Get this: over a twenty-four hour period, more than 11,000 Twitter users shared their email addies with the rest of the world. A safe practice if we were living in Thomas More’s Utopia, but it’s not the case if you reside anywhere on Earth, which is rife with people who would just love to use that information against you. This is just a guess, but it looks like spear phishing season is open and Twitter is the local watering hole.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Week in Review: You Can’t Spell Twitter Without ‘Twit’

In Part 2 of our look at what you can expect in the coming year, faint rumblings out of Japan suggest that one prediction from Part 1 of this article has already come true. If the very real prospect of becoming an innocent casualty of war isn’t enough to make you run backward toward the year that just passed, these bold predictions reveal how hackers will develop an even stronger sense of camaraderie, and how mobility is sure to become a four-letter word. And if you thought spamming and Internet scams made it personal in 2011, you ain’t seen nuthin’ yet.

How about that? 2012 wasn’t even seven days old when news out of Japan this week revealed some eerie premonitions of the things to come and earmarks of a bold prediction made one week ago.  Engadget, ZD Net and other media outlets are reporting that the Japanese government has been working in concert with Fujitsu since 2008 to develop a powerful ‘cyber weapon’ – a piece of software that, upon the detection of a cyber attack (such as DDoS, for example) tracks the attack back to the source.

Sounds pretty straightforward, right? Sure, until you consider that the software also attacks and disables every machine it finds along the trail. The goal, Engadget reports:

“is to stop the spread of a malicious piece of code by finding and shutting down, not just the source, but all middleman PCs that are also now potential hosts. In some admittedly extreme scenarios this weapon could potentially spiral out of control, taking out far more computers than intended.”

Hmm… Botnets are nothing more than large numbers of unsuspecting computers carrying out their attacks at the behest of the infector and ignorance of the computer’s owner. Japan’s little toy, while it sounds like it might be fun to take for a spin, could have the unpleasant and unprecedented effect of being the cause of some serious collateral damage. Casualties of war? Here’s a tip for everyone: while you still have a chance, give that fave desktop or laptop of yours a great big hug before it’s too late.

1. Hackers of the World, Unite

Robin Hood met Mafia Boy last year as hacktivism took center stage. Indeed, 2011 was an entertaining year for anyone who followed the exploits of Anonymous and LulzSec. The drama unfolded like a kabuki play born in the mind of Ken Kesey and brought to life by a troupe of mimes with Tourette Syndrome, and there were even a few arrests along the way to make this reality show really…ahem… arresting.

Prediction: We will see some new hacking activity from these groups, with some high profile web takedowns in the process. While that’s not a stretch, this is: hacker groups like Anonymous and LulzSec will grow in size substantially, resembling an ‘occupy’ type movement that will take the war online. The civil and social unrest of 2011 will turn to face the financial behemoth that is the Internet.

2. Mobility Means Vulnerability

If we learned anything about spam in 2011, it’s that spam is like that proverbial bum of a brother-in-law who’s been living in your basement for the past two years. It’s not going away, good luck making it work for you, and you will be out-of-pocket at some point. Spammers continued to use every means at their disposal in 2011, with SMS spam becoming a real pain in the neck. Security flaws in the two most popular smartphone platforms – iOS and Android – just accented what we already suspected: that spammers and purveyors of malware had taken their show on the road.

Prediction: 2012 will see a massive increase in mobile spam, and mobile devices will become the swords upon which we will live or die unless we get mobile security under control.

3. It’s Nothing Personal…Well, Actually, It Is

A significant development in spam and phishing in 2011 was the way in which the scam artists were getting smarter; you know, smarter in much the same way that a chunk of igneous rock living at the bottom of a fetid riverbed is smarter than a rotting patch of lichen hanging for dear life to the side of an oak tree. Like it or not, the scambags are wilier, finding new and innovative ways to pick your pocket without actually residing in the same time zone.

Prediction: The scambags will become even cleverer in their assaults, finding new methods to lull people into a false sense of security. How this will occur remains to be seen, but our bold prediction is that it will most likely involve highly targeted, multilevel campaigns where the scammer will use detailed knowledge of the targets, and multiple contact methods like email, phone, SMS and even snail mail to enact their evil schemes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bold Predictions for 2012 (Part 2)

In a turn of events appropriate for the most tumultuous year in cybercrime, 2011’s body is barely cold and we’re already smelling something suspicious from its decomposing carcass. Rumors of two worms, one well-known and the other relatively new on the scene, have some of us wondering what will happen next in 2012, and the year has only just begun. In an attempt to put the preceding year into perspective, we take a look at what might be in store for the new year and beyond with some bold and not so far-fetched predictions for 2012.

PREDICTION: A Shiny New Worm with Every Census Report, Tax Return and Piece of Monetary Currency

First up for 2012 is a prediction that all bets will be off when it comes to understanding the nature – and source – of some of the most insidious malware in the known universe. In fact, the threat and very nature of the state-sponsored malware will only get more confusing, and most likely more disturbing, as we discover where and how it’s being used.

Discovered in 2010, Stuxnet was in the news again in 2011. A worm designed to target and damage industrial control systems (like the kind found in nuclear plants), it has been a source of great debate over who created it and what its ultimate purpose represented; but few could argue that with more than forty percent of Stuxnet’s infections landing in Iran, the nation was most likely the target from the get-go. Russia and others wasted no time pointing the finger squarely at the United States and Israel as the benefactors of the worm, which surely must be state-sponsored.

It seemed inconceivable that anything could top the news that broke late in the year about Stuxnet’s connection to Conficker, suggesting that the latter, a notorious botnet, was used to deliver the payload for Stuxnet. If rumors are true that Stuxnet is state-sponsored, the implication that spam might have been part of the delivery method can and must only leave a bad taste in people’s mouths.

As 2011 wheezed out its last few painful breaths however, a new development occurred in this bizarre tale, as it was revealed that ongoing research by Kaspersky Labs on Stuxnet uncovered a direct link between Stuxnet and Duqu – a worm, discovered only in September, which shares many of the attributes of Stuxnet. In fact, media outlets are reporting that the worms are suggestive of an ‘arsenal’ of malware that has been in development as early as 2007. The code kernel has been dubbed ‘Tilded’, in recognition of the author’s habit of using filenames that begin with ‘~d’.

The Prediction: Keep your eyes open for Tilded. We will continue to see new pieces of the puzzle unveil, and they will point at the government of a country – or perhaps multiple countries working in concert – all but providing conclusive proof of the party (or parties) responsible for this new and nefarious form of warfare. What will make this story even more notorious, however, is when it becomes clear that an unsuspecting public has been a major delivery mechanism for this 21^st century warfare, through the use of spam, malware, and botnets. And if that is true, it could very well be the case that some of those spammers you curse on a daily basis are actually nation states using spam to mask their cyber intelligence activities.

