spam

Panda Security Finds Automotive Industry Hit Hardest by Spam

Interesting study. It seems that spam content received is constant across all industries and the majority of it is pharmaceutical related. This could mean one of two things: either very few spammers are responsible (likely); or, a lot of men fall for the v-i-AGR*A spam. Anyway, check it out:

Panda Security has just completed a 3-month long study of spam across 11 different industries, exposing that automotive industry is most heavily targeted. The study found that 99.89 percent of all e-mail received by the automotive industry is spam, with just .11 percent being legitimate messages. The automotive industry was closely followed by the electronics industry and governmental sector as the top spam targets.

When analyzing the survey, Panda found it particularly interesting that while industries are targeted in different ratios, the content of the spam they receive (the majority of which is pharmaceutical related) is constant across all industries.

View the full press release online here: http://www.pandasecurity.com/usa/homeusers/media/press-releases/viewnews?noticia=9906

Panda has posted a breakdown of how each industry is affected to its Flickr page:  http://www.flickr.com/photos/panda_security/4026424134/

“Of Course, I Never Reply to Spam – Except Sometimes”

Sounds funny, doesn’t it?  But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.‘” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:

This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats.  The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?”  It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.

One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.

What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.

The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.

Fellow security professionals, we have our work cut out for us.

Accused Spam King Alan Ralsky Pleads Guilty

Once again, I’m behind on the news. This Security Fix report is almost a week old:

Alan Ralsky, a 64-year-old Michigan man that federal investigators say was among the world’s top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.

Ralsky … and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act.

Under the terms of his plea agreement, Ralsky faces a federal prison sentence of 87 months and a fine of $1 million. He allegedly earned up to $3 million on the Chinese penny stock scam that he promoted using junk mail sent out by various botnets. It’s interesting that the plea agreement doesn’t call for the forfeiture of his profits. So, he’ll spend his time in a minimum-security “camp” at taxpayer expense and, probably get released well before his full sentence is up the while earning interest on the money he has squirreled away somewhere.

BTW, my apologies for being lax in keeping this blog up to date. I do have an excuse: I tore ligaments in my left hip and have been unable to sit, stand or lie down for the better part of two weeks.  Look for a more regular posting schedule next month.

Real Spam Statistics

Depending on whose reports you view, spam accounts for from 85 to 95 percent of all emails sent. This may hold true over the Internet at large, but as with any other statistical data, there are local and regional variations. My own inbox is an exception to the general rule; I get far more legitimate emails than spam.

The company I work for provides spam filtering for several SMBs, so I have to hand real data that I can evaluate. Based on last week’s numbers, we processed nearly 100,000 messages in our filters. Of those messages, nearly 70,000–70%–were spam; nearly 30,000–30%–were accepted as legitimate. Our data has its own wild variations: one set is very low with only 18% spam; another set reaches a high of 92% spam.

I’m not a statistician, but it’s easy for me to see how big a problem spam has become. I’m not ready to say email is dead as a business communication medium, but it certainly needs an overhaul.

Swine Flu Breeds Spam

As usually happens with major disaster events—in this case the impending Swine Flu pandemic—email scammers are busy perpetrating pharmaceutical and other types of scams. In some cases, they’re using celebrity names to grab attention. Spam is hitting inboxes with various subjects. The following list, compiled by McAfee and posted on the McAfee Avert Labs Blog, shows some of the subject lines they’ve seen:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

They also report a 30x increase in the number of domain name registrations mentioning “swine.” It’s a good bet that many of those names will be used by scammers.

I’ve alerted my clients to this latest wave and sent reminders to everyone that should they receive any such emails, they should immediately delete them. That’s good advice to pass along.

Beware of E-Mail Scam Targeting Microsoft Customers

The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.

Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.

By the way, Consumer Reports has an Online Security Guide posted on their website. It’s well worth looking at and certainly good for your non-savvy users as it’s written for, well, consumers.

Software for Secure Computing: Trend Micro’s RUBotted

I stumbled across this nifty free tool when running an online scan at Trend Micro’s HouseCall site. Botnets are a big problem, accounting for most of the spam on the Internet, not to mention their use in stealing financial information and launching denial-of-service (DoS) attacks. RUBotted (Beta) “…monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” Note that this tool doesn’t clean anything–you still have to use antivirus software. Alternatively, you can take advantage of one of the many online malware scanners.

The tool runs on Windows 2000, Windows XP Home and Professional, Windows 2003 Server, and Windows Vista (32-bit only), providing the latest service packs are installed. There’s one caveat, however:  Trend says, “RUBotted cannot protect computers running Panda Internet Security 2008.”

