So why would a bricks and mortar company like McColo be involved with something as nasty and toxic as hosting spammers and malware / scareware companies?

In a word ‘MONEY’ – yes cold hard cash and lots of it. According to the dedicated hosting package page on McColo’s site they charge up to $2000 per month for a single server. This is chump change though compared to the graft and ‘other charges’ that could be possible to someone who was willing to host for a purveyor of malware.

One of the malware / Scare ware hosted on servers at McColo is the ‘Spyware XP 2008/2009’ – a nasty piece of work that claims your computer is infected with 1000’s of ‘bad things’ and that you really Really REALLY need to purchase SpyWare 200x RIGHT NOW to clean up your computer. The scan this software performs is bogus and when you purchase the software online your actually sending your money to the people that infected your computer in the first place.

As demonstrated by Joe Stewart this scam installed 154,825 versions of the software in just 10 days, and then 2,772 copies of the program were later purchased from those infected users. Based on that conversion rate,  it  is estimated  that an affiliate could expect to earn over $5 million annually by maintaining a botnet large enough to force between 10,000 and 20,000 installations on a daily basis.

Another report shows that spam is profitable at a 1 click per 12,000,000 spam’s sent.  With these statistics the Storm-generated pharmaceutical spam would produce roughly $3.5 million dollars of revenue a year,” the team concluded.

Like I said – MONEY and lots of it. If you were the owner of McColo and someone came to you with the above ‘business plan’ what would you say? Sadly there are those who would take the money first and ask questions later.

Take away points from this recent anti-spam ‘win’?

If there is collaboration between the ‘good guy’s’ we can make things harder for the ‘bad guy’s’. Will this result in a permanent decline in spam? Probably not – with that much money possible do you think the scammers / spammers are going to lie down and play dead? Not likely. Expect business as usual in the next few weeks as we enter the profitable and spam lucrative ‘holiday season’

To learn more:

• http://voices.washingtonpost.com/securityfix/2008/11/study_spam_still_profitable_at.html
• http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html
• http://news.cnet.com/8301-10789_3-10086352-57.html

- Spam Cryer

SPAM, PHISHING & ONLINE SCAMS

–US Financial Crisis Ripe Pickings for Scammers

(October 2, 2008)

The mergers and acquisitions of banks resulting from the US financial crisis have provided new opportunities for online scam artists. Attacks have been seen in which the customers of a bank are asked to provide account information and other personal details to the bank’s new owner for verification purposes.  Banks would not ask for such information online; it would be done through paper mail.

http://news.cnet.com/8301-1009_3-10057180-83.html?part=rss&subj=news&tag=2547-1009_3-0-20s

Never supply personal or banking information to someone who asks for it on the Internet or if they call you as both the e-mail address and the caller ID information can be spoofed making you believe you are talking to your friendly neighborhood banker when in actual fact you are talking to a scam artist half the world away. I have a stock phrase memorized that everyone in my family is getting very good at using when someone claiming to be from a bank or financial institution calls. ‘We have a personal policy to never talk to anyone who calls us about <Banking or Credit Cards or Cell Phones or Survey’s etc> and if we want to discuss our options we will go to the local branch where we have a personal relationship with our representative – thank you and please put us on your do-not-call list’.

You should have a similar policy in regard to online survey’s and any request for personal information that comes to you unsolicited.

- The Spam Cryer

Here are some other Blog articles regarding Online Banking Scams:

What I mean is that the Spammers have reportedly broken the tools deployed by the online giants Google and Microsoft to stop spammers from trading on the good name (and thus reputation) of the large farms of mail servers hosted by these two companies.

They have to have 100’s if not 1,000’s of mail servers under their control to be able to offer the gmail and live e-mail experience to their customers and you can almost hear the splash of saliva hitting the floor as the spammers work hard to get access to all this e-mail delivery power.

These two Internet Giants had issues a while ago with spammers breaking the CAPTCA technology using automatic Optical Character Recognition (OCR) or farming it out to real humans so they had implemented additional controls in the ongoing escalation on the war on spam.

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are those images with the distorted or obscured letters that computers are not so good at figuring out but which are a snap for a human.

As long as there is an economic incentive to send spam the spammers will have the money to either research better tools to recognize the images or will just farm it out to real people who are willing to work for a few cents per image or even for free if you make it part of a game or required to sign up for something people want like a ‘free’ ring-tone of the latest band.

More details on the Register’s website.

http://www.theregister.co.uk/2008/10/03/captcha_break/

- The Spam Cryer

Here are some more Blog articles on CAPTCHA Spam:

Commtouch Anti-Spam Cartoon

John never knew how many friends he had…until he opened the door to a truckload of spam. A short, funny movie about Commtouch RPD technology.

SonicWALL Anti-Spam Desktop

Tired of getting loads of spam and phishing emails in your Inbox? SonicWALL has a powerful, yet easy-to-use solution that can help. It’s called SonicWALL Anti-Spam Desktop and it works with Outlook and Outlook Express on your PC. Join Big Al as he provides an overview of this great desktop solution that protects you against spam and phishing emails.

