Optimists often look for the most positive events over the year to attach to the label, The Year of…, realists however, take a different approach. And while 2012 is still young and holds a lot of promise, this year could very well be known as the year of social spam.

Social spam is nothing new. In fact, spam first infiltrated Internet bulletin boards in 1994 to mark the first major commercial spam campaign when Laurence Carter and Martha Siegel, a husband and wife team of lawyers, posted bulk messages to Usenet groups advertising their immigration law services in what became known as Green Card spam.

Social interaction on today’s Internet is far more sophisticated than the simple posting of messages and hyperlinks however. Nowadays, spammers turn to social networks and guise their spam as links, content, video, audio and executable files.

The nature of social spam has also changed as the platforms that deliver these messages have also developed over time.

No longer is spam only used to deliver advertising and marketing messages alone. With a more sophisticated field on which to play, spammers have used social sites to not only deliver their advertising, but also malware that: steals credit card numbers, captures user names and passwords and turns computers into zombies.

But if social spam has been a problem for so long, why would 2012 be any different? Take a look and see…

The Facebook Example

On January 4, 2012 the Wall Street Journal reported that social spam is on the rise and to combat this, social networks are hiring more staff to help fight this problem. Facebook was named specifically because according to reports, the volume of spam on Facebook is growing faster than its user base.

On Facebook, spam usually spreads when users are tricked into liking, and then sharing, content that is spam. This practice, known as like-jacking, usually works when a user’s computer is infected with malware that allows the spammer to take control of the user’s Facebook account.

The spammer then posts a message on your friend’s profile that would be interesting to others. Commonly, free dinner coupons are used as the bait as are offers for free iPads or other give aways.

When the user’s friends click on the free offer, they are instructed to download the coupons. These coupons actually contain malware that infects the computers of the user’s friends thus continuing the cycle.

Of course the malware does more than just spread itself via Facebook. It can be used to deliver Trojan horses, keystroke loggers, or any other type of malware.

And just how prevalent are these messages? By Facebook’s own admission, they block over 200 million malicious actions every day. In 2008 the company employed four engineers working to fight malicious use of their site. The same department today, named site integrity, now has 31 team members. Additionally, there are 46 people working on security 300 focused on user issues and over 1,000 others (engineers, lawyers, risk analysts, etc.) who help to fight spam on the site in other ways.

Others Not Immune

Of course other social networks and content sharing sites are hardly immune to the problem of social spam. Twitter has long been a hot bed for spammy posts created by malicious users.

Twitter, by nature, set itself up for spam from the very beginning. As a great way to share content to other like-minded users, Twitter allowed people to share short messages that were less than 140 characters long; short, sweet and to the point.

Since URLs were often lengthy, companies – including Twitter – developed URL shorteners. Now, http://www.allspammedup.com could become http://bit.ly/3KmvyZ to save precious character space.

The problem is, no one really knows if http://bit.ly/3KmvyZ will take you to All Spammed Up or a malicious web site.

Google also out how quickly spam could infiltrate even a carefully planned social network.

Originally opened through an invite only process, Google+ users found the site a welcome break from other social sites that had turned into spam havens. Since early adopters were tech savvy, spam was quickly reported and accounts spewing spam were shut down.

Then came the public release and the ability to create business pages and spammy comments and shares began to fold the network causing one well known legitimate marketing professional to comment:

Wow, Google+ must be taking off. Spotted not one but two pieces of comment spam today.

As users find it easier than ever to share content with their friends and family, spammers will find it easier to manipulate this process. Because we have become so trusting of the content our “friends” share with us, we never consider the fact that what may be the coolest thing on someone’s wall may just wind up infecting our computer.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Is 2012 the Year of Social Spam?

To many people, the easiest way to determine if an email message can be trusted enough to warrant opening and reading it is to look at the sender. Unfortunately, the inboxes of our family and friends can be compromised rather easily and used to send spam.

But surely the email of a large, respectable news organization would be immune to the trickery and masquerades of spammers, right?

Apparently not.

On December 28, 2011 subscribers to the New York Times received an email from the news company. The email informed these recipients that although their recent request to cancel their home delivery subscription for the newspaper had been received, the Times was appealing to them to reconsider their decision and remain on as a customer:

Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps.

We do hope you’ll reconsider.

As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.*

Continue your subscription and you’ll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You’ll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad^® apps, plus you can now share your unlimited access with a family member.^†

To continue your subscription call 1-877-698-0025 and mention code 38H9H (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).

In a day and age where a majority of people get their news from electronic sources instead of traditional newsprint, this doesn’t sound like anything out of the ordinary.

However shortly after these emails went out, a tweet from the Times’ account went out stating:

If you received an email today about canceling your NYT subscription, ignore it. It’s not from us.

Instead of a few people being asked to reconsider their choice to cancel newspaper delivery services, the email went out 8 million people. All of them subscribers to services of the New York Times, but some of them only subscribed to the digital edition of the newspaper. They weren’t even customers of the home delivery service.

