Security Corner:

E-mail scam

Oct 29 2009   1:16AM GMT

18 Nigerian Spammers Headed for the Slammer



Posted by: Ken Harthun
Nigerian 419 Fraud, E-mail scam, Cyber-criminal, Cybercrime

Nigeria’s Economic and Financial Crimes Commission (EFCC) says that their “Operation Eagle Claw” has so far seen members of 18 syndicates arrested and 800 scam websites shut down. The chairman of the anti-scam force, Mrs. Farida Waziri, said:

We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails.

At the moment, Eagle Claw has delivered the following results:

Over 800 fraudulent e-mail addresses have been identified and shut down. The EFCC is fine tuning security modalities with Microsoft and upon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly.

There have been 18 arrests of high profile syndicates operating cyber crime organizations.

When it [Eagle Claw] is fully deployed, it will afford the EFCC the option of either monitoring or shutting down all fraudulent email addresses. The EFCC would also have identified victims and potential victims and advised them that their email has been compromised.

Does this mean we won’t be getting any more of those touchy-feely emails from Mrs. Farzad Arubi (or whatever bogus names they use these days) who really needs our help to move a million dollars from her late (murdered) husband’s estate?

Not likely, but it’s good to see some of the perpetrators taking it on the chin.

Oct 21 2009   7:08PM GMT

Panda Security Finds Automotive Industry Hit Hardest by Spam



Posted by: Ken Harthun
spam, E-mail scam

Interesting study. It seems that spam content received is constant across all industries and the majority of it is pharmaceutical related. This could mean one of two things: either very few spammers are responsible (likely); or, a lot of men fall for the v-i-AGR*A spam. Anyway, check it out:

Panda Security has just completed a 3-month long study of spam across 11 different industries, exposing that the automotive industry is most heavily targeted. The study found that 99.89 percent of all e-mail received by the automotive industry is spam, with just .11 percent being legitimate messages. The automotive industry was closely followed by the electronics industry and governmental sector as the top spam targets.

When analyzing the survey, Panda found it particularly interesting that while industries are targeted in different ratios, the content of the spam they receive (the majority of which is pharmaceutical related) is constant across all industries.

View the full press release online here: http://www.pandasecurity.com/usa/homeusers/media/press-releases/viewnews?noticia=9906

Panda has posted a breakdown of how each industry is affected to its Flickr page:  http://www.flickr.com/photos/panda_security/4026424134/



Sep 29 2009   12:58AM GMT

New IRS Scam and It Could Cost You More Than Taxes!



Posted by: Ken Harthun
Security, IRS Phishing, E-mail scam, Social Engineering, keylogger, data stealer, Trojan

You usually see this around tax season, but it seems the cyber-crooks have figured out that fear of the IRS is an evergreen topic.

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of “Notice of Underreported Income.” These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

The Zeus Trojan is a keylogger that steals sensitive data, especially targeting online banking credentials. According to “New IRS Scam E-mail Could Be Costly”, in Brian Krebs’ Security Fix column, Landfill Service Corp. (LSC), a solid waste company based in Apalachin, NY, is a recent victim of the Trojan. The firm may end up losing at least $92,000 from the incident. Not good.

The Zeus keystroke logging Trojan’s engine is a file called “sdra64.exe.” At least that’s what LSC’s tech guy found (Variations are sure to surface).

Rather than repeat it in my own words, here’s the US-CERT list of recommendations:


Jul 27 2009   8:50PM GMT

“Of Course, I Never Reply to Spam – Except Sometimes”



Posted by: Ken Harthun
Security, Email security, security awareness, Botnet, Secure Computing, Phishing, E-mail scam, spam

Sounds funny, doesn’t it? But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.’” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:

This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats.  The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?”  It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.

One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.

What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.

The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.

Fellow security professionals, we have our work cut out for us.


Jul 18 2009   3:20PM GMT

Fraud Alert: eBay, craigslist Broken?



Posted by: Ken Harthun
E-mail scam, Security, Scam, Fraud, eBay Fraud

Bruce Schneier’s June 19, 2009 post Fraud on eBay stands as a testament to the fact that all is not well with the online auction giant.

