New Spam Campaign Targets Unemployed; Exploits Twitter

Written by Sue Walsh on November 23, 2009

Security experts have issued a warning about a new spam campaign that targets the unemployed and financially troubled and exploits Twitter to do it. The spam, being sent by the Donbot botnet, hawks “get rich quick” and work at home scams designed to get people to pay a fee for a useless program that claims to help them make money on the internet.

The spam messages use a variety of methods to get past spam filters. First, the message itself is an image rather than text so it can’t be analyzed by filters, and that image contains a link to a Twitter account. The spammers did this because they know Twitter would never be blocked due to its size and reputation. The image is of a fake newspaper article which gushes about how great the get rich program is.

These types of scams are rising as spammers take advantage of the 10.2% unemployment rate in the U.S. and of people desperate to make money in order to get out of financial problems. The timing of the new campaign also coincides with the holidays, which is a time when many people are looking for a quick way to make some extra cash.

Experts say the campaign is increasing. Within 24 hours of its beginning it accounted for 4% of the world’s total spam volume.

Russian Spammers Trying to Cash in On Swine Flu

Written by Sue Walsh on November 19, 2009

Russian spammers are in the process of cashing in on the swine flu pandemic. Shady pharmacies are advertising Tamiflu for rock bottom prices using massive spam campaigns and search engine manipulation. Hundreds of fake “Canadian pharmacy” sites exist, many run by cybercrime gang Glavmed, whose “affiliates” rake in tens of thousands a day from the sales. The Tamiflu being offered is usually fake or out of date. Sometimes plain old sugar pills are provided, and in some cases, they are made of disturbing and downright dangerous ingredients like rat poison. Glavmed also runs SpamIt, a group of email spam affiliates that is thought to be behind the Conficker, Waledac and Storm botnets.

The spammers are exploiting the news that global production of flu fighting drugs like Tamiflu is unable to keep up with demand. They are trying to appeal to those who may be likely to order out of panic, and they are finding success. The top countries ordering the fake flu medication are the US, Canada, France, the UK and Germany.

The gang, known as “THE PARTNERKA” has found such success because they are using a mix of methods to deliver their message. In addition to floods of email spam, they are using Black Hat SEO, social networking, and malware, and there are all kinds of software to help them, such as “John22” which generates HTML content for websites at an alarmingly fast rate, links them together, uploads them, and notifies Google. The pages are so good it’s near impossible to tell they were computer generated. Then there’s ZennoPoster, which generates webmail accounts on services like Gmail and Yahoo, and accounts on social networking, free web hosting and blog sites. It also sends text, email and forum/blog spam. This recipe ensures that spam filters and anti-virus programs won’t have much impact on their bottom line.

Security and health experts alike are advising everyone to stay away from any pharmacy advertised in spam messages or affiliate marketing. If you need medication, get it from your licensed and educated doctor.

ISP Shutdown Does Little Damage to the Cutwail Botnet

Written by Sue Walsh on August 27, 2009

When Latvian ISP Real Host was shut down earlier this month, many believed it would have a similar effect as the shutdown of McColo last November. That shutdown cut worldwide spam levels by 90% when several botnets hosted by the ISP were knocked offline. Unfortunately spam levels have since bounced back ferociously.

When Real Host was shut down, experts believed the Cutwail botnet it hosted would go down with it, at least for a while. Instead it was back to business as usual in less than 48 hours. Cutwail is responsible for roughly 20% of all spam sent. It’s also responsible for numerous phishing attacks, malicious websites, and rogue anti-virus software. Cutwail is responsible, along with Mega-D and Donbot, for sending 21 billion spam messages a day.

Security experts say cybercriminals have learned from the McColo shutdown and have adjusted their botnets so they are no longer dependent on a single host for their control and command servers and have backups in place. They have even begun using other ways to control their botnets; just a few weeks ago a massive botnet was discovered to be using Twitter to communicate with its command servers. It appears simply shutting down a scammer-friendly ISP is no longer going to be effective.

