Top 10 Zeus Campaigns

Written by Sue Walsh on September 2, 2010

Here’s a look at the Zeus botnet’s top spam campaigns:

  1. An unauthorized transaction billed to your bank account- Although most people should know that if their bank spots a fraudulent transaction they will call you or send you a letter - not email you, this subject line is alarming enough to get some people to open it and wind up getting phished or infected with malware.
  2. DHL Tracking number #######- This is one of the oldest campaigns. A variation uses UPS instead of DHL, but in both cases the included attachment has a hidden executable that contains malware.
  3. FDIC has officially named your bank failed bank- An obvious attempt to exploit the economic crisis. Too bad the horrible grammar gives it away.
  4. Hello- This is why it’s often advised not to send emails this way. Many spam filters flag messages with “Hello” or “Hi” as the subject because of campaigns like this.
  5. Notice of Underreported Incomeir- The glaring misspelling gives this away as spam right away.
  6. Review your annual Social Security statement- This has been around for a while as well. The scammers are hoping there are still folks out there who don’t know that the SSA sends out your statement via postal mail about 6 months before your birthday each year.
  7. Welcome to Friendster- An obvious attempt to exploit a brand. Unfortunately for them Friendster isn’t quite as popular as it used to be.
  8. You have received a file from (email) via YouSendIt.- This campaign is banking on people’s natural curiosity being piqued enough to open it.
  9. Your Flight Ticket #####- Delta was one of the more recent airlines to be exploited by this campaign. The scammers are hoping that when someone gets the fake ticket and a cheery note informing them that their credit card has been charged over $800, they’ll be upset enough not to think first and open the attached paperwork, which delivers a Trojan.
  10. Your Order with Amazon.com- This is a blatant phishing campaign. Every link in the fake notification leads to a fake Amazon login page. It’s pretty easy to spot though because the total amount due, which is listed twice, is always two different amounts and there is plenty of broken English as well.

Top 5 Most Popular Spam Subject Lines

Written by Sue Walsh on June 29, 2010

Here’s a look at the most popular spam subject lines.

  1. Blank subject line- Whether it’s done out of laziness, forgetfulness or because they think it tempts curious recipients, most spam is sent without any subject line at all or “No Subject”.
  2. Amazon.com Deal of the Day- This subject line is attached to millions of very realistic looking emails that claim to be from the popular e-tailer. The spammers are hoping people will not realize Amazon doesn’t have a Deal of the Day promotion and fall for the phishing attempt. Amazon accounts are attractive to cybercriminals because they almost always have a credit card attached to them.
  3. Please Read- Simple and humble, this subject line is still quite effective. Apparently being polite does make a difference.
  4. Delivery Status Notification (Failure)- This subject line has a double meaning. It’s used to get a recipient’s attention and, more importantly, to get them to open the message, and it works well. Bounced mail is something most people become concerned about. While it’s usually attached to fake bounce notifications with links that lead to spammy sites, this subject line also shows up in the inboxes of people who have had their email address spoofed. In that case they are real bounces.
  5. Replica Watches- Fake designer goods like watches, handbags, and shoes are big business for spammers. These spam messages are particularly popular over the holidays and lead to either fake storefronts that steal credit card info or to Chinese websites that sell cheap junk watches and other designer knock-offs.

Pharma, ISP spam invade inbox in May

Written by John P Mello Jr on June 8, 2010

My Internet Service Provider is very effective in blocking spam from my inbox. However, recently I noticed more junk mail sneaking through than is typically the case. So last month I decided to collect the pesky crap sneaking through my ISP’s filters. Here’s what I discovered.

An apparent tried and true technique for getting a subject line through a filter is to sprinkle numbers within words. So “From Canada to you” becomes “Fr4m C9nada to you” and “See huge discounts now” becomes “See hu2e discounts now.” The word medications is often misspelled “medication’s,” but that seems to be more an ignorant mistake than a devious tactic to breach anti-spam defenses. The mixed letters-numbers technique seems to be a favorite of pharmaceutical spammers.

What escapes me about the tack is that it actually makes identifying the junk easier for a user–even if spam filters appear to have trouble catching it. The numbers stick out in the subject’s words like a Goth at a young Christians convention so targets can send the electronic detritus to the trash without viewing its contents and without being tempted to click on the link in it.

The inside of the pharma spam messages is fairly simple. It consists of another mixed alpha-number phrase–”Canadian m36ication’s are cheaper,” for example, or “Sa1e4on your medication’s with us today”–a URL and several rows of letters and numbers. The URLs share one thing in common: the subdomain spaces.live.com. Although spaces.live.com belongs to Microsoft’s Live Spaces service, several sources on the Web note that the subdomain is just one stop in a series of redirects to a real spam site.

The letter-number dodge, by the way, was developed by spammers to fool signature-based filters. Those filters create signatures for spam messages from the text in them. The problem is that any change in the text produces a new signature. Spammers can keep one step ahead of the filters by automatically changing the text in each message, so a signature that identifies a message containing “m3dications” as spam won’t work on a message that uses “m7dications” in its text.
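As an added example (not code from the original post), here is the defender’s answer to the letter-number dodge: instead of hashing message text, treat each digit embedded in a word as a one-letter wildcard and resolve the word against a small pharma keyword list, so “m3dications” and “m7dications” collapse to the same canonical string. The keyword list and the token regex are assumptions; the digit-for-space variant (“Sa1e4on”) is flagged as mixed but not resolved.

```python
import re

# Assumed keyword list, chosen to cover the subject lines quoted in the post.
PHARMA_KEYWORDS = ("medication", "medications", "canada", "canadian",
                   "discounts", "huge", "cheaper", "sale")

TOKEN = re.compile(r"[A-Za-z0-9']+")


def is_mixed(token):
    """True for tokens that interleave letters and digits, e.g. 'm3dications'."""
    return any(c.isdigit() for c in token) and any(c.isalpha() for c in token)


def resolve(token):
    """Map a digit-obfuscated token back to a keyword by treating every digit
    as a wildcard for one letter ('m36ication's' -> 'medications').
    Returns None when no keyword has the same shape."""
    shape = token.lower().replace("'", "")
    pattern = re.compile("".join("[a-z]" if c.isdigit() else re.escape(c)
                                 for c in shape))
    for keyword in PHARMA_KEYWORDS:
        if pattern.fullmatch(keyword):
            return keyword
    return None


def canonical(subject):
    """Rewrite the subject with obfuscated tokens replaced by their keyword,
    so every numeric variant of one template yields the same string (the
    string a signature should be computed over, rather than the raw text)."""
    words = []
    for tok in TOKEN.findall(subject):
        keyword = resolve(tok) if is_mixed(tok) else None
        words.append(keyword or tok.lower().replace("'", ""))
    return " ".join(words)


def classify(subject):
    """'spam' when a mixed token resolves to a pharma keyword, 'suspicious'
    when letters and digits are mixed but nothing resolves, else 'clean'."""
    mixed = [t for t in TOKEN.findall(subject) if is_mixed(t)]
    if any(resolve(t) for t in mixed):
        return "spam"
    return "suspicious" if mixed else "clean"
```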

Bloggers lock horns with AARP over spam

Written by John P Mello Jr on May 4, 2010

Bogus AARP page used by spammer.

An interesting drama played out last week at the Word to the Wise Web site. It started as a jibe about a sloppy spam email–the kind all of us have received from time to time–and ballooned into a revealing investigation into how AARP marketing dollars are used to subsidize spammers.

Laura Atkins, the founding partner of the anti-spam consultancy and software firm that sponsors the Web site, got the ball rolling when she heaped derision on a spam message she received from the senior citizen organization.

“Oh, of course they didn’t send me spam,” she wrote, “they hired someone who probably hired someone who contracted with an affiliate marketer to send mail.”

“I’m not surprised,” she continued. “A lot of legitimate and responsible and well-known groups hire spammers. They’ll argue they prohibit spam in contracts with affiliates, but the verbiage in the contract only means anything if they choose to enforce the no-spamming clause. Many of them don’t.”

Her remarks spurred a typical ad hominem attack from a commenter called Chilli, who had a spammer’s mastery of spelling and grammar. “Do you also believe that all those spam messages for Rolex watches are somehow from Rolex too?” he asked. “This isn’t from AARP this is a SPAM that’s been going around for years now. Did you bother looking into the source code to see where it sends you? My guess is it aint [sic] AARP…Do you know what your [sic] talking about?”


U.S. Based Spammers Using Loophole to Get Around CAN-SPAM

Written by Sue Walsh on February 1, 2010

The CAN-SPAM Act is supposed to protect us from unwanted commercial email, but some U.S.-based spammers, who usually call themselves direct marketers, have found a loophole to get around the requirements placed on them by the law.

CAN-SPAM says commercial emailers must provide a clear and easy way for recipients to opt out of receiving further messages, and they must promptly honor those requests. What some sleazy marketers have found, however, is that they can get around having to do so by changing their name. They send a blast of spam as XYZCompany at XYZ.com. They get a flurry of opt-out requests and, instead of honoring them, they change their name to XYZCompany1 at XYZ1.com. More spam sent, more requests received, and they change their name again, this time to XYZCompany2 and XYZ2.com.

What can be done? It’s up to the U.S. to change the law to say that direct marketers and commercial emailers must get permission from consumers BEFORE sending any of their spam. In doing so the U.S. will fall into line with spam laws in most other countries.

Will this happen? That’s anyone’s guess. The Supreme Court’s decision to allow businesses to spend as much as they want on political campaigns may have a less than pleasant effect on the law. In the meantime, if your company is using this practice, stop. It’s not legal and it’s not good business.

U.S. Fines Spammer $15 Million

Written by Sue Walsh on December 4, 2009


The U.S. Federal Trade Commission has fined a New Zealand man $15 million for running what Spamhaus calls one of the largest spam gangs in the world. The gang, operating under the names “Canadian Healthcare” and “HerbalKing,” has been active since 2005 and has sent billions of spam messages hawking male enhancement products, weight loss pills and other pharmaceuticals. The spam messages directed the recipients to websites owned by an affiliate network called Affking. The sites claimed to be offering drugs from U.S. pharmacies when they were actually shady black market drugs made in India. They also stole credit card information and personal data. The gang appears to have made their profits from all three operations – the fake drugs, the affiliate network and the data harvesting.

The drugs are untested and could be dangerous if used. The gang leader, Lance Atkinson, and his partner Jody Smith were also ordered to turn over all their assets, which amount to over $1 million, and Smith faces jail time. Their company, Inet Ventures Pty Ltd, registered in Australia, has received over 3 million complaints from consumers. Spamming seems to run in the family: Atkinson’s brother, Shane, was fined over $112,000 earlier this year by a New Zealand court for his spamming activities.

Atkinson is a New Zealand citizen living in Australia, which will make collecting on the fine difficult. He’s not required to pay unless he enters the U.S. Smith, however, does live in the U.S. and will soon be sentenced for conspiracy to traffic in counterfeit goods, to which he pleaded guilty. The conviction carries a maximum 5 year sentence.

New Spear Phishing Attack Targets PR Firms and Lawyers

Written by Sue Walsh on December 1, 2009


The FBI has issued a warning about a new phishing attack targeting PR firms and lawyers. The messages carry business-specific subject lines designed to trick the recipient into thinking the message is legitimate. The body of the message contains either a malicious link or an attachment that, when clicked, downloads a file called “srhost.exe” from a site called d.ueopen.xom (URL purposely mistyped to avoid accidental clicks). The FBI is warning IT departments to block any traffic discovered from ueopen, a domain registered in China, as such traffic is a definite sign that their network has been compromised.

Security experts say attacks against legal agencies are increasing due to the large amount of personal and financial information they possess. Such personal data is highly sought after on the underground cybercrime market and can be used or sold for a handsome profit.

This latest warning came as the Government Accountability Office released a report saying that cyberattacks against the U.S. are rising sharply and that as a result of the increasing connections between the Internet and information systems, hackers are being presented with more and more opportunities to do things like disrupt telephone service or the power grid. The GAO says it is critical that the U.S. do more to protect its infrastructure and critical services and increase its level of cyber security.

Yahoo! Revives Pay Per Email Model to Fight Spam

Written by Sue Walsh on August 17, 2009

The idea of a per email charge isn’t anything new. Goodmail did it years ago – or tried to. Not surprisingly it was a dismal failure. Still, some experts insist it’s an effective way to deter spammers. After all they aren’t about to shell out money to send their messages. The problem with virtual postage is that legit users have to pay too, and that’s just not something most people are willing to do. They figure their monthly payment to their ISP is enough, and who can blame them?


Who responds to spam?

Written by Dan Blacharski on July 24, 2009

Most of us have become accustomed to using spam filters, so we never even see most of it. The spam that does get through we tend to ignore. We just glance past it, delete it, and never bother reading it, because we’re used to the suspicious headings and the tip-offs that classify it as an advertisement. Anything coming from a barrister in Nigeria, or a crooked banker in South America goes straight to the trash, as do all the ads for pharmaceuticals, get-rich-quick schemes, and secret tropical fruit juices that are used by people on some island in Southeast Asia where they all live to be 100 years old.

But it seems, one man’s trash is another man’s treasure, and there are a few people out there who actually want those fruit juices. If you’re one of those people, here’s a tip: I used to buy that same juice that the multi-level marketers sell for $40 a bottle, when I was living in Bangkok, from street vendors for about a half a dollar. Be that as it may, now and then there is an ad that catches my eye. Yes it’s true, sometimes those ads do peddle something useful, like printer ink cartridge refills, which I regularly purchase. But I suppose to lots of other people, those ads are spam, too.


How do spammers get your email address?

Written by Dan Blacharski on July 17, 2009

The Conference on E-mail and Anti-Spam, held in Mountain View, California this week, brought to light some interesting trends in spam and research on where it comes from. According to a report in today’s MIT Technology Review, new research highlights just how spammers get their email address lists in the first place, and how they relay the messages.

According to a paper coming out of Indiana University that was presented at the conference, it is common for spammers to gather email addresses from Web pages, in much the same way that a search engine’s spider works. When you print your email address on the Web, you’re risking spam: automated spam crawlers constantly survey the Web looking for email addresses, and sooner or later one will get to yours. The research showed that when you include an email address on a comment board on a web site, there is a high probability of receiving spam. But what about when you register on a web site? It’s very common for a web site to require user registration to gain access, and this is a legitimate way for a site to operate; you’re, in essence, trading your email address for access to information. The registration process is less likely to result in spam, especially when more legitimate and mainstream sites are conducting the registration.

Is there a way to stop the spam crawler programs? The researchers say yes, and it should be a straightforward process to block them and thereby protect email addresses submitted to a web site from being harvested.

A common technique seen throughout the Internet is to replace the @ symbol with the word “at”, to foil the automated harvesting mechanism. Surprisingly, this very simple technique has proven to be highly effective.

The Indiana University researchers recommended users exercise caution when divulging email addresses–and also noted that spam can arrive very quickly, in many cases, in less than an hour after entering an email address on a web site. The spamming crawlers tended to be fairly aggressive as well, ranging from visiting two times per minute to over 50 times per minute.