PREDICTION: The Cloud Will Get Stormy

While the Cloud was one of those recurring themes that flew, for the most part, under the radar in 2011, companies like Apple and Microsoft continued to push it like it is a silver bullet and a cure-all for everything that ails small companies to major corporations.

The Prediction: 2012 will see at least three Cloud-based security events, most likely linked in some way to spam, malware, hack attacks or compromised mobile devices. Furthermore, they will be high profile events, targeting Fortune 1000 or Global 1000 companies, or less likely a government agency. Anonymous will take credit for at least one of the breaches, and there will be a link with one of the breaches to North Korea and/or China.

Next week, in Part 2 of this story, we’ll take a look at some other bold and controversial predictions for 2012, and how we can learn something from 2011 – but only if we’re ready and willing to listen to it.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Looking Back At 2011 And Bold Predictions for 2012 (Part 1)

While the fat man in the red suit has already signed-off on his naughty or nice list, there’s one nasty little child holed up somewhere in Russia who needs to get a large lump of coal in his stocking this year. Or if not a lump of coal, then a shiny new pair of law enforcement-grade handcuffs.

What is it about this time of the year that brings out the worst in people? Religious beliefs aside, there’s something about this time of the year that should make all people take a deep breath, send a little good will out to fellow humans, and, well… just smile, dammit. Unfortunately, for spammers and scammers, it appears that there’s no room for taking time off over the holidays and treat others with the dignity and respect that most people recognize as a necessary element of a living, breathing society.

Case in point: The Register reported earlier this month that three anti-scam sites were inundated with a massive Distributed Denial of Service (DDoS) attack over several days, effectively rendering the sites useless. According to The Register:

“The sites – 419eater.com, scamwarners.com and aa419.org (Artists Against 419) – were swamped with junk traffic for several days. During the attack the sites’ administrators turned to blogs, Facebook and other alternative channels to distribute news of newly detected fake payment sites and other urgent anti-fraud information.”

According to an anonymous Register reader:

“These websites and their users provide excellent exposure for online fraud activities and have been responsible for allowing thousands of prospective victims to detect a scam in play, and get out before losses are incurred They also work actively to kill fake bank sites, fake freight forwarding sites and other criminal resources.”

The Register reported that two of the three sites were back in working order in a few days, but the story takes a nefarious turn from here. Early speculation was that a Russian scam artist was responsible for the attacks, and not long afterwards, someone over at ScamWarners contacted The Register and divulged that the attack:

“was perpetrated by a scammer who became angry at a topic posted on 419Eater, which exposed his scam. 419Eater.com was first attacked and ScamWarners began to publicise it via Twitter and Facebook. The next day [Thursday], ScamWarners was also attacked. The scammer then sent an email to me, threatening both ScamWarners and 419Eater. We were told to cease exposing their information and reporting their Amazon sites or we would both be eradicated from cyberspace.”

If that last sentence didn’t outrage you at least a little bit, go back and read it again. Is it necessarily foolish and naïve to believe that even scammers – scumbags who invest a significant amount of time into developing malware designed to bilk little old ladies living on fixed incomes out of their precious savings – might take a little time off during Christmas, Kwanzaa, Hanukah, Ashura, or whatever religious observance you prefer to…uhm…observe? Absolutely it is. One could assume that’s what bulbous men in red tights with fist-sized lumps of coal are for. But acceptance isn’t enough. This is a time of the year “when want is keenly felt, and abundance rejoices”, as Dickens pointed out; yet the inhumanity of the deeds of a few are enough to make this writer wonder how we continue to survive the ravages of human nature – in other words, ourselves.

It’s been a year fraught with cyber crime and cyber busts, with malicious attacks and new forms of spam; with new scams and chilling suggestions of things to come. For this week, anyway, most of us will rejoice at the presence of family and friends, and sadly, many will go hungry. Here’s hoping that in 2012, we will have a chance to see more of these scammers on our little blue-green orb find the other side of steel bars.

Next week: tune in for our top 10 list of popular torture methods for 2012.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Lump of Coal Edition: When Scammers Attack

It’s the most wonderful time of the year, and what better way to take a look back at the year in spam than poke a little fun at the moronic state of the crap that invades our inboxes? In a year that saw major security breaches, several high profile botnet takedowns, and an unprecedented surge in personalized scams and mobile spam, we stop to reflect upon it all and submit a simple postulate: what if Dr. Seuss had been a spammer?

As the year winds down to a close, it’s only basic human nature to look back at the year that just passed and reflect upon it. In the world of spamming and Internet scams, that’s bound to be a painfully long look, since this has been a year fraught with new scams, major cybercrime busts, and unprecedented levels of security threats. With mobile devices providing the newest threat opportunities, and SMS spam picking up a head of steam as scammers get creative, we must be even more vigilant when fighting spam-related threats.

What’s in store for 2012? One must shudder when imagining the possibilities. If anything like 2011, next year will represent an even more dangerous landscape, cluttered with mines and booby traps the likes of which we’ve never seen.

Dire prophecies and doomsday mentality aside, it doesn’t hurt to poke fun at spam once in a while, and during the holidays, no one is more fun than the venerable Theodor Seuss Geisel, known to adoring children and former children alike as Dr. Seuss. Like many households, it’s a holiday tradition around here to watch How the Grinch Stole Christmas!, an annual ritual which inspired this writer to wonder: what if Dr. Seuss was still with us, and what if, ahem, wait for it…Dr. Seuss was a spammer?

The thought itself is sure to bring a smile to the face of anyone who has endured the miserable drivel that infests inboxes like brown marmorated stink bugs. Poorly written and replete with ludicrous stories that must have been contrived during bad acid trips, these emails often frustrate us, and occasionally make us smile by virtue of their sheer stupidity. What they do not do, however, is give us any confidence that the human race is poised to survive much longer, if this epidemic of oafishness is representative of the current state of the gene pool.

So without further ado, here’s a humble attempt at imagining what spam might be like, if written by Dr. Seuss:

The Spammer Who Stole Christmas?

Dear stranger, forgive me for this intrusion

I hope my letter will ease your confusion.

I will not, cannot state it enough

This is rough stuff, even a little tough.

There’s a Libyan prince who lost his good fortune

And my offer to you is a share of the portion.

I cannot get the funds out of my land

And I hope you will aid me by lending a hand.

You see, there are sums in excess of millions

If you give me your name, I’ll give you gazillions.

It’s okay to give me personal information

They don’t extradite criminals in my tiny nation.

Your bank account and credit cards are essential

They’re only for scamming and merely referential.