I expected selling my computer on eBay to be easy.

Attempt 1: I listed it. Within hours, someone bought it — from a hacked account, as eBay notified me, cancelling the sale.

Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal immediately, and then — near as I could tell — immediately opened a dispute with PayPal so that the funds were put on hold. And then she sent me an e-mail saying “I paid you, now send me the computer.” But PayPal was faster than she expected, I think. At the same time, I received an e-mail from PayPal saying that I might have received a payment that the account holder did not authorize, and that I shouldn’t ship the item until the investigation is complete.

That’s one example of eBay fraud. Another report in The Consumerist, “It’s Now Completely Impossible To Sell A Laptop On Ebay,” shows another variation, clearly a Nigerian scam:

So I re-listed the item. This time, I lowered the minimum bid and paid for the ‘featured item’ option (which I thought was a stupid idea, but the only way to get my auction seen by any appreciable audience). This time, the auction ended without incident. I got an email from the bidder telling me that he was glad to have won the auction, and was excited for me to ship it… To Nigeria.

Let it be known here that though I may not be the smartest person in the world, I’m not stupid. His email went on to explain (in poor English) that he was ‘on business trip to the Nigeria,’ and that he was willing to pay me $1000 through PayPal for the laptop. Shortly thereafter I received an email from ‘PayPal’ (who is now apparently sending out their customer service emails from gMail), stating that I had received a payment, but that it would not show up in my account until I emailed them back the tracking number for the parcel. Very clever, but once again, I’m not stupid.

While I haven’t had this type of problem on eBay, I have experienced similar fraud on craigslist. Here’s a short excerpt from one of the emails I received from the fraudster (reportedly sent by USPS):

Thanks you for using Postal Money Order, The payment for your merchandise has been paid for,we have your $500:00USD money order sent to you by the buyer of your item Lewis Jack in our database, as soon as the item is shipped, please forward us with the shipping tracking number, so your $500:00USD money order can be mailed to your address, your money order is secure and save.

We will be glad to inform you that the payment sent to you by Lewis Jack has been processed and verified, your payment is now on hold for 48 hours from the period of time you recieve this email, we will be sending you a shipment notification email as soon as we recieve the shipment tracking number for the item your buyer purchased.

Based on the blatant outpoints in grammar and punctuation, it’s pretty obvious that this didn’t come from the United States Postal Service. It’s clearly a scam and I would never see payment if I were stupid enough to ship the item.

I’m about to list a rather expensive router on eBay and if I have any experiences similar to those of Mr. Schneier and the other gentleman, I’ll post details here.

It appears, though, that unless you’re selling low value or garage sale class items, the watchwords are: “Caveat venditor” (let the seller beware).


Jun 30 2009   1:32AM GMT

Accused Spam King Alan Ralsky Pleads Guilty



Posted by: Ken Harthun
Cybercrime, Botnet, E-mail scam, spam, Scam

Once again, I’m behind on the news. This Security Fix report is almost a week old:

Alan Ralsky, a 64-year-old Michigan man that federal investigators say was among the world’s top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.

Ralsky … and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act.

Under the terms of his plea agreement, Ralsky faces a federal prison sentence of 87 months and a fine of $1 million. He allegedly earned up to $3 million on the Chinese penny stock scam that he promoted using junk mail sent out by various botnets. It’s interesting that the plea agreement doesn’t call for the forfeiture of his profits. So, he’ll spend his time in a minimum-security “camp” at taxpayer expense and probably get released well before his full sentence is up, all the while earning interest on the money he has squirreled away somewhere.

BTW, my apologies for being lax in keeping this blog up to date. I do have an excuse: I tore ligaments in my left hip and have been unable to sit, stand or lie down for the better part of two weeks.  Look for a more regular posting schedule next month.


