<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rossander's Security Reader &#187; spam</title>
	<atom:link href="http://rossander.org/infosec/category/spam/feed/" rel="self" type="application/rss+xml" />
	<link>http://rossander.org/infosec</link>
	<description>an Information Security blog for the rest of us</description>
	<lastBuildDate>Thu, 19 Jan 2012 01:40:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Careerbuilder scam</title>
		<link>http://rossander.org/infosec/2010/05/careerbuilder-scam/</link>
		<comments>http://rossander.org/infosec/2010/05/careerbuilder-scam/#comments</comments>
		<pubDate>Mon, 10 May 2010 13:57:03 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=599</guid>
		<description><![CDATA[Description of an email phish scam spoofing careerbuilder.com]]></description>
			<content:encoded><![CDATA[<p> Several coworkers and I got the same scam email this morning.  The message body is attached below.  It&#8217;s sneaky in its simplicity.  There is so little content that the spam filters have nothing to work with &#8211; there&#8217;s little that a computer can use to differentiate this from a thousand similar but legitimate business emails.</p>
<p> There are a few clues for you as a human reader to look for, however.
<ul>
<li> The greeting line is generic &#8211; &#8220;Dear Employee&#8221; rather than &#8220;Dear Mike&#8221; or &#8220;Mr. Rossander&#8221;.</li>
<li> The From address is an odd or at least a non-corporate address (<tt>redbran@galleryfifty4.com</tt>).</li>
<li> The link is spoofed.  That is, it appears to point to a legitimate <tt>careerbuilder.com</tt> page but when you float over the link (or right-click and look at properties), it is actually pointing to <tt>swc.com.ua/resume.pdf</tt>.</li>
<li> The spoofed address is in the Ukraine (the .ua part of the address).  Careerbuilder is an international company but to the best of my knowledge, they do not have any servers there, and none likely to be handling English-speaking matters.</li>
<li> Do you even have an account with Careerbuilder?  They are a legitimate company and I did have a resume on file with them once but several of my coworkers did not.  The age since my last contact with the company was a clue for me &#8211; the complete lack of prior relationship a better clue for my coworkers.</li>
</ul>
<p><img src="http://rossander.org/infosec/wp-content/uploads/2010/05/careerbuilder_spoof.jpg" alt="spoof careerbuilder email" title="careerbuilder_spoof" class="aligncenter size-full wp-image-600" style="border:1px solid black" /></p>
<p> Unfortunately, there is no guaranteed way to block these scams.  The best you can do is delete them and move on with your day.  In the meantime, remember that it&#8217;s not paranoia when they really are out to get you.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/05/careerbuilder-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OnGuard Online</title>
		<link>http://rossander.org/infosec/2008/11/onguard-online/</link>
		<comments>http://rossander.org/infosec/2008/11/onguard-online/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 19:23:48 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Home Computer]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[online scam]]></category>
		<category><![CDATA[Security quiz]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=11</guid>
		<description><![CDATA[OnGuardOnline is a great site for general security awareness materials targeted to a personal or small business audience.  Their materials are free for reuse.  Help spread the word.
]]></description>
			<content:encoded><![CDATA[<p>As the holidays get closer, many of us will turn to online shopping.  Done right, online shopping is about as safe as catalog shopping &#8211; and much more convenient.  If you don&#8217;t take basic precautions, though, you could lose your shirt.  Take the time to learn about the kinds of scams and cons that are used online.</p>
<p>The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams.  If you haven&#8217;t already been out to visit <a href=http://www.onguardonline.gov/default.aspx>www.onguardonline.gov</a>, I strongly recommend the site.  It has some excellent overview material on security at the personal and small business level.  The site also has a set of <a href=http://www.onguardonline.gov/games/overview.aspx>games</a> covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam.  Test your knowledge of internet security and safe shopping.  It&#8217;s well worth the time to visit the site.</p>
<p>The site&#8217;s material comes from a number of public and private sources but is all released for public use.  If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word.  (Instructions are <a href=http://www.onguardonline.gov/about-us/how-to-spread-word.aspx>here</a>.)</p>
<p><b>Addendum:</b><br />This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I&#8217;ve run across.  I&#8217;ll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.
