Friday, April 25, 2008
Friday, April 25, 2008 3:47:58 PM (Mountain Daylight Time, UTC-06:00) ( Barracuda Networks | Fortinet | Secure Computing | Spam Filtering Service )
Spammers are continuing to use the oldest trick in the book - social engineering - to try to get you to be part of their plan. The US CERT (Computer Emergency Readiness Team) has released a number of advisories over the last few weeks on recent Spammer tricks: impersonating someone trusted, like the tax department or a trusted news source, to get you to click on one of their web links.

Here are some recent samples:

IRS Rebate Phishing Scam
Federal Subpoena Spear-Phishing Attack
Radiation Leak - from a trusted news source
The text included with the links the Spammers send may make your pulse race (I can get my Tax rebate now!), and so they try to get the emotional part of you to take control of your mouse before the logical part of your brain (This sounds fishy - better be safe and delete this message or call them directly to confirm) kicks in.

Guess what? By clicking on the link you played right into the Spammer's plan: you either filled in a form (Phishing) and gave them information they can use to steal your identity or money, or your computer got infected and is now playing its part in sending out Spam.

How do you keep yourself safe while on the Internet?

Install and use a good anti-virus / anti-malware product and keep it up to date.

Take the time - once in a month at least - to do a full update for security patches and then do a full anti-virus / anti-malware scan of your computer.

Use some reputable online scans to double check on your Anti-Virus.

F-Secure Health Check Online scanner
  • www.f-secure.com/healthcheck/
Panda Active Scan
  • www.pandasecurity.com/canada-eng/homeusers/solutions/activescan/default.htm?track=80383
Kaspersky

Secunia's Online Scanner (checks to confirm your software is up-to-date)
(Warning - These companies use these online services to try and sell you on their products - you may have to provide an e-mail address to start one or more of these services so you may get marketing related messages after using these services)

At work you will want to use a higher-end firewall (such as a firewall from Fortinet or Secure Computing) or a dedicated web filter appliance (from Barracuda Networks) with a second layer of anti-virus / anti-malware / web content filtering between your computers and the Internet.

Spammers are the problem but we have to do our best to be part of the solution!

- Shaun
Wednesday, April 16, 2008
Wednesday, April 16, 2008 9:34:07 AM (Mountain Daylight Time, UTC-06:00) ( Barracuda Networks | Barracuda Website Firewall | SQL Injection )
According to John Leyden (from "The Register") in his article "Security gumshoes locate source of mystery web compromise", the source of the mystery injection of more than 10,000 websites back in January has been uncovered!

He says:

"Thousands of legitimate websites were compromised at the start of the year to serve up malware, as we reported at the time.

It seemed that the exploitation of SQL Injection vulnerabilities was involved in the automated attacks. The precise mechanism was unclear until earlier this week when security researchers discovered a malicious executable later linked to the attack on a hacker site.

The hacker utility used search engines to find insecure websites that it then tried to exploit using an SQL injection attack. The exploit included an SQL statement that tried to inject a script tag into every HTML page on the website.

The tool - which had an interface written in Chinese - was programmed by default to insert a tag to the same malicious JavaScript file that featured in the January attack, solid evidence that it was at least partially behind the assault.

The tool runs a script called pay.asp, hosted on a server in China. This suggests that hackers running the attack were keeping count of the number of sites they had compromised, in order to work out how much they stand to get paid.

Further analysis of the tool by security researchers at the SANS Institute's Internet Storm Centre (ISC) is ongoing. The tool came to their attention via a tip-off from Dr Neal Krawetz. The initial attack was uncovered by security researcher Mary Landesman, of ScanSafe, who described it at the time as a new type of compromise.

The constant, changing flux of the malicious JavaScript served up by compromised sites made initial analysis difficult. With the benefit of the hacker tool used to pull off the attack this all becomes much clearer, much like it was easier for scientists to unravel a cure for the mystery pandemic that blighted mankind in Twelve Monkeys after they obtained a sample of the pure source.

"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," writes ISC handler Bojan Zdrnja.

Website owners ought to use the discovery as a wake up call on the need to ensure that their web applications are secure, he added."

If you are worried about SQL injection and other attacks on your website then you should take a look at Barracuda Network's newest solution called the Website Firewall. For more information or to arrange for an eval unit please visit: www.BarracudaNetworks.ca/Searchresult.aspx?CategoryID=74.
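The attack quoted above worked by using SQL injection to append a script tag to text stored in the database, so that every page rendered from that data served the malicious JavaScript. A quick way for a site owner to check whether they were hit is to sweep every text column for an externally sourced script tag. The following is an added example, not code from the article or from Barracuda Networks; it uses SQLite and a constructed sample database (the table names, the injected URL and the rows are all made up) to demonstrate the audit:

```python
import re
import sqlite3
from typing import List, Tuple

# A script tag that loads an external file, the form injected in the January 2008 attack.
# Inline <script>...</script> blocks are deliberately not flagged, to keep false positives down.
SCRIPT_TAG = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)


def text_columns(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """List (table, column) pairs whose declared type is textual (TEXT, VARCHAR, CLOB ...)."""
    pairs = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                pairs.append((table, col))
    return pairs


def find_injected_scripts(conn: sqlite3.Connection) -> List[Tuple[str, str, int, str]]:
    """Return (table, column, rowid, snippet) for every row whose text holds an external script tag.
    Identifiers come from the schema itself, so quoting them is enough for this audit."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str):
                m = SCRIPT_TAG.search(value)
                if m:
                    hits.append((table, col, rowid, value[m.start():m.start() + 60]))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two tables, two rows carrying an injected tag (hypothetical URL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT, views INTEGER);
    """)
    conn.executemany("INSERT INTO products(name, description) VALUES (?, ?)", [
        ("Widget", "A plain widget."),
        ("Gadget", 'A gadget.<script src="http://injected.example/bad.js"></script>'),
    ])
    conn.executemany("INSERT INTO news(title, body, views) VALUES (?, ?, ?)", [
        ("Hello", "<p>Inline <script>var x=1;</script> is not flagged</p>", 3),
        ("Ouch<script src=//injected.example/b.js></script>", "body text", 9),
    ])
    return conn


if __name__ == "__main__":
    for hit in find_injected_scripts(build_sample_db()):
        print("injected tag in %s.%s rowid=%d: %s" % hit)
```

Finding such rows confirms the compromise but not the entry point; the web application's own query construction still has to be fixed, which is what the "wake up call" in the quote is about.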

Friday, March 28, 2008
Friday, March 28, 2008 9:03:37 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Central | Barracuda Networks | CudaMail | ORDB | Spam Filtering Service )
As some of you may know, ORDB.org (aka the Open Relay Data Base) was one of the original real-time, IP-based blacklists. The idea was that as your mail server or anti-spam service (like CudaMail) was getting a connection from a sending mail server, you could ask ORDB.org if the sender's IP address was known to ORDB, and if it was you had a pretty good idea that you didn't want to accept this e-mail, as it was most likely spam being routed through an open relay mail server.
 
Well, after running as a free service for years, the ORDB.org service was shut down on December 18, 2006, and instead of replying it would just time out. Not a big deal: since your mail server didn't get a reply either way, it went on to other tests. They announced that they were going off-line and that at some time in the future they would be replying with a positive result to any new queries. This has happened many times over the years with various free anti-spam databases for a variety of reasons. Most administrators didn't notice the ORDB.org announcement, or put the removal of this test on their 'to do' list and promptly forgot about it until now.
 
So on March 25, 2008, after giving fair warning, the DNS servers for ORDB.org started to answer every query with a positive result. All mail servers still using a spam filtering solution that references ORDB (relays.ordb.org) immediately started to block all incoming e-mails regardless of their real status as spam sources. You can't blame the admins of ORDB.org, as they were providing this service for free and had been paying for the bandwidth used up by all these timed-out queries for the last 2 years.
 
While the CudaMail system does still use some of the no-charge databases out there to block spam, it does not use ORDB.org. Barracuda Central has also been actively working on their own internal reputation system. The Barracuda Reputation system is very mature at this point, with the end result that this database is flagging new spam sources before the no-charge databases like ORDB.org used to. The real benefit of Barracuda Central maintaining this database is that there are dedicated people paid to maintain it as part of their business plan, and the problems experienced by people who rely on the free databases will not happen to CudaMail.
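The failure described above is detectable from the mail server side: a DNSBL is queried by reversing the IP's octets under the list zone, and by long-standing convention (RFC 5782) a live list answers for the test address 127.0.0.2 but must not answer for 127.0.0.1, so a zone that "lists" 127.0.0.1 is dead, wildcarded or answering everything, exactly what relays.ordb.org began doing. The following is an added example, not code from the post or from Barracuda; the resolver is pluggable so the demo runs offline against two constructed resolvers (one imitating ORDB after March 25, one imitating a healthy list under the made-up zone bl.example):

```python
import ipaddress
import socket
from typing import Callable, Optional

# A resolver returns the A record for a name, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list zone.
    192.0.2.10 against relays.ordb.org -> 10.2.0.192.relays.ordb.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver (not used by the offline demo below)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    return resolve(dnsbl_query_name(ip, zone)) is not None


def dnsbl_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone listing 127.0.0.1 is answering every query and must be ignored."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def should_reject(ip: str, zone: str, resolve: Resolver) -> bool:
    """Trust a positive answer only from a zone that passes the sanity check."""
    return dnsbl_is_sane(zone, resolve) and is_listed(ip, zone, resolve)


# Constructed resolvers imitating the behaviours described in the post.
def fake_dead_ordb(name: str) -> Optional[str]:
    return "127.0.0.2"          # after shutdown: every query gets a positive answer


HEALTHY_ZONE = "bl.example"     # hypothetical list; it knows the test point and one open relay
_HEALTHY_ENTRIES = {dnsbl_query_name("127.0.0.2", HEALTHY_ZONE),
                    dnsbl_query_name("192.0.2.10", HEALTHY_ZONE)}


def fake_healthy_list(name: str) -> Optional[str]:
    return "127.0.0.2" if name in _HEALTHY_ENTRIES else None
```

In production the sanity check would be cached and re-run periodically rather than executed for every incoming connection, and a zone that fails it should raise an alert so the stale entry gets removed from the configuration.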

Now go have a nice spam free day!

- Shaun Sturby

Monday, March 17, 2008
Monday, March 17, 2008 12:55:04 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Central | Barracuda Networks | Barracuda Spam Firewalls | CudaMail | Robert Soloway | Spam | Spam Stats | Threats )
Notorious 'spam king' Robert Soloway has pleaded guilty to additional charges (fraud and tax evasion) related to his previous conviction for sending out huge volumes of Spam.
 
US Department of Justice indictment against Soloway:
> www.usdoj.gov/usao/waw/press/2007/may/soloway.html
Seattle times article on Soloway's guilty plea on the new charges:
> http://seattletimes.nwsource.com/html/localnews/2004283998_spamking15m.html 
The question to the reader therefore is 'Do you think that this sentence will result in less spam to your inbox?'
 
Sadly the answer is probably 'no' as the trend in Spam is still increasing and human nature, on both sides of the equation, being what it is won't change.
 
There are a number of sites you can go to if you want to look at Spam trends and one such site is Barracuda Central:

www.barracudacentral.com/index.cgi?p=spam
 
You can go there if you want to look at the pretty graphs but the number that jumps out at me is that worldwide the number of messages processed by all Barracuda Anti-Spam Firewalls yesterday was over 2 Billion. 2,277,470,908 to be exact and of that number the vast majority or 2,170,841,992 (95.32%) were blocked as Spam. This is in contrast to the same statistics a year ago where the number of messages processed per day was around 1 Billion per day and the Spam percentage was around 92%.
 
Sadly, the Spam mix is still about 50% off-brand pharmaceuticals and about 25% knockoff products which tells you what is profitable to the Spammers. If people stopped responding to these advertisements and voted with their cash then the Spammers would not be profitable and would have to look elsewhere for their next easy meal.

Will human nature change overnight?
 
Probably not. Consumers want a good deal and are not likely to change, and the Spammers have found a financial niche that they fit into, so expect the volume of Spam to continue and even increase as the effectiveness of anti-spam solutions like the Barracuda appliances, which CudaMail is powered by, makes the Spammers' job that much harder. They will ramp up their efforts to sneak Spam past such solutions rather than change their nature.
 
- Shaun


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security


© Copyright 2008, Optrics Inc.