Malware developers seem to appreciate a little humor when it comes to naming their schemes. One of the latest email scams to invade inboxes everywhere is no exception, it seems, and the FBI has been quick to let businesses know that if they don’t keep their eyes open for a phishing scam originating in an email from FDIC, NACHA and the Federal Reserve, opening the mail’s attachment could be one of the most devastating choices in a young 2012. Worse yet, this new scheme appears to be linked to the Lord of the Greek gods – or its eponymous malware, anyway.

‘Game over’ is never a good thing, whether it means that your last ship has been destroyed and your quarter spent, whether it’s a lame and overused witticism that yet again has found its way into the mouth of Hollywood’s action hero du jour, and yes, even when cyber criminals are searching for just the right name for their latest piece of malware. While we’re not averse to debating the first two, our interest here is firmly with the latter. It seems the U.S. Federal Bureau of Investigation shares that interest, as evidenced by a security bulletin earlier this month that identifies a new email scam, one which cyber criminals have decided to call – what else? – Gameover.

Gameover is a phishing attack that appears in the form of spam emails spoofing the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Bank, or the National Automated Clearing House Association (NACHA). Like a multitude of others, the scheme preys on users’ fears and/or lack of vigilance, informing them that there has been a problem with their bank account or an ACH transaction (ACH stands for Automated Clearing House, a network for financial institutions in the U.S.). Sufficiently frightened, recipients are encouraged to click the included link, which instead of resolving the issue, takes the user to a malicious site where the Gameover malware is executed.

The malware has been identified as a variant of ZeuS, a notorious piece of malware which has been responsible for stealing financial information through the practice of keylogging for a number of years. Once activated, the cyber crooks can steal banking information such as account numbers and passwords.

As if that wasn’t enough…

More than just a keylogger, however, ZeuS (and coincidentally, Gameover) has an added payload. According to the FBI:

“After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site — probably in an attempt to deflect attention from what the bad guys are doing.”

But wait – there’s more!

In what sounds like a novel involving international intrigue, FBI investigations have been able to trace the attacks as far as to jewelers, as the stolen funds are used to purchase “precious stones and expensive watches from high-end jewelry stores”. The crooks contact the jeweler, tell them what they’d like to purchase and inform them that they will wire the money the following day. The following day, a “money mule” – a person involved in the money laundering part of the crime – shows up at the jewelry store to pick up the merchandise. The jeweler confirms that the money (the stolen money from the spam scheme) is in their account and upon doing so, turns the merchandise over to the mule, who in turn delivers the merchandise to the crooks or converts it into cash that upon being transferred, is effectively laundered.

Wow – It really is the stuff of imagination, but even more interesting is that the FBI has suggested that the mules could be unsuspecting victims of those omnipresent ‘work at home’ schemes that we see everywhere. While the federal agency has confirmed that many of the mules are willing participants, it has also noted that an increasing number are likely people who have succumbed to these schemes and have been unwittingly recruited into laundering money stolen from victims of the spam scheme.

Be on the lookout for this one and advise your staff ASAP. At very most, it could be a story worthy of a novel. At very least, it could save you and your users plenty of headaches and lost funds.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

FBI Declares ‘Gameover’, Link to ZeuS

Naturally, such tools would be very useful for IT departments and system administrators to educate employees on how to spot phishing scams. Employees falling for such scams are a leading cause of corporate data breaches, and such breaches can cost a company millions.

“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner?’” said Will, one of the Toolkit’s co-developers. “It seems like in every organisation there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”

While it appears the developers had honest intentions when they created the toolkit, the fact remains it could be pretty attractive to the bad guys and they have no way of controlling that. Right now it doesn’t record any data typed into the fake phishing sites it generates, but they said future versions of the kit will have that functionality. That may make it irresistible to scammers looking for a way to create phishing campaigns that’s fast and won’t eat into any profits.

What do you think? Are these toolkits helpful or just asking for trouble?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Go Phish Yourself?

The year’s off to a rousing start, with all sorts of interesting security news this week: Wikipedia led a temporarily successful foray against SOPA and PIPA by joining numerous websites that went dark for a day; the founder of Megaupload had his hands slapped when law enforcement officials told him resoundingly, “no, you can’t pirate copyrighted material” – insult was heaped upon injury when dozens of expensive cars were towed away to show him they were right; and Koobface – the Facebook botnet that has been harassing Zuckerberg for years – was taken down by its own creators after the Facebook gang teamed up with The New York Times to uncover and publish the identities of the worm’s owners. To round off the week, QR codes (like the one in the image here) may just be the latest form of spam, and news out of the Twitterverse suggests that Darwin’s cardinal rule is not only true, it’s actually a dire prophecy of our impending extinction.

The year’s less than a month old and it may already be shaping up as ‘the year of anything goes’. Topping the headlines was a mass protest against seemingly inevitable anti-piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect I.P. Act), as innumerable websites intentionally went dark on January 18. Led by students’ greatest friend and perpetual source of dubious information Wikipedia, the activist movement irritated web surfers across the globe and scored one for the little guy as the bureaucrats in Washington, DC backed off the proposed legislation and shelved the bills, albeit temporarily. It’s practically inevitable that some wily spammer will take advantage of this controversy, so keep your eyes open and watch your back.

In a related story and in the spirit of fishy timing (i.e., the same week as the aforementioned protests), Megaupload founder, Kim Dotcom, was carted off along with several other geniuses who figured they would get away with providing a conduit for copyrighted material, all the while skimming millions of dollars off the illegal activity and thumbing their noses at the FBI. German national Mr. Dotcom, lamented as his lavish New Zealand mansion was raided and dozens of vintage cars were hauled away as the spoils of war. Again, there’s more here than meets the eye, especially now that Anonymous has its back up.