<ul>
<li> <a href=http://cups.cs.cmu.edu/antiphishing_phil/quiz/index.html target="_blank">CMU Anti-Phishing Game</a> &#8211; Learn to identify fraudulent URLs</li>
<li> <a href=http://www.onguardonline.gov/games/mission-laptop-security-quiz.aspx target="_blank">Mission:Laptop Security</a> &#8211; Protect your laptop while traveling</li>
<li> <a href=http://www.ftc.gov/dad target="_blank">Anti-phishing Father&#8217;s Day card</a> &#8211; Flash video on phishing</li>
<li> <a href=http://www.onguardonline.gov/games/auction-action.aspx target="_blank">Auction Action</a> &#8211; Test your knowledge of online auctioning</li>
<li> <a href=http://www.onguardonline.gov/games/p2p-threeplay.aspx target="_blank">P2P Threeplay!</a> &#8211; a quick quiz on file-sharing</li>
<li> <a href=http://www.onguardonline.gov/games/invest-quest.aspx target="_blank">Invest Quest</a> &#8211; a simple quiz but the &#8216;disclaimers&#8217; are pretty funny</li>
</ul>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/11/onguard-online.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/11/onguard-online/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How not to look like spam</title>
		<link>http://rossander.org/infosec/2008/09/how-not-to-look-like-spam/</link>
		<comments>http://rossander.org/infosec/2008/09/how-not-to-look-like-spam/#comments</comments>
		<pubDate>Mon, 15 Sep 2008 17:35:36 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=20</guid>
		<description><![CDATA[Spam filters are getting better every year. They have to so they can keep up with the ever-increasing flood of spam. But no matter how good the filters get, some spam will always leak through. More worrying, some fraction of good messages will be inappropriately tagged as spam and lost. And depending on how your [...]]]></description>
			<content:encoded><![CDATA[<p>Spam filters are getting better every year. They have to so they can keep up with the <a href=http://rossander.org/infosec/?p=107>ever-increasing flood of spam</a>. But no matter how good the filters get, some spam will always leak through. More worrying, some fraction of good messages will be inappropriately tagged as spam and lost. And depending on how your respective spam filters are set, your reader may never even know that the message was attempted nor you that the message was rejected.</p>
<p>A while back, we wrote a tip about &quot;<a href=http://rossander.org/infosec/?p=44>how not to look like a phish</a>&quot;. I&#8217;ve wanted to write the companion article about not accidentally tripping the spam filters for several years now. I resisted because the rapid change in spammer tactics makes any list obsolete even before it hits the page. It will also never be a definitive list &#8211; the anti-spam vendors are justifiably worried about giving the spammers a roadmap showing how to bypass their filters. Nevertheless, there are some general rules worth discussing.
<ul>
<li>Your subject line is important. A blank subject line (or, worse, a subject line that is ambiguous and generic like &quot;Hi&quot; or &quot;I love you&quot;) will almost certainly get your message tagged as spam. A good subject line is also a courtesy to your readers, helping them to more quickly prioritize their inboxes and give your email the attention it deserves.</li>
<li>Mailing to lots of people at once will increase the odds of being tagged as spam. (This is a problem for the publishers of legitimate email newsletters with large distribution lists like, say, these tips.)</li>
<li>Use a company-issued email address. Sending from a free email account like yahoo.com or gmail will increase the odds of getting tagged.</li>
<li>Avoid common spam words like &quot;cheap&quot; and the V- word (rhymes with the famous waterfall). That sometimes means completely avoiding certain topics (which can be quite difficult, especially in a newsletter like this one where we are discussing spammer tactics) but more often means avoiding flowery, inflammatory or overly-promotional language. In particular, avoid all caps and multiple exclamation marks.</li>
<li>Avoid images, fancy graphics and html code in your email. Hackers and spammers hide things in those glossy &quot;enhancements&quot;. The simpler your message, the more likely it is to get through unmolested.</li>
<li>SPELL-CHECK! Spammers are getting much better at the use of grammatically correct English but bad spelling is still a surprisingly good filter for spam.</li>
<li> If you are sending a newsletter, always include your real contact information and a working set of &#8220;unsubscribe&#8221; instructions at the bottom of the message. This won&#8217;t actually help you get past the spam filters – too many spammers just include fraudulent unsubscribe options in their messages – but it is <a href=http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm>the law</a>.</li>
<li> Try to keep your message under two megabytes including embedded pictures and attachments. This isn&#8217;t strictly a spam-filtering rule but many mail servers use a 2 meg/message limit to keep any one message from tying up the lines.</li>
</ul>
<p>Finally, if you don&#8217;t get an answer in a reasonable amount of time, <b>follow up on your message</b>. No matter what you do or how good the filters get, some false positives will always exist. The person might be ignoring you but it&#8217;s more likely that they never got the message.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/09/how-not-to-look.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/09/how-not-to-look-like-spam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Spam, phish or secure mail?</title>
		<link>http://rossander.org/infosec/2008/09/spam-phish-or-secure-mail/</link>
		<comments>http://rossander.org/infosec/2008/09/spam-phish-or-secure-mail/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 18:54:15 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=21</guid>
		<description><![CDATA[For several years now, we&#8217;ve been telling everyone that email is a postcard – everything in the message is exposed to anyone who wants to read the message as it flashes by. A couple of companies have figured out how to solve this problem and their solutions are finally hitting critical mass. If you have [...]]]></description>
			<content:encoded><![CDATA[<p>For several years now, we&#8217;ve been telling everyone that email is a <a href=http://rossander.org/infosec/?p=127>postcard</a> – everything in the message is exposed to anyone who wants to read the message as it flashes by. A couple of companies have figured out how to solve this problem and their solutions are finally hitting critical mass. If you have a secure mail solution, you can finally put your message in an &#8216;envelope&#8217; and keep outsiders from reading it.</p>
<p>The problem is that we&#8217;ve also told you as a reader to delete any message that appears suspicious or that asks you to click through some &#8220;convenient&#8221; link. The &#8216;envelope&#8217; around a secured message looks a lot like a phish. (See &#8220;How it works&#8221; below.)</p>
<p>Here are some tips on telling the difference between a secure mail message and a spam or phish.
<ul>
<li> In a legitimate message, you will still be able to read the subject line and the sender. If you are not expecting a message from that sender, be suspicious.</li>
<li> Once you start working with a business partner who uses a secure mail system, all secure messages from that company should look basically the same. If the logo, the layout or the text look different, be suspicious.</li>
<li> A legitimate message will take you to the sender&#8217;s website to verify your login. A phish will try to take you someplace else to steal your password. If the message alleges to come from someone at redcross.org but the link is trying to take you to yahoo.com, be suspicious.<br /> Reminder: The only part of the domain that matters is the part immediately before the top-level domain (.com, .org, etc). Ignore the subdomain labels to the left of it and the path to the right of the top-level domain. In the link voltage-pp-0000.westfieldgrp.com/mail/32/, only &#8216;westfieldgrp&#8217; matters for verifying the legitimacy of the message. The rest is set up by the company&#8217;s IT department to point to specific places within the company&#8217;s domain.</li>
<li> Legitimate messages are written by professionals. Scam messages want to panic you into acting without thinking and often use phrases like &#8220;URGENT&#8221; and &#8220;log in now or your account will be closed&#8221;. If the language seems inflammatory, be suspicious.</li>
</ul>
<p>If you are suspicious, <b>call the sender and confirm the message</b>. Please do not just delete these messages, though. There&#8217;s a fair chance they are legitimate and you wouldn&#8217;t want to lose good messages.</p>
<p><b>How it works</b><br />
There are several ways to put your message in the secure &#8216;envelope&#8217;.<br />
One technique doesn&#8217;t actually put the content in email at all. What you really send is a placeholder saying &#8220;You have a message waiting. Please sign in at my website to read it.&#8221; The message content stays on the sender&#8217;s webserver and never actually travels by email. Some large financial and medical institutions use this kind of secure messaging.<br />
The other way is to pull the content off the message, encrypt it and reattach it to the message. The content travels by email but can&#8217;t be read except by someone who knows the password. (If you don&#8217;t already have a password set up, you will be asked to verify your identity and create one.)<br />
<br />A third technique is Transport Layer Security (<a href=http://en.wikipedia.org/wiki/Transport_Layer_Security>TLS</a>), a method that protects the message from one email server to another. This requires some setup between the two companies but is otherwise invisible to both the sender and the reader. These messages can&#8217;t be easily mistaken for a phish so we won&#8217;t discuss them in this tip.<br />
An example of that second kind of &#8216;envelope&#8217; – the encrypted attachment solution &#8211; is shown below.<br />
<a target=_blank href=http://westfieldinsurance.typepad.com/.shared/image.html?/photos/uncategorized/2008/09/08/infosec_securemailexample.jpg><img width=100 src=http://infosec.westfieldinsurance.com/images/2008/09/08/infosec_securemailexample.jpg></a></p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/09/spam-phish-or-s.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/09/spam-phish-or-secure-mail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers do it for the money</title>
		<link>http://rossander.org/infosec/2008/02/hackers-do-it-for-the-money/</link>
		<comments>http://rossander.org/infosec/2008/02/hackers-do-it-for-the-money/#comments</comments>
		<pubDate>Mon, 04 Feb 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Cybercrime Trends]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=49</guid>
		<description><![CDATA[Every so often, people ask me &#34;why do they do it?&#34; Why do the hackers put so much time and energy into committing crimes and sending spam? Why can&#8217;t they channel all that innovation for good? The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for [...]]]></description>
			<content:encoded><![CDATA[<p>Every so often, people ask me &quot;why do they do it?&quot; Why do the hackers put so much time and energy into committing crimes and sending spam? Why can&#8217;t they channel all that innovation for good?</p>
<p>The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for guts, glory and bragging rights – kids breaking into systems just to prove that they could or writing computer viruses to delete hard drives for the cheap thrill of vandalism. There are still some of those folks out there but the vast majority of hackers and spammers are now <a href=http://www.cnn.com/2005/TECH/internet/09/26/identity.hacker/index.html>in it for the money</a>. They are organized, well-educated and they&#8217;re making big bucks.</p>
<p>According to McAfee CEO David DeWalt, cybercrime has become a <a href=http://www.itnews.com.au/News/61497,cyberthreats-outpace-security-measures-says-mcafee-ceo.aspx>$105 billion business</a> and is now larger than the value of the illegal drug trade worldwide. Unfortunately, computer crimes are relatively safe crimes. Hackers hide behind multiple networks and their digital footprints. Many hackers run at least part of their scam through a foreign country – often one with poor relations with the US, significantly increasing the difficulty in prosecuting any case against the criminal. Law enforcement&#8217;s ability to find, prosecute and punish cybercriminals has not kept up with the growth of the criminal activity. And even if you do get caught, DeWalt noted that &#8220;If you rob a 7-11 you&#8217;ll get a much harsher punishment than if you stole millions online.&#8221;</p>