Major Spam Attack Hitting Free Web Services

Written by Sue Walsh on July 27, 2009

A massive new spam attack is hitting free web services such as YahooGroups, LiveJournal and GoogleGroups. Over 1 million spams an hour are being sent through these services using fake Hotmail accounts. Security experts say the Hotmail accounts were most likely created via an automated process that included cracking the webmail provider’s CAPTCHA. Spammers like to use services such as Hotmail, GMail and Yahoo! Mail to send their messages because the domains have a good reputation and are less likely to be blacklisted or caught in spam filters.

Spammers Already Exploiting Michael Jackson’s Tragic Death

Written by Sue Walsh on June 26, 2009

Just hours after Michael Jackson died yesterday, spam with subject lines claiming to have “exclusive information” on his death began flooding the net. The emails don’t contain any malicious links or attachments but seem to be an attempt to collect emails for a future attack. Researchers say anyone that replies to the spam will likely have their address harvested and that it wouldn’t be surprising to see future spams containing links to malicious payloads masquerading as exclusive video of Jackson’s last moments or autopsy photos.

News of the pop icon’s tragic death from what appears to be a sudden cardiac arrest caused an overwhelming spike in traffic that crashed Google, Wikipedia, AIM and Twitter for short periods and caused Facebook to slow to a crawl. Spammers and scammers are jumping at the chance to take advantage of all that traffic. Exploiting headlines and holidays is one of their favorite tricks. The last big headline they used was the Swine Flu outbreak, and before that President Obama’s inauguration.

Security experts are advising people to get their news only from reputable sources, and it goes without saying that you should never ever reply to a spam message. At best it will just bounce back due to a faked header, at worst it’ll just get you put on a list of people that respond to spam, meaning you’ll become a prime target for spammers.

Western Union Latest Company to Be Exploited By Scammers

Written by Sue Walsh on May 21, 2009

A new wave of malicious spam hitting inboxes uses Western Union’s Money Transfer Service in its attempt to trick recipients into downloading its payload. The spam messages carry the subject line “Western Union Transfer MTCN:” and a random number.

The message says a large sum of money transferred on March 10 was never collected and directs the recipient to open the attached zip file and print out the invoice in it, then take it to their local WU office to get the money. The attachment is actually a Trojan. In an effort to make the message seem legit, the scammers even added language at the end of it that claims it was scanned by the recipient’s ISP and found to be “safe”.

The Trojan, Troj/Agent-JUC, appears to be a rootkit that disables firewalls and steals banking information. It also installs other malware including a keylogger program, takes screenshots, and provides backdoor access to the systems it infects.

Despite how nasty the payload sounds and how legit the scammers behind it may have tried to make the spam delivering it sound, common sense should prevail here. If you haven’t sent any money via WU, ignore this message, and if you have, they’ll generally call you, not send an email, and as always, be very wary of any attachments you receive via email from people you don’t know.

It’s believed the scammers behind this latest attack are trying to take advantage of the shaky economic times, figuring there are enough people desperate enough to let their greed over potential free money override their common sense. Don’t fall for it!

Former Florida DA Faces Spam Charges

Written by Sue Walsh on April 18, 2009

Disgraced former FL District Attorney Jack Thompson is facing spam charges for flooding a Utah State Senator with complaints about the CAN-SPAM Act. Oh the irony! Thompson was disbarred last September for making false statements to tribunals, disparaging litigants and other lawyers, and improperly practicing law outside the state of Florida.

The possible spam charges come as a result of another barrage of emails he sent in an attempt to persuade Utah lawmakers to override a veto of a law that would have made the sale of video games labeled Mature illegal. Thompson is a rabid anti-video game activist.