This is for good cause, I must admit

Send money now and show you commit.

I do not wish to enter a heated debate

Send it fast, send it now, it cannot wait.

The funds are for my stately Kenyan mansion

It’s in great need of a major expansion.

Happy Holidays to all!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

If Dr. Seuss Was a Spammer

Not a fun thing to deal with but it did get me thinking a bit more about how often individual accounts are compromised to send out spam.

Of the larger messaging services, Yahoo! Mail appeared to be the most susceptible according to an end-user survey by Commtouch with 27% of Yahoo’s users claiming to have had their account compromised. Facebook came in second with 23%, Gmail followed with 19% and Windows Live rounded out the list with 15% of people admitting that their accounts had been targeted at one time or another.

The most frightening statistic from this survey was that 62% of these people had no idea how their email account was compromised. This does not reflect carelessness on the victim’s part but instead, shows how the threat landscape has increased in sophistication.

It used to be you downloaded a malicious program that infected your email client and sent out messages to everyone in your inbox however with the malicious links appearing in social network feeds, legitimate web sites hosting malware, drive by downloads and cyber criminals snooping in on public Wi-Fi narrowing down where your credentials were stolen is akin to finding a needle in a haystack.

Why Your Personal Account is a Target

You would think that large corporate email accounts would provide a much more lucrative target for spammers. After all, if they can compromise a good number of addresses they will have much more to work with.

However, cyber criminals have long abandoned the mass spam tactics of the past. This is evidenced by the fact that the amount of email spam has reduced over the years, and trends show that this will likely continue.

People have learned not to respond, or act, when they are sent an arbitrary email message from an unknown account. Over the years, they have been warned and trained that if you don’t know the sender don’t trust the message.

Personal email accounts, for this very reason, have become much more attractive to spammers and cyber criminals. Instead of blanketing mailboxes with spam that generates extremely small returns, their email campaigns have become much more targeted.

Harvesting smaller amounts of personal accounts to send their junk may not be able to hit the sheer numbers they used to use, but the odds of someone opening the email and taking action are greater because of the trust factor.

What To Do When Your Account is Compromised

First and foremost, don’t say your account was hacked. Security experts and people who understand the definition of hacking don’t appreciate that term. Explain that your account was compromised.

Next, don’t be like the 23% of people who admitted in the Commtouch survey that they did nothing when finding out that their account was being used for nefarious purposes.

When you finally realize that something fishy is going on with your account take the following steps:

Update your anti-malware software.

You are going to scan your computer but if your signature files, or definitions, are out of date your security software very well could miss files that have infected your computer.

Boot your computer into safe mode and run scan your computer.

Many people automatically assume that you should change the password to your account first. However, if whoever compromised your email account did so by means of a keystroke logger that is still running on your computer then they will be informed of your new password. Clean your computer of any malware in safe mode before you do anything else.

Change your password.

Once your computer is malware-free you need to log into your email account and change the password. However make sure that you avoid using passwords you use to log into web sites or other types of accounts. This could very well be the place your password was stolen from since criminals know that people frequently use the same passwords over and over. Add to that the fact that many accounts use your email address as the username and you have a perfect mix for disaster.

Of course, you are going to want to also make sure you use a strong password consisting of a combination of upper and lower case letters, numbers and symbols.

Taking precautions will never completely eliminate the possibility that your email account will be taken over, but being smart and aware will certainly minimize the risk.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

When Spam Comes From a Friend

1. Counterfeit Goods: Designer bags, watches, and other knock-offs are a favorite of spammers. They hope to lure shoppers in with hard to resist deals on sought after brand names such as Rolex, Louis Vuitton, and Prada. Some of these spams are honest and actually brag about being high quality “replicas” while others do all they can to convince buyers they are getting the real thing. Remember, if it sounds too good to be true – it is!

2. Fake Delivery Notifications: This malicious spam has been around for a while and to keep right on going. Since this is the time of year people tend to ship lots of packages to distant friends and family, it’s a sure bet spammers will try and take advantage of that to trick people into downloading Trojans that will add their computers to  botnets.

3. Pharmaceutical Spam: This old favorite is still going strong as well. Expect lots of cheesy subject lines with holiday themed innuendo designed to sell a variety of male enhancement products.

4. Fake Auction Notices: This phishing scam uses emails designed to look like they’ve come from eBay. Usually they say you’ve won an item or that a buyer is trying to get in touch with you. Naturally you’ll have no idea what they are talking about because you haven’t bought or sold anything  and want to check your account. Don’t follow the links in the message! They’ll lead to a fake eBay page and when you submit your login details, they’ll go straight to a scammer, who will likely use them to hijack your account and rip people off.

5. Fake Greeting Cards: Perhaps the most popular holiday spam of all are fake, virus ridden electronic greeting cards. A good rule of thumb is if the notification doesn’t tell you who it’s from, it’s probably fake. All the major e-card sites will tell you the name of the person who sent the card in the notification email.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 5 Christmas Themed Spams

As retailers around the world ramp up for the holiday shopping season, you can be sure that holiday themed spam and phishing messages will be heading for inboxes everywhere. And while we can update our filters and pay close attention to what is hitting our borders, our users may not have as good a protection on their personal accounts as they do at work, so give your coworkers an early festive present by warning them of the common threats that hit this time of year.

Malware

Whether in form of festive greeting cards, holiday screensavers, or applications for your Facebook page, festive themed malware comes straight from the Grinch and tries to take advantage of people’s holiday spirit. Making sure that antivirus software is up-to-date is critical, and treating any software or app with a healthy bit of skepticism is a way to play it safe.

Scams

Whether the hot gift this year will be tablets, or smart phones, or coffee makers, one thing is for certain; supply will not meet demand. Scammers will exploit this by sending emails offering unbelievable deals, or stating that they have in stock what everyone else sold out. If it’s too good to be true, it probably isn’t. Remind users to only shop with reputable vendors, and to check out special offers by going to the website directly instead of clicking links in emails they weren’t expecting.

Online Coupon Offers

Phishing attacks may offer incredible savings in exchange for personal information. Before filling out any form to get a discount code, make sure you are dealing with a real vendor. Again, going to the vendor’s site by typing the URL in by hand is safer than clicking links in emails, or calling a brick and mortar to verify a coupon offer is legitimate can save time and disappointment.

Fake Transactions

Users should be very careful about email confirmations for purchases they did not make. Scammers can mock up an order confirmation for a high priced purchase easily; and they are counting on the victim clicking the link to cancel the order rather than confirming it is legitimate. Whether that delivers malware, or tries to harvest personal information and login credentials, it’s a way to exploit users’ fears of fraudulent transactions.