<p>And even if the hacker can&#8217;t make any money off you directly (by stealing your personal information or using your computer as a point-of-entry into the corporate system), they can still <a href=http://en.wikipedia.org/wiki/Zombie_computer>hijack</a> your computer&#8217;s processing power to attack other systems. The hacker sees your computer as an asset.</p>
<p>Take spam as another example. If we all stopped buying, the spam problem would dry up in a matter of months. Yet 98% of all message traffic on the Internet is now spam. Who buys that junk? According to a study from several years ago, a spammer only needs to make one sale or con per 100,000 messages in order to make a profit. With those odds, they don&#8217;t even have to be good scams. They just have to find the one gullible person among your 100,000 closest friends.</p>
<ul>
<li> Keep your <a href=http://rossander.org/infosec/?p=53>personal computer protected</a> at all times with anti-virus, anti-spyware and firewall – and keep them all current. Keep your computer <a href=http://rossander.org/infosec/?p=52>patched</a> at all times.</li>
<li> Pick <a href=http://rossander.org/infosec/?p=54>strong passwords</a> and never give them out to anyone no matter how good their story is.</li>
<li> Be alert for <a href=http://rossander.org/infosec/?p=56>phishing scams</a>.</li>
<li> Never buy anything from a <a href=http://rossander.org/infosec/?p=107>spammer</a>.</li>
</ul>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/02/hackers-do-it-f.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/02/hackers-do-it-for-the-money/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers go commercial</title>
		<link>http://rossander.org/infosec/2007/08/hackers-go-commercial/</link>
		<comments>http://rossander.org/infosec/2007/08/hackers-go-commercial/#comments</comments>
		<pubDate>Mon, 20 Aug 2007 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Cybercrime Trends]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=70</guid>
		<description><![CDATA[For only $700, you too can become a hacker. New hacker tools are as easy to use and as well supported as any commercial software package. The Mpack toolkit is a particularly easy-to-use hacker kit being sold on Russian e-crime forums. It is &#34;guaranteed to bypass all anti-virus programs at the time of purchase&#34;. Like [...]]]></description>
			<content:encoded><![CDATA[<p>For only $700, you too can become a hacker. New hacker tools are as easy to use and as well supported as any commercial software package. The Mpack toolkit is a particularly easy-to-use hacker kit being sold on Russian e-crime forums. It is &quot;guaranteed to bypass all anti-virus programs at the time of purchase&quot;. Like many commercial software packages, it includes a year&#8217;s worth of free updates and support for the hacker in the price. Mpack is also disturbingly common. It has been discovered embedded in more than 10,000 web sites so far.</p>
<p>Between the increased availability of these tools and the sheer number of vulnerabilities that they are programmed to automatically exploit, it is vital that you keep your computer&#8217;s operating system and applications up-to-date and fully patched.</p>
<p><strong>Regularly check for updates</strong> and immediately load them. Consider setting them to automatically update. And remember that you have to check for updates for every program you have on the computer, not just the Microsoft updates.</p>
<p><strong>Shut down your computer every night.</strong> This limits your vulnerability to automated attacks against your computer. Depending on how your network is set up, it may also trigger your update process, making sure that the latest patches are loaded to your computer when you log on in the morning.</p>
<p>Mpack targets security holes in many common software programs including QuickTime media player, plug-ins for the Firefox web browser and Microsoft Windows. According to researchers at one anti-virus company, this toolkit uses simple yet very sophisticated web-based interfaces and allows the hacker to take control of the victimized computer to either steal information, install <a href=http://rossander.org/infosec/?p=124>keyloggers</a> or use your computer as a &quot;<a href="http://en.wikipedia.org/wiki/Zombie_computer">zombie</a>&quot; to attack someone else. You can read this <a href="http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf">technical report</a> for more about Mpack.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2007/08/hackers-go-comm.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2007/08/hackers-go-commercial/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hackers attack computers every 39 seconds</title>
		<link>http://rossander.org/infosec/2007/03/hackers-attack-computers-every-39-seconds/</link>
		<comments>http://rossander.org/infosec/2007/03/hackers-attack-computers-every-39-seconds/#comments</comments>
		<pubDate>Mon, 26 Mar 2007 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Cybercrime Trends]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=92</guid>
		<description><![CDATA[In the time it takes you to read this entry, two hackers will try to get into your computer. The Hollywood stereotype of a hacker is a technically-savvy individual trying to get into a specific target computer &#8211; the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the [...]]]></description>
			<content:encoded><![CDATA[<p>In the time it takes you to read this entry, two hackers will try to get into your computer.</p>
<p>The Hollywood stereotype of a hacker is a technically-savvy individual trying to get into a specific target computer &#8211; the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the kid cracking a university system for bragging rights. In fact, most hackers today run brute force attacks using simple software-assisted techniques to randomly attack vast numbers of computers.</p>
<p>According to a <a href="http://www.isr.umd.edu/news/news_story.php?id=1872">Maryland Univ study</a>, computers are attacked on average 2,244 times a day. That&#8217;s an attack every 39 seconds.</p>
<p>Researchers in this study set up weak security on four computers with internet access, then recorded what happened as the individual machines were attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.</p>
<p>The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username. About 43 percent of all attempts simply reentered the username. The username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password set), 123456, password, passwd, 123, test, asdf, qwerty and variations based on the date (such as January07).</p>
<p>Once hackers gain access to a computer, they set up back doors so they can easily regain access later, turning the target computer into part of their botnet which they will later either use directly or lease to other hackers so they can send out spam, attack yet more computers, run distributed denial of service attacks, etc.</p>
<p>Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the account name immediately.</p>
<p>Always choose longer, less obvious passwords with combinations of upper and lowercase letters and numbers that are harder for brute-force dictionary attacks to guess. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2007/03/hackers-attack.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2007/03/hackers-attack-computers-every-39-seconds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pump-and-dump &#8212; bypassing the spam filters</title>
		<link>http://rossander.org/infosec/2006/12/pump-and-dump-bypassing-the-spam-filters/</link>
		<comments>http://rossander.org/infosec/2006/12/pump-and-dump-bypassing-the-spam-filters/#comments</comments>
		<pubDate>Mon, 11 Dec 2006 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=106</guid>
		<description><![CDATA[Right before Thanksgiving, we ran a Tip on &#34;pump-and-dump&#34; scam emails – emails containing fraudulent stock tips. A colleague forwarded an interesting variation of this scam. This message uses several different techniques in an attempt to circumvent the company&#8217;s spam filters. As a scam, notice that the message is urgent and timed. &#8220;It&#8217;s going to [...]]]></description>
			<content:encoded><![CDATA[<p>Right before Thanksgiving, we ran a Tip on &quot;<a href=http://rossander.org/infosec/?p=110>pump-and-dump</a>&quot; scam emails – emails containing fraudulent stock tips. A colleague forwarded an interesting variation of this scam. This message uses several different techniques in an attempt to circumvent the company&#8217;s spam filters.</p>
<p><a href=http://westfieldinsurance.typepad.com/.shared/image.html?/photos/uncategorized/2008/09/16/infosec_pumpanddumpexample_20061211.jpg><img align=right width=100 src=http://infosec.westfieldinsurance.com/images/2008/09/16/infosec_pumpanddumpexample_20061211.jpg></a></p>
<p>As a scam, notice that the message is urgent and timed. &#8220;It&#8217;s going to explode on Monday Nov 13th&#8221;. This scammer probably dumped the stock right around that date. Looking at the stock&#8217;s trading history, this scam probably worked. On 13 Oct, this stock cost less than a penny a share. On the 13th, it spiked up to $1.14. One week later, it was at $0.65 and falling.</p>
<p>Note that the scam part of this message is included as a picture, not as text. It has a lightly tinted background and small little &#8220;threads&#8221; scattered through the image. To a human, they look like the tiny imperfections that you sometimes see in high-quality paper. We easily ignore them and read the text. Their real purpose is to disrupt the computer&#8217;s ability to conduct optical character recognition. Not being able to fully read the text, the message doesn&#8217;t earn as many &#8220;points&#8221; toward being recognized as spam by the filter.</p>
<p>Second, note that the message is crafted to appear to be a reply even though John has never sent anything to this person. The hacker is hoping that we have a &#8220;whitelist rule&#8221; that would exempt all return messages from filtering. (That&#8217;s a common rule for companies that have had problems with good messages getting blocked as false-positives.) Unfortunately, it is trivially easy to spoof an address in an email. With the right editor, you could make your emails appear to come from the President of the United States. And while that&#8217;s certainly unethical and sometimes illegal, it&#8217;s almost impossible to trace the culprit. Email was never designed as a secure communications channel.</p>
<p>Third, note that the spammer included a block of text at the bottom of the message. To a human, it&#8217;s incomprehensible nonsense. To a computer, those are real words in apparently reasonable order. Since the spam filter &#8220;weighs&#8221; the sales-like content in proportion to all the other content in the message, this nonsense has the effect of diluting the spam score of the message.</p>
<p>As we discussed <a href=http://rossander.org/infosec/?p=107>last week</a>, researchers estimate that there are 9-10 spam messages for every good message on the Internet. Most companies have good tools but at those volumes, some spam will always leak through. If it looks like spam, it probably is. Delete it (preferably without opening the message) and move on.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2006/12/pump-and-dump-b.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2006/12/pump-and-dump-bypassing-the-spam-filters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spam trends &#8211; Updated</title>
		<link>http://rossander.org/infosec/2006/12/spam-trends-updated/</link>
		<comments>http://rossander.org/infosec/2006/12/spam-trends-updated/#comments</comments>
		<pubDate>Mon, 04 Dec 2006 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Cybercrime Trends]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=107</guid>
		<description><![CDATA[If it seems like you&#8217;re seeing a lot more spam lately, it&#8217;s not just you. During the past few months, the incidence of spam shot up around the world. In 2001, researchers estimated that about 5% of all Internet traffic was spam &#8211; one spam message for every twenty real messages. By 2003, researchers estimated [...]]]></description>
			<content:encoded><![CDATA[<p>If it seems like you&#8217;re seeing a lot more spam lately, it&#8217;s not just you. During the past few months, the incidence of spam shot up around the world. In 2001, researchers estimated that about 5% of all Internet traffic was spam &#8211; one spam message for every twenty real messages. By 2003, researchers estimated that 50-60% of all traffic on the Internet was spam &#8211; one spam message for each good message. In September of this year, that number was up over 80% &#8211; 4 spam messages for every real message.</p>
<p>In the past month, two new computer viruses were released, both of which are specially designed to generate spam messages. These viruses are very sophisticated and have been very hard for the anti-virus companies to block. (See <a href="http://www.techweb.com/showArticle.jhtml?articleID=193501712">this TechWeb article</a> for details.) The <a href="http://www.cnn.com/2006/WORLD/europe/11/27/uk.spam.reut/index.html">latest estimates</a> are that there are <strong>9-10 spam messages for each good message on the Internet</strong>. All that means that the total volume of spam on the Internet is way, way up.</p>
<p>Good spam filters are generally 95-98% effective at identifying spam messages as spam. That&#8217;s actually a pretty good ratio and is about as good as any software package can get. Unfortunately, when you pump so much increased volume through a filter with a 2% leakage rate, more spam will inevitably leak through.</p>
<p>Some people have asked if they can tweak that filter to block more of the spam. The cost we generally pay for that effectiveness is that about 0.5% of good messages are incorrectly identified as spam. If you tighten the spam filter, you will get an increase in the false positives. Every company is constantly trying to make sure that they are at the right balancing point.</p>
<p>We are in an arms race with the spammers. Every time the anti-spam vendors come up with a technique to identify spam, the spammers adapt and find another way around the filters. It has been a story of incredible creativity and innovation.</p>
<p>While we are waiting for the spam-filter companies to release their next round in the arms race, there are some things that you can do to keep yourself off the spammers&#8217; target lists. Remember that once you&#8217;re on one list, spammers will sell your address to other spammers. And once that happens, there&#8217;s little you can do except to wait until your address ages off their lists.</p>