Spreading the News Over Twitter

As soon as the tweet was released, the speculation started. Although the New York Times claimed that they were, “working to coordinate a response,” many on Twitter pointed the finger at Epsilon, the email firm that was compromised last spring.

When asked by BetaBeat if this was a result of the recent breach, Epsilon spokesperson Jessica Simon stated:

“This is the first I’ve heard of it. Let me talk with our email group and get back to you.”

Jumping the Gun

Once the smoke had cleared and the fingers had been pointed and redirected, it turned out that the email actually was sent from the New York Times’ email servers. They immediately released the following statement:

An email was sent earlier today from The New York Times in error. This email should have been sent to a very small number of subscribers, but instead was sent to a vast distribution list made up of people who had previously provided their email address to The New York Times. We regret this error and we regret our earlier communication noting that this email was SPAM.

It is nice that they regret their error, however they shouldn’t regret calling their errant mass mailing spam, because that is exactly what it is.

According to WikiPedia, Spam is unsolicited bulk, or unsolicited commercial, email. It is the practice of sending unwanted email messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients.

Companies, especially larger ones, need to understand that when someone trusts them with their email address they are assuming that this information is safe. Safe from cyber-criminals looking to harvest these addresses and safe from trusted employees accidentally sending out indiscriminate emails causing panic.

Had this incident in fact been caused by a security breach, the result would have been similar. Customers would have been hassled by illegitimate messages, people would have been less productive as they were forced to deal with this fake warning and resources were spent dealing with the mess.

Just because it was an email that was sent by mistake doesn’t mean the effects are any less irritating or costly.

If it walks like a duck, and sounds like a duck… well, you get the point.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Coffee, the New York Times and Spam

Instead of using up precious character space with long URLs like: http://www.allspammedup.com/2011/10/fighting-spam-and-going-green/, services like bit.ly, owl.ly or goo.gl could turn it into http://goo.gl/BdmMe.

Not only did this make Twitter happy, but these services include click tracking and other analytics so people could see how popular their shared content actually is.

Where the Problem Lies

Looking at the two links, it is easy to spot why a shortened URL would be attractive to spammers.

If you don’t see the problem, let’s take a look at another URL. Say for instance, http://this-is-nothing-but-spam.com. On this site I host anything from phishing scams to malware that infects your computer via drive by downloads. Or, I simply use the site as a way to deliver spam.

Of course if you see this URL you are not going to click on it. Likewise, http://cheappharmacy.com or http://buyviagra.com would probably warn you to stay away.

However, if I take our first example and plug it into any URL shortener I come up with something like http://goo.gl/rwr0K and it is impossible to tell where this link will take me. If it is given to me by a trusted source, I may not hesitate to click on it.

An added benefit to tiny URLs is the fact that it conceals the keywords that so many spam filters have been trained to seek out.

Any worthwhile spam filter would see http://buyviagra.com as spam and that message would be stopped dead in its tracks. Yet something like http://goo.gl/rwr0K could sneak past even to most reliable anti-spam solutions since it wouldn’t know immediately what to look for. And if the short version of the URL is blacklisted, the spammer simply creates a new URL to use.

Now this is a rather primitive approach and once this method of spam became popular the URL shortening services quickly put measures in place to detect and remove malicious, spammy links.

Yet this wasn’t enough to make cyber scam artists give up. Instead of looking for another delivery method, the spammers chose to create their own URL shortening service.

How It Works

If you are familiar with the world of Free/Open Source Software, then you know that the source code for any software that is created under this license is open for anyone to modify, hack, or build upon.

Since there is a Free/Open Source application for just about everything, spammers simply found a URL shortening script that they could use to create their own service from.

Security researchers from some of the industry leaders estimate that around 87 different URL shortening sites have been set up by spammers using this method to advertise pharmaceutical products for sites like Pharmacy Express.

What to Do?

When it comes to links spread via Twitter or other social sites, it is always good practice to trust the sender before clicking on any link. This can help protect you from a wide range of problems that can occur.

However you can also be on the lookout for some commonalities to the emails that contain these malicious links.

Research has shown that the subject lines of the messages used to spread these spammy links are often: “It’s a long time since I saw you last!” and “It’s a good thing you came!”. Seeing a message with either of these subject lines should clue you in immediately to spam.

Of course, if should you click on a link and be taken immediately to a pharmaceutical site be wary of the site’s intent. Another common industry that has been using this tactic is online dating. So like the Pharma spam, take heed if you are redirected to a site offering to help you find the love of your life.

The anti-spam industry is fighting back as well. Right now, all of the identified domains have been registered in Russia, but more importantly researchers have noted that the shortened URLs follow consistent patterns, like 3xy.info, spam detection engines will eventually be built to detect these patterns to help stop spam from reaching users’ inboxes. Since the sites don’t seem to be offering any legitimate services, the likelihood of a false positive is extremely low when it comes to detection.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers Turn to URL Shortening

Twitter user @pkafka tweeted the following out of what was probably frustration with spam messages received from what, to any human, was an obvious fake account.