Pleas for Help

This is also the time of year when phishing expeditions pull out the really mean-spirited methods. These can be pleas for help from strangers with incredibly sympathetic stories, or from relatives allegedly stranded and needing money, who can email but strangely not call for help. Users should be aware of these scams, and be wary of any request for help that they cannot confirm as legitimate.

Take a moment or two today to warn your users of these scams. It’s a gift that keeps on giving, and helps make sure no spammer named Scrooge spoils their holiday.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

‘Tis the Season for Holiday Spam

With Christmas just around the corner, the FBI can’t be accused of waiting until the last minute to get their Christmas shopping done. This week, the U.S. law enforcement agency – in partnership with several U.S.-based and international agencies – gave users around the world an early present when it announced the culmination of a two year operation dubbed ‘Operation Ghost Click’, which netted the Feds six Estonian nationals and saw the Christmas tree lights yanked on the infamous DNSChanger malware scam.

It’s been a busy year for the law enforcement community and its ongoing war against Internet crime, which has experienced some success with the takedown of two major botnets in Rustock and Coreflood. But global law enforcement agencies have frantically been creating a shopping list of new targets for investigation, which undoubtedly include a carousel of security breaches, both in major corporations and government departments, the wafting scent of state-sponsored and industrial hacking, the persistent and growing threat of hacktivism, and a raft of other exotic security threats. All of the above are wreaking havoc on the connected world, so when law enforcement wins one for the little guys, we damn well want to give credit where credit is due. We even have to send out kudos for coming up with a sexy name for a two-year long operation that saw six dirtbags paraded away in handcuffs. ‘Operation Ghost Click.’ How cool is that?

Anyone familiar with malware should be all-too-familiar with the DNSChanger scam, a Trojan horse distributed through multiple means, particularly spam e-mails. When activated, DNSChanger modifies DNS settings so that legitimate URLs are redirected to malicious sites bent on stealing information and earning ad revenues for the scam artists. Since 2007, DNSChanger has infected over four million unsuspecting computers, both Mac- and Windows-based. A half million of those are estimated to have been infected in the U.S., and the total haul for DNSChanger is estimated at $14 million over the past four years – reason enough for the joint collaboration of the FBI, NASA, the Estonian Police and Border Patrol, and the National High Tech Crime Unit of the Dutch National Police Agency, to name a few of the involved partners.  The full list of parties responsible for the takedown can be found on the FBI’s official news release here.

DNSChanger and its Mac OSX variants – known as OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C – prompted antivirus and antimalware developers to create tools to detect and remove its malevolent ass, but the malware continued to propagate, which is where Operation Ghost Click comes in. On November 8, two data centers – in New York and Chicago – were raided and more than a hundred command and control servers were taken offline. “To reduce the disruption to infected machines,” The Register reports, “the rogue DNS servers have been replaced with modified machines that are being operated for the next four months by the not-for-profit Internet Systems Consortium.”

Infected users should now be experiencing healthy DNS activity, even if the IP addresses of their systems have been compromised by DNSChanger. Users who wish to check if their systems have been compromised can use the FBI’s rogue DNS checker site. CNET also has some helpful information for Mac users who wish to manually check for DNSChanger infection.

Now for the fun part: simultaneous with the server shutdown, Estonian police took six individuals into custody.  According to The Register,

“Federal prosecutors in Manhattan said the scam was controlled by an Estonian company known as Rove Digital. Six Estonian nationals have been arrested by local authorities, and the federal prosecutors plan to seek the defendants’ extradition to the US. The defendants include Vladimir Tsastsin, 31; Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; and Anton Ivanov, 26. A seventh defendant, 31-year-old Russian national Andrey Taame, remains at large.”

Each defendant is charged with five counts of wire fraud and computer intrusion crimes, and Tsastisin faces an additional twenty-two counts of money laundering. If convicted, six of these geniuses are looking at 85 years. Tsastsin is looking at an additional ten years for each of the money laundering charges, which, if convicted on all counts, would make him 336 years old by the time he gets out – and they say that bad things don’t happen to bad people!

Some are calling it the biggest cyber-bust ever. Whether or not that’s true, it was still a pretty good day for the law enforcement and Internet security communities. Keep up the good work, and thanks for the early Christmas present!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

‘Operation Ghost Click’ Biggest Cyber-Bust Ever?

Apple is a popular target for spammers. Spam messages and sites offering free iPads are plentiful. Since it was announced on October 5^th that Jobs had finally lost his long battle with pancreatic cancer, new spam campaigns exploiting his death have been increasing. Some include links that claim to offer proof that Jobs faked his death and is still alive, while others include links to supposed video tributes, iPhone 5 news, and exclusive info about his cause of death. Most led to pharmaceutical and other spam sites but some tried to deliver malware.

It’s standard operating procedure for spammers to exploit news stories, natural disasters, and entertainment and pop culture fads. Anything they think has a large audience is a target, no matter how tasteless. Some of the biggest of these types of campaigns includes spam exploiting the Haiti and Japan earthquakes and the sudden death of pop music icon Michael Jackson. When Steve Jobs died, there was a nearly unprecedented outpouring of grief and sympathy.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Spam Campaign Features Fake Steve Jobs Charity

During the last full week of September, the International Medical Products Anti-Counterfeiting Taskforce (IMPACT) coordinated an operation that spanned both law enforcement and other businesses being used by the alleged criminals, including Internet Service Providers, credit card payment processors, and delivery services. Law enforcement sought the participation of these different businesses as they are used (unknowingly) in the illegal prescription medicine trade. Information was gathered by various parties and forwarded on to INTERPOL’s offices in Lyon, France. All told, over 13,500 websites were identified as selling fake drugs. Over 45,000 packages inspected, leading to 8,000 that seized. In total, more than 2.4 million pills were in these 8,000 packages, including fake medications for cancer, epilepsy, and antibiotics, antidepressants, steroids, and other supplements. A total of 55 people have been arrested or are currently under investigation for a variety of crimes, including credit fraud, illegal drug trafficking, and other crimes.

Acting upon the advice of law enforcement in the UK and the Medicines and Healthcare products Regulatory Agency, Nominet worked with its own personnel and partner registrars to suspended 500 .UK domains. There were over 13,500 websites scattered across these domains.

Rather than seizing the domains (as has been the practice recently in the US) Nominet simply stopped resolving requests for the authoritative name servers for the implicated domains, essentially cutting them off from the Internet. If a browser cannot resolve the name in the URL to an ip.addr, the site cannot be reached.

According to Eleanor Bradley, the Director of Operations for Nominet, the affected domains were all clearly in violation of the terms of service for Nominet or its partners’ terms. Domains that were not clearly in breach were not shut down. Many of the domains that were taken down had been registered with false contact information, which is a violation of practically every TLD registrar in the world.

