Spammers: Looking to Save Money? Here’s how!

February 2nd, 2010 by Asaf Greiner | Category: Email Security

Next time you have some Viagra to sell or malware to spread, forget those passé, brute-force directory attacks. You don’t have to generate email addresses with all those alphanumeric characters or “typical” names and email structures, such as jane.smith@FORTUNE500COMPANY.com. And you especially don’t have to take days to deliver them slooowly and methodically so corporate servers don’t reject everything.

The cheaper, better, faster way to harvest directories is here! With services like LinkedIn or MeetUp and Google or Yahoo (and the hundreds of other social networking sites), you can get your corporate directories quicker and cheaper, and in a more user-friendly form.

Sites such as LinkedIn contain information about employees at almost every major company around the globe. In addition, these social networking site users make significant efforts to keep their profiles accurate. Sometimes, the sites are more up-to-date than a corporation’s own directories.

Spammers, you can access this up-to-date corporate directory information simply and easily.

Search engines such as Google review and index most data generally available on the web (unless asked not to), including social networking profiles. Try searching for yourself on Google – your LinkedIn profile will most likely appear in the top five.

With the right query, you can ask Google for a complete list of every employee at any company, using readily available social networking data.

With these complete, up-to-date lists of email addresses, you can reach hundreds, thousands, and millions of people easily and accurately, significantly increasing your ROI. Try it today!

*Of course, once you have the email list, you need to actually send out the spam. At this point, Commtouch may disrupt your plans with our Recurrent Pattern Detection (RPD) technology, which blocks spam and malware and enables safe browsing. No tips here for how to bypass RPD…


An academic approach to anti-spam

A recent article in the New Scientist entitled “To beat spam, turn its own weapons against it” describes the work done by a team of academics to find a more effective way to filter spam. The team, from ICSI Berkeley and UC San Diego, has come up with a way of analyzing the spam email messages sent by a ‘captured’ zombie PC. After watching the zombie’s spam outpourings for about 10 minutes, they managed to reconstruct the underlying template used to create the numerous variations of a particular spam message. This allowed them to instruct spam filters to watch out for messages that match the template.

Our CTO Amir Lev discussed the validity of the academics’ approach in his blog post where he writes, “I congratulate the team; in many ways, it’s similar to how our technology works. However, I’d like to suggest that the technique as described is going to be too simplistic for the real world. Ten minutes is far too long to derive the template: in ten minutes, a botnet can deliver millions of spam messages. The template can change quite frequently, too, rendering the work done to derive the template useless.

Spying on just one zombie at one location is a major limitation: you need a widely distributed system – millions of nodes all around the internet — in order to quickly capture sufficient breadth of data. And you need fast, automatic, efficient processing to collate all that information into spam signatures for filters to match against”. Commtouch has an extensive network worldwide collecting these sorts of samples which are analyzed with our patented Recurrent Pattern Detection (RPD). With RPD we identify the template-driven features of any new spam campaigns in seconds, by examining billions of transactions from about a million different bots daily.
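To make the template idea concrete, here is a small, added illustration (not the Berkeley/UCSD team's code and not Commtouch's RPD) that reduces a handful of constructed variants from one campaign to their invariant tokens, compiles a signature from them, and checks new messages against it; the reworded message at the end shows the weakness Amir Lev points out, since a changed template no longer matches until it is derived again.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: four variants of one template, as a watched zombie might emit them.
SAMPLES = [
    "Dear John, your order #48213 is ready. Visit http://a1.example/buy now",
    "Dear Maria, your order #90017 is ready. Visit http://b7.example/buy now",
    "Dear Wei, your order #55501 is ready. Visit http://zz.example/buy now",
    "Dear Ana, your order #12390 is ready. Visit http://q3.example/buy now",
]

def _common(a, b):
    """Common token subsequence of two token lists (difflib's matching blocks)."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return [t for i, _, n in sm.get_matching_blocks() for t in a[i:i + n]]

def _positions(invariant, toks):
    """Index of each invariant token inside toks (greedy left-to-right match)."""
    pos, j = [], 0
    for t in invariant:
        j = toks.index(t, j)
        pos.append(j)
        j += 1
    return pos

def derive_template(samples, min_tokens=4):
    """Reduce the variants to their invariant tokens and compile a matching regex.
    Returns (invariant_tokens, regex), or None when too little survives to be a
    usable signature (a few common words would match legitimate mail as well)."""
    token_lists = [s.split() for s in samples]
    invariant = token_lists[0]
    for toks in token_lists[1:]:
        invariant = _common(invariant, toks)
    if len(invariant) < min_tokens:
        return None
    # [min, max] number of variable tokens seen in each gap: before the first
    # invariant token, between consecutive ones, and after the last one.
    gaps = [[10 ** 9, 0] for _ in range(len(invariant) + 1)]
    for toks in token_lists:
        pos = _positions(invariant, toks)
        sizes = [pos[0]] + [pos[k + 1] - pos[k] - 1 for k in range(len(pos) - 1)]
        sizes.append(len(toks) - 1 - pos[-1])
        for g, n in zip(gaps, sizes):
            g[0], g[1] = min(g[0], n), max(g[1], n)

    def slot(lo, hi):  # wildcard for the variable tokens preceding an invariant one
        return "" if hi == 0 else r"(?:\S+\s+)" + ("+" if lo > 0 else "*")

    parts = [r"^\s*", slot(*gaps[0]), re.escape(invariant[0])]
    for k in range(1, len(invariant)):
        parts.append(r"\s+" + slot(*gaps[k]) + re.escape(invariant[k]))
    lo, hi = gaps[-1]
    if hi:
        parts.append(r"(?:\s+\S+)" + ("+" if lo > 0 else "*"))
    parts.append(r"\s*$")
    return invariant, re.compile("".join(parts))

def is_campaign_message(regex, message):
    """Filter-side check: does a new message fit the reconstructed template?"""
    return regex.search(message) is not None

if __name__ == "__main__":
    invariant, rx = derive_template(SAMPLES)
    print("template:", " ".join(invariant))
    print(is_campaign_message(rx, "Dear Bob, your order #77777 is ready. Visit http://x.example/buy now"))
    # A reworded campaign no longer fits; the template has to be derived afresh.
    print(is_campaign_message(rx, "Hello Bob, order #5 ready, go http://x.example/buy"))
```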

I decided to review the Internet archives (i.e., Google) to see what other academic initiatives against spam have been shared. A May 2005 article (also in the New Scientist) discusses a community rating approach to identify spam. This has since been used with reasonable success by some anti-spam companies, but suffers from the same issue as the new approach, namely: “give us at least 10 minutes to deal with this spam outbreak”. As described above, 10 minutes is just too long.

Further academic initiatives that I found generally related to suggested improvements for other known techniques. These include better signature generation and use of more mathematically complex filters. One system uses analogies to the workings of the human immune system (“take 2 aspirin and your spam will just disappear”).

Regardless of the validity of these approaches, it’s great that academia continues to consider spam a topic worthy of research and we welcome the open discussions and brainstorming that are promoted by such initiatives.

While writing this it also occurred to me that there must be a sizeable group of “academics” working for the “other side” – let’s call them “spamademics”. Day and night the spamademics research ways to outwit the numerous technologies arrayed against them. Now that’s research I would love to see…


Q4 2009 Internet Threats Trend Report Released

January 13th, 2010 by Shara Grifenhagen | Category: Data & Research

During the fourth quarter of 2009, the Mal-Bredo A virus continued to circulate around the world for the second quarter in a row. Cybercriminals morphed its packaging from attachments that appeared to be from internationally known package delivery companies to attachments that appeared to be from Facebook, the popular social networking site.

Throughout the quarter, the number of Mal-Bredo A variants dropped to under 1000, while the number of actual outbreaks rose.

Blended threats, including fake Swine Flu alerts and Halloween tricks, continued to circulate, while spammers introduced a few new tricks including MP3 spam and personal enhancement spam targeting women.

Also during the quarter, spam levels averaged 77% of all email traffic, peaking at 98% in November and bottoming out at 68% at the end of December.

Read about these trends and more by downloading the Commtouch Q2 Internet Threats Trend Report.


SpamAssassin Y2K10 Bug Causes False Positives Worldwide

Open source leverages the creativity of thousands while it relies upon the management of a limited number of contributors to maintain and debug the software. While open source creates true positive results such as Linux, a glitch in the most famous free anti-spam software – SpamAssassin – resulted in false positives and the rejection of legitimate mail. SpamAssassin is widely used by xSPs, organizations, universities, and vendors integrating SpamAssassin into their detection engines.

Each rule within SpamAssassin’s engine searches for specific characteristics within an email and provides a score. The combined scores provide a spam probability rating.

Until the early afternoon of January 1, 2010, SpamAssassin faced a Y2K10 issue. A specific rule checked to see if a message was sent from the future, which could be an indicator of a compromised computer. The rule’s parameter stated that messages dated 2010 were “from the far future,” inappropriately giving an additional 3.2 points to each such message, significantly increasing the message’s combined score and thus raising the false positive ratio.

After reviewing the rule, I estimate that the false positive ratio generated by this bug could have topped 20% of the legitimate traffic. It might also “confuse” the Bayesian mechanism within SpamAssassin and eventually cause even more trouble.

Check out the image, which demonstrates the flow of the detection and the fix implemented by the code maintainers managing this open source project. The bug was reported in March 2008 and fixed in June 2009. However, the fix was pushed to the beta version of SpamAssassin and not to the stable (current) version everyone is using. Eventually, the contributors fixed the problem at noon on January 1, 2010, meaning 12 hours of false positives in Europe, Asia, and Africa, but fewer in North, Central, and South America.

SpamAssassin bug repair chain

Side note – the rule was changed to say that mail dated after 2020 receives the 3.2 points. Therefore, if administrators’ institutional memory does not carry through the next decade, SpamAssassin users will have a Y2K20 false positive issue as well.
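The side note is the point a practitioner should take away: a “from the future” rule with a hard-coded year is a time bomb, while one that compares the Date header against the receiving clock is not. The following added example (my own code, modelled loosely on the SpamAssassin rule FH_DATE_PAST_20XX; the 3.2 score is the figure given above, the headers are constructed) puts the two shapes side by side.

```python
import email.utils
from datetime import datetime, timedelta, timezone

FAR_FUTURE_SCORE = 3.2  # points the post reports the rule added to every hit

def parse_date(headers):
    """Date: header as an aware datetime (UTC assumed when no zone is given), else None."""
    raw = headers.get("Date")
    if not raw:
        return None
    try:
        dt = email.utils.parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # unparseable header: this rule does not fire
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def rule_hardcoded_year(headers, threshold_year):
    """Buggy shape: 'far future' means any year >= a constant baked into the rule file.
    Fires on all legitimate mail as soon as the calendar reaches threshold_year."""
    dt = parse_date(headers)
    return FAR_FUTURE_SCORE if dt is not None and dt.year >= threshold_year else 0.0

def rule_relative(headers, now, slack=timedelta(days=2)):
    """Clock-relative shape: 'far future' means later than the receiving clock plus
    some slack for skewed sender clocks. Needs no maintenance when the year rolls over."""
    dt = parse_date(headers)
    return FAR_FUTURE_SCORE if dt is not None and dt > now + slack else 0.0

def compare(headers, now, threshold_year):
    """Both scores for one message, e.g. to replay archived mail against a rule change."""
    return {
        "hardcoded": rule_hardcoded_year(headers, threshold_year),
        "relative": rule_relative(headers, now),
    }

if __name__ == "__main__":
    # Constructed headers: a legitimate message received on the morning of 1 Jan 2010.
    legit = {"Date": "Fri, 1 Jan 2010 09:15:00 +0000"}
    now = datetime(2010, 1, 1, 10, 0, tzinfo=timezone.utc)
    print(compare(legit, now, 2010))  # the hard-coded 2010 rule penalises it; the relative rule does not
    print(compare(legit, now, 2020))  # the 2020 "fix" is quiet today and repeats the bug in 2020
```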


World of Warcraft Targeted by Phishing Scheme

December 30th, 2009 by Shara Grifenhagen | Category: Miscellaneous

Typically, one associates phishing schemes with online banking passwords and related issues. Commtouch Labs recently reported on a brand new scheme involving the popular online role playing game, World of Warcraft (WoW). Apparently, once an account is hacked, there is money to be made by selling a user’s “gold,” equipment, and even the account itself. There are several different sites set up for WoW players to buy and sell their wares; a level 80 account, for example, can go for more than $170 US.

The attack includes an email with subjects like: World Of Warcraft-Account Instructions, World of Warcraft Account Management, World of Warcraft Account Trade Dispute Notice and of course, World of Warcraft – Account Password Change Notification.

The links within the emails all lead to mock log-in screens at various URLs that are similar to “wolrdofwarcraft,” but not quite. An example landing page is pictured below; entering ANY email and password in the fields redirects to the real WoW community site.

World of Warcraft Phishing Scheme landing page

Read more about this new phishing scheme on the ComputerWorld blog of Amir Lev, Commtouch president and CTO.


Happy Holidays and a Gift to the V Foundation

December 24th, 2009 by Shara Grifenhagen | Category: Commtouch Lore

In continuing with the tradition we began last year, Commtouch has made a donation to a charitable organization in the spirit of the holidays. With the help of Charity Navigator, we chose four 4-star organizations and asked our partners and friends to help choose the organization (or organizations) to which we would make our contribution. After tallying the votes, this year’s donation is going to The V Foundation for cancer research.

Since 1993, the V Foundation has raised more than $80 million and awarded cancer research grants in 38 states and the District of Columbia. Funds raised by The V Foundation have helped researchers develop their laboratories and take their science from the labs to the clinics.

According to their Web site, The V Foundation:

  • Awards 100% of all direct donations and net proceeds of events directly to cancer research and related programs
  • Received a 7th consecutive top 4-star rating from Charity Navigator, placing them in the top 2% of all charities evaluated
  • Has raised more than $90 million to fund cancer research
  • Has awarded grants to 92 institutions in 38 US states & DC

Commtouch Holiday Card

Commtouch wishes all of our partners and friends, and everyone around the world, a happy and healthy new year.


MP3 spam spreads holiday cheer

December 21st, 2009 by Shara Grifenhagen | Category: Spam Favorites

Commtouch Labs reported a recent attack involving MP3 messages. The email body and subject line were blank, as seen below, and each message had an MP3 attached to it. The MP3s are all very short and only about 16KB per message in order to trick traditional spam filters.

MP3 spam message

While the emails were all subject-less, the MP3s were creatively named. File names include: beauteously, unsecularise, sporicide, cookshack, teentsier, muftis, zoogeography and squishiness.

When played, the MP3s were all the same message…someone reciting a URL and a woman moaning in the background. It’s creatively packaged Viagra spam from our Canadian Pharmacy friends.

This attack is unique because it is not an image and it is not URLs embedded in a message. It isn’t any of the more traditional approaches to bypassing spam filters…the MP3 message could go completely undetected by traditional engines. Filters that rely on pattern detection recognized the outbreak and blocked the messages before they hit networks.

I checked out the link and found this:

Canadian Pharmacy Viagra MP3 spam

Guess they really want us to stock up on our “personal enhancement” needs before the holiday!


Webcast Provides Insight Into Web Security Threats in 2010

December 15th, 2009 by Eyal Orgil | Category: Commtouch Partners, Web Security

Webcast: Commtouch Security Alliance Web Security Threats in 2010


Commtouch Security Alliance partners Sunbelt Software, RSA, the Security Division of EMC, and Commtouch held an informative webcast this past Thursday discussing the latest in web security threats. The webcast, entitled “Stormy Web Ahead: A Forecast of Web Security Threats in 2010,” provided essential information needed to understand the web security threats that organizations and individuals face.

The speakers, Sean Brady of RSA, Chad Loeven of Sunbelt Labs and Asaf Greiner of Commtouch, each described the threats their organizations tracked in 2009. They then went on to provide a forecast for the types of web security threats each believes companies and individuals will face in 2010.

At the end of the webcast the three speakers took part in a live Q&A session. Viewers were asked to send in questions via e-mail and Twitter, with all responses provided over Twitter. Below is a log of the questions that the panel was asked along with their responses.

Question: What impact will Windows 7 Microsoft Security Essentials (free AV) have on the threat landscape?
Sunbelt: While Win7 is certainly the most secure OS yet from MS, no OS can completely protect from social engineering or vulnerabilities in the applications.

Question: Where is most of the fraud originating from these days?
RSA: While it looks like fraud comes from all over, most of the key drivers are still believed to be out of Eastern Europe.

Question: How do you know these zombies aren’t just a myth?
Commtouch: Commtouch has been monitoring zombies sending spam. We have a list of over 10 million at any given moment.

Question: What do you think fraudsters are going to do with Enterprise data?
RSA: Once they figure out how to turn it into cash – extortion, resale, stock manipulation – you’ll see them put it to use.

Question: Do you see Mac or mobile malware reaching a critical mass in 2010?
Sunbelt: Yes. In particular, with the mobile market continuing to increase the # of nodes, the growth in mobile payments, increased mobile bandwidth and the consolidation of smartphones around a few platforms, all the pieces are in place to present a compelling target for malware authors. Same for Mac. As its total user base grows, it’s new territory for the bad guys.

Question: What is the impact of 64-bit OSs and apps on the threat landscape?
Sunbelt: There’s currently virtually no 64-bit malware, but we can expect that to change.

Question: Do people actually fall for these scams?
Commtouch: Yes. Actually every once in a while people complain that we mark these attacks as malicious. They don’t get that it is a scam.

Question: Would web reputation solve these types of attacks?
Commtouch: Reputation is an important part, however many attacks are done via compromised and UGC sites.

Question: How do you three companies work together to prevent attacks?
Commtouch: Commtouch specializes in identifying attacks across the globe. Sunbelt and RSA are leading experts at analyzing attacks.

********

If you would like to watch the webcast, a recording is available for viewing on-demand.


Personal enhancement spam now targeting women

December 7th, 2009 by Shara Grifenhagen | Category: Spam Favorites

Commtouch Labs has seen a new trend in personal enhancement spam. Where in the past, these messages have been directed at men with subjects like Let your ‘gun’ be steel and The more inches you have the more times your lady will hit the point, this new variation is directed at women whose men have lost that spark.

The messages look like a personal letter between two friends, and most samples, like the one below, include a line announcing that the sender and her partner are about to get married after solving their problems.

Personal Enhancement spam targeting women

The body of the email is much more subtle than what is seen in typical enhancement emails. The email reads more like a confidential chat between two close girlfriends, and less like an advertisement for men. The language here is very shy and subtle, stating that “it’s so difficult to talk about these things…” The typical, more “manly” approach urges the recipient to “be a champion in bed,” etc.

Perhaps the spammers are banking on the fact that female consumers spend more than men. Trying a new angle, targeting the women who “suffer,” the spammers hope to make a larger profit.

Clicking on the link in the message leads to a landing page like this:

Exploited Yahoo! Profile Page

The spammers have exploited pages on profiles.yahoo.com, similar to exploitations we’ve seen with live.com and others. Using legitimate sites like Yahoo! and Live.com, the spammers hope to bypass traditional content-based spam filters. More advanced, content- and language-agnostic spam filters will prevent such messages from reaching inboxes.


Fake Swine Flu alert blended threat attack

Commtouch Labs has run across a brilliant blended threat campaign organized by a body pretending to be the Centers for Disease Control. The attack, originating from Chinese botnets, began on the morning (EST) of 1 December 2009 and is still going strong. By the time of this publication, the attack had been flagged as “massive” by Commtouch Labs.

The email looks like this:

CDC blended threat email

Note the “From” address ends in .gov; spoofing the address in this way makes the message appear to be from a government body. The .gov ending may trick some traditional spam filters as well as tricking the unknowing recipient of such a message. With everyone in a panic about Swine Flu lately, the message is definitely trying to hit a soft spot. Cyber criminals tend to use social engineering methods to distract us from the dangers that lie within the links and files.

The body of the message describes a Vaccination Profile program to lure readers to a site laden with malware. A recipient who clicked on “create personal profile” at the bottom of the email was directed to this link:

CDC link

Including cdc.gov in the URL is designed to trick users into thinking that CDC is the domain, but the actual domain name is included AFTER the .gov, as pictured above. We blurred out the actual domain here, but it comes immediately after the .gov in the address.

The questionable link led to a landing page that appeared legitimate at first sight, but after examining the code behind the page, it was determined that the malware distributors had added an iFrame of width “0” to the page. That iFrame leads to a PHP script which points to two additional iFrames – one built on a vulnerability in nested PDF viewers, and one built on PHP-served JavaScript code:

Swine Flu iFrame code

The PDF itself contains this obfuscated JavaScript code:

Swine Flu PDF malware Javascript code

In addition to the fact that Javascript inside a PDF is an interesting method of transport, the code is, as suspected, malicious.

The second file, sNode.php, also contains obfuscated code:

Swine Flu malware sNode script

This file is also malicious.

Unfortunately, online crooks will use any tactic they can think of to bypass spam and virus filters. Commtouch RPD technology is based on massive pattern analysis, and thus blocked this blended threat in most of our partner implementations. But for those who rely on traditional spam filtering, the outcome may not have been so sweet.

If an email slips into your inbox, be sure to check link domains – in their entirety – before clicking. Don’t assume that if you see a .gov in the middle that it’s actually from a legitimate source. If you are unsure about the origins of an email, try to verify the details before you fall victim to the next great malware scheme. And never click on links or download files from unverified sources.
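The advice to check link domains “in their entirety” can be automated at the mail gateway or in a user-facing link preview. The added example below (my own code, not Commtouch’s; the URLs are constructed in the shape of the blurred cdc.gov link above and of the “wolrdofwarcraft” lookalikes from the World of Warcraft post) classifies a link against the brand it claims, distinguishing a real subdomain from a brand name embedded before the true domain and from a typo-squat.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_under(host, domain):
    """True only when host is domain itself or a subdomain of it (label boundary)."""
    return host == domain or host.endswith("." + domain)

def levenshtein(a, b):
    """Edit distance, used to spot typo-squats such as wolrdofwarcraft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels; a real deployment would consult the Public Suffix List here."""
    return ".".join(host.split(".")[-2:])

def check_link(url, brand_domain, max_distance=2):
    """Classify a link against the brand it claims to belong to.

    trusted         host is brand_domain or a genuine subdomain of it
    brand-embedded  brand_domain appears as labels but the real domain follows it
    lookalike       registrable name is within max_distance edits of the brand's
    unrelated       none of the above
    """
    host = host_of(url)
    if not host:
        return "no-host"
    if is_under(host, brand_domain):
        return "trusted"
    if ("." + brand_domain + ".") in ("." + host + "."):
        return "brand-embedded"  # e.g. www.cdc.gov.<real-domain>: cdc.gov is not the owner
    mine, theirs = registrable(host).split(".")[0], brand_domain.split(".")[0]
    if levenshtein(mine, theirs) <= max_distance:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed URLs; the real hosts were blurred on the page.
    for url, brand in [
        ("http://www.cdc.gov/h1n1flu/", "cdc.gov"),
        ("http://www.cdc.gov.profile-update.example/vaccine/", "cdc.gov"),
        ("http://www.wolrdofwarcraft.example/login", "worldofwarcraft.com"),
    ]:
        print(url, "->", check_link(url, brand))
```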

For the REAL Centers for Disease Control and everything you ever wanted to know about Swine Flu, visit the official CDC Swine Flu information page.
