Planet Antispam

Box Of Meat: Word to the Wise: I need IP addresses for reputation

2009-11-03T20:14:57+00:00

Word to the Wise: I need IP addresses for reputation:

“Reputation is tied to sending IP address, but receiving ISPs aren’t stupid and do recognize attempts to game the system. …The bad customers will drag your reputation as an ESP down more than the good customers will pull it up.”

Box Of Meat: Jart Armin in Internet Evolution: Terror Attacks Now Funded Mostly by Online Fraud

2009-11-03T19:13:53+00:00

Jart Armin in Internet Evolution: Terror Attacks Now Funded Mostly by Online Fraud:

“Fraud, and Internet fraud in particular, is increasingly used as a source of funding for terrorists, as traditional supply routes from donors are squeezed by tighter regulations….”

Box Of Meat: Washington Post Security Fix: Uptick in 'money mule' scams

2009-11-03T18:12:53+00:00

Washington Post Security Fix: Uptick in 'money mule' scams:

‘The Federal Deposit Insurance Corporation (FDIC) is warning financial institutions about an uptick in scams involving unauthorized funds transfers from hacked online bank accounts to so-called “money mules,” people hired through work-at-home scams to help cyber criminals overseas launder money.’

The article goes on to explain exactly how this works, with detailed examples.

Box Of Meat: Email Service Guide: Protect Yourself Against Phishing

2009-11-03T17:11:14+00:00

Email Service Guide: Protect Yourself Against Phishing:

“As fraudulent email scams become more sophisticated, the average user must become proactive regarding their online security. Armed with common sense and the knowledge of what you should be looking out for, anyone can learn to avoid phishing scam and protect themselves from becoming another victim.”

This is one of the best articles I’ve seen on the subject.

Box Of Meat: Spamhaus Blog: Some Good News From Downunder

2009-11-03T16:09:12+00:00

Spamhaus Blog: Some Good News From Downunder:

“Two New Zealanders…have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet…. The operation paid affiliates around the world to send spam emails marketing Herbal King, Elite Herbal and Express Herbal branded pharmaceutical products….”

Box Of Meat: Graham Cluley's blog: Hacked iPhones held hostage for 5 Euros

2009-11-03T15:07:44+00:00

Graham Cluley's blog: Hacked iPhones held hostage for 5 Euros:

“Many iPhone owners have jailbroken their devices to allow it to run unofficial code, avoiding Apple’s official App Store. However, some users forget to change the default root password on their device (which is common to all iPhones) - opening a door for potential intruders.”

Enemieslist: new pats posted - 20091102 (maintenance pats release)

2009-11-02T23:00:34+00:00

44862 patterns, 11493 right anchor strings, 187603 test IPs.

Some more contribs and updates. There were several interim releases since
10/31; I'll continue to do this and only mention major releases from now
on. Eventually, we will move to a more automated publishing model and
I'll have to figure out whether anyone finds these notices useful or if
I will just stop doing them altogether.

Also note that the rbldnsd zone file now has support for 'cloud', using
response code 127.0.0.12. Currently only a few of these, but the field
is growing, so expect more to come. This may be used via the most recent
sendmail package, and I've updated the SpamAssassin plugin to support it
as well.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091102

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091102

Box Of Meat: CyberCrime & Doing Time: Facebook Safety & Million Member Facebook Groups

2009-11-02T22:15:47+00:00

CyberCrime & Doing Time: Facebook Safety & Million Member Facebook Groups:

‘Would you like to see the secret truth about why people create “million user groups”?

Enter the seedy world of the online advertiser. Not the Madison Avenue advertising companies, but the punks who sit at home and devise ways to advertise their wares through spam, SEO (search engine optimization), and social network spam. They are making more money than you, and filling our lives with virtual junkmail, and in many cases, malware.’

Box Of Meat: MIT news: Secure computers aren’t so secure

2009-11-02T21:15:46+00:00

MIT news: Secure computers aren’t so secure:

“The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.”

Al Iverson's DNSBL Resource: Status of dnsbl.karmasphere.com: SHUTTING DOWN

2009-11-02T20:36:04+00:00

As messaged to the Karmasphere-Users and Karmasphere-Announce mailing lists, the Karmasphere Reputation Services data feeds are being retired. This means that the associated blacklist(s), including the karmasphere.email-sender.dnsbl.karmasphere.com DNSBL zone, and any other DNSBL/DNSWL zones under karmasphere.com. It is unclear to the author if karmasphere.org is similarly affected. Karmasphere

Box Of Meat: Google Operating System: Why It's a Bad Idea to Send Huge Files by Email

2009-11-02T20:15:46+00:00

Google Operating System: Why It's a Bad Idea to Send Huge Files by Email:

“People who demand large message size limits rarely understand the limitations of the email transmission.”

This article describes those limits in a way normal email users might understand. (Kinda. Maybe.)

Box Of Meat: John R. Levine: How do you test spam filters?

2009-11-02T19:15:18+00:00

John R. Levine: How do you test spam filters?:

“Everyone who uses e-mail needs spam filtering, and some filters definitely work better than others. Some people we know were trying to design tests of filter quality, which turns out to be extremely difficult.”

Box Of Meat: Веб безпека: Dark side of bookmarks

2009-11-02T19:04:04+00:00

Веб безпека: Dark side of bookmarks:

“Bookmarks create conditions for conducting of persistent attacks, because bookmarks are saving at computers of the users. So every of above-mentioned attacks is persistent attack, which can trigger in any time, when user will choose bookmark in his browser.”

Spam Wars Dispatches: Party Pooper

2009-11-02T18:40:50+00:00

Here's another guy who, depending on his business relationship with the final destination web site, could make a bundle by simply spamming the notion of a party:

Subject: Party reminder
Hello dannyg,

Party reminder
http://www.[removed].cn/

Best regards,

Tatum Hikel
2009-11-02

If you put this message into the mailbox of every single-ish Gen-[late letter of the alphabet]er, how many would follow the link? I'll bet it's a pretty high percentage, despite the Chinese domain name. And how many of those responders have ever heard of Tatum Hikel? Zero percent.

I can't tell you for sure what's at the end of the link — whether it's selling medz/warez/knockoffz or performing a drive-by malware download — because the spamvertized site uses a server redirect to the actual destination. I chose not to follow the redirect (I don't use a typical browser for these initial investigations) because it's possible that the spamvertized web site pays for referrals: Let some poor schlub take the risk and expense of spamming, while the seller pays a pittance for every visitor whose referring web site (automatically tracked by almost every web server) belongs to the schlub. I simply don't want the spammer to gain the tiniest fraction of a yuan from my curiosity.

Unfortunately, such will not be the case of all those whose main mission in life is to party hearty.

