<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">

<channel>
	<title>Planet Antispam</title>
	<link>http://planet.spam.abuse.net/</link>
	<language>en</language>
	<description>Planet Antispam - http://planet.spam.abuse.net/</description>

<item>
	<title>All Spammed Up: Top 10 Zeus Campaigns</title>
	<guid>http://www.allspammedup.com/?p=2989</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/5mNhgXCeffs/</link>
	<description>
&lt;p&gt;Here’s a look at the Zeus botnet’s top spam campaigns: &lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2009/06/spam.bmp&quot;&gt;&lt;img class=&quot;alignright size-full wp-image-1151&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2009/06/spam.bmp&quot; alt=&quot;&quot; width=&quot;259&quot; height=&quot;194&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;An unauthorized transaction billed to your bank account-&lt;/strong&gt; Although most people should know that if their bank spots a fraudulent transaction they will call you or send you a letter - not email you, this subject line is alarming enough to get some people to open it and wind up getting phished or infected with malware.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DHL Tracking number #######-&lt;/strong&gt; This is one of the oldest campaigns. A variation uses UPS instead of DHL, but in both cases the included attachment has a hidden executable that contains malware.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;FDIC has officially named your bank failed bank-&lt;/strong&gt; An obvious attempt to exploit the economic crisis. Too bad the horrible grammar gives it away.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hello-&lt;/strong&gt; This is why it’s often advised not to send emails this way. Many spam filters flag messages with “Hello” or “Hi” as the subject because of campaigns like this.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Notice of Underreported Incomeir-&lt;/strong&gt; The glaring misspelling gives this away as spam right away.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Review your annual Social Security statement-&lt;/strong&gt; This has been around for a while as well. The scammers are hoping there are still folks out there who don’t know that the SSA sends out your statement via postal mail about 6 months before your birthday each year.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Welcome to Friendster-&lt;/strong&gt; An obvious attempt to exploit a brand. Unfortunately for them Friendster isn’t quite as popular as it used to be.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;You have received a file from (email) via YouSendIt.-&lt;/strong&gt; This campaign is banking on people’s natural curiosity to be piqued enough to open it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Your Flight Ticket #####- &lt;/strong&gt;Delta was one of the more recent airlines to be exploited by this campaign. The scammers are hoping that when someone gets the fake ticket and cheery note informing them that their credit card has been charged over $800 that they’ll be upset enough to not think first and open the attached paperwork, which delivers a Trojan.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Your Order with Amazon.com-&lt;/strong&gt; This is a blatant phishing campaign. Every link in the fake notification leads to a fake Amazon login page. It’s pretty easy to spot though because the total amount due, which is listed twice, is always two different amounts and there is plenty of broken English as well.&lt;/li&gt;
&lt;/ol&gt;
</description>
	<pubDate>Thu, 02 Sep 2010 14:49:11 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): FakeAV, now with sounds</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10866</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10866</link>
	<description>&lt;p&gt;Recently, creators of Fake Anti Virus software have been getting quite creative and somewhat &amp;#8220;professional&amp;#8221; in designing the look and feel of their fake software.&lt;/p&gt;
&lt;p&gt;Today I came across one with sounds.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/4.jpg&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-10893&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/4.jpg&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;439&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/11.jpg&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-10901&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/11.jpg&quot; alt=&quot;&quot; width=&quot;400&quot; height=&quot;380&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Whenever the malware does a fake scan and finds something wrong with the user’s computer, a lady&amp;#8217;s voice (in typical GPS style, I might add) booms out &amp;#8220;New virus found!!&amp;#8221;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/3.jpg&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-10892&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/3.jpg&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;440&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;If that&amp;#8217;s not irritating enough, you get to hear her sweet voice again when she pesters you to &amp;#8220;Please activate your Antivirus software&amp;#8221;.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/2.jpg&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-10891&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/09/2.jpg&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;481&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;But don&amp;#8217;t let her melodious voice fool you; she&amp;#8217;s certainly out to get you.&lt;/p&gt;
&lt;p&gt;Sophos detects this piece of malware as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/malfakeavei.html&quot;&gt;Mal/FakeAV-EI&lt;/a&gt;.&lt;/p&gt;</description>
	<pubDate>Thu, 02 Sep 2010 05:17:23 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Seth's Blog: The corporate conscience</title>
	<guid>http://boxofmeat.net/post/1048372014</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/gEpPdJurH-w/1048372014</link>
	<description>&lt;a href=&quot;http://sethgodin.typepad.com/seths_blog/2010/08/the-corporate-conscience.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+typepad%2Fsethsmainblog+%28Seth%27s+Blog%29&quot;&gt;Seth's Blog: The corporate conscience&lt;/a&gt;: &lt;p&gt;‘Corporations don’t have a conscience, people do.&lt;/p&gt;
&lt;p&gt;That means that every time you say, “It’s just my job,” or “My  department has a policy,” or “All I do is work here,” what you’ve done  is abdicated responsibility—to no one.’&lt;/p&gt;</description>
	<pubDate>Wed, 01 Sep 2010 16:00:59 +0000</pubDate>
</item>
<item>
	<title>John R. Levine: ARF is now an IETF standard</title>
	<guid>http://weblog.johnlevine.com/2010/09/01#arfstd</guid>
	<link>http://weblog.johnlevine.com/2010/09/01#arfstd</link>
	<description>&lt;p&gt;When a user of a large mail system such as AOL, Yahoo, or Hotmail reports
a message as junk or spam, one of the things the system does is to look
at the source of the message and see if the source is one that has a
feedback loop (FBL) agreement with the mail system.  If so, it sends a
copy of the message back to the source, so they can take appropriate
action, for some version of appropriate.
For several years, ARF, Abuse Reporting Format, has been the de-facto
standard form that large mail systems use to exchange FBL reports about
user mail complaints.&lt;/p&gt;

&lt;p&gt;Until now, the only documentation for ARF was a draft spec 
originally written by Yakov Shafranovich in 2005, and occasionally updated
originally by him and later by other people including myself.
Earlier this year, the IETF chartered a working group called MARF which
took that draft, brought the references up to date, stripped out a lot
of options that seemed useful five years ago but in practice
nobody ever used, and this week it was finally published
as &lt;a href=&quot;http://www.rfc-editor.org/rfc/rfc5965.txt&quot;&gt;RFC 5965&lt;/a&gt;.
&lt;/p&gt;

&lt;p&gt;ARF (or now MARF) is quite simple, a version of the existing Multipart/Report
message format that includes information about the report, such as the
address of the recipient, descriptive text for a human reader, and 
a copy of the offending message.
Having a standard format for reports, simple though it is,
makes them much easier to process.
For my tiny system, for example, nearly all of the trickle of reports are
about mailing list messages.  When a FBL report arrives, an automated
script looks at the report and the message, and in the usual case that it's
from a mailing list, it creates an unsubscribe request to remove the
person from the list.
Otherwise, it passes the message along to the human manager so I can decide
what, if anything, to do about it.
Larger mail systems also use them to collect statistics about their
mail-sending customers.&lt;/p&gt;

&lt;p&gt;The IETF process works particularly well when it standardizes existing
practice, and ARF/MARF is an excellent example of that.
The differences between the earlier drafts and the final version make it
clearer and more precise, and it's now a proper standard we can cite:&lt;/p&gt;

&lt;p&gt;&lt;i&gt;Abuse Reporting Format! Ask for it by name: RFC 5965!&lt;/i&gt;&lt;/p&gt;</description>
	<pubDate>Wed, 01 Sep 2010 15:11:02 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: DarkReading: Major Disruption of Pushdo Botnet Wasn't The Original Goal</title>
	<guid>http://boxofmeat.net/post/1048149909</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/Yhc9RMUMel0/1048149909</link>
	<description>&lt;a href=&quot;http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=227101751&amp;cid=RSSfeed&quot;&gt;DarkReading: Major Disruption of Pushdo Botnet Wasn't The Original Goal&lt;/a&gt;: &lt;p&gt;&lt;span class=&quot;smalltext&quot;&gt;“The researchers who successfully shut down much  of the Pushdo botnet’s infrastructure last week didn’t go in planning to  take down a large chunk of the botnet — that was a secondary but major  byproduct of some related botnet research they were conducting.”&lt;/span&gt;&lt;/p&gt;</description>
	<pubDate>Wed, 01 Sep 2010 14:57:04 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: KISSmetrics Marketing Blog: An Open Letter to Marketers Who Abuse Social Media for Selfish Gain</title>
	<guid>http://boxofmeat.net/post/1047934289</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/BsxabZbP2t0/1047934289</link>
	<description>&lt;a href=&quot;http://blog.kissmetrics.com/social-media-abuse/&quot;&gt;KISSmetrics Marketing Blog: An Open Letter to Marketers Who Abuse Social Media for Selfish Gain&lt;/a&gt;: &lt;p&gt;“We’re not going to give you another self-righteous argument about how  you can’t make money with social media. We’re not going to sermonize  about the pitfalls of sleazy marketing. We’re not going to tell you  you’re ruining opportunities for all of the other marketers out there  who are trying to do things the right way.&lt;/p&gt;
&lt;p&gt;You’ve probably heard enough of that, and it doesn’t matter anyway.&lt;/p&gt;
&lt;p&gt;No, the honest truth is that it’s just a bad business strategy, and  eventually you’re going to get burned.”&lt;/p&gt;</description>
	<pubDate>Wed, 01 Sep 2010 14:00:44 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: ARF: Now a Proposed Standard</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-6259955726418532434</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/VwATauy2rrE/arf-now-proposed-standard.html</link>
	<description>&lt;a href=&quot;http://wordtothewise.com/resources/arf.html&quot;&gt;ARF (Abuse Reporting Format)&lt;/a&gt;, a simple specification that enables senders of email abuse reports (like, spam complaints and feedback loop reports, for example) to easily and appropriately encapsulate those reports in a way that ensures the receiving site will have all the information it needs to properly parse the report and identify the responsible party or process.&lt;br /&gt;
&lt;br /&gt;
ARF was already on track to become a standard, as multiple ISPs' feedback loops were already in ARF format. Now, that process has taken a more formal step forward, as RFC5965 was just published by the IETF: &lt;a href=&quot;http://www.rfc-editor.org/rfc/rfc5965.txt&quot;&gt;An Extensible Format for Email Feedback Reports&lt;/a&gt;.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;&lt;/div&gt;</description>
	<pubDate>Wed, 01 Sep 2010 09:34:00 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Some Reasons to Consider Hosted Spam Filtering</title>
	<guid>http://www.allspammedup.com/?p=2986</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/jE2l94zjn5w/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/Clouds.png&quot;&gt;&lt;img class=&quot;alignright size-full wp-image-2994&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/Clouds.png&quot; alt=&quot;&quot; width=&quot;200&quot; height=&quot;250&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You might have been considering implementing a hosted spam filtering solution such as &lt;a target=&quot;_blank&quot; href=&quot;http://www.gfi.com/spam-filtering-service&quot;&gt;GFI&amp;#8217;s Max MailEdge&lt;/a&gt; service, but are unclear as to how it works, and what repercussions it might have on your existing IT infrastructure.&lt;/p&gt;
&lt;p&gt;Simply put, the majority of hosted or cloud-based spam filtering works by redirecting incoming e-mails directly to the appointed service provider instead.  This is achieved by appropriately modifying the IP address listed under the MX configuration of the company&amp;#8217;s domain. As a result, e-mails that come in are forwarded to the service provider&amp;#8217;s servers first, before being rerouted to the &amp;#8220;real&amp;#8221; e-mail server.&lt;/p&gt;
&lt;p&gt;Today, I&amp;#8217;ve listed some important factors of a hosted spam filtering deployment that the technical manager will be interested in.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Freedom from the burden of processing spam&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;One of the key advantages of using a hosted provider to tackle spam is how it allows businesses to offload the computational and storage demands of eliminating spam to a service provider.  Unlike the hard to predict costs of operating and maintaining servers over any length of time, hosted spam filtering providers charge a fixed rate per protected mailbox, which serves to eliminate hidden or unanticipated costs.  Ultimately, this allows businesses to better track and budget for the cost of properly equipping each employee in the company.&lt;/p&gt;
&lt;p&gt;&lt;span id=&quot;more-2986&quot;&gt;&lt;/span&gt;&lt;strong&gt;Bandwidth and DDOS protection&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;One facet that is usually missed out in a hosted spam filtering deployment is the greatly reduced bandwidth required for the e-mail server.  Assuming the company e-mail server is hosted in a data centre, this translates into direct savings on the billable bandwidth since only e-mails that have been cleaned are forwarded to the mail server.  This reduction in network traffic is true even in servers deployed on the local area network and which will be evidenced by faster Internet connectivity in the office.&lt;/p&gt;
&lt;p&gt;In addition, the use of a hosted spam filtering service also grants an implicit defence against denial of service attacks that are propagated against the e-mail domain.  Obviously, this does not stop a malicious hacker or entity from directly targeting your e-mail server&amp;#8217;s IP address.  It does however form an additional layer of defence against DDOS, and should be more than adequate against casual or widely targeted spamming.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Platform Neutrality&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;One of the greatest advantages of a hosted spam filtering service is its platform neutral nature. All messaging systems are supported by default, ranging from Microsoft Exchange, Lotus Notes, to standard POP or IMAP servers.  This includes more sophisticated deployments involving BES implementations of BlackBerry smartphones or Exchange Sync clients like the iPhone.&lt;/p&gt;
&lt;p&gt;The only real prerequisite to use hosted spam filtering is that the protected e-mail address must belong to a company-owned and managed domain, in order to allow the MX configuration to be modified accordingly.  E-mails flowing in will be automatically forwarded to the service provider, which will eventually route processed e-mails back to the correct e-mail server.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Ease of deployment&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;All it takes is a signed service contract and the appropriate modification of MX records to enable hosted spam filtering, making it a trivial matter to implement.  The reverse is true of a self-deployed solution; companies usually have to either acquire physical servers (or provision virtual ones), purchase the correct number of client access licenses, followed by the installation and configuration of the appropriate spam filtering software.  And I&amp;#8217;ve not even got started about setting up the appropriate level of failover redundancy or the training and lead time required of the technical staffers running it on a day-to-day basis.&lt;/p&gt;
&lt;p&gt;On the other hand, hosted spam filtering can be implemented without extraneous training for already overwhelmed IT managers or system administrators.  In fact, the correct information and authorization to modify the MX records could even allow service providers to set up and enable their service &amp;#8211; remotely.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Flexible and versatile&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Finally, the nature of hosted spam filtering allows for great flexibility and versatility in how it is deployed.  For example, users can conceivably &amp;#8220;stack&amp;#8221; multiple providers in a chain, or opt to channel e-mails through another server (or service provider) for archival first, or even reroute new e-mails to a different server for the purpose of rolling out a new e-mail server.  The list goes on.&lt;/p&gt;
&lt;p&gt;This clean separation between the various components of your e-mail subsystem means there is no need for corporations to be concerned about operating system security patches or updates to the spam filtering software inadvertently &amp;#8220;breaking&amp;#8221; any part of your precious e-mail infrastructure.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Of course, while the controls and spam filters afforded by the hosted spam filtering services are generally excellent, there are also advantages to running a self-deployed spam filtering server as well. Next week, I shall be looking at some of the features that an IT manager will want to look for in a self-deployed system, so stay tuned!&lt;/p&gt;
</description>
	<pubDate>Tue, 31 Aug 2010 14:44:31 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Stupid Search-Trick Watch: Content Thieves Strike!</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-2057529913730145581</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/Jie9iRLGun8/stupid-search-trick-watch-content.html</link>
	<description>Here's &lt;a href=&quot;http://www.magillreport.com/Stupid-Search-Trick-Watch-Content-Thieves-Strike/&quot;&gt;Ken Magill's take&lt;/a&gt; on Co-RegData.com theft of my blog content.&lt;br /&gt;
&lt;br /&gt;
&lt;span&gt;(xx301yz89901112aaaah33q3q3qbw)&lt;/span&gt;</description>
	<pubDate>Tue, 31 Aug 2010 14:51:19 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Stopping the flow of online illegal pharmaceuticals</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/30/stopping-the-flow-of-online-pharmaceuticals.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/30/stopping-the-flow-of-online-pharmaceuticals.aspx</link>
