
Sunday, February 08, 2009

Spammers Love to Hurt Internet Users

Love is a many-splendored social engineering tool and spammers are busy sending out a whole lot of their particular brand of love across the electronic universe.

An interesting blog post (Love Hurts) by Kevin Haley at Symantec points out that malicious code writers are busy spreading their work in attachments hidden in the millions of spam messages being spewed out by zombies (compromised computers). If you click on one of these attachments — and your machine isn't bulletproof — it also can become a zombie and be used as part of a botnet to send out more spam. Botnets are groups of compromised computers used to form a super computer. Of course, downloading malware can also mean that all your personal and financial information will be stolen, too. Please note (as you will see below) that some forms of malware currently being sent out can do both.

Kevin's blog post came out at almost the same time Symantec issued its monthly Spam Landscape Report. With Valentine's Day coming up, love is a predictable lure and it's probably a good idea to make sure you know who loves you before clicking on any links in an e-mail.

Another predictable finding in the report is that spam levels are continuing to rise to normal levels after they fell when McColo was shut down. McColo (a Web service hosting provider) was shut down in November after it was discovered they were the source of a large number of botnets, which are used to send out spam. Last month, 79 percent of all e-mail was spam. The report also notes that the point of origin for spam is shifting a little. Although the United States is still number one, the number of active zombies in other countries is rising. While some of this is being attributed to McColo, the report points out that this might point to the fact that some of these countries have an increasing number of users accessing the Internet.

From a spam-commerce point of view, the report indicates weight loss products, counterfeit drugs, cheap watches and porn top the list of items available at super-cheap prices as Valentine's Day approaches.

Besides Valentine's Day, President Obama also continues to be used as a spam lure, according to the report. A lot of this spam contains malware with file names such as usa.exe, obamanew.exe, statement.exe, barackblog.exe and barackspeech.exe. The malware being spread in these spam e-mails is called W32.Waledac, which is capable of both stealing sensitive personal and financial information and turning a machine into a zombie. It also establishes a backdoor to a machine so it can be remotely accessed.

Current events (and holidays) have been and probably will continue to be used as social engineering lures to snare the unwary.

Also noted was a rise in Russian spam hawking goods and services. With cheap long distance services using VoIP, the Russians have actually set up telephone numbers for their intended victims to call. My guess is that they will entice someone to send money, which can't be recovered when the person sending it discovers they've been scammed.

Chinese gambling spam is also mentioned as a new phenomenon in the report. It appears to be patterned after English language gambling spam, but is written in Chinese.

Last, but not least, Nigerian spam is mentioned. Nigerian or 419 spam is named after the section of the Nigerian penal code dealing with fraud. It normally is a come-on for lost riches or winning a lottery and has a lot of spelling and grammatical errors. Typically known as advance fee fraud, the victim is enticed into sending money across a border (wire transfer is preferred) to secure their fortune. Of course in the end, the victim never receives anything and is often left in financial ruin.

There are many twists to advance fee and one of them is to send a bogus financial instrument to a person with instructions to cash it. If the person doesn't get arrested for presenting it, they are instructed to send the money back to the scammer. Of course, the cashing institution eventually figures out the instrument is bogus and the victim is held liable for it.

A lot of people think that advance fee all comes from Nigeria, which isn't true. I've personally traced it to a lot of other places and called some of the telephone numbers. The person answering didn't sound Nigerian and I've spoken to a few people from Nigeria in my time. Naturally, this doesn't mean that scam activity is not coming from Nigeria, just that not all of it does.

Pam Dixon, of the World Privacy Forum, went on record recently that the spelling and grammatical errors aren't being seen as much in advance fee lures anymore. Obviously, advance fee scammers, wherever they hail from, are being more careful and have discovered spell check?

To close, the Anti-Phishing Working Group's recent report on phishing, which is delivered via spam, has noted that the number of crimeware-spreading URLs out there has increased 258 percent versus the same time period last year. It also noted a record high in the amount of hijacked and victimized brand names. Last but not least, it noted another record in the amount of malicious application variants being seen in the wild (on the Internet).

This would suggest that spam is getting more dangerous and the people sending it are becoming more sophisticated. The smartest thing to do with all spam is to delete it. Making sure your computer's security is updated with a known and reliable vendor is also a smart thing to do. After all, as I've speculated many times before, most fraud, phishing and financial misdeeds on the Internet start with spam.