Box Of Meat: louisgray.com: The Blurry Picture of Open APIs, Standards, Data Ownership

2009-11-02T18:03:14+00:00

louisgray.com: The Blurry Picture of Open APIs, Standards, Data Ownership:

‘Companies are practically falling over one another to show they have embraced developers or users, letting data stream in and out of their products, while avoiding words like “proprietary” and “closed”, which are PR death. But as you might imagine, the very definition of “open” can vary depending on who you talk to, what the service’s goals are, and how they may leverage existing standards on the Web.’

(via Persona Prime)

Terry Zink: Microsoft’s Security and Intelligence Report, v7, now available

2009-11-02T17:41:48+00:00

Every 6 months or so, Microsoft releases its Security and Intelligence Report for the previous 6 months of the year. SIRv7 is now available here. This is a very comprehensive document covering topics from the entire threat landscape that Microsoft is involved with combating. This year’s report contains three key messages:

The redistribution of knowledge – Microsoft’s level of security intelligence will be unmatched and provided to individuals and organizations to help them make better security decisions.
OK, so what else is new? – The SIR contains the information that is relevant to people right now.
What do I do now? - The SIR allows people to assess where they are and what action they need to take.

I thought I would post an excerpt from the Executive Foreword. I think that this highlights the theme of this current SIR.

Welcome to the seventh installment of Microsoft’s Security Intelligence Report, which I hope you will find is the most extensive and comprehensive edition to date. The cover story in this report looks back at the major threats that have attacked customers over the last 10 years, and then the report drills deeply into the current threats that you need to understand and includes what you can do to best manage your risks.

At Microsoft, we remember the pain past incidents caused our customers and we reflect on them frequently. In particular, the Slammer and Blaster attacks that disrupted the Internet in 2003 are vivid reminders of the responsibility we have at Microsoft to ensure our products are as secure and privacy enhanced as possible.

As you can see from the timeline above, 2003 and 2004 were difficult times. [tzink note: see the report for a better image] But, you can also see that since then, major security incidents have become less and less frequent. From the data in this report, you’ll also note that the scope and impact of major events have changed, as well. For example, from the press surrounding the Conficker worm that has been attacking customers over the past year, it’s easy to conclude that Conficker is just as widespread and impactful as Slammer or Blaster—but in most respects, it hasn’t been. In 2003, Blaster became one of the most prevalent threats impacting home PC users. Six years later, Conficker didn’t even make the Top 10 list among this audience. I don’t want to minimize the pain that many of our customers experienced fighting Conficker, because, as you’ll read in the report, it was the top threat detected and cleaned in enterprises in the first half of 2009, but Conficker emerged in a much different software industry than Slammer and Blaster.

Indeed, the software industry has matured a great deal since the days of Slammer and Blaster. Since 2003, the software industry has improved its ability to mobilize and coordinate resources to fight threats… The Conficker Working Group (CWG) was founded earlier this year, establishing a new model for how the collective industry can work together to mitigate global threats.

The industry was able to proactively get ahead of Conficker by discovering the vulnerability before attackers could use it in widespread attacks. The Security Science team at Microsoft was able to find the MS08-067 vulnerability, which Conficker uses to propagate, and work with the Microsoft Security Response Center (MSRC) to release its update before attackers could use it for a Blaster-type attack. Our industry partners helped protect many customers from attack via the Microsoft Active Protections Program (MAPP). MAPP supplies Microsoft vulnerability information to security software partners prior to security update releases from Microsoft… This program enabled the majority of MAPP partners to provide protections to their customers for Conficker 24 hours after the MS08-067 security update was released. This meant that many customers were protected up to a week earlier than traditionally possible, and certainly much earlier than customers could obtain such defense-in-depth protections and threat mitigations in 2003.

With the vulnerability that Slammer exploited, many administrators didn’t know whether they needed to apply a security update or that it had to be applied manually. Today, customers are notified and protected much faster; multiple communications channels exist to help customers find and understand information on security vulnerabilities. Security advisories help draw attention to security issues as they unfold, and provide customers with critical information before security bulletins become available. Microsoft’s advanced notification service provides customers with an insight into the number and nature of security updates that Microsoft will be releasing each month so they can plan more effectively for the deployment of the updates. Security bulletins provide information on vulnerabilities, along with workarounds and mitigations.

…

The progress that the software industry has made to better protect systems and customers might be small consolation to the users of those 5 million systems that were infected with Conficker in the first half of 2009. Still, it is a significant step forward, given that more than 100 times as many systems were protected from Conficker. This is in stark contrast to the Slammer and Blaster attacks of 2003 where many, many more systems were infected. The industry will continue to work together to make the frequency, scale and scope of emerging threats as minimal as possible.

We thank you for your help and efforts to protect the ecosystem, and look forward to continuing to work with you to create a safer, more trusted Internet.

George Stathakopoulos
General Manager, Trustworthy Computing Security
Trustworthy Computing Group

More excerpts to come over the next few days highlighting global trends in the threat landscape.

Box Of Meat: TechCrunch: How To Spam Facebook Like A Pro: An Insider’s Confession

2009-11-02T17:03:18+00:00

TechCrunch: How To Spam Facebook Like A Pro: An Insider’s Confession:

“…being able to dynamically insert user data into an ad, disguising the ad to seem like part of the application, lack of enforcement by the social networks, and billing the parents’ cell phone – well, it’s no secret what happens next.”

A fascinating look into how deceptive advertising appears on Facebook and other social sites, and how the perpetrators fool both Facebook and their users into letting it continue.

Box Of Meat: TechCrunch: Scamville: The Social Gaming Ecosystem Of Hell

2009-11-02T16:03:22+00:00

TechCrunch: Scamville: The Social Gaming Ecosystem Of Hell:

“Major media can’t stop applauding the companies long enough to understand what’s really going on with these games. The real story isn’t the business success of these startups. It’s the completely unethical way that they are going about achieving that success.”

Spamresource.com: Karmasphere Reputation Services Shutting Down

2009-11-02T13:46:28+00:00

Karmasphere, founded in 2005 by Meng Weng Wong as a reputation service provider, provided some neat tools, allowing any Joe internet user to publish their own blacklist or whitelist. Neat! How does one make money doing that? Sounds like they weren't too sure, either, based on the email I received on Monday, November 2nd, 2009.

D.J. Stewart of Karmasphere posted the following message to the Karmasphere Users and Karmasphere Announce lists:

As a registered user of Karmasphere Reputation Services, we wanted to let you know that we are discontinuing the service, effective November 16, 2009. If you are using the services through DNS, BQuery or email plugins, please make plans to adjust your configurations ideally prior to November 9 and no later than November 16, 2009.

On that final date, we will disable the reputation servers so that you can no longer query them. Anybody who still has not removed Karmasphere's reputation service from their mail configuration when this happens may find that their mail servers appear to slow down while they wait for their queries to Karmasphere to time out.