I hope that this effort by Trend starts a trend (pun intended) of vendors providing similar secure computing software, perhaps incorporating bot removal tools to boot. We’ll see.

Oscarbot.UG Eludes Detection with Intelligent Stealth

According to Panda Security, the Oscarbot.UG virus, first detected on August 17, 2008, uses intelligent stealth techniques to avoid detection.  “It deletes the original file from which it was run once it is installed on the computer. It uses several methods in order to avoid detection by antivirus companies [one of them being that it] terminates its own execution if it detects that it is being executed in a virtual machine environment, such as VMWare or VirtualPC.”

As reported by Help Net Security, the worm “stops running if it finds that it is being tried on virtual machines such as vmware, a sandbox or in a honeypot (these tools are often used to check in a controlled environment if an executable file is running malicious commands).

The good news is that anyone running a virtual environment is safe from infection: The worm won’t run and when you shut down the virtual machine, it’s gone. The bad news is that malware using this type of intelligent stealth is on the rise, raising the bar for anti-malware researchers.

At what point do we switch from a reactive anti-malware approach (blacklisting) to a pro-active one (whitelisting)? The day is fast approaching (it may already be here) when the programs designed to protect us become so huge and so invasive that they prevent us from getting any useful work done.

The best way to combat malware would be to take the profit out of spam, phishing scams, and other cyber-fraud crimes.

I don’t have the answer for that one.

The Best Way to Avoid Spam

In the 1986 hit movie, The Karate Kid - Part II, the kid’s instructor, Mr. Miyagi, uttered this famous line: “Best way to avoid punch, no be there!” Good advice, indeed; it’s one of those universal pieces of truth that’s so obvious, it’s overlooked. The beauty of it is that it can be applied to anything. In this case, I’ll apply it to spam email, the electronic equivalent of a punch: “Best way to avoid spam, no have email address!”

That’s not exactly practical; we all have an email address. Some of us have several of them (at last count, I have at least nine addresses and I’m sure I’ve missed a couple somewhere). In my final installment of the “How to Secure Your Computer” series, “If Spam has You Irate, Obfuscate!” I gave examples of how you can make your email address unreadable by web bots. Well, that can be a bit of work, forcing you to cut and paste, and make other efforts that can quickly become tedious. There’s an easier way.

Enter Mailinator, the completely anonymous email address that you create on-the-fly when you need to enter an email address but don’t want to use your real one. From their site:

How do I create an account at Mailinator? It’s simple, you just send email to it. Temporary accounts are created when email arrives for them. First, you give out the mailinator email address you created, and then you check it. It’s that simple.

Do I have to sign up? No sign-up, you don’t even have to tell Mailinator you’re coming.

It’s a valid, working email address that you can check just by visiting the site. Of course, anyone can check it just by entering the address in the “Check your inbox” box. Not the best of situations, so they fixed it by providing alternate inbox names . In a nutshell, you use the alternate inbox name for your email address when you post it publicly. Anyone who enters the alternate inbox name will simply get a “no messages” message. Pretty slick.

The beauty of Mailinator is that it provides a valid email address; you can download stuff from and subscribe to those sites that require clicking links in confirmation emails without having to worry about exposing yourself to spam. Use the alternate inbox name or even a different email address every time you need one.

Best way to avoid spam, no have email address — or at least use one you can throw away at will. Either way, you avoid the punch and the security risk.

Nine Steps to System Security - 2008

It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.

CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.

In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, “Seven Steps to System Security - 2004″ , and “Eight Steps to System Security – 2005“, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published the last guide, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for rest of these steps to be truly effective.

Did I mention these things are proven? They are. These are practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:

1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind - NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes - ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
2. Although Internet Explorer 7.0 has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, - especially Microsoft Office - not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall - it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) While Vista’s firewall does offer outbound filtering, it isn’t much better (see this article for more information). My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus.
6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend: a. Spyware Blaster. This free program blocks adware and spyware from installing in the first place and is frequently updated; b. Ad-Aware. Scan weekly, more frequently if you are a heavy surfer; c. Spybot S&D. Run it on the same schedule as Ad-Aware; d. Microsoft’s Windows Defender is an excellent product and is installed by default in Windows Vista. Configure it for real time protection and automatic updates. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications. There are free and paid versions that work with Outlook, Outlook Express. My clients swear by it. Another good program is Sunbelt Software’s iHate Spam.
8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system - they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.

While total immunity is impossible - new infections and variations on existing exploits appear daily - these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent - or if you are already badly infected - you’ll need to hire a geek like me.