In an LMAO moment, individuals responsible for Koobface – a nasty piece of malware that has been frustrating Facebook and Twitter users for years – have taken down their own command and control server after Facebook teamed up with The New York Times to uncover and embarrass five of the founders – Russian nationals living in St. Petersburg, Florida. The named individuals have scrambled to scrub their online profiles, but it’s highly doubtful that erasing their cyber identities will have much of an effect in the real world, where police carry real guns and real handcuffs.

Are QR codes the newest spam threat? Some people think so. QR – or Quick Response – codes were developed in the automotive industry and have been used for a while. Slowly entering the mainstream  over the past couple of years, they are in wide use in Japan, the UK and the US, amongst other countries. Popular because of their fast readability and relatively high storage capacity (compared to bar codes), the increased use of smartphones with cameras and QR reading apps have made the codes a prime target for manufacturers and retailers; heck, even Google’s looking at getting into the game by using QR codes as a secure login method.  The problem is that QR codes can contain virtually any information, meaning that they are already being exploited by scammers and spear phishers. Keep an eye on this one, folks – and think twice before you take a picture of that code staring you in the face.

Finally, from the Twitterverse, here’s one that, no matter how much you shake your head, won’t rid that sickening feeling that the human race is on a collision course with extinction. Perhaps a case of ‘you can’t spell Twitter without ‘twit’, this recent article shows just how careless – or ignorant, or both – web users really are. Get this: over a twenty-four hour period, more than 11,000 Twitter users shared their email addies with the rest of the world. A safe practice if we were living in Thomas More’s Utopia, but it’s not the case if you reside anywhere on Earth, which is rife with people who would just love to use that information against you. This is just a guess, but it looks like spear phishing season is open and Twitter is the local watering hole.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Week in Review: You Can’t Spell Twitter Without ‘Twit’

Early Monday morning I received an email from Zappos, the popular online retailer.  Theemail informed me that they had been hacked and my personal info, along with that of 24 million other customers, had been compromised:

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

While it’s great that actual credit card numbers weren’t taken, the info that was leaves me and my fellow Zappos customers open to spammers and spear phishing attacks. It’s likely the hackers now know at least some of our buying history and can use that info to create very targeted campaigns, not to mention if they are able to decrypt the passwords they took before the account owner follows the company’s directions and changes it, theoretically they could access that account and go on a buying spree.

There are a couple of things to be learned from this and other recent breaches. Change the passwords you use regularly, and avoid using the same password and username on multiple sites. The hackers behind the Zappos breach will likely be able to find their way into other accounts because so many people use the same password over and over at different sites. If you’re a Zappo’s customer, change all your passwords and keep a close eye on your accounts, especially your financial ones.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zappos Data Breach Could Result in New Phishing Attacks

An open redirect vulnerability has been found on both Facebook and Google. This could easily be used to redirect users to a phishing page or a malicious domain. In a phishing attack, users wouldn’t even realize they’d been redirect, they’d just think their log in didn’t work the first time. This could potentially give scammers access to thousands of Facebook and Google accounts, and since many people have Gmail accounts linked to their Google accounts, access to those as well. A spammer’s paradise. Here’s a look at how it works:

Google

The Google vulnerability is located at the follwing URL:

https://accounts.google.com/o/oauth2/auth?redirect_uri=<malicious redirect>

If I’m not mistaken, I believe that this is actually a flaw inside of the Google API for 3rd party applications, because it is contained under the oauth directory. Oauth is what is used to make a secure link to an online account via a web API without the user compromising their password to an untrusted application.

Facebook

The Facebook vulnerability is located at the following URL:

http://www.facebook.com/l.php?h=5AQH8ROsPAQEOTSTw7sgoW1LhviRUBr6iFCcj4C8YmUcC8A&u=<malicious redirect>

In order to test both of these vulnerabilities, I recommend using the Facebook phishing tutorial found at Null Byte. However, when our web page is done, the link to our URL should be appended after the equal sign where it says “malicious redirect”. After you have crafted your URL, click it and see if you go through to your phishing page. If you did, pat yourself on the back and go mess with some of your friends.

What’s truly outrageous about this is that when notified about this, both Facebook and Google ignored the issue completely. Now as far as Facebook is concerned, this doesn’t surprise me. Anyone who has ever had a problem with the site and needed to contact them knows it’s next to impossible. Unlike most sites, they have no customer service or tech support email or phone number, no online chat or webform – nothing! Instead they offer a help center which really isn’t all that helpful, and a ‘Known Issues’ page where any and all user posts are ignored. So yeah, I can see how Facebook could ignore this.  I am surprised Google is though. They’ve always seemed more user friendly to me.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Security Vulnerability Found in Facebook and Google – A Spammer’s Paradise

This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s cyber security watchdog and response agency. Complete with attachments, the e-mail’s payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, perhaps, it’s not enough that the agency which was spoofed in the attack has reported a disruption of its own systems, but it’s also the government body responsible for identifying and mitigating just this type of thing.

On January 11, news erupted of a rather malicious little spoof email that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an email pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.

Sent with fake source addresses that included soc@us-cert.gov and the subject line Phishing incident report call number: PH000000XXXXXXX and an attachment named US-CERT Operation Center Report XXXXXXX.zip, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which executes a file named US-CERT Operation CENTER Reports.eml.exe – was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.

Oh, the Irony!

US-CERT responding by doing what it’s supposed to do: it posted a bulletin and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency has stated

“difficulty receiving emails due to the phishing campaign”

according to SC Magazine. A little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, it’s a forgivable fumble considering that the scam artists continue to get wilier and more creative in their attacks.