You may be thinking "why are they doing this?". The answer is that we are moving the business in a different direction. We have applied the experience gained in manipulating and analysing large data sets in reputation services into developing software that makes it easier to use Hadoop.

This change in focus means that we no longer have the time nor resources to give the reputation service the attention it deserves. Rather than letting the service slowly decay, we are ending them.

This end of service will proceed in the following stages.

Stage 1: To November 9, 2009
Our services will continue as they have for the past 4 years.
This gives you a chance to remove karmasphere's feeds and feedsets from
your mail server configurations.

Stage 2: November 9 - November 16, 2009
Our servers will continue to respond but our feedsets will whitelist
everything.

Stage 3: November 16, 2009
The reputation servers will be turned off.

Thank you for using our services.

The Karmasphere Team.

Spamresource.com: Two New Zealand Spammers Fined

2009-11-02T11:01:21+00:00

Vincent Hannah of Spamhaus reports: "Two New Zealanders well known to Spamhaus have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet, officials of the nation's Department of Internal Affairs (DIA) said on Monday.

"They were part of a business based in Christchurch that sent more than two million unsolicited emails promoting Indian-made herbal products to New Zealand addresses over four months in 2007, the DIA reported.

"Shane Atkinson was fined $100,000 New Zealand dollars (USD71,600) and Ronald Smits $50,000 in the Christchurch High Court last week, the DIA said in a statement."

Read the rest here.

Sophos Blog (Spam Category): Mal/Iframe-N: Another winning infection?

2009-11-02T09:09:23+00:00

Back in May, we posted some stats on the prevalence of Troj/JSRedir-R. Last week, I asked was Mal/Iframe-N: The next big threat?. Looking through our stats on malware hosted on websites this morning I saw that Mal/Iframe-N fifth in the overall stats for October.

Looking at the latter part of the month from the 21st (when the detection was published) onwards.

Mal/Iframe-N is clearly first and if the results are extrapolated for the whole month Mal/Iframe-N should have easily beat Mal/Iframe-F into second place!

Late last week, I downloaded:

2819 infected URIs infected with Mal/Iframe-N
hosted on 2294 different domains
with 163 different TLDs including:

.edu.in
.edu.tr
.edu.tw
.edu.ua
.ej.am
.eng.br
.es
.eu
.fi
.fr
.fr.cr
.ge
.go.th
.gov.br
.gov.pk
.gov.tr
.gr

I have had a few correspondences with other security researchers regarding this threat (see iframes are EVIL! Hate Zeus!) particularly with Unmask Parasites who has gone into more details of this type of threat (see 1, 2) who like me originally thought that the ‘onload’ attribute wasn’t legal in an iframe. Two things changed my mind:

Visiting an infected site on a goat machine.
The number of infected sites (>40, 000).

In someways the second fact is more persuasive as malware authors don’t tend do things for no reason.

Box Of Meat: The Next Web: Spam Arrives In Twitter Lists

2009-11-01T22:06:51+00:00

The Next Web: Spam Arrives In Twitter Lists:

“We now have a confirmed example…of spam lists being created to promote…the propagator of those lists.”

Spam Wars Dispatches: Spam, 1980s Style

2009-11-01T18:19:43+00:00

One semi-advantage of being the old fart that I am is that I have seen a lot in my many years and can recognize things from decades ago (just don't ask me where I set down my car keys). Such is the case with a spammer doing most of his operation out of China who is using what is known as ASCII art to convey his message.

Put on your time traveler hat, and set the dial to the early 1980s, when personal computers usually printed on fanfold paper, most commonly in a monospaced typeface. That is, every character, whether the slim "i" or fat "w", occupied the same horizontal space in a line. It not only made it easy to line up columns of numbers for boring reports, but also provided an invisible grid that could be replicated in every printer. By carefully placing letters in positions on the grid, one could create a mosaic-like piece of art. When viewed at a bit of a distance, the "image" could be plainly seen. This technique actually started back in the early typewriter days (late 1890s), moving onto clattering teletype machines, and, in the computing days, became known as ASCII art (named after a standard character set).

ASCII art is almost a lost art because these days printers and computer screens successfully render proportional font families, which are generally more pleasing to read. And if there is one thing that a proportional font does really well, it's screw up ASCII art that depends on a monospaced font.

But that didn't stop our spammer from using HTML and a tag that renders in a monospace font to convey his medz and warez spam message (a one-stop shopping spammer) via the lowercase "g" character:

For extra measure, this guy surrounded the ASCII art portion with fragments from English poetry (Ralph Waldo Emerson and Lord Byron, respectively) — a common hash-busting technique to trick content filters.

Yawn.

John R. Levine: How do you test spam filters?

2009-11-01T04:11:03+00:00

(Thanks to Chris Lewis for permission to adapt this)

Everyone who uses e-mail needs spam filtering, and some filters definitely work better than others. Some people we know were trying to design tests of filter quality, which turns out to be extremely difficult.

What one might call 'filtering quality' assessment, should be the very very last step after "does it have the features I want?", "does it install/is it supported/supportable?", "does it crash?", "does it make lots of stupid mistakes?", "is it likely going to compare favorably with what we already have?".

You have to do the latter before the former. The latter is relatively easy. The former is what people keep asking about, and is the really really hard part to do right.

One approach is cloning a real-time stream of mail and feeding it to both the current production filter and the one under test. If you do that, you're constrained to comparing the results of the two versions. This can be a considerable privacy concern even if you can check every email. On high volume streams it starts becoming quite difficult to compare the differences for validity, especially if you don't have much to start with in production. (Surprisingly, we tend to find that at least in the high volume, automated spam filters tend to be more accurate than humans are.)

Worse, there's the difficulty of cloning the stream accurately enough. At the simplest level, do you lose the source IP address due to passing the mail through a server that does the cloning? At a higher level there's the loss of ability to deal with actual SMTP-level interaction details. Filtering techniques that use real-time characteristics of the mail stream are very difficult to clone.

As a case in point: you can't clone to a greylisting or banner delay system and expect useful results. The filtering itself is based on the sending system's reaction to a temporary failure rejection. But a sending system can't react two different ways at once based on the two (or more) receiving systems on the same email transaction. Other techniques are equally difficult to clone, such as "nolisting" which uses a fake unreachable primary MX--it either is or it isn't, but can't be both.

Another aspect is filter training for filters that adapt to the mail stream. How do you train a real-time cloned Bayes-ish filter if the end-users aren't seeing its results? Imagine testing an end-user-trained Bayes as the cloned-in system. How do you train the thing if your production system is rejecting spam before the user sees it? Even if you can, can you tie in the new system's knobs to what you already have? Many systems can't.

Truly effective filtering systems tend to be a hybrid of many different techniques. Generally at least a few of them won't be amenable to cloning.

I was part of a working group trying to do A:B testing of filtering products. I have a enough experience that I was able to pick a lot of holes in the more naive proposals. The various filtering vendors' technies who were also participating found a lot more as we tried various other ideas.

The only thing that works is live production testing. If your environment is large enough, you can split your MXes between the old and new, giving separate but, one hopes, similar mail streams to the two and compare the results. If it's not possible to split run each candidate for at least a week. The latter was the end-point suggestion we came up with. I think they finally realized that their mail flow was too small for validity, and perhaps it was too scary to try to use random new filters on production.

In our shop, we roll out new tools to small subsets of users. Since our filters permit us to forward filtered mail out of quarantine, and our filtering method provides feedback for false positives, we get to find out whether something's wrong when it can't do "too much" damage.

This is a great idea for environments that can do this.

Environments (or, rather, software) that can't do this are simply ineligible for evaluation due to missing critical features. Or to put it another way, quarantine, forward-out-of-quarantine, and "reject, notbounce, with message for remediation" features are critical business requirements. While other environments can do with somewhat less, I feel the latter at least should be a MUST.

We've decided that certain filtering methodologies are simply unacceptable, such as, rejection notification by bounce rather than SMTP reject.

Secondly, we consider the process around "wrong filtering choices" to be just as much a part of the system as the filtering is. Checks and balance on the filtering (eg: rejection with remediation instructions, quarantine etc) are designed in from the beginning as part of the overall system.

As a concrete example, you can be really aggressive in your filtering if you have (a) a way of finding out when you goof and (b) you have tools to remediate it. Blocking a huge IP range isn't so scary if you know you will find out what spots you shouldn't, you can unblock those spots as needed, and you can "undo" the filtering simply by forwarding in the applicable hunk of quarantine.

We're probably FAR more aggressive in filtering than most simply because we can "undo" portions of that aggressiveness. It's routine. Just another designed-in aspect of the filtering system. This sort of thing is notably absent in most vendor offerings.

That said, other installations can do without these features, but should be able to simulate their results with respect to measuring effectiveness and false positives in one way or another.

However, is this something you do during pre-production launches of new products that you know you'll eventually be deploying across the board? Or do you do this as a part of your normal evaluation processes for any product?

This tends to be a final stage of evaluation of new systems or new features. Generally, they go through a test on the trap first to see if they're in the ballpark--primarily based on overall metrics with some spot checking of individual results. The latter gives you a good idea whether it's worth the risk of putting in production. The former tells you whether it's better than what you had before. Few outside products have ever made it to production testing.

Enemieslist: new pats posted - 20091031 (maintenance pats release)

2009-10-31T22:33:29+00:00

44806 patterns, 11494 right anchor strings, 187523 test IPs.

Some more contribs and updates. There were several interim releases on
10/30; I'll continue to do this and only mention major releases from now
on. Eventually, we will move to a more automated publishing model and
I'll have to figure out whether anyone finds these notices useful or if
I will just stop doing them altogether.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091031

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091031

Box Of Meat: Overheard in the Newsroom: 2070

2009-10-31T18:04:57+00:00

Overheard in the Newsroom: 2070:

‘To PR person on phone: “I would love to receive your email updates, but I’m afraid they would just clog up my Spam filter.”’

Box Of Meat: Al Iverson's Spam Resource: Ask Al: Bad things happening?

2009-10-31T17:03:17+00:00

Al Iverson's Spam Resource: Ask Al: Bad things happening?:

“…unless AOL has suddenly implemented a new policy of picking up a bus full of day laborers from the parking lot in front of the Home Depot, driving them over to your home, and beating you with zucchini while you sleep fitfully on a carpet remnant in your unheated basement…”

Box Of Meat: Techdirt: It Doesn't Matter How Many Twitter URLs Are Malware... Only If People Are Clicking

2009-10-31T16:02:59+00:00

Techdirt: It Doesn't Matter How Many Twitter URLs Are Malware... Only If People Are Clicking:

“The real question should be how often are people getting malware because of clicks on Twitter.”

Box Of Meat: Seth's Blog: Opt in and opt out

2009-10-31T15:02:08+00:00

Seth's Blog: Opt in and opt out:

“I think there are a few general principles that could save us time and money and hassle….”

Silent Noise: "Do Not incriminate your self ...."

2009-10-31T12:44:04+00:00

Spam pointing me to germanfriendfinder, claiming to come from "Singlesnet Customer Service".
Asking me if I want sex tonight.
Well, I'm not going to Germany for it.

And it is a very long time since I saw this "disclaimer".

P.S Do Not incriminate your self by reporting a faulty Spam complaint if
you have not attempted to get removed first.
end an email to the following
address:
mailto: [removed]
This email was sent to you because you are a valued customer. If you no longer like to receive our advertisements,
5776-D Lindero Canyon Rd #179, Westlake Village, CA 91362 USA

MillerSmiles Phishing News: UK tax phishing scams on rampage

2009-10-31T12:00:00+00:00

Many variations of UK tax reclaim scam currently circulating net

Sophos Blog (Spam Category): There’s Malware on Elm Street this Halloween … with pumpkins!

2009-10-31T11:11:33+00:00

It appears that this Halloween the malware writers preferred choice of infection vector is by using SEO (Search Engine Optimization) techniques to poison popular search terms.

We at SophosLabs have seen relatively few email campaigns that exploit Halloween this year, but there have been plenty of campaigns pushing malware loaded URL’s into festive search terms.

We have various Fake AV families featuring highly:

and

Which leads to the familiar:

and

There are also families that pose as fake media codecs exploiting Halloween to push their wares:

As users wise up to the dangers of email attachments we are seeing SEO poisoning becoming a more and more popular attack vector.

Sophos detects this years nightmares variously as Mal/FakeAvJs-A, Mal/Krap-A and Mal/EncPk-LH.

Enemieslist: new pats posted - 20091030 (maintenance pats release)

2009-10-30T21:14:57+00:00

44767 patterns, 11495 right anchor strings, 187454 test IPs.

Some more contribs and updates. There were several interim releases on
10/29; I'll continue to do this and only mention major releases from now
on. Eventually, we will move to a more automated publishing model and
I'll have to figure out whether anyone finds these notices useful or if
I will just stop doing them altogether.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091030

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091030

Box Of Meat: The Last Watchdog: Unstoppable new phishing attacks blanket Facebook, Twitter, Hotmail

2009-10-30T21:05:52+00:00

The Last Watchdog: Unstoppable new phishing attacks blanket Facebook, Twitter, Hotmail:

Read the article; this stuff is too big and scary to summarize.