But since we’re praising Twitter w/one hand – why do I have to filter out spam from accounts w/0 followers? Can’t you guys handle?

@dickc responded to him with this promising, if somewhat non-specific, response:

@pkafka yep, we’re working on it. We are trying to migrate from “reactive” to “realtime” to “predictive” on that front.

Twitter has offered users the ability to report spam for quite some time, presenting a button that includes the ability to report a user for spam, but this is most definitely a reactive method to dealing with spam. If you click on the link, the account is blocked from sending you messages immediately, and then the account’s behavior is reviewed by Twitter’s Trust and Safety Team. If it is determined that the account is being used for spam it may be disabled or deleted. A number of users may have to report someone for spam before their account is permanently deleted, which is a good thing to prevent malicious users from filing false reports. There is even an appeal process for users who have been suspended, which seems more than fair and a good way to prevent accidental bans from happening.

But that is today. That tweet from their CEO about what Twitter is working on for tomorrow got me thinking. From @dickc’s tweet, it would seem that there are two different approaches being taken; real-time and predictive. Real-time spam detection might be very similar to approaches we take with analyzing spam emails today. Keyword filters, reputation filters, and Bayesian filters could all come into play with tweets in much the same way that they do with email. Users could even have a kind of whitelist, where accounts they have chosen to follow are whitelisted since by following someone you are expressly indicating you want to receive messages from them.

It’s that predictive approach that has me scratching my head. How can Twitter see into the future to predict spam? @pkafka’s question seems a good place to start. Accounts with no followers that suddenly start tweeting large volumes with hash tags or mentions would be a good indication that the account is a spammer, but that is all activity that has to happen, and be reacted to; not exactly predictive. Perhaps by placing every new account into a delayed send bucket, and monitoring their behavior for a period of time to be sure they are good netizens of Twitter, could help; but that is not what I would call predictive either.

Could there be some correlation between account names, URLs, and spammy actions? Or are the more spammy accounts all being created from the same group of source ip addresses or using the same client? What other methods could Twitter be using to predict spam, and could they be applied to email as well? If you have any thoughts, insights, or predictions yourself, leave a comment and let me know what you think. And while you’re at it, follow me on Twitter. I’m new to it, and am feeling kind of blue with zero followers so far. I promise not to spam you!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

What tech is Twitter adding to combat spam?

At least 30,000 people think so. President Obama’s Twitter account lost at least that many followers after going on a massive tweeting binge in an effort to drum up support for the debt ceiling talks. The account tweeted the Twitter handles of every GOP member of Congress by state, resulting in over 100 tweets ending up in followers newsfeeds. This angered many and prompted the mass exodus of followers. President Obama, or whoever runs the account, seemed to realize they’d crossed the line into spamming when they posted:

Thanks for contacting your legislators, and for sticking with us amid our tweeting today. We’re done now, we swear.

This illustrates an important point. If your business has a Twitter account, use it wisely. Tweets can be a great tool for marketing and customer service. It makes it easy to reach out and connect with your customers. However, there’s a fine line between being responsive and being annoying. Don’t bombard your customers with tweet after tweet about how great your product is, or even worse, trashing your competition. Your followers don’t like spam any more than the folks on your mailing lists. Make your tweets useful and interesting. This will keep your followers interested and draw new ones through retweets.

Twitter takes a hard line when it comes to spam. They even have a special Twitter account users can follow and then DM to report spammers. Most spammers disappear fairly quickly, and you don’t want your company to end up on that list. Once you get a reputation as a spammer on Twitter, it’s pretty hard to repair the damage.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

President Obama: Twitter Spammer?

Of course, sudden growth has its problems. Early on Vic Gundotra, Senior Vice President of Engineering at Google, had to send out an apology to users. Apparently, the system had spammed those involved in the beta test because the servers ran out of disk space causing the system to send out notice after notice.

Unwanted email for sure, but spam? I would hardly think so.

However some insiders think that it is just a matter of time before users start getting hit by some really nasty spam inside the network.

Basing their theories on the fact that Facebook and Twitter have become huge targets for phishing attacks, many see Google+ as the next logical target.

Will it become a problem?

To get a sense of what Google+ users think of spam on the network, let’s look at what some of the most influential users have to say:

• Spam away, as far as I’m concerned, because I don’t want to miss something good just because nobody bothered to tell me about it! : )  +Will Wheaton
• One thing that’s been nice (so far) about G+ is the lack of spam accounts. There are lots of those on Twitter. +Wesley Fryer
• One of the things I have seen is that people will share posts with you to pitch you on their message. Sometimes this is very effective. Other times, though, I find myself blocking these people since their posts are pure sales/i.e. spam. Hopefully G+ won’t become a haven for spammers. How do we manage this? Should we be tagging the spammers back? +Steve Rubel
• Of course whenever we review a profile, if we determine that the account is violating other policies like spam or abuse we’ll suspend the account. +Natalie Villalobos
• Imagine SEO/SEM with spam weeded out through your circles & interests. Game Changer for sure! +Tom Anderson
• G+ allows you to actually see who you want to see without all of the ads and spam messages. +Robert Scoble
• Spam can be dealt with. Google is already very good at detecting this type of thing in Gmail, the rest can be crowd sourced. +Vic Gundotra

Now let’s take a moment to address the comment made by Vic Gundotra.

