Identity Theft, Fraud & You – Your Public Profiles Make it Simple

March 7th, 2010 by Asaf Greiner | Category: Anti-scam, Miscellaneous

You’re proud of your achievements and accomplishments. You’re also proud of everything your family members have achieved.

While you have decided to share this information with friends, family, and acquaintances, you may also be sharing it with cybercriminals looking to steal your identity.

According to your family tree profile, Uncle Bob’s son, John, is your first cousin on your mother’s side. Under your own profile, you have entered the day, month, year, and place in which you were born.

Your photo on the site clearly identifies you standing next to your nephew. You have brown hair and blue eyes. Because your nephew is about 6 years old, it’s easy to estimate that you are average height.

By the way, congratulations on the new job. I see that you updated your LinkedIn profile. You have accepted a job at CNN and are moving to the Buckhead neighborhood of Atlanta.

Thanks to your very public display of achievements and accomplishments, I know your date and place of birth, your approximate height, your hair and eye colour, your mother’s maiden name (it is Uncle Bob’s surname, straight from the family tree), and your workplace, and I can rent a PO box in your neighborhood that is easy to verify as close to where you live.

Maybe I’ll order a credit card in your name, rent a car, and take a vacation. Good luck finding me. But it sure was easy to find you. Thanks!

Don’t forget, cybercriminals are intelligent professionals with specific ends in mind when they go trawling the internet for victims. Just as you would walking down a city street at 3 a.m., you need to practice situational awareness online.

While Commtouch technology protects you from incoming scams, you need to be vigilant against facilitating scams by over-broadcasting other aspects of your life.

Spammers have given up!

March 3rd, 2010 by Avi Turiel | Category: Email Security, Spam Favorites

No, not really – but a recent outbreak seems to use no technique at all to get recipients to click on a link to a malware-hosting site.  The emails (samples below) have no subject (other than RE: or FW:), no text telling you why you should click on the link, no hidden URLs behind on-screen hyperlinks and no images.  It would seem that the social engineering concept relies on curious users who will click on the link “because it’s there”.  Or maybe something went wrong in the mail merge when the attack was launched.

[Image: flash update emails]

The links lead to sites requiring “the latest version of Macromedia Flash Player”. Clicking on the download link or simply loading the page gets you free malware and an all-expenses-paid trip to the nearest botnet. Serves you right for not knowing that Macromedia was acquired by Adobe over four years ago. More generally, any page that insists you install a player or codec before it will show you anything should be treated as a malware drop, whatever brand name it borrows; genuine player updates come from the vendor’s own site or the software’s built-in updater, never from a link in an unsolicited email.

[Image: flash player update 2]
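A simple detector for the lure described above, added here as an example rather than anything from Commtouch or the original post: it flags a message whose subject is empty or consists only of RE:/FW: prefixes, whose only leaf part is text/plain (so no HTML hyperlinks and no images), and whose body, after dropping quoted lines, contains nothing but one or more URLs. The sample messages and the flash-update.example host are constructed; .example is a reserved name. On its own this heuristic would also catch a colleague forwarding a link without comment, so it belongs as one weighted feature alongside URL reputation, not as a standalone block rule.

```python
import re
from email import message_from_string
from email.policy import default

# Matches http(s) URLs and bare www. hosts in plain text.
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
# A subject that is empty or consists only of reply/forward prefixes ("RE:", "FW: RE:", ...).
EMPTY_SUBJECT_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)*$", re.IGNORECASE)


def extract_urls(text):
    """Return every URL-looking token in the text, in order of appearance."""
    return URL_RE.findall(text)


def own_text(msg):
    """Return the sender's own plain-text lines; quoted (>) lines and blank lines are dropped."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(">")]


def is_bare_link_lure(raw_message):
    """True when the message has no real subject, no rich content, and a body that is only URL(s)."""
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg.get("Subject", ""))
    if EMPTY_SUBJECT_RE.match(subject) is None:
        return False
    # "no hidden URLs behind hyperlinks and no images": any non-text/plain leaf part disqualifies
    leaf_types = {p.get_content_type() for p in msg.walk() if not p.is_multipart()}
    if leaf_types - {"text/plain"}:
        return False
    lines = own_text(msg)
    if not lines:
        return False
    joined = " ".join(lines)
    urls = extract_urls(joined)
    leftover = URL_RE.sub("", joined).strip()
    return bool(urls) and leftover == ""


# Constructed samples (not real captured mail); flash-update.example is a reserved name.
LURE = """From: someone@example.net
To: you@example.com
Subject: RE:
Content-Type: text/plain; charset=us-ascii

http://flash-update.example/player/install
"""

LURE_WITH_QUOTE = """From: someone@example.net
To: you@example.com
Subject: FW:
Content-Type: text/plain; charset=us-ascii

http://flash-update.example/player/install

> Thanks, see attached.
"""

LEGIT_REPLY = """From: colleague@example.com
To: you@example.com
Subject: RE: agenda for Thursday
Content-Type: text/plain; charset=us-ascii

Here is the agenda: http://intranet.example/agenda.doc
Shout if the link does not work.
"""

if __name__ == "__main__":
    for name, sample in [("LURE", LURE), ("LURE_WITH_QUOTE", LURE_WITH_QUOTE), ("LEGIT_REPLY", LEGIT_REPLY)]:
        print(f"{name}: bare-link lure = {is_bare_link_lure(sample)}")
```

The quoted-line stripping matters: a lure built by "forwarding" some harmless earlier thread still reduces to a lone URL once the quoted text is removed, while a genuine reply that says anything at all about the link is left alone.
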

Blogger phishing attack uses “improved” email template

February 24th, 2010 by Avi Turiel | Category: Email Security

The Commtouch detection center has confirmed that an email I received yesterday on one of my private accounts was part of a mass phishing attack aimed at Blogger (and Google) users.  In this case I suspected it was a phishing email before opening it since I received it via an email address that is not connected to my Blogger account (and not protected by Commtouch).  The email looks like this:

[Image: blogger phishing email]

The style of this email is interesting because it uses two techniques that effectively downplay the “phishy” nature of such a message:

1) The very bare text style is similar to the kind of email that a reputable service would actually use nowadays. Phishing-aware services such as PayPal, Facebook, and Blogger tend to use text-only emails with no links or images when contacting account owners, since spam engines may strip the links and images from a received message. This is a real message recently received from PayPal (no images, text only):

[Image: google email sample]

2) The link is “fully displayed”. Phishing-aware users have learnt to mouse over underlined text (“click here”) or bare domain names in order to see the full URL. The “exposed” complex URL in the phishing email above gives the impression that mousing over is unnecessary. It isn’t: the visible text of a link and its actual destination are independent, and the link naturally hides one of many URLs that look something like:

blogger.com.erdca.or.kr/update/VE.php?c=9883246018300591978521084101021546437&email=user@place.com&service=blogger

Clicking on the link brings up a reasonably well copied Blogger/Google password entry page. Unsuspecting users entering correct account data would compromise their Blogger or, more significantly, Gmail accounts. Note where the link really goes: the registrable domain is erdca.or.kr, “blogger.com” is just a pair of subdomain labels chosen to look familiar, and the email= parameter tells the attacker exactly which recipient clicked.

[Image: Blogger phishing fake real sites]

Any email asking you to update details by clicking on a link raises phishing suspicions, but this “simple” text email was well thought out. The attack was naturally detected by the Commtouch Detection Center, and users of products that incorporate Commtouch Anti-Spam and/or GlobalView URL Filtering were protected.

Stop Email Scammers During Scam Awareness Month

February 17th, 2010 by Avi Turiel | Category: Email Security, Miscellaneous

[Image: Scamnesty home page]

According to Ultrascan, scammers’ income increased from $6.3 billion in 2008 to $9.3 billion in 2009.

February is Scam Awareness Month – Scamnesty 2010 – under the auspices of the UK Office of Fair Trading. UK Consumers can forward their scam mail and SMSs, and even deliver old-fashioned paper letters to Scamnesty Bins located around the UK. For more information, visit http://www.consumerdirect.gov.uk/scamnesty/.

Scammers often disguise themselves as banks, social media sites, lotteries, and friendly people asking for your assistance to claim found money.  Consumer Direct also have a great summary of the different types of scams on their website.

Commtouch’s Recurrent Pattern Detection technology blocks spam outbreaks, including scam emails, before they ever get to user mailboxes. UK-based companies and hosting services not using Commtouch technology should actively forward received scam emails to Scamnesty. Those already enjoying the end results of Commtouch anti-spam and anti-malware protection can relax, knowing that they will not be funding the island villa of a successful cybercriminal.

Meet Commtouch at These Upcoming Events

February 16th, 2010 by Eyal Orgil | Category: Security Conferences

Over the next several months, Commtouch will be visiting and taking part in a number of industry conferences and exhibitions. If you’re interested in learning about Commtouch’s advanced web and messaging security technologies for the first time, or want to catch up and find out what’s new with our solutions, we’d like to invite you to meet with us.

Throughout 2010 we will be introducing a range of enhancements to our solutions designed to provide even greater web and messaging security for service providers and security & network vendors. Meeting up at one of these events would be a great opportunity to learn what we have planned and how Commtouch can add more value to your products and services.

So if you’re in the area, make sure to drop by and visit Commtouch at one of the following events:

  • MAAWG – February 16-18, San Francisco, CA
  • Parallels – February 22-24, Miami Beach, FL
  • RSA – March 1-5, San Francisco, CA
  • CeBIT – March 2-6, Hanover, Germany
  • WebHostingDay – March 17-19, Cologne, Germany

During RSA, Commtouch will be hosting its annual “In-the-Cloud” Happy Hour cocktail party on March 3rd. If you’re attending RSA, make sure to RSVP to happyhour@commtouch.com and drop by for a refreshing break after a long day.

To schedule a meeting with a Commtouch representative at one of these events, please respond to events@commtouch.com. We look forward to meeting with you.

Spammers: Looking to Save Money? Here’s how!

February 2nd, 2010 by Asaf Greiner | Category: Email Security

Next time you have some Viagra to sell or malware to spread, forget those passé, brute-force directory harvest attacks. You don’t have to generate email addresses from every alphanumeric combination or from “typical” names and address formats such as jane.smith@FORTUNE500COMPANY.com. And you especially don’t have to take days to deliver them slooowly and methodically so corporate servers don’t reject everything.

The cheaper, better, faster way to harvest directories is here! With services like LinkedIn or MeetUp, search engines like Google or Yahoo, and the hundreds of other social networking sites, you can assemble corporate directories faster, cheaper, and in a friendlier format.

Sites such as LinkedIn contain information about employees at almost every major company around the globe. In addition, these social networking site users make significant efforts to keep their profiles accurate. Sometimes, the sites are more up-to-date than a corporation’s own directories.

Spammers, you can access this up-to-date corporate directory information simply and easily.

Search engines such as Google crawl and index most data generally available on the web (unless asked not to, via robots.txt or a noindex directive), including social networking profiles. Try searching for yourself on Google – your LinkedIn profile will most likely appear in the top five.

With the right query, you can ask Google for a near-complete list of the employees of almost any company, built entirely from readily available social networking data.

Combine those names with the company’s address format (the jane.smith@company.com pattern above) and you have complete, up-to-date lists of email addresses that reach hundreds, thousands, even millions of people easily and accurately, significantly increasing your ROI. Try it today!

*Of course once you have the email list, you need to actually send out the spam.  At this point, Commtouch may disrupt your plans with our Recurrent Pattern Detection (RPD) technology which blocks spam and malware and enables safe browsing. No tips here for how to bypass RPD…

An academic approach to anti-spam

A recent article in the New Scientist entitled “To beat spam, turn its own weapons against it”, describes the work done by a team of academics to find a more effective way to filter spam.  The team, from ICSI Berkeley and UC San Diego, have come up with a way of analyzing the spam email messages sent by a ‘captured’ zombie PC.  After watching the zombie’s spam outpourings for about 10 minutes, they managed to reconstruct the underlying template used to create the numerous variations of a particular spam message. This allowed them to successfully instruct spam filters to watch out for messages that match the template.

Our CTO Amir Lev discussed the validity of the academics’ approach in his blog post where he writes, “I congratulate the team; in many ways, it’s similar to how our technology works. However, I’d like to suggest that the technique as described is going to be too simplistic for the real world. Ten minutes is far too long to derive the template: in ten minutes, a botnet can deliver millions of spam messages. The template can change quite frequently, too, rendering the work done to derive the template useless.

Spying on just one zombie at one location is a major limitation: you need a widely distributed system – millions of nodes all around the internet — in order to quickly capture sufficient breadth of data. And you need fast, automatic, efficient processing to collate all that information into spam signatures for filters to match against”.  Commtouch has an extensive network worldwide collecting these sorts of samples which are analyzed with our patented Recurrent Pattern Detection (RPD). With RPD we identify the template-driven features of any new spam campaigns in seconds, by examining billions of transactions from about a million different bots daily.
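To make the template idea concrete, here is an added example (my own illustration, not the Berkeley/UCSD system and not Commtouch’s RPD) that derives a template from a handful of constructed variants of one message and then matches new mail against it. The fixed tokens are the longest common subsequence of the variants’ token streams; everything else is treated as a variable slot that may hold anything. The variants, the name “Cheap Watches” and the shop*.example hosts are constructed. The re-worded sample in the demo shows Amir’s caveat: once the spammer changes the template, the derived signature stops matching until it is re-derived.

```python
from functools import reduce

# Constructed spam variants standing in for the output of one captured bot. The fixed
# wording is shared; the name, order number and landing URL are the template's variable slots.
CAPTURED_VARIANTS = [
    "Dear John, your order #48213 of Cheap Watches is ready. Visit http://shop1.example/x8 today!",
    "Dear Mary, your order #55901 of Cheap Watches is ready. Visit http://shop2.example/q3 today!",
    "Dear Alex, your order #10923 of Cheap Watches is ready. Visit http://shop3.example/zz today!",
]


def tokenize(message):
    """Whitespace tokens; punctuation stays attached so 'ready.' and 'ready,' differ."""
    return message.split()


def lcs(a, b):
    """Longest common subsequence of two token lists (classic dynamic programme)."""
    m, n = len(a), len(b)
    table = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m - 1, -1, -1):
        for j in range(n - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = table[i + 1][j + 1] + 1
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    out, i, j = [], 0, 0
    while i < m and j < n:
        if a[i] == b[j]:
            out.append(a[i])
            i += 1
            j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def derive_template(variants, min_fixed_tokens=6):
    """Fixed tokens shared, in order, by every variant; None if too few survive to be a safe signature."""
    skeleton = reduce(lcs, (tokenize(v) for v in variants))
    return skeleton if len(skeleton) >= min_fixed_tokens else None


def matches_template(template, message):
    """True if every fixed token appears in the message in template order; gaps may hold anything."""
    remaining = iter(tokenize(message))
    return all(token in remaining for token in template)


if __name__ == "__main__":
    template = derive_template(CAPTURED_VARIANTS)
    print("template:", " ... ".join(template))
    new_variant = "Dear Sam, your order #77777 of Cheap Watches is ready. Visit http://shop9.example/k1 today!"
    legit = "Hi team, the order of new watches for the office is ready, visit the front desk today."
    reworded = "Cheap Watches! Order #31337 is ready for Sam. Visit http://shop4.example/a1 today!"
    for label, msg in [("new variant", new_variant), ("legit", legit), ("re-worded campaign", reworded)]:
        print(f"{label}: {matches_template(template, msg)}")
```

The min_fixed_tokens floor is the safety valve: a template that collapses to two or three common words would match ordinary mail, so it is rejected rather than deployed. Matching is an ordered-subsequence test, which is cheap enough to run on every message once a template exists; deriving the template is the expensive step, which is exactly why the time taken to collect enough samples matters.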

I decided to review the Internet archives (i.e.: Google) to see what other academic initiatives against spam have been shared.  A May 2005 article (also in the New Scientist) discusses a community rating approach to identify spam.  This has since been used with reasonable success by some anti-spam companies, but suffers from the same issue as the new approach, namely: “give us at least 10 minutes to deal with this spam outbreak”.  As described above, 10 minutes is just too long.

Further academic initiatives that I found generally related to suggested improvements for other known techniques.  These include better signature generation and use of more mathematically complex filters.  One system uses analogies to the workings of the human immune system (“take 2 aspirin and your spam will just disappear”).

Regardless of the validity of these approaches, it’s great that academia continues to consider spam a topic worthy of research and we welcome the open discussions and brainstorming that are promoted by such initiatives.

While writing this it also occurred to me that there must be a sizeable group of “academics” working for the “other side” – let’s call them “spamademics”.  Day and night the spamademics research ways to outwit the numerous technologies arrayed against them.  Now that’s research I would love to see…

Q4 2009 Internet Threats Trend Report Released

January 13th, 2010 by Shara Grifenhagen | Category: Data & Research

During the fourth quarter of 2009, the Mal-Bredo A virus continued to circulate the world for the second quarter in a row. Cybercriminals morphed its packaging from attachments that appeared to be from internationally known package delivery companies to attachments that appeared to be from Facebook, the popular social networking site.

Throughout the quarter, the number of Mal-Bredo A variants dropped to under 1000, while the number of actual outbreaks rose.

Blended threats, including fake Swine Flu alerts and Halloween tricks, continued to circulate, while spammers introduced a few new tricks including MP3 spam and personal enhancement spam targeting women.

Also during the quarter, spam levels averaged 77% of all email traffic, peaking at 98% in November and bottoming out at 68% at the end of December.

Read about these trends and more by downloading the Commtouch Q4 2009 Internet Threats Trend Report.

SpamAssassin Y2K10 Bug Causes False Positives Worldwide

January 5th, 2010 by Gabriel M. Mizrahi | Category: Data & Research, Email Security

Open source leverages the creativity of thousands while relying on a limited number of contributors to maintain and debug the software. While open source produces genuine successes such as Linux, a glitch in the most famous free anti-spam engine – SpamAssassin – resulted in false positives and the rejection of legitimate mail. SpamAssassin is widely used by xSPs, organizations, universities, and vendors who integrate it into their detection engines.

Each rule within SpamAssassin’s engine searches for specific characteristics within an email and provides a score. The combined scores provide a spam probability rating.

Until the early afternoon of January 1, 2010, SpamAssassin faced a Y2K10 issue. A specific rule checked whether a message was dated in the future, which can be an indicator of a compromised computer. The rule’s hard-coded year range treated any message dated 2010 or later as “from the far future,” so from the first second of 2010 it inappropriately added 3.2 points to every message, significantly increasing the combined score and thus raising the false positive ratio.

After reviewing the rule, I estimate that the false positive ratio generated by this bug could have topped 20% of the legitimate traffic. It might also “confuse” the Bayesian mechanism within SpamAssassin and eventually cause even more trouble.

The image below shows the flow of the detection and the fix implemented by the code maintainers of this open source project. The bug was reported in March 2008 and fixed in June 2009. However, the fix went into the beta version of SpamAssassin and not into the stable (current) version everyone is using. Eventually, the contributors fixed the problem at noon on January 1, 2010, meaning 12 hours of false positives in Europe, Asia, and Africa, but fewer misclassified messages in North, Central, and South America.

[Image: SpamAssassin bug repair chain]

Side note – the rule was changed so that mail dated 2020 or later receives the 3.2 points. Therefore, unless administrators’ institutional memory carries through the next decade, SpamAssassin users will face a Y2K20 false positive issue as well. The durable fix is to compare the Date header against the receiving server’s clock rather than against a hard-coded year.
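The difference between the two kinds of fix is easy to show in code. The following is an added example, not SpamAssassin’s rule text and not Commtouch code: the two regexes reconstruct the behaviour the post describes (a hard-coded year range applied to the Date header, before and after the January 2010 change), and score_by_clock is the durable alternative, comparing the parsed Date with the receiving server’s clock plus a tolerance for skew. The Date headers and reference clocks are constructed, and the 3.2-point score is the figure given in the post.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SCORE = 3.2  # points the post says the rule added

# Reconstruction of the rule's behaviour as the post describes it, not SpamAssassin's rule text:
# a fixed year range in a regex applied to the Date header.
FAR_FUTURE_2010 = re.compile(r"\b20[1-9][0-9]\b")   # pre-fix: 2010..2099 counted as "far future"
FAR_FUTURE_2020 = re.compile(r"\b20[2-9][0-9]\b")   # the January 2010 fix: 2020..2099


def score_by_year_regex(date_header, pattern):
    """The fragile approach: any four-digit year in the range fires, whatever today's date is."""
    return SCORE if pattern.search(date_header) else 0.0


def score_by_clock(date_header, now, tolerance=timedelta(hours=24)):
    """The durable approach: compare the parsed Date against the receiving server's clock."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return 0.0  # unparseable Date headers are a separate rule's concern
    if sent.tzinfo is None:          # a "-0000" zone yields a naive datetime; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return SCORE if sent - now > tolerance else 0.0


# Constructed Date headers spanning the two cut-over points, and two constructed reference clocks.
DATES = {
    "2009": "Thu, 31 Dec 2009 23:59:00 +0000",
    "2010": "Fri, 01 Jan 2010 08:00:00 +0000",
    "2021": "Mon, 04 Jan 2021 09:00:00 +0000",
}
NEW_YEAR_2010 = datetime(2010, 1, 1, 12, 0, tzinfo=timezone.utc)
EARLY_2021 = datetime(2021, 1, 5, 0, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    print("year   pre-fix  post-fix  clock-based(2010-01-01)")
    for label, header in DATES.items():
        print(f"{label}   {score_by_year_regex(header, FAR_FUTURE_2010):<8} "
              f"{score_by_year_regex(header, FAR_FUTURE_2020):<9} "
              f"{score_by_clock(header, NEW_YEAR_2010)}")
```

Run against a 2010 Date the pre-fix pattern scores every message, the post-fix pattern is quiet, and the post-fix pattern scores every message again from 2020 on; the clock comparison scores only a Date that is genuinely ahead of the server, and it needs no maintenance when the calendar turns. The 24-hour tolerance is a deliberate choice: sender clocks and time zones are routinely a few hours off, and a rule that fires on those would reintroduce false positives by another route.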

World of Warcraft Targeted by Phishing Scheme

December 30th, 2009 by Shara Grifenhagen | Category: Miscellaneous

Typically, one associates phishing schemes with online banking passwords and related issues. Commtouch Labs recently reported on a brand new scheme involving the popular online role playing game, World of Warcraft (WoW). Once an account is compromised, there is money to be made by selling the user’s “gold,” equipment, and even the account itself. Several sites exist for WoW players to buy and sell their wares; a level 80 character, for example, can go for more than US$170.

The attack includes an email with subjects like: World Of Warcraft-Account Instructions, World of Warcraft Account Management, World of Warcraft Account Trade Dispute Notice and of course, World of Warcraft – Account Password Change Notification.

The links within the emails all lead to mock log-in screens at various URLs that are similar to “wolrdofwarcraft,” but not quite. An example landing page is pictured below; entering ANY email and password in the fields redirects to the real WoW community site, so the victim has little reason to suspect that the credentials were just captured.

[Image: World of Warcraft Phishing Scheme landing page]

Read more about this new phishing scheme on the ComputerWorld blog of Amir Lev, Commtouch president and CTO.
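Both this post and the Blogger phishing post above turn on how a link’s hostname is read. The following added example (my own, not Commtouch’s or Blizzard’s code) takes a URL and reports three indicators: a protected brand used as a subdomain label, as in blogger.com.erdca.or.kr where the registrable domain is really erdca.or.kr; a registrable domain within one or two edits of a brand, with transpositions such as “wolrd” for “world” counted as a single edit; and query parameters that carry the recipient’s identity, such as the email= value in the Blogger link. The suffix list, brand list and identity parameter names are abbreviated assumptions for the example, and real code should load the Public Suffix List; the wolrdofwarcraft.example host is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Abbreviated suffix list constructed for this example. Production code should load the full
# Public Suffix List (publicsuffix.org); "or.kr" is included so the Korean host from the
# Blogger post resolves to the right registrable domain. ".example" is a reserved TLD.
PUBLIC_SUFFIXES = {"com", "net", "org", "kr", "or.kr", "co.kr", "uk", "co.uk", "de", "example"}

# Brands we want to protect (assumed list for the example).
BRANDS = {"blogger.com", "google.com", "gmail.com", "paypal.com", "worldofwarcraft.com", "battle.net"}

# Query parameters that commonly carry the victim's identity in phishing links (assumed list).
IDENTITY_PARAMS = {"email", "user", "username", "login", "account"}


def registrable_domain(host):
    """Return the registrable domain (one label above the longest matching public suffix), or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # unknown suffix


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance; an adjacent transposition costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def analyze_url(url):
    """Return the URL's host, its registrable domain and a list of phishing indicators."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    regdom = registrable_domain(host)
    findings = []
    if regdom in BRANDS:                       # genuinely the brand's own domain
        return {"host": host, "registrable_domain": regdom, "findings": findings}

    # 1. Brand name used as a subdomain label ("blogger.com.<attacker-domain>").
    if regdom is None:
        prefix = host
    elif host == regdom:
        prefix = ""
    else:
        prefix = host[: -len(regdom) - 1]
    prefix_labels = prefix.split(".") if prefix else []
    for brand in sorted(BRANDS):
        if brand in prefix or brand.split(".")[0] in prefix_labels:
            findings.append(f"brand '{brand}' appears as a subdomain of '{regdom}'")

    # 2. Registrable domain is a close misspelling of a brand, or the brand under another suffix.
    if regdom:
        sld = regdom.split(".")[0]
        for brand in sorted(BRANDS):
            brand_sld = brand.split(".")[0]
            dist = osa_distance(sld, brand_sld)
            if dist == 0:
                findings.append(f"brand name '{brand_sld}' registered under a different suffix: '{regdom}'")
            elif dist <= 2 and len(brand_sld) >= 5:
                findings.append(f"'{regdom}' is {dist} edit(s) away from '{brand}'")

    # 3. The recipient's identity embedded in the query string (the email= parameter in the Blogger URL).
    for key in parse_qs(parts.query):
        if key.lower() in IDENTITY_PARAMS:
            findings.append(f"query parameter '{key}' carries the recipient's identity")

    return {"host": host, "registrable_domain": regdom, "findings": findings}


if __name__ == "__main__":
    for sample in [
        "blogger.com.erdca.or.kr/update/VE.php?c=9883246018300591978521084101021546437&email=user@place.com&service=blogger",
        "http://wolrdofwarcraft.example/login",
        "https://www.blogger.com/home",
    ]:
        result = analyze_url(sample)
        print(result["host"], "->", result["registrable_domain"], result["findings"] or "no indicators")
```

The registrable-domain step is the one users skip when they read a URL left to right; the code reads it right to left from the public suffix, which is the only direction that tells you who actually controls the host. The length floor on the edit-distance check keeps very short brand labels from matching unrelated five-letter words.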