	<description>&lt;p&gt;Reading through Brian Krebs’s blog last week, he has an interesting &lt;a href=&quot;http://feedproxy.google.com/~r/KrebsOnSecurity/~3/sqak_4H12_I/&quot;&gt;post&lt;/a&gt; up on the White House’s call upon the industry on how to formulate a plan to stem the flow of illegal pharmaceuticals:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications.&lt;/p&gt;    &lt;p&gt;The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement &lt;strong&gt;Andrew J. Klein&lt;/strong&gt;, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including &lt;strong&gt;Victoria Espinel&lt;/strong&gt;, the Obama administration’s intellectual property enforcement coordinator.&lt;/p&gt;    &lt;p&gt;“The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line,” the invitation states.&lt;/p&gt;    &lt;p&gt;Klein did not return calls seeking more information. A spokeswoman for the White House Office of Management and Budget confirmed the event, but declined to offer further details. 
The meeting appears to be a continuation of the administration’s Joint Strategic Plan on Intellectual Property Enforcement, an initiative unveiled in June that promised to “address unlawful activity on the internet, such as illegal downloading and illegal internet pharmacies.”&lt;/p&gt;    &lt;p&gt;According to the &lt;strong&gt;World Health Organization&lt;/strong&gt;, approximately 8 percent of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard, and 10 percent of global pharmaceutical commerce — or $21 billion — involves counterfeit drugs. &lt;strong&gt;LegitScript.com&lt;/strong&gt;, a verification service for online pharmacies, is currently tracking more than 45,000 rogue Internet pharmacies.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;It is unclear to me whether or not the goal of this initiative is to stem the flow of online crime in general or to reduce the flow of illegal pharmaceuticals flowing into the United States (since presumably this cuts into the profits of large pharmaceutical companies… who would naturally want to see their profit margins increased in return for pledging their support for health care reform that was passed earlier this year).&amp;#160; Assuming that the target of this is the online pharmaceuticals, there are a few things I can think of.&amp;#160; Unfortunately, a three hour meeting really isn’t enough to get this off the ground because it is a series of interconnected events that would need to take place.&amp;#160; Anyhow, here’s a list of things I’d do:   &lt;br /&gt;&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;&lt;strong&gt;Stopping illegal pharmaceuticals piggy-backs onto stopping illegal &amp;lt;anything&amp;gt; on the ‘net.&amp;#160; &lt;/strong&gt;Spammers who advertise illegal software, or fake degrees, or fake enlargement pills, or fake mortgages are all basically doing the same thing.&amp;#160; So, any strategy that is aimed at stopping those other things will extend to stopping fake pharmas as 
well.&amp;#160; My point here is that concentrating only on fake pharmaceuticals may exclude strategies that scale to others.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Registrars need to get their act in gear.&lt;/strong&gt;&amp;#160; When a website advertising cheap Viagra goes up, somebody somewhere needs to register that site.&amp;#160; Whoever registers it needs to do a better job of verifying the identity of whoever registered it.&amp;#160; The problem here is that so many of these sites are registered by registrars in foreign countries which are outside the jurisdiction of the US.&amp;#160; However, just like in the Wizard of Oz, there’s no place like home and the government can pressure domestic ones to do better proactive abuse mitigation.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;WHOIS protected services are questionable.&lt;/strong&gt;&amp;#160; I don’t deny the need for WHOIS-protected services in some cases.&amp;#160; However, any time I am looking up a suspicious site and the WHOIS registration is protected, that’s pretty much all I need to make the determination that the site is abusive.&amp;#160; It doesn’t cost much to shield your WHOIS information.&amp;#160; If you want to do it, that’s fine but there should probably be a stricter set of criteria for shielding your information like this, requiring you to jump through a couple more manual hoops.      
&lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Crackdowns on spammers will go a long ways.&lt;/strong&gt;&amp;#160; One of the chief mechanisms of advertising illegal pharmaceuticals is through the use of spam.&amp;#160; We all get it in our inboxes.&amp;#160; Of course, there are other avenues of advertisement such as black search engine optimization.&amp;#160; However, because it is not particularly difficult to send out a lot of spam and make money off of it, and because there is little chance of repercussion, spammers continue to do it.&amp;#160; If law enforcement had more resources dedicated to prosecuting spammers such that it became more de-incentivized, then the supply part of the equation would start to dry up.&amp;#160; In other words, putting spammers in prison will help in this regard, and this requires a prioritization of law enforcement resources.&amp;#160; Whether or not they are willing to divert resources from one area of law enforcement to another is an open question.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Perhaps walled gardens are a good idea. 
&lt;/strong&gt; In Australia, some ISPs kick infected computers off of their network if the ISP can detect that the machine connecting to it is infected with malware.&amp;#160; Or, they redirect them to a sandbox and alert the user that they cannot continue until they clean their system.&amp;#160; If more ISPs made this a policy, then maybe we’d have less malware abuse flowing back and forth in cyber space.&amp;#160; I don’t think I’d want government to enforce this, but perhaps ISPs might be willing to voluntarily comply with this.&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;This is a small list of things that could be done but it is by no means exhaustive.&amp;#160; Running up-to-date software is a good idea, and so is running the latest patched version of one’s software.&amp;#160; What other ideas do you have to cut down on the flow of illegal online pharmaceuticals?&lt;/p&gt;</description>
	<pubDate>Tue, 31 Aug 2010 04:14:10 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Encryption with no separate external key</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10820</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10820</link>
	<description>&lt;p&gt;Most typical modern malware variants tend to hide critical parts of their functionality (strings, URLs/IPs of its dodgy servers, etc.) using some form of encryption. In most cases only trivial algorithms are used. However, these suffice as the intention is usually not to create unbreakable encryption, but merely to obscure their malicious intent from anti-virus engines.&lt;/p&gt;
&lt;p&gt;Although some authors choose to cloak their malware in complete paranoia, such as the ZBot family that encrypts everything with an industry-standard &lt;a href=&quot;http://en.wikipedia.org/wiki/RC4&quot;&gt;RC4&lt;/a&gt; implementation with enormously long keys, typically, you would not find anything more serious (such as &lt;a href=&quot;http://en.wikipedia.org/wiki/AES&quot;&gt;AES&lt;/a&gt;, or &lt;a href=&quot;http://en.wikipedia.org/wiki/BlowFish&quot;&gt;BlowFish&lt;/a&gt;) even in the most complex of polymorphic viruses.&lt;/p&gt;
&lt;p&gt;By far the most common method of string encryption is to use an XOR operation with a key. A big appeal of this technique is that the same simple operation performs both the encryption and the subsequent decryption of the data, i.e.: E[i] = (E[i] Xor Key) Xor Key. &lt;/p&gt;
&lt;p&gt;But sometimes it is not just simple, it's even more than simple - where there is no need for ANY decryption key to decrypt data! &lt;/p&gt;
&lt;p&gt;While analyzing one of the recent samples, I found a very curious encrypted string (hexadecimal representation):&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;67 02 11 17 0C 01 08 0F 0E 49 5E 18 18&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;In the line above there is one single encrypted string. You don&amp;#8217;t need any additional key to decrypt it - it is all available using a very simple algorithm. The decrypted string is:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;67 65 74 63 6F 6E 66 69 67 2E 70 68 70  ; getconfig.php&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;To recover the original string, each byte is decoded by XORing it with the previous decoded byte (the first byte is not encrypted); so:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;0x67 xor 0x02 = 0x65 (&quot;e&quot;), 0x65 xor 0x11 = 0x74 (&quot;t&quot;), &amp;#8230;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Brilliantly simple although this will not hamper Sophos detecting it (&lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentofc.html&quot;&gt;Troj/Agent-OFC&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;PS: Other strings from this malware that use this encryption technique include:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&amp;amp;hddsz=%I64x&lt;br /&gt;
ntd11.dll  ; (sic)&lt;br /&gt;
htmlfile&lt;br /&gt;
Installer\Products&lt;br /&gt;
SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers&lt;br /&gt;
ROOT\CIMV2&lt;br /&gt;
Error setting admin rights&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&amp;#8230; and so on (about ~100 different strings)&lt;/p&gt;</description>
	<pubDate>Tue, 31 Aug 2010 01:33:23 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Another one bites the dust</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/30/another-one-bites-the-dust.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/30/another-one-bites-the-dust.aspx</link>
	<description>&lt;p&gt;Following in the footsteps of Lethic, Waledac, Mariposa and Zeus, yet another botnet has been infiltrated and shut down (even if temporarily) – Pushdo.&amp;#160; Pushdo is a family of malware, and Cutwail is the spamming software that spreads its payload across the Internet.&amp;#160; From &lt;a href=&quot;http://www.theregister.co.uk/2010/08/27/pushdo_botnet_crippled/&quot;&gt;The Register&lt;/a&gt;:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Security researchers have disrupted the botnet known as Pushdo, a coup that over the past 48 hours has almost completely choked the torrent of junkmail from the once-prolific spam network.&amp;#160; Researchers from the security intelligence firm LastLine said that they identified a total of 30 servers used as Pushdo command and control channels and managed to get the plug pulled on 20 of them. As a result, the torrent of junkmail spewing from it dropped to almost zero on Thursday, according to figures from M86 Security Labs.&lt;/p&gt;    &lt;p&gt;Also known as Cutwail, Pushdo has long maintained a strong presence in the rogues gallery of the security world. It is known for spam that attempts to trick recipients into installing malware and it also excels at hiding itself from intrusion-prevention systems, security researchers have said. Its output has varied over the years with estimates as high as 20 percent of the world's spam at some points.&lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;The disruption is good news, but it also highlights the uphill challenge white hats face in severing menaces from the net. 
Some of the host providers contacted by LastLine ignored the request to disconnect the malicious servers, despite receiving a fair amount of data documenting their bad deeds&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;My own statistics on Cutwail from March-June 2010 suggest that it was the 3rd largest botnet after Rustock and Lethic.&amp;#160; Cutwail more closely resembles Lethic in that it sends a lot of spam to multiple recipients in each email envelope.&amp;#160; It still trails Rustock but not by a large margin.&amp;#160; In terms of unique IPs, both Cutwail and Lethic had about the same amount, but Lethic sends way more spam per IP than Cutwail does.&amp;#160; In terms of country of origin for IPs that are spamming (not C&amp;amp;Cs), I see the following:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;South Korea&lt;/li&gt;    &lt;li&gt;China&lt;/li&gt;    &lt;li&gt;United States&lt;/li&gt;    &lt;li&gt;India&lt;/li&gt;    &lt;li&gt;Brazil&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;Regarding this particular takedown, typically what tends to occur in instances like these is that the spam operation from a particular source (botnet, ISP, etc) is disrupted for a small period of time.&amp;#160; Then, gradually, spam levels return to their former levels.&amp;#160; This is because bots that are sending the spam are attempting to call home to their C&amp;amp;Cs but because they cannot connect to anything, there is nothing to do.&amp;#160; It’s like a military unit out in the field awaiting orders but radio communications are down at central command.&lt;/p&gt;  &lt;p&gt;The botnet operators then have to rebuild their infrastructure.&amp;#160; They start sending out new pieces of malware, creating new C&amp;amp;C nodes and send out even more malware to get hosts infected to send out spam.&amp;#160; The previous nodes are orphaned unless they have code installed that can phone home and update themselves.&amp;#160; Of course, as any programmer knows, writing software that automatically updates 
is easier said than done.&amp;#160; Once this new malware filled with C&amp;amp;C nodes reappears, and new hosts start spamming again, the botnet has rebuilt itself and usually the authors have learned a thing or two from the previous time and have made their code a bit more resilient with some redundancies built in.&amp;#160; That’s the unfortunate part of takedowns – they work for a while but the next time it promises to be less easy.&amp;#160; You don’t get two McColos in a row.&lt;/p&gt;</description>
	<pubDate>Mon, 30 Aug 2010 17:55:29 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Newegg.com: How not to handle a spam complaint</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-7535749359168618447</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/VGOiihWy97g/neweggcom-how-not-to-handle-spam.html</link>
	<description>My old friend Mike Horwath &lt;a href=&quot;http://www.geekandi.com/2010/08/30/newegg-admits-to-being-a-purveyor-of-unsolicited-email/&quot;&gt;relates his tale of Newegg.com doing just about everything wrong&lt;/a&gt; in response to a spam complaint. Spamming him again after he contacted you, then holding up the phrase &quot;you've been removed&quot; as if it means you've really resolved the issue, implying that the mail must be OK because it &quot;is CAN-SPAM compliant,&quot; implying that the spam reporter is lying about the mail being spam, etc.&lt;br /&gt;
&lt;br /&gt;
The smarter among us already know that mail is not spam just because it is CAN-SPAM compliant. Mike doesn't care that the mail was CAN-SPAM compliant, and neither do ISPs. They care about permission and relevancy -- two areas in which Newegg.com has let Mike down with this issue.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;&lt;/div&gt;</description>
	<pubDate>Mon, 30 Aug 2010 18:30:20 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: GMail Bug That Turned Some Users Into Spammers Fixed</title>
	<guid>http://www.allspammedup.com/?p=2967</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/_oqVjufIo8w/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2008/12/6a00d83451b09469e200e5527943058833-800wi.png&quot;&gt;&lt;img class=&quot;alignright size-medium wp-image-282&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2008/12/6a00d83451b09469e200e5527943058833-800wi-400x396.png&quot; alt=&quot;&quot; width=&quot;205&quot; height=&quot;203&quot; /&gt;&lt;/a&gt;Google announced that it has fixed a bug that caused a small percentage of GMail accounts to send the same email messages over and over again. The unending barrage of messages caused some of the affected accounts to be blacklisted by services such as SORBS.net and Backscatterer.org and left users wondering if their computers had been infected with some kind of malware or hacked.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&amp;#8220;The problem with Google Mail should be resolved,&amp;#8221; Google&amp;#8217;s tech support staff wrote. &amp;#8220;We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better.&amp;#8221;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Some affected users who use GMail for business purposes were embarrassed and left having to explain to clients and colleagues who were no doubt annoyed by the flood of duplicate messages. Google has not provided any details about the bug or what might have caused it, and it’s not known if they provided assistance in getting blacklisted users off those lists.&lt;/p&gt;
&lt;p&gt;It’s estimated that about 2.5% of GMail’s roughly 160 million users (as reported by the Wall Street Journal) were affected. That may not sound like much, but it equals about 4 million users whose accounts were turned into mail bombing machines by the bug. That’s a lot of email.&lt;/p&gt;
&lt;p&gt;Google probably wishes the timing had been better as the bug hit in the same week they had called a press conference to announce that Google Voice and GMail have been integrated.&lt;/p&gt;
</description>
	<pubDate>Mon, 30 Aug 2010 13:31:03 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Pushdo Botnet Crippled</title>
	<guid>http://www.allspammedup.com/?p=2983</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/6dtuwDW7QwU/</link>
	<description>
&lt;p&gt;The folks over at &lt;a target=&quot;_blank&quot; href=&quot;http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227101736&amp;cid=RSSfeed_IWK_News&quot;&gt;InformationWeek&lt;/a&gt; are reporting that the Pushdo botnet has been crippled. Thanks to a combined effort on the part of several security researchers, Pushdo, also known as Cutwail, has had the majority of its command and control servers shut down. Pushdo pumps out enormous amounts of spam, much of it malicious, and is responsible for a massive DDoS against hundreds of commercial and government websites earlier this year.&lt;/p&gt;
&lt;div id=&quot;attachment_2097&quot; class=&quot;wp-caption alignright&quot;&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG&quot;&gt;&lt;img class=&quot;size-full wp-image-2097&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG&quot; alt=&quot;&quot; width=&quot;201&quot; height=&quot;147&quot; /&gt;&lt;/a&gt;&lt;p class=&quot;wp-caption-text&quot;&gt;Compromised computers spew spam.&lt;/p&gt;&lt;/div&gt;
&lt;blockquote&gt;&lt;p&gt;&amp;#8220;We identified a total of 30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world,&amp;#8221; said Thorsten Holz at cybercrime intelligence service LastLine. &amp;#8220;We contacted all hosting providers and worked with them on taking down the machines, which led to the take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several command &amp;amp; control servers are still online at this point.&amp;#8221;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The shutdowns resulted in Pushdo’s huge flood of spam sharply plummeting.&lt;/p&gt;
&lt;p&gt;Is this a good thing? Of course. Will it last? Not likely.&lt;/p&gt;
&lt;p&gt;Botnet herders have learned from the McColo shutdown. Their command and control systems have become more complex and widespread so that when something like this happens, they are usually back in business within days rather than weeks or months. Many botnets are now programmed with long lists of domains so that if they try to connect to one and get no response they can move on to the next one and so on until they are able to connect.&lt;/p&gt;
&lt;p&gt;It will be interesting to see how long it takes Pushdo to bounce back!&lt;/p&gt;
</description>
	<pubDate>Mon, 30 Aug 2010 10:48:10 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Phony Shell Oil Star Promotion</title>
	<guid>http://spamwars.com/archives/2010/08/phony_shell_oil.html</guid>
	<link>http://spamwars.com/archives/2010/08/phony_shell_oil.html</link>
	<description>&lt;p&gt;Don't be taken in by this variation of the 419 lottery scam. The text portion of the message is as follows:&lt;/p&gt;