          “In the grip of such legislative ignorance, Mr. Waddoups has today threatened Mr. Thompson with criminal prosecution by Utah’s Attorney General for writing him, the ultimate purpose of which is to encourage Utah legislature to override Gov. Huntsman bizarre veto,” reads Thompson’s press release. “Thompson also informed Sen. Waddoups that the same Attorney General he wants to have prosecute Thompson has received thousands of dollars from the video game industry whom Mr. Shurtleff now helps protect. Gov. Huntsman has received their money as well. What a surprise. This is pay to play in Utah. Maybe the whistle blowing as to this is what concerns Mr. Waddoups the most.”

The email in question included an image of two barely clad women about to give a Grand Theft Auto IV character a lap dance. When State Senate President Waddoups asked to be removed from Thompson’s email list, he refused, leading Waddoups to seek charges under the CAN-SPAM Act, which carries fines of up to $11,000. Thompson pledges to fight any charges and keep his vendetta against video games going strong.

Spam Continues to Overwhelm

Written by Sue Walsh on April 9, 2009

A new report by Microsoft reveals what many of us already know. More than 75% of all emails sent are spam, and more often than not these days, contain malicious links or attachments. Malware is becoming more and more widespread. The report says that there are nearly 9 infected PCs for every 1,000 clean ones. Still, ads for shady pharmaceuticals make up most spam, with adult oriented spam a close second.

Fear not however as most spam never makes it to people’s inboxes:

          Cliff Evans, head of security and privacy for Microsoft in the UK, told BBC News: “The good news is that the majority of that never hits your inbox although some will get through.”
Ed Gibson, chief cyber security advisor at Microsoft, said the rise in spam was due to traditional organised crime figures moving away from exploiting software vulnerabilities and “targeting the weak link that is you and me”.
“With higher capacity broadband and better OS (operating systems), and higher power computers it is easier now to send out billions of spams. Three or four years ago the capacity wasn’t there.”

Phony emails from shippers abound

Written by Dan Blacharski on April 1, 2009

I always love getting packages in the mail. I think everyone does. So when a notice arrives in my email box that says I have a package to pick up, I get excited–but then I think better of it, and remember that carriers leave little slips on your front door, they don’t send you an email.

Earlier this month, there was a spam scam making the rounds, claiming to be a delivery notice for UPS. This week, a new one is circulating, this one claiming to be from DHL, with a subject line “DHL Tracking Number”. The message says that a delivery attempt has been made on a specific date, and then tells the recipient/victim to click on a link to print out a notice to retrieve the package. Similar scams have also circulated from spammers claiming to be FedEx.

Of course, when the user clicks, they download a malicious Trojan, known as Troj/Agent-JJP, which contains the file dhl_n756512.zip. The file creates a remote connection via port 80, and then the bad guys on the other end can fill the victim’s computer with more malware and adware.

Recession Oriented Spam On The Rise

Written by Sue Walsh on March 2, 2009

With Valentine’s Day now long over, spammers and phishers have turned to another topic – the economy. As the economic forecast continues to be gloomy here and around the world, recession oriented spam is on the rise. Not too surprising seeing as how spammers regularly exploit headlines in an attempt to get their messages (and more often than not, malware) opened.

The messages contain text and subject lines involving discounts and money-saving opportunities, and contain links to popular search engines that redirect to the spammers’ websites. This type of redirect hides spammer domains, letting them get by spam filters and giving them a longer lifespan.

Phishing emails are also on the rise, most of them in the form of fake account alerts from well-known banks. Phishers know that these days people won’t be surprised to hear from their banking institutions and are taking advantage of that. Phishing emails made to look like responses from well-known sites like Careerbuilder and Monster.com are also becoming more and more widespread as the flow of jobseekers to them increases rapidly.

To protect yourself and your employees, the same rules apply. Don’t click on links in unsolicited emails – in fact don’t even open them at all. Perhaps even more importantly, be ready to help any customers who may have fallen prey to a phishing scam involving your company. If a phisher is using your company, post an alert on your website to warn your customers and file a report with the Internet Crime Complaint Center, a branch of the FBI.