In Google+ fellow users can be blocked. If they insist on spreading junk you have the option to block them so none of their posts show up, even if they comment on someone else who you are following.

While invites are scarce, this method will work against those without the foresight to create multiple accounts right from the beginning. However, once this product gets out of beta, what will happen? Once a spammer is blocked too many times, he or she will just create another account. The same is true if they are kicked off the network for being reported as a spammer.

And, as any Gmail user can attest to, spam does get through their filters; no more than any other email service, but it does get through.

What holds the most promise for fighting spam is crowd sourcing.

The Google+ community so far has been extremely helpful to one another. A link that is spam would quickly be identified by other users so that others would not fall victim as well. Combining the users with whatever technologies Google employs to fight spam may very well take the profitability out of using Google+ to deliver spam.

I would be interested in hearing from other Google+ users as to their experiences with spam on the network and what they think will best keep it at bay.

Author’s Note –  many people are reporting that emails being sent to their inbox claim to contain a link that will provide the reader with an invite to Google+. The link actually takes the person to a pharmacy site offering drugs like Viagra, Cialis and Levitra.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Google+ Will It Become a Magnet for Spam?

The emails look like they were sent from Twitter complete with the site’s logo. One version informs the recipient that an account hijack attempt was detected and instructs them to click on a link to download a “security module”.  The link leads to a fake Twitter site that downloads a trojan that installs a rootkit and a fake anti-virus program called “Protection Center”.

Another version of the spam tells the recipient the email address associated with their account has been changed and to follow a link to confirm or report a problem. The link leads to a fake Twitter login page designed to steal the user’s login credentials, presumably to send even more spam.

A third less common version of the spam looks like a message from Twitter but displays ads for internet pharmacies and drugs under the Twitter logo. Links in the message lead to the “Canadian Pharmacy” scam sites.

Phishing has become a thriving underground economy. Researchers say nearly 4 billion phishing emails have been sent over the past 12 months and that number is expected to continue to rise. Furthermore, scammers and spammers are continuing to increase their skills making it more crucial than ever for IT departments and end users to continue to increase theirs in order to fight back effectively.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Spam/Phishing Campaign Exploits Twitter

The Twitter Grader application uses an algorithm to calculate, or grade, a Twitter user’s ranking among their peers.  This type of tool has been very popular with Twitter users who willingly grant access to their Twitter accounts for websites that offer this type of ego-feeding information.

The compromise resulted in thousands of unauthorized messages being sent from Grader users’ Twitter accounts containing a link to a web page that hosted an embedded video.  The content turned out to not be malicious and it has been speculated that this was an attempt to increase the search engine rankings of the website.

The hack was quickly acknowledged by Hubspot who proceeded to take down the Grader application while they investigated the issue.  Grader users are advised to revoke access for Grader to their Twitter accounts and also to consider changing their account password.In this particular incident the fallout is mainly embarrassment for Hubspot and some disgruntled users.  With no serious data breach of Hubspot’s paid customer base the matter will quickly fade into the background with no ongoing attention paid to it.

The potential impact of these sorts of breaches cannot be ignored.  Social networks carry a much higher degree of trust between relative strangers than other online communications.   One of the most popular users of these networks is sharing of interesting links, often masked by URL shortening services.

Simply put, the timing of the unauthorized message may have meant that it was sent by a particular user while they were conversing with an online friend and sharing a series of links with each other.  In that situation the recipient would not hesitate in clicking the spam link as well.

If the link was to a malicious web page that contained a web browser exploit then the number of compromised computers from this one hack would have been enormous.  The sad fact is that many computers connected to the web use outdated, unpatched operating systems, web browsers and other applications.  Even those that are completely up to date may have undisclosed vulnerabilities that hackers can exploit before security researchers can discover and patch them.  One of the most common exploits today is using PDF files.

For a home user a compromised computer can be a moderate inconvenience.  For a business network a compromised computer can be a major disaster.

So what can be done about these threats to businesses?

Technical Solutions – filtering of social networks to only approved users, blocking of URL shortening sites, and real-time scanning of file downloads.

Human Solutions – the cornerstone of any network’s security is the level of awareness of the end users to the potential threats that are out there.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Twitter Grader Hack Highlights Social Network Spam Risks

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit, after all the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this.  Customers send mail using SMTP, therefore by blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISPs mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.A serious issue is also that of costs.  A higher email load combined with more thorough monitoring means more costs to the ISP for servers and software to do those jobs.  The human resource costs also increase, both in the management of the systems as well as the teams who need to contact and support customers who are suspected of sending spam.

Although email is currently the largest source of spam on the internet there are other forms of spam that are quickly becoming very common that would not be addressed by this solution.  Social networks such as Facebook and Twitter have become rich hunting grounds for spammers and phishers who are able to target victims with highly personalized attacks thanks to the open nature of these networks.

