Amateurs....
As I was going through one of our spamtraps a few minutes ago I saw a brand new message come in which claimed to be a CNN News Update. This was especially interesting to me because none of our spamtraps subscribe to any updates from CNN (or any other news organization for that matter).
So I started to do a little digging....
Below are the (somewhat elided) headers:
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
<news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
[61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
(8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
If you are not sure how to read email message headers, here is basically how this message breaks down. Received headers are read from the bottom up, so this message originated from a static DSL customer in India (dsl-KK-static-static-237.201.95.61.airtelbroadband.in), was relayed through a mail server in Taiwan (mail.tfmi.com.tw), and was then delivered to our spamtrap.
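To make the bottom-up reading concrete, here is a small Python script (an added example, not part of the original post) that unfolds the two Received headers quoted above and prints the hop chain in delivery order. The header text is the post's own, with the continuation lines re-indented the way they appear in a raw message and the elided XXXX hostnames kept as-is; the field layout differs between mail servers, so the regular expressions only cover the two formats seen here. Keep in mind that only the topmost Received header, the one your own mail server wrote, can be trusted; every header below it arrived inside the message and could have been fabricated by the sender.

```python
import re
from typing import List

# The two Received headers quoted in the post, re-folded with RFC 5322
# continuation whitespace (the elided XXXX hostnames are left as in the post).
RAW_HEADERS = """\
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
 XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
 id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
 <news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
 [61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
 (8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
HELO_RE = re.compile(r"\((?:EHLO|HELO)\s+([^\s)]+)\)", re.I)   # "(EHLO name)" style
RDNS_RE = re.compile(r"\(([^\s()\[\]]+)\s+\[")                 # "(rdns [ip]" style
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto the header they belong to."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_hop(header: str) -> dict:
    """Pull the claimed HELO name, reverse DNS, IP and receiving host out of one Received header."""
    from_m = FROM_RE.search(header)
    claimed = from_m.group(1) if from_m else None
    helo_m = HELO_RE.search(header)
    rdns_m = RDNS_RE.search(header)
    ip_m = IPV4_RE.search(header)
    by_m = BY_RE.search(header)
    rdns = rdns_m.group(1) if rdns_m else None
    # "from unknown [ip]" layout: the token after "from" is the reverse DNS result.
    if rdns is None and claimed and re.search(r"from\s+" + re.escape(claimed) + r"\s+\[", header):
        rdns = claimed
    return {
        "helo": helo_m.group(1) if helo_m else claimed,
        "rdns": rdns,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        "forged_hint": "may be forged" in header,    # receiving MTA could not confirm rDNS
        "authenticated": "authenticated" in header,  # sender used SMTP AUTH on that relay
    }


def trace(raw: str) -> List[dict]:
    """Hops in delivery order (origin first): each MTA prepends its header, so the last is the earliest."""
    hops = [parse_hop(h) for h in unfold(raw) if h.lower().startswith("received:")]
    return list(reversed(hops))


def describe(raw: str) -> str:
    """One human-readable line per hop."""
    lines = []
    for i, hop in enumerate(trace(raw), 1):
        flags = []
        if hop["forged_hint"]:
            flags.append("rDNS may be forged")
        if hop["authenticated"]:
            flags.append("SMTP AUTH used")
        line = f"hop {i}: {hop['rdns'] or '?'} [{hop['ip']}] (HELO {hop['helo']}) -> {hop['by']}"
        if flags:
            line += "  [" + "; ".join(flags) + "]"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(RAW_HEADERS))
```

The second hop is the interesting one for a defender: the relay in Taiwan accepted the message over an authenticated session from a consumer DSL address whose reverse DNS it could not verify, which usually means a compromised or weakly protected mail account on that relay rather than an open relay.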
Whoever is sending these spam messages either doesn't know what they are doing or is testing the waters for an upcoming spam/malware run. Here's why:
When I opened this message in an email client, the HTML within the message never attempted to render. Why? Because the content type of the message was set in the message header as plain text. This means that the email client should not attempt to render the HTML (show it as it would appear on a web page) but should instead display the raw HTML text to the user. Only the truly geeky, like me, would take the time to actually analyze this gibberish.
Also, every link within the message (including the help text at the bottom of the message, which is supposed to link to the CNN web site) pointed to a web site hosted in Italy. Here is an example taken directly from the email:
For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a> and choose the "Help" link on any page.<br> If you do not want to recive any more news from CNN <a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!</span></font> <font color="#808080" face="Arial"></font></p>
There doesn't appear to be anything malicious on the page being linked to at colectionarul.com (at least right now). That leads me to believe this was either someone who didn't know what they were doing and thus sent out a horribly broken spam message, or someone doing a test run as a prelude to more current-event-based social engineering tactics, similar to what started the huge Storm Worm outbreaks in January 2007.
Thanks to James in our Threat Operations Center for forwarding me a sample of one of the funnier phishing tactics that I have come across. I thought an appropriate name for this type of scam would be "Dead Phish."
Here is a copy of the email (in all its unedited glory, filled with spelling and grammatical errors):
Dear Sir,
We are in receipt of a Death Certificate certifying you dead and seeking the transfer of your over due contract funds to an Account in London.
All the local financial contractural obligations have been met and the funds is ready for transfer to the London account.
Please understand that if we do not hear from you in the next 7 days we shall treat you as dead and the funds shall be duly transferred.
You have been notified.
If this is false please write and let us have an affidevid to counter
this claims.
Yours faithfullly,
Mrs.callister Ibe
Chairman of Contract Review Panel
Phone:234-805-6135520.
This is another phish-by-phone tactic, similar to what I have blogged about previously, where the scammers avoid using web site links within their messages in an attempt to get past URL filters and built-in browser phishing detection.
My favorite part is where it says "You have been notified." What if I were actually dead? It's true that you can get your email just about anywhere nowadays, but I never knew that also extended to beyond the grave! This was a good way to start the post-holiday work week.
Sometimes the depths to which spammers will stoop really sickens me.
Even in today's criminally infested internet I sometimes naively hope that there is still some kind of Code of Conduct under which trying to capitalize on certain catastrophic events is considered taboo. As we've seen before, such as with the devastation caused by Hurricane Katrina back in 2005 and the Indian tsunami in 2004, and now with the earthquake and aftershocks in southwest China's Sichuan province that have already killed over 28,000 people over the past week and a half (with estimates that the death toll will be over 50,000 before the final counts are tallied), scams looking to tug at both your heart strings and your purse strings have started popping up.
I'll abbreviate the message that we received for the sake of brevity (it's about the longest phish I have ever seen), as it gives a fairly detailed account of the plight of the person allegedly sending the message:
Dear friend,
I don't know your exact name. I can only guess.
I ask you to read my letter up to the end. After that you will be in the right to send my letter in a garbage basket or.......
My letter is caused by despair. I don't know to whom to address. I am compelled to ask for help any person. Namely you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.
My name is Arnulfo. My situation plunges me into depression and despair.
I will tell you shortly. I do not even know how to express correctly my thoughts. How to write you about it. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it's stupid or incorrectly. But it's the only thing that is left to do. I just ask to understand me. I even must say that it is a shame to do it.
I will continue. I don't know where you are. And I do not know what news you watched on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it's awful...
Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we
could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese
language and culture. There I also have got acquainted with Jin It's my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.
All. Everything was good. Yes, everything was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not want to describe that occured with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife's parents. Jin was in despair.
But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one output. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I could not stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I do not know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.
[ SEVERAL UNIMPORTANT PARAGRAPHS REMOVED ]
Also some kind people which know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1500$. I have no opportunity to find such sum of money. I tried all ways to find thó money. I do not wish to think that money solve everything in this world. I believe that the main thing is people and love. And I want to believe that I will be able to be beside my Jin soon . We are sure will be happy together.
Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I shall understand you.I I address to you for a help. Your help is required to me. I will tell directly that I ask you to help me with money. I will return you money
later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I shall see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I shall return the money to you in the same way. I am ready to return you more.
I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.
I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have compelled me to write this letter to you. I wish to use all variants To be near to my love.
And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.
I don't know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:
arnulfoqramos@yahoo.com.ph
I have registered it right now. I shall wait fo your answer to this e-mail. If you want to answer me
Yours faithfully Arnulfo
The words that I want to use to describe people who would try to capitalize on an event that has affected hundreds of thousands of people aren't appropriate for a corporate blog, nor for any other conversation for that matter. Every time I see these types of things, it further lowers my faith in humanity.
Please be on the lookout for this and other related scams over the coming weeks as we are sure to see more of them, likely alleging to be from relief organizations and/or companies who claim to be affiliated with them.
If you wish to make a donation to your favorite relief organization to help them provide assistance to people around the world affected by these horrific natural disasters, please contact them directly. Do not respond to solicitations via email, even if they look legitimate or come from an email address that appears legitimate.
*** UPDATE 5/21/2008 11:20am MDT *** Here are some of the subject lines that we are seeing associated with this scam:
-- Help me
-- Help me please. Read through the letter
-- Last hope. Help me please
-- I ask to help. Please
According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS."
One of the concepts that I have been throwing out there since we originally started talking about drive-by pharming (aka DNS Rebinding attack) is the potential for similar vulnerabilities to be exploited in an effort to move malware infections out closer to the network edge and create a "router bot," whereby a compromised router could be used to distribute spam, viruses, and malware the same way PCs are used today. This would be even more difficult to detect than a PC-based malware infection, as I do not believe that any network-device-based rootkit/malware detection engines even exist right now (please do correct me if I am wrong here), although this may certainly create a market for them. Would you be able to easily detect if your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage? Not likely.
One of the things that concerned me in the article was the quote from EuSecWest conference organizer Dragos Ruiu, where he said that "nobody thought you could actually build exploits for Cisco." This is a dangerous attitude to have toward any software application. I like to say "Where there is software, there are vulnerabilities." This is often followed by "Where there are vulnerabilities, there are exploits," although far more vulnerabilities exist than there are exploits written for them.
One should never assume that software is hacker-proof. It very well may be (however unlikely), but making that assumption, or even the suggestion, is the moment you've conceded that your guard has been let down. Always remain diligent in your pursuit of security!
Ok, I'll step off my soapbox now. Have a great weekend!
I wanted to take a moment to respond to the New York Times article that appeared on their website on May 10th with respect to mobile phone spam.
Largely up to this point, the United States has missed the boat as it relates to mobile phone spam, mostly because the problem here pales in comparison to the rest of the world. When it becomes more of an issue here, however, it will definitely be more problematic for consumers. In the United States your cell phone number very much becomes tied to your identity. If you change your cell phone number it is a real pain to have to make sure you notify everyone in your contact list (family members, friends, colleagues, etc.) that you can no longer be reached at your old number. This, combined with the cell phone number portability that was introduced a few years ago, makes it simple to switch carriers and keep your number, which hadn't previously been possible. In some other countries, like Japan where mobile spam is a huge problem, cell phone numbers are throwaway. When the Japanese start getting spam on their cell phone, they change numbers until the new number starts getting spammed. Rinse and repeat.
In the United States there has mostly been a wait-and-see mentality as it relates to mobile spam, but few who have gotten spam on their mobile phone would disagree that it is an issue that needs to be addressed.
Let's look at it from the carrier's perspective first, though. The article states that "Communications companies say they are not interested in spam as a profit center." I would say that "publicly" this is true, but if you look at it from a sheer numbers perspective, the carriers are already making big money as a result of mobile spam. Let's use the following statement from the article: "getting as few as 10 unsolicited text messages a month at 20 cents each would cost an extra $24 a year".
Here is where the numbers game really kicks in.
If you assume 10 unsolicited text messages per month (which is a lot, in my opinion!), this equates to $2 per month (using their pricing model). Surely some people will wait on the phone on principle alone in order to fight this additional $2 charge on their bill every month; however, many will say that the long telephone waits to fight the charge and get it removed are simply not a productive use of their time and will leave it alone. This, of course, raises the question of where the breaking point is: at what point do the lines cross so that fighting the charge becomes an efficient use of time? The answer to that question will lie with each individual consumer.
Where was I? Oh, yes! Security!
The article mentions that "The carriers regularly adjust spam filters to block offending messages. At Sprint, more than 65 percent of all text messages sent over its network are identified and blocked as spam before they reach customers." Spammers are aware that spam filtering for SMS spam is still not very mature. As such, it is a target that is more easily exploited than spam over email. To look at this as a cynic: is this also something that cell phone companies are putting considerable money towards stopping, considering the amount of revenue being generated?
I, as well as many others across the security industry, have been predicting the wider-scale movement of spam to mobile devices for the past couple of years now, and have also discussed how much easier that movement is becoming as the inbox and the personal computer become a lot more mobile. I wouldn't yet say that we have turned the corner as it relates to mobile spam, nor would I say that we are on the verge of an epic increase, but the problem definitely continues to grow as the filtering technology lags behind. Mobile malware continues to grow also, albeit not nearly at the same rate as personal-computer-based malware. Now that most phones come with internet access, however, the protections on those devices need to be at least on par with what is being provided for PCs.
Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court.
Here is an elided sample that has been received by our Threat Operations Center:
UNITED STATES TAX COURT
WASHINGTON, DC 20217
Docket No. 622-555. Filed May, 2008.
COMMISSIONER OF INTERNAL REVENUE
Petitioner.
v.
EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE
Respondent.
PETITION
The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008
Please download a Copy of the Order, Letter, Notice or Other Document Being Appealed
This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006. As motions, without prejudice, and remand this case to respondent.s Office of Appeals.
Respectfully submitted,
Bennett H. Klein
Tax Court Bar No KB0214
400 Second Street, N.W.,
Washington, D.C. 20217.
The link in the above sample goes to a web page hosted at the domain us-tax.org, which was registered just 4 days ago, on May 8th. Based on the format of the scam URL in the above message, this looks very much like some of the other recent executive-targeted scams (like the US District Court scam that I also blogged about) that we have seen lately. It would not surprise me if the same group of people is behind both.
*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour. Very low volumes in an attempt to fly under the radar as much as possible.
There have been more and more complaints popping up on the internet lately in relation to a new type of spam: Calendar Spam. Calendar Spam introduces some new annoyances and some potentially tricky pitfalls beyond what we are used to seeing from typical spam.
Since the announcement of the Google CAPTCHA compromise and the influx of spam and blowback that has been emanating out of the Google network since, it is clear that there is no easy solution to this problem from Google's standpoint (I am giving them the benefit of the doubt that more is being done on the backend than their claims that they are shutting accounts down as quickly as they can, which is clearly a futile effort). Now spammers have also started abusing the Google system to send out spam calendar invites.
One might say: Calendar invites are no more intrusive than spam. I can easily delete them from my inbox just like any other message.
True, except that the default behavior of Google Calendar (and of the Outlook calendar, actually) is to automatically display events that you have been invited to in your calendar, even if you have not responded to them. So, what this means is that if the spammy calendar event was sent to you with a reminder (which they all are), then you will still receive the reminder notification even if you deleted the original invite from your mailbox.
So, what to do? Should you decline these events? Doing so and sending a notification back to the original sender is essentially a validation of your email address, which will open the floodgates for more spam. Ignoring it obviously doesn't yield the desired result either, as we just discussed.
In fairness, Google does provide some guidance on how to prevent Calendar Spam, which essentially involves not auto-adding events to your calendar. A nice work around, but certainly not a "fix" in my opinion. This is an important calendaring feature, which is why many of the widely used calendars support it. Simply turning it off because you are receiving spam calendar invites is merely an inconvenient band-aid.
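A middle ground between auto-adding everything and turning the feature off is to triage the iCalendar invite before it reaches the calendar. The Python below is an added example (not Google's code, and not from the original post): it parses a constructed VCALENDAR invite, shows the VALARM reminder that would otherwise fire even after the e-mail is deleted, and decides per event whether to auto-add (organizer already trusted) or to hold it (keep it off the calendar, fire no reminder, and send no reply, since any reply confirms the address). The invite text, the addresses in it and the trusted-sender list are all constructed for the example.

```python
import re
from typing import Iterator, List, Set

# Constructed sample invite (not a real message). The VALARM block is the part
# that keeps nagging after the invite e-mail has been deleted.
SAMPLE_INVITE = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
DTSTAMP:20080501T120000Z
DTSTART:20080515T090000Z
DTEND:20080515T093000Z
SUMMARY:Discount pills - act now
DESCRIPTION:Visit hxxp://shop.example.invalid/ for
  details
ORGANIZER;CN=Promo Desk:mailto:promo@example.invalid
ATTENDEE;RSVP=TRUE:mailto:you@example.org
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT10M
DESCRIPTION:Reminder
END:VALARM
END:VEVENT
END:VCALENDAR
"""


def unfold_ics(text: str) -> List[str]:
    """RFC 5545 line unfolding: a line starting with one whitespace char continues the previous one."""
    out: List[str] = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ics(text: str) -> dict:
    """Build a tree of components; each node holds props {NAME: (value, params)} and children."""
    root = {"name": "ROOT", "props": {}, "children": []}
    stack = [root]
    for line in unfold_ics(text):
        if not line.strip():
            continue
        name_part, _, value = line.partition(":")   # first colon separates name;params from value
        name, *params = name_part.split(";")
        name = name.upper()
        if name == "BEGIN":
            comp = {"name": value.strip().upper(), "props": {}, "children": []}
            stack[-1]["children"].append(comp)
            stack.append(comp)
        elif name == "END":
            stack.pop()
        else:
            stack[-1]["props"][name] = (value, dict(p.split("=", 1) for p in params if "=" in p))
    return root


def find(comp: dict, name: str) -> Iterator[dict]:
    """Yield every component called `name` anywhere below `comp`."""
    for child in comp["children"]:
        if child["name"] == name:
            yield child
        yield from find(child, name)


def triage_invite(text: str, trusted_senders: Set[str]) -> List[dict]:
    """Per event: 'auto-add' when the organizer is already trusted, otherwise 'hold'.
    Holding means: not shown in the calendar, no reminder scheduled, no reply sent."""
    root = parse_ics(text)
    cal = next(find(root, "VCALENDAR"), None)
    method = cal["props"].get("METHOD", ("", {}))[0].strip().upper() if cal else ""
    report = []
    for event in find(root, "VEVENT"):
        raw_org = event["props"].get("ORGANIZER", ("", {}))[0]
        organizer = re.sub(r"^mailto:", "", raw_org.strip(), flags=re.I).lower()
        alarms = sum(1 for _ in find(event, "VALARM"))
        report.append({
            "method": method,
            "summary": event["props"].get("SUMMARY", ("", {}))[0],
            "organizer": organizer,
            "alarms": alarms,
            "action": "auto-add" if organizer in trusted_senders else "hold",
        })
    return report


if __name__ == "__main__":
    for item in triage_invite(SAMPLE_INVITE, {"boss@example.org"}):
        print(item)
```

The important design point is that "hold" never sends a REPLY back to the organizer: declining is what validates the address. A held invite can still be surfaced in a separate review list so the user can accept a legitimate one from a new contact.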
I've also seen some people say "Google signs their mail with DKIM. Shouldn't that help?" Neither DKIM nor the Sender ID Framework does anything to determine the reputation of the sender, nor do they make any positive or negative determination about the content of the message. They only help determine whether or not the message was spoofed or forged. In this case, since the message originates from Google's own servers, it will pass any such authentication mechanism.
This goes back to the age old discussion that we have had many times in that spammers will latch onto any type of technology they can get their hands on and will use and abuse it in every way possible (many times in ways you and I never even thought they could be abused!).
Clearly Google's problems are running deeper and deeper by the day. New vulnerabilities and abuses of their services are being uncovered on a seemingly daily basis. More and more service providers are starting to block communications from Google as a result, which will start to make them a less viable option for users and businesses alike and will cut into Google's top and bottom lines. Google has some great tools and is certainly an innovation-driven company. Now if only their security would start to catch up to their innovation...
The folks over at Trend Micro have a good write up on a new type of phishing scam that has started floating around over the last week or so: Google AdWords Phishing.
It looks like the scammers are using the same general content in their phish with a couple of different variations on the subject line and the tagline that appears at the end of the message.
The phishing link mentioned in Trend's blog points to a Chinese-registered domain that appears to have been taken down as of the time of this posting, but being the resilient type that cyber criminals are, they have started to send out a new spam run with links pointing to a new domain (also Chinese-registered): adwords.google.com.s0leo9.cn, which is currently still active.
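The new domain is a classic brand-as-subdomain lookalike: the part a reader notices, adwords.google.com, is just a prefix, and the part that was actually registered is s0leo9.cn. As an added example (not from the original post or from Trend Micro), the Python below implements the filter heuristic a mail gateway can apply to every link: find the registrable domain, and flag the host as a lookalike when a trusted brand appears only in the labels to its left. The trusted-brand list is constructed for the example, and the multi-label suffix table is a deliberate simplification of the Public Suffix List that a production filter would use (for example via the tldextract package); the page's own domains serve as test input.

```python
import re
from typing import Set
from urllib.parse import urlsplit

# Constructed allowlist of brands the filter protects (these are the only
# domains whose names we expect to see abused in this campaign).
TRUSTED: Set[str] = {"google.com", "cnn.com"}

# A handful of multi-label public suffixes. Simplification: real code should use
# the full Public Suffix List so that e.g. ".com.cn" is always treated correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "com.au", "co.jp", "com.tw"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str, trusted: Set[str] = TRUSTED) -> str:
    """'trusted'   - registrable domain is on the allowlist
       'lookalike' - a trusted brand appears only in the labels left of the registrable domain
       'other'     - no trusted brand involved"""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    # Everything to the left of the registrable domain is under the attacker's control.
    prefix = host[: len(host) - len(reg)].rstrip(".")
    for brand in trusted:
        brand_word = brand.split(".")[0]          # "google" from "google.com"
        if brand in prefix or brand_word in prefix:
            return "lookalike"
    return "other"


def classify_url(url: str, trusted: Set[str] = TRUSTED) -> str:
    """Classify the host of a URL; defanged hxxp:// links, as used in the post, are accepted."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    host = urlsplit(url).hostname
    return classify_host(host, trusted) if host else "other"


if __name__ == "__main__":
    for h in ("adwords.google.com.s0leo9.cn", "adwords.google.com",
              "www.colectionarul.com", "mail.tfmi.com.tw"):
        print(f"{h:32} -> {classify_host(h)}")
```

Substring matching on the brand word is intentionally loose, so a host like google-login.example.invalid is also flagged; on a real gateway that is the right trade-off, because a lookalike verdict only feeds a score or a quarantine, not an outright block.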
Below is a screen shot of one of the phish examples that we saw hit one of our spamtraps (note where it is different between here and the screen shot posted on Trend's blog):
From a volume standpoint these phishing attempts appear to be coming in waves. For example, on Tuesday, May 6th our Threat Operations Center was seeing approximately 2,200 of these hitting our systems in the early morning hours up to about 7:00am. After that it dropped off to about 2 per hour. In the early morning hours of May 7th we were again seeing up to 550 per hour.
This tactic won't resonate very well with most people: even though quite a few organizations use Google AdWords to promote their products on Google search result pages, the audience to whom this type of scam will make sense is pretty limited.
According to Peter Gabriel's web site sometime on Sunday Night or Monday Morning their web servers were stolen from their data center.
I wonder if they broke in with a Sledgehammer? Or if they were Quiet and Alone? I wonder if the RIAA will sue the thieves for stealing music?
Ok, enough jokes....
Kind of makes you wonder how they got in....or does it? I've been speaking to several colleagues lately who either currently perform social engineering engagements or did them in previous lives, and it is amazing to me which areas of buildings they have been able to access and what confidential information they have uncovered using everyday, common techniques that we all do: tailgating, acting like you misplaced your access badge, or just looking like you belong somewhere.
Then once they were in the data center, how did they access the cabinet that the servers were in? Many cabinets go from the floor to the ceiling or have safeguards in place to prevent the cabinet from being compromised from on top. They should also have at minimum either a keylock or combination lock (or both), not to mention that the data center should also have security cameras covering every square inch of floor space.
We talk about proofs of concept very frequently where the occurrence of one crime is a finger pointing towards the potential occurrence of something much more damaging. This is definitely one of those types of crimes. If it can happen at this data center, what is to say that this same thing couldn't happen at any number of others as well? What security policies does your data center have? How well do they follow them?
We make a lot of assumptions with regards to the security of data centers, but all the technology controls in the world don't make a bit of difference if they can easily be bypassed.
30 Years and Still Going Strong with No Signs of Slowdown
It would be inappropriate for me to let this day go by without wishing a happy birthday to one of the most important and controversial terms of the early 21st century.
Spam!
No, not SPAM!
Spam!
I try to shy away from actual definitions of spam because its scope has gotten so much wider since the first spam message was sent by Gary Thuerk to a large swath of ARPANET addresses 30 years ago this month.
So, was Thuerk an overly aggressive marketer? Or a pioneer setting the stage for modern day cybercrime? In my opinion the answer is both, but to that I would add the disclaimer that if he didn't do it surely someone else would have.
One could also make the claim that spam started even prior to that using the CTSS (Compatible Time-Sharing System) "mail" command back in 1971 where a developer wrote a long anti-war message that began with "THERE IS NO WAY TO PEACE. PEACE IS THE WAY." Despite being told that using the CTSS mail system in that way would likely be viewed as abusive he defended his position with the statement of "but this is important!"
Obviously spam has evolved quite a bit from its days of ARPANET and CTSS, but there are still a lot of parallels in why spam is sent. The primary end-goal was the use of network technology and over the wire communication for the purpose of making money. Whether that has to do with trying to sell a product (either legitimate or illegitimate) or trying to get a user to install adware or crimeware on their PC, money has been, still is, and will continue to be the primary reason for spam.
As we also know, "Spam Ain't Just for Email Anymore," but it still carries the common theme of network abuse. Social and mobile networks have been common additional avenues that spammers have been exploiting recently, through SMS spam and blog spam. Communication technologies like Instant Messenger and Voice over IP (VoIP) haven't been immune either; their abuse has spawned acronyms like SPIM and SPIT.
Bill Gates was clearly way off base when he predicted in January, 2004 that spam would be gone in two years. Spam is more prevalent than ever not only in our inboxes, but in just about every way that we communicate and collaborate. As long as people continue to respond to spam it isn't going anywhere. In fact, it will only continue to become more pervasive and unavoidable.