&lt;blockquote&gt;
Dear Winner,

&lt;p&gt;Find attached your winning Notification,in the Shell 2010 Online drwas.&lt;br /&gt;
Do contact our payment Manager for the immediate release of your funds.&lt;br /&gt;
Name: Attorney Cynthia Benton&lt;br /&gt;
Email address:[removed]@yahoo.com.hk&lt;br /&gt;
Phone/Fax: +44-7624-[removed]&lt;br /&gt;
Congratulations!!!!!&lt;br /&gt;
Shell Payment Department London.&lt;br /&gt;
30/08/2010&lt;br /&gt;
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;The message includes an image containing the Shell corporate logo:&lt;/p&gt;

&lt;blockquote&gt;
&lt;img src=&quot;http://spamwars.com/image/dispatch08_29_10.jpg&quot; alt=&quot;Phony Shell Oil winning claim form&quot; /&gt;
&lt;/blockquote&gt;

&lt;p&gt;Greedy recipients of this message won't realize that the email address of their contact is a free account from Yahoo! Hong Kong. Think for a minute: Why would a gigantic oil corporation not use its own email system for this highly valued award? (And, if you knew how to read email headers, you'd also ask why Shell Oil U.K. would send you a prize winning notification through a botnet computer in Taiwan.)&lt;/p&gt;

&lt;p&gt;If you get sucked into communicating with these crooks (the phone number is for a cell phone, by the way), they'll get you to fork over all kinds of fees and taxes out of your own money, and you'll never see a dime of the award money. It doesn't exist. Shell Oil does not give away money like this. This scam has been running for years and years under the guise of other corporate and government sponsorships.&lt;/p&gt;

&lt;p&gt;That's right, hit Delete. Now.&lt;/p&gt;</description>
	<pubDate>Mon, 30 Aug 2010 07:11:04 +0000</pubDate>
</item>
<item>
	<title>John R. Levine: Truth in spamming</title>
	<guid>http://weblog.johnlevine.com/2010/08/29#truespam</guid>
	<link>http://weblog.johnlevine.com/2010/08/29#truespam</link>
	<description>&lt;p&gt;Here's the body of a phish purporting to tell me about a $386 refund from 
the Canada Revenue Agency.  Even disregarding the signature that says 
Internal Revenue Service, check out that alt text and file name for the image.&lt;/p&gt;

&lt;pre&gt;
After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $386.00
Please submit the tax refund request and allow us 6-9 days in order to
process it. &amp;lt;br /&amp;gt;
&amp;lt;br /&amp;gt;
A refund can be delayed for a variety of reasons. For example
submitting invalid records or applying after the deadline.
&amp;lt;br /&amp;gt;
&amp;lt;img height=&quot;340&quot; alt=&quot;Fake CRA site&quot;
src=&quot;http://video.itworldcanada.com/ITBUimages/Jan19/fake_cra.jpg&quot;
width=&quot;450&quot; /&amp;gt;&amp;lt;br /&amp;gt; To access the form for your tax refund, please
&amp;lt;U&amp;gt;&amp;lt;a
href=&quot;&lt;i&gt;URL of phish site&lt;/i&gt;&quot;&amp;gt;click
here&amp;lt;/a&amp;gt;&amp;lt;/U&amp;gt; &amp;lt;br /&amp;gt;
&amp;lt;br /&amp;gt;
Regards, &amp;lt;br /&amp;gt;
Internal Revenue Service&lt;/pre&gt;</description>
	<pubDate>Sun, 29 Aug 2010 23:11:03 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Krebs on Security: White House Calls Meeting on Rogue Online Pharmacies</title>
	<guid>http://boxofmeat.net/post/1033213877</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/GVx5fBdRkQs/1033213877</link>
	<description>&lt;a href=&quot;http://krebsonsecurity.com/2010/08/white-house-calls-meeting-on-rogue-online-pharmacies/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29&quot;&gt;Krebs on Security: White House Calls Meeting on Rogue Online Pharmacies&lt;/a&gt;: &lt;p&gt;“The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications.”&lt;/p&gt;</description>
	<pubDate>Sun, 29 Aug 2010 22:07:59 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Security Labs: 419 scams go phishing</title>
	<guid>http://boxofmeat.net/post/1032933784</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/Nt0C6V_Y1_I/1032933784</link>
	<description>&lt;a href=&quot;http://community.websense.com/blogs/securitylabs/archive/2010/08/05/nigerian-scams-meet-phishing.aspx&quot;&gt;Security Labs: 419 scams go phishing&lt;/a&gt;: &lt;p&gt;‘The scam we describe in this blog is quite interesting because it is combines a typical 419 scam with a phishing attack. After the initial communication with the scammer, the victim receives a phishing email claiming to be from PayPal indicating that the scammer “PayPaled” the money to the victim. Here is the long story.’&lt;/p&gt;</description>
	<pubDate>Sun, 29 Aug 2010 21:06:02 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Terry Zink: Russian cybercrime is organized / Russian cybercrime is not organized</title>
	<guid>http://boxofmeat.net/post/1032084605</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/AjhZ_F4AYr4/1032084605</link>
	<description>&lt;a href=&quot;http://blogs.msdn.com/b/tzink/archive/2010/08/25/russian-cybercrime-is-organized-russian-cybercrime-is-not-organized.aspx&quot;&gt;Terry Zink: Russian cybercrime is organized / Russian cybercrime is not organized&lt;/a&gt;: &lt;p&gt;“…the more I read, the more I see conflicting views on the state of the criminal cybercrime world. On the one hand, the Russian criminal cybercrime underworld is a scary, organized place where people are actively trying to do the rest of us harm. On the other hand, there is the position that &lt;em&gt;that&lt;/em&gt; position is an exaggeration of what it is actually like and that it’s a bunch of ragtag folks who have some advanced computer skills but they are not formally organized.”&lt;/p&gt;</description>
	<pubDate>Sun, 29 Aug 2010 18:01:46 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Terry Zink: A bit more on Rustock</title>
	<guid>http://boxofmeat.net/post/1031292529</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/dgMWZpfvhGw/1031292529</link>
	<description>&lt;a href=&quot;http://blogs.msdn.com/b/tzink/archive/2010/08/27/a-bit-more-on-rustock.aspx&quot;&gt;Terry Zink: A bit more on Rustock&lt;/a&gt;: &lt;p&gt;“Rustock is, of course, the largest botnet out there but it depends on how you count it, as I have iterated in the past. If you count by number of unique IPs, then it is the largest botnet by a large margin. If you count by the number of email envelopes, it is still the largest by a large margin. However, each email envelope can have multiple recipients (receivers on the RCPT TO). If you count the each recipient as 1 message, then Rustock is the second largest botnet, trailing Lethic by a large margin.”&lt;/p&gt;</description>
	<pubDate>Sun, 29 Aug 2010 15:00:44 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Spam Wars: Repeat After Me: "The From Field is Forged"</title>
	<guid>http://boxofmeat.net/post/1031063682</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/MFdlYrWfXYA/1031063682</link>
	<description>&lt;a href=&quot;http://spamwars.com/archives/2010/08/repeat_after_me.html&quot;&gt;Spam Wars: Repeat After Me: &quot;The From Field is Forged&quot;  &lt;/a&gt;: &lt;p&gt;“Spammers and crooks know it: Lots of email recipients treat the From:  field as if it must be telling the truth. If an email message that  makes it to your inbox says it’s from Joe Blow, well, by God, it’s from  Joe Blow.&lt;/p&gt;
&lt;p&gt;This blind faith about unsolicited email messages is what gets so many computer users into trouble.”&lt;/p&gt;</description>
	<pubDate>Sun, 29 Aug 2010 14:00:44 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): This could save your LIFE!</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10825</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10825</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-thumbnail wp-image-10834&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/firstaid.gif&quot; alt=&quot;First Aid&quot; width=&quot;150&quot; height=&quot;150&quot; /&gt;The following internet advice, which may have a subject title such as above, could just get you killed.&lt;/p&gt;
&lt;p&gt;Like any other middle aged, balding, over-weight chap my mother still worries about me. So when her friend sent this to her and many other people, she forwarded it to me first:-&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Just in case!!!&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Let&amp;#8217;s say it&amp;#8217;s 6.15pm and you&amp;#8217;re going home (alone of course), after an unusually hard day on the job.&lt;/p&gt;
&lt;p&gt;You&amp;#8217;re really tired, upset and frustrated.&lt;/p&gt;
&lt;p&gt;Suddenly you start experiencing severe pain in your chest that starts to drag out into your arm and up into your jaw. You are only about five miles from the hospital nearest your home. Unfortunately you don&amp;#8217;t know if you&amp;#8217;ll be able to make it that far. You have been trained in CPR, but the guy that taught the course did not tell you how to perform it on yourself.&lt;/p&gt;
&lt;p&gt;HOW TO SURVIVE A HEART ATTACK WHEN ALONE&lt;/p&gt;
&lt;p&gt;Since many people are alone when they suffer a heart attack, without help, the person whose heart is beating improperly and who begins to feel faint, has only about 10 seconds left before losing consciousness.&lt;/p&gt;
&lt;p&gt;However, these victims can help themselves by coughing repeatedly and very vigorously. A deep breath should be taken before each cough, and the cough must be deep and prolonged, as when producing sputum from deep inside the chest.&lt;/p&gt;
&lt;p&gt;A breath and a cough must be repeated about every two seconds without let-up until help arrives, or until the heart is felt to be beating normally again. &lt;em&gt;Not sure I can cope with this - takes me more than 2 seconds to draw breath these days.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Deep breaths get oxygen into the lungs and coughing movements squeeze the heart and keep the blood circulating. The squeezing pressure on the heart also helps it regain normal rhythm. In this way, heart attack victims can get to a hospital. Tell as many other people as possible about this. It could save their lives!!&lt;/p&gt;
&lt;p&gt;A cardiologist says if everyone who gets this mail sends it to 10 people you can bet that we&amp;#8217;ll save at least one life.&lt;/p&gt;
&lt;p&gt;Rather than sending jokes &lt;em&gt;(not sure I agree with this part - keep on sending them they&amp;#8217;re probably stopping me getting a heart attack)&lt;/em&gt; please contribute by forwarding this mail which can save a person&amp;#8217;s life&amp;#8230;.If this message comes around you &amp;#8230;&amp;#8230;more than once&amp;#8230;..please don&amp;#8217;t get irritated&amp;#8230;..U need to be happy that you are being reminded of how to tackle&amp;#8230;.Heart attacks&amp;#8230;.AGAIN&amp;#8230;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;It sounds very plausible and if true would be worth spreading to as many people as possible. But I told my mother not to send it on to anyone until I checked it out.  I went straight to the British Heart Foundation website and other sources  which revealed that this is dangerous advice and to all intents and purposes not true (except in the most extremely limited of contexts):-&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.bhf.org.uk/plugins/PublicationsSearchResults/idoc.ashx?docid=020156c9-0274-4f60-8b88-4757e6a5a4d6&amp;version=-1&quot; target=&quot;_blank&quot;&gt;IS47 Cough Cardiopulmonary Resuscitation (IS47_Cough.pdf)&lt;/a&gt;&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&lt;img class=&quot;aligncenter size-thumbnail wp-image-10830&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/bhf_logo.gif&quot; alt=&quot;British Heart Foundation&quot; width=&quot;115&quot; height=&quot;150&quot; /&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Cough cardiopulmonary resuscitation&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;What is ‘cough cardiopulmonary resuscitation’?&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;There is a theory circulating from an uncertain source that you can stop yourself from having a heart attack by practising a technique called ‘cough cardiopulmonary resuscitation’ (sometimes called ‘cough CPR’ or ‘self CPR’). It suggests that coughing vigorously when you think you may be having a heart attack can return the electrical activity of the heart to normal.&lt;/p&gt;
&lt;p&gt;The British Heart Foundation (BHF) is not aware of any evidence to support this theory and ‘cough CPR’ should never be used as a first aid technique.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;What is the source of the ‘cough CPR’ technique?&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;You may have heard about ‘cough CPR’ or ‘self CPR’ from an email about an article called How to survive a heart attack when alone. According to the email, the article was originally published in a newsletter from Rochester General Hospital in the USA. However, the hospital claims that they have no knowledge of the source. The email says that vigorous coughing when experiencing sudden, severe chest pain (the classic symptoms of a heart attack) may help to restore or improve the circulation of blood, by maintaining the heart’s normal electrical activity. The advice is very loosely based on reports of people who have used coughing to maintain some sort of cardiac output during cardiac arrest. There is no evidence to support this.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;So what should I do if I think I am having a heart attack?&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;If you experience heaviness or tightness in the chest, accompanied by sweating, sickness, or feeling faint or breathless, you may be having a heart attack. You will need emergency treatment to stabilise your condition, so you need to call 999 for an ambulance immediately.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;For more information&lt;/strong&gt;&lt;br /&gt;
&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&lt;br /&gt;
&lt;a href=&quot;http://www.bhf.org.uk/doubtkills&quot; target=&quot;_blank&quot;&gt;www.bhf.org.uk/doubtkills&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;For more information on what to do if you think you are having a heart attack.&lt;/p&gt;
&lt;p&gt;Resuscitation UK Council&lt;br /&gt;
&lt;a href=&quot;http://www.resus.org.uk&quot; target=&quot;_blank&quot;&gt;www.resus.org.uk&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;So remember, always verify internet advice if it is not directly from a trusted source.&lt;/p&gt;
&lt;p&gt;Please note that Sophos does not certify any medical advice given above.&lt;/p&gt;</description>
	<pubDate>Sun, 29 Aug 2010 12:53:00 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: threatpost: Anti-Phishing Group Targeting Fax-Based Scams</title>
	<guid>http://boxofmeat.net/post/1027279148</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/l7WYr4hmSKM/1027279148</link>
	<description>&lt;a href=&quot;http://threatpost.com/en_us/blogs/anti-phishing-group-targeting-fax-based-scams-082610&quot;&gt;threatpost: Anti-Phishing Group Targeting Fax-Based Scams&lt;/a&gt;: &lt;p&gt;“The heyday of faxing may have passed twenty years ago, but scam artists haven’t given up on the old technology, especially when it comes to wheedling personally identifiable information out of unsuspecting office workers. Now a leading anti-phishing group is tackling the problem of fax based phishing scams.”&lt;/p&gt;</description>
	<pubDate>Sat, 28 Aug 2010 22:03:45 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: threatpost: DLL Hijacking: Facts and Fiction</title>
	<guid>http://boxofmeat.net/post/1026764927</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/OC17fIEliFI/1026764927</link>
	<description>&lt;a href=&quot;http://threatpost.com/en_us/blogs/dll-hijacking-facts-and-fiction-082610&quot;&gt;threatpost: DLL Hijacking: Facts and Fiction&lt;/a&gt;: &lt;p&gt;“The reality is anyone who can stumble through the DLL project wizard in Visual Studio can write an ‘exploit’ for this vulnerability, and when the dust settles the lists will look a bit silly — virtually every Windows application will be found to be vulnerable in one way or another.&lt;/p&gt;
&lt;p&gt;Does it matter? Yes. Is it cause for concern? Probably. Should we all panic about this new ‘glut of zero-days’? Not at all.”&lt;/p&gt;</description>
	<pubDate>Sat, 28 Aug 2010 20:03:44 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: DarkReading: Careful With That Third-Party Web Widget</title>
	<guid>http://boxofmeat.net/post/1026506162</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/IKXh0GKuywQ/1026506162</link>
	<description>&lt;a href=&quot;http://www.darkreading.com/smb-security/security/app-security/showArticle.jhtml?articleID=227001110&amp;cid=RSSfeed&quot;&gt;DarkReading: Careful With That Third-Party Web Widget&lt;/a&gt;: &lt;p&gt;&lt;span class=&quot;smalltext&quot;&gt;“As more businesses continue to use third-party code in their websites and import content from other sites, the security of their visitors increasingly relies on others.”&lt;/span&gt;&lt;/p&gt;</description>
	<pubDate>Sat, 28 Aug 2010 19:02:46 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: SophosLabs: It’s that time again…</title>
	<guid>http://boxofmeat.net/post/1025725359</guid>
	<link>http://feedproxy.google.com/~r/boxofmeat/~3/MeEBG_uQrN0/1025725359</link>
	<description>&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=10792&quot;&gt;SophosLabs: It’s that time again…&lt;/a&gt;: &lt;p&gt;“It’s back to school time! I thought I might use this as a reminder to talk to your kids about computer security. We drill it regularly to our employees and readers, but honestly, kids need to be taught about this as well.”&lt;/p&gt;</description>
	<pubDate>Sat, 28 Aug 2010 15:54:44 +0000</pubDate>
</item>
<item>
	<title>MillerSmiles Phishing News: Weekly analysis - 21st August 2010 to 28th August 2010</title>
	<guid>http://news.millersmiles.co.uk/article/00105</guid>
	<link>http://news.millersmiles.co.uk/article/00105</link>
	<description>MillerSmiles provides its weekly phishing analysis for the week of 21st August 2010 to 28th August 2010</description>
	<pubDate>Sat, 28 Aug 2010 12:00:00 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Phish net stockings?</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10811</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10811</link>
	<description>&lt;p&gt;An interesting phish was just escalated to me for analysis.  Well, ironic more than interesting.&lt;/p&gt;
&lt;p&gt;Looking at the following phish:&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/tdcanadatrust.jpg&quot; alt=&quot;&quot; title=&quot;tdcanadatrust&quot; width=&quot;550&quot; height=&quot;320&quot; /&gt;&lt;/p&gt;
&lt;p&gt;The message is a typical phish with clues to its nefarious origins.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;
Dear Valued Customer,&lt;/p&gt;
&lt;p&gt;Your New Online Statement Summary is now available to view online.&lt;br /&gt;
So, go and take a look, it&amp;#8217;s there to keep you in the know by detailing your transactions.&lt;/p&gt;
&lt;p&gt;Please remember to always keep your receipts safe, check them off against your statement and dispose of them carefully.&lt;br /&gt;
If you spot a transaction that you don&amp;#8217;t recognize you can get help from the link on your statement,&lt;/p&gt;
&lt;p&gt;if anything still seems wrong contact us straight away.&lt;/p&gt;
&lt;p&gt;Log on to view your account statement&lt;/p&gt;
&lt;p&gt;Sincerely,&lt;/p&gt;
&lt;p&gt;TD Canada Trust&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The link pointed to the images folder of a WordPress blog. The funny thing was that the blog is a &amp;#8216;leg and stocking&amp;#8217; fetish site.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/legseleven.jpg&quot; alt=&quot;&quot; title=&quot;legseleven&quot; width=&quot;550&quot; height=&quot;295&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Unfortunately, there were no &lt;em&gt;phish&lt;/em&gt; net stockings!&lt;/p&gt;</description>
	<pubDate>Fri, 27 Aug 2010 15:32:47 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Phishing primary cause of bogus iTunes charges</title>
	<guid>http://www.allspammedup.com/?p=2949</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/Pj-DFOc_QLM/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/paypal.-itunes.jpg&quot;&gt;&lt;img class=&quot;alignright size-full wp-image-2962&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/paypal.-itunes.jpg&quot; alt=&quot;&quot; width=&quot;225&quot; height=&quot;157&quot; /&gt;&lt;/a&gt;Apple&amp;#8217;s walled garden, also known as the iTunes store, showed a crack this week when reports began flooding the Internet of compromised accounts being used to siphon money from PayPal for unauthorized purchases at the online music outlet.&lt;/p&gt;
&lt;p&gt;Sums charged to PayPal varied, but one iTunes customer claimed &lt;a target=&quot;_blank&quot; href=&quot;http://techcrunch.com/2010/08/23/paypal-itunes-fraud/&quot;&gt;$4700&lt;/a&gt; had been debited to his account through the Apple store by parties unknown. Other users reported more modest thefts&amp;#8211;$500, $650 or $1000.&lt;/p&gt;
&lt;p&gt;Although the bandits were exploiting connections between iTunes and PayPal, they exhibited behaviors associated with credit card scammers. For instance, they always spent less than $100 on an item. That&amp;#8217;s a tactic used to stay off the radar screen of fraud trackers. It&amp;#8217;s also a significant cut off point for merchants. At $100 or above, they&amp;#8217;ve got to foot the bill for a fraudulently purchased item.&lt;/p&gt;
&lt;p&gt;PayPal has denied its systems had been breached. &amp;#8220;We’ve looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account,&amp;#8221; the company&amp;#8217;s chief information security officer Michael Barrett wrote in a blog.&lt;/p&gt;
&lt;p&gt;While PayPal was advising its customers to report their problems to the company so they could be reimbursed for   any money they may have lost to scammers, Apple passed the buck to others. &amp;#8220;We&amp;#8217;re always working to enhance account security for iTunes users,&amp;#8221; it said. &amp;#8220;If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about chargebacks for any unauthorized purchases.&amp;#8221;&lt;/p&gt;
&lt;p&gt;&lt;span id=&quot;more-2949&quot;&gt;&lt;/span&gt;While not officially commenting directly on the security of iTunes, off the record, the company is discounting breach speculation. &amp;#8220;There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam-a variation on the one that’s been around for years now,&amp;#8221; John Paczkowski &lt;a target=&quot;_blank&quot; href=&quot;http://digitaldaily.allthingsd.com/20100823/the-real-itunes-fraud-vulnerability-gullible-users/&quot;&gt;wrote in All Things Digital&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&amp;#8220;Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions,&amp;#8221; he added.&lt;/p&gt;
&lt;p&gt;If neither iTunes nor PayPal were compromised, password theft via a phishing scam or malware infection seems like a logical inference. Indeed, it&amp;#8217;s one a number of unnamed security experts cited when contacted by reporters following the story. But there were some oddities in the transactions involved that didn&amp;#8217;t seem to fit a straight password pilfering scam.&lt;/p&gt;
&lt;p&gt;For example, all the unauthorized transactions were tied to PayPal. If the scammers stole iTunes passwords in a phishing scam, why were the only users victimized those who made iTunes purchases with their PayPal accounts?&lt;/p&gt;
&lt;p&gt;The receipts generated by the unauthorized purchases were also queer. When purchases are made at the iTunes store, a receipt is generated and sent to the purchaser. Such receipts were received by the victims of this scam. However, &lt;a target=&quot;_blank&quot; href=&quot;http://www.guardian.co.uk/technology/blog/2010/aug/24/itunes-paypal-scams-phishing&quot; target=&quot;_blank&quot;&gt;a comparison of subject lines&lt;/a&gt; in receipts performed by Charles Arthur at The Guardian revealed an interesting disparity.&lt;/p&gt;
&lt;p&gt;When an item is bought with a credit card at iTunes, the subject line usually says &amp;#8220;Receipt for your payment to iTunes Store.&amp;#8221; When it&amp;#8217;s bought with PayPal, the subject reads, &amp;#8220;Receipt for your payment to iTunes.&amp;#8221; What Arthur discovered was that while PayPal was used to make unauthorized purchases, the receipts generated from those purchases contained credit card subject lines.&lt;/p&gt;
&lt;p&gt;Despite the lingering questions about the break-ins, the consensus still seems to be that they involved compromised passwords and those passwords were obtained by phishing or other forms of Net mischief.&lt;/p&gt;
&lt;p&gt;For consumers who want to avoid becoming victims of online scammers, PayPal&amp;#8217;s &lt;a target=&quot;_blank&quot; href=&quot;https://www.thepaypalblog.com/2010/08/paypal-and-itunes-in-the-news/&quot; target=&quot;_blank&quot;&gt;Barret offers these tips&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use a safe password: use a strong password which includes a combination of upper and lowercase letters and numbers. But don’t use the same password for every online account you have. That’s basically like using the same key for your house, your car, your office and your safety deposit box. If you lose that key, you’re in trouble.&lt;/li&gt;
&lt;li&gt;Protect your computer: use a modern, supported operating system such as Windows 7 or Apple’s OS X Snow Leopard. You should also use an updated Internet browser that blocks fraudulent websites, like Internet Explorer 8, Safari 5, Firefox 3 or higher. As always, keep your antivirus software updated.&lt;/li&gt;
&lt;li&gt;Don’t click on links in email: never click on links in email and then enter your username, password or other sensitive information &amp;#8211; even if the email looks like it’s from your bank, an e-commerce site, the IRS or popular sites like PayPal.&lt;/li&gt;
&lt;li&gt;Use common sense: if you wouldn’t do something in the offline world, don’t assume it’s safe online. If a stranger walked up to you at a gas station and said, &amp;#8220;Please give me the key to your house; I need to make sure there are no burglars there,&amp;#8221; you’d probably tell him to go take a hike. Likewise, if you get an email, phone call or some other unexpected message demanding that you turn over your username and password, don’t do it. Trust your instincts.&lt;/li&gt;
&lt;/ul&gt;
</description>
	<pubDate>Fri, 27 Aug 2010 13:08:21 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Co-RegData.com: Content Thieves</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-3214710662711481570</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/-nildF8gzr0/co-regdatacom-content-thieves.html</link>
	<description>Co-regdata.com seems to be pirating content from my own site here at Spam Resource dot com.&lt;br /&gt;
&lt;br /&gt;
Example stolen content: &lt;a href=&quot;http://www.co-regdata.com/2010/08/27/ken-magill-returns-45th-edition/&quot;&gt;http://www.co-regdata.com/2010/08/27/ken-magill-returns-45th-edition/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
That seems to be a duplicate copy of my post about Ken Magill's new website. Oddly, they removed Ken's website URL and replaced it with their own. &lt;br /&gt;
&lt;br /&gt;
If you're looking for a reputable co-reg data provider or lead generation partner, co-regdata.com might be a poor choice. If they're taking my content and using it in an unethical manner, without my consent, that doesn't give me high confidence about their ethics when it comes to lead generation.&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;(Thanks to reporter &lt;a href=&quot;http://www.magillreport.com/&quot;&gt;Ken Magill&lt;/a&gt; for giving me a heads up about these guys.) &lt;/i&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;&lt;/div&gt;</description>
	<pubDate>Fri, 27 Aug 2010 11:23:00 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Repeat After Me: "The From Field is Forged"</title>
	<guid>http://spamwars.com/archives/2010/08/repeat_after_me.html</guid>
	<link>http://spamwars.com/archives/2010/08/repeat_after_me.html</link>
	<description>&lt;p&gt;Spammers and crooks know it: Lots of email recipients treat the From: field as if it must be telling the truth. If an email message that makes it to your inbox says it's from Joe Blow, well, by God, it's from Joe Blow.&lt;/p&gt;

&lt;p&gt;This blind faith about unsolicited email messages is what gets so many computer users into trouble.&lt;/p&gt;

&lt;p&gt;A case in point is that someone managed to find his or her way to this web site (spamwars.com) and went to the trouble of filling out the contact form thusly:&lt;/p&gt;

&lt;blockquote&gt;
I received an e-mail from this address saying I made an online payment of $500 not true. Remove all information
&lt;/blockquote&gt;

&lt;p&gt;I suspect the person found the site by searching Google, which pointed to &lt;a href=&quot;http://spamwars.com/archives/2010/08/express_payment.html&quot;&gt;this article&lt;/a&gt;. So, I write an article blowing the lid off this scam, and I'd send out more messages after I implore you to not react to the messages? WTF?&lt;/p&gt;

&lt;p&gt;Worse yet, this person included his/her email address in the contact form. Luckily for him/her, I don't harvest addresses (or send out bulk email of any kind). Voluntarily revealing one's email address to any kind of spammer or scammer is the most idiotic thing one could do &amp;mdash; and he/she obviously thinks I'm a spammer/scammer, right?&lt;/p&gt;

&lt;p&gt;I've tried to educate computer users about how email headers can be forged from here to Azerbaijan, but they either don't listen, or just have overriding faith in what they see in their inboxes. For the record: &lt;strong&gt;Everything from the header that your email client displays can be forged, including the From:, To:, Date:, and Subject: fields&lt;/strong&gt;. And when it comes to spam or scam messages, the From: field is almost always forged with other addresses from the spammer's databases (i.e., other spam recipients). These addresses have been harvested from infected computers and other sources for years and years. An infected computer will supply Bad Guys with addresses of everyone with whom the infected computer has corresponded &amp;mdash; which is how addresses belonging to owners of clean computers have been captured. If you are receiving spam, there is a very good chance that &lt;em&gt;your&lt;/em&gt; address has been plugged into the From: field of spam going to others at some point.&lt;/p&gt;