Box Of Meat: DarkReading: New Honeypot Mimics The Web Vulnerabilities Attackers Want To Exploit

2009-10-30T20:04:53+00:00

DarkReading: New Honeypot Mimics The Web Vulnerabilities Attackers Want To Exploit:

“Glastopf uses a combination of known signatures of vulnerabilities and also records the keywords an attacker uses when visiting the honeypot to ensure it gets indexed in search engines, which attackers often use to find new targets. The project uses a central database to gather the Web attack data from the Glastopf honeypot sensors installed by participants who want to share their data with the database.”

Box Of Meat: guardian.co.uk: A people's history of the internet: from Arpanet in 1969 to today

2009-10-30T19:03:55+00:00

guardian.co.uk: A people's history of the internet: from Arpanet in 1969 to today:

“To mark the 40th anniversary of the first stirrings of the internet…we present an interactive documentary of your stories and videos, alongside our own research and interviews with key figures.”

(via gizmodo)

Box Of Meat: TidBITS Opinion: Why Email Remains the King of Internet Communications

2009-10-30T18:03:54+00:00

TidBITS Opinion: Why Email Remains the King of Internet Communications:

“It all comes down to two simple facts: email is based on open standards, and it’s the lowest common denominator for Internet communication. Any communication system that wishes to supplant email will need to offer both openness and ubiquity, and nothing available today comes even close.”

Box Of Meat: PC World: UK Police Smooth Over Rift With Internet Registry

2009-10-30T17:03:14+00:00

PC World: UK Police Smooth Over Rift With Internet Registry:

“U.K. police have apologized over a recent public presentation that linked a nonprofit Internet registry with money laundering by a notorious group of Russian cybercriminal gangsters.”

Box Of Meat: TechLaw: Obscenity in E-Mail Messages Judged by National Community Standards

2009-10-30T16:03:15+00:00

TechLaw: Obscenity in E-Mail Messages Judged by National Community Standards:

“In a nutshell, the defendants used spam to promote adult websites.

The court ruled that the appropriate standard for e-mailed obscenity is a national community standard…the application of a local community standard to e-mail speech was unconstitutional.

…the court remarked that domain name registrants who use [domain name] registration services that conceal the registrant’s true identity have materially falsified their registration information” - making it illegal under CAN-SPAM.

Box Of Meat: ClickZ: E-Mail Marketers Trip up on Quality Control

2009-10-30T15:02:20+00:00

ClickZ: E-Mail Marketers Trip up on Quality Control:

“In recent weeks the Email Experience Council (EEC), a leading e-mail [marketing] industry group, has come under fire in industry circles for a series of errors in its regular e-mail communications. While I agree that it doesn’t give a great impression when an ambassador of our industry repeatedly sends e-mail communications with errors, I don’t lay the blame solely at the feet of the EEC.”

Spamresource.com: Ask Al: Bad things happening?

2009-10-30T10:04:33+00:00

Perry writes, "I keep coming back to re-read your comments about AOL being the good guys. I must admit, that when our ISP is on their blacklist, bad things happen."

Well, unless AOL has suddenly implemented a new policy of picking up a bus full of day laborers from the parking lot in front of the Home Depot, driving them over to your home, and beating you with zucchini while you sleep fitfully on a carpet remnant in your unheated basement, I don't really believe that bad things are happening to you.

Truth be told, most responsible ISPs block mail based solely on a statistically-driven reputational computation. Meaning, your IP address sends unwanted or problematic mail, then its ability to transmit mail to that ISP is revoked. Usually not permanently, either. But keep in mind here, that this is driven by the mail being sent. It's reactive to the mail coming in. If AOL shut all of this off, stopped blocking mail from IP addresses that send bad mail, their entire mail system would probably collapse within twenty-four hours.

Also, keep in mind that when AOL blocks mail from your IP address, you're only blocked at AOL. They don't publish a blacklist. They don't make you get blocked at Yahoo or Hotmail. I wonder if perhaps your concern stems from noticing that when one ISP blocks you, other ISPs are likely to follow. If that's the case, there's no collusion; not even any coordination. Just multiple smart folks using their multiple sets of eyes to denote that you're emitting mail that their users don't want. AOL isn't causing other people to block your mail; AOL is the canary in the coal mine warning you that if you keep it up, you're likely to cause other ISPs to block you, just like AOL is doing.

Also, let's lose the hyperbole and misunderstanding about relationships and friendships. I get sick of reading about how "AOL must hate us" or "if only Yahoo knew we weren't bad guys." The ISPs don't think you're bad guys. It's not a question of making friends with them. Seriously, they don't hate you, they don't want to hate you, they don't have time to hate you. Keep in mind that you are one data point in a million. The solution isn't to buddy up to them. Ninety-nine percent of the time, the solution is to just stop emitting the unwanted mail.

Box Of Meat: CNET News: Facebook awarded $711 million in spam lawsuit

2009-10-30T04:57:08+00:00

CNET News: Facebook awarded $711 million in spam lawsuit:

‘Facebook was awarded $711 million in a judgment Thursday against self-described “spam king” Sanford Wallace.’

All Spammed Up: Facebook Wins Suit Against Spammer

2009-10-30T04:09:57+00:00

Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.

“While we don’t expect to quickly collect the full amount, we’ll work hard to get everything we can,” Simon Axten, a privacy and public policy associate at Facebook, said in a statement.

The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account’s friends list. In addition to the hefty judgement the three spammers face possible prison sentences.

Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace’s attempts to collect their judgement.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Wins Suit Against Spammer

Terry Zink: Live Free or Die Hard

2009-10-29T23:20:04+00:00

Spoiler alert.

This past weekend, I got a chance to watch the 4th installment in the Die Hard series, Live Free or Die Hard. I hadn’t seen the whole thing end-to-end before, only parts of it. It was nice to finally get a chance to see the whole thing.

Overall, I like it. It’s so far over the top that it’s completely unbelievable… but that’s the point. It’s supposed to be unbelievable. A jet plane flying around the city at low speeds and hovering like a helicopter in between parts of a freeway? John McClane getting hit by a car and walking away? Bad guys falling 20 feet onto concrete below and not even suffering a limp? Whatever.

But what about the basic premise of the story? In case you haven’t seen it, at the beginning of the film, various government agencies experience a major shutdown. Hackers infiltrate the computer systems of the FBI, departments of transportation, nuclear facilities… well, nearly every agency in the United States and they proceed to shut it down. The villain behind it is a disgruntled employee of the Department of Homeland Security who is a brilliant programmer and security expert. After the events of September 11, he warned his superiors that the nation’s cyber infrastructure was vulnerable to attack. Rather than listen to him, he was ignored and/of vilified, and fired from his job. To get revenge, the villain plots a major hacking operation to demonstrate to his superiors that they should have listened to him; this proves that the nation’s infrastructure is vulnerable. In reality, this is all a smokescreen as it is a diversionary attempt to steal billions, possibly trillions, of dollars of wealth. In the hacking world, the villain would be classified as a cyber warrior.