In a world where ISPs block spam email from customers the focus of botnets would simply shift to exploiting social networks and identity theft for the same outcomes.  Because these networks run simply as interactive websites they become impossible to block at the protocol level, and blocking them on a site by site basis would immediately outrage customers.

The British ISP heads who commented are correct in their view that businesses and email administrators need to take the responsibility of blocking spam that is sent to them, rather than expect ISPs to do all the work for them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISPs Don’t Want to be Spam Cops

Business Week

The study revealed some interesting statistics:

• 88% of overweight individuals reported receiving spam pitching weight loss products, compared to 73% of other respondents
• 42% of overweight individuals said they opened the spam, compared to 18% of other respondents
• 18% of overweight individuals said they bought products promoted in the emails, compared to just 5% of other respondents

Firstly why do overweight people receive more weight loss spam?  One theory is that these people are visiting more web sites on that topic than other people, and therefore end up in marketing databases.  This means that the spam is either coming from the website owner, or another party that is given access to the database of email addresses.  This access may be either from selling the list or by using co-registration, which is a legitimate lead-sharing strategy that is often abused by spammers.

For any email marketer a 42% open rate is outstanding.  It means that the subject line for the email was very effective at enticing the recipient to open the email and read more.

For a spammer sending 1,000,000 emails 42% open rates do not mean 420,000 people opened them.  Most of those recipients will never receive the spam due to anti-spam protection on their email server or their computer.  But even a 1% penetration could mean several thousand people open the email.

Finally the conversion rate for overweight people is very good at 18%.  Several hundred conversions of a weight loss product likely to cost $50-$200 is a good day’s pay for the spammer.

So what does this tell us about why spam works?  Well like any form of marketing with more accurate targeting comes higher conversions.  Valentines Day spam converts better in January/February, and Christmas spam converts better in November/December.

Interestingly the statistics above are only for email spam.  This type of spam is the most common and is still quite easy to accomplish (for example by requiring an email address submission before revealing the “25 Amazing Weight Loss Tips for 2010”).  Spam is perceived as a big problem and yet email addresses are perceived as low value and are quickly given up.

But the last few years have seen a strong emergence in other types of spam such as in social networks, where the targeting is much easier for spammers because of how much information we make public about ourselves.

Consider how easily a spammer can send messages to people who post “I want to lose weight” on Twitter as a new year’s resolution, sending them a link to those “25 Amazing Weight Loss Tips for 2010” so as to capture their email address.  Or how easily single women aged 35-45 can be targeting with a Facebook ad for weight loss, leading to a female-focused website, and then female-focused follow up email messages.

More accurate targeting means higher conversions.  So why does spam work?  Because we give spammers everything they need to know to make it work.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Weight Loss Scams Reveal Why Spam Works

A look at the year’s major spam event shows some consistent trends.

• Season spam such as Valentine’s Day and Christmas remains predictable
• Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
• Spam networks are becoming more distributed and resistant to shutdown attempts
• Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
• Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering

Here is a look at some of these major events throughout the year.

January

Scams promising free money from US government grants attempts to exploit the news of corporate bailouts and the increase in unemployment.

Fake CCN news alerts take advantage of a clash between Israel and Hamas.

Global spam volume begin returning to normal levels after the McColo shutdown of November 2008.

The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he resigned and attempts to trick users in downloading malware.

Spammers also get a head start on Valentine’s Day with malware-carrying love letters.

February

Human error at Google marked the entire internet unsafe (is it really that far from the truth?).

The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.

Microsoft offeres a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.

March

Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.

The BBC gets itself into hot water when it buys a botnet to research a story and then uses it to send messages to potential victims.

April

Security vendor PGP exposes hundreds of customer email addresses by not using the BCC field for a broadcast email.

Global spam volume makes a complete return to the level it was at prior to the McColo shutdown.

Researchers discover the first ever SMS virus in the wild, capable of spreading between mobile phones via text messages.

Twitter suffers its first major malware outbreak due to a cross-site scripting attack by a bored teenager.

May

The Swine Flu outbreak gives spammers a new hot topic to exploit in their latest scams, with fake drugs and “survival guides” offers flooding mailboxes.

The Cutwail botnet, previously seen during the Valentine’s Day spam season, makes a fresh start pushing fake weight loss products, and Acai Berry scams appear all over the internet.

June

Air France flight 446 crashed in the Atlantic ocean, giving spammer a new tragedy to exploit.

A UK furniture company makes a major PR blunder by using Twitter hashtags for the Iranian conflict to promote their products.

Michael Jackson dies, nearly causing an internet meltdown as search engines, social networks and news websites struggled to copy with the unprecedented burst in traffic.  Spammers quickly jumped on the public thirst for details about Jackson’s death with new spam messages.

July

The ZBot Trojan appears in a new attack that uses a fake Microsoft update notice to trick users.

A botnet launches a major DDoS attack against US government websites to coincide with the July 4^th holiday.

Spammers begin using free URL shortening services to bypass spam filters.