&lt;p&gt;Most computer users can't be bothered to learn how the spammers and scammers make them dance like marionettes. Put on your tap shoes.&lt;/p&gt;</description>
	<pubDate>Fri, 27 Aug 2010 06:36:42 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: A bit more on Rustock</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/27/a-bit-more-on-rustock.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/27/a-bit-more-on-rustock.aspx</link>
	<description>&lt;p&gt;&lt;a href=&quot;http://www.zdnet.co.uk/news/security-threats/2010/08/25/rustock-botnet-responsible-for-39-percent-of-all-spam-40089922/&quot;&gt;ZDNet&lt;/a&gt; and &lt;a href=&quot;http://www.goodgearguide.com.au/article/358165/rustock_botnet_responsible_40_percent_spam/&quot;&gt;GoodGearGuide&lt;/a&gt; both report that Rustock is responsible for 41% of the world’s botnet spam in August, up from 32% in April.&amp;#160; They are both quoting MessageLabs’s latest Intelligence Report.&lt;/p&gt;  &lt;p&gt;Rustock is, of course, the largest botnet out there but it depends on how you count it, as I have iterated in the past.&amp;#160; If you count by number of unique IPs, then it is the largest botnet by a large margin.&amp;#160; If you count by the number of email envelopes, it is still the largest by a large margin.&amp;#160; However, each email envelope can have multiple recipients (receivers on the RCPT TO).&amp;#160; If you count each recipient as 1 message, then Rustock is the second largest botnet, trailing Lethic by a large margin.&amp;#160; This is because Lethic sends 5-6 times as many messages per connection as Rustock.&lt;/p&gt;  &lt;p&gt;You might be wondering why we would want to count total messages instead of total envelopes.&amp;#160; Don’t you want to reject a message as soon as you possibly can?&lt;/p&gt;  &lt;p&gt;The answer is it depends.&amp;#160; Or rather, you want to reject a message as soon as you can, but no sooner.&amp;#160; In our service, we reject messages after the RCPT TO, not on connect.&amp;#160; The reason we do this is because we are a hosted service and we have reporting requirements for each of our customers.&amp;#160; If our customer is microsoft.com and they want to know how many messages we blocked for them, then the only way for us to tell is to count the number of recipients on the RCPT TO.&amp;#160; We add up how many are going to @microsoft.com and then log that number.&amp;#160; This means that 
we cannot reject at connection time.&amp;#160; If we did that, we would have a log of the sending IP but not the MAIL FROM (which isn’t relevant) and not the RCPT TO.&amp;#160; It would make it impossible for us to validate our SLAs and tell customers how much mail we blocked for them.&lt;/p&gt;  &lt;p&gt;While reporting has its advantages, this also has its drawbacks.&amp;#160; By holding the connection open longer, we cannot reject as quickly and tie up more resources.&amp;#160; On the other hand, it’s not &lt;em&gt;that&lt;/em&gt; big a deal because we are rejecting after the RCPT TO, not on end-of-data, which would hold up significantly more bandwidth.&amp;#160; From a tech standpoint, we are imposing a cost upon ourselves but it is one we pay in order to demonstrate our net worth to the end user.&lt;/p&gt;  &lt;p&gt;The differentiation between messages vs envelopes matters for a second reason: botnets like Lethic, when they aren’t on a blocklist, cost us way more resources when it comes to content filtering.&amp;#160; All spam that comes to us first needs to get past the IP blocklist.&amp;#160; If it does, then it’s on to the content filter.&amp;#160; As I said earlier, Lethic sends lots of mail per connection.&amp;#160; They are like the guy who goes to the all-you-can-eat-salad-bar 5 times and pays $8.99.&amp;#160; When we filter it in the content filter and mark it as spam, at the end we have to split up all of those RCPT TOs and send them either to each user’s quarantine (in the cloud where we have to store it) or to the customer’s mail server where they sort it and store it on-premise (such as an Exchange box’s junk mail folder).&amp;#160; When that occurs, &lt;em&gt;that&lt;/em&gt; takes up a lot of resources in terms of bandwidth and disk storage cost.&amp;#160; The post-blocklist cost of Lethic is higher than Rustock because of the way they send their spam.&amp;#160; For a filtering service, that matters and it matters a lot.&lt;/p&gt;  &lt;p&gt;So yes, 
Rustock sends the most spam but it depends on how you measure it.&amp;#160; It also depends on what you consider to be the greater impact.&amp;#160; Not only that, but if we’re talking about bandwidth and storage costs, then it’s not just about the number of messages but how big each message is in terms of kilobytes.&amp;#160; My research indicates that from March – June 2010, the average size of a Rustock spam message was 18kb, whereas Lethic was 3kb.&amp;#160; So, that kind of equalizes the amount of spam cost each one takes up.&amp;#160; Using these counts, then Rustock becomes the biggest botnet by a longshot, once again regaining its crown even in spite of Lethic’s dominating messages/envelope.&amp;#160; The total value of Rustock?&amp;#160; 40%, which agrees with MessageLabs’s numbers.&lt;/p&gt;  &lt;p&gt;Aren’t statistics great?&lt;/p&gt;</description>
	<pubDate>Fri, 27 Aug 2010 06:07:38 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Some notes on Rustock</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/27/some-notes-on-rustock.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/27/some-notes-on-rustock.aspx</link>
	<description>&lt;p&gt;There’s been a number of articles on Rustock lately so I thought I’d chime in with my take, which isn’t that novel but I have to inflate my post count.&amp;#160; Techworld recently &lt;a href=&quot;http://news.techworld.com/security/3236787/rustock-botnet-ditches-encryption-to-ramp-spam/&quot;&gt;reported&lt;/a&gt; that Rustock, which started sending spam over TLS, has stopped doing so:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;The Rustock mega-botnet appears to have ditched the experimental use of TLS (transport layer security) to obscure its activity, Symantec has reported.&amp;#160; Rustock’s use of TLS now averages between 0.1 and 0.2 percent of all spam, peaking at 0.5 percent, a tiny fraction of the levels seen in March when it reached averages of around 25 percent with a peak of as much as 77 percent.&lt;/p&gt;    &lt;p&gt;The key moment was on 20 April, when the volume of spam featuring the tactic suddenly plunged to sub-one percent levels after an equally sudden rise in rates in the weeks prior to that date.&amp;#160; TLS adds a small but cumulative overhead to server email processing, which ties up mail servers but also affects the rate at which spam is sent. 
Why Rustock’s controllers adopted the technique at all was never clear but might have been connected to a misplaced belief that it would make it harder for servers to filter its activity or detect the command and control system used to direct its activity.&lt;/p&gt;    &lt;p&gt;“It would seem that the botnet controllers, especially those behind Rustock, have perhaps realised that the use of TLS gave them little or no discernable benefits, and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS,” reckons the August 2010 MessageLabs Intelligence Report.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Back in March, I originally &lt;a href=&quot;http://blogs.msdn.com/b/tzink/archive/2010/03/02/more-spam-via-tls.aspx&quot;&gt;reported&lt;/a&gt; that we were seeing an increased amount of spam from Rustock sent over TLS.&amp;#160; As the authors of MessageLabs’ Report conclude, it’s unknown why they would have used it in the first place.&amp;#160; There really isn’t that much benefit to using TLS to send spam.&amp;#160; No spam filter worth its salt uses TLS as a mechanism for trust in and of itself so it wouldn’t aid in delivery.&amp;#160; It’s possible that they may have thought that using it made detection more resilient since it would be more difficult to detect the command-and-control nodes, but this doesn’t make sense either.&amp;#160; The nodes who call &lt;em&gt;back&lt;/em&gt; to the C&amp;amp;C centers would need to have those communication channels encrypted, that is, updating the instructions for what purposes they are going to do should be encrypted to prevent disruption.&amp;#160; However, sending messages over an encrypted channel to mail recipients has no benefit – the payload (spam) is the same and looks the same to the end user since it must be displayed in clear text.&lt;/p&gt;  &lt;p&gt;The maintainers of Rustock probably determined this and decided to abandon the trick.&amp;#160; Perhaps they 
thought that end-to-end encryption was a useful technique, but it really is not.&amp;#160; It doesn’t buy them anything and in fact is very cost intensive.&amp;#160; Heck, Hotmail doesn’t even do TLS so maybe they figured that their target audience wasn’t even worth the effort.&amp;#160; As the above article says, as soon as they dropped TLS a few weeks ago the bot was able to double its throughput.&lt;/p&gt;  &lt;p&gt;On our side, you may recall that we originally noticed it when we discovered that our CPU utilization had spiked up.&amp;#160; This occurred in December 2009 (although the utilization problem didn’t become evident until a few weeks later).&amp;#160; An investigation demonstrated that it was because we were attempting to negotiate all of these TLS connections.&amp;#160; We did some digging and collected some connecting IP addresses for a small snapshot of a single day and then compared them against a list of known botnets.&amp;#160; It confirmed what I suspected: most of these connections utilizing TLS were coming from IPs associated with Rustock.&lt;/p&gt;  &lt;p&gt;We then quickly got to work.&amp;#160; And the work occurred with amazing rapidity.&amp;#160; We implemented a couple of fixes:   &lt;br /&gt;&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;&lt;strong&gt;The short term fix.&amp;#160; &lt;/strong&gt;The short term fix was to avoid advertising STARTTLS using some of our routers.&amp;#160; We had the router do an IP blocklist lookup before it hit our Exchange mail servers, and if it was on a blocklist it was diverted to a different port (say, port 28 instead of port 25 which is where email is normally done) and a pool of servers which did not advertise STARTTLS.&amp;#160; Thus, we were doing a blocklist check using the router instead of the mail server.&amp;#160; This worked; our CPU utilization dropped immediately.      
&lt;br /&gt;      &lt;br /&gt;However, this was only a short term mitigation.&amp;#160; It wouldn’t scale; if we ever wanted to add more mail servers and take on more traffic, we’d have to make sure that the router could handle the connections.&amp;#160; Our mail servers do things like logging that the router does not do.&amp;#160; The long term fix was to ensure that this problem would be taken care of automatically no matter how many mail hosts we added.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;The long term fix.&lt;/strong&gt;&amp;#160; This is a fix that was made and ported into Exchange 14 (our service is the largest consumer of Exchange 14 anywhere in the world).&amp;#160; What happens here is that STARTTLS is delayed.&amp;#160; First, an IP blocklist check is done (either through an rbldns query or some other mechanism such as a local on-the-box call) and if the IP is on the list, STARTTLS is &lt;em&gt;not&lt;/em&gt; advertised.&amp;#160; The rationale behind this is that rather than advertising it from the start, a decision is made to see whether or not the connecting IP is trustworthy.&amp;#160; If not, we don’t advertise STARTTLS and the connection is rejected.&amp;#160; It is conditional upon verification of reputation.      
&lt;br /&gt;      &lt;br /&gt;This fix went out in March or April (I can’t remember) and it worked immediately.&amp;#160; Our CPU utilization continued to remain low.&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;Of course, a few weeks ago, the Rustock botnet decided to stop sending spam over TLS altogether.&amp;#160; That means that all the hard work our developers and testers went through is now all for naught.&amp;#160; All we would have had to do is not do anything and the problem would have resolved itself.&amp;#160; However, we all certainly learned a lot: spammers may be able to operate quickly, but then again, so can we.&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-68-90-metablogapi/4645.image_5F00_05418F9A.png&quot;&gt;&lt;img title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-68-90-metablogapi/3568.image_5F00_thumb_5F00_0AB0003E.png&quot; width=&quot;548&quot; height=&quot;272&quot; /&gt;&lt;/a&gt;&lt;/p&gt;</description>
	<pubDate>Fri, 27 Aug 2010 05:41:17 +0000</pubDate>
</item>
<item>
	<title>Richi Jennings: Fanboi falsehood #1: "Mac security better than Windows"</title>
	<guid>tag:blogger.com,1999:blog-9336495.post-2835209309942123592</guid>
	<link>http://feedproxy.google.com/~r/richi/~3/ZDq_zFHpYwA/fanboi-falsehood-1-mac-security-better.html</link>
	<description>&lt;a href=&quot;http://richij.com/tlv&quot; title=&quot;The Long View&quot;&gt;&lt;img src=&quot;http://blogs.computerworld.com/sites/default/themes/cw_blogs/cache/files/pictures/picture-23.gif&quot; width=&quot;33&quot; height=&quot;37&quot; alt=&quot;Richi Jennings's picture&quot; title=&quot;Richi Jennings&quot; align=&quot;top&quot; /&gt;&lt;/a&gt; &amp;nbsp; &lt;b&gt;The Long View (&lt;a href=&quot;http://richij.com/tlv&quot; title=&quot;The Long View&quot;&gt;Computerworld&lt;/a&gt;)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;My irritation with fanbois and fanboishness knows no bounds. These people have an intense desire to evangelize their chosen technology and convert users of competing products to their One True Way. Whether it's Mac fanbois mocking Windows users, or iPhone fanbois taunting Android wielders, their behavior is childish, cultish, and frankly a little disturbing. In this occasional series of posts, let's examine some fanboi falsehoods and technological tropes -- in The Long View.&lt;br /&gt;&lt;br /&gt;...&lt;a href=&quot;http://blogs.computerworld.com/16833/fanboi_falsehood_1_mac_security_better_than_windows?source=richij&quot;&gt;Read more&lt;/a&gt;</description>
	<pubDate>Thu, 26 Aug 2010 16:28:58 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Five Ways to Train Your Users to Identify Spam</title>
	<guid>http://www.allspammedup.com/?p=2953</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/EwO4W1bQ530/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/Spam.jpg&quot;&gt;&lt;img class=&quot;alignright size-full wp-image-2954&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/Spam.jpg&quot; alt=&quot;&quot; width=&quot;201&quot; height=&quot;251&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;One aspect of spam has to do with trickery, where users are cajoled or tricked into performing an action, usually in the form of clicking on a specially prepared URL link.  While the best way to stop the proliferation of spam would of course be the implementation of a good &lt;a target=&quot;_blank&quot; href=&quot;http://www.gfi.com/maildefense&quot;&gt;spam filter&lt;/a&gt;, junk e-mail slipping through is often an inevitable state of affairs.&lt;/p&gt;
&lt;p&gt;Rather than having to sort through the mess after the fact, one way that IT managers can turn the situation around is to train non-technical staffers to complement and enhance technical methods of identifying spam. Teaching employees how to identify spam is a good idea on a few fronts, such as allowing spam administrators to better refine or tweak existing spam filters.  In addition, savvy users dramatically reduce the possibility of malware being introduced through spam.&lt;/p&gt;
&lt;p&gt;&lt;span id=&quot;more-2953&quot;&gt;&lt;/span&gt;Today, I will highlight a number of current spam vectors that you can use to train your users on how to identify spam.  You can of course also use these methods to better tune your spam blacklist.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;&amp;#8220;Mail undeliverable&amp;#8221; messages&lt;br /&gt;
&lt;/strong&gt;I personally experienced a spike of such e-mails recently, which were all fortunately caught in my spam filter.  Depending on specific configurations &amp;#8211; so as not to erroneously block legitimate warnings about unsuccessful mail delivery &amp;#8211; some organisations might inadvertently let in more of such spam.  Less savvy users who see such e-mails might be panicked into rashly clicking a link in a misguided attempt to determine the problem.  While it would be unreasonable to train every employee on how to read e-mail headers, it won&amp;#8217;t be as difficult to coach them on how to watch out for bogus links embedded within such e-mails.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Messages from popular on-line services&lt;br /&gt;
&lt;/strong&gt;The shotgun nature of unsolicited mails means that spammers are drawn to masquerade as popular Web services that have a higher chance of being used by their targets.  Common vectors are sites such as Facebook, PayPal, Amazon, or even iTunes. In a nutshell, messages that claim to come from these popular on-line services are then laced with links in the hope that victims will click on them.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Nonsensical headers or text body&lt;br /&gt;
&lt;/strong&gt;One popular trick by spammers is to copy or paste snippets of legitimate Web content as the e-mail header or text.  Links to specific sites are then carefully embedded to trick readers into clicking them.  The content of copied text can vary greatly, and I&amp;#8217;ve seen materials from several sites combined before in a bid to bypass Bayesian filters.  Users can be further confused because e-mail recipients and senders are typically spoofed.&lt;br /&gt;
IT managers need to remind users that if an e-mail makes absolutely no sense, it probably isn&amp;#8217;t legitimate &amp;#8211; even if apparently originating from someone they know.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Death and accident involving well-known personalities&lt;br /&gt;
&lt;/strong&gt;Events ranging from the demise of pop megastar Michael Jackson to the recent World Cup have clearly shown us how spammers are reacting much faster than before in an attempt to circumvent increasingly sophisticated anti-spam technology.  Spam involving current or breaking news has a far higher chance of making it into inboxes before administrators have an opportunity to react.  Also, users who might have heard part of the news via other avenues are far more likely to read such messages or click on any links that are given. Rather than forcing spam administrators to stay glued to breaking news, tapping into users to identify such spam is also an excellent opportunity to involve them in the fight against spam.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HTML file attached&lt;br /&gt;
&lt;/strong&gt;Most e-mail servers and spam filters now block executables by default, even if compressed within ZIP archives.  However, the continued discovery of flaws in popular Web browsers has led spammers to send HTML files containing code to exploit these vulnerabilities.  Header and body text can vary as usual, but suffice it to say that it usually involves something enticing such as winning a lucky draw or some unsolicited transfer of funds.  Users need to know that the sending of HTML files constitutes extremely suspicious behaviour and should first be verified with the appropriate administrator.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The above list represents just some of the newer spam attempts that I&amp;#8217;ve personally witnessed; periodical training will be necessary to keep users up-to-date.  Ultimately, staffers need to know that the spam (or mail) administrator is always available to address any doubts or queries that they might have.&lt;/p&gt;
</description>
	<pubDate>Thu, 26 Aug 2010 15:27:06 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): DLL pre-loading attack vector addressed by Microsoft</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10803</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10803</link>
	<description>&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/dll_icon_on_windows_vista.png&quot; alt=&quot;&quot; title=&quot;dll_icon_on_windows_vista&quot; class=&quot;alignright size-full wp-image-10805&quot; /&gt;&lt;br /&gt;
We have been discussing the issue of unsafe DLL loading in the lab since the release of the &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/2269637.mspx&quot;&gt;Microsoft advisory&lt;/a&gt; about a potential attack vector that uses the default Windows DLL Search Order to load a malicious DLL into the process space of an application designated for opening a specific file type (e.g. .MP3 or .DOC or .XXX).&lt;/p&gt;
&lt;p&gt;To summarize, when an application dynamically loads a DLL without specifying a full path, Windows tries to locate the DLL by searching through a set of directories, known as the DLL Search Order, which consists of&lt;/p&gt;
&lt;p&gt;   1. The directory from which the application loaded&lt;br /&gt;
   2. The system directory&lt;br /&gt;
   3. The 16-bit system directory&lt;br /&gt;
   4. The Windows directory&lt;br /&gt;
   5. The current working directory (CWD)&lt;br /&gt;
   6. The directories that are listed in the PATH environment variable&lt;/p&gt;
&lt;p&gt;Now, if the attacker discovers a vulnerable application, they can place a malicious DLL and a file to be opened by the vulnerable application (to set the current working directory) on a remote or &lt;a href=&quot;http://en.wikipedia.org/wiki/WebDAV&quot;&gt;WebDAV&lt;/a&gt; share so that the malicious DLL gets dynamically loaded to handle the designated file type.&lt;/p&gt;
&lt;p&gt;Usually, when a new vulnerability is disclosed we publish a &lt;a href=&quot;http://www.sophos.com/support/knowledgebase/article/43444.html&quot;&gt;SophosLabs vulnerability analysis&lt;/a&gt; and write detection for our products to detect attempts to exploit the issue in the wild. However, this time, the cause of the vulnerability could not be classified as one of the usual suspects for remote code execution - buffer overflow, integer underflow or double free, so we decided that we will not write our own advisory knowing that Microsoft decided to put the emphasis for addressing the problem on the developers of the &lt;a href=&quot;http://vupen.com/english/searchengine.php?keyword=insecure+library+loading&quot;&gt;growing number of affected applications&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;A number of proof of concept exploits, including a &lt;a href=&quot;http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html&quot;&gt;Metasploit module&lt;/a&gt;, have already been released and there are &lt;a href=&quot;http://isc.sans.edu/diary.html?storyid=9445&quot;&gt;reports&lt;/a&gt; that the issue has been actively exploited in the wild.&lt;/p&gt;
&lt;p&gt;Microsoft has released guidance and tools for mitigating the issue both for &lt;a href=&quot;http://support.microsoft.com/kb/2264107&quot;&gt;end users&lt;/a&gt; and for &lt;a href=&quot;http://support.microsoft.com/kb/2389418&quot;&gt;developers&lt;/a&gt;. Unfortunately, there must be hundreds of applications affected by the issue and it will take some time for their developers to fix them. In the meantime, it is important to follow &lt;a href=&quot;http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx&quot;&gt;Microsoft&amp;#8217;s guidance&lt;/a&gt; to mitigate the threat.&lt;/p&gt;
&lt;p&gt;Our colleague Chet &lt;a href=&quot;http://www.sophos.com/blogs/chetw/g/2010/08/25/microsoft-addresses-dll-order-operations-flaw/&quot;&gt;also commented&lt;/a&gt; on the issue on his blog.&lt;/p&gt;</description>
	<pubDate>Thu, 26 Aug 2010 11:06:30 +0000</pubDate>
</item>
<item>
	<title>CAUCE North America: Omnibus Cybersecurity Bill May Not Go Where Original Authors Intended</title>
	<guid>tag:typepad.com,2003:post-6a012875e4169d970c0133f35324fb970b</guid>
	<link>http://feedproxy.google.com/~r/CAUCE/~3/dM4OibjWoN8/omnibus-cybersecurity-bill.html</link>
	<description>&lt;div&gt;
&lt;p&gt;In &lt;a href=&quot;http://www.govinfosecurity.com/articles.php?art_id=2868&amp;rf=2010-08-25-eg&quot; target=&quot;_blank&quot;&gt;an interview with GovInfoSecurity&lt;/a&gt;, &lt;a href=&quot;http://en.wikipedia.org/wiki/Thomas_Carper&quot; target=&quot;_blank&quot;&gt;Sen. Thomas Carper&lt;/a&gt; said that the U.S. Senate is considering attaching cybersecurity legislation to a defense authorizations bill.  Though clearly a ploy to be able to say &quot;we did something about those evil hackers&quot; before the elections, CAUCE applauds the attempt.  There can be no doubt that the United States (and many other countries) sorely needs better laws to deal with these threats.&lt;/p&gt;
&lt;p&gt;Further, Senate Majority Leader &lt;a href=&quot;http://en.wikipedia.org/wiki/Harry_Reid&quot; target=&quot;_blank&quot;&gt;Harry Reid&lt;/a&gt; has asked that the cybersecurity bills currently in front of various committees be combined into one single, omnibus bill, which would presumably then be attached to the defense authorizations bill.  Here's where we start to get worried.&lt;/p&gt;
&lt;p&gt;Each of the bills we've seen (and we surely haven't seen them all yet) has some good points, and some...let's just call them unintended consequences.  In every case it's obvious that the authors' intentions were good, but they needed some expert advice from people who understand the technical and legal realities of the internet today.&lt;/p&gt;
&lt;p&gt;One such expert, a long-time CAUCE supporter who asked to remain anonymous, shares his review of one of those bills: S. 3742, the &quot;Data Security and Breach Notification Act of 2010.&quot;  You can read the original and check its current status &lt;a href=&quot;http://thomas.loc.gov/cgi-bin/query/z?c111:S.3742.IS:&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Please note that this is &lt;span&gt;not&lt;/span&gt; legal advice.  Our expert is not a lawyer, I'm not a lawyer, and CAUCE did not consult with any lawyers before publishing this article.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Our expert says it's going to be difficult to construct a single good  omnibus cybersecurity bill. The bigger and more complicated it gets, the  less likely it is that anyone will actually &lt;a href=&quot;http://readthebill.org/&quot; target=&quot;_blank&quot;&gt;read the bill&lt;/a&gt; before voting on it — particularly when they're in a hurry to go home and win an election.&lt;/p&gt;