Other domain registrars might have participated in Operation Pangea IV, but were either not available for contact, or chose neither to confirm or deny their involvement.

I for one applaud Nominet’s actions and their cooperation with the operation. Rather than seizing domains based solely on a warrant, they cooperated with law enforcement, but used the terms of service customers must agree to when registering a domain to determine whether or not to suspend a particular domain. Suspension indicates that there is a valid way to appeal this action should a customer wish, but at the same time immediately and effectively removes from service these websites peddling fake and most likely dangerous drugs. While spam and phishing emails related to these drugs will likely continue for some time, links will no longer work, and the more gullible recipients of this particularly noxious type of spam won’t be able to reach the websites designed to fleece them of their money.

Readers might be tempted to provide false information when registering their own domains, hoping to avoid spam or other unsolicited sales calls, but again, this is a violation of the terms of service set out by every domain registrar I have ever used, and most others as well. If you want to protect your privacy, use a domain registrar that offers private registrations. These use their own staff to act as an agent on your behalf, protecting your privacy while still providing valid contact information for registrar purposes.

You can read more about the operation on Interpol’s website, at http://www.interpol.int/News-and-media/News-media-releases/2011/PR081.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Registrar Shutters 13,000 Domains

In the immortal words of Homer Simpson, “D’Oh!” Just when you thought you had things figured out, a new report from IBM states that desktop computers will become the craze and everyone will want one, that everyone in the world will be able to send messages over this new thing called “the Internets”, and that a new pop star named Lady Gaga will take the world by storm. Oh yeah, they also advise us that mobile spam is on the rise. In other words, they’ve stated the blatantly obvious.

Haters of spam and phishing, beware. We’ve got some bad news for you. Really bad news. You’d better be seated for this one. We’ll wait.

[waits]

OK, good. Now that you’re seated, we have some earth-shattering news that will rock you to your socks: mobile spam is on the rise. Now that we’ve said it, we’ll wait while you catch your breath.

[waits]

Better now? Good, because it came as a shock to us, too. ComputerWeekly.com reported this week that IBM has just released its X-Force 2011 Trend and Risk Report, and the news is, well, just as we expected. Now that our sarcasm is expended, let’s take a look at the facts, for IBM does, in fact, put together a pretty sweet report, replete with fancy graphics and yes, some pretty interesting reading.

BYOB or BYOD?

Personally, I prefer BYOB, but IBM’s report focuses on the growing trend of BYOD, or bring your own device. A nifty if not so advantageous upgrade to the bring your parent to school days, BYOD, simply put, is a natural occurrence in a world that’s fascinated by mobile devices, such as smartphones and tablets. The offshoot of people bringing their devices to work, of course, is that they want to connect those devices to the company network, and that’s where the problem lies. According to IBM’s report, as stated by ComputerWorld.com:

“Mobile vulnerabilities are expected to grow at least 15% year-on-year, while mobile exploits are predicted to double compared with 2010.”

IBM’s report, it seems, is bringing to bear our greatest fears.

“’For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices. It appears that the wait is over,’ said Tom Cross, manager of threat intelligence and strategy for IBM X-Force.”

IBM is advising IT departments everywhere to increase their vigilance (and maintain their software) by ensuring that anti-malware software and patches are kept up-to-date. Malware being delivered through SMS and the privacy risks that arise from personal devices that may not be secure are, of course, primary concerns for any network that might be compromised through a wireless connection with the infected devices.

Not So Anonymous Anymore

The report has identified a tripling in the amount of malicious activity between 2010 and 2011.

The reason for this massive increase is due in no small part, “to ‘hacktivist’ groups, such as LulzSec and Anonymous, using SQL injection attacks, and ‘whaling’ or spear-phishing, whereby company senior executives with access to critical data are targeted. Anonymous proxies have more than quadrupled compared with three years ago.”

It’s Not all Bad

Even though malware is on the rise, it’s worth noting that the X-Force report found that web application vulnerabilities have decreased for the first time in five years. This can probably be attributed to the rise in more personalized and targeted attacks.

ComputerWeekly.com notes that IBM found “levels of vulnerabilities in web browsers and spam had also declined significantly while traditional attacks on weak passwords and databases were still commonplace.”

I Thought it Was the Year of the Rabbit

IBM’s preamble to their analysis is a little chilling in what it predicts, and it should stand as a dire warning to anyone with a vested interest in maintaining security.

“An explosion of breaches has opened 2011 with continuing, near daily new reports, marking this year as ‘The Year of the Security Breach.’ These breaches have been notable not just for their frequency, but for the presumed operational competency of many of the victims.”

The environment is changing, they go on to state, and in that snippet of knowledge we can begin to understand what’s happening here.

If 2011 is the ‘Year of the Security Breach,’ then what, in God’s name, does 2012 have in store for us? If the victims, as IBM suggests, are atypical targets due to their high levels of ‘operational competency,’ then what’s next?

We’re not in Kansas, anymore, Toto.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

IBM Report: Mobile Spam on the Rise, Sun Sets in the West

Fans of the venerable Monty Python and the Holy Grail will undoubtedly remember the classic scene at the Bridge of Death, when the bridgekeeper confronts the knights of Camelot with three questions each. Brave Sir Galahad, of course, can’t get it straight when the old man asks him, “What is your favorite color?” Sir Galahad answers, “Blue…no! Yelloooooww!” and is surreptitiously tossed into the Chasm of Death. Funny stuff, right? Not so funny is the current state of phishing – similar to Sir Galahad, the IT industry can’t seem to get it right when it comes to the financial impact of phishing, and this week, we call them out for it.

We all know that somewhere, somehow, spam sucks-in someone for some serious shekels (bet you can’t guess that I’m a fan of alliteration). It’s been a sad fact of life in the modern era for as long as email has been around. As you read this, some poor, unsuspecting schmuck who doesn’t understand technology enough is about to click a link that represents the gateway to financial doom and destitution; and before you don your fluffy bunny (or, in my case, Spiderman) pajamas tonight, drink your glass of warm milk (or pop an Ambien) and tuck yourself into your feather (race car) bed, an inconceivable host of naïve web surfers will have somehow compromised their safety, all from the perceived safety of the walls of their own homes.

But is that host of patsies innumerable? Some might think so, but just how far off are the estimates of the untold wealth being bilked from honest citizens? How much money are the creeps who phish really getting away with?

I Don’t Get It, and I Don’t Care

An eye-opening article by Terry Zink uncovers some uncomfortable truths about the understanding that we have of this modern-day plague, and it brings to bear an accusatory finger which points squarely at the heart of the problem. It ain’t pretty, either, because the true criminal in the ongoing war is apathy. Zink points out that the huge black eye suffered this week by UBS is an example of how law enforcement excels at bringing down white collar criminals; but the other ‘white collar criminals’ – spammers and phishers – go largely unidentified and unprosecuted. Zink points out that “phishers and scammers get away with it because they can: nobody goes after them, and when they do it is extremely rare.”