Jun 29 2009   7:01PM GMT

Spam, Phishing, and Malware Related to Recent Celebrity Deaths



Posted by: Ken Harthun
Cybercrime, Identity Theft, E-mail scam, Phishing, Social Engineering, Malware, Scam

Michael Jackson malware? Farrah Fawcett phishing attempts? Billy Mays spam? Ed McMahon notifies you—from the other side of the grave–that you’ve just won the million-dollar Publisher’s Clearinghouse (but you have to send him some money, first)? Yes, expect it. US-CERT is monitoring reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths. Here’s a typical example:

To: <redacted>
Subject: Confidential===Michael Jackson
Date: Thu, 25 Jun 2009 19:25:50 -0400

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secrective to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us.

Notice the blatant misspellings, lack of punctuation and obvious grammatical mistakes from someone who is clearly not a native English-speaking person. If you get this email, delete it immediately. Same with anything related to any of the other celebrities’ deaths.

They’re all from scammers (criminals) either trying to steal your money, your identity or both.


Apr 30 2009   1:21AM GMT

Swine Flu Breeds Spam



Posted by: Ken Harthun
E-mail scam, Email security, spam, Security, Scam

As usually happens with major disaster events—in this case the impending Swine Flu pandemic—email scammers are busy perpetrating pharmaceutical and other types of scams. In some cases, they’re using celebrity names to grab attention. Spam is hitting inboxes with various subjects. The following list, compiled by McAfee and posted on the McAfee Avert Labs Blog, shows some of the subject lines they’ve seen:

* First US swine flu victims!
* US swine flu statistics
* Salma Hayek caught swine flu!
* Swine flu worldwide!
* Swine flu in Hollywood!
* Swine flu in USA
* Madonna caught swine flu!

They also report a 30x increase in the number of domain name registrations mentioning “swine.” It’s a good bet that many of those names will be used by scammers.

I’ve alerted my clients to this latest wave and sent reminders to everyone that should they receive any such emails, they should immediately delete them. That’s good advice to pass along.


Apr 15 2009   12:31AM GMT

Beware U.S. Tax Phishing Scams



Posted by: Ken Harthun
Email security, E-mail scam, Scam, IRS Phishing, Tax scam

It’s tax time in the U.S. and with that generally comes an increase in the number of phishing scams directed at taxpayers. The IRS, whether we like them or not, has an excellent anti-scam/anti-phishing web site. One key thing to remember is that the IRS does not initiate taxpayer communications through e-mail. Here’s an excerpt from their site:

The IRS does not initiate taxpayer communications through e-mail.

* The IRS does not request detailed personal information through e-mail.
* The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,

* Do not reply.
* Do not open any attachments. Attachments may contain malicious code that will infect your computer.
* Do not click on any links…

Additional information is provided by the IRS in a recent press release:

Beware of IRS’ 2009 “Dirty Dozen” Tax Scams

IR-2009-41, April 13, 2009

WASHINGTON — The Internal Revenue Service today issued its 2009 “dirty dozen” list of tax scams, including schemes involving phishing, hiding income offshore and false claims for refunds….

The IRS urges taxpayers to avoid these common schemes:

Phishing

Phishing is a tactic used by Internet-based scam artists to trick unsuspecting victims into revealing personal or financial information. The criminals use the information to steal the victim’s identity, access bank accounts, run up credit card charges or apply for loans in the victim’s name.

Phishing scams often take the form of an e-mail that appears to come from a legitimate source, including the IRS. The IRS never initiates unsolicited e-mail contact with taxpayers about their tax issues. Taxpayers who receive unsolicited e-mails that claim to be from the IRS can forward the message to phishing@irs.gov. Further instructions are available at IRS.gov. To date, taxpayers have forwarded scam e-mails reflecting thousands of confirmed IRS phishing sites. If you believe you have been the target of an identity thief, information is available at IRS.gov.

I highly recommend you visit the IRS site and heed their excellent advice: How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites


Oct 17 2008   1:26AM GMT

Beware of E-Mail Scam Targeting Microsoft Customers



Posted by: Ken Harthun
Security, spam, email, Email security, Trojan, E-mail scam

The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.

Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.

By the way, Consumer Reports has an Online Security Guide posted on their website. It’s well worth looking at and certainly good for your non-savvy users as it’s written for, well, consumers.