&lt;p&gt;He highlights a few specific items which could be troublesome for just about anyone running a mail server, a web site, or other online services which collect or transit any information:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;em&gt;Page 2, Section 2 (a)(2)(A):&lt;/em&gt; More or less everyone's going to need to have &lt;a href=&quot;http://en.wikipedia.org/wiki/Personally_identifiable_information&quot; target=&quot;_blank&quot;&gt;personally identifiable information (PII)&lt;/a&gt; security policies&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 3, Section 2 (a)(2)(B):&lt;/em&gt; ... and an information security officer&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 3, Section 2 (a)(2)(C):&lt;/em&gt; ... and a process for monitoring for PII breaches&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 3, Section 2 (a)(2)(D):&lt;/em&gt; ... and a process for mitigating PII vulnerabilities&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 3, Section 2 (a)(2)(E):&lt;/em&gt; ... and a process for securely deleting electronic records containing PII&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 4, Section 2 (a)(2)(F):&lt;/em&gt; ... and a process for securely destroying paper and other non-electronic records containing PII&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 4, Section 2 (b):&lt;/em&gt; If you're an &quot;information broker&quot; (which would include nearly anyone who collects information and shares it with anyone else), you have additional obligations, including needing to submit policies to the FTC, needing to provide consumer access to information, tracking access to information maintained by the broker, etc.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 13, Section 3 (a)(1): &lt;/em&gt;Requires notification solely to US citizens and residents in the event of a breach. Of course, that presumes you know the nationality/immigration status of those whose PII data you hold (hmm, I don't think *anyone* I know does, except for HR departments with regard to their own employees). If I were a covered entity, I'd be strongly inclined to begin soliciting that information from everyone I get PII data from, although of course that may trigger a whole different set of issues, particularly in areas where immigration related issues are a hot button topic.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 14, Section 3 (b)(2): &lt;/em&gt;Notification by a service provider triggers reporting requirements. This is going to make LOTS of friends for service providers, given the affirmative notification and credit protection obligations that customers accrue after being notified.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 19, Section 3 (d)(2)(A):&lt;/em&gt; Alternative notification is available for incidents involving LESS than 1,000 individuals. This is goofy.&lt;br /&gt;Normally alternative notification is allowed as an option when the number of covered individuals is very LARGE not very small. For example, some state laws permit alternative notification in cases where costs of providing notice would exceed a quarter million dollars, the affected class of consumers to be notified exceeds 350,000, or the notifying party doesn't have sufficient contact information to provide notice.&lt;br /&gt;There's language on page 22 of the draft bill that may allow regulatory additions to expand when substitute notification is permissible, but the basics for when substitute notification should be permissible should be part of the core statute, not an after-the-fact, maybe-yes, maybe-no regulatory add on by the agency.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 25, Section 3 (d)(2)(B):&lt;/em&gt; imposes compliance burdens on entities for a year &lt;em&gt;before&lt;/em&gt; technical compliance guidance is available. Enforcement of the act should be held until the guidance envisioned by 3(d)(2)(B) is available, and realistically it will take probably an additional period after that for sites to deploy the recommended technology (new projects don't happen overnight).&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 26, Section 3 (h):&lt;/em&gt; Potentially requires notification in polyglot languages. This can be a huge administrative PITA -- consider the &quot;simple&quot; case of the EU, where there are &quot;only&quot; 23 official languages (Bulgarian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovene, Spanish and Swedish, plus (semi-official) Catalan, Galician, and Basque).&lt;br /&gt;This section could be potentially exceptionally burdensome if the FCC suddenly mandates that sites provide notification in multiple foreign languages (I could see an argument for requiring Spanish as well as English, but there are some communities in the United States where other languages are also very common).&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Page 28, Section 4 (b)(1):&lt;/em&gt; It seems unnecessarily combative to define all data security incidents as &quot;unfair or deceptive acts or practices.&quot; Data security incidents are not typically something which a covered entity &lt;em&gt;intentionally&lt;/em&gt; does, neither are such breaches typically &quot;unfair&quot; or &quot;deceptive&quot; in the same way that some TV or Internet huckster's &quot;miracle&quot; product or pyramid sales scheme might be.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The most persuasive argument in the other direction is probably that currently most states already have their own PII breach notification laws, and it can be a pain to try to stay in compliance with &lt;a href=&quot;http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx&quot; target=&quot;_blank&quot;&gt;46 different PII information security and breach notification statutes&lt;/a&gt;. So again, the intention is clearly good, but in practice...it needs some careful review.&lt;/p&gt;
&lt;p&gt;So there are the results from &lt;em&gt;one&lt;/em&gt; bill, examined by &lt;em&gt;one&lt;/em&gt; expert.  He's one of the best minds in the cybersecurity community, yet he may still have missed something.  With legislation as important as this, smushing it all together and rushing to attach it to something unrelated is simply a bad idea.  This is a topic which requires careful thought, from multiple people who &lt;em&gt;really do&lt;/em&gt; know what they're doing — and who can explain it to the Congressional staffers who will write the resulting bill, and then to the Senators and Representatives who will collectively make the decision.&lt;/p&gt;
&lt;p&gt;Once that education has occurred, it should quickly become evident that while some of these bills do overlap, others do not.  Some will disagree.  Some simply contain bad ideas.  All of this has to be worked out.  Then, finally, it might make sense to combine them — not now, and not just because they all have the prefix &quot;cyber&quot; in the title somewhere.&lt;/p&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 25 Aug 2010 23:03:21 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Ken Magill Returns</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-7132290991301468305</guid>
	<link>http://feedproxy.google.com/~r/spamresource/~3/-Eiu8ssakt0/ken-magill-returns.html</link>
	<description>Number one (in my personal estimation) industry reporter Ken Magill has returned, and in his first newsletter, he drops an interesting tidbit: apparently Goodmail is for sale. &lt;a href=&quot;http://www.magillreport.com/Exclusive-Goodmail-on-the-Block/&quot;&gt;Read it here&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Don't forget to visit Ken's website and sign up for his newsletter -- you can find it over at &lt;a href=&quot;http://www.magillreport.com/&quot;&gt;www.magillreport.com&lt;/a&gt;.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;&lt;/div&gt;</description>
	<pubDate>Wed, 25 Aug 2010 23:22:42 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): It’s that time again…</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10792</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10792</link>
	<description>&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/3415941754_fdef4b6ff3_m.jpg&quot;&gt;&lt;img class=&quot;alignright size-medium wp-image-10800&quot; title=&quot;3415941754_fdef4b6ff3_m&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/3415941754_fdef4b6ff3_m.jpg&quot; alt=&quot;&quot; width=&quot;240&quot; height=&quot;138&quot; /&gt;&lt;/a&gt;Today in Boston is a special day. Yes it&amp;#8217;s raining, but today the yellow buses have started their engines. It&amp;#8217;s back to school time!&lt;/p&gt;
&lt;p&gt;I thought I might use this as a reminder to talk to your kids about computer security. We drill it regularly to our employees and readers, but honestly, kids need to be taught about this as well. First, talk to them about creating a strong password, one that can&amp;#8217;t be easily guessed. We blogged about the Top 20 you should never use here:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/gc/g/2010/01/22/top-20-website-passwords/&quot;&gt;http://www.sophos.com/blogs/gc/g/2010/01/22/top-20-website-passwords/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;We also blogged about how to choose a more secure password:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/gc/g/2010/02/03/choose-strong-password/&quot;&gt;http://www.sophos.com/blogs/gc/g/2010/02/03/choose-strong-password/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Second, of course make sure the machine is patched with the latest operating system patches, and that the security software is up to date. This can pre-empt a lot of problems right away. But something that gets overlooked is making sure your child&amp;#8217;s account doesn&amp;#8217;t have admin rights. This way you can control what they download and install. This also cuts down on the amount of spyware and malware issues you&amp;#8217;ll have on that machine, simply because much of the malware written needs &amp;#8220;escalated privileges&amp;#8221; (admin or poweruser rights) to be executed. Yes, your kids may whine and fuss because they can&amp;#8217;t install some program that is the latest &amp;#8220;GOTTA HAVE IT&amp;#8221;, but this gives you the opportunity to research and even test the program out to make sure it&amp;#8217;s appropriate for your kids.&lt;/p&gt;
&lt;p&gt;Another recommendation is to put the computer in a common area, such as the kitchen or the living room. You can monitor what your kids are seeing and doing, but it also means that you and your kids won&amp;#8217;t get sucked into hours online. It&amp;#8217;s hard to surf, chat, and game while you are around. This will also help with the above points of keeping the machine secure, since it&amp;#8217;s right there. Out of sight, out of mind, right?  This is really an important recommendation, given all that we are seeing on the social media sites:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/gc/g/2010/08/24/i-text-this-facebook-scam/&quot;&gt;http://www.sophos.com/blogs/gc/g/2010/08/24/i-text-this-facebook-scam/&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.sophos.com/blogs/gc/g/2010/08/23/stalk-site-exposes-danger-sharing-photos-online/&quot;&gt;http://www.sophos.com/blogs/gc/g/2010/08/23/stalk-site-exposes-danger-sharing-photos-online/&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=10716&quot;&gt;http://www.sophos.com/blogs/sophoslabs/?p=10716&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=8976&quot;&gt;http://www.sophos.com/blogs/sophoslabs/?p=8976&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=10001&quot;&gt;http://www.sophos.com/blogs/sophoslabs/?p=10001&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;That&amp;#8217;s just a small sampling of what we are seeing here every day in SophosLabs. So along with the new clothes, school supplies, and talks of safety, please include cyber-safety in the list of things to get ready for the new school year.&lt;/p&gt;
&lt;div&gt;&lt;em&gt;Creative Commons image of school bus courtesy of Zemlinki!&amp;#8217;s Flickr photostream&lt;/em&gt;&lt;/div&gt;</description>
	<pubDate>Wed, 25 Aug 2010 15:41:41 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Rustock Botnet Responsible for 40% of All Spam</title>
	<guid>http://www.allspammedup.com/?p=2951</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/ucN9N3yWFmQ/</link>
	<description>
&lt;p&gt;Security researchers say the massive Rustock botnet is currently responsible for 40% of the world’s spam volume. This is particularly impressive considering the number of infected computers under its control has dropped from 2.5 million to 1.3, probably as a result of increased detection by anti-virus software. Even with the reduction in size, it is still pumping out nearly 50 billion spam messages a day.&lt;/p&gt;
&lt;div id=&quot;attachment_2097&quot; class=&quot;wp-caption alignright&quot;&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG&quot;&gt;&lt;img class=&quot;size-full wp-image-2097&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/01/botnet.JPG&quot; alt=&quot;&quot; width=&quot;274&quot; height=&quot;200&quot; /&gt;&lt;/a&gt;&lt;p class=&quot;wp-caption-text&quot;&gt;Compromised computers spew spam.&lt;/p&gt;&lt;/div&gt;
&lt;p&gt;Most of that spam is pharmaceutical, hawking counterfeit prescription drugs offered by the infamous group of Canadian Pharmacy websites. The drugs, which are freely distributed without a prescription, are made in India and China and are not regulated or inspected in any way. The group behind the Canadian Pharmacy scams is said to be connected to the Russian Mafia.&lt;/p&gt;
&lt;p&gt;Rustock was thought to be using Transport Layer Security to encrypt its spam in an effort to make detection difficult but appears to have abandoned the practice, probably due to the effect it had on bandwidth and processing speed.&lt;/p&gt;
&lt;p&gt;The botnet has been thriving since its recovery from the McColo shutdown back in November 2008. When the cybercriminal-friendly ISP had its service terminated by its upstream providers, Rustock went dark, but the herders behind it acted quickly to switch its command and control servers to another host and began developing ways to keep it from depending on a single host, which has kept it from further shutdowns. Botnets are now programmed with a list of different domains and IPs to contact for instructions, so if one goes down, a new one can easily and quickly be found.&lt;/p&gt;
</description>
	<pubDate>Wed, 25 Aug 2010 14:54:04 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Russian cybercrime is organized / Russian cybercrime is not organized</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/25/russian-cybercrime-is-organized-russian-cybercrime-is-not-organized.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/25/russian-cybercrime-is-organized-russian-cybercrime-is-not-organized.aspx</link>
	<description>&lt;p&gt;I like to read other people’s stories when it comes to spam, and I like Box of Meat.&amp;#160; It’s always alerting me to interesting stories around the web that deal with cyber security.&amp;#160; But the more I read, the more I see conflicting views on the state of the criminal cybercrime world.&amp;#160; On the one hand, the Russian criminal cybercrime underworld is a scary, organized place where people are actively trying to do the rest of us harm.&amp;#160; On the other hand, there is the position that &lt;em&gt;that&lt;/em&gt; position is an exaggeration of what it is actually like and that it’s a bunch of ragtag folks who have some advanced computer skills but they are not formally organized.&amp;#160; They trade amongst each other for the highest prices and exchange goods and services like the open market but they are not colluding with each other.&amp;#160; I see this very similarly to how I see cyber warfare – on the one hand there are the hawks who believe national cyber threats are behind every corner, and on the other hand there are the doves (for lack of a better word) who claim there is no national cyber threat, it’s all about crime that has moved online.&lt;/p&gt;  &lt;p&gt;Consider excerpts from &lt;a href=&quot;http://www.nytimes.com/2010/08/24/business/global/24cyber.html?_r=4&amp;ref=technology&quot;&gt;this&lt;/a&gt; article from the New York Times:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;MOSCOW — On the Internet, he was known as BadB, a disembodied criminal flitting from one server to another selling stolen credit card numbers despite being pursued by the United States Secret Service.&amp;#160; And in real life, he was nearly as untouchable — because he lived in Russia. BadB’s real name is Vladislav A. Horohorin, according to a statement released last week by the United States Justice Department, and he was a resident of Moscow before his arrest by the police in France during a trip to that country earlier this month. 
&lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;&lt;strong&gt;The seizing of BadB provides a lens onto the shadowy world&lt;/strong&gt; &lt;strong&gt;of Russian hackers, the often well-educated and sometimes darkly ingenious programmers who pose a recognized security threat to online commerce — besides being global spam nuisances — who often seem to operate with relative impunity.&lt;/strong&gt; &lt;/p&gt;    &lt;p&gt;Law enforcement groups in Russia have been reluctant to pursue these talented authors of Internet fraud, for reasons, security experts say, of incompetence, corruption or national pride. In this environment, &lt;strong&gt;BadB’s network arose as “one of the most sophisticated organizations of online financial criminals in the world,” according to a statement issued by Michael P. Merritt, the assistant director of investigations for the Secret Service, which pursues counterfeiting and some electronic financial fraud. &lt;/strong&gt;&lt;/p&gt;    &lt;p&gt;…     &lt;br /&gt;      &lt;br /&gt;According to the Secret Service statement, Mr. Horohorin managed Web sites for hackers who were able to steal large numbers of credit card numbers that were sold online anonymously around the globe. Those buyers would do the more dangerous work of running up fraudulent bills. The numbers were exchanged on Web sites called CarderPlanet carder.su and badb.biz — according to the Secret Service, and payment was made indirectly through accounts at a Russian online settlement system known as Webmoney, an analogue to PayPal. &lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;&lt;strong&gt;Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals’ expertise or for allowing their networks of virus-infected computers to be used for political purposes — to crash dissident Web sites, perhaps. 
&lt;/strong&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Reading this article, you would come away with the impression that these guys are very good at what they do – they have extensive computer hacking and social engineering skills, are well educated, not to mention being good at money laundering (or being affiliated with people who are good at it).&amp;#160; We see terms such as ‘sophisticated’ being used to describe these people.&amp;#160; They are a definitive threat and the odds of actually arresting them are small; when they are arrested it is seen as the exception and not the norm.&amp;#160; In any case, they are not a ragtag bunch of people but instead are well organized and intentional about their behavior.&lt;/p&gt;  &lt;p&gt;Worse yet, there are possible collusions between themselves and national intelligence agencies.&amp;#160; This makes the general public even more concerned because the not-so-subtle implication is that not only do these people have extensive hacking skills, they could potentially use this to cripple national infrastructure if a hostile government, directed by an intelligence agency, instructed them to do so.&amp;#160; The general public isn’t entirely clear on what spy agencies do anyway, but in our cultures we are ingrained with the belief that they do some nasty stuff.&amp;#160; Just imagine what they could do with a small army of hackers.&lt;/p&gt;  &lt;p&gt;However, contrast that article with excerpts from &lt;a href=&quot;http://www.eweek.com/c/a/Security/Inside-the-Russian-CyberUnderground-517933/&quot;&gt;this&lt;/a&gt; one in eWeek:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;When people think of cyber-crime, the typical image being pushed today is that of highly organized criminal operations. 
New research, however, suggests the underbelly of cyber-space may be less mafia-like than some think.&amp;#160; In an effort to improve the level of understanding of today's black hats, security researchers Fyodor Yarochkin and &amp;quot;The Grugq&amp;quot; have spent several months looking at Russian hacker forums.&lt;/p&gt;    &lt;p&gt;&amp;quot;It is an ongoing project that we started about 18 months ago,&amp;quot; Grugq told eWEEK. &amp;quot;Originally it started when Fyodor investigated some service offerings from Russian hacker forums for a specific project that I was working on. It turned out to be extremely interesting and amusing, so we discussed doing more long-term monitoring on the forums. It grew from there into what is now a continuous monitoring program.&amp;quot;&lt;/p&gt;    &lt;p&gt;Their research was presented last month at the Hack in the Box 2010 conference in Amsterdam. &lt;strong&gt;What the two found was that the image of a highly organized cyber-underworld run by hardcore criminals is not the order of the day. Instead, the dozen or so hacker forums they analyzed illustrated that many of the users are &amp;quot;geeks, not gangsters,&amp;quot; the researchers said.&lt;/strong&gt;&lt;/p&gt;    &lt;p&gt;&amp;quot;Basically, from what we've seen on the forums much of what goes on with the sales of services is much more petty criminal activity, or crimes of opportunity,&amp;quot; Grugq said. &amp;quot;Often poor students who like to hack for fun will sell access to a server they've owned. Many don't even realize that this is an illegal activity. This sale will be for $20 or $30, which is a lot of money for a poor student in Russia, but for a hardened criminal mastermind bent on destroying Western civilization—not so much.&amp;quot;&lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;&amp;quot;In terms of percentage, there'd be two to three guys working on stuff professionally, versus 10 to 20 hobbyists,&amp;quot; he continued&lt;strong&gt;. 
&amp;quot;Most of the activity is essentially petty criminal activity where guys are trying to make a little extra cash on the side.&lt;/strong&gt; You can think of it as a self-organizing hierarchical system with needs and people able to provide goods and services to satisfy the needs.&amp;quot;&lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;&amp;quot;From what we can guess,&amp;quot; Grugq said, &amp;quot;any [mob] involvement is more along the lines of some people at the very top of the stack have to pay off the real gangsters. ... So, for example, if you are organizing a massive credit card cash-out scam which nets millions of dollars, you'll have to pay protection money to the mob to not get robbed. It doesn't look like the mob itself is organizing these cash-outs though.&lt;/p&gt;    &lt;p&gt;&amp;quot;We're not disputing that organized crime is involved with cyber-crime, but the popular conception of leather jacketed thugs running around with firearms and laptops is not in line with what we have observed from the actual communities,&amp;quot; he said. 
&amp;quot;It seems like it is very useful for some companies to popularize the scary idea of Russian cyber-gangsters, but honestly the involvement seems to be much more hands off.&amp;quot;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;This is quite a bit different than the perspective offered by the first article.&amp;#160; Here, we still have perpetrators that are advanced hackers with strong computer skills.&amp;#160; However, they are not organized amongst each other and view their craft like a bunch of frat boys.&amp;#160; They boast amongst themselves.&amp;#160; They argue amongst themselves.&amp;#160; They don’t even seem to realize that what they are doing is illegal.&amp;#160; What makes the problem so widespread is that the cost of technology has dropped so much and Internet access has become so ubiquitous that they can do a lot of damage with limited human resources.&lt;/p&gt;  &lt;p&gt;A few weeks ago I wrote about how many hackers who get arrested are arrested because of their own hubris.&amp;#160; They do not have their egos in check and therefore end up leading a cyber paper trail straight to their lairs.&amp;#160; Their lack of life experience leads to carelessness, and when that occurs they get caught.&amp;#160; It is more of a bunch of individual actors doing stuff, trading stuff, trying to make some money.&amp;#160; This is hardly the portrait painted by the New York Times.&lt;/p&gt;  &lt;p&gt;So which portrait is correct?&lt;/p&gt;  &lt;p&gt;Well, to be sure, there are many hackers out there that are hobbyists, and they are the ones that get caught.&amp;#160; But it certainly &lt;em&gt;seems&lt;/em&gt; like there are plenty of organized criminal groups out there (such as &lt;a href=&quot;http://en.wikipedia.org/wiki/Avalanche_(phishing_group)&quot;&gt;Avalanche&lt;/a&gt;).&amp;#160; A conspiracy is often a “nice” way to explain all that’s wrong in the world, but most conspiracies rarely hold up to close examination (never attribute to malfeasance what 
you can simply attribute to incompetence).&amp;#160; &lt;/p&gt;  &lt;p&gt;My theory is that this is a variant of the &lt;a href=&quot;http://en.wikipedia.org/wiki/Pareto_principle&quot;&gt;Pareto principle&lt;/a&gt;.&amp;#160; The Pareto principle, also called the 80/20 rule, states that 80% of the effects are from 20% of the causes.&amp;#160; In a business, 80% of the revenue comes from 20% of the sales.&amp;#160; 80% of the systems crashes are caused by 20% of the bugs.&amp;#160; 80% of the movement on the stock market comes on 20% of the days (not sure if this one is true… it sure feels like it).&amp;#160; &lt;/p&gt;  &lt;p&gt;In the same way, 80% of the cybercrime is caused by 20% of the cyber criminals.&amp;#160; The other 80% of the cyber criminals do some damage and are not so difficult to back trace.&amp;#160; They are nuisances and commit online fraud but will always remain small potatoes.&amp;#160; By contrast the good ones, the 20%, are very good at what they do.&amp;#160; They are smaller and better and cause more damage, and get paid more.&amp;#160; The reason they get paid more is because they are more skilled and have the full repertoire – good computer skills &lt;em&gt;and&lt;/em&gt; good people management skills, that is, the ability to stay anonymous.&lt;/p&gt;  &lt;p&gt;People who are good at their craft usually make more money, and in order to stay alive in the criminal underworld (that is, without getting arrested), you need to be good.&amp;#160; Not everyone is good at what they do (like the players on my favorite football team which explains their current 2-6 record).&amp;#160; The ones who aren’t that good browse forums and chat openly about stuff.&amp;#160; They don’t make too much money.&amp;#160; The ones who are good are busy honing their craft, coming up with new ways to separate people from their money and they don’t browse forums.&amp;#160; They are spending their time getting better at what they do, not raising their 
profile.&lt;/p&gt;  &lt;p&gt;That’s why the second article paints a picture of a disorganized structure of hackers.&amp;#160; The hackers that they examined fall into the 80% that just aren’t the kingpins of the industry.&amp;#160; That’s why the first article paints a picture of doom and gloom: they are studying the elite group of hackers that are difficult to catch and more difficult still to profile.&lt;/p&gt;  &lt;p&gt;That’s my theory.&lt;/p&gt;</description>
	<pubDate>Wed, 25 Aug 2010 06:14:39 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: State AGs: Craigslist should drop adult services</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/25/state-ags-craiglist-should-drop-adult-services.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/25/state-ags-craiglist-should-drop-adult-services.aspx</link>
	<description>&lt;p&gt;I found this &lt;a href=&quot;http://finance.yahoo.com/news/State-AGs-Craigslist-should-apf-4176852049.html?x=0&amp;sec=topStories&amp;pos=8&amp;asset=&amp;ccode=&quot;&gt;story&lt;/a&gt; today on the Associated Press:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;HARTFORD, Conn. (AP) -- State attorneys general nationwide are demanding that Craigslist remove its adult services section because they say the website cannot adequately block potentially illegal ads.&lt;/p&gt;    &lt;p&gt;Connecticut Attorney General Richard Blumenthal announced Tuesday that he and colleagues in 16 states have sent a letter calling on the classified advertising site to get rid of its adult services category.&lt;/p&gt;    &lt;p&gt;The attorneys general say Craigslist is not completely screening out ads that promote prostitution and child trafficking. The site creators pledged in 2008 to improve their policing efforts.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Craigslist has acquired the problem that every other free service has – it’s free, it became popular, and now it is targeted by people who are using it in a way that was not intended.&amp;#160; In this case, Craigslist is a classified service that lets users come together.&amp;#160; The problem is that since it is online, it is much easier for people to abuse the service.&lt;/p&gt;  &lt;p&gt;In this case, policing ads is not easy to do.&amp;#160; I’m sure that Craigslist does a good amount of abuse mitigation (all reputable free services do) but the problem is one of scale.&amp;#160; For services like Hotmail and Gmail, they can implement algorithms to prevent bots from signing up with things like CAPTCHAs, IP address analysis and so forth.&amp;#160; Craigslist’s problem is that the abusers of their service are actual humans who have switched mediums from traditional print to electronic print.&amp;#160; Thus, stopping bots is not the issue being mitigated because it is not bots that are being 
abusive – it is humans.&amp;#160; It is kind of like the dopes who post really dumb messages in Youtube comments.&lt;/p&gt;  &lt;p&gt;Speaking of comments, one commenter wrote on that article “I think these Attorney Generals have too much time on their hands...”&amp;#160; It looks like they are saying that adult services are fine and Attorney Generals should focus on actual crimes.&amp;#160; Human trafficking &lt;em&gt;is&lt;/em&gt; a crime and these are crimes that they have to investigate.&amp;#160; On the flip side, Craigslist needs to figure out whether or not it is worth the headache to continue to provide these services vs dealing with the wrath of government.&amp;#160; Services like Paypal have to deal with credit card fraud and abuse and for them, it is worth it to continue to use them because it’s required in order to have people pay for stuff.&amp;#160; Anti-abuse is expensive but worth it (you can bet that if fraud was rampant, the government would be heavily pressuring Paypal).&lt;/p&gt;  &lt;p&gt;Craigslist, by contrast, is not the profit-making enterprise that Paypal is.&amp;#160; To be sure, Craigslist is profitable but the creator of it was never in it for the money.&amp;#160; The cost/benefit ratio of continuing to do this sort of thing vs just saying it isn’t worth the hassle is a calculation every free service has to make.&amp;#160; Several URL shortening services have done the same.&lt;/p&gt;</description>
	<pubDate>Wed, 25 Aug 2010 05:12:03 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: new pats posted - 20100824 (maintenance pats release)</title>
	<guid>http://enemieslist.com/news/archives/2010/08/new_pats_posted_607.html</guid>
	<link>http://enemieslist.com/news/archives/2010/08/new_pats_posted_607.html</link>
	<description>&lt;p&gt;63859 patterns, 11587 right anchor strings, 233997 test IPs.&lt;/p&gt;

