By John Mark V. Tuazon
Computerworld Philippines
May 25, 2010

In the early days of the Internet, e-mail used to be the major carrier of spam messages on the Web. Today, according to security solutions firm Sophos, spammers have shifted to social networking sites—where users are many and prevalent—in carrying out their dastardly deeds.

Compromised social networking accounts are just like PCs with botnets installed on them, according to Clarence Phua, ASEAN regional sales manager of Sophos. “[That makes] social networking accounts valuable to hackers, because they can use them to send spam, spread malware, and steal other identities,” he explained.

Social networking sites—notably Facebook and Twitter—have recently been the target of cybercriminals due to their large user base. In February 2010 alone, market research firm comScore pegs Filipino Internet users visiting social networking sites at 90.3%, spending an average of 332.2 minutes (or roughly five and a half hours) on such sites, the highest in the region.

And where there are users, there are those who take advantage. According to Sophos’s 2010 security threat report, at least 57% of social networking users have reported receiving spam via these services, a giant leap of 70.6% from a year ago.

Social networking spam, Phua clarified, include messages, status updates, and wall posts that promote a certain product. Click-jacking—or hiding the original spam URL through a URL shortening service—is also a prevalent method for spam.

Cybercriminals—who, Phua noted, have become more notorious and financially-driven over the years—are also the main perpetrators of malware over social media. Just recently, Facebook users were bombarded by their friends’ compromised accounts with wall posts containing the “sexiest video ever,” a malware that installs an adware on the user’s browser once viewed.

Phua said 36% of social networking users have reported experiencing malware attacks through their profiles, likewise a jump of 69.8% from last year’s data.

Because of the increased incidences of cybercrime through social networking sites, Phua advised CIOs to review their internal policy on social media as well as other Web 2.0 settings. He noted, however, that administrators shouldn’t outright limit access to social media sites, for these can aid in employee productivity. “You [definitely] can’t stop them [from accessing social media sites], but you can control,” he added.

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

By Michael Alan Hamlin

I have some ideas about online visibility and political campaigning in the Philippines, but decided to ask one of the experts in the trenches to share his views. Bon Moya, a member of Senator Mar Roxas’ New Media team and president of a web-based software developer, obliged. Here’s his perspective:

The great unwashed netizens.
Let’s begin with what we think we know. At least one in every four Filipinos are Internet users. Even if you take out those ineligible to vote, that’s still a lot of voters. About one million have broadband, with the number rapidly climbing. The rest access the Net via the office or Internet cafes. So the first thing we deduce is that Internet users are not just from the ABC social classes. Experts say that about 65% of Pinoy Netizens are from the DE classes. If you are not convinced how economically agnostic our Netizens are, check the grammar in Facebook updates.

STOP SHOUTING!
Despite the mind-boggling audience size and highly efficient cost, Web 2.0 is not a platform for broadcasting. It’s “masscom” but not “broadcom.” In traditional media, there is a handful of content generators serving a large audience. In new media, each individual behaves both as a consumer and a distributor of content. Each selectively redistributes content almost instantaneously.

Given this dynamic, the candidate who blasts a generic message loudly and broadly can be trumped by one who whispers the most relevant, compelling content to a network that takes the message and redistributes it. The key is not to inform but to involve. Because of its massive micro-networked nature, in the Net, the relevant whisper can become a scream very quickly, or may slowly crescendo over time.

VERY Up Close and Personal.
You see this line here? This is MY space. Enter only if invited. Consider the following Internet concepts: personal email address; unique User ID; secret passwords; privacy policies; SPAM; customized template; avatar. The very public Web is a very private space.

It may be difficult to imagine but Netizens are as egocentric as the politicians who demand their attention. They want to be heard more than they want to hear. So it will be a great waste of resources to provide netizens with press releases. You’ll get better traction and attention by just posting gossip… or by baring truly personal and intimate bits of your life that others are eager to share.

Consider what Mar Roxas did during his honeymoon. He tweeted about his experience and gave the public a glimpse of a part of him that was not given them before. The crucial thing is not the candidate’s ability to deliver the message to a huge audience but for the huge audience to adopt the candidate and his message.

Present but no presence.
It’s significant to note that ALL national candidates running this 2010 have an official web site. Politicians seem to think that COMELEC checks the net to determine serious vs. nuisance candidates. Likely, most of them have poor site traffic with bounce rates above 60%. At this rate, candidates are better off spending their money on pocket calendars.

