Web Security monitoring tools…Coming to an iFrame near you

Last January we released a new Web security service – Commtouch GlobalView URL Filtering SDK. This innovative solution leverages our many years of messaging security and OEM partnership experience, plus unique Data Cloud architecture, to provide highly accurate, secure protection against growing Web threats while enabling safe, compliant browsing. The service utilizes a combination of eight security categories such as “compromised sites,” “phishing and fraud,” and “botnets,” to proactively defend against various Web-based threats before users’ first clicks.

The threats within the Internet landscape may be growing, but our ability to monitor new threats and outbreaks provides a significant advantage to our partners and the end user. As our Chief Technology Officer Amir Lev recently said, at Commtouch, the GlobalView™ concept is more than just a brand name — it is our philosophy of examining what is happening around the world, then extracting and synthesizing valuable data in order to provide advanced security tools.

The data we have gathered enables us to build useful tools for monitoring malware outbreaks plus spam and zombie/botnet trends. We have taken all these tools and developed a new Online Security Center that also features a real-time outbreak monitor that dynamically displays outbreaks and their geographic origins.

I want to talk about two new graphs covering our web security offering.

Web Categories Infected with Malware

The explosive increase in Internet use has brought with it new threats for both home and business. Attackers are finding increasingly sophisticated ways to utilize the Web for their activities, such as infecting Web sites with malware – both legitimate Web sites and less reputable sites (e.g. those hosting pornography). Gartner, the industry analyst firm, pointed out that in the first quarter of 2008, more than 50 percent of infected sites were, in fact, legitimate ones that had been silently manipulated by attackers — an alarming statistic that shows how important it is to have highly accurate solutions to identify and block access to malicious web sites.

This pie chart shows the distribution of malware-infected Web pages across non-security categories. In order to better understand how the malware is distributed across the Web, we looked at all the malware Web pages in our data centers and checked to see what other categories they fall into – I like to think of these categories as “malware hot spots.” This graph provides a sense of which content is more likely to become the target of a malware attack, and is constantly updated since we know that threats are trend-oriented and can shift from one category to another depending on trends found within the Internet ecosystem.

[Image: malware pie chart]

Web Categories Manipulated by Phishing

Similar to the malware pie chart, this graph shows how phishing scams are distributed across Web pages in non-security categories. As I see it, analyzing this graph provides insights about the impacts of social engineering. Since attackers are usually financially motivated, it only makes sense to assume that they hope to maximize their attacks, and so the higher ranked categories in the graph have a higher ROS (Return on Scam) or their scams are more profitable.

[Image: phishing pie chart]

However you interpret the data, these tools are just one of the many and growing number of tools that we provide to our partners and the entire security community as part of our GlobalView security offerings.

Check them out for yourself! The new Web Security Lab can be found in our Online Security Center. Want these graphs to appear on YOUR Web site? E-mail bizdev@commtouch.com to find out how.


Greetings from RSA in San Francisco!

Members of the Commtouch team will be at RSA in San Francisco this week to join in the dialogue about information security. Are you attending? We’re always looking to meet people who have an interest in messaging and Web security. So stop by our partners’ booths on the show floor, come see us at our hospitality suites, or contact your Commtouch account representative to schedule some time with a member of our executive team.

[Image: RSA conference graphic]


The UN has a habit of handing out free cash…really…trust me…

April 19th, 2009 by Shara Grifenhagen | Category: Spam Favorites | 2 Comments »

We’re all familiar with those 419 schemes - you get an email claiming that you’ve won $2,000,000 or that someone found a bank account that belonged to your uncle’s cousin’s step-sister’s nephew’s niece and that you are listed as the beneficiary. All you have to do to claim the money is send your bank account information and all kinds of personal information to some guy in Nigeria and he’ll be sure to wire the money directly to your account. There are, in fact, people who still fall for that.

We recently came across a spam sample that takes those old 419 schemes to a new level. As seen in the example below, the email appears to have been sent from the United Nations.

It states:

This message is to all the people that have been scammed in any part of the world, the United Nations have agreed to compensate them with the sum of US$500,000. This includes every foreign contractors that may not have received their contract sum, and people that have had an unfinished transaction or international businesses that failed due to Government problems etc.

They claim to have a database of victims’ names and instruct the recipient to contact some guy named Jim, located in (you guessed it) Nigeria. Ole Jim has $50,000 for each person that contacts him with bank account information. It’s like a scheme to scheme the schemed.

My favorite part of the email is the closing: “Making the world a better place.” Gee thanks, Jim…I’ll be sure to call you with all of MY bank account information…you’ve made the world a much better place and now it’s so easy for me to claim my money!

Those guys think of everything, don’t they? They should think about checking the spelling and grammar before sending these emails out. I mean, I would HOPE the United Nations would be able to construct sentences with proper English, right?

[Image: the United Nations spam e-mail]


Q1 Internet Threats Trend Report Released

The major news of the first quarter was the rapid propagation of the Conficker worm. Research indicates its three variations have infected more than 15 million computers, weaving a massive zombie botnet, since appearing on the scene in November 2008. The botnet lay dormant for weeks, leaving computer users nervous and vulnerable; and only in the last days leading up to the publication of our report did it begin to be activated for malicious purposes.

Throughout the quarter, spammers and malware distributors continued to exploit legitimate sites to bypass traditional content filtering technologies. Recent tactics include the targeting of ISPs and the borrowing of images from legitimate, well-known hosts to use in e-mail messages.

Another growing trend is the use of social networking sites (e.g. Facebook, Twitter) for phishing schemes. By pulling on the heartstrings of networks of friends, unknowing users have fallen victim to money-making and password-stealing schemes.

Read about these trends and more by downloading the Commtouch Q1 Internet Threats Trend Report.


OEM Best Practices: Choosing a Technology Provider

March 23rd, 2009 by Amir Harel | Category: Commtouch Partners, Miscellaneous | 1 Comment »

OEM partnerships (or embedded technology partnerships) have been an important part of the software industry since its inception. In this model a company embeds technology from a technology provider in order to improve its existing product or service. In the competitive world of messaging and Web security, more and more companies are acquiring technology by forming OEM partnerships in order to embed subject expertise into their products, since this allows them to focus on their core business while securing best-of-breed technologies for their clients.

Selecting and evaluating a technology to embed is a strategic decision. While it is important to examine a technology in terms of its performance and how it fits into existing infrastructure, it is equally important to evaluate the company behind the technology and properly assess the business match between technology provider and potential partner in terms of finances, support, engineering and marketing.

Commtouch has been providing security technology in an OEM business model for nearly a decade and today powers the solutions of more than 100 partners around the world. Over the years we have gained tremendous expertise not only in developing award-winning technology, but also in developing a proven business infrastructure that successfully supports our partners along the way.

I wanted to share with you a few insights gathered over the years about how to evaluate a technology provider.

Business Model

Understanding a technology provider’s business model enables the potential partner to determine the provider’s commitment level to meeting its needs.

  • Clear Focus – Companies that focus exclusively on selling their technology via embedded technology partnerships avoid commercial conflicts with their partners. A technology provider that employs a multi-channel go-to-market strategy (direct, channel-based) may eventually compete directly with its partners. This can affect communication between the companies, and may jeopardize business success.
  • Core Strategy – Pursuing an OEM strategy appeals to many companies due to the inherently lower costs of marketing, sales, support and operations. Companies that approach this tactically can change their business model whenever they are presented with additional opportunities. Companies that approach the OEM model as a core strategy typically focus on growing their partner portfolio rather than finding alternative go-to-market strategies to expand the business. The roadmap of such companies is guided mainly by the requirements and focus of their partners.
  • Flexible Commercial Models – Technology providers need to support varying commercial models that map to partners’ diversified needs.

Financial Standing

The way a business is funded and its past financial records are indicators of its ability to execute and operate in the future. Recent worldwide economic developments further underscore the importance of selecting a financially sound technology provider that demonstrates longevity and growth.

  • Financial Stability – A company that is not well-funded poses a real threat to the success of its partners. Moreover, start-up and venture capital-backed companies perform under pressure to bring the highest return on investment, a pressure that can cause shifts from one business model to another. It is common for these companies to be bought by bigger and better funded companies, as seen many times in the security industry. Typically the buyers are uninterested in continuing to support the OEM business model, leaving their partners to seek alternatives.
  • Profitability – An older company that has never reached profitability may not always make sound business decisions, and a well-funded startup company that has not yet achieved profitability has not yet validated its ability to succeed. For a technology provider to be solid and reliable for a long-term partnership, it is not enough to be funded; it must be profitable as well.
  • Transparency – In order to truly assess stability and profitability and to increase confidence, clearly documented financial statements with full disclosure are required.

Market Positioning

  • Proven Experience – The ability to provide high quality technology wrapped in a supportive business infrastructure for long periods of time reduces risk factors and increases confidence levels.
  • Market Recognition – Awards and recognition by industry experts together with existing partner references can provide a clear image of the technology provider’s record of success.

Support

  • Structured for success – The provider’s support personnel and processes must accommodate its partners’ unique requirements, with in-depth knowledge of partner products, built-in feedback processes, streamlined escalation and full integration and operational support.
  • Engineering and technology support – Full, on-demand engineering support ensures a smooth transition, seamless integration and ease of use.

There are other important aspects of this subject, such as the technology infrastructure and marketing activities that support the OEM model, but I think this should give you a clear picture of what needs to be considered in such a process, besides the actual product/service that is being evaluated.

I wrote the following questions in order to give you a short summary of the most important questions you might want to answer when you evaluate a new technology provider:

Summary Questions

Business Model

  • Is the embedded technology model the company’s core business?
  • Does the provider have offerings that compete with yours?
  • Do the provider’s commercial terms match your needs?

Financial Standing

  • Is the provider profitable and financially stable?
  • Is it a public company or a startup?

Market Position

  • Is there a track record of success? How does the industry value the company?

Technology

  • Does the provider’s technology match your potential future integration needs?
  • How easily can it be integrated into your current offerings?

Marketing

  • How will the provider support your sales and marketing activities?

Support

  • Does the provider have the required infrastructure to provide the highest level of support?

IRS Phishing Schemes…just in time for tax season

As tax season approaches, the number of IRS and tax-related spam and phishing outbreaks is rising. As seen below, the latest outbreak is a very official looking email, complete with an @irs.gov email address and IRS logo across the top. They even remembered to add a copyright at the bottom.

[Image: IRS phishing e-mail]

Anyone would be excited to receive an email promising a tax refund of any kind. Who doesn’t want free money from the government!? In this case, unknowing recipients follow the link in the email and find themselves on a page set up by cyber criminals to look identical to the actual IRS Web site. Recipients are prompted to fill out a form providing various bits of personal identifying information like social security number, address and even ATM card number and its PIN. Once submitted, the sneaky cyber criminals have direct access to the victims’ financial accounts.

The IRS is aware of these schemes and has set up this informational page for people who feel they have been targeted. The first point they highlight on the page? That the IRS will not use email to initiate communications with tax payers.

According to the site:

The IRS does not request detailed personal information through e-mail.
The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

If you receive any “phishy” emails like the one pictured above, report it immediately to the IRS by forwarding it to phishing@irs.gov.


Italian credit card company targeted in new phishing scheme

February 24th, 2009 by Shara Grifenhagen | Category: Spam Favorites, Web Security | 1 Comment »

We’ve examined spam and phishing attacks in non-English languages before, and it appears that Italians aren’t safe from these schemes either. A recent phishing scheme has surfaced with a nearly immaculate Web site duplication. CartaSi, a well-known Italian credit card company, is the latest target.

[Image: CartaSi phishing e-mail]

The circulating email (seen above) alerts CartaSi customers that their account statements are available online and encourages users to log in to “view it, print it and save it to your personal files on your PC.” The link is written out as a CartaSi URL, but when a user clicks it, the page is redirected to a page hosted on ns1.druti.net, which has been found to be a “Reported Web Forgery.” Unknowing users are tricked into supplying their account information to the cyber-criminals, who can then use the information to gain access to financial statements. These criminals have an eye for detail, as the fake landing page is actually a near perfect replica of the legitimate CartaSi Web site, as seen below.
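The trick described above, a link whose visible text is one site's URL while its href points elsewhere, is easy to check for mechanically. The following is an added example, not Commtouch's code or anything from the original post: it parses a constructed HTML e-mail (the bank domain `cartasi.example` and the landing host `phish-landing.example` are stand-ins, not real addresses) and reports anchors whose displayed host differs from the host the link actually goes to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the style of the CartaSi e-mail; hosts are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Gentile cliente, il suo estratto conto e' disponibile online.</p>
<p><a href="http://phish-landing.example/cartasi/login">https://www.cartasi.example/estratto-conto</a></p>
<p>Per assistenza: <a href="https://www.cartasi.example/assistenza">www.cartasi.example/assistenza</a></p>
<p><a href="http://phish-landing.example/unsubscribe">clicca qui</a></p>
</body></html>"""

# Visible text that a reader would take for a URL: optional scheme, a dotted host, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host of a URL or URL-like string with a leading 'www.' dropped; '' if none.
    A production check would compare registrable domains via the public suffix list."""
    s = text.strip()
    if not s:
        return ""
    if "://" not in s:
        s = "http://" + s
    host = (urlsplit(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html):
    """Return (visible text, real host) for anchors whose text is a URL on one host
    but whose href leads to a different host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not URL_LIKE.match(text):
            continue  # plain wording like "clicca qui" is not a displayed URL
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append((text, actual))
    return findings


if __name__ == "__main__":
    for shown_text, real_host in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link shown as {shown_text!r} really goes to {real_host}")
```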

The forged site:

[Image: forged CartaSi site]

And the legitimate CartaSi site:

[Image: legitimate CartaSi site]

It seems phishing schemes are getting quite elaborate, and cyber-criminals are taking more time to develop really convincing fake sites to trick unassuming users.


Facebook friend or foe? New phishing schemes target social networks

February 8th, 2009 by Shara Grifenhagen | Category: Web Security | 4 Comments »

[Image: Facebook logo]

Back in early 2008, TechCrunch reported about a Facebook phishing scheme where some users received wall posts proclaiming that funny or scandalous pictures had surfaced. When a user clicked on the link, he or she was redirected to what looked like the Facebook login page, but which actually was an imposter site that collected usernames and passwords of unknowing users.

The newest occurrence is a bit more confusing and a bit more dangerous. As reported on CNN and MSN, some users have received what appear to be desperate messages from their “friends” who have found themselves in a financial bind. These messages have arrived either as direct messages to a user’s inbox or as an updated status on the victim’s profile proclaiming that the person urgently needs help.

The messages are actually part of a new 419 scheme where cyber criminals try to steal money by pulling on heartstrings and testing the loyalty of friends. CNN reported about Bryan Rutberg whose status update was mysteriously changed by hackers to an urgent plea for help.

His online friends saw the message and came to his aid. Some posted concerned messages on his public profile — “What’s happening????? What do you need?” one wrote. Another friend, Beny Rubinstein, got a direct message saying Rutberg had been robbed at gunpoint in London and needed money to get back to the United States.

So, trying to be a good friend, Rubinstein wired $1,143 to London in two installments, according to police in Bellevue, Washington.

Facebook has set up an online reporting system for victims who have either received or sent these kinds of messages and warns users to use caution when dealing with requests for money or personal information.

[Image: Facebook 419 message]

If you receive a message from one of your “friends” requesting money, my personal advice would be to call them and check it out. You may find that they’re actually sitting at their desk at work, drinking coffee and completely unaware of their plea for help.

On the same note, I feel like if I was robbed at gunpoint in London, I’m not sure I would send a message to anyone via Facebook. I would most likely call my parents or my friends and talk to them directly…


MailChannels and Commtouch to Bring Premium Spam Filtering to Parallels Plesk Panel

February 3rd, 2009 by Rebecca Herson | Category: Commtouch Partners | Leave a comment »

MailChannels integrates email traffic shaping with Commtouch filtering technology to create a powerful new anti-spam solution for the hosting industry. View the full release.


This site may harm your computer…or not…

February 2nd, 2009 by Shara Grifenhagen | Category: Web Security | 4 Comments »

It happens to the best of us, really. I’m not sure I ever really think about how humans are involved in the great processes that go into bringing me my Google search results, but over the weekend, this human intervention became obvious. Anyone who used Google between 6:30 a.m. and 7:25 a.m. (Pacific Standard Time) on Saturday received “This site may harm your computer” for every query; both CNET and TechCrunch give detailed time lines of the situation.

According to the official Google blog, the problem was caused by human error and the company worked as quickly as they could to reverse the issue once it had been discovered. Google works closely with StopBadware.org to establish criteria for maintaining a list of possibly malicious sites in order to protect Google users from malware or other online threats. In this case, a little human error caused every indexed site to be categorized as malicious.

In their blog, Google documents the incident as such:

Unfortunately (and here’s the human error), the URL of ‘/’ was mistakenly checked in as a value to the file and ‘/’ expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.
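The failure Google describes, a bare "/" entry in a prefix-matched URL list that therefore matches every page, is worth seeing in code. The following is an added example and not Google's or StopBadware's implementation: it models a simple prefix-matching badware list, reproduces the "/" incident against a constructed set of known-good canary URLs, and shows the pre-push checks (entries must name a host; the list must not flag any canary) that would have stopped the bad file from going out. The list format, the canary set and the check itself are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed canary URLs: pages that must never be flagged by a sane list.
KNOWN_GOOD = [
    "http://www.example.com/",
    "https://mail.example.org/inbox",
    "http://news.example.net/2009/02/01",
]


def parse_entry(entry):
    """Split a list entry (or a URL) into (host, path-prefix).
    A bare path such as '/' has an empty host."""
    parts = urlsplit(entry if "://" in entry else "http://" + entry)
    return parts.netloc.lower(), (parts.path or "/")


def matches(url, entry):
    """Prefix matching: the entry's host (when present) must equal the URL's host,
    and the entry's path must be a prefix of the URL's path."""
    host, path = parse_entry(url)
    e_host, e_path = parse_entry(entry)
    if e_host and e_host != host:
        return False
    return path.startswith(e_path)


def is_flagged(url, entries):
    """True if any list entry matches the URL (the 'may harm your computer' decision)."""
    return any(matches(url, e) for e in entries)


class BadListEntry(ValueError):
    """Raised when a list version must not be pushed to production."""


def validate_list(entries, canaries=KNOWN_GOOD):
    """Pre-push checks (assumed here, not Google's actual process):
    every entry must name a host, since a host-less path like '/' is a prefix of
    every URL's path, and the finished list must not flag any known-good canary."""
    for e in entries:
        host, _ = parse_entry(e)
        if not host:
            raise BadListEntry(f"entry {e!r} names no host and would match every site")
    hits = [u for u in canaries if is_flagged(u, entries)]
    if hits:
        raise BadListEntry(f"list flags known-good URLs: {hits}")
    return True


if __name__ == "__main__":
    good_list = ["evil.example/", "hacked.example/downloads/"]
    bad_list = good_list + ["/"]  # the mistaken root entry from the incident
    print("good list flags canaries:", [is_flagged(u, good_list) for u in KNOWN_GOOD])
    print("bad list flags canaries: ", [is_flagged(u, bad_list) for u in KNOWN_GOOD])
    try:
        validate_list(bad_list)
    except BadListEntry as err:
        print("push refused:", err)
```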

Everyday Internet browsers tend to need a little guidance to keep their computers and networks safe…they need a third party in there to warn them if a site is potentially malicious. In this case it was Google, so you know whatever they said, people were going to believe. I think they know that too…they know that if everything they serve up is labeled as “badware,” people will believe them for a little while. If the situation gets out of hand though, as it did on Saturday, people may just begin to ignore those warnings. There’s a fine line to tread there…

It’s good to know Google is looking out for its users. It’s good to know they have automatic algorithms that are manually checked to ensure our computers are safe. Kind of like checks and balances, right? Humans developed computers to help automate processes…but the humans still go back to make sure the computers are working properly.

Not to toot our own horn (ok maybe we’ll toot it just a little)…Commtouch’s newly announced GlobalView URL Filtering product is a way for security vendors and service providers to keep their users’ computers and networks safe. By leveraging a unique Data Cloud infrastructure, GlobalView URLF overcomes the limitations of previous generations’ solutions and provides highly relevant Web coverage with uncompromising accuracy and zero-hour security. GlobalView features 64 categories – 8 of which are security related – a language- and content-agnostic system, a database containing hundreds of millions of the most relevant URLs and an auto-adjusting cache.

Find out more about modern Web security measures with GlobalView URLF on our Web site, or download our white paper, Defending Against Modern Web Threats: Introducing Data Cloud URL Filtering.
