
Sunday, December 14, 2008

Most Internet Scams Start with Spam

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too-good-to-be-true, or sometimes scary, e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems," according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, e-mails about the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which, as part of a botnet, is used to send out even more spam.

While we haven't seen the holiday season pass, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax season phishing scheme mentioned in the Symantec Report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due to them. The link in these e-mails went to fake IRS site(s), complete with official logos, designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding, they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Fear, or scaring a victim into submitting to a scam, is nothing new. In fact, some of it is now being referred to as Scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. It then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded on a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays on this form of extortion might have their method of payment stolen, also. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good state of the art software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a rather ominous report stating that the number of crimeware-spreading URLs is at an all-time high. Crimeware is another name for malware when it has a pure criminal intent.

To close this post, I'll point to an amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

Sunday, May 20, 2007

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

Not so long ago, I did a post about how the federal government was phishing their own employees.

It didn’t surprise me that many of the phish took the bait pretty easily. It would just mean that the federal employees who were phished are no different from the general population on the Internet.

After all, there wouldn’t be so much phishing, if it didn’t work.

Apparently, the practice is catching on and Amy Joyce of the Washington Post did an interesting article about why the idea might be a good one.

The article quotes James MacDougall (South Carolina’s computer security guru) as saying:


"You can spend all the money on the technology you want," MacDougall said. "But if the end users are doing dangerous behavior, there is almost no cure for that."


Mr. MacDougall has hit an important point right on the head and phishing tends to set new records, every time the Anti Phishing Working Group issues their monthly report. Their most recent report (April) indicates that not only did the number of phishing sites set a new record, but their numbers more than doubled over the previous month (March).

Spam filters designed to stop phishy e-mails seem to be under major attack, and haven't been very effective in the recent past, either.

Maybe, we are spending too much money on technology to solve the problem rather than using some good old fashioned common sense?

One of the reasons technology tends to be defeated, or used by criminals, is that it is too easily compromised by human beings. Most financial scams rely on the greed factor, or getting people to fall for something that's too good to be true.

It doesn’t take a genius to buy DIY (do it yourself) crime kits, which are readily available over the Internet, and commit what some might consider, sophisticated criminal activity.

Relying on technology to protect us without human oversight is a big mistake, and this holds true, for more than financial crimes.

Government and private systems are attacked all the time for their information.

Technology is a wonderful tool and makes things easier, but it has limitations. Instead of throwing all of our resources into technology, which seems to have a limited life span, maybe we need to focus more on the human factors that put us at risk, daily.

Thought provoking story by Amy Joyce, here.

Tuesday, December 12, 2006

Another Record Set for Phishing and it appears Anti-Phishing Measures are being Defeated

Brian Krebs of the Washington Post did an interesting post on his blog about how phishing is increasing (again) and how anti-phishing measures (some recently marketed to users) are failing already.

Brian writes:

The Anti-Phishing Working Group reports that 52 percent more phishing sites were recorded on the Internet than a month earlier and nine times as many as were spotted in October 2005. The steep increase coincides with a massive spike in the volume of spam circulating on the Internet. According to e-mail security firm Postini, 90 percent of all e-mail these days is spam.

Brian's post, here.

Also mentioned is "Rockphishing," which takes advantage of zombie computers formed into botnets. The result is that it is making phishing extremely hard to trace.

Brian did an excellent job in his post - and I highly recommend reading it.

I wrote recently about how technology isn't winning the war against cybercrime. It seems like a lot of expensive anti-phishing software is proving this all over again.

Maybe a better approach would be to follow the money instead? After all - I'm pretty sure that is what the cybercriminals are really after.

Tuesday, October 24, 2006

The State of Crimeware on the Internet

"Crimeware," according to Wikipedia, was a term coined by Peter Cassidy of the Anti-Phishing Working Group as a "type of computer program or suite of computer programs that are designed specifically to automate financial crime."

Last week, the US Department of Homeland Security, SRI International Identity Theft Technology Council and the Anti-Phishing Working Group issued a pretty telling report about how crimeware is being used to commit financial crimes and identity theft.

From the executive summary, here is how crimeware is used by Internet criminals:

Crimeware is software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software.

Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via many mechanisms, including:

  • Social engineering attacks convincing users to open a malicious email attachment containing crimeware;
  • Injection of crimeware into legitimate web sites via content injection attacks such as cross-site scripting;
  • Exploiting security vulnerabilities through worms and other attacks on security flaws in operating systems, browsers, and other commonly installed software; and
  • Insertion of crimeware into downloadable software that otherwise performs a desirable function.

Full report, here.

Recently, we've read about organized crime groups employing "highly technical personnel" and carder rooms - where financial information is bought and sold.

A recent USA Today story about "carder forums" quoted the following statistics:

$67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.

$8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.

93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.

26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.

Crimeware and the Internet are fueling the identity theft problem - which in turn could threaten the stability of our financial systems. Some even say it might be a national security issue, also.

In the rapidly changing world of technology, laws have failed to keep pace. Perhaps with the upcoming elections, it's time for all of us to examine what our political representatives are doing about this problem.

We might find that we all have a common interest on this issue!

Wednesday, September 06, 2006

Do It Yourself Crime Kits Victimize the Masses

It appears that phishing attempts have hit an all time record thanks to the availability of "do it yourself kits" available on the Internet.

Phishing is a leading cause of identity theft, which impacts millions of people a year.

Dinah Greek, Computeract!ve reports:

This was the warning from the Anti Phishing Working Group (APWG), which said the kits allow non-technical criminals to start up their own online criminal empires.

All the information they need to set up phishing emails or websites infected with malware, such as Trojans, viruses and worms, is contained in the kits bought and sold online.

Full story, here.

Do it yourself (crimeware) kits aren't entirely new and have been reported before, here.

We keep hearing about the record number of phishing attempts being recorded. Unless some of these people start getting caught - we are likely to see the number continue to grow!

And the criminal "do it yourself industry" doesn't limit itself to phishing. Kits on how to scam on auction sites are also being sold (previous post), here.

Thursday, June 29, 2006

And Just When We Thought the IRS Phishing Scams Were Gone for the Year

All during tax season, we saw warnings about phishing attempts using the name of the IRS. April 15th has come and gone, but the "phishermen" are still using the IRS name to lure victims.

For those unfamiliar with phishing, it normally starts with a lure - such as a refund from the IRS - in the form of an e-mail directing you to "click" on a site. The site (which is also fake) then directs you to give up all sorts of personal information, which the "phishermen" use to commit "identity theft." In more sophisticated schemes - even going on the site - can lead to all sorts of cybernasties (crimeware) being injected into your system. The crimeware allows them to track your information on a more "permanent" basis.

Phishing is on the rise and according to the APWG (Anti Phishing Working Group), May set an all-time record for phishing attempts.

Here is an interesting story from KUTV in Salt Lake City:

Tax season is over but some people are still getting notifications that they have a refund coming from the IRS. There are all types of so-called phishing schemes out there. And we found a new one today. Here is what the email looks like: Click Here.

It claims to be from the internal revenue service. It says you have a refund coming, just go to a website and fill out the refund request. And look at this: Click Here.

For the full story from KUTV: Click Here.

If you spot one of these attempts, you can forward it to the good folks at PIRT (Phishing Incident Reporting and Termination Squad) - who will take action to shut the bad guys down.

And last, but not least, you can call the IRS directly at 800-829-1040 to verify any communications, or e-mail the "suspected" phish to phishing@irs.gov. The IRS also has some pretty good information on their website on how to avoid falling for scams involving your taxes.

You can also report the activity to the APWG, which is mentioned above.