I Can Tell You, but You Won’t Like It

He backs it up with some pretty compelling evidence, too. According to multiple, reliable sources, the financial impact of phishing scams looks like a shopping list made by someone with Multiple Personality Disorder:

• $3.2 billion in 2007 according to Gartner
• $137 million in 2004 according to TRUSTean
• $60 million in 2008 according to Microsoft
• $500 million in 2004 according to the Ponemon Institute
• Not even in the top 5 threats according to Paypal
• $100 million in losses according to the FBI
• $250 million per year over the past couple of years according to Consumer Reports
• $2.3 million per one million customers of banks according to Trusteer

As Zink points out, the disparity between these numbers is not only glaring, in fact it’s downright distressing. That no one really understands how big this problem is, is in fact the only takeaway from these numbers.

Get Your Act Together

Zink considers that no one has really conducted a good study of the financial impact of phishing scams, and while that may be true, there are also other considerations. Some people who get scammed never report it, perhaps because they’re too embarrassed to tell anyone. Corporations normally remain tight-lipped when they’ve been successfully scammed, because that kind of news breeds investor and consumer apprehension. But the malaise which threatens us every day from within the confines of our inboxes grows like a festering wound, and the only way to combat it is to find some sort of solidarity amongst those of us who wish to stamp out the insects.

In short, if we don’t want to be tossed into the Chasm of Death, then we had better get our act together and come up with a response that will ensure our safe passage. That’s why this week, I’m calling out those groups above, and others not listed in that group (beginning but not ending with law enforcement), who can’t seem to get their story straight and don’t seem motivated to understand what we’re up against. Fix the problem, or remain part of it.

Now, for an Ambien and a good night’s sleep in my race car.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

“Blue…No Yellow!” Make-Up-Your-Mind Edition

However, since spam is entirely reliant on electronic communications, it can easily be tracked and studied. By collecting data from anti-spam tools and filters those tasked with fighting the spam menace can put together information that not only helps them discover trends, but helps the end user gain the all important education that so many professionals feel is the best way to attack the problem of spam.

So, if you are one of those who wish to better educate yourself, or better educate others, read on.

Trends in the subject lines

One of the easiest ways that end users can identify spam is through the content of the message itself. Starting with the subject line.

Spammers understand the need to entice victims into opening the email by using an intriguing subject line. To do this they either try to scare the recipient with a warning message or instill curiosity by using a short, non-descriptive subject.

In early August spammers took a more retro approach using a subject line stating that a package from UPS, FedEx or DHL could not be delivered. More recently the following subject lines have become popular:

• One that simply reads “Changelog”
• One that states the email contains an end of the month statement requiring immediate attention
• One that claims to have come from a company’s internal accounts department
• A warning that the recipient is being notified of traffic charges
• Those promising adult content

Where is spam coming from?

It is no secret that most spam originates from developing countries. While the targets may be the inboxes of those living in the United States, Great Britain and Canada, they rarely come from these countries.

The top ten originators of spam messages are:

1. India – 15.6%
2. Indonesia – 11.7%
3. Brazil – 9.2%
4. Peru – 6%
5. Ukraine – 5.8%
6. Korea 3.6%
7. Colombia 3.6%
8. Taiwan – 3.2%
9. Italy – 3%
10. Thailand – 2.1%

Spam as a marketing tool

When people think of spam they often think of its use as an advertising medium. For years people have used different messaging systems to generate interest in their products. By category, the most commonly advertised products/services from the past month are:

1. Pharmaceuticals and medical services – 45.7%
2. Financial services – 20.6%
3. Adult content – 5.8%
4. Computers – 5.5%
5. Education – 4.3%
6. Travel – 1.7%
7. Gambling – 0.9%
8. Interior design – 0.7%
9. Surveys – 0.3%
10. Electronics and gadgets – 0.3%

Email attachments and spam

While marketing is commonly associated with spam, many spammers realize that the profit from their trade comes from other revenue streams.

Infecting computers with malware can yield much higher returns for spammers as these infected computers can be controlled as zombies or botnets, deliver scareware in the form of fake anti-virus software or simply send passwords and financial information back to a database.

Ever wonder what it is that infects so many computers? Take a look at the malware that was frequently sent via email during the month of August:

1. Trojan-Spy.HTML.Fraud.gen
2. Email.Worm.Win32.Mydomm.m
3. Trojan-Downloader.Win32.Deliver.II
4. Trojan.Win32.Yakes.bss
5. Trojan.Win32.Yakes.bwb
6. Trojan-Dropper.Win32.Injector.azq
7. Trojan-Downloader.Win32.FraudLoad.ibu
8. Trojan.Win32.Yakes.bqc
9. Trojan.Win32.Yakes.btp
10. Trojan-Dropper.Win32.Injector.bvw

Phishing

Phishing still remains a popular reason for people to send spam. The number of messages that can be considered phishing attempts has been increasing steadily.

The list of websites targeted by phishing scams covers a broad range of sites with online shopping, financial services, social networking, online gaming and even the US government represented:

1. PayPal – 35.91%
2. eBay – 10.17$
3. Habbo – 9.77%
4. Facebook – 8.67%
5. Orkut – 6.03%
6. Santalander – 3.19%
7. Google – 2.84%
8. RuneScape – 2.62%
9. Halifax – 2.37%
10. Internal Revenue Service – 1.94%

Even though the numbers in each of these lists represents only one month out of the year they show us two things: spam remains a serious threat that continuously needs to be addressed, and with the scope of the various threats changing from month to month education regarding spam is more important than ever.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

A Look Inside Spam’s Numbers

After the article on talking to people about spam, we got a few requests to go deeper into the topic and share some more ways a technically adept user could show to a non-technical user how to identify spam. In this post I will share snips from some actual spam messages I have recently received, and while someone like you or I could tell instantly that they are spam, I will call out to “regular folks” what makes it spam.

You are welcome to discuss this post with your non-tech friends, or just point them to this post and let them approach it on their own. If you choose to let them self-study, please be available for them in case they might have any questions. 

Unexpected messages

Email can be very social, so the temptation is there to read, believe, and respond to anything you receive. But if the message is from anyone you haven’t heard from in ages, or a business you have not dealt with, show some healthy skepticism.

Emergency messages from friends or relatives

Many scams will try to convince you to send money to a stranded relative who can somehow email you, but didn’t call and can’t be reached by phone. Do you really think they had access to email, but not a phone? Don’t fall for this scam.

