sorinmustaca.com – Sorin Mustaca – personal blog. Security software, agile development, scrum, programming and more

Good idea, badly implemented: notify.me

04.06.2011 (8:49 am) – Filed under: News

From “about us” on the website:

notify.me delivers notifications that interest you in near real time. It eliminates the need for you to constantly check on classified listings, blogs or social networking sites. Notifications are pushed to your destinations of choice such as instant messenger, mobile phone, email, desktop or web application. Check out our wiki for examples of how people are using the service.

Sounds good… I always wanted to have something like this to filter my pages.

But it doesn’t really work… for some reason.

Send via IM doesn’t even authenticate.

Adding a URL ends up in a disaster:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@notify.me and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Apache/2.2.3 (CentOS) Server at www.notify.me Port 80

I sent an email to their webmaster (what a useless action) and posted to their getsatisfaction.com forum.

Let’s see if I get a response.

Email Spam Not the Problem it Once Was for the End-users

26.05.2011 (8:40 pm) – Filed under: quoted,Spam & Phishing

IT security expert Avira found during recent surveys of its customers that email spam is still an everyday occurrence, but not the nuisance it once was. Nearly half of all end-users are satisfied with the anti-spam filters on their PCs and laptops, plus many others rely upon their Internet Service Provider (ISPs) to filter messages. The vast majority of users receive fewer than 10 spam emails per day.

“The Spam landscape has clearly changed in the last two years with the take down of a couple of major botnets,” said Sorin Mustaca, data security expert at Avira GmbH. “Considering the fact that almost all email providers have a form of spam filtering installed on their servers, end-users receive only what the anti-spam solutions on the servers don’t catch. What really surprised me was that 45% of the users answered that they have an anti-spam solution on their computers and that they are satisfied with it. Overall, there is clearly work to be done within the security industry to get rid of 100% of all spam emails, but progress is being made.”

The larger security challenges today include fighting web-based Trojans and spyware that harvest credit card numbers and personal identity information. “But I still don’t recommend anyone clicking open spam emails, as many of them are linked to malicious websites. It’s always best to stay safe from unknown links and emails,” said Mustaca.


PayPal security warning email with malware

03.07.2010 (9:41 am) – Filed under: antivirus,News,Spam & Phishing

There is a new wave of emails pretending to come from PayPal with a ZIP archive attached.
The email says that your PayPal account has been accessed by a third party and that, in order to protect it, the account has been locked. The user is invited to review the report attached to the email: the ZIP archive, which contains a single executable following the template account–report.exe

There is no link inside the email, so everything was made “easy” for the user: he only has to extract the file and execute it.
Please don’t, because it contains malware detected by all Avira products as the dropper DR/Delphi.Gen.

Facebook and Twitter Phishing (on first sight)

20.05.2010 (5:51 pm) – Filed under: General,Spam & Phishing

The source of the articles is in the Avira Techblog:
Twitter Phishing (on first sight)
Facebook Phishing (on first sight)

Twitter

Over the weekend our spam traps received a massive wave of emails looking like the one below:

The emails seem to stem from “Twitter Support” (support@twitter.com) and are addressed each to exactly one unique email address. The link in the email seems to be unique for each email sent, too. Quite an effort to make the email look more legitimate. The target link is always a compromised website holding an html page.

After clicking on the URL, a multi-stage redirection takes place. On some of these redirection websites, the intermediate page raises alerts because our engine detects encrypted content in JS.

Finally comes the surprise: The target website at the end of the redirects is not a phishing website but a Canadian online pharmacy.

For me personally this was a “Wow!” moment. Why did the spammers choose to send the emails as Twitter phishing? I think that the explanation is simple – they did it because nobody did it before.

As usual, users of the Avira Premium Security Suite and users of our gateway products have no reason to fear: the emails are detected as phishing and all target URLs are blocked.

Facebook

Three weeks ago, our spam traps received massive amounts of spam mails which looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we are now seeing plenty of mails which look like Facebook phishing.

The mails seem to stem from “Facebook” and use unique sender addresses that look like “notification+@facebookmail.com”.
Some observations about the current spam mails:

* Almost all the spam mails we’ve seen come from Russia (the “Received” headers show that the sender sits in Russian networks)
* There is always a fake Message-ID similar to the one from Facebook :
* The header “X-Mailer: ZuckMail [version 1.00]” is always the same
* There is an additional X-header called Errors-To with another email address at Facebook “notification+@facebookmail.com”
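
The observations above turned into a header check, as an added example (not code from the original post or from Avira). It assumes Postfix-style Received lines and an allow-list suffix for genuine Facebook relays taken from your own mail logs; the two messages are constructed samples.

```python
import email
import re
from email.utils import parseaddr

# Assumption: suffix that genuine Facebook relays show in your own mail logs.
TRUSTED_SUFFIXES = (".facebook.com",)
# Assumption: Postfix-style trace line, "from HELO (rdns [ip]) by ...".
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

# Constructed samples (documentation hosts and addresses, not real traffic).
SPOOFED = (
    "Received: from localhost (pool-7.dsl.example.net [203.0.113.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 17 May 2010 09:12:01 +0200\n"
    "From: Facebook <notification+constructed@facebookmail.com>\n"
    "Errors-To: notification+constructed@facebookmail.com\n"
    "X-Mailer: ZuckMail [version 1.00]\n"
    "Subject: constructed sample\n\nbody\n"
)
GENUINE = SPOOFED.replace("localhost (pool-7.dsl.example.net [203.0.113.7])",
                          "mx-out.facebook.com (mx-out.facebook.com [192.0.2.10])")

def facebook_traits(msg):
    """Header traits from the list above that imitate a Facebook notification."""
    traits = []
    if parseaddr(msg.get("From", ""))[1].lower().endswith("@facebookmail.com"):
        traits.append("from")
    if "zuckmail" in msg.get("X-Mailer", "").lower():
        traits.append("x-mailer")
    if parseaddr(msg.get("Errors-To", ""))[1].lower().endswith("@facebookmail.com"):
        traits.append("errors-to")
    return traits

def handoff_host(msg):
    """(rdns, ip) from the topmost Received header, the one our own MX wrote."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(" ".join(received[0].split())) if received else None
    return (m.group(1).lower(), m.group(2)) if m else (None, None)

def classify(raw):
    msg = email.message_from_string(raw)
    if not facebook_traits(msg):
        return "not-facebook-branded"
    rdns, _ = handoff_host(msg)
    # Everything below the top Received header is sender-controlled, so the
    # branding is only believed when our own hop saw a trusted relay.
    if rdns and rdns.endswith(TRUSTED_SUFFIXES):
        return "consistent"
    return "spoofed-facebook"

if __name__ == "__main__":
    print(classify(SPOOFED), classify(GENUINE))
```

The reverse-DNS name is only as reliable as the receiving server's lookup, so use it only where the MTA forward-confirms the name before recording it.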

We asked ourselves why the cyber criminals go to so much trouble creating a phishing email just to redirect users to an online pharmacy website. There are PROs and CONs when someone sends phishing emails using sites like Twitter and Facebook:

PRO: By using these sites, each of which has at least 100 million users worldwide, the spammers have the possibility to reach a huge audience. If even 0.01% of the people buy something from those websites, then the operation was a success.

CON: Sending such a primitive phishing email is a very bad idea because it is very simple to detect. In practice, there is a clear indication of phishing even for basic detection algorithms like those in Thunderbird.

Bottom line: the spammers are just trying everything to get some attention and, with it, buyers.

Short link: http://wp.me/p1Ipp-7s

When Technical Support really sucks

13.04.2010 (7:25 am) – Filed under: General

No Words, just two screen shots :)
Support doesn't want to do their job

And their answer after the email above:

Avira goes into Managed Security Services by acquiring CleanPort

02.03.2010 (3:21 pm) – Filed under: General

http://www.avira.com/en/company_news/avira_extends_security_in_the_cloud.html

Avira extends Managed Security Services portfolio to offer users security “in-the-cloud”
Tue, 02 March 2010
Avira’s acquisition of CleanPort forms the basis for the new business unit

Tettnang/ Doetinchem, 2 March 2010 – German IT security provider Avira has acquired CleanPort, an acquisition that extends Avira’s solutions for terminals and server products with a new business line. With Avira Managed Security Services (AMSS), the company immediately adds online security services to all activities for all user segments. These services will be provided through a separate data center infrastructure. This new business unit is the motivation for Avira’s strategic acquisition of the Dutch group CleanPort B.V./ ISP Services B.V./ NextIdentity B.V., effective March 1, 2010.

Email-(in)Security using GnuPG for Windows and Outlook

08.10.2009 (10:06 pm) – Filed under: General,News

I usually do not start with a conclusion… But now I will.
Simply stay away from this dreadful software… !!!
It is simply buggy !

Outlook 2007 crashes on almost every signed email that this crappy software tries to display.

STAY AWAY FROM http://www.gpg4win.org/ at least until they fix these crashes !!!

When marketing doesn't read what they send via email

23.06.2009 (10:52 am) – Filed under: News

I am subscribed to the TAROM (Romanian Airlines) Newsletter which is sent approximately once a month.
Each month I receive the same corrupted email which looks like the one in the picture:

tarom's newsletter

Why is this happening ?

Simply because they add some newlines in the wrong places. Actually, the first one alone is enough to ruin everything.
See the red arrows ? Those newlines shouldn’t be there.

Badly formatted newsletter

I wrote to Tarom (newsletter@tarom.ro) and they didn’t reply back. And they also didn’t fix the problem.
This could’ve been avoided very easily if they had just previewed the newsletter before mass-mailing it.

Spam using Google's Spreadsheets

18.03.2009 (5:08 pm) – Filed under: General

It was Google Docs, Google Notes and now Google Spreadsheets:

It is also interesting to note that the email was sent from a Google Mail account *ONLY* to other Google Mail accounts.
And, the famous Google Antispam didn’t mark it as SPAM:

Stupid spammers

10.11.2008 (10:25 pm) – Filed under: Spam & Phishing

Don’t you just hate them ?!
I do…
They are just wasting my CPU power and bandwidth to detect such stupid evasion techniques.
I mean… look at the picture below:

Why the heck would I send myself a picture with all kinds of meds and then write some text from a Microsoft newsletter at the end?
Can there be any clearer sign of spam than this ?

Interesting: there are 4 different links in the email. All of them are subhosts of youuljn.cn (China).

Here are the spam reports from Avira Antispam:
X-Avira-SpamScore: ata: 7.600 bayes: 1.000 final: 11.737

ATA is the Automatic Text Analysis, which checks for spam techniques. And with 7.6 points, there are many. Bayes gives a plain round 1, which is 100% SPAM :) ))