Tag Archive for SPAM

Jay Leno Most Dangerous Celebrity in Cyberspace

There are many late nights when I sit in the Bach Seat after a long day of coordinating shared technical services and need some silliness. Tonight Show funny-guy Jay Leno was my late-night source of silliness until BitDefender told me he is the Most Dangerous Celebrity in Cyberspace.

Jay Leno is BitDefender's 2011 Most Dangerous Celebrity in Cyberspace

According to an analysis of 25 million spam messages by the Bucharest, Romania-based anti-malware firm BitDefender, comedian and TV host Jay Leno is the most dangerous Hollywood celebrity in cyberspace. BitDefender found Mr. Leno mentioned in the subject line of 38,000 spam messages, most of which pushed medicine and the purchase of pills but arrived with enticing subjects such as ‘Jay Leno found taking drugs.’

“Cybercriminals follow the latest trends just as consumers do and they use these and the names of popular celebrities in their campaigns to lure people to websites that are full of malicious software (malware),” said Catalin Cosoi, Head of the BitDefender Online Threats Lab.

After Mr. Leno, the article at InfoSec Island says that cybercriminals next most often used Madonna and Cameron Diaz to spread spam. (I noted Cameron Diaz’s reign as the McAfee “Most Dangerous Celebrity on the Web” here.) The rest of the top 10 personalities used by spammers include:

Other notables on the list are:

Notable for their absence from the list are:

rb-

The use of celebrities to promote malware and spam is deeply rooted in social networking and Web 2.0. In 2009, Barracuda Networks identified a ‘Twitter crimewave’ after popular celebrities joined the service to tweet to fans. Criminals followed the celebrities to the new service, sensing a fresh population of easy-to-fool users, and used a range of techniques, including impersonation and simple link spamming, to draw people to malware-infested websites. Facebook still has a major problem with celebrity abuse.

This may seem trivial, because most firms have set up gateways that filter these spam messages out of hapless users’ inboxes. However, enough users ignore the warnings and open spam messages anyway to make spamming on a vast scale worthwhile for the spammers.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Who Moved My SPAM?

Analysis of spam trends by security vendor Commtouch reveals a significant drop in global spam levels, according to Help Net Security. The article says that the average spam level for Q4 2010 was 83%, down from 88% in Q3 2010. The beginning of December saw a low of nearly 74%.

The New York Times also noted the decline in SPAM during Q4 2010. The NYT cites data from MessageLabs that global spam volumes dropped to about 30 billion messages a day from about 70 billion before Christmas. MessageLabs says the decline added to a downward trend underway since August when spam peaked at some 200 billion spam messages a day or 92.2 percent of all e-mail.

There are several theories for why SPAM is drying up. One theory in the NYT article for why the botnets stopped spamming is that an important source of business may have dried up. In September 2010 the Russians closed down SpamIt, the organization allegedly behind much of the world’s pharmacy spam. Without SpamIt, “at least for now, there’s no content to fill the spamming cannons that Rustock has,” John Reid of Spamhaus, a nonprofit group that tracks spammers, told the NYT.

SPAM Volume: Global Projections

Another theory put forward is that the botnet operators are intimidated. The NYT reports that in addition to going after SpamIt, Russian authorities recently arrested two spammers in Taganrog, in southern Russia, who had a database of nearly two billion United States and European Union e-mail addresses they had used to spread malicious programs, according to the HostExploit blog. “Even if the people were unrelated, the chilling effect of arrests can cause others to lay low for a while,” Mr. Reid said, adding, “But all this is speculation.”

Matt Sergeant, a senior anti-spam technologist at MessageLabs, a unit of the security software maker Symantec (SYMC), wrote in a blog post, “Did the people in charge of these botnets suddenly go on vacation? Currently, there are no explanations on why these botnets stopped spamming.”

Another theory is that SPAMmers are changing tactics. The botnet operators seem to be shifting their focus to more lucrative social networking and mobile channels. Jamie Tomasello, Abuse Operations Manager at Cloudmark, told Help Net Security that these platforms allow SPAMmers to reach more responsive recipients than traditional email messages do.

A survey of Facebook users by F-Secure, the anti-malware firm, found that social networking spam is now a problem for three out of four Facebook users, as reported by ITNewsLink. F-Secure also found that 78 percent think spam is a problem on the site and 49 percent report they often see something in their newsfeed that they consider spam.

Ms. Tomasello explains that, technically, a botnet can send any kind of content, so botnets are increasingly being used to send messages that spoof content from social networking sites. This works in a similar way to email phishing attacks: a message drives the recipient to a malicious payload, or to a website that captures the recipient’s social network credentials. The cybercriminal can then log in to the social networking site with the compromised credentials and send spam via the platform to the compromised user’s friends.

Cloudmark’s Tomasello says that these messages can be much more convincing than email spam because social networks, and the friends a user is connected with, are usually well trusted. Once cybercriminals have compromised credentials, they will use them to try to gain access to other e-commerce, social network, email, or bank accounts, because many internet users reuse the same username and password combination across multiple websites.

Mobile devices are also seeing increased threats. Gareth Maclachlan, Chief Operating Officer of AdaptiveMobile, a mobile security firm, told ITnewslink, “With the increasing pervasiveness of Smartphone devices, 2010 has undoubtedly been the year that fraudsters have truly turned their attention to mobile platforms.” Mr. Maclachlan continues:

With Smartphone penetration reported to reach 37 per cent in Europe and 44 per cent in the US by 2012, we predict that the number of threats targeted at unsuspecting mobile users will continue to increase at an exponential rate throughout the course of 2011. Even more significantly, the nature of the threats we are seeing will increase in sophistication. … next year will see the emergence of the ‘compound threat’ – intelligent scams designed to exploit multiple phone capabilities in order to reap maximum reward for the criminals, before the user even realises they have become a victim.

rb-

My SPAM data tracks what the big boys are saying. The average number of SPAM emails I receive has dropped to a near record-low 12.3 SPAM messages per day in January 2011 from a high of 77.5 SPAM messages per day in May 2009. The record low monthly average was 11.0 SPAM messages per day in May 2010. The number of SPAM messages I get on my Blackberry has been minimal, but the number of junk emails I get through LinkedIn has climbed.

Monthly SPAM Averages

Are SPAMmers taking a break or reloading?

What are you doing to prevent SPAM on mobile devices?


Facebook is Biggest Social Networking Risk

Data from anti-malware vendor Sophos’ 2010 Security Threat Report (PDF) says Facebook is the leader in privacy risks, spam, and other malicious activity. 60 percent of the respondents to a Sophos survey identified Facebook as the biggest security risk in social networking, followed by MySpace (18%), Twitter (17%), and LinkedIn (4%).

It is not surprising that users regard Facebook as the top risk. Facebook’s more than 500 million users offer criminals a cornucopia of personal data to exploit. “Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is to be made,” said Graham Cluley, senior technology consultant for Sophos.

Criminals have focused their efforts on social media

Sophos’ research shows that criminals have focused their efforts on social networking users in the last 12 months, creating an “explosion” in social networking spam and malware complaints. Sophos found that 57% of social network users had been spammed on one of the sites, an increase of 70 percent compared to last year. They also found that 36% of social network users reported being sent malware, a 70% increase over last year. “The dramatic rise in attacks in the last year tells us that social networks and their millions of users have to do more to protect themselves from organized cybercrime, or risk falling prey to identity theft schemes, scams, and malware attacks,” Sophos’ Cluley added.

Three things working against Facebook users

There are three things working against Facebook users: the users themselves, malware, and Facebook. Facebook users typically give away more private information to Facebook than to other sites. Through most people’s profiles it is possible to find out their first, last, and maiden names, where they live, where they went to school, and, even worse, historical information such as where they lived in the past. Much of this private information is required on many online credit checks, providing a boon for criminals looking to exploit a user’s credit history or steal their identity.

The most common malware used on social networks is Koobface. Koobface can target all the popular social portals, including Facebook, MySpace, Bebo, Friendster, Tagged, and Twitter. According to the report, Koobface is capable of “... registering a Facebook account, activating the account by confirming an email sent to a Gmail address, befriending random strangers on the site, joining random Facebook groups, and posting messages on the walls of Facebook friends. Furthermore, it includes code to avoid drawing attention to itself by restricting how many new Facebook friends it makes each day.”

Another threat is Facebook applications. Criminals can create malicious Facebook applications designed to steal information, and they can find holes in pre-existing applications and exploit them. Legitimate Facebook apps will give away your information if you allow them to (as I have written about here and here). Once an app has permission, it can harvest all the information in a Facebook profile and send it to criminals. Before users grant an application access to all of their information, they should Google the publisher to see whether it is legitimate. Any application that starts doing anything strange or suspicious should be removed immediately.

Facebook has tried to address these risks by issuing a new privacy policy. However, Sophos’ Cluley called it a step backward, because the new settings are “encouraging many users to share their information with everybody on the internet.” According to Facebook, only 35% of its users actually customized their settings, leaving 65% who presumably didn’t change their settings and continue to share valuable data, which is then used to propagate spam and malware.


2009 SPAM results

PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D (or Ozdok) botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. To shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.

According to the article, the botnet’s command infrastructure was its weak point. The Mega-D bots infesting PCs were directed from online command and control (C&C) servers throughout the world. The researchers found that if the bots could be separated from their controllers, the undirected bots would sit idle on the PCs, not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of fallback destinations to try if it couldn’t reach its primary command server, so taking down Mega-D would need a carefully coordinated attack.

To coordinate the attack, the FireEye team contacted the Internet Service Providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with others in Turkey and Israel. The FireEye team received cooperation from the U.S.-based ISPs but not from the overseas ISPs, and took down the U.S.-based C&C servers.

Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the pool of domain names that the bots would use to reach the Mega-D C&C servers at the overseas ISPs.

As the last step, PC World says that FireEye and the registrars worked to claim the spare domain names that Mega-D’s controllers had listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log attempts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.

MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days after FireEye’s operation, Mega-D’s share of Internet spam fell to less than 0.1 percent, MessageLabs states.

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. And other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement. “We’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

rb-

The takedown of Mega-D by FireEye resulted in a noted decrease in the level of SPAM I observed. During the 10 months before the Mega-D takedown, the daily average of SPAM messages (DASM) received was 49. After the November 2009 takedown, the DASM rate dropped to 33. A step down into the numbers reveals that the November 2009 DASM was 35 and the December DASM was 29.

The overall DASM trend line for 2009 was down. To keep the trend going down, firms should investigate the Shadowserver ASN & Netblock Alerting & Reporting Service. This free reporting service is designed for organizations that directly own or control network space. The service provides reports detailing detected malicious activity to aid their detection and mitigation programs. Shadowserver has provided this service for over two years and now generates over 4,000 reports nightly. The reporting service monitors and alerts on the following activity:

  • Detected Botnet Command and Control servers
  • Infected systems (drones)
  • DDoS attacks (source and victim)
  • Scans
  • Clickfraud
  • Compromised hosts
  • Proxies
  • Spam relays
  • Malicious software droppers and other related information.

Detected malicious activity on a subscriber’s network is flagged and included in daily summary reports detailing the previous 24 hours of activity. These customized reports are made freely available to the responsible network operators as a subscription service.


SPAM Decline?

PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. To shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.

According to the article, the botnet’s command infrastructure was its weak point. The Mega-D malware infecting PCs was directed from online command and control (C&C) servers throughout the world. The researchers found that if the bots could be separated from their controllers, the undirected bots would sit idle on the PCs, not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of other destinations to try if it couldn’t reach its primary command server. So taking down Mega-D would need a carefully coordinated attack.

To set up the coordinated attack, the FireEye team first contacted the Internet Service Providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with one in Turkey and another in Israel. The FireEye team received cooperation from the U.S.-based ISPs but not from the overseas ISPs, and Mushtaq’s team took down the U.S.-based C&C servers.

Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the pool of domain names that the bots would use to reach the Mega-D-affiliated C&C servers at the overseas ISPs.

As the last step, PC World says that FireEye and the registrars worked to claim the spare domain names that Mega-D’s controllers had listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log attempts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
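The sinkhole step described here (and in the identical account under “2009 SPAM results” above) turns check-in logs into a bot-population estimate. As an added example that is not FireEye’s code, this Python script parses constructed sinkhole log lines (the line format, the control domain names and the addresses are all assumptions) and counts distinct infected hosts overall, per day and per fallback domain, skipping crawler traffic and malformed lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log lines (not real Mega-D traffic). Each line holds a
# timestamp, the source IP, the control domain the bot tried, and its request.
SINKHOLE_LOG = """\
2009-11-06T00:01:12Z 198.51.100.7 ctrl-a.example C2CHECKIN
2009-11-06T00:01:13Z 198.51.100.7 ctrl-b.example C2CHECKIN
2009-11-06T00:03:40Z 203.0.113.22 ctrl-a.example C2CHECKIN
2009-11-06T08:15:02Z 192.0.2.9 ctrl-b.example C2CHECKIN
2009-11-06T08:15:02Z 192.0.2.9 ctrl-b.example C2CHECKIN
2009-11-07T01:00:00Z 198.51.100.7 ctrl-a.example C2CHECKIN
2009-11-07T02:10:30Z 203.0.113.22 ctrl-c.example C2CHECKIN
2009-11-07T02:11:00Z 203.0.113.99 ctrl-c.example GET /robots.txt
this line is garbage and should be skipped
"""

# Assumed log layout; a real sinkhole would use its own format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<domain>\S+) (?P<req>.+)$"
)


def parse_checkins(log_text):
    """Yield (date, ip, domain) for each bot check-in.

    Malformed lines are skipped, and so are requests that are not the bot's
    check-in: scanners and web crawlers hit sinkholed names too, and counting
    them would inflate the population estimate."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("req") != "C2CHECKIN":
            continue
        day = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").date()
        yield day, m.group("ip"), m.group("domain")


def summarize(log_text):
    """Estimate the bot population from sinkhole check-ins.

    One infected host walks its fallback list and retries, so it appears in
    several lines; the estimate therefore counts distinct source IPs, not
    hits. (NAT hides hosts behind one IP and DHCP churn splits one host over
    several, so treat the figure as an estimate, as FireEye did.)"""
    hosts, hits = set(), 0
    per_day, per_domain = defaultdict(set), defaultdict(set)
    for day, ip, domain in parse_checkins(log_text):
        hits += 1
        hosts.add(ip)
        per_day[day].add(ip)
        per_domain[domain].add(ip)
    return {
        "checkins": hits,
        "estimated_bots": len(hosts),
        "bots_per_day": {d.isoformat(): len(s) for d, s in sorted(per_day.items())},
        "bots_per_domain": {d: len(s) for d, s in sorted(per_domain.items())},
    }


if __name__ == "__main__":
    for key, value in summarize(SINKHOLE_LOG).items():
        print(f"{key}: {value}")
```

The per-domain counts show which fallback names the bots actually reached for, which is what tells the takedown team whether any name in the list was missed.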

MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. After FireEye’s action, Mega-D’s share of Internet spam fell to less than 0.1 percent, MessageLabs says.

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. And other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful. Until then, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

rb-

The Daily Average SPAM Received (DASR) index reached an all-time low in December 2009. The DASR for December 2009 was 29.4. The trend was on the decline since its all-time high in May 2008 of 77.5, but this seems different.

The impact of the FireEye operation seems longer lasting. The DASR stayed down through December and into the New Year. The month-to-date DASR index for January 2010 is a paltry 15.

Even after the McColo takedown in November 2008, the DASR never reached this low a level. Hopefully, spammers have seen the error in their ways, repented, and found something else to do, but more likely they have reloaded with new ammo as they exploit social networks, Adobe, IE, and Google.