Requests to update your account

Any time you get an email from your bank, your credit card, or some social networking site telling you to click the included link to update your settings, you can bet it’s fake. Call the customer service number on your card or account statement, or go to their website by typing in the URL to your browser to confirm, but NEVER click the link that is in the email.

Requests for your password

You will never, ever, get a legitimate request to provide someone your password. Never.

Faked links

Always treat links in emails with a healthy sense of caution. Mouse over them to see if the URL that appears in the message matches what is in the status bar, and if you have any doubts at all, better safe than sorry. You can always Bing for the page if you really want to see it.

Obvious misspellings

This may apply more here in the US than elsewhere, but almost every spam message I have ever looked at has some obvious misspellings. I mean ones that anyone should catch. This may also include STrange CAPitalization. Most legitimate senders use spellcheck.

Strange punctuation

This is another one; though it may be more subtle and even legitimate messages may have some punctuation errors. Dont be a grammar nazi, but think twice when you are checking your mail.

Pleas for help from strangers

Unless you actually submitted your email address to a list of good Samaritans and charitable causes, no one is going to email you out of the blue asking for help.

Offers too good to be true

No dead businessman has EVER left an unclaimed bank account worth millions, and no last surviving scion of a deposed dictator is going to reach out to you to help smuggle millions out of the country. Microsoft does not give away laptops to people who forward their email, and Walt Disney doesn’t give free vacations for that either.

You’re a winner, but you never entered the contest

Same concept. If you didn’t enter a drawing, contest, or raffle, how could you be the winner. If you are giving out your email address to so many things you can’t remember, spam may not be the biggest problem you have.

Anything that wants you to forward to others

Just don’t do it.

Attachments you weren’t expecting

Malware (the fancy name for viruses and other programs that will crash your computer and steal your passwords) are often sent as attachments, hoping to get you to open them. Even if it is a friend who sent you the message, call them to be sure they really sent it before you open it.

Open the attachment to read the message

Same idea, only more likely to fool the curious since they want to know what the message is. Don’t fall for it. No legitimate mail will be sent as an attachment without anything in the body of the email.

There may be good reasons for some of these (but not the passwords, giveaways, or requests to update your account) so don’t assume every email you get is spam, just understand most of them are, and use caution and good judgment. It really is better to be safe than sorry.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Teaching People how to Identify Spam

Amazon has finally started cracking down on spam-filled ebooks for sale in its Kindle store.
The books started flooding the store back in June. Most of them were fake and filled with either recycled PLR (private label rights) content or simply an ad for the same scam program the person who “wrote” the ebook fell for. The ad offers a supposedly foolproof way to make money by selling ebooks. It’s really just a collection of templates and suggestions on how to exploit the Kindle store for profit.

A spammer on Warrior Forum, a gathering spot for “internet marketers”, complained that he had 22 spam books removed from the store and got this email from Amazon:

Hello,

We’re contacting you regarding books you recently submitted via Kindle Direct Publishing. Some of these books are either undifferentiated or barely differentiated from an existing title in the Kindle store. We remove such duplicate (or near duplicate) versions of the same book because they diminish the experience for customers. We notify you each time a book is removed, along with the specific book(s) and reason for removal.

In addition to removing duplicate books from the Kindle store, please note that if you attempt to sell multiple copies or undifferentiated versions of the same book from your account, we may terminate your account.

If you have any questions regarding the review process, you can write to kdp-quality@amazon.com.

Best regards,

Kindle Direct Publishing

http://kdp.amazon.com

So many people jumped on to the spam bandwagon that the Kindle store was filled with fake ebooks, many of which had the exact same content courtesy of the aforementioned ebook spam program. It’s good to see Amazon cracking down on the spammers. There are many authors in the direct publishing program who don’t spam or cheat and instead work hard to produce high quality, original work. They shouldn’t have to compete with or be tarnished by all the scammers.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Amazon Cracks Down on Spam

The purists may suggest that we should never have made things smaller. They might even postulate that the age of innocence is over, and they would probably be right; but a new age is just beginning, and the dinosaur-sized PC that sits on your desk is now just that: a dinosaur. The ‘Big Ol’ Beast,’ as I like to call mine, sits there and stares at me sometimes, seemingly pleading with me: “pay attention to me!” “Use me!” it begs. “Bigger is better!” it pouts.

I just chuckle and Swype my finger across a shimmering sheet of Gorilla Glass, giggling like a school girl when a word is transposed into the message I’m composing, without my finger ever leaving the virtual keyboard.  Holding a fully functional computer in the palm of my hand is surreal and downright unbelievable, especially when I think about my first computer, an Atari 400 with a flat membrane keyboard, 4 Kilobytes of RAM, and the ability to display a whopping 256 different colors onscreen simultaneously. The wonderment I felt while pounding out (literally – you had to press hard on those keys) games in Atari BASIC seems like only yesterday, but the tech world is a time machine and I’ve been transported into the 21st century – where smaller is better, and just when you thought it was safe to download that new Sudoku game for your shiny new mobile device, you should think again. For as our tech gets smaller, so too does the world we live in.

“Mr. Data – Engage”

Allow me to dispense with a formality: it is Android of which I speak. I’m not going to get into a lengthy debate here, but I’m dismissing the iPhone and iOS from this discussion. While there are many millions who would vehemently disagree with me, I believe the Android OS, and the phones that support it, to be vastly superior to Apple’s offerings – and it appears there are many millions who would agree with me. As a developer who strongly believes in sharing over hoarding, I’m an open-source guy and always have been.

The problem with open-source is that while it promotes the highly admirable philosophies of collaboration, sharing, and (often) freeness, it also sends a message to the lowlifes and scum of the earth. You know the types: those who will scam little old grandmothers out of their life savings. The despicable cross-section of society that often makes me ashamed to admit I’m part of that society. The scammers and spammers – the pond-scum phishermen, as I like to call them.

Security Breach

Herein lies part of the problem: society just can’t turn down something that’s free. If the Android OS has one significant problem, it’s that its open-source nature allows anybody to put free or advertising-supported content on the Android Market. It’s no secret that Google has had their share of problems with previously valid applications being reupped to the Market, replete with all sorts of security exploits. And while it seemed strange to me to install a firewall and antivirus software on my phone, in my mind it was a pure necessity and the first thing I did when I set up my phone. (Note: this is where I tip my hat to Apple’s closed, often oppressive, approach to its marketplace. Oppressive or not, I never sensed a security threat to my iPhone).