If you don’t grab visitors in the first five seconds you lose them, probably for good. Hard to beat addictive massive multiplayer games, incredible videos on YouTube and the need to serve food in Café World (in Facebook). Who would want to pay P20/ hour for Internet time to see a politician’s face and read self-serving praise releases?

The elegant truth is that you don’t have to have an official site to be prominent in the Net. What you need is for your content to be on as many sites as possible. Bringing people to your site is expensive and ineffective), so bring your content to the people.

Obama, my foot!
The spiel starts with this, “In the US, Barack Obama revolutionized US elections by effectively harnessing the Internet…” Keep your wallet closed. Accept this premise only if you agree that American democracy is the same as Philippine democracy.

Like many things, Filipinos have adopted something foreign—democracy—and made it their own. Think Jeepney.

Global Parlor.
We use the Net to stay in touch and updated. We also use it rather effectively, and viciously, to spread gossip. With many of us communicating with individuals who are abroad, we have expanded our chit-chat sessions and broken down physical boundaries using the Net. But will it work for the 2010 campaign? Only if you whisper something worth distributing.

Possibly Related Posts:

• SocMed Savvy
• Independence Day
• Memo to President Aquino
• Wi-Fi’s Public Enemy: RF Interference
• Information Literacy: A Call to Action

By John E. Dunn
Techworld.com
March 8, 2010

LONDON - Criminals re-used an attack from 2008 to hit the Internet with a huge wave of ransomware in recent weeks, a security company has reported.

In the space of only two days, 8 and 9 February, the HTML/Goldun.AXT campaign detected by Fortinet accounted for more than half the total malware detected for February, which gives some indication of its unusual scale.
The attack itself takes the form of a spam email with an attachment, report.zip, which if clicked automatically downloads a rogue anti-virus product called Security Tool. It is also being distributed using manipulated search engine optimisation (SEO) on Google and other providers.

Such scams have been common on the Internet for more than a year, but this particular one features a more recently-evolved sting in the tail. The product doesn’t just ask the infected user to buy a useless licence in the mode of scareware, it locks applications and data on the PC, offering access only when a payment has been made through the single functioning application left, Internet Explorer.

What’s new, then, is that old-style scareware has turned into a default ransom-oriented approach. The former assumes that users won’t know they are being scammed, while the latter assumes they will but won’t know what to do about it.

The technique is slowly becoming more common - see the Vundo attack of a year ago - but what is also different is the size of this attack, one of the largest ever seen by Fortinet for a single malware campaign.
Fortinet notes that Security Tool is really a reheat of an old campaign from November 2008, which pushed the notorious rogue antivirus product Total Security as a way of infecting users with a keylogging Trojan.

“This is a great example of how tried and true attack techniques/social engineering can be recycled into future attacks,” says Fortinet’s analysis.

According to Fortinet, the ‘engine’ pushing the spike in ransom-based malware is believed to be the highly-resilient Cutwail/Pushdo botnet, the same spam and DDoS system behind a number of campaigns in the last three years including the recent pestering of PayPal and Twitter sites.

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

By Gregg Keizer
Computerworld (US)
March 1, 2010

FRAMINGHAM - Microsoft has several other botnets in its crosshairs, and believes it can use the same legal tactic against them that it deployed last week to strike at the Waledac botnet’s command-and-control centers.

But the company also admitted that it had not yet severed all communications between the controllers of Waledac and the thousands of compromised Windows computers used by hackers to pitch bogus security software and send a small amount of spam.

“This shows it can be done,” said Richard Boscovich, senior attorney with Microsoft’s Digital Crimes Unit. “Each botnet is different, of course, but this is another arrow in the quiver. This is not the last [effort]…. We have other operations on the drawing board.”

Last Wednesday, Microsoft announced that it had been granted a court order that yanked nearly 300 sites from the Internet. Those sites, Microsoft said, were a key link between hackers and the PCs that make up the Waledac botnet. The legal tactic, which garnered accolades from many security professionals as a precedent-setting move, resulted in what Microsoft called “a major botnet takedown” of Waledac, a fact that some researchers disputed.

The same method can and will be applied to other botnets, Boscovich said. He declined to say which zombie PC army is next on Microsoft’s hit list. “Of course this is scalable,” he said when asked whether the legal action against Waledac would work against other botnets, or was a one-off. “This is another tool we can now use, another mechanism that is available.”

In fact, when Microsoft officials sat down in early January to decide which botnet to target, they started with a list of six, then narrowed it to three, from which they selected Waledac. The remaining five unnamed botnets remain on Microsoft’s list.

“We wanted to challenge ourselves technically,” said Boscovich when asked why Waledac was chosen. “From the technical standpoint, it had a certain reputation.”