Friday, January 09, 2009

Spam Levels on the Rise, Again

With the shutdown of McColo by Internet Service Providers in November, global spam volumes dropped over 50 percent. Sadly, this appears to have been a short-term fix. According to a new Symantec report, the spammers have moved to new locations and the volumes are back up to 80 percent of pre-McColo levels.

While spam originates from a lot of places, the United States is still in the number one spot, with 27 percent of the spam observed originating from there. China and Brazil tied for second place with 7 percent of spam originating from these countries.

The report indicates that URLs in Canadian Pharmacy spam messages were noted as being top-level Chinese domains (.cn TLD). Could this mean that Chinese knock-off (counterfeit) prescriptions are trying to make it appear as if they are coming from Canada? Given the recent concerns of tainted and poisonous merchandise being exported from China, this might be a concern. Of course, I would think that buying prescription meds over the Internet should be a concern to most people, anyway.

In another variation of recently observed spam, a user is invited to join a social networking site. The link goes to a real group, which was created on the social networking site by the spammer. The group then links to a free blogging site, which redirects the victim to the ultimate destination URL. At the destination URL, personal information is requested, which is probably used to sell to marketing companies or used in other spam campaigns. Please note, although not mentioned in the report, that some of these campaigns might have malicious intent or be scams.

Also noted during the holiday season was a lot of e-Card spam. This spam sometimes comes with malware (malicious software) designed to steal personal and financial information or turn your machine into a spam-spewing zombie computer using your credentials.

A particularly deceptive spam delivery method noted recently is spammers inserting their messages into legitimate newsletters. This method seems to get past spam filters pretty effectively. If the recipient clicks on the message, they are taken to a spammer site. Here again, it might be a site selling junk, but also could be a site with more malicious intent.

Another spam trend in vogue these days is to use the recession as a social engineering lure designed to get people to click on a spam link. Messages are being sent out in the millions touting easy bail-out money to be had and an assortment of the normal get-rich-quick schemes. If it's too good to be true and doesn't make sense, it's normally a scam, and I suspect that most of this type of spam is one.

Last but not least, the spammers are still using President-elect Barack Obama's name to market coin offers, a "Barackumentary DVD" and a free Visa card for helping the Obama clan pick their dog.

Shutting down McColo by reaching out to the ISPs, which was done largely through the work of Brian Krebs at Security Fix (Washington Post), showed that a significant impact can be made on spam when ISPs are held accountable. Given that Brian is one person and a journalist, this was an admirable piece of work. The fact that spam is approaching pre-McColo levels tells us that there are more ISPs that need to be held accountable. Maybe in the end, government and international agencies need to follow Brian's example and make an impact on spam levels that will last a little longer.

Spam is a dangerous pain for everyone who uses e-mail. Most scams, questionable goods and services and cyber-attacks using malicious software start with a spam e-mail. Shutting down the spam operators can only make everyone's experience on the Internet a little more safe and sane.

Thursday, January 01, 2009

Fraudulent Checks Too Profitable for Criminals

Fraudulent checks, bank drafts, money orders, travelers cheques and gift cheques seem to be showing up all over the place. While a portion of these are passed by professional criminals — who sometimes recruit people off the street to pass them — a lot of people are being tricked into cashing them because they believed a (too good to be true) money-making opportunity.

Unfortunately — with the current state of the economy — people seem to be falling for the too good to be true scam opportunities more and more frequently.

Even though the quality of these fraudulent instruments varies, many of these counterfeit items are now produced with magnetic ink that scans. High quality check stock complete with the latest security features can be purchased in office supply stores or on the Internet. This means they scan through most of the readers in point of sale systems at businesses. When used with a real account number, which is why counterfeiting works, these items can be difficult to detect as fraudulent.

The increase in counterfeiting isn't limited to checks. Complete sets of counterfeit documentation are being presented at banks to open new accounts. A small amount of money is put into the account so funds verify on an individual check and then an area is plastered with a lot of checks. Sometimes this is done over the weekend and the funds put in to verify the checks are removed the following Monday. The identities used to pass these checks are often stolen. Since the identities and checking accounts are changed frequently to avoid detection, it's difficult to tie all the activity back to one group or person.

Frequently, people who are down-and-out are recruited to pass these items after receiving a promise for a few quick bucks. If they are caught they are normally considered "expendable" by the people behind the schemes. Sometimes, they even do this using their own identities.