Of course there are some things in the movie that are completely unrealistic like the physical stunts above. Furthermore, why would the bad guys hack into a hacker’s computer and wait for them to hit the Delete key that detonates some C4, rather than them executing the explosion remotely? That seems a little inefficient to me.

But that’s not the question I want to address. What I want to ask is whether or not the nation’s cyber infrastructure is really as vulnerable to attack as the movie makes it out to be.

My answer? Unlikely. There are a couple of problems with this scenario:

The bad guy’s team was too small.

I counted a team of maybe 3 hackers on the bad guy’s team, not including himself. That is way too small a team to control multiple that much computer systems. Over here, we have a lot of people running a network that is not nearly as complicated as multiple government departments. It takes constant monitoring and tons of documentation to keep things running smoothly. And many times, things don’t run smoothly. It would take a very long time to code something up, test it, deploy it, and control it while evading detection during the entire time the operation was running.

Of course, something like that might be possible but three people is not enough. It takes forever to get done all of the stuff I mentioned. And it is very resource intensive. Nobody writes code that executes as perfectly as the villain’s does the first time they try it out. Of course, maybe they tested things but the government has a lot of independent systems. The left hand doesn’t know what the right hand is doing. So, you need guys who are familiar with each of the government’s various departments’ computer systems. And know how to control them. That just isn’t possible with 3 people.

The computer hackers running the operation would be busy all day trying to evade detection and the amount of psychological pressure on them would be intense (especially when your boss is holding a gun and waving it around, and his girlfriend could knock your teeth into next week). Nobody under that type of pressure avoids making mistakes, so you have to build automated mechanisms to control stuff for you. And if you do that, it takes time to code it. And if you take time to code it, even if you’re a great programmer, it’ll still have bugs. The flawless execution of their stuff was completely unrealistic without having back up teams responding to issues that would inevitably come up.
The nation is vulnerable to attack, but not in the way they made it out.

The uber-point of the nation’s security being vulnerable is correct, but not in the way they were making it out to be. In my first point, I say that the team is too small. I go on to say that government departments have all their stuff implemented differently. I don’t know this to be true, of course, but I surmise that each department built their stuff independently of each other. Some may have built their stuff on Linux and MySQL. Others may have used Ruby. Others, Perl. Maybe there is some Java, Exchange, PHP (ugh) and Oracle.

And when stuff is built independently, they don’t talk to each other. And when they don’t talk to each other, it is very difficult to take them all over simultaneously.

Furthermore, when computer systems get big, particularly when they were implemented in the 1980’s or 1990’s, they aren’t documented very well. If you work at a company whose infrastructure was written long ago, you’ll know how disorganized it is. The code is poorly written, you will probably have GOTO’s going to GOTO’s, and there is no written support. If you want to figure out what is happening, you have to “decompile” the code in your head or on paper. It’s a mess.

Thus, if an organization as large as the government is going to be attacked, what is more likely to happen is that rather than being controlled, it is more likely to be shut down than having control of it given to an external attacker. A hacker can break in and deploy a worm, but this is much more likely to cause systems to crash and not boot than it is give control to a remote user. Remember, it is not a single organization with a unified communication system, it is multiple computer networks that must be compromised and controlled.

Poorly written code doesn’t act like a cohesive unit. Instead, it deadlocks and becomes unresponsive. Memory leaks, and resources do not get released. It’s the equivalent of having large paperweights on your desks (like my IP phone at work) and servers that sit there, spinning their wheels and doing nothing.

When the governments of Estonia in 2007 and Georgia in 2008 were attacked, and when Twitter suffered a DDOS attack in 2009), they shut down the nation’s, or web site’s, computer systems but they didn’t control them from the inside to make them do nefarious things. They “just” rendered them inoperable. So, we can all take solace in the probability that if a hacker ever takes over, traffic lights will only go out. We don’t have to worry about them all turning green.
An emergency data dump wouldn’t go to only one server in one location.

Or, I certainly hope not.

As I said in my introduction, the taking over of a nation’s computer systems was only a diversion. When this happened, all of the nations banks, financial institutions, trading accounts, etc, started downloading of all of its data into a data center located in Maryland (I think). This computer data center was supposedly the Social Security Administration, but in reality it was designed to be a redundant backup in the case that a real emergency happened. Of course, this emergency did happen, and the bad guy is the one who designed it that way. Thus, his goal was to create an emergency, trigger this data download into the servers, and then walk away with all of the money (or delete it, sending America back to the Stone Age).

Okay, I won’t get into all of the problems, but let me say this – if this guy was so brilliant, then his design has a flaw. If you really were going to do this, you wouldn’t download all of the data into one location. You would download it into two locations. Remember, this is absolutely critical information and losing it would be disastrous. Therefore, you’d have a backup. That’s so obvious that a designer has to know that. What you would probably do is download it to two separate (redundant) servers in the same data center, and then do the same thing in another geographically separate data center. That way you have double-redundancy for a set of data that is so important. Clearly, this bad guy can’t be that smart if he designed it to have one backup. What a doofus. No wonder he got fired.

I could probably name more problems, but this will do. But like I said, this movie isn’t real life, it’s entertainment. It’s not supposed to be realistic. And for what it was worth, it was a good ride. I liked it.

Yippie-ay-yo-kay-yay!

Silent Noise: Twitter hacks and cleanseprox - a quickie

2009-10-29T22:21:31+00:00

Just a quick one regarding todays hacking of Twitter accounts.

The links given by the tweets from the compromised accounts seems to take this route (there may of course be others):

http://qwecvgfjk.info/ (206.71.62.157)
http://www.onlyfreeoffersonline.com/redir.aspx?CID=27453&AFID=39261&DID=119273 (67.208.131.230)
http://www.cleancoloncleanse.com/ (204.244.66.117)

Which makes me think of "affiliate" spam. With the aid of hacking.
Well, the company behind will of course use the affiliate excuse. But who really believes them?

Box Of Meat: Washington Post Security Fix: PhoneSnoop app bugs BlackBerrys

2009-10-29T21:22:48+00:00

Washington Post Security Fix: PhoneSnoop app bugs BlackBerrys:

“…a spyware program that allows attackers to turn a target’s handset into a microphone that can be accessed remotely.”

Sophos Blog (Spam Category): Look and feel great! Try this pill (Or how to make your wallet lighter?)