Waledac does have a reputation. The malware that infects victimized PCs was created by, and the botnet is maintained by, hackers who previously flooded the Internet with the Storm bot from early 2007 through mid-2008. Waledac’s makers “definitely know the ins and outs,” Joe Stewart, director of malware analysis at SecureWorks and a noted botnet researcher, said last Thursday.

Boscovich admitted that Waledac wasn’t the world’s biggest botnet, but said several things recommended it for the debut of Microsoft’s legal approach to bot smashing. Among them: The identified command-and-control domains were all registered with one domain registrar, VeriSign, which made it easier to coordinate the site shutdowns; and Microsoft had been in contact with several independent researchers who had dug deep into the malware’s code and the botnet’s behavior.

Even as Microsoft said it would again swing the legal sword, it also admitted it had not completely cut ties between the infected PCs and the hackers who control them.

“They were severely impacted [by the legal action], and we expect the severity of the impact to increase over the next several days,” said T.J. Campana, a senior program manager who works for Boscovich in the company’s Digital Crimes Unit. When asked whether communications between the Waledac hackers and the botnet’s PCs had been comprehensively severed, Campana answered, “By and large, the answer is no.”

Last week, Microsoft claimed it had grabbed control of more than 60,000 bots in the Waledac collection after the court order shuttered the 277 targeted domains. Several security researchers, however, questioned whether the tactic would cripple Waledac , or even disrupt its activities, since hackers have multiple mechanisms for passing commands to machines infected with Waledac.

As a fall-back, Waledac bots can communicate to their controllers “indefinitely” using IP (Internet Protocol) addresses that are hard-coded into the bot Trojan, SecureWorks’ Stewart said last week.

Campana acknowledged those alternate command-and-control links within Waledac, and said Microsoft is attacking those as well. He declined to provide details of what Microsoft was doing, or when — or even if — the Waledac bots would be unreachable by their makers. “In addition to the legal action against the domains, we have taken other technical measures,” said Campana. “At this point, we’re still working that angle and actively adapting our measures.”

Several message security and spam filtering companies and organizations, including Google ’s Postini and the U.K.-based SpamHaus, also disputed Microsoft’s claim last week that Waledac was a “major distributor of spam” and that crippling it would reduce spam.

Symantec’s MessageLabs also weighed in on the impact issue, and like other vendors, downplayed Waledac’s significance. “There’s been no real noticeable effect of the takedown,” Matt Sergeant, a senior anti-spam technologist with MessageLabs, said in an e-mail. “It’s one of the smallest botnets out there, and the court order appears to have had very little effect on its output.”

Microsoft countered, saying it’s too early to gauge its anti-Waledac moves. “We’re still looking at the impact this has had,” said Campana, referring specifically to the monitoring Microsoft’s doing of the volume of spam addressed to Windows Live Hotmail accounts. “It’s somewhat premature to say ‘yay or nay’ yet.” The next one or two weeks will tell the tale, Campana agreed.

But Boscovich would not promise that Microsoft would make Hotmail spam data public. “We’ll look at that [decision] fairly soon,” he said.

It isn’t the first time that Microsoft has said it has crippled a botnet built by this group of hackers. In April 2008, the company took credit for crushing the Storm botnet — Waledac’s predecessor — saying that the malware search-and-destroy tool it distributes to Windows users every month disinfected so many bots that the hackers threw in the towel .

As with the Waledac take-down, researchers at the time disputed Microsoft’s claim that it had beaten Storm into submission.

Campana urged Windows users to run the Microsoft-made Malicious Software Removal Tool (MSRT) to scrub Waledac from infected systems, and up-to-date anti-virus software to keep it off still-clean machines. “This is definitely a preventable issue,” he said.

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

By John E. Dunn
Techworld.com
January 25, 2010

LONDON - Security vendor Websense is offering Facebook users and businesses a new free ‘firewall’ service that monitors their pages for malicious posts, links and spam.

Defensio 2.0 checks all posts to Facebook in real time against Websense’s ThreatSeeker Network, a database of problem URLs, before deciding whether to categorise a post as malicious or unwanted. This also draws from data gathered by US ISP Radialpoint and URL shortening service bit.ly before performing further heuristic analysis as a final check.
If a bad post is detected, the system logs and informs the user who makes the final decision. As with the original Defensio system - acquired a year ago when Websense bought the company of the same name - it can also monitor web pages for rogue posting, pre-emptively blocking those it deems unwanted.

“We are seeing real threats to Facebook such as Koobface,” said Websense senior research manager, Carl Leonard.