August

Another Twitter phishing/spam combo attack appears causing disruption for users.

Twitter, Facebook and other sites were all knocked offline for several hours due to a targeted DDoS attack against a pro-Georgian blogger.  The event was so prominent in the news that spammers began exploiting it with email and search engine keyword spam to cause further denial of service and compromise more computers.

Another spammer ISP is shutdown but this time the effect is nowhere near as successful as when McColo was taken offline, suggesting spammers are building more resilience into their networks.

September

A South Australian woman shares her experience of being the victim of identity theft when her Facebook account is hacked and used to scam money from her friends.

Popular blogging software WordPress becomes the target of a new worm that attempts to insert spam links in thousands of blogs.

A new Koobface worm variant appears targeting Facebook users.

October

A court order leads to an innocent Gmail user losing their email account when Google is forced to close it down.  The court order was granted after a bank employee accidentally emails customer information to the Gmail account.

A list of over 50,000 email addresses and passwords for major online web and email services appears on the internet.

A thriving marketplace of open source malware is uncovered by security researchers.

Geocities shuts down, taking with it thousands of spammer’s websites.

Facebook wins a massive $711 million judgement again one of the world’s biggest spammers.

November

The first Christmas season spam starts to appear to exploit the rising trend in online shopping.

Researchers successfully kill the Mega-D botnet.

Twitter job spam starts appearing promoting “get rich quick” schemes to exploit high unemployment rates.

An Australian amateur programmer writes an iPhone virus that causes relatively harmless infection on jailbroken iPhones.  His code is quickly repurposed by people with more malicious intent, and a security vendor is criticized by the wider community for rewarding him by offering him a job.

December

A New Zealand man is fined $15 million by the US FTC for operating a worldwide spam gang.  The same man faces charges in Australia soon after.

The Koobface worm adds a Christmas theme to its Facebook phishing attempts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

2009, The Year in Spam

          “Jose Nazario with Arbor Networks said he found a Twitter account that was used to send out what looked like garbled messages. But they were actually commands for computers in a botnet to visit malicious websites, where they download programs that steal banking passwords.”

Social networking services such as Twitter have recently become associated with spam and phishing attacks due to the lack of inbuilt protection from malicious users.  This new development of using Twitter messages to control botnets takes the issue another step forward.Typically a botnet is made up of computers connected to broadband connections that have been compromised in some way, usually by either tricking the owner into installing malicious software (a browser toolbar, fake antivirus software, or a porn dialer) or by exploiting a vulnerability in the operating system or web browser that they are using.  A lot of these attacks occurred over email, which lead to the need for the email anti-spam protection software most of us are using today (either on our own computers or on the email servers of our businesses and ISPs).

Botnets were often controlled using IRC channels, which were quick and easy for spammers to set up anywhere in the world and control remotely.  Over time IRC traffic became almost synonymous with botnets, and despite its legitimate intended uses it is really only used by tech enthusiasts so most businesses simply block IRC traffic at their firewall.  Many consumer broadband modems and routers also block IRC traffic by default.

Twitter on the other hand simply works over the HTTP protocol, which is almost always open on business and consumer firewalls.  Most Twitter clients will even work seamlessly through web proxies.  This makes the use of Twitter for controlling botnets a very serious problem.

There is no doubt that social networking such as Twitter can be a valuable tool for businesses to use to communicate with their customers.  However the lack of content filtering exposes the end user to attacks such as messages with URLs that lead to web pages designed to trick the user or exploit a software vulnerability.  The URLs are often masked with URL shortening services making malicious URLs more difficult to detect at a glance.  Even a message from a known, trusted friend may be an attack because of the tendency for people to willingly give away their Twitter password to third party services.

The security challenge here is complex.  Businesses would like to trust their users to engage in social networking for work and for pleasure, but even the best online security training for staff will still leave gaps as people’s awareness and attentiveness wanes over time.  Blocking the services entirely is undesirable, which just leaves blocking of URL shortening services in email and at the web proxy as a counter-measure.  This of course cripples one of Twitter’s more useful benefits, the ability to quickly share interesting and useful links.

Ultimately the best on-premises solution a business can implement will still be vulnerable without better inbuilt security measures for social networks.  But as long as these networks remain free and open for anyone to use they will often lack the resources to invest in security even as they continue to attract malicious users.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Botnets Now On Twitter

Hackers are using the high profile nature of the attack to spread scareware. They are poisoning search engine results so that people searching using the keyword Cyxymu will be given results that redirect to malicious sites that push rogue anti-virus programs.

Spammers are also exploiting the attack. A new flood of spam has been detected that claims to be a grammatically garbled apology from Cyzymu and links to his blog. Experts say it is likely an attempt by those behind the DDoS attack to further alienate him and get him in trouble. His actual email address was spoofed, and as a result his email box was probably flooded with bounce messages, out of office auto responders, and similar noise. This, experts say, was the attacker’s way of sending a message to Cyzymu, and the link to the blog is an attempt to send a flood of traffic to the site in hopes of crashing it.