&lt;p&gt;Some more contribs and updates from a new feed, and a few from a new&lt;br /&gt;
data set. Lots of new hp.com, qwest.net, and verizon-gni.net patterns.&lt;/p&gt;

&lt;p&gt;Download them here:&lt;/p&gt;

&lt;p&gt; sendmail:&lt;br /&gt;
 http://enemieslist.com/downloads/sendmail_access_db&lt;br /&gt;
 http://enemieslist.com/downloads/rightanchors&lt;/p&gt;

&lt;p&gt; postfix:&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table-20100824&lt;/p&gt;

&lt;p&gt; exim:&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts-20100824&lt;br /&gt;
&lt;/p&gt;</description>
	<pubDate>Tue, 24 Aug 2010 21:41:08 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: The curious case of the Facebook Dislike button</title>
	<guid>http://www.allspammedup.com/?p=2913</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/hdwzyCa6Lx0/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/faceMod-300.jpg&quot;&gt;&lt;img class=&quot;alignright size-full wp-image-2933&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/faceMod-300.jpg&quot; alt=&quot;&quot; width=&quot;300&quot; height=&quot;99&quot; /&gt;&lt;/a&gt;In newspaper circles, when a correction to a story has to be written, a rule of thumb used by many organizations is to omit the original mistake from the correction. That&amp;#8217;s not to eschew embarrassment, although it often works out that way, but to avoid printing the incorrect information twice. Bad information, you see, has a way of sticking to little gray cells when it&amp;#8217;s the first to arrive in the information marketplace. Repeating it, even in a correction debunking it, tends to add to its stickiness.&lt;/p&gt;
&lt;p&gt;That seems to be the case with the recent hullabaloo over the &amp;#8220;dislike&amp;#8221; button in Facebook.&lt;/p&gt;
&lt;p&gt;Members of the vast Facebook social network have the ability to click a button when they &amp;#8220;like&amp;#8221; a posting they see in their news feeds, but unlike other websites that solicit mob opinion on their content, Facebookers can&amp;#8217;t show their displeasure with what they see on the network. That omission has vexed more than a few of the Facebook faithful, including columnist Dan Tynan.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;          &amp;#8220;Like many people of an inherently cynical nature, the fact Facebook only allows you to express your &amp;#8216;Like&amp;#8217; on various topics, posts, and advertisements irks me,&amp;#8221; he wrote. &amp;#8220;I know I&amp;#8217;m not alone, and so do Facebook scammers, which is why the latest viral &amp;#8216;Dislike button&amp;#8217; scam has spread so quickly.&amp;#8221;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;As with many popular scams on Facebook, it begins when a member sees a message with an enticing pitch. In this instance, it was &amp;#8220;I just got the Dislike button, so now I can dislike all of your dumb posts lol!!&amp;#8221; or &amp;#8220;Get the official DISLIKE button NOW!&amp;#8221; Included with the message is a shortened URL, so victims don&amp;#8217;t know where they&amp;#8217;re going when they click on it.&lt;/p&gt;
&lt;p&gt;Clicking on the short URL in the Dislike message displays a screen for installing the Dislike Button. When members attempt to install the feature, they&amp;#8217;re asked to give their permission to allow the app to access their basic information, post to their &amp;#8220;walls&amp;#8221; and access their data at any time, which pretty much opens the door to the chicken coop for the foxy spammers.&lt;/p&gt;
&lt;p&gt;Once they have access to your Facebook information, the spammers use the member&amp;#8217;s information to promote&amp;#8211;under the member&amp;#8217;s name&amp;#8211;the Dislike Button to all the member&amp;#8217;s friends.&lt;/p&gt;
&lt;p&gt;Meanwhile, the member still doesn&amp;#8217;t have a Dislike Button. Before he or she gets the button, they must fill out a survey, which makes the scammers some cash. After finishing the survey, the member is sent to a website where they can install a browser add-on called Dislike Button. The app began as a Firefox add-on, but now it can be downloaded as an executable file that will work with Chrome, Internet Explorer and Opera. Support for Apple&amp;#8217;s Safari browser is in the works.&lt;/p&gt;
&lt;p&gt;What got lost in all the hubbub about the scam, though, was the fact that the Dislike Button is a legitimate add-on. Its makers, FaceMod, were being victimized by the scammers as much as, if not more than, Facebookers clicking on the URL in the fraudster&amp;#8217;s pitch message. Unfortunately, the maker&amp;#8217;s message was lost in the digital din that erupted when the scam was revealed by a malware-fighting firm.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;          &amp;#8220;Recently, the Dislike Button has been mentioned in several articles, blogs and tweets, in conjunction with a scam, which silently sends the link to users’ Facebook friends, and requires the user to then take an online survey, which makes money for the scammers,&amp;#8221; FaceMod wrote on its website. &amp;#8220;Due to the high demand for the Dislike Button,&amp;#8221; it continued, &amp;#8220;unaffiliated people and/or groups are attempting to monetize FaceMod’s products by re-directing to online surveys. FaceMod does not require a user to fill out a survey, is not affiliated with this Scam and urges users to avoid unofficial posts.&amp;#8221;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;For the sake of clarity, FaceMod&amp;#8217;s add-on only works with other Facebook members who have installed the app in their browsers. In other words, if you click &amp;#8220;dislike&amp;#8221; and the person who posted the item you disapprove of doesn&amp;#8217;t have FaceMod&amp;#8217;s software installed in their browser, they won&amp;#8217;t see your thumbs down.&lt;/p&gt;
&lt;p&gt;Initially, FaceMod sent a message to a person when a user of its app gave the thumbs down to an item, but it removed that feature&amp;#8211;although the company&amp;#8217;s website still says it&amp;#8217;s there&amp;#8211;after receiving complaints from people who received what could be interpreted as spam messages announcing they&amp;#8217;d been &amp;#8220;disliked.&amp;#8221;&lt;/p&gt;
</description>
	<pubDate>Tue, 24 Aug 2010 14:03:02 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): You’re Not That Well Financed, Are You?</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10780</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10780</link>
	<description>&lt;p&gt;Every once in a while, I get the odd spam message that really makes me want to laugh.&lt;/p&gt;
&lt;p&gt;Take this one for instance. The spam message says that if I ever want to get a home loan, just feel free to drop an enquiry into the form on the weblink provided and my financial woes are over.&lt;/p&gt;
&lt;p&gt;Of course, following the weblink brings me to the following website:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/homeloa2.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-10781&quot; title=&quot;Home Loan&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/homeloa2.png&quot; alt=&quot;&quot; width=&quot;390&quot; height=&quot;297&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Ok, so far I&amp;#8217;m not that impressed. For a finance company that purports to want to lend me money, that website looks a little skimpy. Out of curiosity, I decided to do some browsing around and go to the main webpage where I was greeted with:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/homeloan.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-10783&quot; title=&quot;Home Loan Under Construction&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/homeloan.png&quot; alt=&quot;&quot; width=&quot;429&quot; height=&quot;290&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I know the worldwide financial markets are still not in the best of health but really, do you seriously expect me to borrow money from you when you look like you can&amp;#8217;t even afford a web administrator, much less a website designer? :)&lt;/p&gt;
&lt;p&gt;Well, I&amp;#8217;ve got more pressing matters to attend to now. Apparently, according to the 2 latest emails I&amp;#8217;ve just received, I&amp;#8217;m supposed to be both 12 weeks and 33 weeks pregnant at the same time. I wonder what my wife is going to say?&lt;/p&gt;</description>
	<pubDate>Tue, 24 Aug 2010 06:31:08 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: UK University Service Infuriates Students With Spam</title>
	<guid>http://www.allspammedup.com/?p=2926</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/o8jOF3cUTr4/</link>
	<description>
&lt;p&gt;&lt;img class=&quot;alignright size-medium wp-image-2927&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/article-1304429-0AD99FA2000005DC-16_468x361-400x308.jpg&quot; alt=&quot;&quot; width=&quot;251&quot; height=&quot;194&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Thousands of UK students are furious with the country’s Universities and Colleges Admission Service after receiving an email from them with the subject line “You’ve Been Accepted”. The message, which led students to believe it was an acceptance notice from a university, was actually a spam message advertising discounted HP laptops. This infuriated students, as this is the time of year when they are awaiting their A-level results and scrambling to apply to the limited number of university openings available. In the UK there are more qualified students than there are spots at the most sought-after universities. Many students feel that the spam message was not only misleading, but cruel and in poor taste. The UCAS, red-faced, quickly offered an apology.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;A UCAS spokesman said: “We understand and apologise for the confusion this has caused to some applicants, and we are looking at reviewing our quality filters to avoid this type of situation in future.”&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;It’s not known who approved the message or its deceptive subject line. HP has declined to comment on the matter. This story illustrates how important it is to use care in sending newsletters and other bulk mailings to the customers on your mailing list. A deceptive subject line, even if it wasn’t intended to be, can cause a real public relations headache for your company, and thanks to social networking services like Facebook, your unhappy customers can make themselves heard in a hurry! Avoid wordplay and other attempts to be cute and keep your subject lines and messages simple and straightforward. The old saying, “Keep it simple, stupid!” really is the best policy.&lt;/p&gt;
</description>
	<pubDate>Mon, 23 Aug 2010 12:50:45 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Cracking ReCAPTCHA</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/23/cracking-recaptcha.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/23/cracking-recaptcha.aspx</link>
	<description>&lt;p&gt;I was browsing Dark Reading today and came across an &lt;a href=&quot;http://darkreading.com/authentication/security/vulnerabilities/showArticle.jhtml?articleID=226700514&quot;&gt;article&lt;/a&gt; they published 4 days ago.&amp;#160; A researcher has broken reCAPTCHA, which is a CAPTCHA software tool that many websites use to tell the difference between a human and a computer.&amp;#160; It is designed to prevent automated programs from creating mass accounts which, in most cases, is intended to abuse a particular service.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;A researcher earlier this month demonstrated how he solved Google's reCAPTCHA program even after recent improvements made to the anti-bot and anti-spam tool by the search engine giant. &lt;/p&gt;    &lt;p&gt;Chad Houck, an independent researcher, also released the algorithms he wrote to crack reCAPTCHA. Houck had published a white paper on the hack prior to presenting his research at Defcon in Las Vegas, and says that Google made several fixes to reCAPTCHA that defeated several of his algorithms before he was scheduled to give his presentation. He then quickly came up with a few additional approaches with his algorithms, and says he was able to beat the updated reCAPTCHA 30 percent of the time. &lt;/p&gt;    &lt;p&gt;&amp;quot;[ReCAPTCHA] has never been wholly secure. There are always ways to crack it,&amp;quot; says Houck, whose algorithms have been available online since Defcon. &amp;quot;The information [about the research] is out there. Google still hasn't changed it, which kind of surprises me.&amp;quot;&amp;#160; Google, however, thus far has not seen any signs of this being actively used in the wild. 
&lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;ReCAPTCHA, which was originally created by Carnegie Mellon University and later purchased by Google, basically protects websites from bots and spam by generating distorted text or words that humans can read, but software or optical character readers cannot. The words used by the reCAPTCHA program come from books that are being digitized. The program, which runs on many major websites as a way to validate that the user on the site is a human and not an automated bot or spammer, presents the user with two real words to type into a box, one of which is for verification and the other for digitization purposes. &lt;/p&gt;    &lt;p&gt;…     &lt;br /&gt;      &lt;br /&gt;Just how difficult would it be for a bad guy to exploit this? &amp;quot;As long as you know how to program well enough, it would take a day to implement my algorithms,&amp;quot; he says. &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;I would say that this somewhat qualifies as news.&amp;#160; On the one hand, reCAPTCHA nicely dovetails with Google’s mission to digitize all of the world’s books (that the publishers will let them).&amp;#160; While people are busy solving these CAPTCHAs, at the same time they are putting books into digital format which assists in their redistribution.&amp;#160; In essence, Google is killing two birds with one stone – they are preventing abuse of their systems, and at the same time capturing information in preparation for its dispersal to everyone else (or as one Objectivist put it, the only resource that requires redistribution is knowledge).&amp;#160; &lt;/p&gt;  &lt;p&gt;ReCAPTCHA has become very popular and a lot of sites use it because it is free and it is (was) secure.&amp;#160; However, on the flip side, the fact that a CAPTCHA is broken doesn’t really qualify as news.&amp;#160; We have known for years that CAPTCHAs are broken and this has been accomplished by a couple of different methods:   &lt;br /&gt;&lt;/p&gt;  &lt;ol&gt;   
&lt;li&gt;Spammers (or malware authors) hire people offshore in countries in the developing world and pay them to create accounts.&amp;#160; In essence, they (the spammers) are still absorbing a cost but they have circumvented the problem of deciphering text that is unreadable by ensuring that the cost/benefit ratio is still in their favor.&amp;#160; The clock is ticking on this mechanism, though.&amp;#160; As more and more countries are lifted up out of poverty, the industrial wages there will go up.&amp;#160; Eventually it will not be cost effective for spammers to outsource labor in this fashion.      &lt;br /&gt;      &lt;br /&gt;Of course, it will be decades before that finally happens, so while the clock is ticking, it’s a very long clock.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;Software already exists that breaks CAPTCHAs.&amp;#160; This is kind of the point of my post.&amp;#160; These types of security measures have had pseudo-effectiveness.&amp;#160; There are lots and lots of abusive accounts being created on Hotmail, Yahoo, Gmail and abusive content hosted on Windows Live Spaces, Sky Drive, Yahoo Groups and Google Blogspot.&amp;#160; All of these services are free to sign up with and all of them are protected by CAPTCHAs.&amp;#160; However, we continue to see lots of spam, malware, and other sundry subterfuge being used for these services.&amp;#160; Working backwards, it doesn’t take a genius to figure out that the spammers have figured out a way to break the CAPTCHAs used to protect those sites.     
&lt;br /&gt;      &lt;br /&gt;To be sure, all of these services periodically go back and update the algorithms for these things and the spammers are defeated for a while.&amp;#160;&amp;#160; However, the spammers react, tweak their own software and eventually they can go back to breaking the algorithms used to stop them from abusing the service.&amp;#160; Now, when I say ‘break’, I mean that they are successful &lt;em&gt;maybe&lt;/em&gt; 10% of the time.&amp;#160; However, if something is successful 10% of the time and you can do it over and over, it basically means that you have succeeded in breaking the protection.&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;So, I take issue that this is news in the sense that it is “new”, or that we haven’t seen this before.&amp;#160; What makes this newsworthy is that a service that was supposed to serve the dual purpose of implementing security + saving the world might not be able to serve a dual role after all.&lt;/p&gt;</description>
	<pubDate>Mon, 23 Aug 2010 05:59:46 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Reasons not to like Aeroplan</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/21/reasons-not-to-like-aeroplan.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/21/reasons-not-to-like-aeroplan.aspx</link>
	<description>&lt;p&gt;A long, long time ago, while I was still living in Canada, I signed up for a credit card that gave me Aeroplan points.&amp;nbsp; Those are kind of like air miles except that you have to redeem your points for miles, rather than accruing miles directly.&amp;nbsp; You don&amp;rsquo;t just need to use your points for travel, though.&amp;nbsp; You can get stuff like iPods and printers and routers (oh, my!).&amp;nbsp; The drawback is that it takes thousands and thousands of points to go anywhere.&amp;nbsp; To go from Seattle to Winnipeg, it takes 25,000 points.&amp;nbsp; Since a flight there (in US dollars) is currently $550 in October, this works out to 1 point = $45.&amp;nbsp; For a normal air miles card it is usually 1 air mile for every $20 spent.&amp;nbsp; This means that my Aeroplan card is approximately twice as expensive as my dad&amp;rsquo;s air miles card.&amp;nbsp; It&amp;rsquo;s kind of a ripoff.&amp;nbsp; Yet at the time, it was all I had.&lt;/p&gt;
&lt;p&gt;The reason I still have it is that I accrued a lot of miles while I was living in Canada.&amp;nbsp; Yet I don&amp;rsquo;t use it anymore now that I am living in the United States because it doesn&amp;rsquo;t make good financial sense to always have to do the exchange rate conversion of US dollars into Canadian dollars (Visa will not switch it to a US dollars account).&amp;nbsp; So, I had a card I didn&amp;rsquo;t really use but had many thousands of aero-points on, almost enough for a trip to New Zealand (but not back).&amp;nbsp; But the plan was to use them at a strategic time.&lt;/p&gt;
&lt;p&gt;Well, this past year American Express offered me a gold card that also offered points for every purchase, 1 point for every $1 purchase.&amp;nbsp; I never really understood why the Amex gold card was such a great deal. They explained all of the benefits &amp;ndash; anti-fraud protection, an annual fee of $35, a high interest rate, 24/7 emergency assistance, and rewards.&amp;nbsp; In other words, it&amp;rsquo;s like just about every other card out there.&amp;nbsp; It&amp;rsquo;s really not that great a card at all from what I can see, other than the ability to earn points.&amp;nbsp; I wouldn&amp;rsquo;t have considered it except for two things:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;As a Canadian living in the United States, I did not exist at all to all American credit bureaus (credit card companies, banks, car insurance) before September 2007.&amp;nbsp; This makes it difficult for me to get a credit card, and therefore, build credit.&amp;nbsp; When I saw that I was pre-approved, I decided it was worthwhile going for it.&amp;nbsp;       &lt;/li&gt;
&lt;li&gt;The rewards program made it possible to link my purchases to my existing Aeroplan on my other credit card.&amp;nbsp; This meant that I could make purchases in US funds and have the air travel points applied to my existing account so I wouldn&amp;rsquo;t have to start from scratch.&amp;nbsp; I was pre-approved and so the glide path to card acquisition was smooth.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Because of these two offers, I decided to acquire the card.&amp;nbsp; If I am going to be paying for stuff, I may as well get air travel points.&amp;nbsp; Some people prefer cash back, I prefer air travel points because I like to travel.&lt;/p&gt;
&lt;p&gt;The whole problem starts when I start looking to redeem my Aeroplan points.&amp;nbsp; I don&amp;rsquo;t fault Amex at all, they are doing a fine job (other than the fact that their card is not better than most other cards out there).&amp;nbsp; Aeroplan is proving exceedingly frustrating to use.&amp;nbsp; It&amp;rsquo;s virtually impossible to travel with them.&amp;nbsp; For one thing, I can only travel on Air Canada.&amp;nbsp; This was not a problem while I was living in Canada (in fact, it was a requirement), but now that I live in the US, it&amp;rsquo;s kind of inconvenient.&amp;nbsp; I could drive up from Seattle to Vancouver and fly out of there&amp;hellip; or I could just fly out of Seattle.&lt;/p&gt;
&lt;p&gt;The real problem, though, is all of the fricking black out dates.&amp;nbsp; I can&amp;rsquo;t travel around Christmas, Thanksgiving (Canadian or American), Labour Day (yeah, that&amp;rsquo;s right, I spelled it with a &amp;lsquo;u&amp;rsquo;), or even Sundays!&amp;nbsp; In other words, they make it as inconvenient as humanly possible when handing out their &amp;ldquo;reward&amp;rdquo; flights.&amp;nbsp; I&amp;rsquo;d like to fly over a weekend since I only have limited time off.&amp;nbsp; I want to fly back on a Sunday.&amp;nbsp; Not with Aeroplan!&lt;/p&gt;
&lt;p&gt;But if that weren&amp;rsquo;t enough, I &lt;i&gt;may&lt;/i&gt; have been able to handle that.&amp;nbsp; The last straw was their password policy.&amp;nbsp; I regularly forget my password to sites I infrequently log in to (insurance, credit card, etc).&amp;nbsp; Aeroplan is no different.&amp;nbsp; I don&amp;rsquo;t log in to that because I never travel anywhere.&amp;nbsp; And if you think about it, once I used up all of my points, it takes forever to rebuild them and so there is no point (pardon the pun) in logging in frequently.&amp;nbsp; It&amp;rsquo;s like watching paint dry.&amp;nbsp; I can&amp;rsquo;t buy anything anyhow so why bother logging in frequently.&amp;nbsp; Heck, does anyone log in to their site frequently?&lt;/p&gt;
&lt;p&gt;Because I don&amp;rsquo;t log in regularly, I forget my password all the time.&amp;nbsp; I also don&amp;rsquo;t save it in my browser.&amp;nbsp; So almost every time I visit the site, I have to reset my password.&amp;nbsp; This is annoying, but it&amp;rsquo;s my own fault.&amp;nbsp; But what isn&amp;rsquo;t my fault is aeroplan.com&amp;rsquo;s lame password policy.&amp;nbsp; I tried to make a decently secure password, but couldn&amp;rsquo;t.&amp;nbsp; I was not permitted to use non-standard characters like !, @, #, $, % or &amp;amp;.&amp;nbsp; What the heck?&amp;nbsp; I like tossing in those characters in order to make my password secure!&amp;nbsp; Obviously, the reason they do that is to prevent SQL injection attacks that make use of those special characters.&amp;nbsp; They&amp;rsquo;ve decided to compromise customer security for the tradeoff of not doing input sanitation to prevent those types of attacks.&lt;/p&gt;
&lt;p&gt;But not only that, not only can those special characters not be used, passwords are restricted to 12 characters or less.&amp;nbsp; I tried to enter in a 15 character password, one I could easily remember (seriously).&amp;nbsp; But instead, Aeroplan kept saying that there was some sort of error.&amp;nbsp; They couldn&amp;rsquo;t be bothered to tell me &lt;i&gt;what &lt;/i&gt;error, only that there was &lt;i&gt;some&lt;/i&gt; error.&amp;nbsp; I tried to re-enter my password again and again but they wouldn&amp;rsquo;t hear of it.&amp;nbsp; I then thought to myself that if their password policy is weak, then maybe they are restricting on the character size.&amp;nbsp; I entered in an 11 character password, and what do you know?&amp;nbsp; It worked!&amp;nbsp; I wasn&amp;rsquo;t happy that it worked, I did the smiley face where I was experiencing mixed emotions:&lt;/p&gt;
&lt;p&gt;:\&lt;/p&gt;
&lt;p&gt;Quite frankly, if you allow a web login you should permit users to enter in passwords of any length they wish (or maybe restrict at 32 instead of 12 or whatever they were doing) and allow special characters to be used.&amp;nbsp; They should validate the input to ensure that SQL injections or cross-site scripting cannot occur but when it comes to passwords, an attacker can guess it if all you do is allow lower case.&amp;nbsp; Perhaps most users do use all lower case, but you shouldn&amp;rsquo;t be &lt;i&gt;requiring &lt;/i&gt;it.&amp;nbsp; Sheesh.&lt;/p&gt;
&lt;p&gt;So as you can see, I am not happy with Aeroplan.&amp;nbsp; A poor customer experience, tossed in with poor security practices, does not a happy security guy make.&amp;nbsp; If you want an example of a good customer experience, check out Mint.&amp;nbsp; That one is very good, kind of the opposite of Aeroplan.&lt;/p&gt;</description>
	<pubDate>Sun, 22 Aug 2010 04:05:00 +0000</pubDate>
</item>
<item>
	<title>MillerSmiles Phishing News: Weekly analysis - 14th August 2010 to 21st August 2010</title>
	<guid>http://news.millersmiles.co.uk/article/00104</guid>
	<link>http://news.millersmiles.co.uk/article/00104</link>
	<description>MillerSmiles provides its weekly phishing analysis for the week of 14th August 2010 to 21st August 2010</description>
	<pubDate>Sat, 21 Aug 2010 12:00:00 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Spampaign Analysis</title>
	<guid>http://spamwars.com/archives/2010/08/spampaign_analy.html</guid>
	<link>http://spamwars.com/archives/2010/08/spampaign_analy.html</link>
	<description>&lt;p&gt;The activities of one particular spammer have caught my eye, and I've been monitoring the activity directed my way over the past few months. I don't know the identity of the spammer &amp;mdash; the one responsible for putting the spam into inboxes &amp;mdash; but all of the spamvertised domains are registered (privacy locked, of course) through Dynamic Dolphin, for many years one of Scott Richter's alleged homes.&lt;/p&gt;

&lt;p&gt;What brought these messages to my attention is that the subject matter isn't the typical medz, knockoff goods, or other items pitched by the bulk of the world's spam. Look at these selected Subject/From combinations:&lt;/p&gt;

&lt;blockquote&gt;
&lt;table cellpadding=&quot;10&quot; border=&quot;0&quot;&gt;
&lt;tr&gt;&lt;th&gt;Subject&lt;/th&gt;&lt;th&gt;From&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Residential House Painters&lt;/td&gt;&lt;td&gt;Painting&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Become a CNA&lt;/td&gt;&lt;td&gt;Certified Nursing Assistant Training&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Train to become a photographer&lt;/td&gt;&lt;td&gt;Photography School&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;No repair will go unfixed with a handyman&lt;/td&gt;&lt;td&gt;Handyman&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Renovate your old bathroom&lt;/td&gt;&lt;td&gt;Bathroom Remodeling&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Healthy careers inside&lt;/td&gt;&lt;td&gt;Best Medical Billing Training&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Hire an expert to repair your roof today.&lt;/td&gt;&lt;td&gt;Roof Repair&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Take a seat and sneak a peek at Private Jets.&lt;/td&gt;&lt;td&gt;Private Jet&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Save on Contact Lenses and Supplies&lt;/td&gt;&lt;td&gt;Contact Lenses&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Lasik Eye Surgery&lt;/td&gt;&lt;td&gt;Lasik&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Government grant money is available&lt;/td&gt;&lt;td&gt;Government Grants&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Record it all on a spy camera&lt;/td&gt;&lt;td&gt;Security Cameras&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Discount air conditioners - energy efficient&lt;/td&gt;&lt;td&gt;Air Conditioners&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Discount dog supplies online&lt;/td&gt;&lt;td&gt;Dog Supplies&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Auto-Answering Service&lt;/td&gt;&lt;td&gt;Answering Service&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Dont waste time cleaning. Hire a maid service.&lt;/td&gt;&lt;td&gt;Housekeeping Service&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Easily save for retirement&lt;/td&gt;&lt;td&gt;401K Plans&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Find local personal injury lawyers.&lt;/td&gt;&lt;td&gt;Personal Injury Lawyer&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/blockquote&gt;

&lt;p&gt;What struck me as being so odd is that many of these messages appeared to have a local appeal. I mean, a global spam campaign by a handyman service just doesn't seem right.&lt;/p&gt;

&lt;p&gt;I'll come back to this in a minute, but first, more about the message content.&lt;/p&gt;

&lt;p&gt;Over the past four months, the message body designs have changed. They started out with a simple format like this:&lt;/p&gt;

&lt;blockquote&gt;
&lt;img src=&quot;http://spamwars.com/image/dispatch08_20_10a.jpg&quot; alt=&quot;First generation spam message layout&quot; /&gt;
&lt;/blockquote&gt;

&lt;p&gt;More recently they've been using a couple table-oriented layouts. One doesn't use images:&lt;/p&gt;

&lt;blockquote&gt;
&lt;img src=&quot;http://spamwars.com/image/dispatch08_20_10c.jpg&quot; alt=&quot;Second generation spam message layout without images&quot; /&gt;
&lt;/blockquote&gt;

&lt;p&gt;The other employs images in a variety of table cell proportions. Here's one (without downloading the images, as I'll explain in a moment):&lt;/p&gt;

&lt;blockquote&gt;
&lt;img src=&quot;http://spamwars.com/image/dispatch08_20_10b.jpg&quot; alt=&quot;Second generation spam message layout with image placeholders&quot; /&gt;
&lt;/blockquote&gt;

&lt;p&gt;The reason I don't show you all of the images is that each downloadable image URL (and link) is encoded with three identifying numbers. My assumption about these numbers is that they identify the actual advertiser account, campaign, and the recipient email address (the long number). I have my email client set to not download any remotely-accessed content without my approval, so this was one way to prevent my address from being confirmed to the spammer.&lt;/p&gt;

&lt;p&gt;I did, however, find a workaround to conceal my address code, and here is an example of one of the image-based email bodies:&lt;/p&gt;

&lt;blockquote&gt;
&lt;img src=&quot;http://spamwars.com/image/dispatch08_20_10e.jpg&quot; alt=&quot;Second generation spam message layout with images&quot; /&gt;
&lt;/blockquote&gt;

&lt;p&gt;Notice that there is no identification of the entity offering the training being advertised. The same was true of the image-less ads. The From: email addresses were at the (gibberish) domains hosting the images and receiving the click-throughs.&lt;/p&gt;

&lt;p&gt;What about CAN-SPAM, you ask? At the very bottom of every message is a link and purported mailing address to be removed from the mailing list. Here is what one of them looks like:&lt;/p&gt;

&lt;blockquote&gt;
&lt;img src=&quot;http://spamwars.com/image/dispatch08_20_10d.jpg&quot; alt=&quot;Removal notice&quot; /&gt;
&lt;/blockquote&gt;

&lt;p&gt;I say &quot;one of them&quot; because across the span of these mailings, I've seen several addresses in at least five states. One of them lists a company name, TLE Inc. Good luck with that. The &quot;unsubscribe&quot; links lead to an unsub.cgi program, and the URL is coded with the campaign and addressee ID numbers. I wouldn't click on one of those links with a ten-foot mouse.&lt;/p&gt;

&lt;p&gt;Deeper inside the message is more stuff so typical of a spammer trying to beat the content filters by loading up the invisible body with tons of hash-busting text. The general format of the hash-busting text is similar throughout all of the mailings, but their sending routines substitute words here and there to prevent being identified by the same strings.&lt;/p&gt;

&lt;p&gt;All of the hash-busting text is embedded within a phony &amp;lt;style&amp;gt; tag (whose content doesn't render for the user to see). Here's a brief excerpt of stuff that's supposed to resemble style sheet specifications:&lt;/p&gt;

&lt;blockquote&gt;
table .foulmouthed{ background:#D3E4E5;&lt;br /&gt;
 border:1px solid gray;&lt;br /&gt;
 border-collapse:collapse;&lt;br /&gt;
 color:#fff;&lt;br /&gt;
 font:normal 12px verdana, arial, helvetica, sans-serif;&lt;br /&gt;
}&lt;br /&gt;
caption .comfits{ border:1px solid #5C443A;&lt;br /&gt;
 color:#5C443A;&lt;br /&gt;
 font-weight:bold;&lt;br /&gt;
 letter-spacing:20px;&lt;br /&gt;
 padding:6px 4px 8px 0px;&lt;br /&gt;
 text-align:center;&lt;br /&gt;
 text-transform:uppercase;&lt;br /&gt;
}&lt;br /&gt;
howls td, bathrobe th { color:#363636;&lt;br /&gt;
 padding:.4em;&lt;br /&gt;
}&lt;br /&gt;
argufy tr { border:1px dotted gray;&lt;br /&gt;
}
&lt;/blockquote&gt;

&lt;p&gt;But then there are further blocks, sometimes of random dictionary words bashed together:&lt;/p&gt;

&lt;blockquote&gt;
cacao/circulariserhydroxyproline/audit/crevice/bareknuckle/expressive/flutterboard/Decca/computerisation/flimsily/expurgator/apeldoorn/bondsman/concision/intraorganization-advocacy/idiotism-Crockford/clauses/bituminisingbummaree.carer/horizontalisationsacknowledgements/Koheleth/communalizes
&lt;/blockquote&gt;

&lt;p&gt;plus many dozens of lines of single words, separated by dozens more blank lines. A typical message is formatted to contain over 3000 lines (mostly empty) with a character count approaching 20,000. The actual visible content portion is a tiny fraction of that.&lt;/p&gt;

&lt;p&gt;By now, you must be wondering what's at the end of these links. By way of an email address identifier disguise, I found out for at least a couple (which I would wager is a sufficient sample size for this spammer).&lt;/p&gt;

&lt;p&gt;I chose the police training and copier sites. The police training link navigated me beyond the domain in the emails to an online division of a small university in Ohio. Although I had never heard of the university, the .edu domain had been alive since 1994. The copier link delivered me to a company's web site that has (possibly) been around since 1997. But it's not that simple, it turns out.&lt;/p&gt;

&lt;p&gt;Both sites lead the visitor through a multi-screen questionnaire that (in the sales biz terminology) qualifies the visitor for what kind of information they want to receive. In the case of the police training, the site actually advertises numerous curricula from which to choose. As you navigate through questionnaire screens, they want to know what your current education level is, your age, when you want to begin school, whether you're a U.S. citizen &amp;mdash; all the kinds of things that an enrollment office for an online university would ask. The same was true for the copier site, which wants to know how many copiers you're looking for, whether you do mostly color, b&amp;amp;w, or both, your copier volume, how fast a copier you need, and so on.&lt;/p&gt;

