REMINDER: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog. Please continue to follow me there.
In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette. The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":
If the recipient follows the link to the monopoly2009.com web site, they are greeted with a web page that actually looks fairly well done advertising the Monopoly "game" and encouraging the user to download using several links dispersed throughout the page after giving a brief history of the game and providing some fun facts.
No code is injected on the user's computer just by visiting the web page. They need to download and install the monopoly.exe executable file that the site tries to deliver. The executable file is just the first stage of the process, however. A fairly common tactic deployed by hackers is that the code installed by the web site download is only the beginning. At this point the trojan is activated on your computer, and now it goes out to another computer behind the scenes and downloads the second stage of the malware, the piece that turns your machine into a spam-sending zombie touting Canadian Pharmacy products.
As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now. Don't be fooled. This is merely a counter of how many people have visited the page thus far.
Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS. We are currently observing traffic averaging about 90,000 messages per hour using this tactic.
The email, which appears to come from no-reply@irs.gov, is attempting to get recipients to believe that they misreported their income on their taxes and that the IRS is giving them an opportunity to fix it.
The email provides a link for the user to view their recent tax statement online. This link does not directly infect the user's machine, but instead directs them to a website where the malicious code is being delivered from.
If the user clicks on any of the links on this page, they are directed to download an application called tax_statement.exe. As of the time of this posting, AV detection for this new variant is low.
Please remember that the IRS does not know your email address and will not conduct official business with you over email. Any email purporting to do so is a scam and should be deleted immediately.
In my copious amounts of spare time one of the things that I like to put thought into is where I believe the Threat Landscape is headed. Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that. I'm just using this as a reference point) we've gone from mass mailing viruses to network worms that run through your network compromising any vulnerable host as quickly as it can to social engineering tricks that sometimes even make it difficult for the trained professional to tell whether something is real or fake.
So, the question that I pose to myself is "What's Next?" Taking even just the events of the last decade into account, where are we headed for the next few years? Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today.
Since this is a blog post, I'll try to keep this relatively brief. Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today. I like them and I've had the opportunity to write for them twice now) at some point soon.
Some things to think about:
-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices around the country as to whether or not their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization. Given that the latest USB 3.0 spec, released in November 2008, allows for data transfer speeds of about 5Gb per second, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before. Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft. We need to make sure we are putting as much focus on protecting our sensitive assets from insiders, who have much easier access to proprietary data, as we do on keeping the external threats at bay.
-- VoIP
Voice over IP (VoIP) technologies are being adopted at an ever increasing rate. This is happening not only in the enterprise space, but in the consumer market. Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state. VoIP implementations at organizations are becoming ever more popular as well. As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like. Throw-away phone numbers used to make spam phone calls have started to become more common. There are services available online which allow you to purchase throw-away numbers in blocks. Spammers can use and abuse these numbers just as they do IP addresses now.
Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities. Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users. As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data.
-- Mobile Malware
Let's face it. The phones that we carry in our pockets are little personal computers. Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on. I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ). As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don't get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device. The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market. The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices. Secure sandboxing of third party applications is a must, but that is only a start. Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.
-- Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window. This has really opened the door for cyber criminals. With the data that is now available online through the use of social media sites like Facebook, Myspace, and Twitter, criminals can much more easily target attacks to specific individuals or groups of individuals using data made available via public profiles or geolocation tools that map your IP address to what town you live in (or near), so that they can deliver compelling content which directs you to malware-infected downloads (à la the Waledac botnet). The Web of Trust that exists between users on social networking sites is being actively exploited by hackers looking to take advantage of the fact that users will click on whatever their friends send to them. It's already been proven that people will click on links and open attachments from people they don't know, so why would they judge more closely the content from those that they do?
-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause. Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely.
These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromise of legitimate web sites, and the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road. Hackers will go where the money is and the money is where the people are. So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available because in their eyes the goal is to make money regardless of the available technologies, and if one person can be the one to figure out how to exploit a technology for their own financial gain before the others they'll end up getting the lion's share of the notoriety as well as beat defense mechanisms to the punch.
Our Threat Operations Center has recently noticed a new type of phishing campaign attempting to phish login credentials to Yahoo!'s Local Search Marketing tool. This is similar to the Google Adwords phishing campaign that we reported back in May 2008 attempting to obtain login credentials to Google's Adwords site from customers. In this instance the email that is being sent is spoofing a from address @yahoo-inc.com (Yahoo's internal email domain) and trying to convince the user that their account is about to be suspended. Sounds like just about every other phishing campaign, right?
The phish reads as follows:
Dear Advertiser,
We just want to remind you that, on August 25, 2009, your Local Sponsored Search account will be discontinued. You will be upgraded to a new Sponsored Search account with geo-targeting and other great new features.
Please note the following: In order for us to upgrade your account you need to verify your user/password of your account. Please remember to input your Sponsored Search user and password correctly NOT your email and password.
Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm
Sincerely,
Your Partners at Yahoo! Search Marketing Copyright 2009 Yahoo!, Inc. All rights reserved.
Note the generic nature of the introduction, which should generally be one of your first tipoffs that the email is not authentic. If you have a personal relationship with a company and they want to send you an important email communication, they will use your real name. Also note the missing period between "onlinemarketing" and "yahoo" in the URL. If you weren't looking closely, this could easily be missed by someone reading the email. Even if the period were present, the actual URL for Yahoo!'s Local Advertising tool is "searchmarketing.yahoo.com", not "onlinemarketing.yahoo.com", and this point might also be missed by the casual recipient.
The potential audience being targeted by this email is somewhat limited because it will only make sense to those who are customers of this Yahoo product. That rarely seems to stop most spammers.
Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites. This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.
The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites.
We are starting to see a new wrinkle where hackers are using already popular Google Trending Topics, the search criteria that users are interested in and looking for through Google, to determine what users already want to see. They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity. No work is required on a hacker's part to organically generate interest. That interest is already being generated by high profile news stories, which have already been shown to be very effective through the many iterations of Storm and Waledac over the past couple of years.
An example is being reported by Dan Kaplan at SC Magazine, where he said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter who was recently videotaped through a peephole camera. These fake websites are being used to inject malware onto curious users' computers. They could also very easily be used in phishing campaigns to steal users' personal information.
Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post.
Roger Thompson, Chief Research Officer at AVG Technologies, said in an article posted on Network World that the latest vulnerability in Microsoft's Video Controller ActiveX library could be the next Conficker.
I very much disagree with that sentiment.
Conficker was similar to the Slammer worm from back in 2003, where no overt action was required on the part of any individual person to get infected. You could get infected simply by being out of date on security patches. The current DirectShow exploit requires a user to visit a malicious web site (links to sites hosting the exploit code are currently being sent out in spam emails) to get infected. Also, the user must be an admin on their computer to get infected by the DirectShow exploit. Most people do run in this mode, however, so that won't be much of a hurdle to clear, but the requirement that a user must visit a web site hosting malicious code is a tactic that users are becoming more accustomed to avoiding.
There are some similarities here that are worth pointing out, however.
For starters, there are claims that Microsoft knew about this vulnerability well in advance of exploit code being released for it, but neglected to patch it. This makes sense considering Windows Vista and Internet Explorer 8 are not vulnerable to this exploit, but Windows XP and Internet Explorer 6 and 7 are. This does raise the question, though, of why Windows Vista is not vulnerable, since it has been out for well longer than the exploit has supposedly been known by Microsoft. This is similar to the Conficker situation because the MS08-067 vulnerability that allowed that worm to appear was also being exploited for about a month prior to Microsoft releasing an out-of-band patch for it. Unfortunately, at that point the damage had already been done and, regardless, most of the machines that were infected with Conficker are running versions of Windows XP that had never installed a single Microsoft security update (see research at http://mtc.sri.com/Conficker).
Anyway, I digress from my point. Although I do believe that the DirectShow exploit is significant and that the out-of-band patch that Microsoft released to address it is absolutely the right thing for them to have done (as opposed to waiting for their typical Patch Tuesday release next week), I believe it is blowing the situation out of proportion to say that this will be the next Conficker.
As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware infected web site.
All of the messages that our Threat Operations Center have observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic used many times by the Storm/Waledac folks previously.
Some of the subject lines that we have seen thus far include:
Amazing firework 2009
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
Fourth of July Fireworks Shows
God Bless America
Happy Birthday America!
Happy Birthday USA!
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Let the fireworks begin!
Let's celebrate Independence Day
Light up the sky
Long Live America
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Stripes Forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
This Land Is Your Land
Time for Fireworks
Well done 4th!
Traffic so far has been pretty modest, only at about 2,500-3,000 per hour and is likely being mitigated by the fact that many companies have given their employees July 3rd off this year in observance of the fact that this year's United States Independence Day holiday is on a Saturday.
Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:
The site to which the link in the email lures users claims to be a video of a fireworks show, but is actually a download of an executable file (video.exe) that, when run, will infect the user's PC. So far all of the links that our Threat Operations Center has observed have been subdomains of the "moviesfireworks.com" domain; however, our team is on the lookout for more, and this post will be updated as necessary.
Below is a screen shot of the fake video web site.
Here's to everyone having a safe, happy, and malware free July 4th holiday :)
In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds. This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.
This new tactic is similar to the two previous instances that we have seen over the course of the last 3 weeks where emails were being sent out that claimed to link to updates for Microsoft Outlook and Outlook Express. The previous emails were text-based, however, and outside of using the names of Microsoft products as a lure, didn't contain any convincing social engineering to persuade the recipient that the message was authentic. This new tactic goes one step further to create an HTML-based message that looks similar to the formatting one would see when viewing a Microsoft Tech Bulletin.
A screen shot of the received message is below:
As you can see, this isn't the full message, but the pertinent parts are included. There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic.
The creators of this new variant also put a little extra care into how they crafted the URL used in the email. As you can see from the example above the display URL appears as if it is going off to update.microsoft.com, which isn't uncommon. In the background these links are typically either going directly to an IP address or to a domain that is clearly not associated with the company they are spoofing. The tactic being used here is the latter of the two, but you have to pay close attention because if you just quickly glance at the URL, you'll miss something important.
For example, here is one of the URLs that our TOC observed:
You'll notice that the link is really going to "hfhilf.com", clearly a domain not associated with Microsoft, but prepended to the domain is "update.microsoft.com" followed by a query path that looks very much like it could be a legitimate Microsoft Office update path.
As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft. Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification.
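The two URL tricks described in this post and in the Yahoo! Search Marketing phish above (a brand name glued into an unrelated domain such as "onlinemarketingyahoo.com", and a brand's host name prepended as subdomain labels to an unrelated domain such as "hfhilf.com") can both be caught by asking one question: what is the registrable domain the link actually resolves to, and does the brand own it? The following is an added Python example, not code from the original blog or from MX Logic; the public-suffix subset, the trusted-domain list and the sample links (reconstructed from the descriptions in these posts) are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny subset of the public suffix list.
# Assumption: a real deployment loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk"}

# Domains the brands mentioned in these posts actually own (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "yahoo.com", "irs.gov"}


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label) of a host,
    or None if the host is itself a public suffix or cannot be parsed."""
    labels = host.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return None
    # Try the longest candidate suffix first so that co.uk wins over uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def assess_url(url, trusted_domains=TRUSTED_DOMAINS):
    """Classify where a link really goes relative to the brands it claims."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "bare-ip"  # link goes straight to an IP address
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg is None:
        return "unparseable"
    if reg in trusted_domains:
        return "trusted"
    for trusted in trusted_domains:
        # e.g. update.microsoft.com.hfhilf.com: the brand's labels sit to
        # the left of a registrable domain the brand does not own.
        if f".{trusted}." in f".{host}.":
            return "brand-as-subdomain"
    brand_tokens = {t.split(".")[0] for t in trusted_domains}
    if any(token in reg.split(".")[0] for token in brand_tokens):
        # e.g. onlinemarketingyahoo.com: the brand name is glued into an
        # unrelated registrable domain.
        return "brand-lookalike"
    return "unrelated"


# Constructed sample links modelled on the descriptions in these posts.
SAMPLE_LINKS = [
    "http://searchmarketing.yahoo.com/",
    "http://onlinemarketingyahoo.com/adui/signin/loadSignin.htm",
    "http://update.microsoft.com.hfhilf.com/office/update.aspx?id=123",
    "http://192.0.2.10/update/",
    "http://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{assess_url(link):20} {link}")
```

Only "trusted" should ever pass unchallenged; the other verdicts are what a mail gateway or a browser plug-in would surface to the user. The check deliberately works on the registrable domain rather than on string prefixes, which is exactly the distinction a quick glance at "update.microsoft.com..." fails to make.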
Poisoning search results with content that leads unsuspecting users to spam or malware content is nothing new. We've been seeing abuse of Google's PageRank system since early 2008 where spammers would artificially inflate the rankings of their spam web sites and send out email links which emulated the click of the "I'm Feeling Lucky" button on Google's search page to auto-redirect users through Google to fraudulent web sites.
We are now seeing something similar with Twitter. According to this post on Mashable's web site, spammers are using the accounts that they are setting up on the popular micro-blogging site to increase the ranking of certain topics so that they will appear in the list of Twitter's most popular topics and organically increase clickthroughs. In some cases the sites that users are being directed to also can inject malware.
Be careful with these sites because, as we have seen with some other Twitter exploits, the possibility exists that you could also have your account credentials stolen and used as another vehicle for distributing Twitter spam. Twitter has been built to be easy for end users to use and interface with. This methodology has been great for driving user adoption. The unfortunate side effect is that because of its popularity it has become an increasingly focused target for cyber criminals.
In a story released a few days ago, BITS (Banking Infrastructure and Technology Services) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) technologies to authenticate mail coming from their domains as opposed to spoofed emails sent by spammers.
In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email.
Many major financial institutions are on board this bandwagon as well, but clearly there is room for improvement. As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS 100 members are currently using any form of email authentication, a statistic that seems to be quite different from the adoption rates of F500 brands. For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value in the implementation of these solutions.
Will SPF and DKIM stop spoofing? No, but what they will do is help email receivers to identify messages that are actually being sent by a financial institution like Bank of America versus an email that was sent by a spammer to merely look like an official BofA message in an attempt to steal someone's identity or web site login credentials.
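To make the "help receivers identify" point concrete, here is an added Python example (not code from the original blog, from BITS or from MX Logic) of the SPF half of that check: the receiver looks up the TXT record the sending domain publishes and asks whether the connecting IP is one the domain authorised. The record table stands in for DNS, the domain names and addresses are constructed, and only the ip4/ip6/all mechanisms are evaluated (a, mx, include and friends need live DNS and are reported as a temporary error here, a simplification, not full RFC 7208 behaviour).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Assumption: a real receiver
# queries DNS for the MAIL FROM domain's "v=spf1" record.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "softbank.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the IP that delivered the message."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Address-family mismatches simply do not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, exists, ptr need DNS; out of scope for this demo.
            return "temperror"
    return "neutral"  # no mechanism matched and there was no "all" term


def authenticate_sender(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Receiver-side view: what does the sending domain's policy say about
    this connection? 'none' means the domain publishes no policy at all."""
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"
    return check_spf(record, client_ip)


if __name__ == "__main__":
    # Legitimate mail from the bank's own range versus a spoofed envelope
    # sender delivered from an address the bank never authorised.
    print(authenticate_sender("bank.example", "203.0.113.77"))   # pass
    print(authenticate_sender("bank.example", "198.51.100.1"))   # fail
    print(authenticate_sender("nopolicy.example", "198.51.100.1"))  # none
```

The spoofed message is not blocked by SPF itself; the receiver gets a "fail" it can act on, and a domain that publishes nothing gives the receiver no signal at all, which is the adoption gap the post is describing.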
The question that I would pose here is whether the increased consumer confidence that email authentication technologies are meant to foster is too little, too late. I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore, or have moved away from online banking entirely, solely because of their concerns about having their identities stolen. In their eyes, it is easier to avoid the potential for risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not dealing with their bank via online means at all. This is because they cannot distinguish between legitimate communications from their bank and what is being sent by cyber criminals.
Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet. To that point, when I think about where we are today with the low level of trust that users have overall with email as a communication and marketing vehicle, I believe that as an industry that we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.
My apologies for being a bit light on posting this week. I have been in Amsterdam for the 16th MAAWG Conference. It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!
It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.
This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured. Many of the samples that I have reviewed use different mail client names between the message subject and the body. A couple of examples:
Message Subject: Microsoft Outlook Setup Notification
Message Body:
Notice that between the message subject and the first and second sentence of the message it might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), tell you that you have X messages from Microsoft Outlook, and tell you that you need to reconfigure TheBat again. I am not sure if this is intentional or not (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.
These messages carry an attachment named client_update.zip with an md5 checksum of a50838afddd97a744804bdb6b153b101.
Virustotal reports (as of the time of this writing) that only about 60% of the antivirus engines are detecting this malware, which is better than we typically see in the early stages of a new attack. This lends itself to the theory that this new malware is close enough to the one seen last week where the old signatures might still be catching it.
Either way, be on the lookout for this respin of last week's news.
The MX Logic Threat Operations Center has observed a new type of malware in the wild being sent out as an email posing as a reconfiguration notification for Microsoft Outlook.
The message subject is "Outlook Setup Notification" and contains the following text within the message body:
You have (1) message from Microsoft Outlook.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
The attached file is named micr__outlook_update_6556.zip and has an md5 checksum of 7aa706c521dd8a11ef23b35fc5c4d543.
So far we are not seeing any variation in either the attachment name (which could easily be made more random with the digits on the end) or the hash, so the malware is not morphing at this point. That could easily change, as it is trivial for AV vendors and spam filters to block this particular threat.
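Both this post and the client_update.zip respin above give two indicators a mail filter can act on: the attachment name and the md5 of the attachment. The following is an added Python example, not code from the original blog or from MX Logic, that walks a message's attachments and checks both. The sample message is constructed from the subject and body text quoted in this post; its attachment is placeholder bytes, not the real sample, so the hash check is expected to miss while the name pattern (written to tolerate the digit-randomisation the post anticipates) hits.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the two posts (md5 -> attachment name).
KNOWN_MD5 = {
    "7aa706c521dd8a11ef23b35fc5c4d543": "micr__outlook_update_6556.zip",
    "a50838afddd97a744804bdb6b153b101": "client_update.zip",
}

# Name patterns; the trailing digits are allowed to vary, as the post
# notes they easily could.
NAME_PATTERNS = [
    re.compile(r"^micr__outlook_update_\d+\.zip$", re.IGNORECASE),
    re.compile(r"^client_update\.zip$", re.IGNORECASE),
]


def build_sample_message():
    """Construct a message shaped like the one described in the post.
    The attachment bytes are a placeholder, NOT the real malware."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Outlook <no-reply@example.invalid>"  # constructed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Outlook Setup Notification"
    msg.set_content(
        "You have (1) message from Microsoft Outlook.\n"
        "Please re-configure your Microsoft Outlook again.\n"
        "Download attached setup file and install.\n"
    )
    msg.add_attachment(
        b"PK\x03\x04 constructed placeholder, not the real sample",
        maintype="application",
        subtype="zip",
        filename="micr__outlook_update_6556.zip",
    )
    return msg.as_bytes()


def scan_attachments(raw_message):
    """Return one finding per attachment: name, md5 and which indicator hit."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        digest = hashlib.md5(data).hexdigest()
        findings.append({
            "filename": name,
            "md5": digest,
            "hash_match": digest in KNOWN_MD5,
            "name_match": any(p.match(name) for p in NAME_PATTERNS),
        })
    return findings


def should_quarantine(findings):
    """Either indicator is enough to pull the message aside for review."""
    return any(f["hash_match"] or f["name_match"] for f in findings)


if __name__ == "__main__":
    for finding in scan_attachments(build_sample_message()):
        print(finding)
```

Hash matching is exact and brittle (one changed byte in a respin defeats it); the name pattern is looser and survives the digit change the post predicts, at the cost of occasional false positives, which is why a gateway would typically quarantine rather than silently drop on a name hit alone.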
The graph below shows hourly volumes of this new threat since about 11:30am MST on 6/2, when we originally started to observe it hitting our systems.
It looks like Western Union is the target of yet another spoofing campaign by spammers. We've seen these come and go on a fairly constant basis over the past few months where several different brands have been targeted (we've also blogged about them before), but since this one appears to be coming out in pretty high volumes, I thought it was worth mentioning.
The message itself appears to come from the Western Union Support Team (see sample below) and follows the same basic tactic that many previous UPS, DHL, FedEx, and Western Union scams employed, whereby it tries to trick the recipient into believing that a package or transfer they had attempted to send was not delivered and that they should print out and bring the attached invoice (read: malware) to their local branch. Note the lack of specificity as to where to actually go, which has been a common thread in previous scams as well.
Our Threat Operations Center is currently monitoring approximately 100,000 of these new Western Union emails per hour. Below is a graph showing the timeline and prevalence of the most recent Western Union scams starting from the 11th of May. The spike on the far right is this most recent variant.
As usual, if there is a question about a transaction that you made with a vendor, use the tracking number that they provided you and visit their web site or call them directly to look up and verify your transaction. Do not fall victim to these scams.
Every so often our Threat Operations Center runs across things that are either too interesting or too humorous to not pass along. Yesterday, we saw another one of those examples.
The scam du jour targets the US Treasury. The email appears to come from the U.S. Treasury Support Center and has a subject line containing the words "Federal Reserve Bank" with various other words/phrases like "Attention" or "Read Carefully" either prepended or appended in an effort to grab the attention of the reader. As is commonplace with most of the scams that we run across, it has its share of grammatical comedies.
I found two things most interesting in this case: 1) The actual email does not do anything to convince the user that they have to do something RIGHT NOW in order to avoid some loss of privilege or convenience (e.g. their online bank account will get locked out) as most do. 2) (and in my opinion the more comical) The URL in the email contains the word "phishing" in it. Now, I understand that the phishing reference is likely in relation to the content of the message, but I found it simultaneously funny and ironic that an obvious scam would risk tipping off a would-be victim by including a word that would set off as many red flags with someone as obvious as "phishing."
As of the time of this writing the domains that are associated with this scam are still up, however the web sites that are being pointed to by these particular scams appear to be down. The fact that the domains still exist is reason to believe that they will be recycled for future federal bank related scams.
Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu. The number of confirmed swine flu cases rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world, coupled with the looming threat that the World Health Organization (WHO) will raise its pandemic alert because of the illness, creates a combination of circumstances that we frequently see spammers and phishers jump all over.
Although we have yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up. Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns related to donations to help victims of Swine Flu purporting to be from the WHO or other related organizations. We could also see emails that attempt to lure users to news-oriented web sites that play videos which are set up as spoofs with the intention of distributing malware.
News grabbing events like the Swine Flu outbreak are exactly the type of social engineering lures that spammers love to latch onto because of the public's interest in learning more about the topic. Be aware. If you would like to learn more about the recent Swine Flu, or any other breaking news story topic, visit the site of your most trusted news organization directly. Clicking on links within emails is an invitation for trouble.
It seems lately that if we aren't talking about Conficker, we are talking about Waledac. To make things even more interesting there have been purported links between the Conficker and Waledac botnets as during the last week the infected machines associated with the former pulled a code update from the latter.
Today's topic is Waledac specific: a new spam campaign with an SMS Spy theme. Ever wanted to spy on your girlfriend's SMS messages to see if she is cheating on you? Curious as to whether or not your significant other is truly in love with you? Waledac wants to "help" you find out.
Starting earlier this morning our Threat Operations Center began detecting a new spam campaign from the Waledac botnet that contains a link to a web site where users can download a 30 day free trial for a piece of software (read: malware) that when installed on your partner's mobile phone will allow you to read all of the SMS messages that they receive.
The email received looks like the following:
We have seen a number of subject lines associated with this campaign including:
Are you ready to know the truth
Are you sure in your partner
Can your love life be re-ignited
Does your partner truly love you
Have more fun and pleasure in your intimate life
Keep a spy eye on your girlfriend
Make Sure your girlfriend
Now, It's possible to read other people's SMS
Now, you can read any SMS message
possible to read other people
Read his SMS
Read other people's SMS online
The world's most advanced sms reading program
We will teach you to be the master of making love art
What's your hall of shame
You can read anyone's SMS
Are you interested in reading other people's sms?
Do you trust her?
Do you trust your partner blindly?
Do you want to test your partner
Free program for reading sms
Is your partner cheating on you?
Is your partner faithful?
Is your wife or girlfriend cheating on you?
Read her messages
Read your girlfriend sms online
You can download new program for reading sms
Below is a screen shot of the site that the user is directed to when the email link is clicked:
It is important to note that simply visiting the web site does not infect the user with Waledac. They must download and execute the file (currently named "sms.exe") after clicking the "Download Free Trial" link.
*** UPDATE 1 4/16/2009 11:20am MST *** Funny enough there is an article posted on NetworkWorld today which discusses a potential vulnerability with Apple's iPhone which could result in the execution of shellcode on non-jailbroken versions of the device. Such a vulnerability could result in an exploit that could allow an attacker to see someone's SMS messages according to the article. Maybe the Waledac authors know more than we are giving them credit for :)
Below is an updated volume graph.
As you can see from the above graph volumes were in the 2-4k range per hour until about 2am MST this morning before peaking at about 12,000 during the 6am hour. More updates as they become available.
*** UPDATE 2 4/17/2009 10:40am MST *** After waning for a bit during the mid-morning hours yesterday, volumes started to pick up again at around Noon MST. Current averages are between 12-20k messages per hour and have been maintaining in that range for about the last 24 hours.
Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases. Back in late January we reported on Waledac resorting back to its familiar roots of sending out spam linking to malware-infected web sites. Frequently these messages were tied to some sort of holiday and used e-cards as a lure to get potential victims to open the email and visit a malicious web site.
We saw a couple of different iterations of their most recent Valentine's Day campaigns. One was for a Valentine Devkit (see above link) and another was a lure for the ever popular e-card. Since February 22nd, Waledac has taken a bit of a different twist on its typical holiday themes and has focused its efforts on something just as timely: the economy. Making a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, the Waledac folks sent out emails linking to their spoofed lookalike sites. As with many other Waledac/Storm generated web sites, just about everything on the page is an image. This is generally a dead giveaway to folks who have been tracking Waledac/Storm for quite some time, but it is a minor fact that is likely lost on most users who are unaware they are being duped. These images link to a binary executable file which, when downloaded and run by the user, enlists their PC into the botnet.
Below is a screenshot representation of the fake couponizer site:
Take a moment to visit the real couponizer.com and you will notice that the lookalike and legitimate sites bear some similarity.
Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.
Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):
You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next. The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.
Another interesting thing to notice from the graph is that we actually saw more Valentine's day e-card spam coming from Waledac AFTER Valentine's Day than before.
Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to levels that it was at prior to Microsoft releasing its September 2007 MSRT update which Microsoft claims was responsible for mostly taking down its predecessor, Storm. This botnet clearly isn't just about holidays anymore.
Starting earlier this morning our Threat Operations Center started tracking a new Classmates.com themed spam email that links to a video site that contains malware.
The sample messages that we have received have a From line that spoofs the classmates.com domain and would appear in your mail client as "Classmates [random word] Center", where [random word] is a word like "updates" or "manager". So it would appear in your mail client as "Classmates updates Center" or "Classmates manager Center"; note that "Classmates" and "Center" are capitalized while the added middle word is not.
The message content is fairly static with a few variations between the samples. Below is a copy of one of the emails:
Special video report February 25, 2009:
One of your classmates has sent you a video invitation:
"Read the story and see photos of my wedding and our tour,Please discover our video invitation to your family. I hope to get back from you soon..."
Sincerely, Corine Sutherland.
2009 Classmates Organisation Message Centre.
The elements that we have seen vary between samples are the link to the malware site and the name in the closing of the message.
Once clicked, the user is brought to a classmates.com branded site with a link to an executable file posing as a video. The file name downloaded is "Adobemedia10.exe".
Volumes have ranged in the 30-70k per hour range since the 6am MST hour this morning.
The subject lines that we have observed associated with this campaign are:
2009 Annual Meeting
2009 Classmates - 2009 Meeting
2009 Classmates - Annual Meeting
2009 Classmates - Getting Video
2009 Classmates - Ill have more to say about the specifics of the meeting soon
2009 Classmates - Meetings
2009 Classmates - Save video fragments from movies with the simplicity of pressing ...
2009 Classmates Annual Meeting
2009 Classmates Annual Meeting -- Coming Soon! - Modern ...
Microsoft has announced that they have added Srizbi botnet code detection to their Malicious Software Removal Tool (MSRT) with its latest update. As mentioned in the article, Microsoft claimed victory over the Storm botnet by cleaning up over 91,000 Storm infected PCs within 24 hours of releasing their initial Storm heuristics back in September 2007.
As with when the original Storm botnet was mostly eradicated, Srizbi isn't a major player in the spam wars these days. The Srizbi botnet never quite recovered from its days as one of the most prevalent spam botnets after McColo was shut down back in November. The Cutwail and Mega-D botnets who were also largely affected by McColo are doing quite well for themselves, however.
As Joe Stewart said in the article, Microsoft would have served itself better to go after one of the newer botnets on the scene, like Xarvester or Donbot, or even Cutwail or Mega-D. With all of the news surrounding Conficker and how that botnet still lies in waiting to come alive, that would be another prime candidate to target. I agree with Joe where he said it will be nice to get these machines cleaned up, but it isn't going to have an effect on spam volumes.
It looks like the Waledac botnet folks are at it again...new e-card spam with links to malware using a Valentine's Day theme.
The email itself is your standard fare e-card Valentine's Day lure (subject lines starting with "You've got an e-card at <random greeting card domain>"); however, differing from many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):
----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"
You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------
We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain.
Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:
Clearly there is a disconnect between the email which is telling you to pick up your e-card and the web site which is asking you to download a "Valentine Devkit" (mistake number 2). As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign.
The commercial AV guys don't appear to be up on this one yet so keep your eyes open! We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from these guys here.
A co-worker sent me a link this morning to this energy drink called SPAM. Before you go any further, this is NOT a product endorsement :)
I remembered pretty quickly that I have actually had this drink before.
A couple of years ago I was in Brussels for the annual European MAAWG conference and while walking the streets around the main square in town I passed by a convenience store with an advertisement that took up about a quarter of the doorway that said "SPAM Energy Drink. Living on the Edge". Obviously I couldn't travel one-third of the way across the world for an anti-spam conference and not take up the opportunity to confront my primary nemesis in a lowly can form. Surely, I could conquer SPAM now! I was about to climb the mountain and reach the pinnacle of my career! I was about to eliminate SPAM!! Who needs wild predictions from Bill Gates on the demise of SPAM. SPAM was in the palm of my hand!
Unfortunately, its demise wasn't to be...
As with several other energy drinks, it had this liquefied PEZ candy taste to it. At first it wasn't too bad and I slowly sipped from the can while walking so that I could enjoy every last moment of what I thought would be SPAM's existence. SPAM eventually started to overtake me, however. Each sip became less and less savory and my stomach started to feel more and more nauseous. As I approached the world famous Manneken Pis statue I could no longer tolerate the taste and was looking for the nearest trash container despite the fact that I still had about half the can to go.
SPAM won. I tried my best, but at the end of the day it was not to be. I'll be heading to Amsterdam this June for another MAAWG conference and rest assured I will be looking for an opportunity to even the score! Last time I didn't know what to expect and it kind of took me by surprise. It won't happen again!
Last week Heartland Payment Systems Inc reported a data breach of over 100 million credit card numbers and cardholder names. Monster.com is now also reporting a compromise of passwords, user IDs, names, email addresses, and other PII of an undisclosed number of accounts and is advising all of its users to change their passwords immediately. It's too bad that most of monster.com's users only regularly access their accounts when they are actually looking for a job which means that many may never get the message or take the time to update their password. This leaves a lot of accounts as wide open opportunities for identity and data theft.
Combine all of this news with this report on CNN Money that over 71,400 jobs were lost today alone (when I last looked at the report it was 68,000 so the number is getting larger as the day wears on!) and we have a dangerous cocktail for fraud and fraud victims!
So, it is a given that there will be more (and already has been) fraudulent activity related to the monster.com and Heartland breaches. The bigger problem that comes out of this is that we now have over 71,400 people trying to figure out how they are going to support their families and themselves while they look for new employment.
These newly unemployed job seekers are now prime targets for cyber crime. Whether it be stock pump and dump scams, fraudulent IRS refunds, phony job announcements (work at home opportunities appearing to come from monster.com?), or "make a quick buck" schemes, people in vulnerable positions are frequently the most likely victims of criminal activity. As such, it is important for everyone to be more diligent than ever in trying to separate the wheat from the chaff as it relates to any kind of "too good to be true" offer. Good social engineering preys on weaknesses and stresses a potential victim's urge to "act now". During times of unemployment or uncertainty your inherent ability to judge is clouded and irrational decisions are often made resulting in more complicated problems. Be educated, be aware, and be diligent. Don't be a victim.
Starting during the 8pm MST hour on Thursday night (January 22nd) our Threat Operations Center observed a new Valentine's Day themed spam that appears to be coming from the Waledac botnet (new Storm botnet) gang, following in the tradition of Storm by sending out holiday themed emails further lending validation to the theory that the folks who are behind Waledac are likely the same ones that created Storm.
Emails are short and sweet one liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link. No malware is attached to the email itself. Subject lines also have a love theme to them. Some of the examples that our Threat Operations Center have observed include "Falling in love with you", "I belong to you", and "I love being in love with you". Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts and has the bold text "Guess, which one is for you?" and looks like the following:
Clicking anywhere within the hearts is a link to an executable file that the user can download and install to infect themselves. Infection does not occur merely by visiting the page. The executable file (e.g. you.exe or love.exe) must be run to install the malware.
This page is also using Google Analytics to track number of visitors and where those visitors are coming from.
Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours. Traffic has been steadily increasing since they were first observed, as illustrated in the graph below:
Clearly the old Storm folks are working as hard as they can in efforts to build up their new botnet and are following the old tried and true methods of centering their social engineering tactics around holiday themes. It was very successful for them the last time around so why fix what isn't broken, right? Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times it gets recycled.
*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day. Average volume since 9am is about 11k per hour. We will continue to monitor over the course of the weekend and will post updates as necessary.
*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend. The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign. If you are not already doing so, you may want to consider blocking access to them. Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between the hours of 2-7pm MST. Maybe they were watching the NHL All Star Festivities :) Current volume graph below ***
A couple of days before the inauguration of president-elect Barack Obama spammers are sending out political propaganda that would have you believe that Barack Obama no longer wishes to be President of the United States.
Spam emails are being sent out with subject lines such as "Haven't you heard latest news about our president-elect?" (Funny enough, one of these samples originated in Brazil. Is Obama about to be President down there too? :) ), "End-time for USA", and "Who will be our president now?". The messages are single line spam messages with phrases of only a few words followed by a link to a barackobama.com look-alike site. Some of the phrases being used in the emails that we have observed are "Barack Obama abandoned sinking ship" and "Obama doesn't wany anymore to be a president".
The site that users are lured to if they click the link in the email looks like this:
All of the links on the site link to a file named pdf.exe which McAfee is calling part of the Waledac family of malware. Waledac is widely considered to be the new incarnation of the Storm Worm based on its similarities in behavior to the original Storm which has been eradicated.
As is often the case with these new outbreaks, AV detection is scarce so be aware of this new tactic. Taking a brief opportunity to toot our own horn, we predicted this type of attack in the January edition of our Threat Forecast and Report.
Volumes are currently averaging about 4,000 per hour hitting the MX Logic systems. We will continue to monitor this over the weekend and update as necessary.
*** UPDATE 1/19/2009 3:30pm MST *** Volumes have averaged between 5-16k messages per hour over the weekend and into Monday with today's average hovering around 10,000 per hour. No new significant variants have been observed. Below is an updated volume graph:
As you can see, there are still significant peaks and valleys in Obama email message flow which means that this campaign is still actively sending out spam. With Tuesday's inauguration we will continue to monitor for either another resurgence of this tactic or the emergence of another new variant from the PCs responsible for sending out this current spam wave. As soon as anything crops up, we will be sure to make you all aware.
Starting at about 6:50am MST this morning we started to see a new spam outbreak alleging to be from CNN. Emails will appear to be from several different senders such as "CNN News Centre - Headline News", "Media News", and "News Centre" with addresses such as support@cnn.com and hot@cnn.com. The email that our Threat Operations Center has observed thus far is centered around the current Israel conflict in Gaza.
Here is a sample message of what we have seen:
Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here were graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.
2009 Cable News Network. A Time Warner Company. All Rights Reserved.
The URL being linked to is changing from message to message; however, the "edition.cnn.2009" at the start of the URL appears to be static through the samples we have observed thus far. Also, the page "israel-gaza.htm" has been linked to in all samples we have seen.
Volumes started out fairly modest at about 50 instances seen within the first 45 minutes, but started to pick up pace very quickly at around 8am MST where we saw another 1,300 within about 10 minutes. We are continuously collecting volume numbers and will post more updates as needed.
If the link in the email is clicked, the user is brought to a fake news page like the following:
Some sample subject lines include:
Hamas launching rocket war after Gaza evacuation
Hamas Goads Israel into War
Israel's War Crimes
War in Gaza: while Israel and Hamas fight
This tactic is similar to the CNN fake news update that we originally saw back in August 2008 where an email purporting to be from CNN was sending users to fake video sites where they were then directed to download a video codec in order to watch the video. The video codec is actually malware.
Due to the effectiveness of the previous CNN outbreak (our Threat Operations Center intercepted about 835M fake CNN messages during a two week period back in August) and the worldwide interest in what is currently happening in Gaza we felt it was appropriate to send out this threat alert to raise awareness in this campaign that appears to be quickly picking up steam.
We will continue to actively monitor this tactic for changes both in volume and content and will report on those as they surface.
*** UPDATE 1/8/2009 2:00pm MST *** After monitoring this threat for the past several hours, peak volumes have so far occurred during the 10am MST hour where our Threat Operations Center observed just over 80,000 of these messages.
Current volume graph:
It also does not appear that the domains being used are fluxing across many IP addresses. Of the domains that we have observed being pointed to by these CNN emails, they have been pointing to 5 IP addresses. Those are 99.135.187.5, 173.21.75.102, 75.45.181.113, 91.123.159.112, and 98.141.74.204. We will continue to monitor in the event that this changes.
The fact that volumes have dropped from their peak is not to say that this tactic is waning. Recall that during the original CNN outbreak back in August it took 3 days for volumes to peak so it is still possible that as developments continue to evolve in Gaza that additional variants of this email and malware may crop up. Additional updates to follow as they become available.
*** UPDATE 1/8/2009 3:20pm MST *** I stand corrected on my previous update. The domains being used to host the fake video codec downloads are indeed fluxing, albeit not very quickly. Current volumes are still holding steady at about 15,000 per hour.
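Whether the lure domains are rotating their A records, and how quickly, decides whether blocking the handful of addresses they point to is worth anything. The script below is an added example, not tooling from the MX Logic Threat Operations Center: it measures record churn from a constructed resolver log (RFC 5737 documentation addresses, not the five addresses above) and labels each domain static, slow flux or fast flux using a threshold that is my own assumption.

```python
"""Measure how quickly spamvertised domains rotate their A records.

Added example with a constructed resolver log; it is not tooling from the post.
"""
from collections import defaultdict
from datetime import datetime

# Constructed resolver observations: (timestamp, domain, set of resolved IPv4 addresses).
# Addresses are from the RFC 5737 documentation ranges, not the ones seen in the campaign.
OBSERVATIONS = [
    ("2009-01-08 08:00", "static.example", {"192.0.2.10", "192.0.2.11"}),
    ("2009-01-08 09:00", "static.example", {"192.0.2.10", "192.0.2.11"}),
    ("2009-01-08 10:00", "static.example", {"192.0.2.10", "192.0.2.11"}),
    ("2009-01-08 11:00", "static.example", {"192.0.2.10", "192.0.2.11"}),
    ("2009-01-08 08:00", "slow.example", {"192.0.2.10"}),
    ("2009-01-08 10:00", "slow.example", {"192.0.2.10"}),
    ("2009-01-08 12:00", "slow.example", {"192.0.2.10", "192.0.2.20"}),
    ("2009-01-08 14:00", "slow.example", {"192.0.2.20", "192.0.2.21"}),
    ("2009-01-08 16:00", "slow.example", {"192.0.2.20", "192.0.2.21"}),
    ("2009-01-08 20:00", "slow.example", {"192.0.2.20", "192.0.2.21"}),
    ("2009-01-08 08:00", "fast.example", {"198.51.100.1"}),
    ("2009-01-08 08:10", "fast.example", {"198.51.100.2"}),
    ("2009-01-08 08:20", "fast.example", {"198.51.100.3"}),
    ("2009-01-08 08:30", "fast.example", {"198.51.100.4"}),
    ("2009-01-08 08:40", "fast.example", {"198.51.100.5"}),
]

# Threshold separating "slow flux" from "fast flux"; an assumption for illustration.
FAST_FLUX_CHANGES_PER_HOUR = 1.0


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def flux_summary(observations):
    """Per-domain churn statistics and a verdict.

    A "change" is any observation whose IP set differs from the previous one
    for the same domain; the rate is changes per hour over the observed span.
    """
    by_domain = defaultdict(list)
    for ts, domain, ips in observations:
        by_domain[domain].append((_parse_ts(ts), frozenset(ips)))

    summary = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda row: row[0])
        changes = sum(1 for prev, cur in zip(rows, rows[1:]) if prev[1] != cur[1])
        span_hours = (rows[-1][0] - rows[0][0]).total_seconds() / 3600.0
        rate = changes / span_hours if span_hours > 0 else 0.0
        if changes == 0:
            verdict = "static"          # IP-level blocking is effective
        elif rate < FAST_FLUX_CHANGES_PER_HOUR:
            verdict = "slow flux"       # IP blocking helps, but needs periodic re-resolution
        else:
            verdict = "fast flux"       # block the domain, not the addresses
        summary[domain] = {
            "distinct_ips": len(set().union(*(ips for _, ips in rows))),
            "changes": changes,
            "changes_per_hour": rate,
            "verdict": verdict,
        }
    return summary


def shared_infrastructure(observations):
    """Map each IP address to the sorted list of domains that resolved to it.

    Addresses shared by many lure domains are the best candidates for a block
    when the domains themselves are not fluxing quickly.
    """
    hosts = defaultdict(set)
    for _, domain, ips in observations:
        for ip in ips:
            hosts[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in hosts.items()}


if __name__ == "__main__":
    for domain, stats in flux_summary(OBSERVATIONS).items():
        print(f"{domain:16} {stats['verdict']:10} distinct={stats['distinct_ips']} "
              f"changes={stats['changes']} rate={stats['changes_per_hour']:.2f}/h")
    for ip, domains in sorted(shared_infrastructure(OBSERVATIONS).items()):
        if len(domains) > 1:
            print(f"{ip} shared by {', '.join(domains)}")
```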
Starting Tuesday morning our Threat Operations Center started to observe a new wave of fake UPS Delivery Notifications. These emails contain an infected zip file that when opened will install malware onto the user's PC.
Fake UPS delivery notifications are nothing new as a tactic. We originally spoke about them back in October 2008 here. Since that time, we have seen a number of similar UPS variants, each with very limited success. Although this new lure is not much different than the ones sent previously, it appears to be having greater penetration rates based on the volumes we are seeing. Although the actual volume is not significant, it is currently representing about 75% of the infected emails that we have seen over the past 24 hours.
The fake notifications that we have seen thus far have been straightforward to identify. They appear to be from "United Postal Service", contain a subject line of "Delivery Problems", and carry an attachment named UPSinvoice.zip. The email content is as follows:
Hello!
Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your UPS Support Team
You'll notice that the text of the message is almost exactly the same as the variant that we saw back in October save for the date referenced in the message and who the message is signed as.
Similar to the previous tactics that we have seen, the email is very generic. It neither references where the package was to be sent nor says where to pick up the package. Couple that with the fact that UPS does not ask for a contact email address when a package is shipped, and there is no chance that messages of this type should be considered legitimate.
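Both the Classmates lure above (a spoofed From display name and a link to an executable posing as a video) and this UPS lure (a brand claim from an unrelated domain and a zip wrapping an executable) can be caught at the gateway with a few structural rules. The following is an added example, not MX Logic's filtering logic; the messages it checks are constructed to resemble the samples quoted in the posts, and the brand-to-domain mapping and the executable extension list are assumptions.

```python
"""Gateway triage rules for the lure patterns described in these posts.

Added example; the messages below are constructed to resemble the quoted
samples and are not captures from the MX Logic feed.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that should never arrive disguised as a "video" or "invoice" (assumption).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Brand words the posts describe being spoofed, mapped to the domain the brand
# really mails from (assumed; the posts do not state the legitimate domains).
BRAND_KEYWORDS = {
    "classmates.com": ("classmates",),
    "ups.com": ("ups", "united postal service", "united parcel service"),
}
# From display-name shape from the Classmates post: "Classmates <lowercase word> Center".
CLASSMATES_NAME_RE = re.compile(r"^Classmates [a-z]+ Center$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _is_executable_name(name: str) -> bool:
    """True when a file name or URL path ends in an executable extension."""
    path = name.split("?", 1)[0].split("#", 1)[0].rstrip("/")
    return path.lower().endswith(EXECUTABLE_EXT)


def _check_sender(msg: EmailMessage, findings: list) -> None:
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    if CLASSMATES_NAME_RE.match(display):
        findings.append("lure-display-name")
    claimed = (display + " " + str(msg.get("Subject", ""))).lower()
    for real_domain, words in BRAND_KEYWORDS.items():
        mentions_brand = any(re.search(r"\b%s\b" % re.escape(w), claimed) for w in words)
        if mentions_brand and domain != real_domain and not domain.endswith("." + real_domain):
            # A From header that spoofs the real domain (as in the Classmates campaign)
            # passes this check, which is why the payload checks below matter.
            findings.append("brand-domain-mismatch:" + real_domain)


def _check_links(msg: EmailMessage, findings: list) -> None:
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        if any(_is_executable_name(u) for u in URL_RE.findall(part.get_content())):
            findings.append("executable-link")
            return


def _check_attachments(msg: EmailMessage, findings: list) -> None:
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _is_executable_name(name):
            findings.append("executable-attachment")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append("unreadable-zip")  # truncated or deliberately malformed
                continue
            if any(_is_executable_name(m) for m in members):
                findings.append("executable-in-zip")


def triage(raw: bytes) -> list:
    """Return the indicator tags that fired for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    _check_sender(msg, findings)
    _check_links(msg, findings)
    _check_attachments(msg, findings)
    return findings


def build_samples() -> dict:
    """Constructed messages modelled on the posts' samples; hosts use .invalid."""
    classmates = EmailMessage()
    classmates["From"] = '"Classmates updates Center" <noreply@classmates.com>'
    classmates["Subject"] = "2009 Classmates - Annual Meeting"
    classmates.set_content("One of your classmates has sent you a video invitation:\n"
                           "http://video.example.invalid/watch/Adobemedia10.exe\n")
    ups = EmailMessage()
    ups["From"] = '"United Postal Service" <support@invoice.example.invalid>'
    ups["Subject"] = "Delivery Problems"
    ups.set_content("Please print out the invoice copy attached and collect the package.\n")
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("UPSinvoice.exe", b"MZ placeholder bytes, not a real program")
    ups.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="UPSinvoice.zip")
    clean = EmailMessage()
    clean["From"] = '"Alice" <alice@example.invalid>'
    clean["Subject"] = "Lunch menu"
    clean.set_content("Today's menu: http://www.example.invalid/menu.html\n")
    return {"classmates": classmates.as_bytes(), "ups": ups.as_bytes(), "clean": clean.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(f"{label:10} -> {triage(raw) or ['no indicators']}")
```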
I wanted to take a few minutes and post a follow up to my blog the other day about an article written by Lance Winslow that was originally written in 2005 and reposted here by ezinearticles.com with the date of December 31, 2008 making it appear as if the content was written recently by Lance.
Businesses do have a lot of choices when making decisions about protecting their network infrastructures. They can choose to do it in-house using a number of open source solutions or commercial desktop software. They can also purchase a network based appliance which also typically has to be maintained in-house, or businesses can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ). No matter which type of solution you prefer for your organization, almost all are effective at stopping spam. Some of the bigger questions that must be answered by any company when making these decisions are how much control they want to have, how much risk they deem to be acceptable in the event of a large outbreak from a bandwidth perspective, and what they want their internal resource allocation to be for managing these solutions.
Overall, spam rates are still down about 45% from their most recent peak in August to now as a result of the McColo shutdown. Despite the movement to the web as a primary malware delivery vehicle and with occasional peaks and valleys in mail flow over short periods of time, spam volumes historically continue to increase and will continue to do so. The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering which dupes users into opening attachments and visiting web sites that enlist their PC into botnets.
I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless. There have been few arrests since CAN-SPAM went into effect 5 years ago. At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.
At the end of the day whether spam volumes are up or down, cyber crime is both a criminal as well as a social problem. I think the criminal part is pretty self-explanatory, but what drives people to cyber crime? Money. Lots of it. With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low risk, high reward venture. Considering the difficult economic times we are now in the middle of where companies are tightening their belts as much as possible and unemployment is rising on a daily basis it would not be surprising if you see more people getting involved in cyber crime activities.
So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today? I would say both yes and no. Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available. Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.
An MXL co-worker (Thanks, Grant!) directed me to this blog posting by a guy named Lance Winslow titled "SPAM Killing Small Business Productivity". It is no surprise to anyone that any small business that has not taken steps to protect their infrastructure with some kind of anti-spam/traffic shaping/traffic control device or service (I am partial to the managed service form factor, BTW :) ) is feeling the effects of the amount of spam flying over the internet on a daily basis. So, in that respect Lance hasn't started off his post with anything revolutionary.
Then things start to get weird...
Lance states "...the Federal Trade Commissions; FTC’s war on SPAM is killing small businesses and flooding their inboxes with junk mail". What?! Last I checked, a LOT more people than just who are involved in the FTC are fighting spam on a daily basis and doing a pretty decent job of it. I work with many of them on a daily basis both at MX Logic and at our many competitors. Secondly, how is the FTC's war on spam killing small businesses and flooding inboxes with junk mail? Last I checked, that was the spammers who were responsible for that....oh yeah, and the infected PCs that they use to do their dirty work. I'll concede that CAN-SPAM hasn't done much, but spam hasn't increased as a result of CAN-SPAM. Spam has increased due to money chasing criminals using spam as a vehicle to make money.
Lance then goes on to say "America Online indicated that it culls 75% of the incoming SPAM thru filters and many other companies are able to do this too. But what if you are a small business which does not have such features on your website? What do you do then? You cannot do a thing." Strike 2! Firstly, I know quite a few of the anti-spam folks over at AOL personally and I'll be more than happy to publicly defend them and say that I am sure they are catching more than 75% of incoming spam. If that were MX Logic's catch rate I surely would have been fired years ago! It certainly hasn't been my looks that has gotten me by! :) Further, how can Lance ascertain that there is nothing you can do if you do "not have such features on your website"? I am going to guess that he is really referring to inboxes here and not web sites (as web sites are a bit of a different animal than what he originally started out his post with). Has he ever looked into the cost of a Managed Security Service or a network appliance? Anyone can deploy anti-spam defenses at fairly low cost per user. The cost can even be free if you are willing to do the work yourself to maintain your own installation of a software based service like Spamassassin.
His final paragraph states "A concocted report from MX Logic purports that SPAM is down a whopping 9%? If you believe that you are on drugs just like the FTC. If you are a small business getting 300 junk mails per day, obviously this is not going to help you in the least as it still means you are getting over 275 junk mails a day. Worse the figure of nine-percentile is said to be a complete misrepresentation and convenient fabrication." Perhaps Lance should do a bit more reading about the decline in spam volumes since the shutdown of McColo back on November 11th (although I do appreciate that he is reading our report!). Although the botnets that were originally debilitated as a result of the McColo shutdown are back online, spam volumes overall are still down from where they were pre-McColo. Now, I will agree with Lance's point that if you were getting 300 spam emails per day and are still getting around 275 per day, you are still getting deluged (perhaps our sales folks should try to sell Lance an anti-spam solution :) ). At a micro level this doesn't seem like a big deal, but when looked at on a much more macro scale, in an environment like ours and at other major ISPs who process hundreds of millions of emails per day, the effects are dramatic.
I'm curious as to what authority he stands on, or whom he interviewed, to make the statement that drops in spam volume are a "complete misrepresentation and convenient fabrication"? How is saying that spam volumes are down convenient for us? In our business, spam sells. The more there is, the more sales grow as businesses become more aware of the inadequacies of their own systems in trying to manage spam themselves. They realize that they NEED an alternative so that they can focus on their core competencies and not just on keeping their mail servers online. As a result, crises and large spam events like the CNN outbreak from back in August are great for our sales numbers. It certainly makes selling the need for a solution easier. I've been accused during media interviews by less tech savvy reporters of trying to spread FUD because "I have to say that spam volumes are up because fighting spam is the business that we are in", but never of lowering numbers for convenience. I don't quite see how that argument makes any sense.
The closing of his post is the coup de grâce: "If you have innovative thoughts and unique perspectives, come think with Lance." I would certainly say that Lance's perspectives are unique (and completely uninformed), but his thoughts are not quite so innovative (however quite imaginative!).
Ireland is tired of spam and is putting legislation into law that will fine spammers up to 250,000 Euros if convicted according to this siliconrepublic.com story. The story does not go into specifics of the law or what an email needs to contain in order to be in compliance (e.g. CAN-SPAM has several rules that marketers must follow in order to be compliant), but references "spammers" as a general term.
Lost in the noise of all of this let us not forget the difference between a "spammer" and a "spam message".
Spammers are people who send nothing but spam 100% of the time. Spammers utilize botnets to conceal the original message sender and utilize networks that they otherwise have no right or license to use.
Compare this to an (accidental) sender of a spam message.
Most ESPs occasionally sign up customers whose intention is to use the ESP's network to send out email to purchased lists or to people who did not specifically opt in to receive that mail. Of course, this is unbeknownst to the ESP until the email goes out and the complaints roll in about spamtrap hits, unknown-user rates, and users hitting the "This is Spam" buttons in their webmail clients. The good ESPs will shut those folks down immediately and make them go troll their email elsewhere. Does this make these ESPs spammers? No. Are they culpable under this new law? Not sure yet, but those details will certainly come forward.
I can respect what Ireland is trying to do here, but I hope they can take a lesson from the United States and not repeat the same mistakes of CAN-SPAM. If not implemented correctly (i.e. enforce policy on the true spammers and the ESPs who are not making good faith efforts to remove bad customers from their systems) the only people they may end up hurting are the legitimate email marketers who occasionally have an "oopsie" from a bad customer while the true spammers continue their practices unfettered.
Happy 5th Birthday to the CAN-SPAM Act (The Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003! The CAN-SPAM Act was the brainchild of Senators Burns of Montana and Wyden of Oregon in April 2003 before undergoing some revision and being signed into law by President Bush on December 16th, 2003 (ok, so the real birthday was yesterday). The CAN-SPAM Act took effect on January 1, 2004.
Although it serves as the standard by which ESPs enforce compliance on the part of their customers, it has largely been ignored by spammers. MX Logic has been tracking adoption of the CAN-SPAM Act since its inception and even at its peak only about 3% of all spam was in compliance. This was in May 2004. Compliance has typically hovered around 0.2-0.3% since 2005. As a result, many have resorted to calling it the U-CAN-SPAM Act.
If you are not familiar with the CAN-SPAM act it imposes a number of requirements on commercial email:
-- Ensure that the "FROM" line clearly reflects the sender's identity
-- Include subject line text consistent with message content
-- Include the advertiser's valid postal address
-- Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial email from the sender
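The four requirements above are exactly the kind of thing an ESP (or a spam researcher tracking the compliance rate mentioned earlier) would check mechanically. Below is an added example of such a heuristic checker; it is not MX Logic's code and the sender names, domains and message bodies in it are constructed for illustration. The "subject consistent with content" test is necessarily a heuristic (a meaningful subject word must appear in the body) and the postal-address test only recognizes a US-style "street, City, ST 12345" line, so treat it as a triage aid, not a legal opinion.

```python
"""Heuristic CAN-SPAM check over a raw RFC 822 message (added example, not MX Logic code)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# US-style postal address: "123 Main Street, Springfield, IL 62704" (assumed format).
POSTAL_RE = re.compile(
    r"\b\d{1,6}\s+[A-Za-z0-9.' -]+,\s*[A-Za-z .]+,\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b"
)
OPT_OUT_RE = re.compile(r"unsubscribe|opt[- ]?out", re.IGNORECASE)
URL_OR_MAILTO_RE = re.compile(r"https?://\S+|mailto:\S+", re.IGNORECASE)
STOPWORDS = {"your", "with", "from", "this", "that", "have", "about"}


def _body_text(msg):
    """Return the plain-text body (falls back to the HTML part if that is all there is)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def _subject_matches(subject, body):
    """Heuristic for requirement 2: some substantive subject word shows up in the body."""
    words = [w for w in re.findall(r"[a-z]{4,}", subject.lower()) if w not in STOPWORDS]
    body_lower = body.lower()
    return any(w in body_lower for w in words)


def _has_opt_out(msg, body):
    """Requirement 4: a List-Unsubscribe header, or unsubscribe wording next to a link."""
    if msg.get("List-Unsubscribe"):
        return True
    return OPT_OUT_RE.search(body) is not None and URL_OR_MAILTO_RE.search(body) is not None


def check_can_spam(raw):
    """Return one boolean per requirement plus an overall 'compliant' verdict."""
    msg = message_from_string(raw, policy=default)
    body = _body_text(msg)
    name, addr = parseaddr(msg.get("From", ""))
    checks = {
        # 1. From line identifies the sender: a display name and a real address.
        "from_identifies_sender": bool(name.strip()) and "@" in addr,
        # 2. Subject consistent with content.
        "subject_matches_body": _subject_matches(msg.get("Subject", ""), body),
        # 3. Advertiser's postal address present.
        "postal_address_present": POSTAL_RE.search(body) is not None,
        # 4. Working opt-out mechanism.
        "opt_out_present": _has_opt_out(msg, body),
    }
    checks["compliant"] = all(checks.values())
    return checks


# Constructed sample messages (not real mail).
COMPLIANT_SAMPLE = """From: Acme Widgets <newsletter@acme-widgets.example>
To: customer@mail.example
Subject: Spring sale on widgets
List-Unsubscribe: <mailto:unsubscribe@acme-widgets.example>
Content-Type: text/plain; charset="utf-8"

Our spring sale on widgets starts today. Save 20% on every widget in stock.

Acme Widgets, 123 Main Street, Springfield, IL 62704
To stop receiving these messages, visit https://acme-widgets.example/unsubscribe
"""

NONCOMPLIANT_SAMPLE = """From: wzx8821@mail.example
To: customer@mail.example
Subject: RE: your account
Content-Type: text/plain; charset="utf-8"

Cheap meds, best prices, order now at http://pharmacy.example/order
"""

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT_SAMPLE), ("noncompliant", NONCOMPLIANT_SAMPLE)):
        print(label, check_can_spam(sample))
```

Run over a spam corpus, `compliant` comes back True for only a tiny fraction of messages, which is the "0.2-0.3%" style figure the post quotes; the interesting output is usually which individual requirement a bulk sender is missing.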
As part of the CAN-SPAM Act the FTC was also authorized to create a "Do Not Email" registry, much like the existing "Do Not Call" registry for telemarketing.
We blogged back in October about a loophole in the CAN-SPAM Act: it does not disallow the mass sending of unsolicited political email, due to its non-commercial nature. This opinion drew quite a few comments, both positive and negative, from both sides of the aisle.
So, as we move forward into 2009 and you toast in the New Year, be sure to raise a glass to the CAN-SPAM Act. Five years of reducing spam to nobody!
It has been one month since McColo had its upstream bandwidth cut off by Global Crossing and Hurricane Electric. What has changed since?
As we've previously reported (here and here), immediately after the McColo shutdown we saw a 50-60% decline in spam volume. This drop carried on for about 9 days even though in the middle of all of this McColo was briefly brought back online by TeliaSonera. During this brief uptime the Rustock botnet was able to update itself and point its bots to different command and control hosts. It wasn't until 4 days later that Rustock came back with a vengeance and resumed its normal spamming activities.
Since that time we have also seen the Mega-D botnet come back online as well. The current net result is still positive as spam volumes are still about 40% lower than what they were prior to McColo. This is largely due to the fact that the Srizbi botnet still only shows minor signs of life despite reports that Srizbi is back in the hands of its original owners.
I am still surprised that these botnets were so easy to cripple to begin with, even if only temporarily. What this will end up leading to, however, is the bigger, better botnet: one with more redundancy built in, with command and control centers that are live on multiple networks with bandwidth provided by multiple providers, and that fast-fluxes both its nodes and its nameservers to create a truly interconnected network that can only be taken down by effectively removing all of the connected, infected machines. Add in encrypted channel communication between the nodes and some of the DDoS defense mechanisms incorporated by botnets like Storm and your botnet is bulletproof.
As defenses improve, attack tactics evolve. Just like when Word macro writers realized that they had to move on to the next generation of infection, those who are diligently working on new botnet communication technology are working on the next generation botnets (yes, plural). Get ready.
Back in May of this year we blogged about the increased use of Calendar Spam - unsolicited calendar invites being sent by spammers to deliver content to your inbox. These are particularly annoying for several reasons:
-- Some phones (like the iPhone) will automatically wake up when you receive a new calendar invite and display the details of the invite on screen
-- The default behavior of the most commonly used calendar applications is to automatically display events that you have been invited to on your calendar regardless of whether you have accepted the invitation or not, and in many cases will even block out the reserved time on your calendar as "Tentative"
-- If you ignore the invite and it was sent with a reminder attached to it, the message will notify you again shortly before the proposed meeting is scheduled to take place
-- If you decline the invite, you have essentially validated your email address to whoever is the recipient of the notification that you refused the meeting
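Every problem in the list above stems from calendar clients acting on a meeting request before the recipient has looked at it. A mail gateway or client plug-in can instead triage the iCalendar part first and hold requests from unknown organizers out of the calendar, without sending any reply (which, as the last point notes, would confirm the address). The following is an added example of that triage, not code from MX Logic or any calendar vendor; the organizer addresses, domains and the invite text are constructed, and the "trusted domains" and "known senders" lists are assumed inputs the deployment would supply from its own directory or address book.

```python
"""Triage an iCalendar (RFC 5545) meeting request before a client auto-adds it (added example)."""


def unfold_ics(text):
    """RFC 5545 folds long lines with CRLF + one space/tab; rejoin them before parsing."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_invite(text):
    """Extract the fields the triage rule needs from a VCALENDAR with one VEVENT."""
    info = {"method": None, "organizer": None, "summary": None, "has_alarm": False, "attendees": []}
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        name_params, value = line.split(":", 1)
        name = name_params.split(";", 1)[0].upper()   # drop property parameters such as CN=
        value = value.strip()
        if name == "BEGIN" and value.upper() == "VALARM":
            info["has_alarm"] = True                   # a reminder that fires even if ignored
        elif name == "METHOD":
            info["method"] = value.upper()
        elif name == "SUMMARY":
            info["summary"] = value
        elif name in ("ORGANIZER", "ATTENDEE"):
            addr = value[7:] if value.lower().startswith("mailto:") else value
            if name == "ORGANIZER":
                info["organizer"] = addr.lower()
            else:
                info["attendees"].append(addr.lower())
    return info


def triage_invite(text, trusted_domains, known_senders=()):
    """Return 'auto_add', 'hold_for_review' or 'pass_through' plus the reasons."""
    info = parse_invite(text)
    if info["method"] != "REQUEST":
        # REPLY/CANCEL do not create new calendar entries, so they are not the problem here.
        return {"action": "pass_through", "reasons": [], **info}
    reasons = []
    org = info["organizer"] or ""
    domain = org.rsplit("@", 1)[-1] if "@" in org else ""
    if not org:
        reasons.append("no organizer")
    elif domain not in trusted_domains and org not in known_senders:
        reasons.append("organizer is neither a trusted domain nor a known contact")
    if reasons and info["has_alarm"]:
        reasons.append("carries a reminder that would re-surface the invite later")
    action = "hold_for_review" if reasons else "auto_add"
    # Held invites get no REPLY at all: declining would validate the address to the sender.
    return {"action": action, "reasons": reasons, **info}


# Constructed sample: an unsolicited vendor demo invite, with a folded SUMMARY and a reminder.
UNSOLICITED_INVITE = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Sales Team:mailto:demo@vendor-marketing.example\r\n"
    "ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:analyst@corp.example\r\n"
    "SUMMARY:Demo of our new monitoring solution - we tried to reach you\r\n"
    "  by phone several times\r\n"
    "DTSTART:20081209T170000Z\r\n"
    "BEGIN:VALARM\r\n"
    "TRIGGER:-PT15M\r\n"
    "ACTION:DISPLAY\r\n"
    "END:VALARM\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed sample: an ordinary internal meeting from a colleague.
INTERNAL_INVITE = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER:mailto:boss@corp.example\r\n"
    "ATTENDEE:mailto:analyst@corp.example\r\n"
    "SUMMARY:Weekly threat review\r\n"
    "DTSTART:20081210T160000Z\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(triage_invite(UNSOLICITED_INVITE, trusted_domains={"corp.example"}))
    print(triage_invite(INTERNAL_INVITE, trusted_domains={"corp.example"}))
```

The rule is deliberately conservative: anything that is not a REQUEST passes through, and a request is only auto-added when the organizer is already known. Holding the invite rather than declining it is the key design choice, since a decline is itself a delivery confirmation to the sender.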
Earlier this week my boss, our CTO, and I received an unsolicited calendar invite from the folks over at Nimsoft (sorry, you spammed so you get called out in public) alleging that they had made several unsuccessful attempts to contact us via telephone (they never called me!) and wanting to set up a demo of their new monitoring solution. That same day my boss received an email advertising this concept of In-Calendar "Marketing" (ironic that they sent a spam email to advertise their calendar "Marketing", no? :) ):
So, In-Calendar "Marketing" is essentially riding on the coattails of tactics spammers use to attempt to increase deliverability into the inbox. Their primary intent is to attempt to circumvent spam filters because they know they aren't sending legitimate or wanted content.
It's a clever tactic because it increases the stickiness of the message as well. If you get a Viagra email in your inbox and you delete it, no harm, no foul. With calendar spam, the time may get reserved on your calendar and appear to others as if you are scheduled for a meeting, reducing your own productivity as well as reminding you of the unwanted invitation before the demo/sales call/whatever was scheduled to begin.
I can certainly understand why these marketers (a term I am using very loosely in this case) are doing whatever they can to increase their own deliverability rates, especially in tough economic times, but instead of resorting to tactics that are clearly being used as a copycat spammer tactic maybe they should try following published best practices instead. A novel concept....
Happy "Cyber Monday" - what is widely considered to be the official start of the online shopping season. After eating too much turkey, gravy, mashed potatoes, and stuffing on Thursday (and probably Friday, Saturday, and Sunday too!), then spending way too much time in line for Black Friday shopping deals that probably weren't worth getting up at 3am for, today is the first day back at work after the long holiday weekend. As such, today is also the day that many people start buying presents online.
According to comScore, spending on Cyber Monday has historically reflected overall holiday season spending. The question that I have though, "Is Cyber Monday relevant anymore?" Many retailers now offer the option, even on Black Friday, to order items via their web site to get the same deals. So, many of the specials that people were standing in line for on Friday could have been purchased online, at home, in your pajamas.
From a security perspective, Cyber Monday is the start of a season where we attempt to educate users as much as possible as it relates to being aware of the "too good to be true" deals that may arrive in your inbox and have typically offered a couple of pointers to keep yourself safe online:
-- Shop only with vendors that you already know and trust. Don't give your credit card information away to someone that you don't already have some kind of pre-existing shopping relationship with.
-- Avoid clicking on what appear to be links to legitimate web sites in an email or IM. If you want to go to the Lands' End web site to shop, go to the URL directly. The link may actually go to a look-alike site set up solely to steal information.
-- Ensure that web sites that are accepting credit card information and/or that you have to log into have SSL encryption on the pages that are processing this data. This should be a given and a standard nowadays, but the absence of encryption for your sensitive data should be your first red flag that your business should likely be taken elsewhere.
-- Look for seals from privacy enforcement organizations like TRUSTe and BBBOnline. Although this isn't a guarantee that their site cannot be compromised, cooperation with these organizations means that they do not ask for sensitive information like a social security number without explicitly explaining in their Privacy Policy why they are collecting it. So you can at least be certain going in why you are being asked for something that you wouldn't normally provide. You can then make an informed decision as to whether you want to take your business to another merchant.
These tips are not just important for Cyber Monday though. They are relevant to the entire holiday season and for the entire year. Sometimes with the rush and hurry to find the best deals for that must-have gift we let our guards down or think that it is too inconvenient to go through some of these extra steps. The question then comes down to, whether you want to take a few extra minutes to make educated decisions about who you are giving your credit card data to now or risk spending a lot more time trying to clean up an avoidable mess later.
Here's to a fun, safe, and secure holiday season. Cheers! :)
Apparently you just can't keep a good botnet down.
As expected, the honeymoon that we have been on since the November 11th shutdown of McColo is over. As we discussed in our previous post about the volume declines after the McColo shutdown, the Rustock botnet was able to update some of its infected machines during an approximately 12 hour period that McColo was brought back online by TeliaSonera, a Swedish ISP. Rustock has come back and come back strong over the past few days mostly sending out Canadian Pharmacy spam (one of our all time favorites).
Above are traffic graphs for the three major botnets that were affected as a result of the McColo shutdown. The big dropoffs for Srizbi and Mega-D are both on November 12 (the day after McColo was taken offline). Traffic from both the Srizbi and Mega-D botnets has been virtually non-existent since the 12th.
The Rustock spike started on November 20, about 5 days after McColo was temporarily brought back online.
Just to keep us all on our toes, we've even seen some signs of life from the Storm botnet that most of us had written off for dead. Although it is felt that some of this traffic was coming from poorly configured Barracuda devices, we're still keeping an eye out in the event that there is potential of this botnet coming back.
Despite the resurrection of the Rustock botnet, overall mail volumes are still down about 30-35% from where they were prior to November 11. Today, FireEye is reporting that the Srizbi botnet is back under the control of its original owners and that new command and control servers have been registered in Russia. So, it stands to reason that Srizbi will not be dormant for much longer before we start to see spam volumes increasing again. The last two weeks have been a nice holiday before the holiday, but it looks like we are very quickly getting back to business as usual....and that's just the way I like it!
Last week we reported the significant decrease in spam volumes as a result of the shutdown of McColo, a hosting provider that was catering to spammers. I wanted to take a few minutes and lend a bit more color and data to what we originally reported now that we have had a few days to let the real effect soak in.
We continue to see more than a 50% decline in total mail flow (all of it spam). In fact, that percentage appears to have leveled off at over 60%. A bit lower than the 75% reduction some are reporting, but no matter how you slice it the effect has been more than significant.
Below is a graph outlining hourly mail flow patterns since November 1:
The significant drop-off that you see about two-thirds of the way through the graph correlates directly with the McColo shutdown on 11/11. According to our stats that dropoff occurred during the 1pm MST hour on the eleventh.
A few botnets in particular appear to have been severely debilitated as a result of the McColo shutdown. Those are the Srizbi, Rustock, and Mega-D botnets. Traffic associated with the Mega-D botnet (named such because of its advertisement of male enhancement products) has declined over 95% since 11/11 and Srizbi volume has declined by over 80%.
Sophos is reporting that McColo was briefly brought back online this weekend by a Swedish ISP named TeliaSonera. After receiving many complaints about the matter from security researchers they were taken offline again, but not before the folks responsible for the Rustock botnet were able to release a code update to their bots to point them away from McColo. It is unclear at this point whether that update was released to a significant base of Rustock infected PCs, but it does breathe new life into a botnet that had briefly been put on life support. So far today we are not observing any significant effect as a result of the Rustock update.
Spam percentages have also taken a big hit as a result of the decline in spam volume. For the past 2 years we have been reporting spam at about 90% of all email traffic on the internet. Since the McColo shutdown those percentages have occasionally dipped down into the low-to-mid 70 percent range, levels we have not seen since the first quarter of 2006.
Although the short-term effect of the McColo shutdown has been significant, we still do not believe that spam volumes will be affected over the long haul. Botnets come and go and malware techniques will continue to evolve. As Storm declined in volume, botnets like Srizbi, Mega-D, Rustock, Cutwail, and others have been more than ready to pick up the slack. The punch line to all of this remains the same. The people who can have the most impact in continuing to win battles in the war against spam are the people who are providing domain registrar service, DNS service, and ultimately bandwidth service to bots and botnet owners. If bots cannot communicate, they cannot thrive. The events of the past week have been a perfect example of that.
Just hours after Barack Obama was projected by all of the major news outlets to become the 44th President of the United States, cyber criminals have already launched a link-based malware campaign using Obama as a lure. Uncle Sam wants you to vote. Spammers want you to join their botnets!
As with most effective malware campaigns, timeliness is everything. From what we are seeing so far, the social engineering tactic being used, coupled with the interest in the election and its outcome, is already producing high volumes: many users are being tricked into infecting their PCs with this malware, which will in turn be used to send out more of this type of spam.
Starting at about 8am MST this morning we started to see messages come into our spamtraps purporting to be from various credible news organizations, using From addresses like news@bbc.com, news@cnn.com, election@usatoday.com, among others. The emails have subject lines such as "Barack Obama Wins", "Election Night Results", and "Fear of a Black President".
The messages themselves vary a bit, but the basic premise is the same across the different variants that we have observed so far.
Here is one sample:
-----------------------------------------------
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
------------------------------------------------
As usual, note the grammatical errors.
The link in the message brings the user to a look-alike news web site which alleges that the user must download an updated version of Flash to view the video of Obama's speech:
Clicking on the download link attempts to download a file called adobe_flash9.exe, which contains the malware.
If early indications are any measure of future success, this campaign is going to be a success, but won't win the popular vote (ok, sorry for my bad political humor). In the first 2 hours we have already seen almost 1M of these messages (over 350k in the 8am MST hour and over 600k in the 9am hour).
The folks over at Websense reported another Obama malware campaign in Spanish. This, however appears to be a very low volume, targeted campaign. We have seen less than 50 of these total, but it underlines the fact that cyber criminals are definitely jumping on the post-election bandwagon and doing it in a big way. Strangely enough, if this trend continues we might see more post-election spam than we saw pre-election. Who would've expected that?
According to this PC World Article, spammers have started using political hacktivism by reaching out to keep voters from going to the polls during this election season. Emailed warnings have been sent to people in Maryland telling them that they cannot vote in the election if their homes have been foreclosed on. There have also been reports in Florida that emails have been circulating that your driver's license and social security information will need to match up with federal records in order to be able to vote.
I am certainly no political guru, but the thing that interests me the most about this is what spammers intend to gain by employing this tactic. These emails have been sent out en masse and have not been targeted towards a particular party affiliation. So, it isn't like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other. Either way, in this financially motivated underground economy, it isn't clear to me what a spammer would have to gain by spreading these types of messages. There is no proof at this time that these emails are in any way associated with either the Obama or McCain campaigns.
This certainly isn't the first time that email has been used to spread false political messages, but in many of those cases there has been a target or some kind of agenda associated with it. Barack Obama has been the social engineering lure used in a couple of spam and malware campaigns since the Democratic National Convention concluded, but those have been attempts to discredit Obama by associating him with non-existent online sex videos.
The long and short of all of this is, with one week to go until the election there are likely to be more email campaigns with similar political themes. It is also entirely possible that as users are visiting more and more political web sites to ensure that they are informed about all of the local issues that they will be voting on that some of those web sites may become compromised by cyber criminals. Compromise of legitimate web sites is becoming more and more common. So, be sure that your computer is up to date with all of its latest security updates and patches.
As if the election season didn't wear on everyone's nerves enough between all of the empty promises, rhetoric, and smear campaigns, now we have to deal with candidate "spam" on top of everything else.
Why is spam in quotes?
As we mentioned in the September version of our Threat Report and Forecast (download it here), because of how the CAN-SPAM law is written, it is targeted towards what is defined as "commercial" email messages. Political campaign ads that are not attempting to sell anything do not fall into this category. Hence, politicians can send out as much politically motivated email as they want without penalty.
...and boy have they....
From our observations, Obama has taken the clear technological lead as it relates to using email as a medium to reach out to potential voters. According to our statistics, we are processing about 20,000 messages per day on behalf of the barackobama.com domain, and that doesn't account for the tens or hundreds of other domains that are also likely registered on behalf of the Obama campaign. We are only tracking barackobama.com. On the flip side, the number of messages that we are seeing for johnmccain.com is quite small (a couple hundred per day) in comparison.
Unfortunately, the people running Obama's email campaign and/or web site have some issues to resolve with respect to how their emails are being sent to potential voters. For starters, there is no confirmed consent when an email address is signed up to receive Obama updates. So, nothing stops me from going to the barackobama.com web site and signing up some of my John McCain supporting friends to receive daily updates on Barack Obama (to be fair, the John McCain web site has this same problem!) as he blazes the campaign trail. Yes, there is a link to unsubscribe from these messages at the bottom of the email, but many users do not believe that these links work, especially in instances where they never asked to receive the mail in the first place. They think "If I didn't ask to receive this, why would I believe they would actually stop if I ask them to?" Note that I am not making any claims as to whether or not their particular unsubscribe mechanisms work, rather describing the mindset of a person who received an email they didn't ask for.
The Obama folks also seem to have a problem targeting their emails to the proper audience. This has caused people receiving their emails to report them as spam to their service providers which has resulted in a number of providers starting to block their emails unless the user has added the sender to their personal allow list.
I'll illustrate with my own example.
A few weeks ago I signed up a throwaway account at a free webmail provider to sign up for emails from Obama off of his web site. The emails started flooding in...like this one:
This message was sent by illinois@barackobama.com asking me to attend an event in Wisconsin (Ahem, I live in Colorado). This email is similar to about 8-10 that I receive daily from the Obama campaign telling me about events in New Hampshire, Virginia, North Carolina, Ohio, New Mexico....and on and on.
This is where we get into the argument that I am in very frequently with bulk emailers with respect to "content vs. consent". Many bulk emailers will argue that "You signed up on the site, so they can email you." Although I partially agree with that, many users take a different tack, one of relevance. As a user of email, although I signed up to receive email from barackobama.com, I also gave them my zip code during that sign-up process. As such, they should be able to target which messages I receive and which ones I do not. I don't care about Obama rallies in Ohio, North Carolina, Virginia, or any of the other states that aren't either where I live or within some relatively close proximity. To most people these types of emails are considered junk. The content isn't relevant to them. Although we consented to receive emails from Obama, there is a level of expectation that, based on the fact that you know where I live, you will send me content that I have a chance of caring about. This sort of targeting is not difficult to do.
Disclaimer: Do not consider this post as an endorsement or lack thereof for either candidate. This is simply data that I have collected based on my own personal experiences.
As if Windows users didn't fear Patch Tuesday enough, today there is a new email-borne malware campaign attempting to trick people into installing a piece of malware posing as an official update from Microsoft.
As with many poorly constructed malware campaigns, there is a lot of broken English in the email (even in the Subject line!). The PGP signature at the bottom of the message also appears to be random.
The subject line of the message is "Security Update for OS Microsoft Windows" and it claims to contain an update for several unsupported versions of Windows. This is likely an attempt to infect users who are still on these ancient versions of the Windows OS. Considering the fact that versions of Windows like Windows 98 have been unsupported for so long, if you are still using it, you are likely already infected with lots of other malware and are already a part of many other botnets.
Fake Microsoft Updates are certainly nothing new. We've been seeing them for a couple of years now, but the timing coinciding with Patch Tuesday throws in a wrinkle that I do not recall seeing previously.
It is important to note and remember that all Microsoft Windows updates are distributed either by download off of the Microsoft Web site or through the Windows Update service. Microsoft never releases official patches by email. It is likely that most people are not even seeing this email arrive in their inboxes because most organizations filter out executable attachments (the email comes with a .exe attached to the message) by default.
The message follows:
-----------------------------------------
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.
As is typical with any high profile news story, our Threat Operations Center is immediately on the lookout for any new spam campaigns that might start using that story as a social engineering lure.
This post is an alert that we are likely to start seeing spam campaigns (none have been observed by our TOC as of yet) related to the OJ Simpson guilty verdict from last week. Similar to the CNN and MSNBC campaigns from August it is likely that these spam emails will use a lure to an online video to trick users into visiting malicious web sites that download alleged video codecs that are actually malware.
It appears that some search engines are already being poisoned with links to malicious video downloads based off of certain search criteria related to the verdict. It is typical for these types of tactics to start bleeding into email as well.
If/When we start observing these tactics, we'll be sure to post them along with their details.
Today must be "Return of the Old Tactics" day. A little while ago I wrote about a new tactic being employed for an old Google AdWords phish, and now we are seeing a spin on the fake FedEx delivery notification emails that have been so prevalent over the past month, except now they are targeting UPS.
We are seeing a number of emails hitting our spamtraps that appear to be from "United Postal Service" with a subject line of "[NO-REPLY] UPS Tracking Number 89259281" (the eight digits at the end are random). These messages have an attachment of UPS_LETTER.zip which contains an executable file of UPS_LETTER_N839925.doc.exe (the six digits in the filename may be random as well; we are still collecting samples to be sure).
The message body has the following text:
Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
This tactic is similar to the FedEx scam (see original post from August 22nd here) in that the message claims to be a notification of non-delivery of a package that you sent and the spammer wants you to open a copy of an "invoice" (read: malware). Also similar to the FedEx tactic, the message is very non-descript as to where to pick up the package, which should be an obvious tip-off that something is not quite kosher with this email.
We are still collecting volume stats on this new tactic, so as soon as I have those, I will update this post.
*** UPDATE 10/2/2008 13:45 MDT *** As of 9am today average hourly volume is approximately 100,000 fake UPS notifications per hour. We are continuing to monitor to see if this increases or decreases but as of the time of this update we have seen over 2M of these messages processed by our systems.
I figured that I should write about something timely before I started getting into the things that I have been backlogging lately.
If you recall, back in May we wrote about Google AdWords Phishing (click here for the original post) where the phishing message body was a plain text email alerting users that their AdWords payment could not be processed and that they had to login to the AdWords site (via a link in the email that lead to a fraudulent web site).
The latest tactic has a couple of different twists. The first one of note is that this particular spammer is using an image within the email to render the phishing content. See the below screen shot which is a sample of the email:
The email looks like an HTML formatted message, but it is actually a single image with the spam content contained inside and an image map where the link is. The link points to a legitimate sounding domain as well: selectadwords.net, hosted out of Spain.
The second twist from the original scam is that this message is telling you that you need to renew your AdWords service or else the account will be deactivated. As with many other scams, this is to try to instill a sense of urgency on the part of the recipient and to get them to take action before they have a chance to consider that the message might be fraudulent. All in all, I would say this is a pretty well done scam.
So, why phish Google AdWords? AdWords accounts are separate from Gmail accounts (even though they are all under Google, you use different logins to access each) so they aren't using the information to compromise legitimate accounts to send out spam. They are likely using them to try to extract the payment information used on the account to either steal money or use it as an intermediary account to transfer funds as part of a larger fraud scheme.
As always, if you receive any messages that look like this, promptly delete them.
MX Logic is always looking to find out more about the folks we serve, so we can do a better job at helping to make life just a little easier for IT Managers the world over. To that end, we've just put together a simple, short survey for IT professionals that will provide a better picture of spam and email security concerns facing businesses.
Care to share your opinion? It will only take 2-3 minutes. Once we have enough responses, we'll share the results here on the MX Logic IT Security Blog.
It looks like the spammers using image spam are on the move again.
We've written before about spammers sending out links in emails that point to images that are being housed on free image hosting services like ImageShack and Flickr as vehicles for delivering image spam (see here and here for the original posts from May and June 2007). Other folks have recently written about Google's Picasa image hosting service recently being abused in the same way.
In a spin on blog spam, we've now recently started to see image spam being hosted on Windows Live Spaces, a blogging and social networking platform by Microsoft. In this new tactic, spammers are setting up bogus Live Spaces, hosting an image in the blog section of the page, then spamming out links to the site. So far the spam images that we have seen have had a debt consolidation flavor like this one:
Most of the spamvertised links that are pointing to these images are very obviously suspect and have the format of http://cid-[series of alpha characters].spaces.live.com (e.g. hxxp://cid-8bbc31c85ef08898.spaces.live.com/). Current volumes of these types of emails are about 11,000 per hour.
There is no malware component associated with these campaigns that we are currently observing. It is usually the next logical step so I wouldn't be surprised if we started seeing them soon.
I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September. The latest edition can be downloaded here.
In that report we mention our prediction that as the Democratic and Republican National Conventions concluded and as the campaign season kicks into high gear that we expected to see a continuation of some of the more recent spam tactics that have been employed where hackers were using tabloid like news headlines as a lure to get people to open malicious emails, but with a political twist. So, instead of using fake Britney Spears or Oprah headlines as a means to get unsuspecting users to view a video or news clip the movement has started toward targeting Barack Obama using similar means.
Some of the subject lines that we are currently seeing targeting Obama are:
Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl
Note that we have not yet seen any similar tactics targeting John McCain.
Volume on this tactic is currently extremely low (under 100 total have been seen thus far), but this is likely a proof of concept method that will play itself out over the next two months where more believable tactics are used by spammers. Instead of using tabloid like headlines, be on the lookout for emails containing attachments or links to sites claiming to be hosting the latest candidate television commercial or video with excerpts from a speech at their latest campaign stop.
Obviously there is a bit of a shock factor with these tabloid like headlines that grab people's attention, but since this tactic has been around for several weeks now, expect it to morph to using lures that are far more plausible in the very near future.
There haven't been many dull moments in the Threat Operations Center over the past few weeks. Between multiple CNN spam updates which then morphed into MSNBC spam followed by fake FedEx non-delivery notifications last week, Britney Spears tabloid spam, and up to 30% increases in total spam volume, everyone has certainly been drinking from the fire hose.
We had a new guy named Tyler start recently as well who hasn't yet run for the hills screaming in the midst of all of the chaos. Sounds like a keeper to me!
Beginning yesterday we started tracking the return of Hallmark E-Card spam. If you recall, sending out fake e-cards that lead to malware sites was a popular tactic of the Storm Worm. These new messages appear as if they are being distributed via the Srizbi botnet, but are largely the same as their Storm counterparts.
Below is a screen shot of a sample message that landed in one of our spamtraps:
As with most spammers nowadays, you can tell that they went to some great lengths to ensure that the email looks as legitimate as possible.
In many previous e-card variants all of the links within the email would point directly to the malware hosting site. This trend has recently been shifting and this new Hallmark E-Card tactic improves upon that by only pointing the "here" link above to the malicious web site. All of the other links like Customer Service, Store Locator, etc actually point to the same locations that the real hallmark.com site point to. So, if a suspicious recipient of one of these messages clicks on any link in the email other than the malware download link they may be tricked into believing the message is legitimate since it will direct them to the Hallmark site. Seeing this, they may be more apt to click on the download link and become infected.
Emails associated with this new "e-card" appear to be from "E-Cards@Hallmark.com" and will have subject lines like "You've Recieved a Hallmark E-Card!". The other telltale sign of these fakes can be found if you mouse over (but don't click!!) the "here" link, as it links to an executable file like postcard.gif.exe as opposed to an actual web page.
Be on the lookout for these new fake Hallmark E-Cards, especially as we move closer to the Holiday Season (it's still a ways off, but I am sure some stores will have Christmas items on the shelves soon!) as these are likely to become a popular tactic again for Halloween, Thanksgiving, and Christmas.
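The three lures described above (the UPS .doc.exe attachment, the AdWords image-map phish, and the Hallmark card whose only bad link is the "here" link) share two detectable traits: a link or attachment that ends in an executable extension hidden behind a decoy extension, and a link whose host does not belong to the brand the message claims to be from. The following is an added example, not MX Logic's code; the sample messages, the hosts hallmark-ecards.example and selectadwords.example, and the extension lists are constructed for illustration.

```python
"""Flag disguised executables and off-brand links in an HTML email body or zip attachment.
Added example: sample messages and domains below are constructed, not captured spam."""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that are never the real type of an "invoice", "card" or "picture" (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Decoy extensions spammers place in front of the executable one (assumed list).
DECOY_EXTS = {"doc", "pdf", "gif", "jpg", "jpeg", "png", "html", "htm", "txt"}


def suspicious_filename(name):
    """Return a reason string if `name` looks like a (disguised) executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double extension .%s.%s" % (parts[-2], ext)
    return "executable .%s" % ext


class LinkCollector(HTMLParser):
    """Collects href targets from <a> and <area> (image map) tags, counts images and text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.images = 0
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def same_brand(host, brand_domain):
    host = host.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def analyze_html(html, brand_domain):
    """Findings for an HTML body that claims to come from brand_domain."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href in p.hrefs:
        u = urlparse(href)
        host = u.hostname or ""
        reason = suspicious_filename(u.path)
        if reason:
            findings.append("link %s: %s" % (href, reason))
        if host and not same_brand(host, brand_domain):
            findings.append("link %s: host %s is not %s" % (href, host, brand_domain))
    # One image plus an image map and almost no real text is the AdWords image-spam shape.
    if p.images >= 1 and p.text_chars < 50 and p.hrefs:
        findings.append("image-only body: %d image(s), %d link(s)" % (p.images, len(p.hrefs)))
    return findings


def analyze_zip(data):
    """Findings for zip attachment bytes: members that are disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reason = suspicious_filename(member)
            if reason:
                findings.append("attachment member %s: %s" % (member, reason))
    return findings


# Constructed samples modelled on the posts above (not real captured messages).
HALLMARK_SAMPLE = """<html><body>
<p>You have received a Hallmark E-Card. To see it, click
<a href="http://hallmark-ecards.example/postcard.gif.exe">here</a>.</p>
<a href="http://www.hallmark.com/customer-service">Customer Service</a>
<a href="http://www.hallmark.com/store-locator">Store Locator</a>
</body></html>"""

ADWORDS_SAMPLE = """<html><body>
<img src="cid:body.gif" usemap="#m">
<map name="m"><area shape="rect" coords="0,0,600,400" href="http://selectadwords.example/login"></map>
</body></html>"""


def build_ups_zip():
    """Constructed zip with the double-extension member name from the UPS post (payload is a stub)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_LETTER_N839925.doc.exe", b"MZ-stub")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in analyze_html(HALLMARK_SAMPLE, "hallmark.com"):
        print(finding)
    for finding in analyze_html(ADWORDS_SAMPLE, "google.com"):
        print(finding)
    for finding in analyze_zip(build_ups_zip()):
        print(finding)
```

On the Hallmark sample only the "here" link is reported (twice: disguised executable, off-brand host) while the Customer Service and Store Locator links pass, which is exactly the mixed-link pattern the post describes; the AdWords sample is reported for its off-brand image-map target and for being an image-only body.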
Over the last 24 hours we have seen a large influx of a new email borne malware campaign alleging to be a notification of non-delivery from FedEx.
The email alleges that you sent a package on July 25, but because the recipient's address was not correct when it was shipped it had not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect a copy of the package at the FedEx Office (address of office not given, which should be one clear indicator that something is fishy about the email).
Sample subject lines that we have seen in our Threat Operations Center include:
You Have A Package!!!
Tracking N <fake tracking number>
Volumes have been pretty high as we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email borne malware that we have seen over that same period.
It's times like this that we are reminded that although many of the large scale malware campaigns that we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.
According to a small, recent study performed by Marshal, up to 30% of internet users admit to buying items like sexual enhancement pills, adult entertainment, software, luxury items, and clothing from spam that they have received. These kinds of studies come up every few months or so and the percentages of email users who admit to buying from spam vary wildly (see this Techdirt article which briefly mentions a couple of them). Many of these studies have small sample sizes and little information is given about the other demographics of the participants in the survey (which I think would also be VERY interesting). No matter whether you believe the real number is closer to 4% or 30%, the underlying moral of the story is that a significant number of people are purchasing products from spammers. The answer to the spam-old question of "Who would actually get tricked into buying \/1agra?" is "A lot of people!" Spammers wouldn't continue to spam if it wasn't a profitable venture.
The 30% figure seems a bit high to me in today's internet, especially with the prevalence of spam filters which keep almost all of the junk mail out of user's inboxes. This does lend credence to the theory though that improved social engineering and targeting of spam emails does have a significant effect on the ROI for the spammer. Even though far less spam is arriving in the inbox, a significant percentage of people are still buying it.
I like to play with numbers and derived (what I think are) a few interesting stats.
Let's do some math (everyone's favorite subject):
Number of spam messages per day on the internet: 150B (industry estimate)
Cost to send a spam message $0.000001 (estimate)
Amount in losses from phishing in 2008: $4B (estimated by Gartner)
So, if you assume 150B spam messages per day at $0.000001 per spam message, that works out to spam costing spammers approximately $150,000 per day to send.
If you divide the $4B in losses from phishing ALONE by 365 (the number of days in a year) you get almost $11M per day in losses! This doesn't even include profits from the things that we mentioned at the start of this post such as porn and enhancement pills or even stolen credit cards and compromised bank and brokerage accounts. Cha-Ching!
To be fair, this isn't an apples to apples comparison because we are considering the cost to send ALL spam every day compared with the losses incurred just from phishing, but even just to compare these numbers is staggering! Just using the $11M and $150,000 numbers spammers make over 73x what they spend, just in phishing returns.
How many businesses do you know that would like a 730% daily profit margin? Raise your hand if yours would :)
So, as we've said before: Spam is easy. Spam works. Spam makes huge profits for the criminals behind it all. The numbers are hard to deny. Look for more spam headed toward the inbox, mobile device, or blog nearest you!
Typically when a new, effective, high volume spam or worm tactic is released into the wild (Paris Hilton Videos, Free World Cup Tickets, Fake News Headlines, etc) the copycats are waiting in the wings and ready to latch onto whatever that tactic is, hoping that they might see some success from it as well. This time, however, it appears that the people responsible for the CNN Spam outbreak last week (original post here and update here) are now responsible for a new outbreak today alleging to be MSNBC news updates.
Similar to the CNN outbreak from last week these new MSNBC messages are identifiable by a very distinct subject line. All of the messages that we have seen thus far appear to be from "MSNBC Breaking News" and have a subject line that starts with "msnbc.com - BREAKING NEWS:" followed by some fake news headline.
Here are some examples of what we have seen in our Threat Operations Center thus far (and as usual, some that are just bizarre):
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: I will be suing you
msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death
Find out more at http://breakingnews.msnbc.com
=======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/25384336, select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/)
If a user is tricked into clicking on the breakingnews.msnbc.com link (which doesn't really go to an MSNBC page, but you probably already guessed that), they are presented with a page that looks like this:
This is the same tactic that we saw with the CNN fake news updates from last week as well as with the Porntube malware tactic that we saw back in June (original post here). At this point, you are caught in an endless loop where you either need to kill your browser session or click the OK button, but doing that infects you with the malware.
So far we have seen two variants of these emails. The first links to a file named up.html at the end of the "breakingnews.msnbc.com" URL which linked to a page that is branded CNN, not MSNBC. This should be an immediate red flag to any user that something is not right. The newer variant that we just recently started seeing within the past hour links to msn.html. This page uses the same logo that is on top of the real msnbc.com site and will likely look more legitimate to users.
So far volumes have been ranging in the 1.5 to 2 million message per hour range. Although nowhere near the peaks that we saw with the CNN outbreak from last week, it also took 3 days for the CNN spam to reach those volumes. So, I would say that at this point since we have only been tracking this new variant for about 12 hours the lower volumes are no indication of what is to come, but just like in movies, the sequel usually isn't as good as the original...
The MX Logic Threat Operations Center has been a hoppin' place since the CNN Fake News updates that we originally reported the other day started coming in.
Volumes peaked at over 10M messages per hour (stopping just short of 11M) on the morning of the 7th and have been on a very slow, but steady decline since then. That isn't to say that the threat has gone away, however as since midnight we are still seeing an average of 8M per hour hitting our systems.
Below is a graph showing per hour volumes of the fake CNN news updates starting from 8/4 at 5pm MDT:
We've also seen several morphs of this spam over the past couple of days. Initial variants used the same subject line of "CNN.com Daily Top 10" linking to malware infected sites using the filename index2.htm (e.g. http://infectedsite.com/index2.html). Up until this morning we have seen several different filenames at the end of the URL (e.g. cnnlive.html, cnnnews.html, cnnonline.html, cnnplus.html, cnntop.html, and cnnvideo.html), but no movement in the subject line. As of this morning we are seeing a new morph using the subject line of "CNN Alerts: My Custom Alert." This is likely in response to all of the media attention and awareness that has been brought up over the past couple of days with respect to the original fake news update spam.
We've also noticed that in some cases the pages being linked to in these spam messages are being hosted on legitimate web sites. One of the recent variants that we have seen linked to hxxp://scsroofing.com/cnntop.html. Scsroofing.com is (according to the site) "UK based company offering specialist independent advise on all aspects of industrial and commercial roofing"
According to Websense, they are also seeing this campaign being distributed via blog spam, which could account for some of the drops in volume that we have been seeing over the past 24 hours.
Continue to be on the lookout for these new variants as well as others that may crop up. Also be aware that with the Olympics now underway in Beijing that we may see similar types of messages relating to news and video updates related to the Games.
Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds. The subject of the email is "CNN.com Daily Top 10." Our Threat Operations Center has seen over 5 million of these just in the last hour alone and over 80 million in the last 24 hours.
Below is a screen shot of the message.
Over the last few weeks we have been seeing large spam runs of what we are calling single-line spam where an email contains a brief lure based on fake news headlines such as "US track team disqualified from Olympics" or "Beijing Olympics postponed indefinitely" followed by a link. The web site linked to in the message is a link to a "video codec" (er, malware) that the user is prompted to download in order to view the online video.
The tactic being used here is similar to what we saw with the Porntube malware that we saw back in June (click here for original Porntube blog post) where the user is prompted to download the video codec when the page initially loads. If the user clicks "Cancel" to not download the codec, another popup is presented where the user is told that they have to download the codec to view the video. This endless loop continues until the user kills their browser session at the operating system level or installs the "codec."
This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks as this message looks like it could be a news update email sent by CNN. This new message also attempts to trick the user into believing that they signed up to receive it because of their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.
According to a recent study done on email addiction, Denver is the ninth most email addicted city in the United States (click here for more info and for the other cities in the top 10. BTW, I LOVE the picture on the top of that linked page. Even if you don't care about the list, go for the picture. It's worth it!).
This is not surprising considering the technical culture that exists in and around Denver and I would say its ranking is about right in comparison with the other cities. My biggest surprise was Detroit. I have never been to Detroit, but it has never struck me as a tech-centric city so I am surprised that one is on the list. You could easily win an argument with me on that point though since I really have no personal experience of the city to speak of.
As I sit here in the San Jose airport, I see a number of people checking email on their laptops and on Blackberries (this is San Jose! Where are the iPhones?!). People who are addicted to email need effective email filtering to keep all of the junk off of their mobile devices and out of their inboxes. As more and more malware is developed for mobile devices and as more and more personal information is being stored on those devices, that need will only continue to increase.
This list will definitely be making it over to our sales folks :)
I've officially had enough of the moniker "Spam King." In an attempt to continually overplay the significance of every American spammer arrest, the media insists on calling every arrested, indicted, and convicted spammer a "Spam King."
The latest example is Eddie Davidson who recently walked away from a minimum security lockup in Florence, CO (By the way, how is Colorado getting so popular for spammers lately?) while serving his 21 month sentence for mass mailing stock pump and dump spam on behalf of nearly 20 companies. According to this article, he is yet another to earn the spam monarch title.
If the numbers reported in the article posted by thedenverchannel.com are true, hundreds of thousands of stock pump and dump spam (over what time frame these messages were sent was not given) hardly puts Mr. Davidson in the realm of a king in the spammer community. Compare that to the hundreds of millions of messages that MX Logic processes alone on a daily basis and I would put him more into the realm of a child learning to walk. If you want your true Spam Kings, check out the Top 10 Worst ROKSO Spammers according to Spamhaus here.
As I've stated previously, I am certainly not bemoaning the fact that governments around the world are stepping up their efforts in order to get as many spammers off the streets as they possibly can, but can we please not sensationalize them by calling them Spam Kings?
Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out. Granted, new Storm Worm variants are nothing new. They come out all the time. I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.
The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).
This is a screen shot of what the site looks like:
Clicking on the banner at the top of the page attempts to download a file named winner.exe. Clicking the "Click Here" link attempts to download mylove.exe.
Here are the virustotal.com results for winner.exe and mylove.exe:
First result set:

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | -
AntiVir | 7.8.0.59 | 2008.06.30 | -
Authentium | 5.1.0.4 | 2008.06.29 | -
Avast | 4.8.1195.0 | 2008.06.30 | -
AVG | 7.5.0.516 | 2008.06.30 | -
BitDefender | 7.2 | 2008.06.30 | -
CAT-QuickHeal | 9.50 | 2008.06.30 | -
ClamAV | 0.93.1 | 2008.07.01 | -
DrWeb | 4.44.0.09170 | 2008.06.30 | -
eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File
eTrust-Vet | 31.6.5914 | 2008.06.30 | -
Ewido | 4.0 | 2008.06.27 | -
F-Prot | 4.4.4.56 | 2008.06.29 | -
F-Secure | 7.60.13501.0 | 2008.06.26 | -
Fortinet | 3.14.0.0 | 2008.07.01 | -
GData | 2.0.7306.1023 | 2008.06.30 | -
Ikarus | T3.1.1.26.0 | 2008.06.30 | -
Kaspersky | 7.0.0.125 | 2008.07.01 | -
McAfee | 5328 | 2008.06.30 | -
Microsoft | 1.3704 | 2008.07.01 | -
NOD32v2 | 3229 | 2008.06.30 | -
Norman | 5.80.02 | 2008.06.30 | -
Panda | 9.0.0.4 | 2008.07.01 | Suspicious file
Prevx1 | V2 | 2008.07.01 | -
Rising | 20.51.02.00 | 2008.06.30 | -
Sophos | 4.30.0 | 2008.07.01 | -
Sunbelt | 3.1.1509.1 | 2008.06.30 | -
Symantec | 10 | 2008.07.01 | -
TheHacker | 6.2.96.365 | 2008.07.01 | -
TrendMicro | 8.700.0.1004 | 2008.06.30 | -
VBA32 | 3.12.6.8 | 2008.06.30 | -
VirusBuster | 4.5.11.0 | 2008.06.30 | -
Webwasher-Gateway | 6.6.2 | 2008.06.30 | -

Second result set:

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | -
AntiVir | 7.8.0.59 | 2008.06.30 | -
Authentium | 5.1.0.4 | 2008.06.29 | -
Avast | 4.8.1195.0 | 2008.06.30 | -
AVG | 7.5.0.516 | 2008.06.30 | -
BitDefender | 7.2 | 2008.06.30 | Trojan.Peed.JLV
CAT-QuickHeal | 9.50 | 2008.06.30 | -
ClamAV | 0.93.1 | 2008.07.01 | -
DrWeb | 4.44.0.09170 | 2008.06.30 | -
eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File
eTrust-Vet | 31.6.5914 | 2008.06.30 | -
Ewido | 4.0 | 2008.06.27 | -
F-Prot | 4.4.4.56 | 2008.06.29 | -
F-Secure | 7.60.13501.0 | 2008.06.26 | -
Fortinet | 3.14.0.0 | 2008.07.01 | -
GData | 2.0.7306.1023 | 2008.06.30 | -
Ikarus | T3.1.1.26.0 | 2008.06.30 | Email-Worm.Win32.Zhelatin.zy
Kaspersky | 7.0.0.125 | 2008.07.01 | -
McAfee | 5328 | 2008.06.30 | -
Microsoft | 1.3704 | 2008.07.01 | -
NOD32v2 | 3229 | 2008.06.30 | -
Norman | 5.80.02 | 2008.06.30 | -
Panda | 9.0.0.4 | 2008.07.01 | -
Prevx1 | V2 | 2008.07.01 | -
Rising | 20.51.02.00 | 2008.06.30 | -
Sophos | 4.30.0 | 2008.07.01 | -
Sunbelt | 3.1.1509.1 | 2008.06.30 | -
Symantec | 10 | 2008.07.01 | -
TheHacker | 6.2.96.365 | 2008.07.01 | -
TrendMicro | 8.700.0.1004 | 2008.06.30 | -
VBA32 | 3.12.6.8 | 2008.06.30 | -
VirusBuster | 4.5.11.0 | 2008.06.30 | -
Webwasher-Gateway | 6.6.2 | 2008.06.30 | -
So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon. The IPs that are hosting the infected URLs are being rotated using fast flux. In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times.
This is not likely to be the only time this week that we hear from Storm. Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge. Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless.
Expect to see some revisit of Storm sometime later this week. It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.
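The fast-flux rotation mentioned above (hosting IPs changing several times within a 15 minute watch) is something a mail-security team can score rather than eyeball. The following is an added example and not MX Logic's code: it takes a series of DNS observations (constructed here, with hostnames ending in .invalid and RFC 5737 documentation addresses) and reports distinct IP count, answer churn and minimum TTL; the thresholds in looks_fast_flux are assumptions a practitioner would tune to their own resolver data.

```python
"""Score a hostname for fast-flux behaviour from a series of DNS observations.
Added example: observations, hostnames and thresholds are constructed assumptions."""
from collections import namedtuple

# ts = seconds since the start of the watch; ips = A-record set returned; ttl = answer TTL
Observation = namedtuple("Observation", "ts host ips ttl")

# Constructed watch of ~15 minutes, modelled on the rotation described in the post.
OBSERVATIONS = [
    Observation(0,   "lure.invalid", {"198.51.100.10", "198.51.100.11"}, 120),
    Observation(180, "lure.invalid", {"203.0.113.5", "198.51.100.11"}, 120),
    Observation(360, "lure.invalid", {"203.0.113.5", "192.0.2.77"}, 90),
    Observation(540, "lure.invalid", {"192.0.2.78", "192.0.2.77"}, 90),
    Observation(720, "lure.invalid", {"203.0.113.9", "192.0.2.78"}, 60),
    Observation(900, "lure.invalid", {"198.51.100.30", "203.0.113.9"}, 60),
    # A normally hosted name for contrast: one stable address, long TTL.
    Observation(0,   "static.invalid", {"192.0.2.1"}, 3600),
    Observation(450, "static.invalid", {"192.0.2.1"}, 3600),
    Observation(900, "static.invalid", {"192.0.2.1"}, 3600),
]


def flux_metrics(observations, host):
    """Return churn metrics for `host`, or None if it was never observed."""
    obs = sorted((o for o in observations if o.host == host), key=lambda o: o.ts)
    if not obs:
        return None
    distinct = set()
    changes = 0
    prev = None
    for o in obs:
        distinct |= o.ips
        # Count every lookup whose answer set differs from the previous one.
        if prev is not None and o.ips != prev:
            changes += 1
        prev = o.ips
    return {
        "distinct_ips": len(distinct),
        "answer_changes": changes,
        "min_ttl": min(o.ttl for o in obs),
        "window_s": obs[-1].ts - obs[0].ts,
    }


def looks_fast_flux(metrics, min_distinct=5, max_ttl=300, min_changes=2):
    """Heuristic (assumed thresholds): many distinct IPs, short TTLs and repeated answer changes."""
    return (
        metrics["distinct_ips"] >= min_distinct
        and metrics["min_ttl"] <= max_ttl
        and metrics["answer_changes"] >= min_changes
    )


if __name__ == "__main__":
    for name in ("lure.invalid", "static.invalid"):
        m = flux_metrics(OBSERVATIONS, name)
        print(name, m, "fast-flux" if looks_fast_flux(m) else "stable")
```

The contrast case matters: a CDN-fronted legitimate site can also return different addresses on successive lookups, so a single low TTL or one changed answer should not trip the rule on its own; the combination over a window is what separates the two names above.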
We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site that contains an ActiveX malware component. Our Threat Operations Center started seeing these messages at about 6am today and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours). From what we can tell thus far the malware appears to be related to the Srizbi botnet.
There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories. Here are some example subject lines that we have seen so far:
Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation
The messages themselves are one liners followed by a link to a YouTube look-alike site called PornTube where the user is prompted to install a malicious ActiveX control. Most of the links that we have seen thus far point to a file named r.html at the end of the URL such as (obfuscated since most are still hosting active malware at the time of this posting):
hxxp://envol-restaurant.com/r.html
hxxp://spizarnia.nazwa.pl/r.html
hxxp://wandea1.wandea.org.pl/r.html
Upon visiting these sites you will see the PornTube site in the background and you get the following popup window:
If you click OK, the ActiveX control is installed and your PC is infected, however clicking the Cancel button displays this popup:
At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window. The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).
Keep on the lookout for these as they are currently being distributed in fairly high volumes.
*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour. Looks like this one hit quick and is now tailing off.
Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new Earthquake in China.
Some of the subject lines associated with these messages include:
2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China
Toll mounts in China earthquake
Unprecedented earthquake in China
This is a pretty typical tactic for Storm: ride the wave of current events as a social engineering lure to get users to click on links in emails. This variant primarily targets the Chinese earthquakes, but there is also a mention of the Beijing Olympics, stating that the Olympics will be "under the threat."
If a user clicks the link within one of these emails, they are not immediately infected with Storm. They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:
It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.
Volume of this variant is pretty low. We are currently seeing on the order of about 900 per hour in our Threat Operations Center. Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer.
I wonder if the folks over at Google got the message that service providers had finally had enough of dealing with the backscatter that was coming out of their mail servers, because it has also significantly dropped off since we first started talking about it back in April. Backscatter (bounce messages attempting to be delivered to users that do not exist) rates from Google were over 50% on some days. This means that over 50% of the total mail that we were receiving from Google was these invalid bounces. The backscatter rate has now dropped to about 2% of the total mail from Google. That is still higher than what most would call acceptable, but when you are comparing over 500k messages per day to about 10-15k, I would say that is a significant improvement no matter how you slice it.
Unfortunately, though, the problem has shifted from backscatter to 419 phishing scams. A 419 scam is the advance fee fraud type of scam, where you are promised a much larger sum in return for a small up-front payment. 419 scams are also typically called Nigerian Scams. The term 419 comes from the section of the Nigerian Criminal Code that deals with fraud.
Although still about 25% of the email that we get from Google's network is spam, the traffic has shifted from about 50% backscatter to about 50% phishing, in particular from IP addresses that start with 72.14.204, 72.14.214, and 72.14.246.
This is certainly not intended to single out Google either as they are not the only free webmail provider that we see enormous amounts of spam from. We see plenty from Yahoo and Hotmail as well. Google is the main provider on everyone's radar right now because of the quickly changing nature of attacks against their system and the rapidly changing view across many different industries of the viability of using Google as their business mail host. More and more legitimate businesses are having trouble sending email from their hosted GMail accounts to service providers because Google's mail servers are ending up on block lists with increasing regularity, a trend that is only gaining momentum amongst industry insiders.
Since February we have made several mentions of Google Spam and its migration from benign redirects to Canadian Pharmacy sites to malware distribution via fake Osama bin Laden videos. We also saw a Storm Worm campaign, alleging to be a video codec, that used this same technique.
Since February Google spam had accounted for anywhere between 1-5% of total spam volume, but over the past couple of weeks has all but completely disappeared.
Where did it go?
It seems to have migrated over to Microsoft's Live SkyDrive service. If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.
Here is the basic premise on how this tactic works:
-- Email is received with a link to a document hosted on the SkyDrive service, with some sort of social engineering lure as bait. The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $filename.html is the name of the hosted file)
-- User clicks the link to file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website
-- Redirected web site is displayed in the user's browser and any background code executed which could include the drive-by injection of malware just as we saw with Google Spam.
The HTML file being hosted on SkyDrive is a simple, one-line script:
Currently, SkyDrive Spam is accounting for a little over 1% of the total spam that we are seeing in our Threat Operations Center which means that it is currently as prevalent as both phishing and gambling spam. I don't believe that we have seen the last of Google spam, but focus definitely appears to have moved toward Microsoft for the time being.
As a side note, McAfee originally reported seeing large influxes of SkyDrive Spam back in January, so SkyDrive spam isn't a new tactic; however, it has dramatically increased in prevalence since the drop-off of Google Spam about 2 weeks ago.
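As an added example (not code from the post, nor from Microsoft or McAfee), here are the two checks a mail filter could apply to the pattern described above: a link to an .html file under *.bay.livefilestore.com whose content is a one-line JavaScript or meta-refresh redirect off the hosting domain. The sample HTML and URLs are constructed stand-ins; the hash portion of the URLs and the pharmacy destination are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the hosted file the post describes: a one-line
# JavaScript redirect. The destination is a placeholder, not a real site.
SAMPLE_HTML = ('<html><body><script>window.location="http://pharmacy.example/";'
               '</script></body></html>')

# Constructed link targets as a filter might pull them out of inbound mail.
# "PLACEHOLDER_HASH" stands in for the long calculated value in real URLs.
SAMPLE_URLS = [
    "http://abc123.bay.livefilestore.com/y1p.PLACEHOLDER_HASH./promo.html",
    "http://abc123.bay.livefilestore.com/y1p.PLACEHOLDER_HASH./report.pdf",
    "http://docs.example.org/page.html",
]

# Redirect forms worth recognising in a hosted HTML file. Each pattern
# captures the destination in group 1.
REDIRECT_PATTERNS = [
    # window.location = "..." / location.href = '...' / document.location = "..."
    re.compile(r"""(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""",
               re.IGNORECASE),
    # location.replace("...") / location.assign('...')
    re.compile(r"""location(?:\.href)?\s*\.\s*(?:replace|assign)\s*\(\s*['"]([^'"]+)['"]""",
               re.IGNORECASE),
    # <meta http-equiv="refresh" content="0;url=...">
    re.compile(r"""<meta[^>]+http-equiv\s*=\s*['"]?refresh['"]?[^>]+url\s*=\s*['"]?([^'">\s]+)""",
               re.IGNORECASE),
]


def is_skydrive_html(url):
    """True when a URL has the shape the post describes: an .html file name
    hosted under a *.bay.livefilestore.com hostname."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return host.endswith(".bay.livefilestore.com") and parts.path.lower().endswith(".html")


def find_redirect(html):
    """Return the destination of the first JS or meta-refresh redirect found
    in the HTML, or None when the page does not redirect."""
    for pattern in REDIRECT_PATTERNS:
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None


def classify(url, html):
    """Combine both signals into a verdict a filter could act on.

    'hosted-redirect': SkyDrive-hosted .html whose only job is to bounce the
    visitor to a third-party site (the pattern in the post).
    'redirect':        redirecting page on some other host.
    'clean':           no redirect found.
    """
    destination = find_redirect(html)
    if destination and is_skydrive_html(url):
        dest_host = (urlparse(destination).hostname or "").lower()
        if dest_host and not dest_host.endswith("livefilestore.com"):
            return "hosted-redirect", destination
    if destination:
        return "redirect", destination
    return "clean", None


if __name__ == "__main__":
    for sample_url in SAMPLE_URLS:
        print(sample_url, "->", classify(sample_url, SAMPLE_HTML))
```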
*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic. I just came across the below message (note the link at the bottom) from one of our spamtraps which hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):
Hi fellow
Is the Rising Cost of Prescrlption Drugsare cause of concern?
The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.
You can cut your Medicalbilling.
Simple Way to Cut Your Prescrlption Costs optfor Generic.
Genericpharmacy: A Cheaper Effective Alternative
Forget about huge spendings You can save upto 8O%
Hugesaving because the solutions is directly from manufacturer.
As I was going through one of our spamtraps a few minutes ago I saw a brand new message come in which claimed to be a CNN News Update. This was especially interesting to me because none of our spamtraps subscribe to any updates from CNN (or any other news organization for that matter).
So I started to do a little digging....
Below are the (somewhat elided) headers:
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
<news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
[61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
(8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800
If you are not sure how to read email message headers, here is basically how this message breaks down: It originated from a static DSL customer in India (dsl-KK-static-static-237.201.95.61.airtelbroadband.in) and routed through Taiwan (mail.tfmi.com.tw), then sent to our spamtrap.
Whoever is sending these spam messages either doesn't know what they are doing or is testing the waters for an upcoming spam/malware run. Here's why:
When I opened this message in an email client, the HTML within the message never attempted to render. Why? Because the content type of the message was set in the message header as plain text. This means that the email client should not attempt to render the HTML (show it as it would appear on a web page) but rather display the raw HTML text to the user. Only the truly geeky, like me, would take the time to actually analyze this gibberish.
Also, every link within the message (including the help text at the bottom of the message, which is supposed to link to the CNN web site) pointed to a web site hosted in Italy. Here is an example taken directly from the email:
For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a> and choose the "Help" link on any page.<br> If you do not want to recive any more news from CNN <a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!</span></font> <font color="#808080" face="Arial"></font></p>
There doesn't appear to be anything malicious on the page being linked to at colectionarul.com (at least right now), which leads me to believe that this was either someone who didn't know what they were doing and thus sent out a horribly broken spam message or someone who was doing a test run and that this was a prelude to more current event based social engineering tactics similar to what started the huge Storm Worm outbreaks in January 2007.
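The header walk-through above, as an added example (not the blog's own tooling): the script reconstructs the relay chain from the quoted Received headers, notes sendmail's "(may be forged)" annotation on the origin hop, and checks the two other tells discussed, HTML markup inside a text/plain body and every link pointing away from the claimed sender domain. The Received lines are the ones quoted above (continuation lines indented so they parse); the From and Content-Type headers and the HTML body are constructed stand-ins.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Received headers as quoted in the post; From, Content-Type and the body are
# constructed stand-ins consistent with what the post describes.
SAMPLE_RAW = """\
From: CNN News Update <news@cnn.com>
Content-Type: text/plain; charset=us-ascii
Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw) by
 XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel with ESMTP
 id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
 <news@cnn.com>); Wed, 28 May 2008 11:32:13 -0600 (MDT)
Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
 [61.95.201.237] (may be forged)) (authenticated bits=0) by mail.tfmi.com.tw
 (8.12.5/8.12.8) with ESMTP id m4SHTkxC005178; Thu, 29 May 2008 01:29:49 +0800

<p>CNN News Update</p>
For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a>
and choose the "Help" link on any page.<br>
If you do not want to recive any more news from CNN
<a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO = re.compile(r"^from\s+(\S+)")
RDNS = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")      # "(reverse.name [ip]"
BY = re.compile(r"\bby\s+(\S+)")
HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)
HTML_TAG = re.compile(r"<(a|p|br|html)\b", re.IGNORECASE)


def parse_received(value):
    """Reduce one Received header to the fields an analyst reads first."""
    v = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    helo, rdns, ip, by = HELO.match(v), RDNS.search(v), IPV4.search(v), BY.search(v)
    return {
        "helo": helo.group(1) if helo else None,
        "rdns": rdns.group(1) if rdns else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        # sendmail adds this when the reverse DNS name could not be verified
        "may_be_forged": "may be forged" in v,
    }


def trace_hops(msg):
    """Each relay prepends its own Received header, so the bottom one is the
    origin; return hops ordered from origin to final delivery."""
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def link_hosts(body):
    """Hostnames of every href in the body. The 'hxxp' defanging used in the
    post is undone so the URLs parse."""
    hosts = set()
    for url in HREF.findall(body):
        url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage(raw):
    """Run the three checks from the post and return hops, link hosts and
    a list of human-readable findings."""
    msg = message_from_string(raw)
    hops = trace_hops(msg)
    body = msg.get_payload()
    findings = []
    if hops and hops[0]["may_be_forged"]:
        findings.append("relay could not verify reverse DNS of origin %s (may be forged)"
                        % hops[0]["ip"])
    if msg.get_content_type() == "text/plain" and HTML_TAG.search(body):
        findings.append("HTML markup inside a text/plain body: clients show raw tags")
    hosts = link_hosts(body)
    claimed = parseaddr(msg.get("From", ""))[1].partition("@")[2].lower()
    on_domain = {h for h in hosts if h == claimed or h.endswith("." + claimed)}
    if hosts and claimed and not on_domain:
        findings.append("every link points away from claimed sender domain %s: %s"
                        % (claimed, sorted(hosts)))
    return {"hops": hops, "link_hosts": hosts, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_RAW)
    for i, hop in enumerate(result["hops"]):
        print("hop", i, hop)
    for finding in result["findings"]:
        print("-", finding)
```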
Sometimes the depths to which spammers will stoop really sickens me.
Even in today's criminally infested internet I sometimes naively hope that there is still some kind of Code of Conduct where trying to capitalize off of certain catastrophic events was considered taboo. As we've seen before, such as with the devastation caused by Hurricane Katrina back in 2005, the Indian tsunami in 2004, and now with the earthquake and aftershocks that have already killed over 28,000 people in southwest China's Sichuan province (with estimates that the death toll will be over 50,000 before the final counts are tallied) over the past week and a half, scams looking to tug at both your heart strings and purse strings have started popping up.
I'll abbreviate the message that we received for the sake of brevity (it's about the longest phish I have ever seen) as it gives a fairly detailed account of the plight of the person allegedly sending the message:
Dear friend,
I don't know your exact name. I can only guess.
I ask you to read my letter up to the end. After that you will be in the right to send my letter in a garbage basket or.......
My letter is caused by despair. I don't know to whom to address. I am compelled to ask for help any person. Namely you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.
My name is Arnulfo. My situation plunges me into depression and despair.
I will tell you shortly. I do not even know how to express correctly my thoughts. How to write you about it. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it's stupid or incorrectly. But it's the only thing that is left to do. I just ask to understand me. I even must say that it is a shame to do it.
I will continue. I don't know where you are. And I do not know what news you watched on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it's awful...
Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we
could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese
language and culture. There I also have got acquainted with Jin It's my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.
All. Everything was good. Yes, everything was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not want to describe that occured with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife's parents. Jin was in despair.
But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one output. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I could not stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I do not know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.
[ SEVERAL UNIMPORTANT PARAGRAPHS REMOVED ]
Also some kind people which know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1500$. I have no opportunity to find such sum of money. I tried all ways to find thó money. I do not wish to think that money solve everything in this world. I believe that the main thing is people and love. And I want to believe that I will be able to be beside my Jin soon . We are sure will be happy together.
Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I shall understand you.I I address to you for a help. Your help is required to me. I will tell directly that I ask you to help me with money. I will return you money
later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I shall see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I shall return the money to you in the same way. I am ready to return you more.
I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.
I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have compelled me to write this letter to you. I wish to use all variants To be near to my love.
And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.
I don't know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:
arnulfoqramos@yahoo.com.ph
I have registered it right now. I shall wait fo your answer to this e-mail. If you want to answer me
Yours faithfully Arnulfo
The words that I want to use to describe people who would try to capitalize on an event that has affected hundreds of thousands of people aren't appropriate for a corporate blog, nor for any other conversation for that matter. Every time I see these types of things, it further lowers my faith in humanity.
Please be on the lookout for this and other related scams over the coming weeks as we are sure to see more of them, likely alleging to be from relief organizations and/or companies who claim to be affiliated with them.
If you wish to make a donation to your favorite relief organization to help them to provide assistance to people around the world being affected by these horrific natural disasters please contact them directly. Do not respond to solicitations via email, even if they look legitimate or come from an email address that potentially looks legitimate.
*** UPDATE 5/21/2008 11:20am MDT *** Here are some of the subject lines that we are seeing associated with this scam:
-- Help me
-- Help me please. Read through the letter
-- Last hope. Help me please
-- I ask to help. Please
I wanted to take a moment to respond to the New York Times article that appeared on their website on May 10th with respect to mobile phone spam.
Largely up to this point the United States has missed the boat as it relates to mobile phone spam. This is largely because the problem pales in comparison in the US to the rest of the world. When it is more of an issue here, however it will definitely become more problematic for consumers. In the United States your cell phone number very much becomes tied to your identity. If you change your cell phone number it is a real pain to have to make sure you notify everyone in your contact list (family members, friends, colleagues, etc) that you can no longer be reached at your old number. This combined with cell phone number portability that was introduced a few years ago makes it simple to even switch carriers and keep your number, which hadn't previously been possible. In some other countries, like Japan where mobile spam is a huge problem, cell phone numbers are throwaway. When the Japanese start getting spam on their cell phone, they change numbers until the new number starts getting spammed. Rinse and repeat.
In the United States there has mostly been a wait and see mentality as it relates to mobile spam, but few who have gotten spam on their mobile phone would disagree that it isn't an issue that needs to be addressed.
Let's look at it from the carrier's perspective first, though. The article states that "Communications companies say they are not interested in spam as a profit center." I would say that "publicly" this is true, but if you look at it from a sheer numbers perspective, the carriers are already making big money as a result of mobile spam. Let's use the following statement from the article: "getting as few as 10 unsolicited text messages a month at 20 cents each would cost an extra $24 a year".
Here is where the numbers game really kicks in.
If you assume 10 unsolicited text messages per month (which is a lot in my opinion!) this equates to $2 per month (using their pricing model). Surely some people will wait on the phone on principle alone in order to fight this additional $2 charge on their bill every month; however, many will say that the long telephone waits to fight the charge and get it removed are simply not a productive use of their time and will leave it alone. This, of course, raises the question of where the breaking point is. At what point do the lines cross so that it is an efficient use of time to fight the charge? The answer to that question will lie with each individual consumer.
Where was I? Oh, yes! Security!
The article mentions that "The carriers regularly adjust spam filters to block offending messages. At Sprint, more than 65 percent of all text messages sent over its network are identified and blocked as spam before they reach customers." Spammers are aware that spam filtering for SMS spam is still not very mature. As such, it is a target that is more easily exploited than spam over email. To look at this as a cynic, is this also something that cell phone companies are putting considerable money towards stopping considering the amount of revenue being generated?
I, as well as many others across the security industry, have been predicting the wider-scale movement of spam to mobile devices for the past couple of years now, and have also discussed how much easier that movement is becoming as the inbox and the personal computer become a lot more mobile. I wouldn't yet say that we have turned the corner as it relates to mobile spam, nor would I say that we are on the verge of an epic increase, but the problem definitely continues to grow as the filtering technology lags behind. Mobile malware continues to grow also, albeit not nearly at the same rate as personal computer based malware. Now that most phones are coming with internet access, however, the protections on those devices need to be at least on par with what is being provided for PCs.
Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court.
Here is an elided sample that has been received by our Threat Operations Center:
UNITED STATES TAX COURT
WASHINGTON, DC 20217
Docket No. 622-555. Filed May, 2008.
COMMISSIONER OF INTERNAL REVENUE
Petitioner.
v.
EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE
Respondent.
PETITION
The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008
This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006. As motions, without prejudice, and remand this case to respondent.s Office of Appeals.
Respectfully submitted,
Bennett H. Klein
Tax Court Bar No KB0214
400 Second Street, N.W.,
Washington, D.C. 20217.
The link in the above sample goes to a web page hosted at the domain us-tax.org, which was registered just 4 days ago, May 8th. Based on the format of the scam URL in the above message, this looks very much like some of the other recent executive-targeted scams (like the US District Court scam that I also blogged about) that we have seen lately. It would not surprise me if the same group of people is behind both.
*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour. Very low volumes in an attempt to fly under the radar as much as possible.
There have been more and more complaints popping up on the internet lately in relation to a new type of spam: Calendar Spam. Calendar Spam introduces some new annoyances and some potentially tricky pitfalls beyond what we are used to seeing from typical spam.
Since the announcement of the Google CAPTCHA compromise and the influx of spam and blowback that has been emanating out of the Google network since, it is clear that there is no easy solution to this problem from Google's standpoint (I am giving them the benefit of the doubt that more is being done on the backend than their claims that they are shutting accounts down as quickly as they can, which is clearly a futile effort). Now spammers have also started abusing the Google system to send out spam calendar invites.
One might say: Calendar invites are no more intrusive than spam. I can easily delete them from my inbox just like any other message.
True, except the default behavior of the Google Calendar (and of the Outlook calendar, actually) is to automatically display events that you have been invited to in your calendar, even if you have not responded to them. So, what this means is that if the spammy calendar event was sent to you with a reminder (which they all are), then you will still receive the reminder notification even if you deleted the original invite from your mailbox.
So, what to do? Should you decline these events? Doing so and sending a notification back to the original sender is essentially a validation of your email address which will open the floodgates for more spam. Ignoring it obviously doesn't yield the desired result either as we just discussed.
In fairness, Google does provide some guidance on how to prevent Calendar Spam, which essentially involves not auto-adding events to your calendar. A nice workaround, but certainly not a "fix" in my opinion. This is an important calendaring feature, which is why many of the widely used calendars support it. Simply turning it off because you are receiving spam calendar invites is merely an inconvenient band-aid.
I've also seen some people say "Google signs their mail with DKIM. Shouldn't that help?" Neither DKIM nor Sender ID Framework does anything to determine the reputation of the sender, nor does either make any positive or negative determination as to the content of the message. They only help to determine whether or not the message was spoofed or forged. In this case, since the message is originating through Google's own servers, it will pass any kind of authentication mechanism.
This goes back to the age old discussion that we have had many times in that spammers will latch onto any type of technology they can get their hands on and will use and abuse it in every way possible (many times in ways you and I never even thought they could be abused!).
Clearly Google's problems are running deeper and deeper by the day. New vulnerabilities and abuses of their services are being uncovered on a seemingly daily basis. More and more service providers are starting to block communications from Google as a result, which will start to make them a less viable option for users and businesses alike and will cut into Google's top and bottom lines. Google has some great tools and is certainly an innovation-driven company. Now if only their security would start to catch up to their innovation...
The folks over at Trend Micro have a good write up on a new type of phishing scam that has started floating around over the last week or so: Google AdWords Phishing.
It looks like the scammers are using the same general content in their phish with a couple of different variations on the subject line and the tagline that appears at the end of the message.
The phishing link mentioned in Trend's blog points to a Chinese-registered domain that appears to have been taken down as of the time of this posting, but, being the resilient type that cyber criminals are, they have started to send out a new spam run with links pointing to a new domain (also Chinese-registered): adwords.google.com.s0leo9.cn, which is currently still active.
Below is a screen shot of one of the phish examples that we saw hit one of our spamtraps (note where it is different between here and the screen shot posted on Trend's blog):
From a volume standpoint these phishing attempts appear to be coming in waves. For example, on Tuesday, May 6th our Threat Operations Center was seeing approximately 2,200 of these hitting our systems in the early morning hours up to about 7:00am. After that it dropped off to about 2 per hour. In the early morning hours of May 7th we were again seeing up to 550 per hour.
This tactic won't resonate very well with most people: even though quite a few organizations use Google AdWords to promote their products on Google search result pages, the audience to whom this type of scam will make sense is pretty limited.
30 Years and Still Going Strong with No Signs of Slowdown
It would be inappropriate for me to let this day go by without wishing a happy birthday to one of the most important and controversial terms of the early 21st century.
I try to shy away from actual definitions of spam because its scope has gotten so much wider since the first spam message was sent by Gary Thuerk to a large swath of ARPANET addresses 30 years ago this month.
So, was Thuerk an overly aggressive marketer? Or a pioneer setting the stage for modern day cybercrime? In my opinion the answer is both, but to that I would add the disclaimer that if he didn't do it surely someone else would have.
One could also make the claim that spam started even prior to that using the CTSS (Compatible Time-Sharing System) "mail" command back in 1971 where a developer wrote a long anti-war message that began with "THERE IS NO WAY TO PEACE. PEACE IS THE WAY." Despite being told that using the CTSS mail system in that way would likely be viewed as abusive he defended his position with the statement of "but this is important!"
Obviously spam has evolved quite a bit from its days of ARPANET and CTSS, but there are still a lot of parallels in why spam is sent. The primary end-goal was the use of network technology and over the wire communication for the purpose of making money. Whether that has to do with trying to sell a product (either legitimate or illegitimate) or trying to get a user to install adware or crimeware on their PC, money has been, still is, and will continue to be the primary reason for spam.
As we also know, "Spam Ain't Just for Email Anymore," but it still carries the common theme of network abuse. Social and mobile networks have recently become additional avenues that spammers exploit, through SMS spam and blog spam, and communication technologies like Instant Messenger and Voice over IP (VoIP) haven't been immune either; their abuse has given us the acronyms SPIM and SPIT.
Bill Gates was clearly way off base when he predicted in January, 2004 that spam would be gone in two years. Spam is more prevalent than ever not only in our inboxes, but in just about every way that we communicate and collaborate. As long as people continue to respond to spam it isn't going anywhere. In fact, it will only continue to become more pervasive and unavoidable.
I just had to take a moment and share a couple of spam messages that came into our spamtraps over the past couple of days that I thought were somewhat humorous.
So, apparently if I had bought my Viagra on Sunday, I would have gotten a 73% discount:
However, if I held out until Monday, I would get an 81% discount:
At this rate, if I hold out a couple more days I should be due about a 115% discount and actually be able to make money off the spammers and beat them at their own game! :)
According to a blog entry posted recently by Websense, it looks like spammers have found a way to break the Hotmail email account signup CAPTCHA.
Ever since the story broke in late February about Gmail's CAPTCHA technology being broken, we've been seeing large numbers of both spam and backscatter (at the rate of about 40-50% of all mail traffic) from Google's mail servers. This has also caused some of Google's servers to trigger our automated blocks on an occasional basis. It looks like other anti-spam vendors have followed suit in this approach as well.
It looks like Hotmail will soon be in that same boat unless they can figure out a new system and get the spam accounts shut down.
Yet another entry in the never-ending array of Google Spam that we have been seeing over the past 2 months. The sample that hit our spamtraps within the last hour has a bit of a new twist to it.
When I first opened this message I thought "Neat! Google video spam!" It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google with a fake video as the lure.
Here is a screenshot of the spam:
Clicking any of the links downloads a file named video_codec-v2.12.384.exe.
So far AV pickup is pretty spotty (stats courtesy of VirusTotal):
Antivirus | Version | Last Update | Result
AhnLab-V3 | - | - | -
AntiVir | - | - | TR/Dropper.Gen
Authentium | - | - | -
Avast | - | - | Win32:Agent-GPS
AVG | - | - | -
BitDefender | - | - | DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal | - | - | -
ClamAV | - | - | -
DrWeb | - | - | -
eSafe | - | - | suspicious Trojan/Worm
eTrust-Vet | - | - | -
Ewido | - | - | -
FileAdvisor | - | - | -
Fortinet | - | - | -
F-Prot | - | - | W32/Agent.Q.gen!Eldorado
F-Secure | - | - | Suspicious:W32/Malware!Gemini
Ikarus | - | - | Virus.Win32.Agent.GPS
Kaspersky | - | - | -
McAfee | - | - | Proxy-Agent.af.dr
Microsoft | - | - | Trojan:Win32/Danmec.gen!A
NOD32v2 | - | - | a variant of Win32/Agent.NEQ
Norman | - | - | -
Panda | - | - | -
Prevx1 | - | - | Heuristic: Suspicious File With Bad Child Associations
Rising | - | - | -
Sophos | - | - | Troj/Bdoor-AJR
Symantec | - | - | -
TheHacker | - | - | -
VBA32 | - | - | suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
I was forwarded this article this morning regarding an FBI sting operation using fake web links in an effort to catch people who surf to child porn sites. I am all for prosecuting people who are breaking the law, particularly in relation to offenses relating to child porn, but the method described in the article has an uncomfortably high potential for false positives.
For starters, public web sites are reachable by anyone, anywhere, at any time, regardless of how the visitor got there. How is the FBI to know that you reached the site by following one of their email lures and didn't stumble onto it some other way with no intention of visiting a child porn site? Have you ever found yourself on a porn site, or some other site you weren't expecting, as a result of a mistyped URL, an unintended mouse click, or a deceptive web site? Sure you have!
The article mentions another real possibility of accessing the site via an unsecured wireless connection. Could you frame your neighbor with the dog that barks all day that you don't like by jumping on his open wireless network and surfing to this mousetrap site? What if a bot on your PC was emulating clickthroughs to the site in an attempt to throw authorities on a wild goose chase?
I agree with the author where he states that this potentially sets a dangerous precedent if this type of surveillance continues to be allowed to stand up as evidence. Granted, we've all heard the "someone must have been using my wireless network" and "I must have had malware on my PC" defenses before, but this situation could have some serious federal level consequences. Sounds dangerous to me!
Back in May, 2007 Robert Alan Soloway, a "Spam King" (as he was dubbed) was arrested on criminal charges by the Justice Department (read the original blog post with my thoughts on this event) and at the time there was a lot of discussion amongst the media as to whether or not this was a significant event. Would spam volumes fall? What effect would it have on the spammer community? Have we won a major battle in the fight against email and internet pollution?
My opinion then was that it wouldn't have an effect and the numbers over the past 10 months since his arrest have backed up that claim. Since May, 2007 email spam volumes have actually increased by about 150%!
So, did this have an effect on the spammer community? Clearly not from the standpoint of the cyber criminal's use of email as an effective delivery vehicle. If it had any effect at all, it was from the perspective of further emphasizing that spammers should remain as behind the scenes and as stealthy as possible. Soloway very much bucked the trend in this regard and even went so far as to mock a lawsuit filed against his company by Microsoft.
Based on Soloway's guilty plea he faces up to 26 years in prison. His sentencing is scheduled for June 20th. So, the question remains: "Have we won a major battle in the fight against email and internet pollution?" I believe the answer to the question is "Yes", but true success in this war is clearly not defined by victories in small, individual battles. For every spammer arrested, prosecuted, and fined there are many others ready and willing to carry the torch.
Over the last few weeks we have seen a significant increase in what is known as Google Spam in the Threat Operations Center; sometimes peaking at almost 5% of our overall spam volume.
Google spam is spam that abuses Google's PageRank system by artificially inflating the ranking of a spammer's site. Once that site ranks first for certain keywords, spam blasts go out carrying URLs that run a Google search for those keywords with the "I'm Feeling Lucky" option set, so google.com itself answers with a redirect to the top-ranked result, the spammer's site. The link the recipient sees points at google.com rather than at the spam site, which is the whole point of the trick from a filtering standpoint.
Most of the Google spam that we have seen thus far redirects to different variations of pharmacy sites pushing pills and enhancement products, typical to most health related spam.
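As an added example (this is not code from the original post or from MX Logic), here is a small Python filter that pulls the links out of a message body and flags Google search URLs carrying the btnI parameter, the form field behind the "I'm Feeling Lucky" button. The sample HTML body and the pattern used to recognize Google search hostnames are constructed assumptions for the example, not data from the spam run.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hostnames Google's search front ends answer on (google.com, google.co.uk, ...).
# This pattern is an assumption made for the example, not taken from the post.
GOOGLE_HOST_RE = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed message body: two "I'm Feeling Lucky" redirects, one ordinary
# Google search link and one plain link. Not the actual spam sample.
SAMPLE_HTML = """
<p>Watch the video <a href="http://www.google.com/search?q=cheap+meds+online&btnI=I%27m+Feeling+Lucky">here</a></p>
<p>Or search <a href="http://www.google.com/search?q=mx+logic">normally</a></p>
<p>UK mirror: <a href="http://www.google.co.uk/search?hl=en&q=blue+pills&btnI=1">click</a></p>
<p>Unsubscribe: <a href="http://example.com/search?q=x&btnI=1">here</a></p>
"""


def links_in_html(html):
    """Return every href value in the body, in document order."""
    return HREF_RE.findall(html)


def feeling_lucky_query(url):
    """Return the search keywords if `url` is a Google search link carrying the
    btnI ("I'm Feeling Lucky") parameter, which makes google.com answer with a
    redirect to the top-ranked result instead of a results page. Otherwise None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST_RE.match(host) or parts.path.rstrip("/") != "/search":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "btnI" not in params:
        return None
    return params.get("q", [""])[0]


def find_google_spam_links(links):
    """Map each redirecting link to the keyword query it will be resolved through."""
    hits = {}
    for link in links:
        query = feeling_lucky_query(link)
        if query is not None:
            hits[link] = query
    return hits


if __name__ == "__main__":
    for link, query in find_google_spam_links(links_in_html(SAMPLE_HTML)).items():
        print("redirects via Google for query %r: %s" % (query, link))
```

The check keys on the redirect parameter rather than on the link's hostname, since the hostname is exactly the part the spammer wants a reputation filter to trust; the keyword query it returns is what you would feed back into your own PageRank-abuse tracking.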
One element of Google spam that hasn't received much attention, however, is its potential as a vehicle for file-based malware distribution. Drive-by downloads through malicious JavaScript or iframes are obvious and well documented, but another vector is a Google spam link whose redirect lands the user on a malicious PDF.
Many users have their PCs set up, by default, to automatically open common file types like PDFs without so much as a confirmation box asking whether they are sure they want to open the file. This convenient feature is a wide open hole for malware injection, especially considering the PDF exploits that have been published over the last several months.
To better protect themselves, users should not allow any file type to be opened automatically, no matter how common. It is an inconvenience to click through a confirmation dialog every time we open a file type we are used to and may open 50 times a day, but it puts one more step between ourselves and a potentially malicious download. Allowing any file to be opened on your PC without your prior knowledge and consent extends a level of trust to an untrusted network that should never exist.
Tax Season is here and the IRS scams just keep on coming. We've already seen and talked about many different variants of the IRS phishing emails that say you are due a refund that they will gladly refund to your credit card, but now it appears that the scams have moved into malware downloads.
We've seen a new IRS scam over the past couple of days which is trying to trick users into thinking that they need to update the tax software on their system. Why would the IRS care what tax software you have on your system or if you have any at all? Of course, the real answer is, "They don't."
An example of the message that we are seeing:
Dear Tax Payer,
As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.
To begin the update, please visit hxxp://nzkaa . info and click "Open" when asked how to begin the download.
After doing so, no further action is required on your part.
Thank you for your cooperation,
IRS.GOV Agent #4[3
The URL above is obfuscated in case it is still hosting malware. When I visited the site it appeared to have been taken down, but the domain registration is still active, so it could move to another IP and become a malicious site again.
A couple of interesting/humorous things about this new spam:
-- Every spam message that has hit our systems relating to this scam has come from the same IP address: 92.48.88.145, an IP out of the UK (I wasn't aware that the IRS had offshored their email distribution :) )
-- The web site in the spam is currently (subject to change while the domain is still active) being hosted on an IP out of the Bahamas. Another thing the government has decided to offshore, apparently.
-- Every message identifies itself in its HELO (the greeting that opens the SMTP conversation) as "Exploit". At least they're honest :)
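As an added example (not code from the original post or from MX Logic), here is a Python check that pulls the HELO name and connecting IP out of the outermost Received header and scores a message on the indicators listed above: the single campaign source IP (92.48.88.145, from the post), a HELO that is not a fully qualified host name, the literal HELO string "Exploit", and a From: address at a .gov domain whose HELO host is not under that domain. The header lines are constructed to match the description and are not the captured messages.

```python
import re

# Source IP reported for every message of this run (from the post above).
CAMPAIGN_IPS = {"92.48.88.145"}
# HELO strings seen in this campaign.
CAMPAIGN_HELOS = {"exploit"}

# "Received: from <helo> (<rdns> [<ip>]) by ..." as written by most MTAs.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\((?:[^\s\[]+\s+)?\[([0-9.]+)\]\)", re.IGNORECASE)

# Constructed headers modelled on the campaign (not the actual captured messages)
# and on an ordinary message from a well-behaved host.
SPAM_HEADERS = [
    "Received: from Exploit (unknown [92.48.88.145]) by mx1.example.net with SMTP; Tue, 5 Feb 2008 09:12:44 -0700",
    "From: IRS <service@irs.gov>",
    "Subject: Tax software update required",
]
CLEAN_HEADERS = [
    "Received: from mail.example.org (mail.example.org [198.51.100.7]) by mx1.example.net with ESMTP; Tue, 5 Feb 2008 09:15:02 -0700",
    "From: Alice <alice@example.org>",
    "Subject: Lunch?",
]


def parse_received(header):
    """Return (helo_name, source_ip) from a Received header, or None if unparseable."""
    m = RECEIVED_RE.match(header)
    return (m.group(1), m.group(2)) if m else None


def from_domain(headers):
    """Return the domain of the From: address, lower-cased, or None."""
    for h in headers:
        if h.lower().startswith("from:"):
            m = re.search(r"@([A-Za-z0-9.-]+)", h)
            return m.group(1).lower() if m else None
    return None


def spam_indicators(headers):
    """Return the list of reasons the message matches this campaign's profile."""
    reasons = []
    # The first Received header in the list is the one our own MX wrote, i.e. the
    # hop we actually observed; anything below it can be forged by the sender.
    received = next((parse_received(h) for h in headers if h.lower().startswith("received:")), None)
    if received is None:
        return ["no parseable Received header"]
    helo, ip = received
    if ip in CAMPAIGN_IPS:
        reasons.append("source IP %s is a known campaign sender" % ip)
    if "." not in helo:
        reasons.append("HELO '%s' is not a fully qualified host name" % helo)
    if helo.lower() in CAMPAIGN_HELOS:
        reasons.append("HELO '%s' is a string used by this campaign" % helo)
    sender = from_domain(headers)
    if sender and sender.endswith(".gov") and not helo.lower().endswith(sender):
        reasons.append("claims to be from %s but HELO host '%s' is outside that domain" % (sender, helo))
    return reasons


if __name__ == "__main__":
    for label, headers in (("spam", SPAM_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, spam_indicators(headers))
```

The last check is a heuristic, not proof: plenty of legitimate mail is relayed by a provider whose HELO host is unrelated to the From: domain. It is still a useful signal for agencies that, as noted below, do not send this kind of email in the first place.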
As with the other government agency scams that we have seen to date, volume is low. The MX Logic Threat Operations Center processed around 2,000 of these messages on 2/4, 1,600 on 2/5, and about 550 so far today (as of 1pm MST).
As with the IRS and other government agency scams that preceded this one, remember that the government does not send personal email to alert you of software updates, refunds, or any other official matter. The IRS knows how to get hold of you if it needs to.
I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona" which takes a bit of a different twist when put next to most strains of malware released over the past couple of years.
As we know, malware made the move a few years ago from a vehicle for fame or notoriety to a method for making large amounts of money. Much as MBR rootkits are a throwback to the days when attacking the MBR was a popular infection method, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition. There is a financial component to MonaRonaDona as well, but it is not likely to be very successful.
MonaRonaDona appears to be spreading via malicious advertisements posted on web sites. The user will not know they are infected until they reboot, at which point a popup appears that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity." The malware also prevents the user from opening common programs such as Microsoft Office and Adobe applications.
Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.
Part of the intention of the worm author as well is to socially engineer the user of the infected PC to perform a search in the Google search engine for the name of the worm. Among other fake sites engineered by the malware authors is a site to purchase a product named Unigray. For $40 Unigray alleges that it can clean your PC of MonaRonaDona. Of course, all it really cleans is your wallet out of $40 :)
To me this worm seems like a lot of work for what will likely be very little reward. It is different, though, especially given the hacktivism angle, from most other malware, which makes it interesting.
We've discussed before that we expect to see more political based spam as the presidential election year wears on, especially closer to Democratic and Republican convention times. Expect to see more political based hacktivism type malware lures as the year progresses and as the race for the White House intensifies. As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method for propaganda distribution pertaining to the upcoming election!
Looks like the government agency spoofs from last summer have returned!
During May/June 2007 we saw nearly weekly variants of emails being spammed that spoofed different government agencies, largely targeted at C-level executives and carrying a keylogger payload. These emails started off with the malware attached to the message itself, then migrated to a pull infection model where the user downloaded the malware from a web site via a link embedded in the message.
Starting today we have seen a resurgence of this tactic, but this new variant spoofs the Department of Justice, which had not been one of the spoof targets of the previous spam runs. Below is a redacted screen shot of the new scam (courtesy of McAfee):
As you can see from the above screen shot, the message has an attachment named complaint.zip which contains the malware payload.
A couple of similarities in social engineering tactics between this scam and the previous scams from this summer are the inclusion of the name of the person and the name of the company that the message is being sent to. You'll notice from the screen shot that there are also grammatical errors and misspellings.
A few particular examples that I have seen were sent from IPs in Italy. Somehow I doubt the DoJ has contracted with anyone in Italy to start sending legitimate complaint notices :)
Volumes of this scam have been pretty low, on the order of a few hundred messages per hour seen by our Threat Operations Center. No information yet as to specific targeting. This post will be updated as more information becomes available.
Between our webmaster working on a new blogging tool for me to use and the first of three Messaging Anti Abuse Working Group (MAAWG) meetings for the year in San Francisco last week (I am now Chairing the Botnet/Zombie Subcommittee), I've not had nearly the time that I normally have for blogging over the past couple of weeks. I've been queuing up topics in the meantime though so we should be back on our regular posting cadence now.
In comparison to most previous years, 2008 is off to a pretty fast start as far as spam and malware are concerned. Save for last year, when the Storm Worm started January off with a bang, the months of January to April are typically a bit slow in terms of new worms, malware, and spam volume. The primary reason for this "slow season" is that a good number of malware writers are of high school or college age and are in school or otherwise occupied during the early months of the year. Come May or thereabouts, schools let out for the summer, kids find themselves with more idle time, and the flood of malware and spam begins. Infections rise, spam levels rise, and things quickly start hopping around our TOC.
2008 has somewhat bucked the trend in that regard as we have seen a number of developments just in the first two months of the year alone: MBR Rootkits, Drive-By Pharming, and continually high spam volumes which normally drop off by as much as 30% after the first of the year. In fact, the spam volumes that we have been observing this week are UP about 20% from any other week so far this year!
We've also seen social engineering tactics like fake Microsoft updates with links to malware, and IRS phishing scams claiming that you are due a refund that will gladly be credited to your credit card if you provide the card number (not new tactics, but worth noting nonetheless), as well as Google spam (email with links to Google search results that forward you to sites that have abused Google's PageRank system).
Google spam is currently accounting for around 100,000 messages per hour that we are seeing in our Threat Operations Center. Although this doesn't represent a significant percentage of volume, it is the most prevalent spam tactic that we are currently observing. Compare that to IRS phishing which we are currently seeing at a rate of less than 100 per hour.
If the first two months of 2008 are any indication of what the rest of the year will be like, perhaps it is appropriate that it is the year of the rat according to the Chinese calendar :)
So who is Ron Paul, you ask? He is a Texas Congressman running for the Republican nomination for President of the United States in the 2008 election.
Who else is Ron Paul, you ask? He is the subject of a massive spam campaign over the last week (which continues today) where emails are being blasted out on his behalf in an effort to drum up support for his candidacy.
Unlike most spam, which generally carries all sorts of randomized content in an effort to get past spam filters, the content of these messages is pretty static, save for the subject line and a small snippet of otherwise meaningless random characters at the very end of the message. Some of the subject lines we have seen associated with the Ron Paul spam are:
Who is Ron Paul?
Vote Ron Paul 2008!
Iraq Scam Exposed, Ron Paul
IRS Fears Ron Paul?
Ron Paul Exposes Federal Reserve!
Ron Paul Wins GOP Debate!
Each of these subjects has one thing in common: 7 random letters in mixed case (upper and lower) at the very end of the subject line, presumably in an effort to throw off anti-spam filters. Folks from the Ron Paul campaign deny having anything to do with the spam run, which is originating mostly from botnet machines and open email relays.
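As an added example (not code from the original post or from MX Logic), here is a Python routine that strips that kind of random 7-letter tail off a subject line and then clusters messages by the subject that remains, which is how a run with static content and a per-message hash buster shows up as a handful of base subjects with many variants. The subject strings below are constructed: the post lists the subject texts but not the exact random letters that followed them.

```python
import re
from collections import Counter

# A trailing token of exactly 7 letters, separated from the real subject by whitespace.
SUFFIX_RE = re.compile(r"^(.*\S)\s+([A-Za-z]{7})$")

# Constructed subjects (assumed random tails; the post does not quote the real ones).
SAMPLE_SUBJECTS = [
    "Who is Ron Paul? kQzTxAb",
    "Who is Ron Paul? PmwRtcZ",
    "Vote Ron Paul 2008! mnBQrWx",
    "Ron Paul Wins GOP Debate! XoqLpYe",
    "Who is Ron Paul?",            # no tail at all: not counted as a variant
    "Meeting moved to Tuesday",    # Capitalised word, not a random token
    "Status REPORTS",              # all upper case, not a random token
]


def looks_random(token):
    """True if the token mixes upper and lower case the way a hash buster does.
    All-lower, all-upper and Capitalised tokens are treated as ordinary words."""
    has_upper = any(c.isupper() for c in token)
    has_lower = any(c.islower() for c in token)
    if not (has_upper and has_lower):
        return False
    if token[0].isupper() and token[1:].islower():
        return False
    return True


def strip_hashbuster(subject):
    """Return (base_subject, tail) where tail is the random 7-letter suffix,
    or (subject, None) when the subject does not end in one."""
    subject = subject.strip()
    m = SUFFIX_RE.match(subject)
    if m and looks_random(m.group(2)):
        return m.group(1), m.group(2)
    return subject, None


def cluster_subjects(subjects):
    """Count hash-busted messages per base subject; subjects without a tail are ignored."""
    counts = Counter()
    for s in subjects:
        base, tail = strip_hashbuster(s)
        if tail is not None:
            counts[base] += 1
    return counts


if __name__ == "__main__":
    for base, n in cluster_subjects(SAMPLE_SUBJECTS).most_common():
        print("%3d  %s" % (n, base))
```

The case test is what keeps a real 7-letter word at the end of a subject (Tuesday, REPORTS) from being mistaken for a hash buster; a 7-letter token that happens to be a CamelCase product name would still match, so treat the cluster count, not a single subject, as the signal.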
This isn't the first time that email has been used as a vehicle for large spam runs carrying politically motivated propaganda. Back in May 2005, machines infected with the Sober-N worm were used to mass distribute spam that decried the Dresden bombing and the admission of Turkey to the European Union. Like those emails, the Ron Paul messages required no further action by the recipient: there was no link to click to visit a web site, and no attachment was distributed.
This brings up a couple of interesting threat scenarios from where I sit:
As the 2008 presidential campaign wears on I would definitely expect to see more campaign-based propaganda spammed out. This particular run happened to be pro Ron Paul, but expect smear campaigns to be sent out as well in an effort to build up negative public opinion. It will be up to the public to be much more diligent in understanding the candidates' true positions on the important issues and not to assume that what they read in email or on the internet is necessarily true.
Another possibility that exists here is the potential for the distribution of malware via these spam messages. I could easily see a lure where political messaging is used as a social engineering technique to get people to open an infected attachment or get someone to click a link which takes them out to a malicious web site infected with malware.
As with any current event or subject that people are passionate about, criminals will try to prey on those feelings and will likely also set up phishing sites posing as campaign contribution sites (similar to the fake donation web sites that pop up after natural disasters).
So, as always there is a wide open potential for further abuse here and I would not be surprised at all to see them all used over the next year leading up to the elections (exactly one year from today, in fact). Always be careful about what you read, be careful about who you are giving your confidential or personally identifiable information to, but ALWAYS be careful about what you click on. Things are not always as they appear to be.
I was talking with our PR firm today with regards to the importance (or lack thereof) of the Robert Soloway arrest. Since it seems as if everyone has an opinion about the topic, myself included (I'm not typically known for lacking an opinion on something, for better or worse), I figured that I would make mine known.
Before I get labeled a naysayer, let me first say that any time a spammer is arrested, particularly one responsible for as much spam and fraud as he was, it is a good day. Soloway operated in a manner where he didn't make great strides to hide who he was or what he did. He is widely known throughout the industry both for his "business model" and for his arrogance and confidence that he would never be caught. So much for that.
The bigger question at hand, though, is whether the arrest of Soloway will make any real difference in the amount of spam on the internet. My opinion is that it won't. If it does, it will only be a short term blip on the radar. There are certainly enough other people out there ready, willing, and able to pick up the slack in Soloway's absence. More people jump into the spamming fray every day, not to mention that Soloway wasn't the biggest spammer out there anyway. Yes, he was a big fish in the pond, but there are certainly bigger fish still out there.
The spam fight is by no means over. This is a great victory, but only one small battle in the overall picture. Hopefully we will see more of these arrests in the near future, because a big part of the spammer bravado is the feeling that they cannot and will not be caught. Until more of the big fish are taken offline there is little to deter more little fish from jumping into the pond with the same arrogance.