2009-10-29T17:11:11+00:00

Another Twitter direct message (DM) scam was happening today, but apparently this time the hook was to prey on users’ vanity. Several messages were seen with the following text:

“I lost 25lbs using this ”
“whoa this works. i feel good and look good ”
“lol it’s amazing. look and feel great with ”

When a user clicked on the link, it redirected you to this site:

All you had to do to get your “free” bottle was fill out your name, address, phone number and email. However, once you submitted that, you then get to the screen to input your billing information and input your credit card details. Why do you need to input credit card details for something that’s free? With all that information, the cybercrooks have more than enough info to commit identity theft and fraud on your card. They have your name, address, card info and you’ve even confirmed that the address you gave is the billing address too.

At the risk of sounding preachy, these pills never work. They only thing that gets “slimmer” is your wallet.

All Spammed Up: Geocities Shutdown Closes Door on Spammers

2009-10-29T15:20:39+00:00

This week Yahoo! permanently closed down its venerable Geocities service. This move ended one of the internet’s longest standing free web site hosting services and one of the most frustrating spam problems of more recent years.

Geocities became popular in the last 1990s as a free and easy way for people to publish web sites about their businesses and hobbies. Although in recent years it stood as a monument to horrible website design in its prime it was one of the most visited sites on the internet.

After a takeover by Yahoo! in 1999 the website began a slow but steady decline due to various changes by the new owner. However one demographic that remained strong on Geocities was spammers.

The attractiveness of Geocities for spammers came down to a few key elements:

Geocities.com was a trusted and recognizable domain name to normal internet users
As a Yahoo! property it was unlikely that the various Geocities domain names would be blocked by anti-spam product vendors
Geocities permitted JavaScript on the web pages it hosted

User Trust and Social Engineering

A social engineering attack is one in which the attacker convinces the victim to perform a certain task. These attacks involve establishing the appearance of legitimacy and trustworthiness in the eyes of the victim.

For a spammer who wants to convince a person to click on a link in an email the Geocities.com domain name was a perfect way to gain the trust of the victim because it was highly likely the person would recognize it as a place for legitimate web sites.

Free Services and Combating Abuse

As most internet security experts will attest, if there is a free service available on the web then spammers will abuse it. The problem with this is that many free services are hosted by large, trustworthy internet companies and have millions of users.This presents security vendors with an obvious dilemma – the service is being exploited by spammers and should be blocked, however the service is also heavily used by legitimate users and so blocking it would likely cause customers some pain.

JavaScript Redirection

JavaScript is a web programming language commonly used on web sites all over the internet. JavaScript has many useful applications but like all useful things can also be used maliciously.

Although JavaScript redirection in itself is not malicious, it is obviously able to be used in that way to redirect users from one seemingly harmless URL to another one that a spammer wants people to visit.

Geocities Was Perfect for Spammers

When you combine all of the above three elements it is not hard to see why Geocities was perfect for spammers.

A spammer could start a new Geocities web site, add the JavaScript code to redirect visitors to their real web site, and then blast out millions of spam messages with the Geocities URL to try and trick people into clicking the links.

The Geocities shutdown is a minor relief for security vendors and professionals. Unfortunately it was only one of hundreds of similar sites that still remain today.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Geocities Shutdown Closes Door on Spammers

Box Of Meat: Federal Computer Week: Government to build $1.5B cybersecurity data center

2009-10-29T15:04:08+00:00

Federal Computer Week: Government to build $1.5B cybersecurity data center:

“The federal government will spend an estimated $1.5 billion to build a new data center in Utah to support intelligence and defense agencies’ cybersecurity programs….”

Enemieslist: new pats posted - 20091029 (maintenance pats release)

2009-10-29T14:01:08+00:00

44721 patterns, 11495 right anchor strings, 187374 test IPs.

Some more contribs and updates. There were several interim releases on
10/28; I'll continue to do this and only mention major releases from now
on. Eventually, we will move to a more automated publishing model and
I'll have to figure out whether anyone finds these notices useful or if
I will just stop doing them altogether.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091029

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091029

Ed Falk: Beware of "password reset" emails

2009-10-29T13:21:24+00:00

I've been getting a lot of these lately, and I suspect everybody else is too. Typically, you get an email from Facebook or some other social networking site telling you that your password has been reset, and please unpack the enclosed .zip file if you want to do something about it.

Obviously, this is just a very crude attempt at propagating a virus, and I know that nobody reading this would be foolish enough to open it, but please pass the word to your more gullible friends and relatives.

Update: ZDNet is reporting that the Facebook-specific spam is coming from the Bredolab botnet.

Update: Brian Krebs at Security Fix is reporting that the fake FDIC emails telling you your bank has failed are coming from the Zeus/Zbot password-stealing Trojan.

John Graham-Cumming: Der Geek Atlas

2009-10-29T11:03:40+00:00

The Geek Atlas ist jetzt auch in Deutsch.

Kaufen Sie es hier.

Die lebendige Geschichte der Wissenschaften ist überall um uns herum, man muss nur wissen, wo man hinschauen muss. Mit diesem einzigartigen Reiseführer kann man 128 Orte auf der Welt kennen lernen, die für bedeutsame Ereignisse in Wissenschaft und Technik stehen. Erlebe das Foucaultsches Pendel, das in Paris schwingt; erfahre Interessantes über das größste Wissenschaftsmuseum der Welt, das "Deutsche Museum" in München; besuche einen Ableger des Newtons Apfelbaums am Trinity College in Cambridge und vieles, vieles mehr...

Jeder Ort in Der Geek-Atlas stellt eine außerordentliche Entdeckung oder Erfindung in den Mittelpunkt und befasst sich darüber hinaus auch mit den Menschen und Geschichten, die hinter diesen Erfindungen stehen. Alle Orte werden mit interessanten Fotos vorgestellt und die Themen mit zahlreichen Zeichnungen illustriert. Das Buch ist nach Ländern aufgeteilt, für alle interessanten Orte werden auch -- neben nützlichen Tourismusinformationen -- die genauen GPS-Daten aufgeführt.

Eine kleine Auswahl der interessanten Orte: * Bletchley Park in Großbritannien, wo der Enigma-Code geknackt wurde * die Alan-Turing-Gedenkstätte in Manchester * die Hornantenne in New Jersey, wo die Big-Bang-Theorie bestätigt wurde * das National Cryptologic Museum in Fort Meade in Maryland (USA) * die Trinity Test Site in New Mexico, wo die erste Atombombe gezündet wurde * das National Museum of Scotland in Edinburgh, wo das Schaf Dolly ausgestopft ausgestellt wird Jeder Ort, der im Der Geek-Atlas vorgestellt wird, hat einen besonderen mathematischen, technischen oder wissenschaftlichen Hintergrund. Orte, die das Geek-Herz schneller schlagen lassen.

Spamresource.com: Judge rejects TD Ameritrade breach settlement

2009-10-29T09:34:50+00:00

In early 2007, Ed Falk, John Levine, and other trusted anti-spam and network security folks started to note that email addresses given only to TD Ameritrade were beginning to receive spam from unrelated entities.