While it’s not yet known exactly who is responsible for the initial DDoS attack or the spam and malware attacks spawned from it, Cyzymu has told news outlets that he believes the Kremlin is behind it all.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

DDoS Attack Against Georgian Blogger Inspires Spam, Malware Attacks

There has been very little news about the Twitter spam attack other than the one notice on Mashable, which has been circulated far and wide. Twitter’s own blog hasn’t said anything about it–but then again, the past day, Twitter has been hard to find, since it got hit by a denial-of-service attack yesterday and the site went down. There may be no connection between the denial-of-service attack and the wave of spam–Twitter is after all, what you might call an “attractive nuisance” that attracts all kinds of evil-doers.

Given these recent attacks, one asks should Twitter be allowed in the workplace? There’s no clear answer, except for “it depends.” Marketing people use it to good advantage to keep partners and customers informed. But one thing’s clear, workers need to be informed of the potential risks. Already, there have been many cases of malicious Twitter spam that contains links to nasty web sites that contain malware that could infect the computer or the entire network. Follow Twitter links at your own risk. This is especially dangerous as Twitter uses the abbreviated URLs, making it difficult to tell whether you’re being sent to a legitimate site.

This isn’t the first time compromised Twitter accounts have been used to send out spam. Just a few months ago in March, 750 accounts were hijacked to send links to porn sites.  And the spammers are on top of Twitter, and they’re apparently promoting its use at “Spam University,” or wherever it is they go to learn their trade. There are already commercial Twitter spamming tools out that can generate bogus Twitter accounts automatically for sending out ads.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Twitter hit by spam wave

Phishing attempts in email are still rising as well. Most of these attacks target banks and other financial institutions; in fact the top 2 targets of phishing attempts between January and June of this year were Bank of America and Paypal. While in the past phishing emails and the fake sites they lead to could be easily spotted due to their extremely poor grammar and sloppy formatting, experts are finding that more recent phishing attacks have shown a sharp rise in attention to detail with nearly perfect layouts and error-free grammar. Of course they still can’t hide the true destination of their fake URLS though. Hover your cursor over the link (don’t click) and the real URL will be revealed in the information bar.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Study Finds Phishing Scams Fool Over 55,000 a Month

Those that did so had their Twitter account promptly spam everyone they are following with the same question and link, and if they happened to click on any of the people in the gallery of thumbnails the site claims are people that visited their profile (but they didn’t-there is no way for a site to be able to collect that kind of information), their account automatically followed them-and of course spammed them with the TwitViewer link. All in all a very slick phishing scheme.

How do your users protect themselves? Simple-tell them to never ever give their usernames, passwords or any other personal info out to sites like TwitViewer and better yet, to be very careful what links they click on in their Twitter feeds. This is admittedly hard to do thanks to the URL shortening services that are a must because of Twitter’s strict 140 character limit. A good rule of thumb is to never click on links offered from anyone you don’t know very well.

The good news is that the TwitViewer site is now down, but the bad news is the site owners say they will return with a new domain.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Twitter Users Hit By Malicious TwitViewer Spam

URL shortening services allow Twitter users to share URLs with each other without concern for the length of the URL.  For example, http://www.veryinterestingwebsite.com/funny-video (49 characters long) can be shortened to http://tr.im/s74hs (a mere 18 characters long).  There is no doubting that this is convenient for services such as Twitter, but it really serves no useful purpose for normal email communication.

As Microsoft’s Terry Zink points out:

“I checked out all of these sites… and I couldn’t believe the insecurity running on them! It was unreal! All I had to do was enter in a URL, click the button and bam — I had a compressed URL ready for me to use.

There was no CAPTCHA on the site either, so all that would need to be done is have a spammer write a script to plug tons of these things in there. A spam filter could not easily key on the URL in the message to block the message since the root domain is all the same; the filter would have to travel through to the site and then extract the URL to see if it was good or not.”

In other words, to safely check each shortened URL that is in an email message the anti-spam server would need to follow that URL to the URL shortening service and be redirected to the real URL that it leads to.  This is not a trivial amount of time and computational effort, especially for a server checking hundreds of thousands of email messages every day.

So why permit them at all?

Some email users may be using these services to share perfectly harmless URLs in messages but it is a fairly pointless exercise because:

a) It raises suspicion that the real URL is being hidden for malicious reasons; and

b) There is no character limit on email messages so no compelling reason to use shortened URLs to begin with.

Given these two points, and the risks that these services are presenting, some email administrators are simply blocking all messages containing shortened URLs.  Lists of popular URL shortening services such as this one at Mashable can be found by a simple Google search.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Prevent Phishing by Blocking URL Shortening Services

          Sky News Online has reported a Habitat spokesman as saying: “This was a mistake and it is important to us that we always listen, take on board observations and welcome constructive criticism. We will do our utmost to ensure any mistakes are never repeated.”

The company has not issued an apology on Twitter but did quietly delete all the spam tweets it posted. It’s not clear why they felt hashtag spamming was okay to do, although they told a blog that it was done without their knowledge. That sounds a little hard to believe but it wouldn’t be the first time a rouge employee was blamed for a blunder that became a PR nightmare.