&lt;p&gt;Both sites have a quality feel to them. Although the designs are quite different, there is a similarity in how they report one's progress through the qualification stages (there is literally a progress bar). The copier site claims to have an A+ rating with the Better Business Bureau &amp;mdash; an online claim that is worthless after having been so horribly abused by spammers over the years.&lt;/p&gt;

&lt;p&gt;My takeaway from this lengthy series of campaigns is that an &quot;email marketing&quot; company (shudder) is either selling lead generation services to smaller organizations (including web site design), or it's gathering the leads on its own to rent out to other firms. In the process it is also gathering live email addresses through image retrievals and click-throughs (in fact, all clickable URLs have &quot;clickthru&quot; as part of the URLs). &lt;/p&gt;

&lt;p&gt;Heaven knows what kind of B.S. these guys sell the people who buy their services. I'm sure it's full of stuff like &quot;we email only to opt-in addresses&quot; and the like &amp;mdash; the same lies being peddled under the guise of email marketing for years and years. If they were so legitimate, they'd use one of the verified sender systems to guarantee delivery to those who want their messages and not load their messages with hash busters.&lt;/p&gt;

&lt;p&gt;Although I'd like to know the identity of the sender, enough of my curiosity has been satisfied that I can now block these guys and never be bothered by them again.&lt;/p&gt;</description>
	<pubDate>Fri, 20 Aug 2010 19:31:21 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): PerlBot: A reason to run anti-virus on Linux?</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10772</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10772</link>
	<description>&lt;p&gt;This morning I noticed that &lt;a href=&quot;http://isc.sans.edu/diary.html?storyid=9430&quot;&gt;SANS&lt;/a&gt; were talking about a Perl bot that has been reported on various Unix systems. I went looking for this file and noticed that a colleague had already updated the identity for Mal/PerlBot-A to detect it.&lt;br /&gt;
&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/terminal.jpg&quot;&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/scan.jpg&quot; alt=&quot;&quot; title=&quot;terminal&quot; width=&quot;500&quot; height=&quot;632&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;SophosLabs see large numbers of malware affecting Windows every day, and while malware affecting other operating systems is rarer, no operating system is immune (&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/v/post/750&quot;&gt;Linux&lt;/a&gt;, &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=4811&quot;&gt;Mac&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;SophosLabs recommends that all computer users use anti-virus, even those running *nixes.&lt;/p&gt;</description>
	<pubDate>Fri, 20 Aug 2010 13:38:50 +0000</pubDate>
</item>
<item>
	<title>Richi Jennings: Aha! Adobe alternatives ahoy. Absolutely amazing...</title>
	<guid>tag:blogger.com,1999:blog-9336495.post-940194097603220118</guid>
	<link>http://feedproxy.google.com/~r/richi/~3/1TSER-HMroM/aha-adobe-alternatives-ahoy-absolutely.html</link>
	<description>&lt;a href=&quot;http://richij.com/tlv&quot; title=&quot;The Long View&quot;&gt;&lt;img src=&quot;http://blogs.computerworld.com/sites/default/themes/cw_blogs/cache/files/pictures/picture-23.gif&quot; width=&quot;33&quot; height=&quot;37&quot; alt=&quot;Richi Jennings's picture&quot; title=&quot;Richi Jennings&quot; align=&quot;top&quot; /&gt;&lt;/a&gt; &amp;nbsp; &lt;b&gt;The Long View (&lt;a href=&quot;http://richij.com/tlv&quot; title=&quot;The Long View&quot;&gt;Computerworld&lt;/a&gt;)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Happy Friday, everyone. This morning's wailing and gnashing of teeth over Adobe patches reminded me that there's more to PDF reading and writing than the 'official' Adobe software. Let's take a peek, in The Long View.&lt;br /&gt;&lt;br /&gt;...&lt;a href=&quot;http://blogs.computerworld.com/16791/aha_adobe_alternatives_ahoy_absolutely_amazing?source=richij&quot;&gt;Read more&lt;/a&gt;</description>
	<pubDate>Fri, 20 Aug 2010 13:56:43 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Critical Adobe Acrobat APSB10-17 Vulnerability Patch</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10762</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10762</link>
	<description>&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/reader_icon.jpg&quot;&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/reader_icon.jpg&quot; alt=&quot;&quot; title=&quot;Acrobat&quot; width=&quot;125&quot; height=&quot;104&quot; class=&quot;alignright size-full wp-image-10763&quot; /&gt;&lt;/a&gt;Adobe Systems has sent out a critical Security Advisory for Adobe Reader and Acrobat. This advisory is related to the security vulnerability CVE-2010-2862. For more information, please refer to &lt;a href=&quot;http://www.sophos.com/support/knowledgebase/article/111831.html&quot;&gt;this Sophos knowledgebase article&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For further information and where to obtain the updates, please refer to the following link: &lt;a href=&quot;http://www.adobe.com/support/security/bulletins/apsb10-17.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb10-17.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This vulnerability affects existing versions of Adobe Reader 9.3.3 as well as earlier versions of Adobe Reader for Windows, Macintosh and UNIX.&lt;/p&gt;
&lt;p&gt;Users of these Adobe products are &lt;b&gt;strongly advised&lt;/b&gt; to update their software.&lt;/p&gt;</description>
	<pubDate>Fri, 20 Aug 2010 01:08:04 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: The most dangerous celebrities</title>
	<guid>http://blogs.msdn.com/b/tzink/archive/2010/08/19/the-most-dangerous-celebrities.aspx</guid>
	<link>http://blogs.msdn.com/b/tzink/archive/2010/08/19/the-most-dangerous-celebrities.aspx</link>
	<description>&lt;p&gt;Reuters has an &lt;a href=&quot;http://omg.yahoo.com/news/cameron-diaz-ranked-most-dangerous-web-celeb-study/45911?nc&quot;&gt;article&lt;/a&gt; up today on the most dangerous celebrities on the web.&amp;#160; Topping this year’s list is Cameron Diaz:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;NEW YORK (Reuters) - She may be known for her playful giggles and killer looks, but now movie star Cameron Diaz has become the most dangerous celebrity on the Internet.&amp;#160; Diaz, 37, is top of the list of the most dangerous celebrities to search for online, above second-placed Julia Roberts, according to computer security company McAfee, Inc. Last year's most dangerous Web celebrity, Jessica Biel, fell to third.&lt;/p&gt;    &lt;p&gt;One in ten websites featuring the &amp;quot;Knight and Day&amp;quot; star contain malicious software intended to infect computers and steal data from users, according to research released on Thursday by McAfee.&amp;#160; Creators of malicious software use celebrities as lures, baiting fans and followers to click on and download seemingly innocuous content containing programs designed to steal passwords and other private information for profit, said Dave Marcus, director of security research at McAfee Labs.&lt;/p&gt;    &lt;p&gt;&amp;quot;They know that people want to have screensavers of popular individuals. They follow hot topics on the Web and create their poisonous content accordingly,&amp;quot; Marcus said.&amp;#160; &amp;quot;This relates to a larger trend of using social engineering lures. A lot of times a cyber criminal will mine Twitter, or follow Google Trends, to poison those links. 
It's very clear they will use news trends to lure,&amp;quot; he said.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;To elaborate some more on what McAfee is saying, various services like Google publish their Google Trends top keywords, which indicate what users are searching for the most.&amp;#160; Services like Twitter will have their most trending topics, that is, what people are talking about and categorizing their tweets as.&amp;#160; The ones that users are searching for or tweeting the most show up at the top of the list.&amp;#160; It’s a good way to determine what people are interested in the most at a particular point in time.&amp;#160; After the 2008 presidential election, people were all searching for Barack Obama.&amp;#160; In February of this year, people were talking about the Olympics (no doubt regarding Canada’s victory in the men’s gold medal hockey game).&lt;/p&gt;  &lt;p&gt;However, spammers will do the same thing.&amp;#160; They will figure out the most important trends in a particular category or a particular time of year, and then they will create poisoned search results that get their pages to the top of a search ranking.&amp;#160; For example, they might engage an army of bots to crawl through various blogs and leave comments that contain the celebrity’s name, say Cameron Diaz, with a link to a web page (the spammer’s).&amp;#160; When Google’s crawlers start searching the web, they pick up all these pointers to the spamming web page.&amp;#160; Since part of Google’s search algorithm is finding out how many pages point to another page with a search tag attached, and since the spam bots have left tens to hundreds of thousands (to millions?) 
of redirects, this makes the web page show up higher in a Google search.&lt;/p&gt;  &lt;p&gt;Of course, these web pages are not benign fan pages.&amp;#160; They can contain a few different things:   &lt;br /&gt;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;Drive-by downloads – &lt;/strong&gt;These are web pages that have malicious code running in them that is designed to exploit vulnerabilities in a web browser.&amp;#160; These exploits execute automatically without the knowledge of the user and silently install malware onto the computer.&amp;#160; This illustrates why it is important to keep one’s browser fully patched, and more importantly, upgrade to the latest version (cough, UK government, cough).      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Links to free software or screensavers&lt;/strong&gt; – Who can resist a free screensaver of your favorite celebrity?&amp;#160; Well, most of the world, actually, but the point is that these screensavers may be free, but they are not cheap.&amp;#160; They are actually pieces of malware and when you install them, you are actually installing malware directly onto your computer.&amp;#160; Good anti-virus software can help, but so can the latest browsers like Internet Explorer 8 and Firefox 3.&amp;#160; Each of them contains URL screeners that can determine whether or not a URL is malicious or hosting malicious content (this also works for the previous bullet point).      
&lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Links to spam, usually pharmaspam – &lt;/strong&gt;In one of the all time biggest disappointments, imagine wanting to check out your favorite celebrity and instead being served up with an advertisement for cheap Ambien.&amp;#160; I would think that this wouldn’t work too well for the spammers because once people have their expectations violated in a less satisfactory manner (wanting one thing and getting another lower quality product), the emotions of disgust and anger kick in.&amp;#160; People are less likely to be compliant to advertising when those two emotions are in play.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, when the term “dangerous” is used in the cyber context when it comes to celebrities, the term does not refer to them being physically dangerous but instead dangerous to the health of one’s computer.&amp;#160; The celebrity is used as a lure to get people into taking action that they might not normally take, and then systems under their control have been compromised.&amp;#160; The most dangerous ones would be the ones with the most malware attached to them.&lt;/p&gt;  &lt;p&gt;Celebrity harvesting is nothing new; spammers have been using their names in x-rated spam for years.&amp;#160; In the case of Cameron Diaz, one in ten sites is a lot to be compromised, which demonstrates that spammers/malware authors are quite successful at getting their products so widely distributed and search engines so highly compromised.&lt;/p&gt;</description>
	<pubDate>Thu, 19 Aug 2010 23:47:47 +0000</pubDate>
</item>
<item>
	<title>Richi Jennings: How does Intel/McAfee make sense? I think I know...</title>
	<guid>tag:blogger.com,1999:blog-9336495.post-8160683657962052940</guid>
	<link>http://feedproxy.google.com/~r/richi/~3/1bPZmmK7peY/how-does-intelmcafee-make-sense-i-think.html</link>
	<description>&lt;a href=&quot;http://richij.com/tlv&quot; title=&quot;The Long View&quot;&gt;&lt;img src=&quot;http://blogs.computerworld.com/sites/default/themes/cw_blogs/cache/files/pictures/picture-23.gif&quot; width=&quot;33&quot; height=&quot;37&quot; alt=&quot;Richi Jennings's picture&quot; title=&quot;Richi Jennings&quot; align=&quot;top&quot; /&gt;&lt;/a&gt; &amp;nbsp; &lt;b&gt;The Long View (&lt;a href=&quot;http://richij.com/tlv&quot; title=&quot;The Long View&quot;&gt;Computerworld&lt;/a&gt;)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;What's Intel up to? Don't expect it to tell us the real reason it's buying McAfee. But I'll tell you what I think its plans are, in The Long View...&lt;br /&gt;&lt;br /&gt;...&lt;a href=&quot;http://blogs.computerworld.com/16783/how_does_intel_mcafee_make_sense_i_think_i_know&quot;&gt;Read more&lt;/a&gt;</description>
	<pubDate>Thu, 19 Aug 2010 19:46:45 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Spammers Using Fake LinkedIn Notifications</title>
	<guid>http://www.allspammedup.com/?p=2921</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/f5BmMRWDzwE/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/Photoxpress_4582085.jpg&quot;&gt;&lt;img class=&quot;alignright size-medium wp-image-2922&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/Photoxpress_4582085-400x300.jpg&quot; alt=&quot;&quot; width=&quot;203&quot; height=&quot;152&quot; /&gt;&lt;/a&gt;Spammers have begun sending out fake LinkedIn notices that have spam attached to them. At first glance they look like the notices you get when someone wants to add you to their network, but they have a linked image attached, which is usually an ad for Viagra, Cialis and other related types of drugs. The link leads to a site called PathTasty. PathTasty appears to be one of the hundreds of fake internet pharmacies that fall under the “Canadian Pharmacy” umbrella. This isn’t a phishing scam &amp;#8211; if you place an order you will get it, but it will be a counterfeit version of the drugs you paid for. These fake drugs are made in China and India with unknown ingredients and are completely untested and unregulated. There have been no reports of anyone getting sick or dying from taking the fake drugs, but the FDA was concerned enough to issue an alert warning consumers to stay away from these sites.&lt;/p&gt;
&lt;p&gt;Canadian Pharmacy has been around for quite some time now. Its spam is pumped out by the massive Rustock and Mega-D botnets, and it is run by GlavMed, which bills itself as an “affiliate program”, though most security experts consider it a criminal organization. It’s located in Russia, however, which makes it difficult to track down.&lt;/p&gt;
&lt;p&gt;Ironically there is a very legit company called Canada Pharmacy and they are said to be quite irate over the association with Canadian Pharmacy. Canada Pharmacy is a real pharmacy doing business on the net and unlike Canadian Pharmacy, they won’t dispense drugs to anyone without a valid prescription for them.&lt;/p&gt;
</description>
	<pubDate>Thu, 19 Aug 2010 14:11:04 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): It’s not what you write, but the words you use…</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10745</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10745</link>
	<description>&lt;p&gt;Or at least their length.&lt;/p&gt;
&lt;p&gt;Earlier this week I came across some rather interesting JavaScript injected into legitimate sites. The obfuscation method was new (to me at least) and piqued my interest.&lt;/p&gt;
&lt;p&gt;The payload itself is predictable and dull - addition of an iframe to the page in order to load further malware. But the manner in which this payload is hidden made me chuckle. The bulk of the injected script consists of a long string of words, which is split into an array (&lt;code&gt;DayahDet&lt;/code&gt; in the code snippet shown below).&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/words1.jpg&quot; alt=&quot;&quot; title=&quot;Snippet of Mal/Iframe-Gen script&quot; width=&quot;567&quot; height=&quot;91&quot; class=&quot;alignnone size-full wp-image-10749&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Decryption of the payload consists of the following steps. For each pair of words in the array, construct a string from the lengths (minus 1) of the two words, each written in hex.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;str = (myArray[i].length-1).toString(16)+(myArray[i+1].length-1).toString(16)&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The &lt;a href=&quot;https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Functions#parseInt_and_parseFloat_Functions&quot;&gt;&lt;code&gt;parseInt&lt;/code&gt;&lt;/a&gt; function is then used to convert the string to a numeric value, which is passed to &lt;a href=&quot;https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/String/fromCharCode&quot;&gt;&lt;code&gt;String.fromCharCode&lt;/code&gt;&lt;/a&gt; to return the desired string character.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;String.fromCharCode(parseInt(str,16));&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;In the code snippet image above, just the start of the string is included, which decrypts to the start of the malicious JavaScript:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;document.write(&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The characters used in the words are immaterial - only the length matters. The exact same payload could be obfuscated as follows:&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/words2.jpg&quot; alt=&quot;&quot; title=&quot;Alternative obfuscation for Mal/Iframe-Gen sample.&quot; width=&quot;567&quot; height=&quot;88&quot; class=&quot;alignnone size-full wp-image-10758&quot; /&gt;&lt;/p&gt;
&lt;p&gt;This is nothing hugely complex or clever, but it is cunning nonetheless. The example provides yet &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=10440&quot;&gt;another&lt;/a&gt; illustration of the flexibility that JavaScript provides the attacker in terms of obfuscation. It does not take much imagination to modify the above technique (changing the delimiter, applying a numeric shift to the length of array elements, etc.).&lt;/p&gt;
&lt;p&gt;What about protection for Sophos customers? The sophisticated JavaScript handling in the core AV engine enables us to recognise the payload and block these injected scripts as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/maliframef.html&quot;&gt;Mal/Iframe-F&lt;/a&gt;.&lt;/p&gt;</description>
	<pubDate>Thu, 19 Aug 2010 10:40:28 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Good software doing bad things 2</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=10728</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=10728</link>
	<description>&lt;p&gt;Recently, my &amp;#8220;Oh-So-Smart&amp;#8221; colleague &amp;lt;3 Pete &amp;lt;3 highlighted &lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/?p=9905&quot; target=&quot;_blank&quot;&gt;Good Software Doing Bad Things&lt;/a&gt; and I was truly inspired and impressed. Thus, I went hunting. Hunting for other good software doing bad things. Now, I have a sequel to his excellent blog. Part 2, as I un-creatively penned it, relates to AutoIt archives doing memory injection.&lt;/p&gt;
&lt;div id=&quot;attachment_10738&quot; class=&quot;wp-caption aligncenter&quot;&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/autoit_11.jpg&quot;&gt;&lt;img class=&quot;size-full wp-image-10738&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/autoit_11.jpg&quot; alt=&quot;&quot; width=&quot;514&quot; height=&quot;432&quot; /&gt;&lt;/a&gt;&lt;p class=&quot;wp-caption-text&quot;&gt;Getting the handle to WriteProcessMemory with an AutoIt script.&lt;/p&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/autoit_21.jpg&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-10739&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2010/08/autoit_21.jpg&quot; alt=&quot;&quot; width=&quot;480&quot; height=&quot;339&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The malware author has taken pains to pick up AutoIt scripting and hand-craft this malicious mutant. Fortunately, as in all superhero or action movies, &lt;a href=&quot;http://www.sophos.com&quot; target=&quot;_blank&quot;&gt;The S-Team&lt;/a&gt; wins. :)&lt;/p&gt;</description>
	<pubDate>Thu, 19 Aug 2010 00:23:28 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Office Depot Latest Brand To Be Exploited By Spammers</title>
	<guid>http://www.allspammedup.com/?p=2915</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/zOd8d901kzs/</link>
	<description>
&lt;p&gt;&lt;a href=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/OfficeDepotstacklogo_002.jpg&quot;&gt;&lt;img class=&quot;alignright size-medium wp-image-2917&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2010/08/OfficeDepotstacklogo_002-400x181.jpg&quot; alt=&quot;&quot; width=&quot;281&quot; height=&quot;127&quot; /&gt;&lt;/a&gt;Office supply retailer Office Depot is the latest company to be brand-jacked by spammers. The company says they’ve received many reports of both customers and non-customers receiving fake order receipts for merchandise they never bought. The order total appears to always be the same amount, $151.06. While they won’t say exactly how many reports they’ve got, company representatives say the problem is widespread and have issued a warning:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;“Office Depot has been alerted that both customers and non-customers have received an unsolicited email confirmation of an Office Depot order that they never placed,” Office Depot spokesman Brian Levine said in a statement. “This message was not sent by Office Depot. We are asking recipients of the email to delete it. Office Depot only sends email confirmation messages to customers who request one at the time that they place an order and this confirmation comes from an Office Depot email account.”&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;No other details about the spam campaign have been released, but if it’s like similar campaigns that have brand-jacked big names like Amazon and UPS, there is probably some sort of attempted phishing attack or malware delivery involved. Presumably the spammers are trying to get people to click on a link that leads to a fake Office Depot page, much like the Amazon attack in which fake Amazon order confirmations included links that led to a fake Amazon login page. Spammers and scammers are getting more and more brazen about using the names of well-known companies to trick people into falling for their schemes.&lt;/p&gt;
&lt;p&gt;It’s difficult to keep your brand from ending up in a scammer’s campaign, so it’s important to make sure you have a strong response strategy. Take any reports of such activity very seriously. Send an immediate takedown order to any domain you find hosting a fake copy of your company website and issue warnings to all your customers and vendors. Being proactive is your best defense.&lt;/p&gt;
</description>
	<pubDate>Wed, 18 Aug 2010 14:20:20 +0000</pubDate>
</item>

</channel>
</rss>