It should also be noted that the groups opening fraudulent accounts and counterfeiting checks also set up phony numbers and even business addresses that get listed in 411 and on information sites fairly easily. Most people would be amazed at how easily they accomplish this because little to no verification is done by the companies listing these numbers. This is also done in a lot of the Internet-related scams and it is not uncommon for them to list a number to a financial institution that isn't real. When they set up these numbers, while the scam is active, they have people answering the lines. Often, if you listen carefully, it's pretty obvious that it is not a legitimate business and sometimes calls are forwarded to cell phones.

Another growing phenomenon is that fewer and fewer banks verify funds when businesses try to find out if a check being presented is good. In this instance, privacy laws and fear of litigation probably have enabled the problem to get worse. A lot of businesses use computerized check verification services, but when stolen identities are used, the checks pass through these systems fairly easily. Even worse, after the check is determined bad and the data goes in the system, innocent people are pegged as passing bad checks.

These checks are often returned by the bank for “non-sufficient funds” because the bank isn't aware the account was set up with fake information. Eventually the account is closed by the bank, but by this time the damage is done. Since banks frequently don't investigate thoroughly enough to determine the account was set up with fake (often stolen) information, it is never identified as fraud. The exception might be when the bank takes a loss, but more frequently they pass the losses to the entity cashing the check.

It's almost impossible to get anyone prosecuted criminally for non-sufficient funds/account closed cases, which means there is little fear of getting caught in this type of scam. Privacy laws also make it difficult for anyone outside the bank to investigate individual cases. In most cases, law enforcement needs a subpoena, which takes time and effort to obtain. Given the resources available at most white collar crime units and the amount of fraud, it often seems like the system is ripe for manipulation by criminals.

Technology and the anonymous nature of the Internet have made check fraud grow substantially. All the necessary software/hardware is available for sale at merchants that sell software and office supplies and on the Internet itself.

There are also Web sites that appear to be dedicated to providing all the materials to commit fraud despite disclaimers that the items are for educational purposes only. One example of these sites is called HackersHomePage. If you take the time to look at this site, you will see that the items for sale on it might enable someone to commit a lot more than simple check fraud.

Another growing phenomenon over the past several years has been the sheer number of counterfeit instruments being passed for a “too good to be true” money making scheme. These schemes, which normally don’t make sense, normally involve secret shopper job opportunities, offers to become a financial representative, auction deals and of course, winning a sweepstakes or lottery.

These scams lure people via spam e-mails, which are sent by the millions, daily. Once someone makes contact with the unknowing victim, they are shipped bogus financial instruments to cash. Along with the bogus financial instrument to be cashed there is a letter instructing the victim to wire the bulk of the money (normally over a border) back to the location of the scammer. Another twist in these money making schemes is to buy small and expensive items, normally electronics or jewelry, and ship them (again) normally overseas. A lot of eBay and Craigslist sellers get taken by these schemes.

From the botnets spewing the spam e-mails out in the millions to the counterfeit checks being sent by the parcelful all over the world, there is little doubt that some pretty organized criminals are behind this activity.

In 2007, an International Task Force monitored the mail in Africa, Europe and North America and intercepted billions of dollars worth (face-value) of counterfeit checks.

The coordination across international borders in these scams is pretty amazing. In any individual scam, the e-mail can come from one country, the checks from another and the request to wire the money to a third.


(Picture of checks intercepted in the mail)

There is also a trend where opportunists receive these items, cash them and keep all the money for themselves. If caught, they pretend to be a victim. If no attempt is made to wire the money to an exotic locale, they are probably in the scheme for their own personal gain. It isn't hard to look in just about any inbox or spam folder, reply to the right e-mail and have all kinds of bogus financial instruments shipped to whatever address a person wants.

The first step to recognizing these scams is to understand how they work. Most if not all of the reasons these checks are being presented aren't going to make sense to a reasonable person. The cliche is that they are too good to be true and they normally are.

The best places for potential individual victims to learn how not to be taken are FakeChecks.org and OnlineOnGuard.gov.

A good resource for businesses and other public entities to learn about check fraud is the National Check Fraud Center.

In closing, the sour economy is probably fueling an increase in all kinds of fraud. The bottom line is that individuals and businesses are being ruined by it. When it comes to businesses, any dollar lost to fraud normally equates to a dollar off the bottom line. So far as the individuals being victimized, cashing these items can lead to being financially ruined and even arrested.

The best defense against becoming a victim is to know how these scams work. After all, very few people become victims when they know they are being ripped-off!