Enabled comments in the blog
Starting as of today, I enabled the comments on my blog sorinmustaca.com. It is an experiment to see if someone really posts and to see also how much spam I get.
IT security expert Avira found during recent surveys of its customers that email spam is still an everyday occurrence, but not the nuisance it once was. Nearly half of all end-users are satisfied with the anti-spam filters on their PCs and laptops, and many others rely upon their Internet Service Providers (ISPs) to filter messages. The vast majority of users receive fewer than 10 spam emails per day.
“The Spam landscape has clearly changed in the last two years with the take down of a couple of major botnets,” said Sorin Mustaca, data security expert at Avira GmbH. “Considering the fact that almost all email providers have a form of spam filtering installed on their servers, end-users receive only what the anti-spam solutions on the servers don’t catch. What really surprised me was that 45% of the users answered that they have an anti-spam solution on their computers and that they are satisfied with it. Overall, there is clearly work to be done within the security industry to get rid of 100% of all spam emails, but progress is being made.”
The larger security challenges today include fighting web-based Trojans and spyware that harvest credit card numbers and personal identity information. “But I still don’t recommend anyone clicking open spam emails, as many of them are linked to malicious websites. It’s always best to stay safe from unknown links and emails,” said Mustaca.
I sometimes laugh at these scammers, but sometimes I am quite amazed at their capability to adapt to the spam filters.
My Google account caught this spam:
In text, this is:
Good Day,
I am Mr. Ming Yang,Director of operations of the Hang Seng Bank Ltd,Sai Wan Ho Branch,Hong Kong.I am here-by seeking your service in helping me receive a large amount of money and in giving a clear research and feasibility studies on areas I could invest on.Your services will be paid for,and you will be a partner,if your recommendation is accepted.
For security purpose,due to telecoms interception in Hong Kong,I shall not accept or acknowledge any phone call.Only emails would be treated in relation to this proposal but not without this code;[CODE NO:AM-001].My contact:ming_y047@yahoo.com.hk
Kind Regards
What’s wrong here?
Cool, but not good enough to escape the spam filters.
Just stumbled upon this blog post from Symantec http://www.symantec.com/connect/blogs/spammers-introduce-new-email-internet-headers where an absolutely normal spam process is described.
Unfortunately for the author, who clearly doesn’t understand Romanian, he copied/pasted all headers, even those which he doesn’t understand. So, he copied all kinds of bad words, things which you usually wouldn’t publish in a serious blog.
I will not publish them here because this is my blog and I respect my readers, especially in this case, the Romanian readers.
I’ll let you read the funny post yourselves.
Have fun!
Softpedia took again one of my posts in the Avira Techblog and wrote an article based on it:
“In the recent past we saw emails looking like phishing mails, which were spam though actually. The spammers tried to make them look as much as possible as official mails from the entity they were faking: Amazon, Twitter, Facebook, and so on,” Sorin Mustaca, manager of international software development at Avira, warns.
“[Full name] has sent you a message” the rogue communication, which appears to originate from Facebook, reads. However, instead of the actual message, the recipient is presented with an image promoting various male enhancement pills.
“We checked about 100 different emails in this category and all of them use the same domain. We were curious and investigated who owns the domain – the domain is registered in China by a single registrar who owns 14 thousands other domains,” Mr. Mustaca notes.
Remember this post about emails which look like Facebook and Twitter phishing at first sight?
http://msorin.wordpress.com/2010/05/20/facebook-and-twitter-phishing-on-first-sight/
Now Amazon.com got hit quite massively: Read more here in the Avira Techblog
The source of the articles is in the Avira Techblog:
Twitter Phishing (on first sight)
Facebook Phishing (on first sight)
Over the weekend our spam traps received a massive wave of emails looking like the one below:

The emails seem to stem from “Twitter Support” (support@twitter.com) and are addressed each to exactly one unique email address. The link in the email seems to be unique for each email sent, too. Quite an effort to make the email look more legitimate. The target link is always a compromised website holding an html page.
After clicking on the URL, a multiple stage redirection takes place. On some of these redirection websites, the intermediate page raises alerts because our engine detects encrypted content in JS.
Finally comes the surprise: The target website at the end of the redirects is not a phishing website but a Canadian online pharmacy.

For me personally this was a “Wow!” moment. Why did the spammers choose to send the emails as Twitter phishing? I think that the explanation is simple – they did it because nobody did it before.
As usual, users of the Avira Premium Security Suite and the users of our gateway products have no reasons to fear: the emails are detected as phishing and all target URLs are blocked.
Three weeks ago, our spam traps received massive amounts of spam mails which looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we now are seeing plenty of mails which look like Facebook phishing.
The mails seem to stem from “Facebook” and use unique sender addresses that look like “notification+@facebookmail.com”.

Some observations about the current spam mails:
* Almost all the spams we’ve seen come from Russia (the “Received” headers show that the sender sits in Russian networks)
* There is always a fake Message-ID similar to the one from Facebook:
* The header “X-Mailer: ZuckMail [version 1.00]” is always the same
* There is an additional X-header called Errors-To with another email address at Facebook “notification+@facebookmail.com”
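The header observations above translate directly into a triage check. The following is an added example, not code from the original post or from Avira: it parses a raw message, records the indicators the post lists (a facebookmail.com sender, the “X-Mailer: ZuckMail” header, an Errors-To address at facebookmail.com), and then asks the two questions that actually separate a forgery from a genuine notification, namely where the mail entered the network according to the earliest Received header and where the links in the body point. The lists of “legitimate” domains are assumptions for this example, and both sample messages are constructed with documentation addresses.

```python
"""Header triage for spoofed "Facebook notification" spam (added example)."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption for this example: genuine notifications originate from hosts
# under these domains and only link back to facebook.com.
LEGIT_SENDER_DOMAINS = ("facebook.com", "facebookmail.com")
LEGIT_LINK_DOMAINS = ("facebook.com",)

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def host_matches(host: str, domains: tuple[str, ...]) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def origin_host(msg: EmailMessage) -> str | None:
    """Host named in the earliest Received header.

    Each relay prepends its own Received line, so the last one in the
    message is the first hop visible to us and reflects the real origin;
    the From header is free text and proves nothing.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_FROM.match(str(received[-1]).strip())
    return match.group(1).lower() if match else None


def link_hosts(msg: EmailMessage) -> list[str]:
    """Hostnames of every http(s) URL in the HTML or plain-text body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return [h.lower() for h in URL_HOST.findall(text)]


def triage(raw: str) -> dict:
    """Collect the indicators and derive a verdict for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    errors_domain = parseaddr(str(msg.get("Errors-To", "")))[1].rpartition("@")[2]
    origin = origin_host(msg)
    foreign = [h for h in link_hosts(msg) if not host_matches(h, LEGIT_LINK_DOMAINS)]
    result = {
        "claims_facebook": host_matches(sender_domain, LEGIT_SENDER_DOMAINS),
        "zuckmail": str(msg.get("X-Mailer", "")).startswith("ZuckMail"),
        "errors_to_facebook": host_matches(errors_domain, LEGIT_SENDER_DOMAINS),
        "origin": origin,
        "origin_outside_facebook": origin is None
        or not host_matches(origin, LEGIT_SENDER_DOMAINS),
        "foreign_links": foreign,
    }
    if not result["claims_facebook"]:
        result["verdict"] = "not-facebook"
    elif result["origin_outside_facebook"] or foreign:
        # Looks like Facebook, but did not come from there or leads elsewhere.
        result["verdict"] = "spoofed"
    else:
        result["verdict"] = "consistent"
    return result


# Constructed sample of the forgery pattern described in the post. All
# hosts and addresses are documentation values, not real senders.
SPOOFED = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by inbox.corp.example with ESMTP id A1; Mon, 14 Jun 2010 10:02:11 +0000
Received: from mail.example.net (mail.example.net [203.0.113.5])
 by mx.corp.example with SMTP id B2; Mon, 14 Jun 2010 10:02:09 +0000
From: Facebook <notification+kjd2h9@facebookmail.com>
To: someone@corp.example
Subject: Someone has sent you a message
Message-ID: <20100614100209.f9a1b@facebookmail.com>
Errors-To: notification+kjd2h9@facebookmail.com
X-Mailer: ZuckMail [version 1.00]
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://redirect.example.com/m/77124">View message</a></body></html>
"""

# Constructed sample of what a consistent notification looks like under
# the assumptions above (origin host and link both under facebook.com).
CONSISTENT = """\
Received: from outmail.facebook.com (outmail.facebook.com [198.51.100.20])
 by mx.corp.example with ESMTP id C3; Mon, 14 Jun 2010 11:00:00 +0000
From: Facebook <notification+kjd2h9@facebookmail.com>
To: someone@corp.example
Subject: Someone has sent you a message
X-Mailer: ZuckMail [version 1.00]
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://www.facebook.com/n/?inbox">View message</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED), ("consistent sample", CONSISTENT)):
        print(label, triage(raw))
```

Note that the ZuckMail header and the facebookmail.com addresses are present in both samples and therefore carry no weight on their own; they are exactly the parts the spammers copied. The verdict hinges on the earliest Received hop and on the link targets, which a spammer cannot forge without controlling Facebook’s own mail servers.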
We asked ourselves why the cyber criminals go to so much trouble creating a phishing email only to redirect the victim to an online pharmacy website. There are PROs and CONs to sending phishing emails that imitate sites like Twitter and Facebook:
PRO: Since each of these sites has at least 100 million users worldwide, the spammers have the possibility to reach a huge audience. If even 0.01% of the people buy something from those websites, then the operation was a success.
CON: Sending such a primitive phishing email is a very bad idea because it is very simple to detect. Practically, there are clear indications of phishing even for basic detection algorithms like those in Thunderbird.
Bottom line, the spammers are just trying everything to get some attention and, with it, buyers.
Short link: http://wp.me/p1Ipp-7s
Back to the roots in the online pharmacy spam http://ow.ly/16Rp0J
I am getting more and more spam like this: http://techblog.avira.com/2010/03/11/twitter-spam-getting-slim-with-slim-urls/en/
I published a new article in the Avira Techblog: Combined Avira Risk Level
We now have a new risk indicator: Global
This indicator combines the other 3 in the easiest way possible.
One might argue that Malware is more important than phishing and spam.
Maybe, but they are all treated equally in our system. This means that even if we have a Malware outbreak (level 4 and 5), we don’t generate more updates because of this.
So, until we decide to change this, the Global Risk Level remains like this.