The moral of the story? Twitter can be a valuable tool to help you reach out to customers and potential customers, but tread carefully and follow the rules. Spam is no more acceptable there than it is anywhere else.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

UK Furniture Company Apologizes For Exploiting Iran Conflict in Twitter Spam

As email became a crucial business tool the spam problem rose rapidly to become the major problem it is today.  Regular research is released that puts spam at over 90% of global email traffic.  Despite this not every business takes it seriously enough to actually do something about preventing it.  Those that do will implement a quality anti-spam solution for their email and continue about their business hopeful that it will protect them from those on the internet with malicious intent.

However as the web evolves new spam threats have emerged that also need to be considered by businesses.

Email Spam

Email spam is a continually shifting landscape of new threats as spammers develop new techniques.  For example, spammers have gone from putting spam content in emails, to putting it in file attachments, to putting it in password-protected file attachments, to putting it in image files, to putting it on web pages that they link to, each technique intended to keep them a step ahead of anti-spam vendors and the protective measures built in to their products.

Spammers have used, and continue to use, home PCs on broadband connections that have been compromised by viruses.  When these don’t work thanks to RBL providers such as Spamhaus, they turn to free webmail services and simply break through the CAPTCHAs that are in place by breaking their algorithm or simply paying people in developing countries to manually enter the CAPTCHAs for them.

This continually evolving threat highlights the need to deploy serious protection for email spam.  A “bits and bobs” solution cobbled together from separate free components will not have the effectiveness of a comprehensive, integrated anti-spam product from a vendor committed to ongoing support and protection for new threats.

Social Networking

The emergence of social networking has changed business communication forever.  Although email remains critical to businesses more and more we see interaction occurring outside of email using social networking services such as Facebook and Twitter.  Staff may be using social networking only for personal use, but business use is also becoming common.

The threat posed by social networking is that messages will not be scanned or filtered by an email anti-spam solution. This leaves users open to phishing attempts and scams.  Although web filter technology can be used to simply block these services entirely, that makes them unavailable for genuine business use.

A better solution is one of user education.  Although social networking fosters close relationships with people around the world the same level of suspicion should be applied to social networking interactions as it is to email.

URL Shortening Services

The explosive popularity of Twitter has lead to an equal explosion in the use of URL shortening services.  These services convert a very long URL into a much shorter one, making them perfect for the limited space available in a Twitter post.  Because of this their use is spilling over to other social networking services, and also being used in emails.

The problem presented by these services is it disguises the true destination of the URL, which can thwart content filters that check for URLs for domains with a reputation for spam.  I was recently working at a customer site where all such URL shortening services were outright banned, which is a short sighted approach to the problem.  Given that the URL redirects the browser to the real destination, and that destination is still accessed via the same web proxy, the proxy could still apply URL filtering to the ultimate destination.

Rather than viewing URL shortening services as the problem, a better solution is to ensure that all web traffic is subject to URL filtering that will block known malicious websites.  This makes web filtering part of an overall anti-spam solution, by protecting users from malicious short URLs sent via email or over social networks.

Free File Hosting

Terry Zink of Microsoft recently considered the problem of free file hosting services and who is responsible for scanning the content stored in them for viruses.  The spam problem here is an email saying “Check out this important file…” which links to a malicious file at a free hosting service run by an otherwise trusted and reputable web company.

He makes a good point but businesses don’t need to wait for the problem to be sorted out by the providers, nor do they need to be blocked entirely which deprives users from making genuine use of them.  Instead the same approach can be taken as for URL shortening services.  By utilising web filtering that scans file downloads the threat can be greatly reduced.

Comprehensive Strategy

As new threats emerge it demonstrates a need to consider spam prevention not just in respect to email, but for all online interactions that our end users might engage in.  With a combination of email protection, web filtering, and end user education a business can be protected from these threats as they evolve.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Dealing With New Spam Threats to Business

How they do it is disturbingly easy. They simply do a search on the phrase “email me at” and/or on a specific domain or domains. An example would be something like: aol.com OR yahoo.com OR “email me at”.  The result is a nice collection of email addresses ready for the spammer to add to his database.

          “You can sit and just watch the email addresses steadily trickle in,” said Twellow’s lead developer Matthew Daines . “I wouldn’t doubt it if spammers are harvesting these. It would be trivial to write a script that gathers these addresses. They could have several hundred thousand over a few weeks at the rate they trickle in. The Twitter stream really weeds out all sorts of irrelevant data and cuts right to the email addresses within 140 characters, so it’s a lot less intense, and would require very little coding skill.”

Since Twitter’s TOS clearly states they are not responsible for what people put in their tweets, don’t look to them to do anything about the problem anytime soon. Instead, have your employees refrain from putting their emails in their tweets (tell them to ask to be DM’d instead), and don’t ask your customers to provide theirs. Direct Messaging is much safer. Don’t make a spammer’s job easier!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Email Harvesting Latest Twitter Problem