According to Leonard, an advantage of Web 2.0 monitoring was that it gave security companies a way of following criminals inside the otherwise closed world of social media, something that many security vendors can’t yet do. “We can have visibility into threats on these social networks, and have a fantastic feed of information that can benefit all our customers,” he said.

Leonard was not able to say when or if the monitoring might be available other social media sites or feeds such as twitter, where rogue behaviour can be difficult to spot.

The service is free for anyone with fewer than 50,000 posts per month, and for companies with 15 employees of less. For professional sites or sites with larger volumes of posts, the service starts at $5 (£3) per month, per site.

The issue of abuse of blog and forums by malware hawkers is long established and the company’s own research indicates that it’s become a big enough issue to drown most unprotected sites with posting spam.

Defensio monitoring has also been integrated with the company’s Web Security Gateway system.

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

By Anuradha Shukla
MIS Asia
December 18, 2009

SINGAPORE - This year is on its way out and seemingly cyber criminals are also planning their year ahead. Secure content management solutions developer Kaspersky Lab has outlined the threats it expects to see in 2010 as a result of cyber criminal activity.

Kaspersky Lab was expecting a rise in the number of global epidemics in 2009 but this year was marked by sophisticated malicious programs with rootkit functionality. Corporates and individuals struggled with the Kido worm (Conficker), Web attacks and botnets. An increase in the cases of SMS fraud and attacks on social networks was also experienced.

Shift in cyber strategy
Cyber criminals have changed their strategy and in 2010 they will no longer attack via websites and applications. They are now more focused on attacking computers through file sharing networks.

This concept is not entirely new according to Kaspersky Lab, which points out that this year saw a series of mass malware epidemics supported by malicious files that were spread via torrent portals. This ‘approach’ helped cyber criminals spread threats such as TDSS and Virut. There will be a significant increase in these types of incidents on peer-to-peer (P2P) networks next year.

Being a criminal doesn’t mean there will be no competition similar to the real business world. Kaspersky Lab says next year, cyber criminals will continue competing for traffic and they are trying to make their businesses legal. Apparently, they want to legalise the way they earn money online using the huge amount of traffic that can be generated by botnets.

Profits from spam
Partner programs will be popular in the future as botnet owners will try to make profits from activities such as sending spam, performing denial-of-service (DoS) attacks or distributing malware without committing an explicit crime.

Google Wave has reasons to be worried next year as it will be a target for cyber attacks. Both iPhone and Android should be careful because the first malicious programs for these mobile platforms already appeared in 2009.

Kaspersky Lab notes that the major cause of epidemics will be the detection of new vulnerabilities in both software developed by third parties and in Windows 7, the newly launched operating system. Next year will be one of the quietest years for some time if no serious vulnerabilities are detected.

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

Computerworld Philippines Staff
October 16, 2009

A prediction two years ago by IT security solutions firm Kaspersky Lab on the possible use of YouTube as a medium for disseminating spam has finally been fulfilled.

Kaspersky Lab reported it has detected the mass mailing of unsolicited messages that include links to video advertisements on the popular video hosting site.

However, this is the first time the company’s specialists have detected a mass mailing specifically intended to make users view an advertising video.

Kaspersky Lab’s Content Filtering Research group recorded a mass mailing that contained a link directing users to a video advert on YouTube. There were several message variations in the mass mailing, but they all included the same link to YouTube.

Due to its worldwide popularity, YouTube is a potentially attractive resource for distributing spam, Kaspersky Lab said.

“Naturally, this type of advertising is more interesting and gets more hits,” said Darya Gudkova, head of content analysis and research at Kaspersky Lab. “Two years ago, spammers used the YouTube name and the promise of interesting videos to lure users to advertising sites. Now the links really do lead to this popular video hosting site which is being used to store unsolicited advertising content.”

Yet Gudkova noted this is not the first time a creative approach has been used by spammers this year. Last April, messages were detected that contained nonstandard, complex images advertising spammer services. Noise techniques have also been applied to graphical files, causing problems for spam filters.

Kaspersky Lab reminded on how important it is for users to keep spam filters turned on in order to block unwanted or potentially hazardous correspondence. The spam filter training option in the company’s products should also be utilized to constantly improve protection against all types of unsolicited mass mailings. – Tom S. Noda

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

By Robert McMillan
IDG News Service (San Francisco Bureau)
October 8, 2009

SAN FRANCISCO - The head of the US Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt.

FBI Director Robert Mueller said he recently came “just a few clicks away from falling into a classic Internet phishing scam” after receiving an e-mail that appeared to be from his bank.

