Phishy Facebook Emails

Facebook phishes are getting better. Compare this one:

[Image: the real Facebook notification email]

and this:

[Image: the fake Facebook notification email]

Notice how the key bit, the part that supposedly proves it is a legitimate email, is faked successfully and convincingly:

[Image: the faked portion of the email]

The only difference that stands out is the domain: facebookembody.com. Although Google classified the message as spam, it didn’t warn that the link leads to a website that contains malware. So be warned. Notification emails aren’t such a good idea anymore, if they ever were.
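The tell in this phish is the domain, so here is an added example (my own code, not from the post) of a check that pulls the sender’s domain and every link host out of a notification email and flags any host that contains the brand name but is not one of the brand’s own domains. The allow-list, the helper names and the two sample messages are assumptions; the only value taken from the post is facebookembody.com.

```python
"""Flag notification emails whose sender or links point at a lookalike domain.

Added example; not the original post's code. Sample messages are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Brand name -> registrable domains allowed to carry that brand.
# Assumption: adjust to the domains the brand actually sends from and links to.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def registrable_domain(host: str) -> str:
    """Last two labels of a host: www.facebookembody.com -> facebookembody.com.
    Good enough for .com; a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_reasons(host: str) -> list:
    """Explain why `host` is suspicious for every brand whose name it contains.
    Catches both facebookembody.com and facebook.com.evil.example, since the
    registrable domain of each is not on the allow-list."""
    reasons = []
    reg = registrable_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in host.lower() and reg not in allowed:
            reasons.append(f"{host}: contains '{brand}' but registrable domain is {reg}")
    return reasons


def check_message(raw: str) -> list:
    """Return findings for the From: header and every http(s) link in the body."""
    msg = message_from_string(raw)
    findings = []
    m = EMAIL_RE.search(msg.get("From", ""))
    if m:
        findings += lookalike_reasons(m.group(1))
    body = msg.get_payload()  # assumption: single-part plain-text body
    for url in URL_RE.findall(body):
        findings += lookalike_reasons(urlparse(url).hostname or "")
    return findings


# Constructed sample: the kind of phish described in the post.
SCAM = """\
From: Facebook <notification+abc@facebookembody.com>
Subject: You have 1 new friend request

Hi there, you have notifications pending.
See them here: http://www.facebookembody.com/n/?hp&mid=abc
"""

# Constructed sample: a message whose sender and link stay on allowed domains.
REAL = """\
From: Facebook <notification@facebookmail.com>
Subject: You have 1 new friend request

Hi there, see them here: https://www.facebook.com/n/?hp
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("real", REAL)):
        print(name, check_message(raw) or "no lookalike domains")
```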

My War On ATM Spam and Other Annoyances

By Jeremy Wagstaff

(This is a copy of my weekly syndicated column)

You really don’t need to thank me, but I think you should know that for the past 10 years I’ve been fighting a lonely battle on your behalf. I’ve been taking on mighty corporations to rid the world of spam.

Not the spam you’re familiar with. Email spam is still around, it’s just not in your inbox, for the most part. Filters do a great job of keeping it out.

I’m talking about more serious things, like eye spam, cabin spam, hand spam, counter spam and now, my most recent campaign, ATM spam.

Now there’s a possibility you might not have heard of these terms. Mainly because I made most of them up. But you’ll surely have experienced their nefarious effects.

Eye spam is when something is put in front of your face and you can’t escape from it. Like ads for other movies on DVDs or in cinemas that you can’t skip. Cabin spam is when flight attendants wake you from your post-prandial or takeoff slumber to remind you that you’re flying their airline, they hope you have a pleasant flight and there’s lots of duty free rubbish you wouldn’t otherwise consider buying wending its way down the aisle right now.

Then there’s hand-spam: handouts on sidewalks that you have to swerve into oncoming pedestrian traffic to avoid. Counter spam is when you buy something and the assistant tries to sell you something else as well. “Would you like a limited edition pickled Easter Bunny with radioactive ears with that?”

My rearguard action against this is to say “if it’s free. If it’s not, then you have given me pause for thought. Is my purchase really necessary, if you feel it necessary to offer me more? Is it a good deal for me? No, I think I’ll cancel the whole transaction, so you and your bosses may consider the time you’re costing me by trying to offload stuff on me I didn’t expressly ask for.” And then I walk out of the shop, shoeless, shirtless, or hungry, depending on what I was trying to buy, but with that warm feeling that comes from feeling that I stuck it to the man. Or one of his minions, anyway.

And now, ATM spam. In recent months I’ve noticed my bank will fire a message at me when I’m conducting my automated cash machine business offering some sort of credit card, or car, or complex derivative, I’m not sure what. I’ve noticed that this happens after I’ve ordered my cash, but that the cash won’t start churning inside the machine until I’ve responded to this spam message.

Only when I hit the “no” button does the machine start doing its thing. This drives me nuts because once I’ve entered the details of my ATM transaction I am usually reaching for my wallet ready to catch the notes before they fly around the vestibule or that suspicious looking granny at the next machine makes a grab for them. So to look back at the machine and see this dumb spam message sitting there and no cash irks me no end.

My short-term solution to this is to look deep into the CCTV lens and utter obscenities, but I have of late realized this may not improve my creditworthiness. Neither has it stopped the spam messages.

So I took it to the next person up the chain, a bank staff member standing nearby called Keith. “Not only is this deeply irritating,” I told him, “but it’s a security risk.” He nodded sagely. I suspect my reputation may have preceded me. I won a small victory against this particular bank a few years back when I confided in them that the message that appeared on the screen after customers log out of their Internet banking service—“You’ve logged out but you haven’t logged off”, accompanied by a picture of some palm trees and an ad for some holiday service—may confuse and alarm users rather than help them. Eventually the bank agreed to pull the ad.

So I was hoping a discreet word with Keith would do the trick. Is there no way, I said, for users to opt out of these messages? And I told him about my security fears, pointing discreetly to the elderly lady who was now wielding her Zimmer frame menacingly at the door. Keith, whose title, it turns out, is First Impression Officer, said he’d look into it.

So I’m hopeful I will have won another small battle on behalf of us consumers. Yes I know I may sound somewhat eccentric, but that’s what they want us to think. My rule of thumb is this: If you want to take up my time trying to sell me something because you know I can’t escape, then you should pay for it—the product or my time, take your pick.

Now, while I’ve got your attention, can I interest you in some of those Easter bunny things? They’re actually very good.

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009, APEC officials and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committee and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.)

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority, and reported in the Straits Times on Saturday, December 4. (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails purportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; it has been associated with corporate espionage but also with the GhostNet attacks.

Podcast: HP, Palm, Spam and Social Media Cold Turkey

This podcast is from my weekly slot on Radio Australia Today with Phil Kafcaloudes and Adelaine Ng, wherein we discuss HP buying Palm, students going cold turkey on social media, and whether China is no longer the spam capital of the world.

To listen to the podcast, click on the button below. To subscribe, click here.


I appear on Radio Australia Today every Friday at about 9.15 am Singapore time (that’s 0.15 GMT/UTC.) There’s a live stream of the broadcast here, or find out your local frequencies here.

Some Early Lessons from The Georgian Cyberwar

[Image: illustration from Arbor Networks]

There’s some interesting writing going about the Georgian Cyberwar. This from VNUnet, which seems to confirm my earlier suspicion that this is the first time we’re seeing two parallel wars:

“We are witnessing in this crisis the birth of true, operational cyber warfare,” said Eli Jellenc, manager of All-Source Intelligence at iDefense.

“The use of cyber attack assets in conjunction with kinetic military operations in the current crisis now stands among the most significant developments ever seen in the field of information security or cyber conflict studies.”

Others suggest that in fact there are examples of earlier parallel conflicts: Kosovo, among them, says Arbor Networks’ Jose Nazario.

ZDNet’s Dancho Danchev takes the idea that this is all about denying participants a chance to get their message out a stage further: those put out of action are being forced to get their message out through other channels. Georgia’s foreign ministry, for example, has set up a blog at Blogger and the website of the Polish president.

The mainstream press is having a go at the story, too, including the Journal and the NYT. The main culprit, the articles suggest (following Georgia’s own claims), is the Russian Business Network, a St. Petersburg-based gang.

But as this article points out, finding out who is responsible is a slow business. Indeed, this is a strange feature of cyberwar that makes it more akin to terrorism than to warfare. This kind of makes the notion of establishing responsibility a little beside the point. Cyberattacks are a chance for ordinary (well, sort of ordinary) citizens to do their bit for the war effort. In this sense the government is a customer for the services of botnet and hacker groups or individuals with skills the government is happy to see deployed on its behalf, while being able to plausibly deny it has anything to do with them.

Indeed, we may be missing the more interesting aspect of this, one that predates South Ossetia. Now we’re just seeing cyber attacks work alongside the physical, or kinetic, attacks. A sort of psywar, since it’s mainly about getting the word out and winning hearts and minds.

But what about a cyberwar conducted on its own, but one that leads to a physical war—at least, a cold one? Joel Hruska at arstechnica points out in a piece written a week ago, that an uncovered little cyberwar—or rather cyber-hacktivism—in Lithuania, led to a serious cooling of relations between its government and that of Russia. As with Estonia last year, the attack “marked the first time I was aware of in which a single individual with a computer was able to notably impact relations between two neighboring nations.”

Georgia, however, represents the first time we’ve seen a government almost wiped off the Internet. Whether this is a prelude to it being wiped off the map is something we’ll have to wait and see. But already some conclusions are becoming obvious:

  • Cyberwar is too powerful a tool for any government to ignore, both offensively and defensively;
  • Cyberwar is not just about putting citizens of a target country in the dark; it’s about making it impossible for the target government, and its citizens, to get their side of the story out.
  • As these tools get more powerful, when will we see cyberwar as a specific phase in a physical war designed to achieve what used to be done by the physical bombardment of communication centers?
  • Botnets, and their owners, are powerful players beyond the underworld of spam and phishing. A government that has them operating within their borders must surely know of their existence; if it hasn’t shut them down already, is it too great a leap of logic to suggest there must, at some level, be a relationship between them?

Georgia gets allies in Russian cyberwar – vnunet.com

Whaling in Singapore?

Singapore appears to be the source of a virus cleverly designed to hoodwink U.S. executives by appearing to be an emailed subpoena which mentions them by name, as well as their title.

The SANS Storm Center said three days ago that

We’ve gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it’s total bogus. It’s a “click-the-link-for-malware” typical spammer stunt. So, first and foremost, don’t click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It’s very highly targeted that way.

The report says that the server that the trojan reports back to is “hard-coded to an ISP in Singapore at this time,” from where, according to Ars Technica, it “steals copies of any security certificates installed on the system.”

(This, by the way, is called whaling, since it is like phishing but is more targeted, and going for bigger phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, “the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore.”

There’s no evidence the “cyber ruffians” are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, “led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong.”

That said, just because an ISP may have been compromised doesn’t mean that those involved are physically located in Singapore. Indeed, it would seem very unlikely they are; if they’re smart enough to launch an attack like this, you’d have to bet against them being anywhere near the ‘command and control’ center itself.

Still, it’s unsettling that an ISP may have been compromised. So far we don’t know much more, though I’ve put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don’t expect something anytime soon.)

Stoop to Congoo?

Is business networking site Congoo resorting to spam to build its user base? I suspect it is.

Congoo is on one hand a good idea — a place to gather and monitor content on your industry, including content that is usually subscription only (like WSJ.com, who publish my weekly Loose Wire column.) But it’s also a networking tool — indeed, its blurb emphasizes that over the content:

[Image: Congoo’s blurb]

But I don’t like being spammed, and I think Congoo may be doing that. Of course, they’re not alone in being accused of spamming — the likes of Plaxo, Zorpia and other networking services make it overly easy for a new recruit to send an email blast to everyone in their address book without them realizing it. To me that’s spam. Even Facebook isn’t entirely blameless: Add any application to your profile and you’re usually within a whisker of spamming all your friends unless you’re alert and scout around for the “skip” button.

But Congoo seems to be taking a different, and in a way more openly spammy, approach. It’s emailing non-subscribers — apparently at random — inviting them to join the network — with no apparent invitation from an existing user, or even a personalized email to indicate the recipient is being chosen for a specific reason. Here’s part of what I got this morning, from someone called Rebecca Simpson, identified as “Manager Network Development”:

We would like to formally invite you to add your professional profile on Congoo. You may recognize many of the professionals already featured: Media & Advertising, Healthcare, Internet Finance Technology, Politics & Law

Rebecca’s Congoo profile says she has “specialized in working with press and media outlets to distribute information. I have also organized and executed guerilla marketing campaigns as well as developed proprietary systems and methods for measuring ROI on Web buzz.”

That may be so, but frankly I’m not impressed at this particular pitch. No attempt is being made to categorize me, as I’ve shown only an amateur’s interest in healthcare, and my grasp of law goes no further than thinking ‘tort’ must be in some way related to the word ‘retort’. And I’ve had no prior dealings with Congoo that I can recall aside from several pitches from their (somewhat, er, insistent) PR company, whose own contact database could do with some consolidating.

It appears I’m not alone in thinking this might be a bit too spammy to be decent business practice. The net-abuse mailing list last week collected four examples of an identical message from one Heather Faulkner, who also happens to carry the title of “Manager Network Development” (how many managers of one department are you allowed? I’m not really up to date on that kind of thing), while the spam manager at AKBK Home captured more than 50 in a few hours.

And then there’s Congoo’s own policy on spam, of which this seems itself to be a transgression:

Congoo is concerned about controlling unsolicited commercial e-mail, or “spam.” Congoo has a strict policy prohibiting the use of all Congoo mail accounts to send spam.

I’ve asked Congoo for more information on this, and on their policy about emailing people. At best, I’ve got it all wrong and it’s all a big mistake. At worst, it’s a pretty poor display of a networking site trying to build its base through tactics that make it little different to those of a Viagra salesman. Times may be tough amidst the runaway success of something like Facebook, and the critical mass of LinkedIn, but stoop low and there’s no way back to standing straight.

Your Phone as Stalker

Phone spam feels like it’s getting worse.

I and my wife have been receiving numerous calls from the local arm of ANZ Bank — a bank I am happy to identify by name because I’ve sought comment from them without reply for nearly a week now. Our mobile phone numbers were probably sold by another bank or possibly by the cellphone company.

Nokia researcher Jan Chipchase starts picking up SMS and phone spam on Hutch in India within a day of activating his SIM card, and finds that the company is three times as slow at removing his number from their spam lists:

Locals in the know send a text message to opt out, a process that, according to Hutch’s automated response, takes at least three days to activate: “We respect your privacy. Please give us 72 hours to include your number on our Do Not Disturb list. Thank you” and an unspecified amount of time for this to filter through to the companies that already have you on their disturb list.

I’m quite aggressive at fighting SMS and phone spam, but not always successful. One nightclub spammed me regularly until I got upset. Now they don’t. (Embarrassingly, it turned out to be owned by a friend of mine.) Now a lot of people here don’t answer their phone unless they recognize the number on the display.

Still, nothing is quite as bad as this case of cellphone stalking in the U.S., where one family claims to feel harassed to the point of paralysis through their cellphone. A good clear-eyed view of the mess here.

Protect Your Privacy With Twiglets

[Image: Laplink’s download registration form]

I really hate being asked for lots of private details just to download a product. In short: People shouldn’t have to register to try something out. An email address, yes, if absolutely necessary.

But better not: just let the person decide whether they like it. It’s the online equivalent of a salesperson shadowing you around the shop so closely that if you stop or turn around quickly they bump into you. (One assistant in Marks & Spencer the other day tailed me so closely I could smell his breath, which wasn’t pleasant, and then had the gall to signal to the cashier it was his commission when I did, without his help, choose something to buy.) I nearly put some Marks & Spencer Twiglets up his nose but that branch doesn’t sell them.

Anyway, the latest offender in this regard is Laplink, who ask for way too much personal information just to download trial versions of their products, including email address, full name, address, post code and company name. Then they do that annoying thing at the end of trying to trick you into letting them send you spam with the old Three Tick Boxes Only One of Which You Should Tick if You Don’t Want To End Up In Every Spammer’s List From Here To Kudus Trick:

[Image: Laplink’s three tick boxes]

Rule of thumb there is to tick the third one in the row because it’s always the opposite of the other ones. As if we’re that stupid.

The other rule of thumb is never to put anything accurate in the fields they do require you to fill out. Not even your gender. Childish? Yes, maybe, but not half as childish as their not trusting you enough to decide whether you like the product on your own terms and not fill their spamming lists.

Of course the better rule of thumb is not to have anything to do with companies that employ such intrusiveness and trickery, but we’d never do anything then.


Ring Tones, Drugs and the Spamming of Google News

This week in the WSJ.com (subscription only, I’m afraid) I wrote about web spam — the growing penetration of faux websites that ride up the search engines and muddy the Internet for all of us. I based it around the recent case of subdomain spam, well documented by the likes of blogs like Monetize. Briefly websites controlled by one Moldovan hit the high rankings on several major search engines using techniques that are imaginative, but not exactly beyond the intelligence of savvy search engine builders. It’s not as intrusive as spam in your inbox but it’s trashing the web and undermining the usefulness of search engines.

But it’s not just ordinary search results that get spammed. It’s news. A search for “ringtones” on Google News, for example, throws up “free mono ringtones” as the top item:

[Image: Google News results for “ringtones”]

(“Ringtone” throws up similar results.) Amazingly, not only is it the top story, but all six “related” stories, visible as a green link below the four, are from the same domain, advertising a range of goods that can hardly be lumped together with ringtones, including sildenafil and tenuate. (Searches for those words on Google News also have the same domain top ranked, at least at the time of writing. Here and here. In fact the results for tenuate do not throw up a single news story; all eight matches are web spam.)

The sites in question are all subdomains of www.vibe.com, an online magazine which is indexed by Google news for its pieces on musicians. The pages that hit the top rank of results for ringtone and ringtones, however, are community messageboard pages, and clearly marked as such, which makes me wonder how either the web spammer is fooling the Google bots into indexing pages which are clearly not news by any definition, or why Google’s bots aren’t doing the job they’re supposed to be doing.

Yahoo! News’ search doesn’t do much better: Its first hit is a web spam site under the domain www.ladysilvia.net, which doesn’t even pretend to be a news site:

[Image: Yahoo! News results for “ringtones”]

(MSN’s news search comes out well, without any spam in sight, as does A9, which is basically the same engine.) But why are these sites getting indexed and included in news searches? I can only assume ringtones are such big business that it’s worth the web spammers’ while to do their damnedest to push their results up not only ordinary search rankings but news searches as well. Still, I would have thought Google and Yahoo! would be on top of this. Apparently not.