Gmail Theater Act 1

Gmail Theater Act 1: Attack of the Spam

Gmail’s great spam protection in action…puppet action, that is. Learn more at http://www.gmail.com .

This makes sense as some names are more popular and thus easier for the spammers to guess. I happen to know lots of people – 10+ with the first name ‘Scott’ (one is my brother) but none that have the first name Zeus. There is an interesting graph in the PDF on page 2 that shows both the amount of spam and ham and then the ratio between them for different letters of the alphabet. What does your e-mail address start with?

This only reinforces what I have felt all along that some people are more popular spam targets than others.

http://www.lightbluetouchpaper.org/2008/08/25/zebras-and-aardvarks/

- Shaun

Here are some more articles on the study (including the original):

–Dutch Police Notify Users Infected with Bot Malware

(August 8, 2008)

Dutch police have notified people whose computers were infected with malware that made them part of a botnet comprising more than 100,000 PCs.  People were redirected to a web page containing directions on disabling the malware and a link to an online virus scanner. The police were able to automatically forward the infected users to the help page because they have taken control of the botnet. A 19-year old man was arrested last week when he tried to sell the botnet to someone in Brazil for GBP 25,000 (US $47,839).

You can view the whole article by going to:

www.computerworlduk.com/management/security/cybercrime/news/index.cfm?NewsId=10427

While the computers comprising a botnet are typically left infected but without direction when the bot herder is caught, the action by the Dutch Police in this case is an interesting turn of events.

My question to you is if your PC was infected and there was a way to inform you about it would you like to be informed – even if it was the tool used to infect your pc that was used to inform you?

- Shaun

P.S. If you’re interested in reading what other people are saying about this around the “Blogosphere” feel free to read the following blog posts:

With this in mind Watchguard released some nice video tutorials about network security that are entertaining and have some excellent ideas worth showing your average user.

Similar in style to the French children books “Martine” (You know “Martine goes to the market“, “Martine visit her friends“, etc), we follow the adventures of Bud, a typical user of online services.

In “Bud Has Mail” watch how Bud learns how to handle his e-mail more safely.

Click to watch the video

In “Bud Logs In” watch how Bud learns how to manage his network passwords!

Click to watch the video

Enjoy!

- Shaun

Eddie Davidson fugitive Spammer in Murder-Suicide.

• www.theregister.co.uk/2008/07/25/fugitive_spammer_slays_family/

Soloway given 47 month prison term.

• www.theregister.co.uk/2008/07/23/soloway_sentenced/

- Shaun

New Storm Worm Activity Spreading

Original release date: July 29, 2008 at 9:41 am Last revised: July 29, 2008 at 9:41 am

US-CERT is aware of public reports of a new Storm Worm Campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link, that when clicked, may run the executable file “fbi_facebook.exe” to infect the user’s system with malicious code.

Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.

• F.B.I. may strike Facebook
• F.B.I. watching us
• The FBI’s plan to “profile” Facebook
• The FBI has a new way of tracking Facebook
• F.B.I. are spying on your Facebook profiles
• F.B.I. busts alleged Facebook
• Get Facebook’s F.B.I. Files
• Facebook’s F.B.I. ties
• F.B.I. watching you

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Relevant Url(s):

• www.us-cert.gov/cas/tips/ST04-014.html
• www.sophos.com/security/blog/2008/07/1599.html
• www.us-cert.gov/reading_room/emailscams_0905.pdf

====
This entry is available at:

• www.us-cert.gov/current/index.html#new_storm_worm_activity_spreading

[tag]US-CERT[/tag] has sent the following bulletin warning everyone that Spammers and Hackers are at it again with the “[tag]Storm Worm[/tag]” and this time they’re using news of a fictitious US war with Iran to get you to open their email.

Careful out there!

- The Spam Cryer

Original release date: July 9, 2008 at 8:48 am Last revised: July 9, 2008 at 8:48 am

US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East.

This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user’s system with malicious code.

• A video that, when opened, may run the executable file “iran_occupation.exe.”
• A banner add that, when clicked, may run the executable file “form.exe.”
• A hidden iframe linked to “ind.php.”

Reports, including a posting by Sophos, indicate that the following subject lines are being used. Please note that subject lines can change at any time.

• 20000 US soldiers in Iran
• Iran USA conflict developed into war
• More than 10000 Iranians were murdered
• Negotiations between USA and Iran ended in War
• Occupation of Iran
• Plans for Iran attack began
• The Iran’s Leader Mahmoud Ahmadinejad declared Jihad to USA
• The World War III has already begun
• The begining of The World War III
• The military operation in Iran has begun
• The secret war against Iran
• Third War in Iran
• Third World War has begun
• US Army crossed Iran’s borders
• US Army invaded Iran
• US army is about 20 kilometers from Tegeran
• US soldiers occupied Iran
• USA attacked Iran
• USA declares war on Iran
• USA occupeid Iran
• USA unleashed war on Iran
• War between USA&Iran
• War with Iran is the reality now
• Washington prefers to shoot first

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.sophos.com/security/blog/2008/07/1569.html

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading