Airlines Latest to Be Exploited By Spammers

Continental Airlines is the latest company to have its name exploited by scammers. A new wave of spam claiming to come from the airline tries to trick recipients into downloading malware. The messages carry an attachment that looks like a ticket invoice and boarding pass and thank the recipient for buying tickets online. A username and password are supplied, along with confirmation of a $900 charge to the recipient’s credit card, which gives an alarmed reader a reason to open the attachment. The attachment, named “e-ticket.doc.exe”, uses a double extension: because Windows Explorer hides known extensions by default, the name displays as “e-ticket.doc”, but the file is a Windows executable, a worm that downloads additional malware to the user’s PC.
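As an added example (not code from the original post or from any company named in it), this is the kind of check a mail gateway can run on an attachment name such as “e-ticket.doc.exe”: flag a final extension Windows will execute, flag a document extension hiding in front of it (including the padding-spaces variant), and flag content that starts with the Windows PE “MZ” header while the name claims to be a document. The extension lists, file names and header bytes below are constructed for illustration.

```python
import os

# Added example (not from the original post): gateway-style check for the
# "e-ticket.doc.exe" trick, an executable whose name carries a document
# extension in front of the real one. All sample names/bytes are constructed.

# Extensions Windows runs on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".cpl", ".msi"}
# Extensions a user expects to be harmless documents or images (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".rtf",
                 ".txt", ".jpg", ".png", ".htm", ".html"}


def extensions(filename: str) -> list:
    """All dotted suffixes of the base name, lowercased and with padding spaces
    removed, so 'e-ticket.doc      .exe' still yields ['.doc', '.exe']."""
    base = os.path.basename(filename.replace("\\", "/"))
    return ["." + part.strip().lower() for part in base.split(".")[1:]]


def attachment_findings(filename: str, head: bytes = b"") -> list:
    """Reasons an attachment looks like a disguised executable; empty = none.
    `head` is the first bytes of the attachment content, if available."""
    exts = extensions(filename)
    findings = []
    claims_executable = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    if claims_executable:
        findings.append(f"executable extension {exts[-1]}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            findings.append("document extension in front of executable extension")
    # Windows PE files start with 'MZ'. If the name does not admit to being an
    # executable, the content and the name disagree.
    if head[:2] == b"MZ" and not claims_executable:
        findings.append("content is a Windows executable but the name is not")
    return findings


if __name__ == "__main__":
    samples = [  # constructed
        ("e-ticket.doc.exe", b"MZ\x90\x00"),
        ("boarding_pass.pdf", b"%PDF-1.4"),
        ("Invoice.PDF     .scr", b"MZ"),
        ("ticket.doc", b"MZ\x90\x00"),
    ]
    for name, head in samples:
        print(f"{name!r}: {attachment_findings(name, head) or 'ok'}")
```

The name check alone catches the attachment described above; the “MZ” check is what catches the same worm when the spammer drops the “.exe” and relies on the recipient renaming or opening the file some other way.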


Spammers Once Again Attacking Microsoft’s CAPTCHA

Spammers are again attacking Microsoft’s CAPTCHA, and so far they are succeeding 10 to 15% of the time. They are using automated bots to defeat the system, which Microsoft revised and revamped after it was broken earlier this year. Researchers have found that the process has three stages. First, a controller sends instructions to an infected machine in its botnet. That machine then starts submitting CAPTCHA-solving attempts to the Live Hotmail signup page, and finally the bot uses the Live Hotmail accounts it has successfully created to send large volumes of spam.

Services like Live Hotmail and Gmail have become favored targets for spammers and phishers because of the DomainKeys and DomainKeys Identified Mail (DKIM) email authentication they use, under which the sending domain’s reputation helps determine whether a message is delivered. The more reputable the sending domain, the less likely its mail is to end up in a spam folder or on a blacklist. The sending server signs selected headers and a hash of the body with the domain’s private key and adds the result to the message as a DKIM-Signature header. The receiving server fetches the domain’s public key from a DNS TXT record (hence the name DomainKeys) and uses it to verify that the signature matches the message it received. Once the message is shown to be authentic, the sender’s reputation decides its delivery status: senders with bad reputations, and messages with missing or invalid signatures, stand a strong chance of being rejected, while messages from reputable senders with valid signatures are usually delivered. That is exactly what makes a bot-created Hotmail account valuable: the signature proves only that the message passed through Microsoft’s servers, not that a person sent it, so the spam inherits Hotmail’s good reputation. While most ISPs have not yet adopted the technology, many web-based email providers and services have, including Yahoo, Gmail, eBay, and PayPal.
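The verification steps described above, as an added example (not code from the original post or from any provider named here): the receiver parses the DKIM-Signature header, works out which DNS record holds the public key, canonicalizes the message, and recomputes the body hash. The domain example.com, selector s1024, addresses and message text are constructed for illustration. The final step, checking the b= signature over the canonicalized headers, needs the fetched public key and an RSA implementation (for instance the dkimpy package), so this block stops at the body hash, which is the part a verifier can do with the standard library alone.

```python
import base64
import hashlib
import re

# Added example (not from the original post): the key lookup name and the
# body-hash check a DKIM verifier performs, per RFC 6376, using "relaxed"
# canonicalization. The domain, selector and message below are constructed.


def relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    space/tab to one space, drop trailing whitespace on each line, drop empty
    lines at the end, and make a non-empty body end in CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    name, unfold, collapse whitespace, strip it around the colon."""
    value = value.replace("\r\n", "")  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def split_message(raw: str):
    """CRLF message -> ([(name, value), ...], body). Folded header lines
    (starting with space or tab) are re-joined to the field they continue."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def parse_dkim_tags(value: str) -> dict:
    """Tag=value list of a DKIM-Signature field (RFC 6376 section 3.2). Folding
    whitespace inside values (a base64 b= wrapped over lines) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_key_name(tags: dict) -> str:
    """TXT record the verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash(body: str, algo: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def check_body_hash(raw: str) -> dict:
    """Locate the key record and compare bh= with the body actually received.
    The b= signature over the headers still has to be verified with that key."""
    headers, body = split_message(raw)
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_dkim_tags(sig)
    if tags.get("c", "simple/simple") != "relaxed/relaxed":
        raise ValueError("this example implements relaxed/relaxed only")
    if "l" in tags:
        # l= limits the hash to the first l bytes; anything appended after
        # that is unsigned, so a strict verifier should refuse or flag it.
        raise ValueError("l= body length limit not supported")
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]  # "sha256" or "sha1"
    return {"key_record": dns_key_name(tags),
            "body_hash_ok": body_hash(body, algo) == tags["bh"]}


def sample_message(body: str) -> str:
    """Constructed message whose bh= is correct for `body`. b= is a placeholder
    because producing it requires the signer's private key."""
    return ("From: reservations@example.com\r\n"
            "To: customer@example.net\r\n"
            "Subject: Your  e-ticket\r\n confirmation\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1024;\r\n"
            " h=from:to:subject;\r\n"
            f" bh={body_hash(body)};\r\n"
            " b=PLACEHOLDER\r\n"
            "\r\n" + body)


if __name__ == "__main__":
    msg = sample_message("Thank you for buying  your ticket online.\r\n\r\n")
    print(check_body_hash(msg))
    print(check_body_hash(msg.replace("ticket online", "ticket online. Open e-ticket.doc.exe")))
```

Two things worth noticing when running it: whitespace-only changes to the body (a relay normalizing double spaces, say) still verify under relaxed canonicalization, while any change to the content does not, and a matching body hash says nothing about who wrote the message, only that it left the signing domain unmodified.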

A Most Unlikely Spammer

Michael Hampton at the Homeland Stupidity blog has discovered a new spammer: the government! He reports receiving spam from the Overseas Security Council, a branch of the State Department. The spam came from an employee address and hawked a get-rich-quick scheme in which he would send $44.95 to get a website and the ability to send millions of spam messages a day. Sure, it’s very possible the computer that sent it was infected by a Trojan or virus, but this is the Federal Government! They of all people should have airtight computer security. Michael says he emailed the OSC but got no response. Pretty interesting. Either there is a spammer working for the government, or they have a serious security breach somewhere!

Best Spam Defense

The best defense against spam is continuously educating the email user community. As administrators we sometimes get a little too hung up on technical methods of preventing spam. Although the technical details are important, our email users must be constantly reminded of their role in preventing spam, and it is an extremely important role.

Many spammers are people in our own inner circles who send notices, warnings and heads-up emails. When a person forwards a chain letter to a friend, they surely do not think they are spreading spam, and community announcements are usually forwarded with the best of intentions. That does not change the fact that this type of email clogs up the email highway.

These friendly spammers then ask us to send the email to 10 of our friends in the next 5 minutes, promising that this “not deliberate spam” will bring an unexpected positive outcome in the sender’s life. The mere hope of something nice happening by forwarding friendly spam to people in our trusted network usually makes people do it faster.

Experts Believe Scammers Will Exploit U.S. Economic Crisis Next

Security experts are predicting that the next wave of phishing spam will exploit the recent financial turmoil on Wall Street. They say scammers are likely to start soon, playing on people’s fears of bank failures like that of Washington Mutual by sending official-looking messages that ask for banking details so the recipient can supposedly be assured of FDIC protection.

“E-mail scammers like to use global crises and high-profile news headlines when baiting consumers,” said Peter Horan, chief executive officer of Goldman, in a press release issued this week to warn consumers of such attacks. “Phishers know how to make use of people’s vulnerabilities during times of stress.”

According to a recent survey, $3.2 billion was lost to phishing scams in 2007, and that figure is expected to keep rising. Banks spend between $100,000 and $500,000 a year to protect their customers from such scams.

U.S. Economic Woes Lead to 419 Spoof

The New York Times is reporting that the current economic crisis has inspired a spoof of the classic 419 (aka Nigerian) scam. Anyone with an email address has received at least one 419 email. Named after the section of the Nigerian criminal code dealing with fraud, these messages claim to come from a desperate foreign official or lawyer who needs your bank account details and promises millions in return; people who fall for it find their bank accounts emptied. The spoof reads in part:

Dear American:

I need to ask you to support an urgent secret business relationship with a transfer of funds of great magnitude.

I am Ministry of the Treasury of the Republic of America. My country has had crisis that has caused the need for large transfer of funds of 800 billion dollars US. If you would assist me in this transfer, it would be most profitable to you.

I am working with Mr. Phil Gram, lobbyist for UBS, who will be my replacement as Ministry of the Treasury in January. As a Senator, you may know him as the leader of the American banking deregulation movement in the 1990s. This transactin is 100% safe.

This is a matter of great urgency. We need a blank check. We need the funds as quickly as possible. We cannot directly transfer these funds in the names of our close friends because we are constantly under surveillance. My family lawyer advised me that I should look for a reliable and trustworthy person who will act as a next of kin so the funds can be transferred.

It then goes on to request the recipient’s bank and IRA account numbers, as well as those of their children and grandchildren. The sender is listed as Henry Paulson and the address as “wallstreetbailout@treasury.gov”. Most people will realize it is meant as a spoof, but you just know there will be at least one person who takes it seriously! Thankfully the address is fake, so any personal information sent to it would simply bounce.


ISP Accused of Being Haven For Spammers Knocked Offline

Intercage, an ISP dubbed a “major hub of cybercrime”, with 78% of its domains and mail servers used for malicious purposes, has been cut off by its upstream provider, Pacific Internet Exchange (PIE). Intercage president Emil Kacperski has ignored complaints about that activity for the past 5 years, and when Spamhaus blacklisted PIE earlier this month it was apparently the last straw.

“His network was used for very clearly hostile criminal activity. I’m not aware of any legitimate customers,” said Matt Jonkman, an independent researcher who contributed to a white paper on Intercage.

Spamhaus has recorded more than 350 cybercrime hosting incidents on Intercage in the past 3 years alone, covering spamming, hacking, malware, internet fraud, phishing, and more.

Kacperski said he is looking for a new provider and does not know how long it will take. Let’s hope no provider out there is willing to help him put his cybercrime haven back online!

Bounty Hunters Look for Spammers

A precedent has now been set in South Africa, and repeat spam offenders are on notice: spammers now have a price on their heads and their names on a Wall of Shame. It would be nice if this were a sign of things to come, with other countries placing bounties on spammers too.

Jani Meyer of the Sunday Tribune reports that the South African Spammer Bounty Hunter Programme offers three levels of reward to anyone who provides information that leads to a successful prosecution:

  • R7,500 (about $958) if a spammer admits guilt.
  • R15,000 (about $1,916) if a spammer is convicted in the magistrate’s court.
  • R30,000 (about $3,831) for a conviction in the high court.

Alan Levin, spokesman for the Internet Society of South Africa (ISOC), said spam made up more than 70% of monitored e-mail traffic.

He said one weakness of the current system is that it depends on recipients acting on the spam they receive.

Two of the World’s Largest Botnets May Be Connected

Rustock and Srizbi, two of the world’s biggest spam botnets, may be connected. Researchers have discovered that the two share the same malware delivery method, a Trojan called Trojan.Exchange that installs when unsuspecting users click malicious links in spam messages. Most of the spam the botnets send is of the fake-headline variety (such as the recent Obama and nuclear-disaster spams) or the fake-video variety, which tells the recipient they were caught on video in an embarrassing situation and invites them to click a link to see for themselves.

Rustock is currently the biggest spammer on the net, with Srizbi a close second. It is not yet known whether the two botnets are run by the same gang or simply cooperate under some sort of agreement, but there is speculation that both are run by the infamous Russian Business Network, a known haven for spammers, hackers, and other cybercriminals.

Anatomy of a Spam Virus

SpamThru is a spam-sending Trojan, and the botnet of infected machines it builds goes by the same name.

According to the Don’t Bounce Spam organization, spammers have become very sophisticated in the way they manage their botnets, and the SpamThru Trojan is a leading example. In at least one case the botnet consisted of over 73,000 computers.

SpamThru uses a peer-to-peer configuration, but all bots still report to a central control server. Each variant of the trojan connects to the control server on its own port, and within a variant the bots are further segmented into peer groups of no more than 512 bots, which keeps the overhead of exchanging information about other peers to a minimum. The SpamThru controller keeps statistics on the country of origin of every bot and on the version of Windows each infected client runs, down to the service pack level. The bot can also scan the infected system for other malware. Imagine the intelligence of the people who take the time to develop software this sophisticated, only to use it for such a foolish purpose.