Spam Magnet

That device in your pocket is infinitely more dangerous than anything you ever plugged a keyboard and mouse into. The open-source feeling and the sense that you’re holding a teeny-tiny little PC in the palm of your hand provides a false sense of security, one that turns your phone into a spam magnet. It’s easy to forget, especially if you’re not an IT professional, that not all spam filters are created equal. Indeed, the very nature of mobile devices means we use them on the go, making that device in your pocket a spam attack waiting to happen.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bigger is Better: Why Your Pocket is Filled with Spammy Goodness

My Dear,

In all your humble awareness, this is best understood by also playing the song If I Had a Million Dollars by the Barenaked Ladies at the same time. Now that you have done that, understand that I contact you only because my government has locked me inside our national brewery and I cannot get all this fine ale out of my country without your considered support. Please respond to this message by providing your personal information, bank and credit card numbers, and a large bag of very salty pretzels.

Yours insobriety,

Mr. Jamie Campbell

All righty, then. I suppose that my first – and last – attempt at composing a spam letter exposes me for the fraud that I am. But what if I was serious about this strange thing called spam? What if, God forbid, I got smart about the whole matter and adopted a scientific approach in implementing a targeted spam campaign? It’s a dangerous thought, but it did occur to me recently that if spammers had some brain cells to rub together, they might spark a fire far worse than the ones we’re already trying to douse. With that thought process in place, I began thinking about how I would approach spam. Here are the results.

Please note: The following activities were imagined by a trained professional. Do not try this at home. By the way, it really does read better if you play If I Had a Million Dollars.

…I’d Hire Writers with English Degrees
I love Google Translation, but not for translating War and Peace from its native Russian. Spam emails read like a synthesis of Revolution Number Nine by the Beatles and the collective works of Dr. Seuss, if those works were co-written by Jack Kerouac. Don’t get me wrong: I love the Beatles, Dr. Seuss and Kerouac, but I don’t experience them all at one time, any more than I dump my dinner in a blender and drink it. So for my first considered action, I would hire writers trained in English. Even if they were bad writers, they couldn’t be worse than the ones currently crafting spam emails, and I use the word ‘crafting’ lightly.

…I’d Pay Attention to the PC Market
Everyone knows that smartphones, tablets and web appliances have set their sights and taken bites out of the traditional PC market for some time now; but last week, news from the financial world seemed to set the pace for the future of computing, when the giants of the tech world announced their quarterly results. Intel shaved its projections for PC sales and Microsoft’s results for sales of Windows fell short for a third straight quarter. All the while, Apple happily announced that it has moved a whopping nine million iPads. “The desktop, at least for consumers, probably doesn’t have a great future, and the iPad and similar tablets can deliver a lot of the functionality of a laptop,” an analyst stated in an article by Reuters.

The face of technology is changing rapidly, and adapting to the new paradigm is a necessity for wannabe spammers. We’re already seeing a shift, as evidenced by an increase in SMS spam, and the successful spammers are going to be the ones who figure out how to utilize all facets of devices in a thoughtful and coordinated manner.

…I’d Integrate My Attacks
Spam is like spaghetti (spamghetti?) – it gets thrown against a wall and sometimes it sticks. In fact, it’s mind-boggling how poorly-contrived most spam campaigns appear to be. But what if the spam was personalized? We’re already seeing it, as evidenced by Cisco SIO’s 2011 report entitled “Email Attacks: This Time It’s Personal.” The real opportunity is not only to identify individuals and personalize spam messages, but also to implement integrated, multi-tier attacks.

People are creatures of habit and tend to lower their guard when approached three or more times. For example, I’d send them a personalized email to begin with, but I’d also call and ask for them by name, explaining the opportunity; and then, for good measure, I’d send them an SMS message following up on the call. Y’know, build up the trust before I take them for everything.

…I Wouldn’t be Spamming Anymore
I wouldn’t be calling them myself. Heck, I wouldn’t even be sending spam emails. I’d have people doing it for me. And I’d already have my private island, fifty foot yacht, exotic pet collection, and like the song says, really expensive ketchup for my Kraft Dinner.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

If I Was a Spammer…

The New York Times have begun to take issue with questionable search engine optimization (SEO) tactics and have been highlighting these black-hat techniques that are used to game the Google search engine. Their efforts exposed JC Penny and Overstock.com for illicit practices when it came to buying incoming links and now the Times have taken interest in how spamming Google places has become a profitable venture for those who find email spam just a bit too exhausting.

The Scam

Using locksmith services in Seattle as the scene for this story, the Times reported on how lead generation sites can flood the local search results with fake addresses to gain more favorable rankings in the search engine results page for specific keywords. In this instance, emergency locksmith Seattle.

In this type of scam the lead generation service sets up a listing in Google Maps for their target city that can be either a post office box or, for the more courageous, a fake address on a real street. Some local businesses even offer their address to these spammers for a small price each month.

The business name is then set up as using prime keywords and the name of the city, for example Seattle 24 Locksmith. Using other services like Yahoo Local, Yelp, Yellow Pages, etc, the spammer can build citations for the illegitimate listing.

Some spammers even go so far as to set up a blog, link build with comment spam and hire people to provide reviews of their service. Now they not only look like the ideal choice for a locksmith, but they have successfully built themselves up in the search engines so that true local businesses don’t stand a chance at out ranking them.

Now they move on to the next city or keyword and repeat the process.

So now the customer thinks that they are calling a local business with great reviews. Instead they are calling a phone bank, often located in a foreign country, which dispatches a locksmith that pays for their services. Some of the locksmiths are legitimate but the Times reported that, “all too often [they] do shoddy work and/or charge two or three times the estimate.”

Essentially, if a legitimate business doesn’t fall in line and pay up for customers through these lead generation services their business takes a huge hit. Basically, this is an example of digital extortion.

Is it Really a Problem?

So just how big a problem is this? According to Yelp there were 3,000 locksmiths listed in the Seattle area. Most, as it turns out, were lead generation sites.

For the customer this presents a huge problem. One story cited in the Times article explains how a local locksmith named Bob Strom responded to a call where a victim of this type of scam explained,  “A young man came yesterday, quoted me $49 to open my door, then he drilled my lock, charged me $400 and left — and now I need a new lock.” He went on to state that this has become a rising trend.

For businesses it represents just as much of a threat. Google’s Matt Cutts defines webspam as, “the junk you see in search results when websites successfully cheat their way into higher positions in search results or otherwise violate search engine quality guidelines.” And Google has spent a great deal of time and money to fight this growing type of spam.

Currently, certain industries are more susceptible to this type of spam than others. Those who find it most difficult to compete fall under these industries:

• Locksmiths
• Plumbers
• Carpet cleaning
• Movers
• Appliance Repair

But that doesn’t mean other industries won’t see problems beginning to arise as they lose business to those who find it easier to game the system than to produce quality, competitive work.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamming Google Places