<ol>
<li><strong>Never</strong> buy anything advertised in a spam message. If you do, you&#8217;ll jump straight to the top of their list.</li>
<li>Never respond to a spam email, even to complain or to attempt to get off their list. Any reply at all confirms to the spammer that you read the message. Even if you didn&#8217;t fall for their Viagra scam, they know you might fall for a mortgage scam. Never reply to a spammer. Do <strong>not</strong> attempt to &quot;unsubscribe&quot; from the list. More often than not, the unsubscribe link is a scam.</li>
<li>If you can, delete the spam message without ever opening it. Spammers use techniques such as web-bugs to track whether or not you opened the message. Again, they hope that even if you didn&#8217;t fall for one scam, if you&#8217;re the kind of person who opens spam, maybe you&#8217;ll fall for a different one.</li>
<li>Do not use your work email address for internet shopping, chat boards, etc. Sign up for a free email account like Yahoo or Hotmail.</li>
</ol>
<p>The final recommendation is to remember that spam is just like the physical junk mail in your mailbox at home. We do what we can but at some point you just throw it in the trash and let yourself get on with your life.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2006/12/spam-trends---u.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2006/12/spam-trends-updated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pump-and-dump scams</title>
		<link>http://rossander.org/infosec/2006/11/pump-and-dump-scams/</link>
		<comments>http://rossander.org/infosec/2006/11/pump-and-dump-scams/#comments</comments>
		<pubDate>Mon, 20 Nov 2006 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[spam]]></category>
		<category><![CDATA[Specific Alerts]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=110</guid>
		<description><![CDATA[For the past few weeks, we&#8217;ve been discussing &#34;spear-phishing&#34; attacks – targeted messages that are highly personalized in their attempts to con you into clicking on their link. This week, we will discuss variations on the &#8220;pump-and-dump&#8221; stock scam emails. First, some background. Pump-and-dump scams have been around for as long as there have been [...]]]></description>
			<content:encoded><![CDATA[<p>For the past few weeks, we&#8217;ve been discussing &quot;spear-phishing&quot; attacks – targeted messages that are highly personalized in their attempts to con you into clicking on their link. This week, we will discuss variations on the &#8220;pump-and-dump&#8221; stock scam emails.</p>
<p>First, some background. Pump-and-dump scams have been around for as long as there have been stock markets. In this scam, the crook buys shares of some small, low-liquidity stock. He then starts rumors that this stock is &#8220;on its way up&#8221; and &#8220;about to explode on Monday&#8221;. The rumors are often crafted to appear to be insider tips. They play on the greed and vanity of the recipients. When the victims begin to invest in the penny-stock, the price does go up &#8211; temporarily. The scammer immediately sells his shares at the inflated price. After a few days, the price returns to normal and the victims are left holding shares of a stock worth only a fraction of what they paid.</p>
<p>One popular version of this scam is designed to look like a misdirected email. The message starts &#8220;Hi. I hope this is your email. It was great to meet you the other day and I hope you&#8217;re enjoying New York. The deal I was speaking about yesterday involves a company know as [company name]. It&#8217;s already headed up&#8230;&#8221;</p>
<p>Another opens &#8220;Hey, girlfriend. Remember that hot stock exchange guy that I&#8217;m dating?&#8221; before dropping the fraudulent tip. In both cases, the wording of the &#8220;tip&#8221; is designed to look like it was intended for someone else and that you got the message because the sender mistyped the email address. In fact, these are mass-mailed spam.</p>
<p>You can read more about this particular scam at <a href=http://www.nasd.com/InvestorInformation/InvestorAlerts/FraudsandScams/IhopethisisyouremailScamOffersNoHopeofProfits/NASDW_017717>www.nasd.com</a>.</p>
<p>Never respond to an unexpected message and <b>never</b> follow the advice of a spammer. It doesn&#8217;t matter how good the alleged tip looks. If you&#8217;re going to invest in the market, do your homework. Invest in companies with good fundamentals whose business you understand. Don&#8217;t invest on &#8220;momentum&#8221; or insider tips.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2006/11/pump-and-dump-s.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2006/11/pump-and-dump-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

