Planet Antispam
January 27, 2012
89458 patterns in 32635 domains, 12110 right anchor strings, 353802 test IPs
New patterns and updates from the various contributing feeds. There
were two minor releases since 20120126.
PLEASE NOTE that this release contains a NEW CLASS: 'dedhost'. It
replaces 'static/colo' and allows for distinction between shared and
dedicated web hosting and colocated servers. It is now reflected in
the rbldnsd files and returns 127.0.2.3.
January 27, 2012 06:28 PM
This past holiday season showed that spending in brick and mortar stores was significantly off targeted projections.
People just weren’t spending as much money in the malls and department stores.
However every single study of consumer spending did show that companies with a strong online presence had a significant boost in sales this past year, including the holiday shopping season. In fact during December alone, non-store sales rose 10.6 percent from the same time one year ago. Even automobile sales online boasted a 9.5 percent increase.
To make sure they can stay competitive in the online retail sector, businesses must strive to build, and at the same time maintain, a solid reputation on the Internet.
Of course, it was only a matter of time before spammers saw this trend as an opportunity to dupe business owners into downloading dangerous malware.
How the Scam Works
Businesses are sent an email branded with the Better Business Bureau logo that reads:
“Thank you for supporting your Better Business Bureau (BBB). Your BBB receives more than 6,500 requests for information every day and provides reliability reports to consumers 365 days a year, 24 hours a day, and 7 days a week.
As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
We encourage you to use our ONLINE FORM to provide us with this updated information. The URL below will take you directly to this form on our website:
CLICK HERE to login to your BBB account
You may also complete the form on the reverse side of this letter and mail to PO Box 1000; DuPont, WA; 98327; or fax to (206)436-5496.
Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily. In addition, many consumers may search our database using your e-mail and/or Web address, so please be sure to include this information as well. As a BBB accredited business, you receive a free hyperlink from your online reliability report to your company Web site if provided to us.
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services”
Eager to keep their information and good standing current, business owners and managers who click the link are not taken to a legitimate site hosted by the BBB. Instead their computer downloads malware and their account credentials are compromised by the phisher.
Another version of the phishing scam informs the recipient of the email that a negative review of their company has been posted to the BBB site. To refute the claim, the recipient must click on the supplied URL and address the problem. Failure to do so would result in a bad report being filed.
The URL here also directs the victim to a malicious site and has the potential for account credentials being stolen.
Fighting Back
This newest scam is the third of its kind in the last three months targeted at business owners.
Businesses have been instructed, by the BBB, to contact them directly if they receive emails claiming that they have received a negative complaint or that their information is incorrect or incomplete.
The Better Business Bureau is also taking steps to fight the problem, enlisting the help of the FBI.
“Our national organization in Arlington, Va. has been working for three months with the FBI, and I can tell you that they’ve closed down over 50 sites”, Katie Carrol, Director of Media Relations and Communications with the BBB, said.
They have also asked for business owners to help them fight this growing problem by contacting them at phishing@council.bbb.org if they received these emails, or any others like them.
IT departments should also be aware of this scam and take necessary precautions.
In house steps that can help prevent problems related to this latest attack, as well as others, include:
- Keep anti-malware software up-to-date.
- Make sure anti-spam solutions are configured correctly and up-to-date.
- Make sure that employees are aware of this scam.
- Put procedures in place for employees who receive this email, or other spam messages, to report it.
- Teach employees how to better recognize spam and phishing attempts.
Liked this post? Get more anti-spam related news from AllSpammedUp.com!
Phishing Scam Targets Victims Using Better Business Bureau
January 27, 2012 05:00 PM
A new open source toolkit is designed to provide a way for companies to educate their
employees on how to spot phishing scams, but it may give scammers a lot of help as well. The open source Simple Phishing Toolkit includes a scraper that will quickly clone any website and create a phishing lure. It also comes with tools that allow administrators to track how many employees click on the lure, what links they followed, when they did so, and even their IP addresses, browser info and operating systems.
Naturally, such tools would be very useful for IT departments and system administrators to educate employees on how to spot phishing scams. Employees falling for such scams are a leading cause of corporate data breaches, and such breaches can cost a company millions.
“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner?’” said Will, one of the Toolkit’s co-developers. “It seems like in every organisation there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”
While it appears the developers had honest intentions when they created the toolkit, the fact remains it could be pretty attractive to the bad guys and they have no way of controlling that. Right now it doesn’t record any data typed into the fake phishing sites it generates, but they said future versions of the kit will have that functionality. That may make it irresistible to scammers looking for a way to create phishing campaigns that’s fast and won’t eat into any profits.
What do you think? Are these toolkits helpful or just asking for trouble?
Go Phish Yourself?
January 27, 2012 03:00 PM
LOL. Met Office issues 'yellow snow' warning? #youcouldnotmakeitup
January 27, 2012 01:02 PM
Facebook has filed a lawsuit against a firm that, they say, bombarded users with clickjacking scams that earned $1.2 million a month.

January 27, 2012 11:54 AM
For those asking about the hard-core porn legal position in the UK, I found this amusing link. I'm fairly sure it's not an urban legend...
Kintyre is highlighted in red. The "Mull of Kintyre" properly refers to the promontory at the southernmost end, but in this context the apparent angle of the whole peninsula is the relevant ...
January 27, 2012 11:33 AM
In N. Korea, use a cellphone and die.
In IT Blogwatch, bloggers assume 'war crime' means they'll be executed
#itbw
North Koreans found using cellphones are guilty of 'war crimes.' At least, during the 100-day mourning period for Kim Jong-il, we're told. In IT Blogwatch, bloggers assume that means they'll be execut...
January 27, 2012 11:04 AM
January 26, 2012
I love it when crooks make simple mistakes that cost them. Look at the following email message claiming to come from Intuit (the accounting and tax return software company):
From: INTUIT INC.
Subject: Your tax information needs verification.
Dear Account Holder,
In order to guarantee that correct data is being maintained on our systems, as well as to provide you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.
We have discovered, that your name and/or Employer Identification Number, that is indicated on your account does not correspond to the data obtained from the IRS and/or SSA.
In order to check and update your account, please click here.
Yours truly,
INTUIT INC.
Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043
Is this a phishing expedition or a malware lure? It's hard to tell because the doofus failed to set up the botnet spam sender to fill in the actual link. Here's the source code:
<a href="http://{int_link}">click here</a>
The {int_link} text is a placeholder for the actual link to be inserted. My gut feeling is that this template is supposed to be used to lure recipients to a hijacked web site for malware delivery. That's just my, um, intuition based on years of reading this crap.
Anyway, don't be surprised to see a subsequent blast with this social engineering trick — don't want to screw around with tax stuff, right? — but with the link "fixed."
Update (26Jan2012, 1800 PST): He's been going at it now for over six hours and still no change in the URL. He must be scratching his head over why he has zero responses (my favorite number). Here are variations in the Subject: line I've seen personally:
- We need your tax information ASAP.
- Your tax information needs verification.
- Urgent update of tax information is requested.
- Verify the correctness of your tax information.
- Tax Information needed urgently.
- Please update your tax information promptly.
- Verify your information for INTUIT INC..
Message bodies also vary a little, but the basic intention is the same.
Somewhere along mid-run, the idiot figured out how to include the actual image binary data for the Intuit logo header at the top of the message. But he still can't figure out the active link stuff. He must have burned through at least a hundred bucks of botnet time with no chance of payback. I'm doing the Snoopy happy dance.
January 26, 2012 07:59 PM
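A mail filter can treat an unrendered template token in a link target, like the {int_link} shown in the Intuit-themed message above, as a strong spam signal. The following added example (not from the original post) parses a message's HTML and reports anchors whose href still contains such a token; the sample HTML and function names are constructed, and the double-brace token shape is an assumed generalisation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "{int_link}" is the token shown in the post; the "{{ name }}" shape is an
# assumed generalisation to another common template style.
TOKEN_RE = re.compile(r"\{\{\s*[A-Za-z_][\w.]*\s*\}\}|\{[A-Za-z_]\w*\}")

# Constructed sample built around the one line of source quoted in the post.
SAMPLE_HTML = """<html><body>
<p>Dear Account Holder,</p>
<p>In order to check and update your account, please
<a href="http://{int_link}">click here</a>.</p>
<p><a href="http://www.example.com/support">Support</a></p>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_unrendered_links(html):
    """Return one finding per anchor whose href still holds a template token."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        tokens = TOKEN_RE.findall(href)
        if not tokens:
            continue
        try:
            host = urlsplit(href).netloc
        except ValueError:
            host = ""
        findings.append({
            "href": href,
            "text": text,
            "tokens": tokens,
            # A token in the host position means the link cannot resolve at all.
            "token_in_host": bool(TOKEN_RE.search(host)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unrendered_links(SAMPLE_HTML):
        print(finding)
```
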
89384 patterns in 32614 domains, 12107 right anchor strings, 353708 test IPs
New patterns and updates from the various contributing feeds.
PLEASE NOTE that this release contains a NEW CLASS: 'dedhost'. It
replaces 'static/colo' and allows for distinction between shared and
dedicated web hosting and colocated servers. It is now reflected in
the rbldnsd files and returns 127.0.2.3.
January 26, 2012 06:03 PM
Several new phishing campaigns have been spotted in the wild.
The first one is a new incarnation of an old scam. Emails that look like they’ve come from your friends arrive with an urgent message about them being on a trip to a far flung place such as Madagascar, London, or Berlin and needing help. You see, they were mugged/assaulted and all of their money and documents were stolen, and they really need to go home but there’s the matter of their hotel bill. The messages generally ask for about $1600 to be sent via Western Union. Of course it’s just a variation of a 419 scam. If you get one, no matter how convincing it sounds, try contacting your friend first. In 99.9% of cases you’ll find they are safe and sound at home.
Next is the Better Business Bureau, who has joined the ranks of the brandjacked as new spam messages claiming to be from them are making the rounds. The messages tell the recipient that a complaint has been filed against them and urge them to click the included link to read it and respond. Anyone who does so is taken to a malicious site that attempts to infect their computer with the infamous Zeus Trojan. Zeus, distributed by a botnet with the same name, installs a keylogger and several other nasty bits onto the infected system and steals banking info and other sensitive data.
Finally, popular companies such as Facebook, American Airlines, Paypal, and several major banks are also being brandjacked by scammers. In some cases the phishing messages are receipts for fake purchases or reservations and in others, fake message or fraud notifications. In almost all cases, the attachments and links in the messages deliver malware. It looks like the spammers are hard at work building up their botnets!
Several New Phishing Campaigns Going Strong
January 26, 2012 05:00 PM
Last September we reported on Microsoft’s actions in taking down the Kelihos Botnet, and the civil actions pending against alleged perpetrators including Czech citizen Dominique Alexander Piatti and the dotFREE Group SRO. We then followed up with a story on the settlement reached and the dismissal of charges against Piatti. Today Microsoft announced new actions in the legal followup to the botnet takedown.
The Microsoft Digital Crimes unit has continued its investigation into the perpetrators behind Kelihos, and today filed an amended complaint in the U.S. District Court for the Eastern District of Virginia, naming Russian citizen Andrey N. Sabelnikov as the alleged perpetrator.
Microsoft indicated in a blog post today that former defendants Piatti and the dotFREE Group have been cooperating with Microsoft, and it is this cooperation combined with new evidence that has enabled Microsoft to amend their complaint and name Sabelnikov.
In the amended complaint, Microsoft presented evidence against Sabelnikov alleging that he wrote code for Kelihos and either created or participated in the creation of the malware. Evidence was also presented supporting the allegation that
Sabelnikov “used the malware to control, operate, maintain and grow the Kelihos botnet.”
The complaint goes on to allege that Sabelnikov registered over 3,700 domains in the cz.cc namespace with the dotFREE Group SRO, using these in the ongoing spread and control of Kelihos.
A statement on Microsoft’s official company blog by Senior Attorney for the Microsoft Digital Crimes Unit Richard Domingues Boscovich asserts Microsoft’s commitment to continuing the investigation and taking action against all the individuals who participated in Kelihos. Remember that the original complaint named twenty-two John Doe co-conspirators. One can only assume that Sabelnikov is the first, with another twenty-one to be named as more evidence is developed.
Microsoft has also made available more information on botnets and free tools to help clean users’ computers if they have been infected. You can view that information at: http://support.microsoft.com/botnets.
As more information develops on this case, we’ll be sure to keep you up-to-date with continued coverage. Those of you with an interest in the legal actions involving Sabelnikov can read the amended complaint here (PDF, new window).
Kelihos Actions Continue: New Defendant Named
January 26, 2012 03:00 PM
Hard-core porn in Google+ -- Google asleep at the switch.
Seriously, what's the point of reporting abuse if Google ignores it?
#tlv $GOOG
Hey! Google! Wake up! Porn spammers are running rampant over your social networking baby. Reporting them seems to have no effect. Please get a grip.
January 26, 2012 11:41 AM
iPhone 5 release date sooner than thought, says Foxconn nark
Production is already 'gearing up.' In IT Blogwatch, bloggers debate veracity of tittle-tattle.
#itbw $AAPL
The iPhone 5 release date will be this Summer, according to a previously-reliable source at Apple's (NASDAQ:AAPL) contract manufacturer, Foxconn. The final design seems nearly finalized, and productio...
January 26, 2012 10:50 AM
January 25, 2012
Possibly tomorrow's #itbwfinally ? What do you think?

http://itunes.apple.com/us/album/arkham-city-song-moves-like/id476859267
Moves Like Batman - Angie and Chad dress as Catwoman and Batman out in public!
Song parody of Maroon 5 "Moves Like Jagger"
See their video here: http://www.youtube.com/watch?v=iEPTlhBmwRg&ob=av3e
Extras and Vlogs: http://www.youtube.com/user/ScreenTeamPlus
Daily gaming videos: http://www.youtube.com/user/ScreenTeamGaming
Facebook: http://www.facebook.com/pages/Screen-Team/124580900936547
Twitter: http://twitter.com/thescreenteam
Lyrics:
When i press start, Arkham City
I feel like the star, and that's one hot kitty
I'm wearing a cape, alter ego Bruce Wayne.
And i'll save the day.
This city is hell, but i got my
Explosive Gel, Remote Control Batarang
So bring on the gang, you know i can hang.
And Hugo is Strange.
And i fight like this...
Drop a smoke bomb and i'll own you.
Do a Cape Stun and i'll show you
All the moves like Batman, i got the moves like Batman.
I've got the na na na na na na na na moves like Batman.
Call in some bats and they'll swarm you.
I just kicked your ass, but i warned you.
Got the moves like Batman, i got the moves like Batman.
I've got the na na na na na na na na moves like Batman.
Sometimes i Slide, but i love to
Grapnel and Glide, Dive Bomb you.
I throw a Beat Down. Perform a Take Down.
That ass sure is round! (catwoman)
Oh! I got my Batclaw for the Joker.
Phone calls from Zsaaz couldn't be weirder.
I'll fight the Penguin, shove his umbrella in...
I'd **** Harley Quinn
And i fight like this...
Drop a smoke bomb and i'll own you.
Do a Cape Stun and i'll show you
All the moves like Batman, i got the moves like Batman.
I've got the na na na na na na na na moves like Batman.
Call in some bats and they'll swarm you.
I just kicked your ass, but i warned you.
Got the moves like Batman, i got the moves like Batman.
I've got the na na na na na na na na moves like Batman.
how to move
how to dance
how to batman
how to catwoman
January 25, 2012 11:24 PM
I earlier wrote about an eTrade spam campaign that morphed into a Bank of America spam campaign. Subsequent mutations saw this spammer use the same tactic over and over again, but slightly modify it. We saw LinkedIn spam and “You have a transaction” spam.
Now, the spammer has morphed again, no doubt because filters updated and blocked it. The newest technique is the following:
- The spammer sends mail from a Yahoo account that is either compromised or he registered it himself.
- The subject line contains something like “Net teller Payment ID” or “Websterbank payment ID”. It next contains a bit of HTML code and then a link to an http://goo.gl shortened URL.
- The message body is empty. This means that the entire payload is in the message subject.
- The subject line is encoded in the ISO-8859-1 (Western European) charset, and uses quoted printable. This means that a subject line that looks like this to the user:
W: Re:Websterbank Payment ID,,,,<div class="ëéèhttp://goo.gl/<redacted>}(ìê779765289255
Looks like this to the spam filter:
=?iso-8859-1?Q?Re=3AWebsterbank_Payment_ID=2C=2C=2C=2C=3C
div_class=3D=22?= =?iso-8859-1?Q?=EB=E9=E8http=3A//
goo=2Egl/<redacted>=7D=28=EC=EA779765289255?=
This is the same guy who has been operating for a month, sending out new spam blitzes every couple of days. Yet his tactics have changed. Originally, he sent out spam by using his botnets to connect to a second set of botnets to relay spam directly. Now his first set of botnets connect to Yahoo and send out spam that way; he has streamlined it presumably in an effort to get around IP blocklists.
The move to the subject line is curious. If it’s on purpose, and not because his malware is broken, he’s done that to avoid content filtering. However:
- Why is there HTML code in the subject line? Was it copied-and-pasted from previous spam campaigns and not proofread before this one went out?
- Why is there so much heavily encoded quoted printable in the subject line? Is this an attempt to evade filters?
- What is the ROI for putting the http link in the subject line? Users cannot automatically click the subject line the way they could in the message body. With this campaign, they have to manually copy and paste it into a browser, and the fact is that the message is not readable.
I really wish Google and Yahoo would catch this guy and shut him down.
January 25, 2012 07:21 PM
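Added example (not from the original post): decoding the RFC 2047 encoded-words before scanning shows why a URL match on the raw Subject header misses the campaign described above, while the decoded subject exposes the link and the stray HTML. The sample messages, the short.example host and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HTML_TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][A-Za-z0-9]*\b")

# Constructed sample modelled on the subject quoted in the post; the bank name
# and the short.example host are placeholders, not values from the campaign.
SUBJECT_ONLY_SAMPLE = (
    "From: sender@mail.example\n"
    "To: rcpt@corp.example\n"
    "Subject: =?iso-8859-1?Q?Re=3AExamplebank_Payment_ID=2C=2C=2C=2C=3Cdiv_class=3D=22?=\n"
    " =?iso-8859-1?Q?=EB=E9=E8http=3A//short=2Eexample/AbC123=7D=28=EC=EA779765289255?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=iso-8859-1\n"
    "\n"
)

# Constructed control message: plain subject, link carried in the body.
CONTROL_SAMPLE = (
    "From: news@corp.example\n"
    "To: rcpt@corp.example\n"
    "Subject: Weekly report\n"
    "\n"
    "The report is at http://intranet.example/report\n"
)


def decode_subject(raw):
    """Decode RFC 2047 encoded-words, tolerating bad charset labels."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                out.append(chunk.decode(charset or "ascii"))
            except (LookupError, UnicodeDecodeError):
                out.append(chunk.decode("latin-1"))
        else:
            out.append(chunk)
    return "".join(out)


def body_is_empty(msg):
    """True when no leaf MIME part carries anything but whitespace."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.strip():
            return False
    return True


def host_of(url):
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def analyze(raw_message):
    """Report what a filter sees before and after decoding the Subject."""
    msg = message_from_string(raw_message)
    raw_subject = str(msg.get("Subject", ""))
    subject = decode_subject(raw_subject)
    urls = URL_RE.findall(subject)
    empty = body_is_empty(msg)
    return {
        "subject": subject,
        # Scanning the undecoded header: "http=3A//" does not look like a URL.
        "urls_in_raw_header": URL_RE.findall(raw_subject),
        "urls_in_subject": urls,
        "hosts": sorted({host_of(u) for u in urls} - {""}),
        "html_in_subject": bool(HTML_TAG_RE.search(subject)),
        "empty_body": empty,
        # The pattern from the post: link in the subject, nothing in the body.
        "payload_in_subject": bool(urls) and empty,
    }


if __name__ == "__main__":
    for name, sample in (("subject-only", SUBJECT_ONLY_SAMPLE),
                         ("control", CONTROL_SAMPLE)):
        print(name, analyze(sample))
```
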
The latest in the malware lure campaign invokes the mighty piracy-fighting lawyers at Microsoft. In the email, the recipient is essentially accused of using pirated MS products, and he/she had better click the link to register a PC and avoid court. What a bunch of bullshit.
Here's the message:
Subject: Microsoft legal department
We've been tracking the illegally installed versions of our products for a long time, we've recently won tht claim in International Court, and we were alloud to request from the providers personal details of persons using the illegally installed versions of Microsoft products. We've decided to solve this problem avoiding court. After you follow this link, we register your PC as a legal one, thereby you avoid the judicial issues concerning presumably illegally instaled software on your PC.
With Respect To You
Emeline Welsh
SHA2 check sum: c084bfe116bfe1169dc08e16923723a5a5728e11169dcccccc08e6b572849237
How 'bout the typos and use of the non-word "alloud"? Hmmm, not what I'd expect from Microsoft's lawyers. Tee hee.
As a million times before, the link leads to a hijacked web site, where a page of obfuscated JavaScript can lead a user of an unprotected PC down the path of screwdom.
January 25, 2012 06:43 PM
89364 patterns in 32607 domains, 12106 right anchor strings, 353670 test IPs
New patterns and updates from the various contributing feeds. There
was one minor release since 20120124.
PLEASE NOTE that this release contains a NEW CLASS: 'dedhost'. It
replaces 'static/colo' and allows for distinction between shared and
dedicated web hosting and colocated servers. It is now reflected in
the rbldnsd files and returns 127.0.2.3.
January 25, 2012 05:38 PM
'The next iPhone isn't the iPhone 5!' (reader mailbag)
...
#tlv $AAPL
Hey people, help me out here. What's your reaction to this reader's comment? How would you reply, if you were me? Yes, it's another bizarre installment of The Long View...
January 25, 2012 05:28 PM
The year’s off to a rousing start, with all sorts of interesting security news this week: Wikipedia led a temporarily successful foray against SOPA and PIPA by joining numerous websites that went dark for a day; the founder of Megaupload had his hands slapped when law enforcement officials told him resoundingly, “no, you can’t pirate copyrighted material” – insult was heaped upon injury when dozens of expensive cars were towed away to show him they were right; and Koobface – the Facebook botnet that has been harassing Zuckerberg for years – was taken down by its own creators after the Facebook gang teamed up with The New York Times to uncover and publish the identities of the worm’s owners. To round off the week, QR codes (like the one in the image here) may just be the latest form of spam, and news out of the Twitterverse suggests that Darwin’s cardinal rule is not only true, it’s actually a dire prophecy of our impending extinction.
The year’s less than a month old and it may already be shaping up as ‘the year of anything goes’. Topping the headlines was a mass protest against seemingly inevitable anti-piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect I.P. Act), as innumerable websites intentionally went dark on January 18. Led by students’ greatest friend and perpetual source of dubious information Wikipedia, the activist movement irritated web surfers across the globe and scored one for the little guy as the bureaucrats in Washington, DC backed off the proposed legislation and shelved the bills, albeit temporarily. It’s practically inevitable that some wily spammer will take advantage of this controversy, so keep your eyes open and watch your back.
In a related story and in the spirit of fishy timing (i.e., the same week as the aforementioned protests), Megaupload founder, Kim Dotcom, was carted off along with several other geniuses who figured they would get away with providing a conduit for copyrighted material, all the while skimming millions of dollars off the illegal activity and thumbing their noses at the FBI. Mr. Dotcom, a German national, lamented as his lavish New Zealand mansion was raided and dozens of vintage cars were hauled away as the spoils of war. Again, there’s more here than meets the eye, especially now that Anonymous has its back up.
In an LMAO moment, individuals responsible for Koobface – a nasty piece of malware that has been frustrating Facebook and Twitter users for years – have taken down their own command and control server after Facebook teamed up with The New York Times to uncover and embarrass five of the founders – Russian nationals living in St. Petersburg, Florida. The named individuals have scrambled to scrub their online profiles, but it’s highly doubtful that erasing their cyber identities will have much of an effect in the real world, where police carry real guns and real handcuffs.
Are QR codes the newest spam threat? Some people think so. QR – or Quick Response – codes were developed in the automotive industry and have been used for a while. Slowly entering the mainstream over the past couple of years, they are in wide use in Japan, the UK and the US, amongst other countries. Popular because of their fast readability and relatively high storage capacity (compared to bar codes), the increased use of smartphones with cameras and QR reading apps has made the codes a prime target for manufacturers and retailers; heck, even Google’s looking at getting into the game by using QR codes as a secure login method. The problem is that QR codes can contain virtually any information, meaning that they are already being exploited by scammers and spear phishers. Keep an eye on this one, folks – and think twice before you take a picture of that code staring you in the face.
Finally, from the Twitterverse, here’s one that, no matter how much you shake your head, won’t rid that sickening feeling that the human race is on a collision course with extinction. Perhaps a case of ‘you can’t spell Twitter without ‘twit’, this recent article shows just how careless – or ignorant, or both – web users really are. Get this: over a twenty-four hour period, more than 11,000 Twitter users shared their email addies with the rest of the world. A safe practice if we were living in Thomas More’s Utopia, but it’s not the case if you reside anywhere on Earth, which is rife with people who would just love to use that information against you. This is just a guess, but it looks like spear phishing season is open and Twitter is the local watering hole.
Week in Review: You Can’t Spell Twitter Without ‘Twit’
January 25, 2012 03:00 PM
Laura Atkins wrote this really good post yesterday talking about email address validation, asking the question, "Can you verify email addresses in real time?" In it, she highlights her poking at a specific address verification service, immediately finding an example of how it identifies a specific handle of hers as a valid address when it isn't.
I've talked about email address validation for a 
January 25, 2012 01:07 PM
Over on the Email Responsibly blog, Experian CheetahMail's Ben Isaacson explains "that Experian CheetahMail believes that opt-out email appending is no longer an acceptable practice, and that marketers should no longer use this practice to acquire customer email addresses."
For those of us banging the best practices drum every day, this is fantastic news. For an email service provider like 
January 25, 2012 11:09 AM
Apple beats rumor numbers on Wall St.
It surprised Wall Street with record numbers. In IT Blogwatch, bloggers try to put it all in context.
#itbw $AAPL
Apple did much better than the rumors predicted for its Q4 results. The pomaceous peddler of fashionable portable-computers-that-sometimes-make-phone-calls (NASDAQ:AAPL) surprised Wall Street with rec...
January 25, 2012 11:07 AM
In case you haven’t been following the news, the US Department of Justice seized the file-sharing site MegaUpload, taking its domain names and $50 million in assets, and coordinated with law enforcement officials in other countries to arrest key employees, as described by ars technica.
MegaUpload, as the name suggests, is (was) a file-sharing site that officially discouraged the uploading of copyrighted material. However, the government alleges that employees of the site knew full well that they were distributing infringing content. The government points to numerous internal e-mails and chat logs from employees showing that they were aware of copyrighted material on the site and even shared it with each other. Because of this, the government says that the site does not qualify for a “safe harbor” of the kind that protected YouTube from Viacom's $1 billion lawsuit.
The obvious question arises: why do we need bills like SOPA and PIPA if the federal government already has the authority to shut down illegal file sharing sites?
In response to the US government’s action to stop illegal file sharing and copyright infringement, and the takedown of MegaUpload, hacking group Anonymous released a message sharing its thoughts:
Here are some excerpts from the transcript of the video:
We have been watching recent events as they have slowly but surely unfolded, from the distortion and destruction of the first amendment to legalize and justify political bribery, to the dawn of a new political struggle consisting of millions of citizens crying out in indignation at this misappropriation of the judicial system, and to the very proposal of the so called, "Stop Online Piracy Act", SOPA, without any concern to ethicality, morality, or responsibility.
Suffice to say, we are angry.
<snip>
Citizens of the Global Community, join us. Let us defend our home, the internet.
Operation Revenge, engaged.
Operation Megaupload, engaged.
Operation Blackout, engaged.
We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
To the United States Government, you should've expected us.
Yahoo News later reported Anonymous claimed responsibility for temporarily disrupting CBS.com (showing only a pixel on the screen) and earlier launching a DOS attack on the Department of Justice.
Yet Anonymous, while condemning the ethics of the US government, redefines its own set of morals. A version of Anonymous’s voluntary botnet software, known as LOIC (Low Orbit Ion Cannon), was modified to make it not so voluntary, drafting unwary bystanders, journalists, and even anons who don’t support DDoS tactics into attacks on the U.S. Justice Department. Those who happened to click on a shortened link on social media services were expecting information on the ongoing #opmegaupload retaliation for the U.S. Justice Department’s takedown of popular file sharing site Megaupload. Instead they were greeted by a JavaScript version of LOIC, already firing packets at targeted websites by the time their page was loaded.
Note the paradox of ethical conduct:
- Shutting down a file sharing site that is knowingly breaking US law by distributing copyrighted material is wrong.
- Secretly conscripting users into a DDOS attack is permissible.
While Anonymous’ actions are consistent with hacktivism and the hacker ethic, their brashness risks drawing the attention and ire of law enforcement.
In the stock market, there is a saying: There are old traders, and there are bold traders. But there are no old, bold traders.
Hacktivists would do well to heed this advice.
January 25, 2012 06:16 AM
In a story announced last week, Hotmail has released a new version of itself to help users deal with the problem of gray mail. Gray mail is marketing mail that straddles the line between spam and ham; to some it’s spam, but to others it is legitimate. This makes it difficult for filters to make a global decision because no matter what action the filter takes at a global level, users will either complain about missed spam or false positives (an example from back in the day was messages from reunion.com).
From the Hotmail blog:

When inbox spam was at 30%, our job was really clear—our enemy, clever as he remains, was impossible to miss. We made huge investments in SmartScreen and reduced spam to historic lows of less than 3%.
With spam at manageable levels, we began looking at the rest of the inbox, and what we found was pretty surprising.

We could easily tell which messages were person-to-person, and we identified spam getting past our filters. The majority of what was left was something we refer to as graymail, and when thinking about how to deal with graymail, it became clear that the fundamental problem wasn’t just which things to accept or reject. Unlike spam, which everyone wants to be rid of, there is no general agreement on how to deal with graymail.
<snip>
Using Hotmail’s categorization tool, you can change the categorization of a message—for example, marking or unmarking it as a newsletter. This generates feedback that the newsletter filter learns from, so it’s able to overcome previous mistakes as well as stay on top of new newsletters. This means the rules set up to deal with newsletters will not just apply to old ones, but also to new newsletters created after you’ve refined the rules to deal with newsletters. The best part is that SmartScreen learns from what customers do with their newsletters, and everyone benefits as the filter gets smarter!
The essence of the feature is that Hotmail’s spam filters are getting better and better trained to identify newsletters and allow its users to categorize the mails efficiently, visually marking them as such so users can navigate their inbox quicker.
Users can then mark or unmark newsletters depending on what they think the message is. This helps to build a more personalized inbox.
The feature is similar to Gmail’s Priority Inbox which has been around for a little over a year. It also is similar to our own feature for handling Bulk Mail, which we released 7 months ago.
Yet our feature is also different from Hotmail’s. Consider their definition of a newsletter:
To get Hotmail to identify newsletters for us, we began by making a list of newsletter characteristics and built a piece of software to extract them from incoming emails. This list forms the model of what makes newsletters different from all other mail and includes three aspects: presence of the List-Unsubscribe header, the sending email address, and what gets shown to the user.
Newsletters that have these characteristics are more often legitimate than not (well, in the past that was the case although it is less true today). By contrast, our bulk mail filter covers a wider range of email:
Spam --> Bulk mail filter <-- Good mail
Thus, whereas Hotmail leans more towards legitimate mail, and so does Gmail, we lump dark gray-hat marketers in with lighter gray-hat marketers.
As I have written elsewhere on this blog, bulk mail (and snowshoe spam) is among the most complained about spam today. But it’s still difficult to differentiate. The future of spam filtering lies not in detecting malicious spam from botnets, but in personalizing the user experience so that the bulk mail they want does arrive in their inbox.
January 25, 2012 05:48 AM
January 24, 2012
89341 patterns in 32601 domains, 12105 right anchor strings, 353626 test IPs
New patterns and updates from the various contributing feeds. There
was one minor release since 20120123.
PLEASE NOTE that this release contains a NEW CLASS: 'dedhost'. It
replaces 'static/colo' and allows for distinction between shared and
dedicated web hosting and colocated servers. It is now reflected in
the rbldnsd files and returns 127.0.2.3.
January 24, 2012 06:24 PM
You just know that this is where all the cool kids are getting their news now.
Wavii creates auto-magical news feeds for any topic!
January 24, 2012 06:11 PM
Yes! Jailbreak iOS 5.0.1 on iPhone 4S, iPad 2... UNTETHERED
[updated]
#tlv $AAPL
[Updated to answer an FAQ about iPhone 4S jailbreak and unlocking] Good news, everyone! Now you can jailbreak your iPhone 4S or iPad 2, with iOS 5.0.1 and reboot untethered. At last! Find out how to j...
January 24, 2012 05:50 PM

A new spam campaign is brand jacking popular social networking site LinkedIn to spread links leading to shady domains. The emails, which look like notifications from the site telling the recipient they have a message waiting, contain links that allegedly lead to the messages. Instead they take the recipient to a pharmaceutical site offering fake prescription drugs and male enhancement products.
Spam involving these sites is nothing new. Even though the infamous Canadian Pharmacy ring was severely incapacitated when first Spamit and then Rustock went down in 2010, it hasn’t stopped spammers from trying to cash in on these fake pharmacies. While some actually sell drugs, they are almost always fakes made in India. Since these copycat drugs are made with absolutely no regulations or oversights, the FDA issued a warning to consumers to avoid ordering from these types of sites. There are also variants of these sites that are little more than fronts for phishing operations (people place their orders but never get anything and their CC info is stolen) or attempt to deliver malware.
As with most phishing emails, hovering your cursor over the URL will reveal that the link is fake, yet there are still people who see the LinkedIn branding and click, thinking it’s legit. What’s more unbelievable is that some of those people will actually stay on the site and buy something. As long as these tactics work, spammers and phishers will keep using them.
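The hover check described above can be automated at the mail gateway. The following Python code is an added example, not part of the original post: it flags links in a message that claims the LinkedIn brand but whose real host is neither linkedin.com nor a subdomain of it. The brand settings, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "linkedin"                # word a message uses to claim the brand
BRAND_DOMAINS = {"linkedin.com"}  # assumption: hosts the brand really links to

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_brand(host):
    """True only for the brand domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def mismatched_links(raw_message):
    """Return (host, link text) for off-brand links in a brand-claiming mail."""
    msg = message_from_string(raw_message, policy=policy.default)
    claimed = BRAND in f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    body = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body else "")
    hosts = ((urlsplit(href).hostname, text) for href, text in collector.links)
    return [(h, t) for h, t in hosts
            if h and not host_is_brand(h) and (claimed or BRAND in t.lower())]

# Constructed sample message, not taken from the campaign described above.
SAMPLE = """\
From: LinkedIn <notifications@mailer.example>
Subject: You have 1 new message
Content-Type: text/html; charset="utf-8"

<a href="http://www.linkedin.com/inbox">Go to inbox</a>
<a href="http://linkedin.com.pharma.example/msg?id=1">View message</a>
<a href="http://rx-deals.example/">LinkedIn Help Center</a>
"""
```

The suffix comparison in `host_is_brand` is what catches look-alike hosts such as `linkedin.com.pharma.example`, which a plain substring match on "linkedin.com" would accept.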
Have you ever fallen for a phishing email? Even if you only clicked on the link, it counts. Share your story with us!
Liked this post? Get more anti-spam related news from AllSpammedUp.com!
Fake LinkedIn Emails Delivering Spam
January 24, 2012 03:00 PM
Loving @poperatzo's comment at this Slashdot thread... If you take a look at what's waddling in and out of the doors of Wal-Mart, you will find people who have taken any opportunity to sit on a sofa with a giant bag of chips and a Super-Mega-Gulp of high-fructose corn syrup. There's a kind of fat going around now that's "not natural" as my grandfather used to say. .. This is genetically-modified fat, science-experiment-gone-wrong fat, industrial-accident fat, out-of-control-tumorous fat. .. There's something serious going on around here. Some 1950's sci-fi horror story of fat. It scares me. http://tech.slashdot.org/comments.pl?sid=2633201&cid=38791533
January 24, 2012 01:51 PM
LightSquared vs. GPS politics: Improper influence?
Sen. Grassley wrote a letter expressing his unhappiness about things said by LightSquared founder Philip Falcone and Fine Point Technologies CEO Todd Ruelle. In IT Blogwatch, bloggers break out the popcorn.
#itbw
Senator Chuck Grassley says that LightSquared and others may be trying to nobble his investigations. He's looking into LightSquared's plan to transmit high powered signals next to low power GPS signal...
January 24, 2012 11:06 AM