In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns:

• Do not open the attachments in email messages from unknown sources.
• Install anti-virus software and keep virus signatures files up-to-date.
• Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
• Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.

From Russia with Malice

The story gets a little more interesting from here, when Nextgov.com reported on Wednesday that

“Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.”

It’s not clear why researchers outside of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?

Regarding the attack and its location, there’s clearly no love here, only malice. So why was an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything that nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.

It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

US-CERT Hooked by US-CERT Phishing Attack

In Part 2 of our look at what you can expect in the coming year, faint rumblings out of Japan suggest that one prediction from Part 1 of this article has already come true. If the very real prospect of becoming an innocent casualty of war isn’t enough to make you run backward toward the year that just passed, these bold predictions reveal how hackers will develop an even stronger sense of camaraderie, and how mobility is sure to become a four-letter word. And if you thought spamming and Internet scams made it personal in 2011, you ain’t seen nuthin’ yet.

How about that? 2012 wasn’t even seven days old when news out of Japan this week revealed some eerie premonitions of the things to come and earmarks of a bold prediction made one week ago.  Engadget, ZD Net and other media outlets are reporting that the Japanese government has been working in concert with Fujitsu since 2008 to develop a powerful ‘cyber weapon’ – a piece of software that, upon the detection of a cyber attack (such as DDoS, for example) tracks the attack back to the source.

Sounds pretty straightforward, right? Sure, until you consider that the software also attacks and disables every machine it finds along the trail. The goal, Engadget reports:

“is to stop the spread of a malicious piece of code by finding and shutting down, not just the source, but all middleman PCs that are also now potential hosts. In some admittedly extreme scenarios this weapon could potentially spiral out of control, taking out far more computers than intended.”

Hmm… Botnets are nothing more than large numbers of unsuspecting computers carrying out their attacks at the behest of the infector and ignorance of the computer’s owner. Japan’s little toy, while it sounds like it might be fun to take for a spin, could have the unpleasant and unprecedented effect of being the cause of some serious collateral damage. Casualties of war? Here’s a tip for everyone: while you still have a chance, give that fave desktop or laptop of yours a great big hug before it’s too late.

1. Hackers of the World, Unite

Robin Hood met Mafia Boy last year as hacktivism took center stage. Indeed, 2011 was an entertaining year for anyone who followed the exploits of Anonymous and LulzSec. The drama unfolded like a kabuki play born in the mind of Ken Kesey and brought to life by a troupe of mimes with Tourette Syndrome, and there were even a few arrests along the way to make this reality show really…ahem… arresting.

Prediction: We will see some new hacking activity from these groups, with some high profile web takedowns in the process. While that’s not a stretch, this is: hacker groups like Anonymous and LulzSec will grow in size substantially, resembling an ‘occupy’ type movement that will take the war online. The civil and social unrest of 2011 will turn to face the financial behemoth that is the Internet.

2. Mobility Means Vulnerability

If we learned anything about spam in 2011, it’s that spam is like that proverbial bum of a brother-in-law who’s been living in your basement for the past two years. It’s not going away, good luck making it work for you, and you will be out-of-pocket at some point. Spammers continued to use every means at their disposal in 2011, with SMS spam becoming a real pain in the neck. Security flaws in the two most popular smartphone platforms – iOS and Android – just accented what we already suspected: that spammers and purveyors of malware had taken their show on the road.

Prediction: 2012 will see a massive increase in mobile spam, and mobile devices will become the swords upon which we will live or die unless we get mobile security under control.

3. It’s Nothing Personal…Well, Actually, It Is

A significant development in spam and phishing in 2011 was the way in which the scam artists were getting smarter; you know, smarter in much the same way that a chunk of igneous rock living at the bottom of a fetid riverbed is smarter than a rotting patch of lichen hanging for dear life to the side of an oak tree. Like it or not, the scambags are wilier, finding new and innovative ways to pick your pocket without actually residing in the same time zone.

Prediction: The scambags will become even cleverer in their assaults, finding new methods to lull people into a false sense of security. How this will occur remains to be seen, but our bold prediction is that it will most likely involve highly targeted, multilevel campaigns where the scammer will use detailed knowledge of the targets, and multiple contact methods like email, phone, SMS and even snail mail to enact their evil schemes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bold Predictions for 2012 (Part 2)

In a turn of events appropriate for the most tumultuous year in cybercrime, 2011’s body is barely cold and we’re already smelling something suspicious from its decomposing carcass. Rumors of two worms, one well-known and the other relatively new on the scene, have some of us wondering what will happen next in 2012, and the year has only just begun. In an attempt to put the preceding year into perspective, we take a look at what might be in store for the new year and beyond with some bold and not so far-fetched predictions for 2012.

PREDICTION: A Shiny New Worm with Every Census Report, Tax Return and Piece of Monetary Currency

First up for 2012 is a prediction that all bets will be off when it comes to understanding the nature – and source – of some of the most insidious malware in the known universe. In fact, the threat and very nature of the state-sponsored malware will only get more confusing, and most likely more disturbing, as we discover where and how it’s being used.

Discovered in 2010, Stuxnet was in the news again in 2011. A worm designed to target and damage industrial control systems (like the kind found in nuclear plants), it has been a source of great debate over who created it and what its ultimate purpose represented; but few could argue that with more than forty percent of Stuxnet’s infections landing in Iran, the nation was most likely the target from the get-go. Russia and others wasted no time pointing the finger squarely at the United States and Israel as the benefactors of the worm, which surely must be state-sponsored.