“It looked pretty legitimate,” Mueller said Wednesday in a speech at San Francisco’s Commonwealth Club. “They had mimicked the e-mails that the bank would ordinarily send out to its customers; they’d mimicked them very well.”

In phishing scams, criminals send spam e-mails to their victims, hoping to trick them into entering sensitive information such as usernames and passwords at fake Web sites.

Though he stopped before handing over any sensitive information, the incident put an end to Mueller’s online banking.

“After changing our passwords, I tried to pass the incident off to my wife … as a teachable moment,” he said. “To which she deftly replied, ‘Well, it is not my teachable moment. However, it is our money. No more Internet banking for you.”

Mueller said he considers online banking “very safe” but that “just in my household, we don’t use it.”

Phishing has evolved into a big problem, not just for banks, but for online retailers and even providers of consumer Web applications such as Facebook and Yahoo.

In June — the latest month for which figures are available — the Anti-Phishing Working Group counted nearly 50,000 active phishing Web sites, the second-highest number it has ever recorded.

Late last week, criminals posted tens of thousands of passwords belonging to Microsoft Live Hotmail, Gmail, and Yahoo accounts online. They are all thought to have been stolen via phishing.

Mueller’s FBI has had some success in going after phishers. On Wednesday it announced it had arrested 33 people in the U.S. in connection with an international phishing operation. Egyptian authorities have charged 47 in connection with the same scam.

“They targeted American financial institutions and also approximately 5,000 American citizens here in the United States,” Mueller said. Dubbed Operation Phish Phry, “it is the largest international phishing case ever conducted,” he added.

“Far too little attention has been paid to cyber threats and their consequences,” Mueller said. “Intruders are reaching into our networks every day looking for valuable information. Unfortunately they’re finding it. “

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds

By Grant Gross
IDG News Service (Washington Bureau)

WASHINGTON - A Virginia software developer has pleaded guilty to charges related to creating and marketing software designed to send bulk commercial e-mail messages, in violation of the U.S. CAN-SPAM Act, the U.S. Department of Justice said.

David S. Patton, 49, of Centreville, Virginia, pleaded guilty Tuesday to aiding and abetting violations of the CAN-SPAM Act committed by spam kingpin Alan Ralsky and Scott Bradley, both of West Bloomfield, Michigan, and other spammers, the DOJ said.

Under the terms of his plea agreement, Patton faces up to six years in prison, a fine of US$3,000 and the forfeiture of $50,100 in proceeds for the sale of his software. Patton pleaded guilty in U.S. District Court for the Eastern District of Michigan.

The CAN-SPAM Act, passed by the U.S. Congress in 2003, prohibits sending commercial e-mail messages with false sender information and with inaccurate subject lines. It requires the senders of unsolicited commercial e-mail to provide working opt-out mechanisms and include their physical addresses in the e-mail.

From January 2004 to September 2005, Patton and his company, Lightspeed Marketing, developed and sold customized software products that allowed users to send large volumes of spam e-mail at high speeds and disguise the true origin of the e-mails from recipients in order to evade antispam filters, blacklisting and other spam-blocking techniques, the DOJ said.

Patton, in his plea agreement, acknowledged that he designed the Nexus software package to enable users to insert false information into the headers of the spam e-mails it sent, the DOJ said. Patton designed Proxy Scanner to enable users to make use of third-party proxy computers to relay or retransmit spam e-mails and disguise their true origin.

Patton sold both Nexus and Proxy Scanner to Ralsky and other customers, knowing that the two software programs would be used to commit violations of the CAN-SPAM Act, the DOJ said. Patton also provided ongoing support and product updates to his Nexus and Proxy Scanner customers with the intent to assist them in violating the CAN-SPAM Act, the agency said.

Patton is the 12th defendant charged in connection with the spam e-mail operation run by Ralsky from January 2004 to September 2005. Ralsky, Bradley and six other defendants have pleaded guilty to CAN-SPAM-related charges and other offenses.

In June, Ralsky and four other people pleaded guilty to charges related to a stock fraud case involving spam messages that pumped up Chinese “penny” stocks. Ralsky faces up to seven years in prison on those charges, conspiracy to commit wire fraud and mail fraud and to violate the CAN-SPAM Act.

Possibly Related Posts:

• Check Point clears the path to Web 2.0 application control
• Water cooling returns to IBM mainframe
• Microsoft still mum on programs prone to DLL hijacking attacks
• Mobile data traffic set to soar
• More IT managers plan to spend less, Oracle struggles with users, survey finds