Australian outfit BTC Corporation is hoping that there's still enough punters wanting in on the Bitcoin goldrush to sustain a mining-as-a-service business.…
Security vendor FireEye has bought network forensics firm nPulse Technologies in a $70m deal.…
Internet armpit 4chan now has a bug bounty – although with just $20 in "self-serve ad spend" on the website or an annual membership up for grabs, it's not particularly bountiful.…
MI5 has warned that foreign spy agencies are targeting IT workers within big organisations as a means of gaining privileged access to sensitive data.…
Hey, Linux fans: a high-profile, colossal, global outfit is about to dump a proprietary operating system and replace it with Linux in a very, very, demanding application that literally involves life and death situations.…
The glacial pace of the worldwide IPv6 rollout might cause hand-wringing among 'net boffins, but at least it's leaving time for engineers to pry around for possible problems before the whole world's on the protocol.…
Fraudsters have nicked $50,000 from a Broome Real Estate business after breaking into the agency's ANZ Bank account and altering payment details.…
Dropbox has restored sharing services after patching a flaw that allowed attackers to access shared files under specific conditions.…
Web thieves may get more than they bargained for if tech pros follow the lead of one researcher – who demonstrated how to hack the systems remote-controlling the infamous ZeuS crime bot in 60 seconds.…
We’ve recently seen the return of an email spam campaign featuring fake Amazon.com notifications. It appeared in the Holiday shopping season last year, coming from disposable domains, and is now back, apparently coming from compromised domains in the UK. Here’s an example:
Of course, the attachment contains a malicious trojan that allows remote access to Windows systems. It’s not a particularly convincing fake. For instance, real Amazon notifications are not addressed to multiple recipients, and an order placed in February would usually have been delivered long before May 1st. What’s more, the From email address is actually a compromised domain which has nothing to do with Amazon, and the design and wording are not at all like a genuine Amazon notification. Here’s the real thing:
The book is a good read, by the way!
In spite of the obvious problems with this message, it is convincing a large number of users. Though Cloudmark is flagging these messages as spam, we have received many hundreds of reports from trusted users who have taken the message out of their spam folder. We hope that once they try to download the attachment their anti-virus program will let them know they have been fooled, but this is not guaranteed. According to the invaluable VirusTotal.com, only 28 out of 52 anti-virus packages currently recognize this threat, and one of the ones to miss it is one of the most popular AV packages on the market.
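The tells listed above (a From address on a domain unrelated to Amazon, a message addressed to several recipients, an order date months before the notification, and an attachment the real thing never carries) can be checked mechanically. The following is an added example written for this post, not Cloudmark's filter or Amazon's own code; the two messages it parses are constructed for illustration, the trusted-domain set and the 60-day staleness threshold are assumptions, and the header From check is only a heuristic, since real verification of the sending domain is what SPF/DKIM/DMARC are for.

```python
"""Flag the Amazon-notification tells described above (added example, constructed data)."""
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

TRUSTED_SENDER_DOMAINS = {"amazon.com"}            # assumption: domains Amazon actually sends from
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs"}
STALE_ORDER_DAYS = 60                              # assumption: an order older than this is suspect

# Constructed sample resembling the forgery described in the post (not a real message).
SAMPLE_PHISH = """From: "Amazon.com" <orders@compromised-site.example.co.uk>
To: alice@example.net, bob@example.net, carol@example.net
Date: Thu, 01 May 2014 09:12:00 +0000
Subject: Your Amazon.com order has shipped
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your order placed on February 3, 2014 has been dispatched. See the attached invoice.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_amazon.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample resembling a genuine notification: one recipient, trusted domain, no attachment.
SAMPLE_LEGIT = """From: "Amazon.com" <auto-confirm@amazon.com>
To: alice@example.net
Date: Thu, 01 May 2014 09:12:00 +0000
Subject: Your Amazon.com order has shipped
Content-Type: text/plain

Your order placed on April 29, 2014 has shipped.
"""


def phishing_indicators(raw: str) -> list[str]:
    """Return the list of tells found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    tells = []

    # 1. The header From domain is not one the brand sends from.
    display_name, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in TRUSTED_SENDER_DOMAINS:
        tells.append("from-domain-mismatch")
        if "amazon" in display_name.lower():
            tells.append("display-name-spoof")   # brand name in the display name only

    # 2. Real order notifications go to one customer, not a list.
    headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    if len(getaddresses(headers)) > 1:
        tells.append("multiple-recipients")

    # 3. Any attachment with an executable or archive extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            tells.append("risky-attachment")
            break

    # 4. An order date far older than the message date (the February/May mismatch above).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    m = re.search(r"placed on ([A-Z][a-z]+ \d{1,2}, \d{4})", text)
    if m and msg["Date"]:
        order_date = datetime.strptime(m.group(1), "%B %d, %Y").replace(tzinfo=timezone.utc)
        sent = parsedate_to_datetime(str(msg["Date"]))
        if (sent - order_date).days > STALE_ORDER_DAYS:
            tells.append("stale-order-date")
    return tells


if __name__ == "__main__":
    print("forgery:", phishing_indicators(SAMPLE_PHISH))
    print("genuine:", phishing_indicators(SAMPLE_LEGIT))
```

None of these checks is decisive on its own; a mail filter would score them together and, as the post notes, the only reliable test of the sending domain is authentication of the message rather than inspection of the From header.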
Like many families, mine shares an Amazon.com account (because Prime) so when I see an Amazon notification I will look at it to see what is going on my credit card. Of course, I wouldn’t open an unsolicited attachment for all the gold in Nigeria, but unfortunately many people are not so cautious, so even an inept forgery like this one can be used to spread malware. Here are some tips for avoiding malware and phishing:
At the end of last year when we looked at our Messaging Security Predictions for 2014, one of the threats we thought we might see is malware on mobile devices devoted to Bitcoin mining.
We may have to wait until the end of 2014 to see if our other predictions come true, but this one was validated last week. A recent blog post by Lookout describes malicious Google Play apps that advertise themselves as innocuous wallpaper apps but mine for Bitcoins in the background.
One nice thing about the malware is that it won’t completely drain your battery. Lookout says:
“In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and the phone [has] network connectivity.”
So if your phone’s battery is dead, you can’t entirely blame it on that Epic Smoke Live Wallpaper app you installed last week.
In the past two weeks it’s quite possible that you received spam apparently from a friend’s AOL account, saying something like “Have a nice day” or “People say it really works” and then a link to what looks like a news magazine web site talking about diet pills. Here’s one of several that I received. Note the completely bogus footer saying that the message was scanned by Avast. That was inserted by the spammer to make it appear safer to click on the link.
The call to action links are actually on compromised web servers, but they redirect to a series of disposable domains. Currently many of these have the form com-XXXX.net, so we call this operation “the Com Spammers”. However, it is not a single organization. The initial redirection adds an affiliate ID as a parameter to the URL, and this is preserved via parameters or cookies right through to the final purchase. What’s more, different affiliate IDs correspond to different techniques used in sending spam, spam content, and call to action URLs.
There are also two or three different groups involved in monetization of this spam, which we believe are independent of the spammers (the people sending the messages) and landing page provider. The Com Spammers currently have three forms of monetization – diet pills, miracle skin cream, and a pernicious work from home scam that involves extracting larger and larger payments for training and services based on the promise of future riches. Similarly, if you order the diet pills, you will find yourself signed up for a monthly purchase on your credit card which is very hard to cancel. We estimate that the revenue generated by this group is millions of dollars a year. They are spending fifty to a hundred thousand dollars a year in domain registrations alone.
The advantage to a spam operation, of having multiple affiliates sending spam, is that a number of different techniques are used, and that if any one of them gets blocked, the others still operate and generate income for the landing page provider and monetizers. For instance, one affiliate may be using compromised domains as call to action URLs, another may be using URL shorteners, and another may be using disposable domains directly. We have seen members of this group spamming in SMS and on social media as well as traditional email spam. In 2012 one affiliate was data mining a major social network to obtain phone numbers and first names to send customized SMS spam. An SMS message addressed to you by name is more likely to get you to follow the link, just as a email apparently from a friend is more convincing than random spam.
It appears that recently one or more of the Com Spammers affiliates got access to information on a number of AOL accounts, including the contents of their address books. Starting about two weeks ago they started sending a high volume of spam, with the From: address of the compromised account and the recipients from that person’s address book. However, they did not have the passwords to those accounts, so they could not use AOL to send the spam. Instead they forged the headers so that the message appeared to come from AOL.
There are two standards, DKIM and SPF, which have been around for a while, by which a sender can digitally sign an email message, and guarantee that it was actually sent from the domain in the From: address. However, at that time there was no standard on what to do if the message was unsigned, or if the signature was invalid. That changed in 2012 with the publication of DMARC, which allows the owner of a domain to specify exactly how they would like unsigned or forged emails with their domain in the From: address to be treated. Not all email is tested with DMARC, but all the large email services do use it.
Initially the large webmail providers took a conservative approach to using DMARC, and requested notification rather than deletion of unsigned mail. There are legitimate reasons why someone might use a Yahoo! mail address, say, but not use Yahoo! for delivery; the most common are legitimate bulk mailings by an ESP (email service provider) and traffic through mailing lists. However, there are alternative methods for dealing with both of those cases. Three weeks ago Yahoo! decided that email with forged Yahoo! headers was enough of a problem that they would change their DMARC settings to request deletion of unsigned mail with a Yahoo! From address. Since this change Cloudmark has seen a 30% reduction in spam with Yahoo! headers, compared with the prior three weeks, so it is clear that this was a good decision.
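To make the policy change concrete, here is an added example (written for this post, not code from Cloudmark, Yahoo!, AOL or the OpenDMARC project) that parses a DMARC TXT record and works out what a receiver does with one message. It assumes the authentication results (which DKIM signing domains passed, which domain SPF passed for) have already been computed by the receiver; the domains and records are placeholders; and the organizational-domain lookup is simplified to the last two labels, where a real implementation consults the Public Suffix List.

```python
"""Apply a DMARC record to one message's authentication results (added example, placeholder data)."""
from dataclasses import dataclass


@dataclass
class DmarcRecord:
    policy: str            # p=  : none | quarantine | reject (what to do with failing mail)
    subdomain_policy: str  # sp= : policy for subdomains of the record's domain, defaults to p
    adkim: str             # DKIM alignment mode: r (relaxed) or s (strict)
    aspf: str              # SPF alignment mode: r or s
    pct: int               # percentage of failing mail the policy applies to


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value list published at _dmarc.<domain>."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    p = tags.get("p", "none").lower()
    return DmarcRecord(
        policy=p,
        subdomain_policy=tags.get("sp", p).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels; real receivers use the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Does the authenticated domain 'align' with the header From domain?"""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: DmarcRecord, from_domain: str,
             dkim_pass_domains=(), spf_pass_domain=None) -> str:
    """Return 'pass', or the disposition the domain owner requested: none/quarantine/reject.

    The record is assumed to have been found at the organizational domain, so a From
    domain below it is a subdomain and gets sp=.
    """
    dkim_ok = any(aligned(from_domain, d, record.adkim) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, record.aspf)
    if dkim_ok or spf_ok:
        return "pass"
    if from_domain.lower() != org_domain(from_domain):
        return record.subdomain_policy
    return record.policy


# Placeholder records standing in for the "before" and "after" policies described above.
MONITOR_ONLY = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@webmail.example")
REJECT_FORGERIES = parse_dmarc("v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100")


def forged_mail_disposition(record: DmarcRecord) -> str:
    # A spammer's host passes SPF for its own domain but nothing aligns with the From domain.
    return evaluate(record, "webmail.example", dkim_pass_domains=(),
                    spf_pass_domain="spam-host.example.net")


def esp_mail_disposition(record: DmarcRecord, signed: bool) -> str:
    # Bulk mail sent by an ESP: SPF passes for the ESP, which does not align. The fix the
    # post alludes to is DKIM-signing with the From domain's own key.
    dkim = ("webmail.example",) if signed else ()
    return evaluate(record, "webmail.example", dkim_pass_domains=dkim,
                    spf_pass_domain="esp.example.org")


if __name__ == "__main__":
    print("forgery under p=none  :", forged_mail_disposition(MONITOR_ONLY))
    print("forgery under p=reject:", forged_mail_disposition(REJECT_FORGERIES))
    print("unsigned ESP mail     :", esp_mail_disposition(REJECT_FORGERIES, signed=False))
    print("DKIM-signed ESP mail  :", esp_mail_disposition(REJECT_FORGERIES, signed=True))
```

The same forged message that was merely reported under p=none is rejected once the owner publishes p=reject, which is the switch Yahoo! and AOL made; the ESP case shows why legitimate third-party senders must sign with the From domain's DKIM key before that switch is safe.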
A week ago, faced with the attack from the Com Spammers, AOL made a similar decision, with even more dramatic results, as is obvious from this graph.
As you can see, the Com Spammers attack started in volume on April 15th and ended after the DMARC policy change on April 22nd. There was about a 70% drop in spam email since the DMARC change compared with the eight-day period of the Com Spammers’ attack.
However, the Com Spammers are still out there, and they still have all those email addresses (including mine!) harvested from AOL address books. Those email addresses are going to get spammed for months or years to come. AOL has yet to explain how that address book information came into the hands of the spammers, though they are reported to be investigating this.
On a personal note I’d like to give a shout out to Murray Kucherawy, whose desk was right next to mine when I first joined Cloudmark two and a half years ago. Murray is the principal editor of the DMARC spec. He’s now carrying on the good work at Facebook where he is lead developer for OpenDMARC and OpenDKIM. Murray, it’s nice to see your work at Cloudmark and Facebook paying off in such a spectacular fashion.