It seemed inconceivable that anything could top the news that broke late in the year about Stuxnet’s connection to Conficker, suggesting that the latter, a notorious botnet, was used to deliver the payload for Stuxnet. If rumors are true that Stuxnet is state-sponsored, the implication that spam might have been part of the delivery method can and must only leave a bad taste in people’s mouths.

As 2011 wheezed out its last few painful breaths however, a new development occurred in this bizarre tale, as it was revealed that ongoing research by Kaspersky Labs on Stuxnet uncovered a direct link between Stuxnet and Duqu – a worm, discovered only in September, which shares many of the attributes of Stuxnet. In fact, media outlets are reporting that the worms are suggestive of an ‘arsenal’ of malware that has been in development as early as 2007. The code kernel has been dubbed ‘Tilded’, in recognition of the author’s habit of using filenames that begin with ‘~d’.

The Prediction: Keep your eyes open for Tilded. We will continue to see new pieces of the puzzle unveil, and they will point at the government of a country – or perhaps multiple countries working in concert – all but providing conclusive proof of the party (or parties) responsible for this new and nefarious form of warfare. What will make this story even more notorious, however, is when it becomes clear that an unsuspecting public has been a major delivery mechanism for this 21^st century warfare, through the use of spam, malware, and botnets. And if that is true, it could very well be the case that some of those spammers you curse on a daily basis are actually nation states using spam to mask their cyber intelligence activities.

PREDICTION: The Cloud Will Get Stormy

While the Cloud was one of those recurring themes that flew, for the most part, under the radar in 2011, companies like Apple and Microsoft continued to push it like it is a silver bullet and a cure-all for everything that ails small companies to major corporations.

The Prediction: 2012 will see at least three Cloud-based security events, most likely linked in some way to spam, malware, hack attacks or compromised mobile devices. Furthermore, they will be high profile events, targeting Fortune 1000 or Global 1000 companies, or less likely a government agency. Anonymous will take credit for at least one of the breaches, and there will be a link with one of the breaches to North Korea and/or China.

Next week, in Part 2 of this story, we’ll take a look at some other bold and controversial predictions for 2012, and how we can learn something from 2011 – but only if we’re ready and willing to listen to it.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Looking Back At 2011 And Bold Predictions for 2012 (Part 1)

1. Create new botnets and find new ways to increase and strengthen existing ones.
2011 saw the takedown of several major botnets as Microsoft teamed up with the FBI and went on the warpath, determined to crack down on spam.

2. Find new ways to exploit social media for gain and profit.
With Facebook still refusing to vet apps before letting them be released on the site, the possibilities for rogue apps are endless.

3. Work on new Black Hat SEO techniques.
Thanks to Google’s new Panda algorithm, which has put many so-called “content mills” out of business and made traditional search engine spam techniques such as blog scraping and splogs useless, spammers will need to come up with new ways to exploit Google’s search engine results.

4. Continue to refine spear phishing techniques.
Spammers have found that targeted attacks are more effective than the traditional phishing techniques that used a large and random group of addresses. They’ve also been finding new ways to make their fake phishing sites look more and more legit.

5. Continue to look for more loopholes and security vulnerabilities to exploit. This includes finding new ways to crack anti-spam tools like CAPTCHA and ways to hijack social media accounts and websites.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 New Year’s Resolutions For Spammers

Not a fun thing to deal with but it did get me thinking a bit more about how often individual accounts are compromised to send out spam.

Of the larger messaging services, Yahoo! Mail appeared to be the most susceptible according to an end-user survey by Commtouch with 27% of Yahoo’s users claiming to have had their account compromised. Facebook came in second with 23%, Gmail followed with 19% and Windows Live rounded out the list with 15% of people admitting that their accounts had been targeted at one time or another.

The most frightening statistic from this survey was that 62% of these people had no idea how their email account was compromised. This does not reflect carelessness on the victim’s part but instead, shows how the threat landscape has increased in sophistication.

It used to be you downloaded a malicious program that infected your email client and sent out messages to everyone in your inbox however with the malicious links appearing in social network feeds, legitimate web sites hosting malware, drive by downloads and cyber criminals snooping in on public Wi-Fi narrowing down where your credentials were stolen is akin to finding a needle in a haystack.

Why Your Personal Account is a Target

You would think that large corporate email accounts would provide a much more lucrative target for spammers. After all, if they can compromise a good number of addresses they will have much more to work with.

However, cyber criminals have long abandoned the mass spam tactics of the past. This is evidenced by the fact that the amount of email spam has reduced over the years, and trends show that this will likely continue.

People have learned not to respond, or act, when they are sent an arbitrary email message from an unknown account. Over the years, they have been warned and trained that if you don’t know the sender don’t trust the message.

Personal email accounts, for this very reason, have become much more attractive to spammers and cyber criminals. Instead of blanketing mailboxes with spam that generates extremely small returns, their email campaigns have become much more targeted.

Harvesting smaller amounts of personal accounts to send their junk may not be able to hit the sheer numbers they used to use, but the odds of someone opening the email and taking action are greater because of the trust factor.

What To Do When Your Account is Compromised

First and foremost, don’t say your account was hacked. Security experts and people who understand the definition of hacking don’t appreciate that term. Explain that your account was compromised.

Next, don’t be like the 23% of people who admitted in the Commtouch survey that they did nothing when finding out that their account was being used for nefarious purposes.

When you finally realize that something fishy is going on with your account take the following steps:

Update your anti-malware software.

You are going to scan your computer but if your signature files, or definitions, are out of date your security software very well could miss files that have infected your computer.

Boot your computer into safe mode and run scan your computer.

Many people automatically assume that you should change the password to your account first. However, if whoever compromised your email account did so by means of a keystroke logger that is still running on your computer then they will be informed of your new password. Clean your computer of any malware in safe mode before you do anything else.

Change your password.

Once your computer is malware-free you need to log into your email account and change the password. However make sure that you avoid using passwords you use to log into web sites or other types of accounts. This could very well be the place your password was stolen from since criminals know that people frequently use the same passwords over and over. Add to that the fact that many accounts use your email address as the username and you have a perfect mix for disaster.

Of course, you are going to want to also make sure you use a strong password consisting of a combination of upper and lower case letters, numbers and symbols.

Taking precautions will never completely eliminate the possibility that your email account will be taken over, but being smart and aware will certainly minimize the risk.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

When Spam Comes From a Friend

A new study reveals that spam email volume has plummeted to levels not seen since 2008. Spam now accounts for 70% of global email volume, down from a high of 90% and very close to the levels seen after the shady ISP McColo was shut down three years ago. The drop in the levels is attributed to the fact that spammers have moved to more targeted attacks for their spam, malware, and phishing attacks, rather than the massive blasts to random addresses they have traditionally favored. Spam filters are also becoming more and more effective and users more educated.

I think social networking has also contributed to the drop. People just don’t rely on email quite like they used to. Instead they hop on Facebook or Twitter and send a message. Spammers will always go where the biggest audiences are and that means the social networks. Not only do sites like Facebook offer enormous traffic, they also offer something else spammers covet-trust. A spam link on Facebook or Twitter is much more likely to be clicked since it will look like it was posted by a friend and people naturally trust their friends. It’s this built in trust that makes spam so rampant on these sites. It’s hard for people to break the habit of clicking on their friend’s links.

Another feature that spammers love is Facebook’s refusal to vet third party apps. Unlike Apple’s App Store, which has a strict approval process, developers must navigate in order to have their apps made available for downloading, Facebook lets anyone post any app they want. This means rogue apps aplenty. They will respond to user reports and shut down such apps, but it would be better if Facebook had a system in place to prevent them from being posted in the first place.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Levels Plummet to 2008 Levels

While it’s despicable for a spammer to take over anyone’s account, and I can understand why Paula Chase’s family is upset, the situation does raise some questions. Why didn’t they close her account when she died? Many of my friends have a list of their online accounts and passwords stored with their wills, and I think this is an excellent idea. Another question I have is why didn’t they simply block their mother’s email address? Rather than let the spammer “torment” them, blocking her address might have saved a lot of stress.

This story illustrates the importance of making sure your online accounts are taken care of if something happens to you.  For example, Facebook will turn your account in a memorial page -all your loved ones have to do is contact them and request it.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Family Tormented By Spam From Dead Relative’s Account

Stuxnet, arguably the most interesting and bone chilling discovery in the history of computer security threats, is back in the news this week. This time, however, it’s brought a friend – one familiar to security experts and IT personnel alike. If the report from one of the world’s foremost experts is accurate, then it’s going to be a merry Christmas indeed for conspiracy theorists and lovers of international intrigue – and potentially a headache for a couple of governments which are being pressed to fess up about the true origins of Stuxnet and Conficker.

When its presence became known in June 2010, the mere existence of the Stuxnet worm sent shudders through international cybersecurity circles. In case you were off-world at the time of the incident, here’s the skinny: Stuxnet is spread via Microsoft Windows and targets Siemens industrial software and equipment. Although it’s not the first time hackers have targeted industrial systems, it is the first malware to spy on and compromise industrial equipment, and the first to include a programmable logic controller (PLC) rootkit.

What made Stuxnet particularly interesting to conspiracy theorists was where, specifically, it landed. 60% of occurrences of Stuxnet infections were in Iran, and five variants of the worm were discovered at various Iranian facilities, with the apparent target being Iran’s nuclear programme. Stuxnet’s ability to control Supervisory Control And Data Acquisition (SCADA) systems – the kind found in industrial plants – has wreaked havoc on the Iranian nuke programme, particularly at the country’s uranium enrichment facility at Natanz, where, according to Haarretz, “the centrifuge operational capacity has dropped over the past year by 30 percent.”

News of the industrial worm quickly became the stuff of a Tom Clancy novel or Hollywood thriller. Stuxnet’s sheer sophistication and the level of resources required to enact such an attack made it clear that Stuxnet was most likely state-sponsored. Accusations flew about the originator of the worm, and in a fine example of inductive reasoning, fingers were squarely pointed at the U.S. and Israel.

Enter Conficker

Much ado has been made of Stuxnet, and as might have been expected, nothing’s been proven about the source of the worm; but in what is sure to be only the beginning of a heated new debate, this week several media outlets have reported that a

“a celebrated ‘uber-hacker’ with 18 years of service in Special Operations and intelligence,” has linked Stuxnet to Conficker. No, that wasn’t a typo.

John Bumgarner, a retired U.S. Army special-operations veteran, former intelligence officer, and current CTO of the not-for-profit U.S. Cyber Consequences Unit, says he discovered the link between Stuxnet and Conficker only after,

“spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code,” according to Reuters.

In case you’ve been off-world AND living under a rock, Conficker is one of the most devastating and pervasive worms, discovered in 2008 and infecting millions of computers in over 200 countries. The worm is traditionally thought to be the work of an organized crime gang in Eastern Europe, because, much like Stuxnet, Conficker is very sophisticated, probably required immense resources to create, and is extremely difficult to detect and destroy.

“Conficker was a door-kicker,” Reuters quoted Bumgarner. “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”

Let’s be clear: Bumgarner thinks he knows who is behind the two programs, but he’s not saying who, because the matter is “too sensitive to discuss.”

According to Reuters, “The White House and the FBI declined to comment,” and, “Prime Minister Benjamin Netanyahu’s office, which oversees Israel’s intelligence agencies, also declined comment.”

Is it really possible that the botnet propagated by Conficker was all for the purpose of setting up a state-sponsored attack?

Huh?

Things get even stranger from here. In September, Techworld reported that for the first time the Russian government has officially blamed the U.S. and Israel for Stuxnet, calling it “the only proven case of actual cyber-warfare”. And wouldn’t you know it? In related story, a water plant in Illinois was hacked in mid-November, an attack that apparently originated from Russia, and like Stuxnet, targeted the plant’s SCADA system.  In the attack, the hackers gained control of the plant’s equipment and damaged it, the first such type of attack on U.S. soil.

Confused? You should be. If we’re to glean anything from these latest developments, let’s at least take away the following: that a) Conficker may have been the delivery mechanism for Stuxnet, and b) Jerry Bruckheimer’s probably finalizing scripts at this very moment.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Conficker Linked to Stuxnet, Conspiracy Theory Activity Up 530%

Spammers have been taking advantage of a vulnerability in Yahoo! Messenger that allows them to take over user’s accounts and post spam as their status messages. The hole is found in the application’s file share API and allows them to send automatically executed malformed requests without the user knowing or doing a thing. It’s not clear if the security hole allows any other malicious actions to be performed as well.

Spammers find such spamming attractive for the same reason they love spamming Facebook and other social networking sites. When spam links come from people’s friends and contacts, that built in trust factor makes the click through rate skyrocket. Spammers trying to exploit affiliate programs and pay-per-click advertising programs like Adsense know this could mean a tidy profit.

These types of attacks are the most popular way to distribute malware, and similar vulnerabilities have been found in Adobe Acrobat, Java, Flash Player, and other browser plug-ins. These attacks are popular because they don’t require the victim to do much of anything, unlike traditional spam and malware distribution methods which require tricking them into installing a Trojan or virus onto their system.

Yahoo! has been notified of the vulnerability but has not yet responded or repaired it. If you use Yahoo! Messenger you can protect yourself by simply making sure your account is set to block anyone who is not on your contact list, something that you should do anyway. It won’t protect you from attacks by your current contacts, obviously, but hopefully if you see a spammy sounding status update you’ll ask your contact about it rather than click on the link it contains! If you use version 11.5, keep an eye on your tabs as they may be hiding attacks.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers Take Advantage of Yahoo! Messenger Security Hole

South Korea recently announced plans to fight the country’s growing spam problem by asking all ISPs to block all port 25 traffic - something that’s already done in Canada, many European countries, and by some ISPs here in the U.S. The reason blocking port 25 helps cut down on spam is because to use alternate ports like 587 or 465 requires authentication, something botnets simply can’t provide. Although it seems simple enough there are a few catches. For example, companies often use port 25 for authenticated access and requiring ISPs to block it completely would cause serious problems for workers who telecommute or must log into their company’s intranet from a remote location. It’s also likely that, like most other anti-spam solutions, it would wind up being only a temporary fix as spammers are sure to either find some way around it or find new ways to exploit webmail instead. Also, some critics say it punishes too many legit users.

I suppose the same could be said about CAPTCHA, which many users despise. Some visually impaired users find it impossible to get past and even those with perfect vision often find them frustrating -I know I have. Sometimes they are so distorted or close together that it’s nearly impossible to decipher!

My ISP – Road Runner – doesn’t block port 25, and at last count I had 150 spam messages in my junk folder. Coincidence? Maybe. How do you feel about blocking port 25? Do you think it’s a good idea? Would it interfere with your business in any way? Please leave a comment and share your thoughts!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Blocking Port 25 Really Does Thwart Spammers

Activity – up; average phishing uptime – down

For starters, the group has discovered that there’s been an increase in global phishing attacks, from 42,674 in the second half of 2010 to 112,472 in the first half of 2011. To anyone following the trends in phishing activity, this isn’t earth-shattering news, but interestingly enough, even though overall activity is on the rise, the average uptime of phishing attacks has dropped significantly. In the first half of 2011, the average uptime of a phishing attack was 54 hours and 37 minutes, compared to an average uptime of 73 hours in the second half of 2010.

“The “uptimes” or “live” times of phishing attacks,” the report states, “are a vital measure of how damaging phishing attacks are, and are a measure of the success of mitigation efforts. The longer a phishing attack remains active, the more money the victims and target institutions lose.”

The report notes that the first 48 hours of a phishing attack are the most critical, as they represent the most lucrative time for the scammers, so quick takedown is an essential component of anti-phishing efforts.

More than a third of attacks involved shared servers

APWG’s report cites the increased use by phishers of shared virtual servers as a primary reason for this.

“Nearly every year we see a new tactic being used by phishers that drastically affects our Statistics,” APWG says, but this year the group has seen “a dramatic rise in what is actually an old tactic, but one that has been obscure until recently.”

As stated, the hacking of servers that host a large number of domains isn’t a new tactic, but the technique employed by the hackers is interesting, to say the least. According to APWG’s findings, the phishers, upon hacking the server, are placing a single copy of their phishing content on the server and then updating the server configuration to include that content in all the domains hosted by the server – effectively, every site on the server now has an infected section that can be accessed via a specific subdirectory.

To wit, the report states, “instead of hacking sites one at a time, the phisher can infect dozens, hundreds, or even thousands of web sites at a time, depending on the server.” The numbers are a tad staggering, according to APWG, which “identified 42,448 unique attacks that utilized this tactic, each using a different domain name. This was 37% of all phishing attacks worldwide.”

Phishers, apparently, have a hankering for Chinese

Perhaps most interesting in the new report is the massive increase in targeted activity by Chinese at Chinese.

“Attacks perpetrated largely by Chinese criminals,” APWG reports, “victimize Chinese Internet users and steal their credentials for Chinese e-commerce and banking sites.”

Attacks increased by 44% over the first half of 2011 and a mind-blowing 70% of malicious domain registrations worldwide were specifically targeted at Chinese institutions in the past six months. While APWG is identifying the source of these phishing attempts as being from China and directed at China, interestingly enough the Chinese phishers are using “free and low-priced” domain providers outside of China.

For whatever reason, the Chinese phishers have chosen to bypass the hacked domain route.

“Unlike most phishers, Chinese phishers do not use many hacked domains. Instead, they continue to register domains, on which they set up their phishing pages. Of the 11,192 domains used in 1H2011, at least 10,179 of them (91%) were maliciously registered, up from 5,895 in 2H2010.”

Interesting stuff this, and well worth the read. There’s more in the report to keep your head spinning, so head on over to APWG’s site and check out the downloadable PDF.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

APWG: Massive Surge in Phishing Targets Chinese Sites

Facebook was hit with a massive and disturbing spam attack this week. What made it disturbing was its payload. The attack wasn’t meant to sell anything, steal anything or defraud anything. Its sole goal was to disrupt the service and anger and upset its users; and it did just that, by filling newsfeeds with pornographic and gory images. The pornographic images included photoshopped photos of Justin Bieber in sexual situations and the gory ones included everything, from gruesome accident scenes to depictions of animal abuse. The images sparked outrage among Facebook users, most of who lashed out angrily and blamed the site for the problem when they should have been blaming themselves.

That’s right. Facebook’s users are to blame. The site announced in a statement that they had discovered that the attack occurred thanks to users who had copied and pasted code directly into their browser’s address bars. The code then executed and took over the user’s account, tagging them in a variety of disturbing and pornographic images and posting them under that user’s name. According to Facebook they were tricked into doing so with promises of free or deeply discounted laptops. They also announced they had located the people responsible for launching the attack but have not released any further details. One thing we do know is that hacker group Anonymous, which had been previously rumored to be planning an attack on the popular social networking site, was not involved in this one.

I was fortunate in that my newsfeed was only hit with one image from the attack – a shocking photo of a dog whose face had been literally blown off after his owner had shoved lit fireworks into its mouth. It was gruesome and heartbreaking.  If your newsfeed got flooded with disturbing or pornographic images, don’t be angry at Facebook. Instead, make sure you and your friends know to never ever copy and paste code directly into your browser. No legit site will ever ask a user to do so.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Anonymous Not Linked to Facebook Spam Attack

With Christmas just around the corner, the FBI can’t be accused of waiting until the last minute to get their Christmas shopping done. This week, the U.S. law enforcement agency – in partnership with several U.S.-based and international agencies – gave users around the world an early present when it announced the culmination of a two year operation dubbed ‘Operation Ghost Click’, which netted the Feds six Estonian nationals and saw the Christmas tree lights yanked on the infamous DNSChanger malware scam.

It’s been a busy year for the law enforcement community and its ongoing war against Internet crime, which has experienced some success with the takedown of two major botnets in Rustock and Coreflood. But global law enforcement agencies have frantically been creating a shopping list of new targets for investigation, which undoubtedly include a carousel of security breaches, both in major corporations and government departments, the wafting scent of state-sponsored and industrial hacking, the persistent and growing threat of hacktivism, and a raft of other exotic security threats. All of the above are wreaking havoc on the connected world, so when law enforcement wins one for the little guys, we damn well want to give credit where credit is due. We even have to send out kudos for coming up with a sexy name for a two-year long operation that saw six dirtbags paraded away in handcuffs. ‘Operation Ghost Click.’ How cool is that?

Anyone familiar with malware should be all-too-familiar with the DNSChanger scam, a Trojan horse distributed through multiple means, particularly spam e-mails. When activated, DNSChanger modifies DNS settings so that legitimate URLs are redirected to malicious sites bent on stealing information and earning ad revenues for the scam artists. Since 2007, DNSChanger has infected over four million unsuspecting computers, both Mac- and Windows-based. A half million of those are estimated to have been infected in the U.S., and the total haul for DNSChanger is estimated at $14 million over the past four years – reason enough for the joint collaboration of the FBI, NASA, the Estonian Police and Border Patrol, and the National High Tech Crime Unit of the Dutch National Police Agency, to name a few of the involved partners.  The full list of parties responsible for the takedown can be found on the FBI’s official news release here.

DNSChanger and its Mac OSX variants – known as OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C – prompted antivirus and antimalware developers to create tools to detect and remove its malevolent ass, but the malware continued to propagate, which is where Operation Ghost Click comes in. On November 8, two data centers – in New York and Chicago – were raided and more than a hundred command and control servers were taken offline. “To reduce the disruption to infected machines,” The Register reports, “the rogue DNS servers have been replaced with modified machines that are being operated for the next four months by the not-for-profit Internet Systems Consortium.”

Infected users should now be experiencing healthy DNS activity, even if the IP addresses of their systems have been compromised by DNSChanger. Users who wish to check if their systems have been compromised can use the FBI’s rogue DNS checker site. CNET also has some helpful information for Mac users who wish to manually check for DNSChanger infection.

Now for the fun part: simultaneous with the server shutdown, Estonian police took six individuals into custody.  According to The Register,

“Federal prosecutors in Manhattan said the scam was controlled by an Estonian company known as Rove Digital. Six Estonian nationals have been arrested by local authorities, and the federal prosecutors plan to seek the defendants’ extradition to the US. The defendants include Vladimir Tsastsin, 31; Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; and Anton Ivanov, 26. A seventh defendant, 31-year-old Russian national Andrey Taame, remains at large.”

Each defendant is charged with five counts of wire fraud and computer intrusion crimes, and Tsastisin faces an additional twenty-two counts of money laundering. If convicted, six of these geniuses are looking at 85 years. Tsastsin is looking at an additional ten years for each of the money laundering charges, which, if convicted on all counts, would make him 336 years old by the time he gets out – and they say that bad things don’t happen to bad people!

Some are calling it the biggest cyber-bust ever. Whether or not that’s true, it was still a pretty good day for the law enforcement and Internet security communities. Keep up the good work, and thanks for the early Christmas present!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

‘Operation Ghost Click’ Biggest Cyber-Bust Ever?

A variety of phishing attacks are pounding the net this month.

While some claim phishing may be a dying art, as long as there are people foolish enough to fall for the scams, phishers will stick around. Here’s a look at the current phishing topics making news.

Phishing Scam Hits StubHub Users:

 http://www.ticketnews.com/news/StubHub-warns-customers-about-phishing-scam101127538

Netflix Brandjacked for Phishing Campaign:

http://www.nbcdfw.com/news/tech/Phishing-Email-Tries-to-Net-Netflix-Customers-133659803.html

Spear Phishers Target Chemical and Defenese Company:                                          

http://arstechnica.com/business/news/2011/11/nitro-spear-phishers-attacked-chemical-and-defense-company-rd.ars

Paypal Labeled Major Phishing Risk:

http://www.spamfighter.com/News-17027-E-mail-Phishing-Threat-PayPal-Users-at-Risk.htm       

Holiday Shoppers Warned About Phishing Attacks:

http://www.gmanews.tv/story/238156/technology/holiday-shoppers-warned-vs-12-online-scams-of-christmas   

Let us know about stories we missed and what you’re thinking about the stories above!      

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

November Phishing Roundup

With the world about to end on Tuesday, you probably have more pressing matters on your agenda, like kissing your kids goodbye, donning your tinfoil hat, booking the first available space ark to Mars, and spending some last special moments with the one you love the most – the Internet – using that quality time to finish those Torrent downloads, grab some virtual games for the long trip, and search for a good recipe for soylent green. But just in case the Earth doesn’t get into a smackdown with an asteroid the size of an aircraft carrier and we’re not all converted into the cosmic equivalent of a badly shipped box of corn flakes, you may want to take note of the latest SSL Certificate security breach. And when you hear how long the purported malware has been infecting their servers, you may be tempted to dust off your old typewriter and dig your fax machine out of the rummage pile in the basement.

The encryption method that provides nearly every secure online transaction today is reliant upon third parties – the Certificate Authorities – to ensure that every connection is digitally signed as a reliable source; so what if those certificates are compromised? Well, for starters, we may be taking on some new computer overhead in the form of botnets or spyware. But that’s just speculation, right? CAs offer secure digital transactions and we can all sleep at night, right?

[Sigh]. The hits just keep on coming in a year that has seen massive security breaches and data breaches, the unprecedented rise of hacktivism, the hacking of SSL/TLS, deadly new botnets and smarter spammers. Amidst all these high-profile stories, it may be tempting to turn a blind eye from a number of security breaches at SSL Certificate Authorities in 2011, and in case you were wondering, there have been a few. In fact, more than a half dozen CAs have been breached this year, including four different Comodo resellers, DigiNotar, StartSSL, and the ubiquitous GlobalSign. Now, the fine people over at The Register are reporting that KPN Corporate Market, based in the Netherlands, has ceased issuing any new Secure Sockets Layer certificates after it discovered attack tools stored on its servers.

The tools in question were Distributed Denial of Service (DDoS) attack mechanisms and while that may seem like serious business to most of us, KPN wants to assure us that it probably isn’t anything to worry about.

“There is no evidence,” The Register states, “that the compromise affects KPN servers used to generate the certificates that Google, eBay, and millions of other services use to cryptographically prove their websites are authentic, rather than easily created imposters. But the possibility cannot be completely excluded” KPN officials said in a statement issued Friday (Google translation here).

Okay, it most likely isn’t anything. Well, it could be something, but how can anyone possibly know? I mean, it’s not like the malicious software has been sitting there on the certificate servers, for like, oh, I don’t know, four years or anything. Right?

KPN states that they were taking action while they continue to investigate the breach, “which may have taken place as long as four years ago.”

C’MON, MAN! Four years? Are you freaking kidding me? To put that into perspective, that’s one-fifth of the lifetime of the World Wide Web. CA’s are supposed to be the front line of defense against botnets, spyware, adware, and a host of other security risks. I don’t know if it’s even possible (I’m sure it is) to estimate just how many certificates have been assigned in four years, but when you consider the aforementioned breaches of other CAs – all this year – it makes one wonder if we’ve been treading water in the River Styx all these years. “The compromise underscores the fragility of an SSL system that’s only as trustworthy as its most insecure, or most corrupt, member,” notes The Register. Around since 1994, there is plenty of speculation today to suggest that SSL is truly broken.

The Register points out that there are more than 600 CAs trusted by today’s mainstream browsers and all that’s needed to forge a replica of a credential for [insert website here] is unauthorized access to one CA. From an anti-spam perspective, it’s bad enough that we have to worry about the websites that represent a clear and present danger. What happens when we can’t trust any sites?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Latest SSL Certificate Breach Sparks Renewed Interest in Phone Booths, Typewriters and Fax Machines