Hot off the presses and posted to the MX Logic web site is the July 2008 edition of our Threat Forecast and Report.
In this latest edition we look ahead to some of the threats and scams that we see upcoming for the month of July (Teaser: the iPhone will be featured prominently this month!) as well as a lookback to what we saw during the month of June (In our previous report we estimated that spam volume would go up in June after being down in May. Oops!).
There is also something about name calling between pots and kettles....
Check out this month's Threat Forecast and Report here.
Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out. Granted, new Storm Worm variants are nothing new. They come out all the time. I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.
The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).
This is a screen shot of what the site looks like:
Clicking on the banner at the top of the page attempts to download a file named winner.exe. Clicking the "Click Here" link attempts to download mylove.exe.
Here are the virustotal.com results for winner.exe and mylove.exe:
winner.exe:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | - |
| AntiVir | 7.8.0.59 | 2008.06.30 | - |
| Authentium | 5.1.0.4 | 2008.06.29 | - |
| Avast | 4.8.1195.0 | 2008.06.30 | - |
| AVG | 7.5.0.516 | 2008.06.30 | - |
| BitDefender | 7.2 | 2008.06.30 | - |
| CAT-QuickHeal | 9.50 | 2008.06.30 | - |
| ClamAV | 0.93.1 | 2008.07.01 | - |
| DrWeb | 4.44.0.09170 | 2008.06.30 | - |
| eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File |
| eTrust-Vet | 31.6.5914 | 2008.06.30 | - |
| Ewido | 4.0 | 2008.06.27 | - |
| F-Prot | 4.4.4.56 | 2008.06.29 | - |
| F-Secure | 7.60.13501.0 | 2008.06.26 | - |
| Fortinet | 3.14.0.0 | 2008.07.01 | - |
| GData | 2.0.7306.1023 | 2008.06.30 | - |
| Ikarus | T3.1.1.26.0 | 2008.06.30 | - |
| Kaspersky | 7.0.0.125 | 2008.07.01 | - |
| McAfee | 5328 | 2008.06.30 | - |
| Microsoft | 1.3704 | 2008.07.01 | - |
| NOD32v2 | 3229 | 2008.06.30 | - |
| Norman | 5.80.02 | 2008.06.30 | - |
| Panda | 9.0.0.4 | 2008.07.01 | Suspicious file |
| Prevx1 | V2 | 2008.07.01 | - |
| Rising | 20.51.02.00 | 2008.06.30 | - |
| Sophos | 4.30.0 | 2008.07.01 | - |
| Sunbelt | 3.1.1509.1 | 2008.06.30 | - |
| Symantec | 10 | 2008.07.01 | - |
| TheHacker | 6.2.96.365 | 2008.07.01 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.30 | - |
| VBA32 | 3.12.6.8 | 2008.06.30 | - |
| VirusBuster | 4.5.11.0 | 2008.06.30 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.30 | - |
mylove.exe:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | - |
| AntiVir | 7.8.0.59 | 2008.06.30 | - |
| Authentium | 5.1.0.4 | 2008.06.29 | - |
| Avast | 4.8.1195.0 | 2008.06.30 | - |
| AVG | 7.5.0.516 | 2008.06.30 | - |
| BitDefender | 7.2 | 2008.06.30 | Trojan.Peed.JLV |
| CAT-QuickHeal | 9.50 | 2008.06.30 | - |
| ClamAV | 0.93.1 | 2008.07.01 | - |
| DrWeb | 4.44.0.09170 | 2008.06.30 | - |
| eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File |
| eTrust-Vet | 31.6.5914 | 2008.06.30 | - |
| Ewido | 4.0 | 2008.06.27 | - |
| F-Prot | 4.4.4.56 | 2008.06.29 | - |
| F-Secure | 7.60.13501.0 | 2008.06.26 | - |
| Fortinet | 3.14.0.0 | 2008.07.01 | - |
| GData | 2.0.7306.1023 | 2008.06.30 | - |
| Ikarus | T3.1.1.26.0 | 2008.06.30 | Email-Worm.Win32.Zhelatin.zy |
| Kaspersky | 7.0.0.125 | 2008.07.01 | - |
| McAfee | 5328 | 2008.06.30 | - |
| Microsoft | 1.3704 | 2008.07.01 | - |
| NOD32v2 | 3229 | 2008.06.30 | - |
| Norman | 5.80.02 | 2008.06.30 | - |
| Panda | 9.0.0.4 | 2008.07.01 | - |
| Prevx1 | V2 | 2008.07.01 | - |
| Rising | 20.51.02.00 | 2008.06.30 | - |
| Sophos | 4.30.0 | 2008.07.01 | - |
| Sunbelt | 3.1.1509.1 | 2008.06.30 | - |
| Symantec | 10 | 2008.07.01 | - |
| TheHacker | 6.2.96.365 | 2008.07.01 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.30 | - |
| VBA32 | 3.12.6.8 | 2008.06.30 | - |
| VirusBuster | 4.5.11.0 | 2008.06.30 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.30 | - |
So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon. The IPs that are hosting the infected URLs are being rotated using fast flux. In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times.
This is not likely to be the only time this week that we hear from Storm. Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge. Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless.
Expect to see some revisit of Storm sometime later this week. It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.
Another one bites the dust...
Jason Michael Milmont, the author of the Nugache worm and the creator of what came to be known as "Fast Flux", has pleaded guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.
Fast Flux is an abuse of the domain name system (DNS) by which botnets will continually rotate the IP addresses associated with a malware infected web site to evade detection and forensic analysis. This constant mobility makes the botnet very difficult to shut down.
There is also an evasion tactic called "Double Flux" which is similar to Fast Flux in that it will not only rotate a domain's responding IP addresses, but also that domain's authoritative name servers. The reason that it is called "Fast" flux is because these IP addresses will rotate as often as every couple of minutes.
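The rotation described above is also what makes flux networks detectable from the resolver side. The following is an added example (not from the post or from MX Logic) that scores repeated DNS lookups of a name for fast-flux and double-flux behaviour; the thresholds, the placeholder domains and the 10.x.y.z answers are constructed assumptions.

```python
"""Score DNS observations for fast-flux and double-flux behaviour.

Input: repeated lookups of the same name over a monitoring window, each
recording the TTL, the A records and the NS records returned.  The
heuristics follow the definitions in the post: short TTLs with the
answer set changing every few minutes (fast flux), plus rotating
authoritative name servers (double flux).
"""
from collections import defaultdict
from ipaddress import ip_network


def network_prefix(ip, bits=24):
    """Collapse an address to its /24 so hosts on one LAN count once."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def classify(stats, max_ttl=300, min_changes=2, min_nets=3):
    """Apply the thresholds (assumed values; tune them to your resolver data)."""
    fluxing = (stats["min_ttl"] <= max_ttl
               and stats["ip_changes"] >= min_changes
               and stats["distinct_nets"] >= min_nets)
    if fluxing and stats["ns_changes"] >= min_changes:
        return "double-flux"
    if fluxing:
        return "fast-flux"
    return "stable"


def summarize(observations):
    """Group observations by domain and compute flux indicators for each."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o["domain"]].append(o)
    report = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o["ts"])
        ips, nets, ttls = set(), set(), []
        ip_changes = ns_changes = 0
        prev_a = prev_ns = None
        for o in obs:
            cur_a, cur_ns = frozenset(o["a"]), frozenset(o["ns"])
            if prev_a is not None and cur_a != prev_a:
                ip_changes += 1          # answer set differs from the previous lookup
            if prev_ns is not None and cur_ns != prev_ns:
                ns_changes += 1          # authoritative servers differ as well
            prev_a, prev_ns = cur_a, cur_ns
            ips.update(cur_a)
            nets.update(network_prefix(ip) for ip in cur_a)
            ttls.append(o["ttl"])
        stats = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "ip_changes": ip_changes,
            "ns_changes": ns_changes,
            "min_ttl": min(ttls),
            "window_s": obs[-1]["ts"] - obs[0]["ts"],
        }
        stats["verdict"] = classify(stats)
        report[domain] = stats
    return report


def constructed_observations():
    """Constructed lookups: one every two minutes for a quarter hour, three names.

    10.x.y.z addresses stand in for the scattered, mostly residential hosts a
    real flux network answers with; the domain names are placeholders.
    """
    obs = []
    for i in range(8):
        ts = i * 120
        fresh = tuple(f"10.{i + 1}.{j}.{50 + i}" for j in range(3))  # 3 new /24s per lookup
        # Double flux: A records and NS records both rotate on a 60 s TTL.
        obs.append({"domain": "double-flux-lure.test", "ts": ts, "ttl": 60, "a": fresh,
                    "ns": (f"ns{i % 4}.double-flux-lure.test",
                           f"ns{(i + 1) % 4}.double-flux-lure.test")})
        # Fast flux only: A records rotate, name servers stay fixed.
        obs.append({"domain": "fast-flux-lure.test", "ts": ts, "ttl": 60, "a": fresh,
                    "ns": ("ns1.fast-flux-lure.test", "ns2.fast-flux-lure.test")})
        # Ordinary hosting: long TTL, same answer every time.
        obs.append({"domain": "corp-mail.example", "ts": ts, "ttl": 3600,
                    "a": ("192.0.2.10",), "ns": ("ns1.example", "ns2.example")})
    return obs


if __name__ == "__main__":
    for name, stats in summarize(constructed_observations()).items():
        print(f"{name:24} {stats['verdict']:12} ttl={stats['min_ttl']:<5} "
              f"ips={stats['distinct_ips']:<3} nets={stats['distinct_nets']:<3} "
              f"ip_changes={stats['ip_changes']} ns_changes={stats['ns_changes']}")
```

Feeding it passive-DNS or resolver logs instead of the constructed records is the only change needed for real monitoring.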
The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as to steal personal information such as credit card numbers from the computers it infected. It has been estimated that he controlled as many as 15,000 computers on his botnet.
Under the terms of his deal Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison.
In my opinion, this story is only significant because of Milmont's contribution to the botnet community with how his Nugache worm used peer-to-peer networking technology and fast flux in order to create a fully redundant, interconnected network to prevent his botnet from easily being shut down. The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm which heavily relied on fast flux to stay alive.
Don't be fooled....
According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.
Don't be fooled by what is meant by "address" in this context. Let's be clear on what these tools do and what they don't do.
They DO:
-- Scan web sites and identify potential SQL injection vulnerabilities. Even Erik Peterson, a senior director of products for HP's application security center, states that Scrawlr (one of the tools identified) falls short of the functionality provided by many commercial tools.
-- Analyze source code for potential vulnerabilities; however, the source code analyzer that is recommended only supports ASP code written in VBScript.
Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.
They DON'T:
-- Provide protection against any attacks
-- Solve the real root of the problem which is ensuring programmers are following safe coding practices to protect the sites that they develop from SQL injection vulnerabilities.
If you use any of these tools that Microsoft is recommending, don't be lulled into the false sense of security that they can provide. As we can see, many free scanning tools have all kinds of limitations that will only provide the most basic of testing or only work provided that very specific technology conditions and phases of the moon exist.
I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post wrote up this clarification today. I like Robert and actually did an interview with him back in January related to PDF spam which posted to his blog, but I think his original article not only missed the mark, but could very well have generated a lot of confusion with junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.
The July 2008 edition of PC Magazine has a short story on page 92 titled "Hacked Through the Heart" which references a paper published at secure-medicine.org discussing the possibility of hacking the human body through wireless reprogrammable Implantable Medical Devices (IMDs) such as pacemakers. These attacks could lead to effects such as changing the settings on the pacemaker or even disabling it entirely! The paper also goes into detail as to how some of these attacks would take place.
Although the paper mentions that as of right now these are theoretical scenarios, the more important point to remember is that these IMDs are driven by software and "where there is software, there are vulnerabilities" and "where there are vulnerabilities, there will be exploits." I could easily envision a scenario where this creates a Cyber Hitman of the Future where hits are carried out in such a way that they would be virtually untraceable and if executed correctly could have an elapsed time effect where the full damage of the attack may not materialize for days, weeks, or even months after it initially occurred.
On a lighter note, this certainly gives new meaning to the term "Insider Threat" (I'm funny on a Friday :) )
Worm Alert!
We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site that contains an ActiveX malware component. Our Threat Operations Center started seeing these messages at about 6am today and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours). From what we can tell thus far, the malware appears to be related to the Srizbi botnet.
There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories. Here are some example subject lines that we have seen so far:
Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation
The messages themselves are one-liners followed by a link to a YouTube look-alike site called PornTube where the user is prompted to install a malicious ActiveX control. Most of the links that we have seen thus far point to a file named r.html at the end of the URL, such as (obfuscated since most are still hosting active malware at the time of this posting):
hxxp://envol-restaurant.com/r.html
hxxp://spizarnia.nazwa.pl/r.html
hxxp://wandea1.wandea.org.pl/r.html
Upon visiting these sites you will see the PornTube site in the background and you get the following popup window:

If you click OK, the ActiveX control is installed and your PC is infected, however clicking the Cancel button displays this popup:

At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window. The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).
Keep on the lookout for these as they are currently being distributed in fairly high volumes.
*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour. Looks like this one hit quick and is now tailing off.
Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new Earthquake in China.
Some of the subject lines associated with these messages include:
2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China
Toll mounts in China earthquake
Unprecedented earthquake in China
This is a pretty typical tactic for Storm: ride on the wave of current events as a social engineering lure to get users to click on links in emails. This variant is primarily targeting the Chinese earthquakes, but there is also a mention of the Beijing Olympics as well stating that the Olympics will be "under the threat."
If a user clicks the link within one of these emails, they are not immediately infected with Storm. They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:

It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.
Volume of this variant is pretty low. We are currently seeing on the order of about 900 per hour in our Threat Operations Center. Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer.
Last week I had the privilege of attending the 13th General MAAWG Meeting in Heidelberg, Germany (I serve as the co-chair of the Zombie/Botnet Subcommittee with my friend Ken Simpson from Mailchannels).
The MAAWG conferences are a great opportunity to meet and talk with some of the best minds in the anti-spam industry, discuss anti-spam tactics, operational best practices (what works and what doesn't), how to be a responsible ESP, and many other topics. Although MAAWG is largely run by ISPs, its mission is to also bring together both email senders as well as email receivers in a collaborative environment where both sides can attempt to work out best practice solutions so that senders can achieve better deliverability rates at the large mailbox providers, a constant struggle for ESPs.
If you are a messaging vendor or provider (and this includes both email filtering vendors as well as email senders) or an ISP, you are doing yourself a disservice by not becoming a member of an organization like MAAWG, where ideas, practices and upcoming threats are shared that you are very unlikely to hear about anywhere else.
This has been an unpaid advertisement :)
Before I close, I'd be remiss if I didn't bring up something security related in this post. So, I am standing in the security line at Denver International Airport about to go through the metal detector when the guy who was working behind the conveyor belt asks me and the woman behind me the standard "Any liquids, gels, or aerosols in your bag?" before our bags went into the X-Ray machine. I just look at him and say "No", but the woman behind me responds with "Not that I know of." Apparently this set off the ire of the TSA worker who immediately responded with "Not that you know of?! Don't you know what is packed in your bags, ma'am?" I'd never seen a TSA worker move so fast, but her bags were immediately yanked off of the conveyor, she was pulled out of line, and then was escorted by 2 TSA workers to wherever they take you likely to inspect every minute crevice of her bag.
For all of the flak that the TSA gets for either bad procedures or lack of attention to detail, you would think that as travelers it is also our responsibility to know the basic responses to the simple questions security officers may ask. The questions are neither tricky nor confusing. I guess this woman had to learn the hard way...
I wonder if the folks over at Google got the message that service providers had finally had enough of dealing with the backscatter that was coming out of their mail servers because it has also significantly dropped off since we first started talking about it back in April. Backscatter (bounce messages attempting to be delivered to users that do not exist) rates from Google were over 50% on some days. This means that over 50% of the total mail that we were receiving from Google were these invalid bounces. The backscatter rate has dropped now to about 2% of the total mail from Google. That is still higher than what most would call acceptable, but when you are comparing over 500k messages per day to about 10-15k, I would say that is a significant improvement no matter how you slice it.
Unfortunately, though, the problem has shifted from backscatter to 419 phishing scams. A 419 phishing scam is the advance fee fraud type of scam where, for a small amount of money up front, you are promised much more in return. 419 scams are also typically called Nigerian Scams. The term 419 comes from the section of the Nigerian Criminal Code that deals with fraud.
Although still about 25% of the email that we get from Google's network is spam, the traffic has shifted from about 50% backscatter to about 50% phishing, in particular from IP addresses that start with 72.14.204, 72.14.214, and 72.14.246.
This is certainly not intended to single out Google either as they are not the only free webmail provider that we see enormous amounts of spam from. We see plenty from Yahoo and Hotmail as well. Google is the main provider on everyone's radar right now because of the quickly changing nature of attacks against their system and the rapidly changing view across many different industries of the viability of using Google as their business mail host. More and more legitimate businesses are having trouble sending email from their hosted GMail accounts to service providers because Google's mail servers are ending up on block lists with increasing regularity, a trend that is only gaining momentum amongst industry insiders.
Since February we have made several mentions of Google Spam and its migration from benign redirects to Canadian Pharmacy sites to malware distribution via fake Osama bin Laden videos. We also saw a Storm Worm campaign which alleged to be a video codec that used this same technique.
Since February Google spam had accounted for anywhere between 1-5% of total spam volume, but over the past couple of weeks has all but completely disappeared.
Where did it go?
It seems to have migrated over to Microsoft's Live SkyDrive service. If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.
Here is the basic premise on how this tactic works:
-- Email is received with a link to a document hosted on the SkyDrive service with some sort of social engineering lure as bait. The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $filename.html is the name of the hosted file)
-- User clicks the link to the file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website
-- The redirected web site is displayed in the user's browser and any background code is executed, which could include the drive-by injection of malware just as we saw with Google Spam.
The HTML file being hosted on SkyDrive is a simple, one-line script:
<html><script language=JavaScript>window.location.replace("hxxp://songkhlong.com")</script></html>
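A hosted "document" that carries no visible content and immediately sends the browser to another domain is the signature of this tactic, whichever host is abused. The following is an added example (not from the post or from MX Logic) that checks the fetched HTML of a shared-document link for exactly that; the sample pages, the placeholder destination domains and the hosting name taken from the URL template above are constructed assumptions.

```python
"""Detect a hosted document that is nothing but a redirect off the hosting site.

Runs over the fetched HTML of a file-hosting link (SkyDrive, Google Docs or
any other shared-document host) and reports whether the page carries no
visible text and immediately sends the browser to another domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# window.location.replace("..."), location.href = '...', location.assign("...")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"""
    r"""(?:=|\.replace\s*\(|\.assign\s*\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="0;url=http://...">
META_REFRESH_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s;>]+)""", re.IGNORECASE)


class _PageCollector(HTMLParser):
    """Pull out script bodies, meta-refresh targets and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts, self.meta_refresh, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            a = dict(attrs)
            if (a.get("http-equiv") or "").lower() == "refresh":
                self.meta_refresh.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)          # script source, delivered raw by HTMLParser
        elif data.strip():
            self.text.append(data.strip())     # anything a user would actually see


def analyze_hosted_page(html, hosting_host):
    """Return redirect targets and whether the page is a bare off-site redirect."""
    c = _PageCollector()
    c.feed(html)
    c.close()
    targets = []
    for body in c.scripts:
        targets.extend(JS_REDIRECT.findall(body))
    for content in c.meta_refresh:
        targets.extend(META_REFRESH_URL.findall(content))
    hosting_host = hosting_host.lower()
    offsite = sorted({urlparse(t).hostname for t in targets
                      if urlparse(t).hostname and urlparse(t).hostname != hosting_host})
    visible_chars = sum(len(t) for t in c.text)
    return {
        "redirect_targets": targets,
        "offsite_hosts": offsite,
        "visible_text_chars": visible_chars,
        "bare_offsite_redirect": bool(offsite) and visible_chars == 0,
    }


# Constructed samples.  The first mirrors the one-line script quoted in the post
# with a placeholder destination; the hosting name comes from the post's URL template.
HOSTING_HOST = "hostname.bay.livefilestore.com"
SKYDRIVE_REDIRECT = ('<html><script language=JavaScript>'
                     'window.location.replace("http://pharmacy-placeholder.example/")'
                     '</script></html>')
META_REDIRECT = ('<html><head><meta http-equiv="refresh" '
                 'content="0;url=http://other-placeholder.example/x"></head></html>')
REAL_DOCUMENT = ('<html><body><h1>Q2 planning</h1><p>Agenda and notes for the '
                 'offsite.</p><script>console.log("loaded")</script></body></html>')

if __name__ == "__main__":
    for name, page in [("skydrive", SKYDRIVE_REDIRECT), ("meta", META_REDIRECT),
                       ("document", REAL_DOCUMENT)]:
        print(name, analyze_hosted_page(page, HOSTING_HOST))
```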
Currently, SkyDrive Spam is accounting for a little over 1% of the total spam that we are seeing in our Threat Operations Center which means that it is currently as prevalent as both phishing and gambling spam. I don't believe that we have seen the last of Google spam, but focus definitely appears to have moved toward Microsoft for the time being.
As a side note, McAfee originally reported seeing large influxes of SkyDrive Spam back in January so SkyDrive spam isn't a new tactic, however it has dramatically increased in prevalence since the dropoff of Google Spam about 2 weeks ago.
*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic. I just came across the below message (note the link at the bottom) from one of our spamtraps which hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):
Hi fellow
Is the Rising Cost of Prescrlption Drugsare cause of concern?
The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.
You can cut your Medicalbilling.
Simple Way to Cut Your Prescrlption Costs optfor Generic.
Genericpharmacy: A Cheaper Effective Alternative
Forget about huge spendings You can save upto 8O%
Hugesaving because the solutions is directly from manufacturer.
hxxp://docs.google.com/View?docid=3Dddsz3hdh_0wwwmrbm3
Amateurs....
As I was going through one of our spamtraps a few minutes ago I saw a brand new message come in which claimed to be a CNN News Update. This was especially interesting to me because none of our spamtraps subscribe to any updates from CNN (or any other news organization for that matter).
So I started to do a little digging....
Below are the (somewhat elided) headers:
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
<news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
[61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
(8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
If you are not sure how to read email message headers, here is basically how this message breaks down: It originated from a static DSL customer in India (dsl-KK-static-static-237.201.95.61.airtelbroadband.in) and routed through Taiwan (mail.tfmi.com.tw), then sent to our spamtrap.
Whoever is sending these spam messages either doesn't know what they are doing or is testing the waters for an upcoming spam/malware run. Here's why:
When I opened this message in an email client, the HTML within the message never attempted to render. Why? Because the content type of the message was set in the message header as plain text. This means that the email client should not attempt to render the HTML (show it as it would appear on a web page) but rather display the raw HTML text to the user. Only the truly geeky, like me, would take the time to actually analyze this gibberish.
Also, the email had every link within the message (including the help text at the bottom of the message which is supposed to link to the CNN web site) pointed to a web site hosted in Italy. Here is an example taken directly from the email:
For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a> and choose the "Help" link on any page.<br> If you do not want to recive any more news from CNN <a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!</span></font> <font color="#808080" face="Arial"></font></p>
There doesn't appear to be anything malicious on the page being linked to at colectionarul.com (at least right now), which leads me to believe that this was either someone who didn't know what they were doing and thus sent out a horribly broken spam message or someone who was doing a test run and that this was a prelude to more current event based social engineering tactics similar to what started the huge Storm Worm outbreaks in January 2007.
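The three things done by hand above (reading the Received chain origin-first, noticing HTML declared as text/plain, and seeing that every link leaves the claimed sender's domain) can be automated. The following is an added example (not from the post or from MX Logic) run over a constructed message assembled from the elided headers and link snippet quoted above; the From: header is assumed, since the post only shows the envelope sender, and the "hxxp" defanging is kept as-is.

```python
"""Triage a spoofed "news update" email like the one in the post.

Three checks a mail analyst runs by hand are automated here: rebuild the
Received hop chain origin-first, flag an HTML body that the headers declare
as text/plain, and list the domains the links actually point to.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample assembled from the (elided) headers and the link snippet
# quoted in the post.  The From: header is assumed (the post only shows the
# envelope sender); the "hxxp" defanging from the post is kept as-is.
SAMPLE_MESSAGE = """\
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
 XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
 id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
 <news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
 [61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
 (8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
From: CNN News Update <news@cnn.com>
Subject: CNN News Update
Content-Type: text/plain

For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a>
and choose the "Help" link on any page.<br> If you do not want to recive any more news from
CNN <a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"\(([\w.-]+)\s+\[\d")          # "(rdns.name [1.2.3.4]"
HELO_RE = re.compile(r"\(E?HLO\s+(\S+)\)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
ENVELOPE_RE = re.compile(r"envelope-from\s*<?([^\s>)]+)", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HTML_TAG_RE = re.compile(r"</?(a|br|p|font|span|html|table|div|img)\b", re.IGNORECASE)


def _unfold(value):
    """Join the continuation lines of a folded header into one line."""
    return re.sub(r"\s+", " ", value)


def parse_hop(value):
    """Extract the interesting tokens from one Received: header."""
    v = _unfold(value)

    def pick(rx):
        m = rx.search(v)
        return m.group(1) if m else None

    return {"from": pick(FROM_RE), "ip": pick(IP_RE), "rdns": pick(RDNS_RE),
            "helo": pick(HELO_RE), "by": pick(BY_RE)}


def triage(raw):
    msg = email.message_from_string(raw)
    received = msg.get_all("Received", [])
    # Each relay prepends its own Received: header, so the bottom one is the origin.
    path = [parse_hop(h) for h in reversed(received)]
    envelope_from = None
    for h in received:
        m = ENVELOPE_RE.search(_unfold(h))
        if m:
            envelope_from = m.group(1)
            break
    body = msg.get_payload()
    content_type = msg.get_content_type()
    links = HREF_RE.findall(body)
    link_hosts = sorted({urlparse(u).hostname for u in links if urlparse(u).hostname})
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()

    def on_sender_domain(host):
        return host == sender_domain or host.endswith("." + sender_domain)

    return {
        "path": path,
        "envelope_from": envelope_from,
        "content_type": content_type,
        # A client will show HTML declared as text/plain as raw markup (the post's point).
        "html_in_plain_text": content_type == "text/plain"
                              and HTML_TAG_RE.search(body) is not None,
        "link_hosts": link_hosts,
        "links_off_sender_domain": bool(link_hosts)
                                   and not any(on_sender_domain(h) for h in link_hosts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE)
    for hop in result["path"]:
        who = hop["rdns"] or hop["helo"] or hop["from"]
        print(f"{hop['ip'] or '?':16} {who:55} -> {hop['by']}")
    for key in ("envelope_from", "content_type", "html_in_plain_text",
                "link_hosts", "links_off_sender_domain"):
        print(f"{key}: {result[key]}")
```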
Thanks to James in our Threat Operations Center for forwarding me a sample of one of the funnier phishing tactics that I have come across. I thought an appropriate name for this type of scam would be "Dead Phish."
Here is a copy of the email (in all its unedited glory, filled with spelling and grammatical errors):
Dear Sir,
We are in receipt of a Death Certificate certifying you dead and seeking the transfer of your over due contract funds to an Account in London.
All the local financial contractural obligations have been met and the funds is ready for transfer to the London account.
Please understand that if we do not hear from you in the next 7 days we shall treat you as dead and the funds shall be duly transferred.
You have been notified.
If this is false please write and let us have an affidevid to counter
this claims.
Yours faithfullly,
Mrs.callister Ibe
Chairman of Contract Review Panel
Phone:234-805-6135520.
This is another phish by phone tactic similar to what I have blogged about previously where the scammers are avoiding using web site links within their messages in an attempt to get by URL filters and built-in browser phishing detection.
My favorite part is where it says "You have been notified." What if I were actually dead? It's true that you can get your email just about anywhere nowadays, but I never knew that also extended to beyond the grave! This was a good way to start the post-holiday work week.
Sometimes the depths to which spammers will stoop really sickens me.
Even in today's criminally infested internet I sometimes naively hope that there is still some kind of Code of Conduct under which trying to capitalize on certain catastrophic events is considered taboo. As we've seen before, such as with the devastation caused by Hurricane Katrina back in 2005, the Indian Ocean tsunami in 2004, and now with the earthquake and aftershocks that have already killed over 28,000 people in southwest China's Sichuan province over the past week and a half (with estimates that the death toll will be over 50,000 before the final counts are tallied), scams looking to tug at both your heart strings and purse strings have started popping up.
I'll abbreviate the message that we received for the sake of brevity (it's about the longest phish I have ever seen) as it gives a fairly detailed account of the plight of the person allegedly sending the message:
Dear friend,
I don't know your exact name. I can only guess.
I ask you to read my letter up to the end. After that you will be in the right to send my letter in a garbage basket or.......
My letter is caused by despair. I don't know to whom to address. I am compelled to ask for help any person. Namely you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.
My name is Arnulfo. My situation plunges me into depression and despair.
I will tell you shortly. I do not even know how to express correctly my thoughts. How to write you about it. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it's stupid or incorrectly. But it's the only thing that is left to do. I just ask to understand me. I even must say that it is a shame to do it.
I will continue. I don't know where you are. And I do not know what news you watched on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it's awful...
Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we
could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese
language and culture. There I also have got acquainted with Jin It's my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.
All. Everything was good. Yes, everything was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not want to describe that occured with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife's parents. Jin was in despair.
But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one output. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I could not stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I do not know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.
[ SEVERAL UNIMPORTANT PARAGRAPHS REMOVED ]
Also some kind people which know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1500$. I have no opportunity to find such sum of money. I tried all ways to find thó money. I do not wish to think that money solve everything in this world. I believe that the main thing is people and love. And I want to believe that I will be able to be beside my Jin soon . We are sure will be happy together.
Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I shall understand you.I I address to you for a help. Your help is required to me. I will tell directly that I ask you to help me with money. I will return you money
later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I shall see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I shall return the money to you in the same way. I am ready to return you more.
I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.
I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have compelled me to write this letter to you. I wish to use all variants To be near to my love.
And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.
I don't know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:
arnulfoqramos@yahoo.com.ph
I have registered it right now. I shall wait fo your answer to this e-mail. If you want to answer me
Yours faithfully Arnulfo
The words that I want to use to describe people who would try to capitalize on an event that has affected hundreds of thousands of people aren't appropriate for a corporate blog, nor for any other conversation for that matter. Every time I see these types of things, it further lowers my faith in humanity.
Please be on the lookout for this and other related scams over the coming weeks as we are sure to see more of them, likely alleging to be from relief organizations and/or companies who claim to be affiliated with them.
If you wish to make a donation to your favorite relief organization to help them to provide assistance to people around the world being affected by these horrific natural disasters please contact them directly. Do not respond to solicitations via email, even if they look legitimate or come from an email address that potentially looks legitimate.
*** UPDATE 5/21/2008 11:20am MDT *** Here are some of the subject lines that we are seeing associated with this scam:
-- Help me
-- Help me please. Read through the letter
-- Last hope. Help me please
-- I ask to help. Please
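As an added example (not part of the original post or any MX Logic tooling), here is a small triage script that flags messages like the one above. It normalizes subject lines so the four reported subjects still match with different punctuation or capitalization, adds points for the letter's characteristic body phrases (a Western Union pickup, a direct request for money, a promise to repay, a just-registered reply address), and adds a small bonus when the reply-to sits on a free webmail domain. The sample messages, the free-webmail list and the point weights are constructed for the example; the subject lines and the reply-to address are the ones the post reports.

```python
from __future__ import annotations
import re

# Subject lines reported in the post's update.
KNOWN_SUBJECTS = [
    "Help me",
    "Help me please. Read through the letter",
    "Last hope. Help me please",
    "I ask to help. Please",
]

# Body phrases lifted from the quoted letter; each carries a short label for the triage report.
BODY_PATTERNS = [
    (re.compile(r"\bwestern\s+union\b", re.I), "wire-transfer pickup requested"),
    (re.compile(r"\bhelp me with money\b", re.I), "direct money request"),
    (re.compile(r"\breturn (you|the) money\b", re.I), "repayment promise"),
    (re.compile(r"\bI have registered it right now\b", re.I), "reply address registered just now"),
]

# Constructed list (assumption for the example): a free-webmail reply-to is only
# weak evidence, so it counts only when something else already matched.
FREEMAIL_DOMAINS = {"yahoo.com", "yahoo.com.ph", "hotmail.com", "gmail.com"}

# Constructed sample mailbox. Message 0 mirrors the quoted letter, 1 is ordinary
# business mail, 2 is a subject variant, 3 mentions Western Union legitimately.
SAMPLE_MESSAGES = [
    {"subject": "Help me please. Read through the letter",
     "reply_to": "arnulfoqramos@yahoo.com.ph",
     "body": ("I ask you to help me with money. I have been explained that I will be "
              "able to receive money in Western Union. I will return you money later. "
              "I have registered it right now.")},
    {"subject": "Re: Q3 budget review", "reply_to": "alice@example.com",
     "body": "Attached is the revised spreadsheet for Thursday."},
    {"subject": "Last Hope - Help Me Please!", "reply_to": "someone@hotmail.com",
     "body": "Please read my letter. I need to get money through Western Union."},
    {"subject": "Expense reimbursement", "reply_to": "finance@example.com",
     "body": "Finance can reimburse via Western Union if you are travelling abroad."},
]


def normalize(text: str) -> str:
    """Lowercase, drop punctuation and collapse whitespace so that
    'Last Hope - Help Me Please!' matches 'Last hope. Help me please'."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


NORMALIZED_SUBJECTS = {normalize(s) for s in KNOWN_SUBJECTS}


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Subject match = 3, each body phrase = 2,
    free-webmail reply-to = 1 (only if something else matched)."""
    score, reasons = 0, []
    if normalize(msg.get("subject", "")) in NORMALIZED_SUBJECTS:
        score += 3
        reasons.append("subject matches reported scam subject")
    body = msg.get("body", "")
    for pattern, label in BODY_PATTERNS:
        if pattern.search(body):
            score += 2
            reasons.append(label)
    reply_to = msg.get("reply_to", "")
    domain = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else ""
    if score > 0 and domain in FREEMAIL_DOMAINS:
        score += 1
        reasons.append("reply-to on free webmail domain")
    return score, reasons


def is_suspected_scam(msg: dict, threshold: int = 4) -> bool:
    """A single weak signal (one phrase, or webmail alone) stays below threshold."""
    return score_message(msg)[0] >= threshold


def triage(messages: list[dict]) -> list[tuple[str, int, list[str]]]:
    """Score every message; returns (subject, score, reasons) for reporting."""
    return [(m["subject"], *score_message(m)) for m in messages]


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_MESSAGES):
        flag = "SCAM?" if score >= 4 else "ok   "
        print(f"{flag} {score:2d}  {subject!r}  {reasons}")
```

The threshold matters: a legitimate finance note that mentions Western Union scores 2 and is left alone, while the letter's combination of a reported subject, the money plea and a throwaway reply address scores well above it. Subject matching alone is brittle, which is why the body phrases carry most of the weight.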
According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS."
One of the ideas I have been raising since we first started talking about drive-by pharming (aka the DNS rebinding attack) is that similar vulnerabilities could be exploited to move malware infections closer to the network edge and create a "router bot": a compromised router used to distribute spam, viruses, and malware much as PCs are used today. This would be even harder to detect than a PC-based malware infection, because as far as I know no rootkit or malware detection engines for network devices exist yet (please do correct me if I am wrong here), although this may well create a market for them. Would you be able to easily tell that your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage? Not likely.
One of the things that concerned me from the article was the quote from EuSecWest conference organizer Dragos Ruiu where he said that "nobody thought you could actually build exploits for Cisco." This is a dangerous attitude to have for any software application. I like to say "Where there is software, there are vulnerabilities." This is often followed by "Where there are vulnerabilities, there are exploits" although far more vulnerabilities exist than there are exploits written for them.
One should never assume that software is hacker-proof. It very well may be (however unlikely), but even making that assumption, or suggesting it, means you have already let your guard down. Always remain diligent in your pursuit of security!
Ok, I'll step off my soapbox now. Have a great weekend!
I wanted to take a moment to respond to the New York Times article that appeared on their website on May 10th with respect to mobile phone spam.
Up to this point the United States has largely missed the boat on mobile phone spam, mainly because the problem here pales in comparison to the rest of the world. When it does become more of an issue here, however, it will be all the more problematic for consumers. In the United States your cell phone number very much becomes tied to your identity. If you change your cell phone number it is a real pain to make sure you notify everyone in your contact list (family members, friends, colleagues, etc.) that you can no longer be reached at your old number. Combined with the cell phone number portability introduced a few years ago, this makes it simple to switch carriers and keep your number, which hadn't previously been possible. In some other countries, like Japan where mobile spam is a huge problem, cell phone numbers are throwaway. When the Japanese start getting spam on their cell phone, they change numbers until the new number starts getting spammed. Rinse and repeat.
In the United States there has mostly been a wait-and-see mentality toward mobile spam, but few who have received spam on their mobile phone would disagree that it is an issue that needs to be addressed.
Let's look at it from the carrier's perspective first, though. The article states that "Communications companies say they are not interested in spam as a profit center." I would say that "publicly" this is true, but if you look at it from a sheer numbers perspective, the carriers are already making big money as a result of mobile spam. Let's use the following statement from the article: "getting as few as 10 unsolicited text messages a month at 20 cents each would cost an extra $24 a year".
Here is where the numbers game really kicks in.
If you assume 10 unsolicited text messages per month (which is a lot in my opinion!) this equates to $2 per month (using their pricing model). Surely some people will wait on the phone on principle alone in order to fight this additional $2 charge on their bill every month; many, however, will decide that the long telephone wait to fight the charge and get it removed is simply not a productive use of their time and will leave it alone. This, of course, raises the question of where the breaking point is: at what point do the lines cross so that it becomes an efficient use of time to fight the charge? The answer will lie with each individual consumer.
Where was I? Oh, yes! Security!
The article mentions that "The carriers regularly adjust spam filters to block offending messages. At Sprint, more than 65 percent of all text messages sent over its network are identified and blocked as spam before they reach customers." Spammers are aware that spam filtering for SMS is still not very mature. As such, it is a target that is more easily exploited than email spam. To look at this as a cynic: given the amount of revenue being generated, is stopping it really something the cell phone companies are putting considerable money toward?
I, as well as many others across the security industry, have been predicting the wider-scale movement of spam to mobile devices for the past couple of years now, and have also discussed how much easier that movement is becoming as the inbox and the personal computer become a lot more mobile. I wouldn't yet say that we have turned the corner on mobile spam, nor would I say that we are on the verge of an epic increase, but the problem definitely continues to grow as the filtering technology lags behind. Mobile malware continues to grow as well, albeit not nearly at the same rate as personal computer based malware. Now that most phones are coming with internet access, however, the protections on those devices need to be at least on par with what is being provided for PCs.