In September 2007, TD Ameritrade disclosed that this was due to intruders breaking into a database that contained sensitive customer information (including email addresses) and that more than six million customers may have been leaked to bad guys. Oops. Even worse, other sources suggest that the issue may have been ongoing back as far as 2005 or 2006.

Yesterday, Tech Target published an update on the story. "A federal judge has denied a proposed settlement of a class-action suit filed against TD Ameritrade Inc. for a 2007 data security breach that exposed its customers' personal information." The reason for the rejection? The judge seems to be saying that the proposed settlement terms, specifically that the company wasn't doing enough on the security and auditing front.

"[The proposed] measures are security procedures any reputable company would conduct and don't benefit those affected by the breach, Walker said in a court filing Friday." Try harder, he seems to be saying.

Read the rest of the article here.

Box Of Meat: DarkReading: Nearly 6 Million Infected Web Pages Across 640K Compromised Sites

2009-10-28T21:56:47+00:00

DarkReading: Nearly 6 Million Infected Web Pages Across 640K Compromised Sites:

“Among newly compromised Websites of 10 pages or more, nearly 20 percent of their pages were infected. The bad guys have been infecting more pages as a way to score more victims.”

(640K should be enough for anybody.)

Box Of Meat: PC World: Internet Phone Systems Become the Fraudster's Tool

2009-10-28T20:56:46+00:00

PC World: Internet Phone Systems Become the Fraudster's Tool:

“Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.”

Box Of Meat: Joho the Blog: Elizabeth Goodman on walled gardens

2009-10-28T19:56:47+00:00

Joho the Blog: Elizabeth Goodman on walled gardens:

“…walled gardens originally were created not to keep people [out, but] to create a microclimate.”

Box Of Meat: Wired GeekDad: The First E-Mail Address: Raising an Internet-Savvy Child

2009-10-28T18:56:49+00:00

Wired GeekDad: The First E-Mail Address: Raising an Internet-Savvy Child:

“…when setting up e-mail addresses for your kids, you should work off the assumption that this will become a primary form of communication they will use for the near future and should be approached with that level of importance.”

Sophos Blog (Spam Category): Are you old enough to watch this?

2009-10-28T18:23:10+00:00

I was watching some of the activity on Twitter today and noticed a really some really odd tweets. It was only one, every couple hours and while the text “Haha, look at this vid” didn’t change, the link did. It seemed worth checking out.

I followed the link and it went to a fake YouTube page with the following text.

“This video or group may contain content that is inappropriate for some users, as flagged by YouTube’s user community. To view this video or group, please verify you are 18 or older with your cell phone”

Huh?

How does that prove anything to do with your age? I know parents who have given their young children cell phones. I’m guessing this is a great scam to get legitimate phone numbers for those “market affiliates” that call to try to sell you “long term auto insurance” and other such scams.

Definitely more tricks than treats today on Twitter.

Sophos Blog (Spam Category): No, it’s not you on there

2009-10-28T18:15:17+00:00

Twitter users should be especially careful this morning as there’s a new Twitter phish campaign going on. The message that is being seen is using a known tactic where it tries to trick the user into believing there’s some content on the internet about them, whether it be a photo or a video, and tricks them to browse to the link to find out what it is. Similar tactics have been seen in messages on Facebook and even via email. The message simply states the following.

“hi. this you on here? http://blogger.djh****.com”

The good news is if you do a search on Twitter, you’ll have a hard time finding an example of the original message since there’s an overwhelming number of people tweeting to their friends warning them about this campaign. Slowly but surely, people are learning to be more cautious.

Terry Zink: The evolving MAAWG

2009-10-28T17:30:11+00:00

MAAWG is an organization that started up in response to the spam problem. Its official name is the Messaging Anti-Abuse Working Group, and they are meeting this week in Philadelphia to discuss all things abusive. I didn’t go this time around, but maybe in the future I will secure my attendance. DarkReading has an interesting article on the proceedings that you may wish to check out. An excerpt:

"Email [abuse] will remain substantial," says Michael O'Reirdan, chairman of MAAWG and distinguished engineer in national engineering and technical operations at a major U.S. ISP. Even so, O'Reirdan says he'd like for MAAWG to change its name to more than a messaging title to better reflect the evolving threats to ISPs and their users. [tzink: emphasis mine]

Other MAAWG members, such as Cisco, note that malware distribution via email has become less of a threat in developed countries. "Email as a malware distribution [vector] is somewhat dead except in emerging economies," says Henry Stern, senior security researcher for Cisco's IronPort team. G-20 countries are now sending anywhere from 20 to 40 percent less spam this year than last, he says.

That's, in turn, pushing spamming botnets out of the U.S. to lesser-developed countries with emerging broadband infrastructures. "It's more lucrative for them to go outside the U.S. There's a migration away from old email spam here" and to other methods, such as attacks on social networks, for instance, says Patrick Peterson, a Cisco fellow.

Indeed, over the past year, the threat landscape has changed and shifted in various fashions. The spam problem is not going away anytime soon. People will continue to spam, ad nauseum, forever. However, it is not the growth industry it once was. I liken spam to the railroad industry. Back in the 1800’s and 1900’s, railroads were the new and emerging transportation mechanism. They were growing by leaps and bounds and revolutionized domestic trade (in the United States) and international trade (in Europe). Trains could travel to places that boats could not. Nowadays, we don’t really see a lot of railway expansion. It’s an established industry. There is certainly plenty of maintenance but there are other ways to get goods around – by automobile or by plane. That being said, rails are not going away. They are a very efficient distribution mechanism of transporting lots of goods, such as grain, steel, automobiles or passengers. It is an entrenched part of our economy. But it is not the growth industry of today.

In a similar way, spam is not a major growth industry. It is harder for spam to get by filters and the spamming is done by more elite spammers. That does not mean that cyber-abuse has gone away, however. There are other attack vectors that have crept up over the past couple of years:

Rogue antivirus
Black search engine optimization (getting spammy webpages to the top of web queries)
Hijacking of free web creation tools (like Blogspot or Live Spaces)
Fast flux
Social networking abuse
Cyber riots in the form of DOS attacks against countries or services (like Twitter)

So you see, there’s a big chunk other than just spam. Botnets are behind most of it, but they are a distribution vector for accomplish all of the above in addition to spamming. To say it is only Messaging Anti-Abuse is too narrow in scope. It is a natural progression to widen one’s view when the nature of the threat changes.

A couple of years ago, I attended the CEAS – the Conference on Email and Antispam. They have since changed their name to the Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEMAAS?). It’s catching in other places, so why not MAAWG? For every new communication medium, there will be someone who will attempt to take advantage of it and abuse it, and eventually organizations like MAAWG will have to figure out how to fix that one, too. That’s simply the way it is.