Phishy Facebook Emails

Facebook phishes are getting better. Compare this one:

[image: the real Facebook notification email]

and this:

[image: the scam Facebook notification email]

Notice how the key bit, supposedly defining that it’s a legit email, is successfully and convincingly faked:

[image: the faked “legit” portion of the scam email]

The only difference that stands out is the domain: facebookembody.com. Although Google classified it as spam, they didn’t warn that it would go to a website that contains malware. So be warned. Notification emails aren’t such a good idea anymore, if they ever were.
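As an added example (not code from the original post), the following check does what the eye has to do above: it ignores the convincingly faked body and looks only at the sender and link domains, flagging any that merely embed the brand name, as facebookembody.com does. The two sample messages and the list of legitimate sending domains are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "facebook"
# Domains the brand is assumed to send notifications from (assumption).
LEGIT_DOMAINS = {"facebook.com", "facebookmail.com"}


def registrable(host):
    """Crude 'last two labels' domain: www.facebook.com -> facebook.com."""
    return ".".join(host.lower().strip().split(".")[-2:])


def classify_domain(host, display_name=""):
    """Return legit / lookalike / other for one host.

    A domain that is not on the allow-list but contains the brand name,
    or a display name that claims the brand while the domain does not,
    is treated as a lookalike.
    """
    d = registrable(host)
    if not d or "." not in d:
        return "other"
    if d in LEGIT_DOMAINS:
        return "legit"
    if BRAND in d or BRAND in display_name.lower():
        return "lookalike"
    return "other"


def assess(raw_message):
    """Classify the From: domain and every http(s) link host in the body."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender = classify_domain(addr.rpartition("@")[2], name)
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = re.findall(r"https?://([^/\s'\"<>]+)", body)
    links = {h: classify_domain(h) for h in hosts}
    if sender == "lookalike" or "lookalike" in links.values():
        verdict = "phish"
    elif sender == "legit" and all(v == "legit" for v in links.values()):
        verdict = "ok"
    else:
        verdict = "suspicious"
    return {"sender": sender, "links": links, "verdict": verdict}


# Constructed sample messages; only the lookalike domain comes from the post.
REAL = """From: Facebook <notification+abc@facebookmail.com>
To: someone@example.net
Subject: You have a new message

Alice sent you a message. http://www.facebook.com/n/?inbox
"""

SCAM = """From: Facebook <notification+abc@facebookembody.com>
To: someone@example.net
Subject: You have a new message

Alice sent you a message. http://www.facebookembody.com/n/?inbox
"""

if __name__ == "__main__":
    for label, raw in (("real", REAL), ("scam", SCAM)):
        print(label, assess(raw))
```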

My War On ATM Spam and Other Annoyances

By Jeremy Wagstaff

(This is a copy of my weekly syndicated column)

You really don’t need to thank me, but I think you should know that for the past 10 years I’ve been fighting a lonely battle on your behalf. I’ve been taking on mighty corporations to rid the world of spam.

Not the spam you’re familiar with. Email spam is still around, it’s just not in your inbox, for the most part. Filters do a great job of keeping it out.

I’m talking about more serious things, like eye spam, cabin spam, hand spam, counter spam and now, my most recent campaign, ATM spam.

Now there’s a possibility you might not have heard of these terms. Mainly because I made most of them up. But you’ll surely have experienced their nefarious effects.

Eye spam is when something is put in front of your face and you can’t escape from it. Like ads for other movies on DVDs or in cinemas that you can’t skip. Cabin spam is when flight attendants wake you from your post-prandial or takeoff slumber to remind you that you’re flying their airline, they hope you have a pleasant flight and there’s lots of duty free rubbish you wouldn’t otherwise consider buying wending its way down the aisle right now.

Then there’s hand-spam: handouts on sidewalks that you have to swerve into oncoming pedestrian traffic to avoid. Counter spam is when you buy something and the assistant tries to sell you something else as well. “Would you like a limited edition pickled Easter Bunny with radioactive ears with that?”

My rearguard action against this is to say “if it’s free. If it’s not, then you have given me pause for thought. Is my purchase really necessary, if you feel it necessary to offer me more? Is it a good deal for me? No, I think I’ll cancel the whole transaction, so you and your bosses may consider the time you’re costing me by trying to offload stuff on me I didn’t expressly ask for.” And then I walk out of the shop, shoeless, shirtless, or hungry, depending on what I was trying to buy, but with that warm feeling that comes from feeling that I stuck it to the man. Or one of his minions, anyway.

And now, ATM spam. In recent months I’ve noticed my bank will fire a message at me when I’m conducting my automated cash machine business offering some sort of credit card, or car, or complex derivative, I’m not sure what. I’ve noticed that this happens after I’ve ordered my cash, but that the cash won’t start churning inside the machine until I’ve responded to this spam message.

Only when I hit the “no” button does the machine start doing its thing. This drives me nuts because once I’ve entered the details of my ATM transaction I am usually reaching for my wallet ready to catch the notes before they fly around the vestibule or that suspicious looking granny at the next machine makes a grab for them. So to look back at the machine and see this dumb spam message sitting there and no cash irks me no end.

My short-term solution to this is to look deep into the CCTV lens and utter obscenities, but I have of late realized this may not improve my creditworthiness. Neither has it stopped the spam messages.

So I took it to the next person up the chain, a bank staff member standing nearby called Keith. “Not only is this deeply irritating,” I told him, “but it’s a security risk.” He nodded sagely. I suspect my reputation may have preceded me. I won a small victory against this particular bank a few years back when I confided in them that the message that appeared on the screen after customers log out of their Internet banking service—“You’ve logged out but you haven’t logged off”, accompanied by a picture of some palm trees and an ad for some holiday service—may confuse and alarm users rather than help them. Eventually the bank agreed to pull the ad.

So I was hoping a discreet word with Keith would do the trick. Is there no way, I said, for users to opt out of these messages? And I told him about my security fears, pointing discreetly to the elderly lady who was now wielding her Zimmer frame menacingly at the door. Keith, whose title, it turns out, is First Impression Officer, said he’d look into it.

So I’m hopeful I will have won another small battle on behalf of us consumers. Yes I know I may sound somewhat eccentric, but that’s what they want us to think. My rule of thumb is this: If you want to take up my time trying to sell me something because you know I can’t escape, then you should pay for it—the product or my time, take your pick.

Now, while I’ve got your attention, can I interest you in some of those Easter bunny things? They’re actually very good.

Podcast: HP, Palm, Spam and Social Media Cold Turkey

This podcast is from my weekly slot on Radio Australia Today with Phil Kafcaloudes and Adelaine Ng, wherein we discuss HP buying Palm, students going cold turkey on social media, and China no longer being the spam capital of the world?


I appear on Radio Australia Today every Friday at about 9.15 am Singapore time (that’s 0.15 GMT/UTC.) There’s a live stream of the broadcast here, or find out your local frequencies here.

The Undignified Death of Social Networks

I’m intrigued, and slightly depressed, at how social networking sites deteriorate so quickly into what are little more than scams. I think it started about a year ago, when a number of sites started pulling the stops out to build up membership.

Now, it seems, it’s all about the money. Take Quechup, for example, which has never had a very good reputation, though some say it’s undeserved. I don’t think anyone would try to argue that now.

I opened an account at Quechup about a year ago, and left it, with no friends, no connections, no activity (a bit like my real life.) I didn’t get anything until last month. In the past month I’ve received more than 30 messages. All of them from people I don’t know; all of them, from the subject line, spam:

[image: Quechup inbox full of spam messages]

So what’s the scam, then?

Well, if you’re fool enough to open one of these messages, that’s your limit. Suddenly your inbox looks like this:

[image: Quechup inbox after opening a message]

The message is basically that you can’t open any messages until you upgrade your membership:

[image: Quechup “upgrade your membership” notice]

Upgrading, of course, costs. Not a lot, but if you’re curious to find out who’s been scamming you, sorry, flirting with you, you have to cough up:

[image: Quechup upgrade payment page]

My question is this: Who is behind the spam in my inbox?

Admittedly, my profile is a bit provocative:

[image: my Quechup profile]

Still. One can’t help feeling that either the spam is being allowed by Quechup as a money-making exercise, or, the only other explanation I can think of, it’s spamming its members with silly messages in the hope they’ll be curious enough to upgrade and read them.

Either way, it’s a social network that’s dead from the neck up.

Sad, really.

Your Phone as Stalker

Phone spam feels like it’s getting worse.

My wife and I have been receiving numerous calls from the local arm of ANZ Bank — a bank I am happy to identify by name because I’ve sought comment from them without reply for nearly a week now. Our mobile phone numbers were probably sold by another bank or possibly by the cellphone company.

Nokia researcher Jan Chipchase starts picking up SMS and phone spam on Hutch in India within a day of activating his SIM card, and finds that the company is three times as slow at removing his number from their spam lists:

Locals in the know send a text message to opt out, a process that, according to Hutch’s automated response takes at least three days to activate: “We respect your privacy. Please give us 72 hours to include your number on our Do Not Disturb list. Thank you” and an unspecified amount of time this to filter through to the companies that already have you on their disturb list.

I’m quite aggressive at fighting SMS and phone spam, but not always successful. One nightclub spammed me regularly until I got upset. Now they don’t. (Embarrassingly, it turned out to be owned by a friend of mine.) Now a lot of people here don’t answer their phone unless they recognize the number on the display.

Still, nothing is quite as bad as this case of cellphone stalking in the U.S., where one family claims to feel harassed to the point of paralysis through their cellphone. A good clear-eyed view of the mess here.

Protect Your Privacy With Twiglets

[image: Laplink download registration form]

I really hate being asked for lots of private details just to download a product. In short: People shouldn’t have to register to try something out. An email address, yes, if absolutely necessary.

But better not: just let the person decide whether they like it. It’s the online equivalent of a salesperson shadowing you around the shop so closely that if you stop or turn around quickly they bump into you. (One assistant in Marks & Spencer the other day tailed me so closely I could smell his breath, which wasn’t pleasant, and then had the gall to signal to the cashier it was his commission when I did, without his help, choose something to buy.) I nearly put some Marks & Spencer Twiglets up his nose but that branch doesn’t sell them.

Anyway, the latest offender in this regard is Laplink, who ask for way too much personal information just to download trial versions of their products, including email address, full name, address, post code, company name. Then they do that annoying thing at the end of trying to trick you into letting them send you spam with the old Three Tick Boxes Only One of Which You Should Tick if You Don’t Want To End In Every Spammers List From Here To Kudus Trick:

[image: Laplink’s three opt-in tick boxes]

Rule of thumb there is to tick the third one in the row because it’s always the opposite of the other ones. As if we’re that stupid.

The other rule of thumb is never to put anything accurate in the fields they do require you to fill out. Not even your gender. Childish? Yes, maybe, but not half as childish as their not trusting you enough to decide whether you like the product on your own terms and not fill their spamming lists.

Of course the better rule of thumb is not to have anything to do with companies that employ such intrusiveness and trickery, but we’d never do anything then.


Measured vs Spewed: The New Reviewers

(A podcast of this is also available.)

The walls of elite reviewers come tumbling down, and it’s not pretty. But is it what we want?

I belatedly stumbled upon this piece in The Observer by Rachel Cooke on a new spat between editors, reviewers and blogger reviewers, and not much of it is new. There’s the usual stuff about how bloggers are anonymous (or at least pseudonymous) and the usual tale of how one writer got her spouse to write an anonymous positive review on Amazon (why hasn’t mine done one yet!) to balance against all the negative stuff.

As Tony Hung points out, the piece gets rather elitist by the end, although I have to like her description of Nick Hornby, a great writer and careful reviewer: “[H]is words are measured, rather than spewed, out; because he is a good critic, and an experienced one; and because he can write.” Measured vs spewed is a good way of putting it. It’s also a good way of thinking about the two very different beasts we’re talking about here.

There are two different kinds of reviews, serving two different purposes. If Nick Hornby likes a book, I may well buy it because I like Nick Hornby’s work. Of course, I’ll also enjoy his review as a piece of writing in its own right; chances are he’s put a huge amount of effort into it. It’s all about who writes the review. (And we need to always keep in the back of our mind the tendency, noted down the years in Private Eye, that reviewers in big name newspapers often seem to end up reviewing books by people they know, often rather well. It’s a small world, the literary one.)

If I’m reading about a book on Amazon I’m less picky about who and more about how many, and what. If 233 out of 300 people like a book on Amazon I am going to be more impressed than if 233 out of 300 people hated it. I’ll scan the reviews to see whether there are any common themes among the readers’ bouquets or brickbats. Take Bill Bryson’s latest, for example: Most reviewers loved it, and quite a few fell out of their chair reading it. Take Graeme Hunter, who writes: “Bill has managed yet another work of ‘laugh-out-loud’ ramblings, but this is his first to make me cry at the end.” That tells me that regular readers of Bryson are probably going to like it. But not everyone. One reviewer, J. Lancaster, wrote that while he was a big fan, he found the book “slow and ponderous and lacks the wit, insight and observation of, well, all his other books.” That tells me something too: Don’t expect to be dazzled all the way through.

Now note that these reviewers have attached their real names. They’re not anonymous, pseudonymous or fabrications of someone’s imagination or close family. Their writings may not be that literary, but that’s not what I’m looking for in an Amazon review. With Amazon, I’m looking to mine the wisdom of the crowd — the aggregate opinion of a group of people all with the same interest as myself in mind: not wasting our money on a dud book.

Compare what they write to the two snippets of blurb from big name publications on the same Amazon page:

New York Times
‘Outlandishly and improbably entertaining…inevitably [I] would
be reduced to body-racking, tear-inducing, de-couching laughter.’

Literary Review
‘Always witty and sometimes hilarious…wonderfully funny and
touching.’

Useful, but not much more useful than the Amazon reviews.

The bottom line is that reading a review on Amazon is like polling a cross section of other people who’ve read the same book. It’s like being able to walk around a bookshop tapping strangers on the shoulder and asking what they think of the book you have in your hand. Their responses are likely to be as spewed as an Amazon or blog review. But it doesn’t lessen their value. If all you want to know is whether the book is worth reading, you may be better served than some ‘measured’, self-conscious professional review.

This is the difference that the Internet brings us. It’s not either/or, it’s about consumers having more information about what they’re buying, and having a chance to give feedback on what they have bought. That all this is a little unnerving to those writers used to being far removed from the book-buying mob, and the pally/bitchy relationship they have with reviewers should come as no surprise. My advice: get used to it.

PS I spewed this piece out in 27 minutes. (You can tell – Ed)

Ring Tones, Drugs and the Spamming of Google News

This week in the WSJ.com (subscription only, I’m afraid) I wrote about web spam — the growing penetration of faux websites that ride up the search engines and muddy the Internet for all of us. I based it around the recent case of subdomain spam, well documented by the likes of blogs like Monetize. Briefly websites controlled by one Moldovan hit the high rankings on several major search engines using techniques that are imaginative, but not exactly beyond the intelligence of savvy search engine builders. It’s not as intrusive as spam in your inbox but it’s trashing the web and undermining the usefulness of search engines.

But it’s not just ordinary search results that get spammed. It’s news. A search for “ringtones” on Google News, for example, throws up “free mono ringtones” as the top item:

[image: Google News results for “ringtones”]

(“Ringtone” throws up similar results.) Amazing, not only is it the top story but all the six “related” stories you can see as a green link below the four are from the same domain, advertising a range of goods that can hardly be lumped together with ringtones, including sildenafil and tenuate. (Searches of those words on Google News also have the same domain as top ranked, at least at the time of writing. Here and here. In fact the results for tenuate do not throw up a single news story; all eight matches are web spam.)

The sites in question are all subdomains of www.vibe.com, an online magazine which is indexed by Google news for its pieces on musicians. The pages that hit the top rank of results for ringtone and ringtones, however, are community messageboard pages, and clearly marked as such, which makes me wonder how either the web spammer is fooling the Google bots into indexing pages which are clearly not news by any definition, or why Google’s bots aren’t doing the job they’re supposed to be doing.

Yahoo! News’ search doesn’t do much better: Its first hit is a web spam site under the domain www.ladysilvia.net, which doesn’t even pretend to be a news site:

[image: Yahoo! News results for “ringtones”]

(MSN’s news search comes out well, without any spam in sight, as does A9, which is basically the same engine.) But why are these sites getting indexed and included in news searches? I can only assume ringtones are such big business that it’s worth the web spammers doing their damndest to push their results up not only ordinary search rankings, but I would have thought Google and Yahoo! would be on top of this. Apparently not.

From the Ashes of Blue Frog

The Blue Frog may be no more, but the vigilantes are. Seems that despite the death of Blue Security in the face of a spammer’s wrath, the service has built an appetite for fighting back. Eric B. Parizo of SearchSecurity.com reports on a new independent group called Okopipi who intend “to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends ‘unsubscribe’ messages to spammers and/or reports them to the proper authorities.”

Okopipi has already merged with a similar effort known as Black Frog and has recruited about 160 independent programmers, who are dissecting the open source code from Blue Security’s Blue Frog product. The idea seems to be the same: by automatically sending opt-out requests to Web sites referenced in received spam messages, it aims to over-burden the spammer’s servers (or those of the product he’s advertising) as a deterrent and an incentive to register with Okopipi. By registering he can cleanse his spam list of Okopipi members.

Some tweaks seem to be under consideration: Processing will take place on users’ machines and then on a set of servers which will be hidden to try to prevent the kind of denial-of-service attack that brought down Blue Frog.

Possible problems: I noticed that some of the half million (quite a feat, when you think about it) Blue Frog users were quite, shall we say, passionate about the endeavour. These are the kind of folk now switching to Okopipi. This, then, could become an all-out war in which a lot of innocent bystanders get burned. The Internet is a holistic thing; if Denial of Service attacks proliferate, it may affect the speed and accessibility of a lot of other parts of it, as the Blue Frog experience revealed. (TypePad was inaccessible for several hours.)

Another worry: Richi Jennings, an analyst with San Francisco-based Ferris Research, points out on Eric’s piece that project organizers must ensure that spammers don’t infiltrate the effort and plant backdoor programs within the software. “If I’m going to download the Black Frog application,” Jennings said, “I want to be sure that the spammers aren’t inserting code into it to use my machine as a zombie.” I guess this would happen if spammers signed up for the service and then fiddled with the P2P distributed Black Frog program.

Another problem, pointed out by Martin McKeay, a security professional based in Santa Rosa, Calif., is that spammers will quickly figure out that the weak link in all this is that it rests on the idea of a legitimate link in the email for unsubscribing, and that spammers will just include a false link in there. Actually I thought the link Blue Frog used wasn’t unsubscribe (which is usually fake, since if it wasn’t it would then pull the spammer back within the law) but the purchase link. How, otherwise, would folks be able to buy their Viagra?

One element I’d like to understand better is the other weakness in the Blue Frog system: That however the process is encrypted, spammers can easily see who are members of the antispam group by comparing their email lists before and after running it through the Blue Frog/Black Frog list. Any member who is on the spammer’s list will now be vulnerable to the kind of mass email attack that Blue Frog’s destroyer launched. How is Okopipi going to solve that one?

The Blue Frog Burps His Last?

Bobbie Johnson, technology correspondent at The Guardian, is reporting that Blue Security is killing off the Blue Frog, saying it “could no longer continue to operate in the face of an escalating threat to the internet from a malicious Russian spammer known only as PharmaMaster.” The Blue Frog had been under serious attack from PharmaMaster, knocking it and much of Canada off the air via Denial of Service attacks on its servers.

Eran Reshef, the founder of Blue, said his company, which recently drew $4.8m (£2.5m) in funding and counts several senior industry figures as directors, was simply unable to become trapped in a war against a criminal group. “This is something that’s really got to be left to governments to decide. To fight the spammers you really need to spend $100m.”

Reshef is quoted as saying “it’s a dirty little secret that there is no real way to totally prevent denial-of-service attacks – if the attacker is prepared to put enough money in, then they can beat you every time.”

A surprising conclusion, if true (Bobbie has checked around and says it is so.) Certainly I think Reshef is right that it’s up to governments to deal with this kind of thing; Blue Frog was good in principle, but its supporters began to sound more like vigilantes than a serious and kosher effort to combat spam.