Using honeypots to fight comment spam

The guys at rustylime describe how they are using honey pot form fields to detect spam bots.

This method is interesting, since the false positive rate will be close to zero – any decent browser will not show the ‘honey pot’ fields and a human won’t be able to enter information there accidentally. The false negative will be low, since most spam bots will enter information on those fields. The problem, of course, is that the spam bots can be adjusted specifically for rustylime (now that they outlined their spam comment fighting technique), either by looking for these specific field names or by calibrating their spam bots to render the page and filter out invisible parts (this would be a serious technical challenge for the spammers).

Of course, a post on SecuriTeam blogs, a web site that is probably frequently read by spammers, is not going to help them keep a low profile against spammers – so my apologies to the rustylime people. Let's hope their comment spam queue remains clean, and maybe someone can pick this up and find a more generic way to fight comment spam using browser-invisible fields.
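The following is an added example, not rustylime's code or anything from the post above: a comment form with a CSS-hidden trap field and the server-side check that rejects submissions where that field was filled. It goes one step beyond the post by deriving the trap field's name per session with an HMAC (the key, field names and handler names are assumptions), which addresses the weakness the post points out: a bot cannot simply hard-code the honeypot's name for one site.

```python
import hmac
import hashlib
import secrets

# Hypothetical server-side key; load from configuration in a real deployment.
SERVER_KEY = b"constructed-demo-key"


def honeypot_name(session_token: str) -> str:
    """Per-session trap field name, so the honeypot cannot be hard-coded."""
    mac = hmac.new(SERVER_KEY, session_token.encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:12]


def render_form(session_token: str) -> str:
    """Render the form. The trap is hidden with CSS, not type="hidden":
    a browser never shows it, so a human cannot fill it, while a bot that
    fills every <input> it finds will. autocomplete="off" keeps browser
    autofill from producing a false positive."""
    trap = honeypot_name(session_token)
    return (
        '<form method="post" action="/comment">\n'
        f'  <input type="hidden" name="session" value="{session_token}">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <input name="{trap}" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def classify(fields: dict) -> str:
    """Server-side check on the submitted fields: ok, spam, or suspect."""
    trap = honeypot_name(fields.get("session", ""))
    if trap not in fields:
        return "suspect"   # not rendered by our form (replayed or tampered)
    if fields[trap].strip():
        return "spam"      # an invisible field was filled: not a human
    return "ok"


def demo() -> dict:
    """Constructed submissions against one rendered form."""
    token = secrets.token_hex(8)
    trap = honeypot_name(token)
    human = {"session": token, "comment": "nice post", trap: ""}
    bot = {"session": token, "comment": "buy now", trap: "buy now"}
    stale = {"session": token, "comment": "x", "f_hardcoded": "y"}
    return {"human": classify(human), "bot": classify(bot), "stale": classify(stale)}
```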

DOC spam

Just weeks after we started getting PDF spam, this morning I received my very first DOC spam. The document spam talks about the usual “I am Barrister Musa Adams a Solicitor. I am the Personal Attorney to MR. Harry Edward Cook a national of your country, who used to work with CADBURY NIGERIA LIMITED, on the 21st of April 2004, my client, his wife and their three children were involved in a car accident along Shagamu Lagos Express Road.” which makes it very uninteresting, but unlike “regular” (non-DOC) spam of this sort, it doesn’t get filtered as documents aren’t currently being scanned for spam.

Now that we are done with PDF and DOC, what is left? :) RTF?

Genius Twist on Nigerian Scams

1. phish a hotmail account.
2. send email from the stolen account to all the friends listed for the person, saying you are stuck in nigeria and are in an emergency, asking your friends for money to be wired.

http://www.rediff.com///news/2007/jul/16tps.htm

hilarious!
(thanks suresh)

gadi evron,
ge@beyondsecurity.com.

Ecards and email filtering

in the past two weeks, ecards became a major threat.

ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. with the storm worm and massive exploitation, i believe it has become prudent to filter out all ecard messages in your email systems.

further, some training or awareness information on this subject distributed to your organizations could be very useful.

gadi evron,
ge@beyondsecurity.com

Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)

you can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_botnet_03.pdf

for the full book, you would need to spend the cash.

enjoy!

gadi evron,
ge@beyondsecurity.com.

PDF spam

I have been getting lately more and more PDF based spam, the PDF itself appears to be just a cover for the normal image spam. The idea I believe is that PDF is not investigated by most spam filtering agents, and is not regarded by spam filtering as a “score giver” (i.e. what makes the email look more spamish than others).

BTW: At first glance I thought it was malware or an exploit that uses PDF as its carrying bag, but after a day's work of investigating, and probing the file with various PDF readers (non-standard ones), I concluded that it had nothing to do with malware or an exploit :) kudos to me :P

CFP: ISOI III (a DA workshop)

cfp: isoi iii (a da workshop)
=============================

introduction
————

cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in
washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security -
dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at: http://isotf.org/isoi3.html

details
——-
27th, 28th august, 2007
washington dc -
aed conference center:
http://www.aedconferencecenter.org/main/html/main.html

registration via contact@isotf.org is mandatory, no cost attached to attending. check whether you qualify for a seat on our web page.

cfp

this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email contact@isotf.org as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)
——————————————–

roger thompson (exp labs)
- google adwords ... the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazario (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba

Next to come: Nigerian scam ads in the New York Times

Davis Freeberg wrote an excellent piece on penny stock scammers putting advertisements in the top financial magazines. This is embarrassing enough – you’d expect Forbes to do a minimal background check on their advertisers, especially when the advertisement is stock related. But to make matters worse, Business Week and Smart Money ignored Davis’s email, while Investors Business Daily went as far as tagging this as “new and interesting investment opportunities”. Hey guys, I have a bridge to sell. Mind if I run the ad in your newspaper?

Davis also does an interesting analysis on the performance of those stocks, and sums it up well: You Can Get Better Odds In Vegas.

More here:
http://davisfreeberg.com/2007/06/15/who-needs-spam-when-you-can-advertise/

Oh, did we forget to write “spam” in the subject line?

The Jerusalem Post just sent me an interesting apology today. Here is how I would summarize it:

“We sold the email you gave us to a third party so that they can send you advertisements. Unfortunately they forgot to mark it clearly as spam – no idea how that happened and we’ll ask future spammers to clearly say so when we sell them the list again”.

Of course they are wrapping it with niceties and sincere apologies; I would appreciate a proper explanation of why the email I gave them when I asked to view an article online was later used to send me “alerts” and “updates”, not to mention given to 3rd parties I’m not gonna vote for. BTW, this is not the first time I get an advertisement from the jp, but they are usually better disguised as “informationals”.

From:
The Jerusalem Post

To:
Aviram Jenik (an email address reserved only for the Jerusalem Post)

Date:
Today 04:37:28 pm

Clarification:

In recent days, registered users of jpost.com have received a paid email advertisement for Rudy Giuliani.

The bottom of this email advertisement stated that it was “Paid for by the Rudy Giuliani Presidential Committee, Inc.” However, correct practice is to mark such emails as advertising in the “Subject” box as well. Because of an internal error, this practice was not followed. We have taken steps to insure that it will be in future.

We would like to stress again that the content of this advertisement has no connection to The Jerusalem Post newspaper or its online content, and does not reflect the editorial views of The Jerusalem Post in any way.

Commercial Department

The Jerusalem Post online

RSS Spam

a friend just sent me this link. take a look.

newsgator online. indeed, it’s usually a smart strategy for keeping track of your company, products and identity in the blogosphere.

except when nude japanese nurses sneak into the picture

gadi evron,
ge@beyondsecurity.com.

Machiavelli and harvesting targeted data for spam

for a long time now i’ve been getting spam email, much like everyone else. for a couple of years now, i’ve also been getting subject lines that at first, although not always, made me look at the spam for a fraction of a second.

these subject lines would mention issues i care about, such as security. the f-up would be the viagra that would sometimes follow in the same subject line.

very recently i spoke on a mailing list about machiavelli. today i got a spam with machiavelli in the subject line (regular spam body, same subject mistake).

spammers are smarter. the smarter they are the more annoying they become, because “they just don’t get it”.

gadi evron,
ge@beyondsecurity.com.

More Soloway documents online

http://www.spamsuite.com/node/129 (Search warrant application)
http://www.spamsuite.com/node/130 (Schmutz affidavit)
http://www.spamsuite.com/node/131 (Reyes affidavit)

Original post:
http://blogs.securiteam.com/index.php/archives/914

The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place to reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis as i keep hitting a stone wall i did not expect: strategy. suggestions for the future are also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as it may sound.

thanks,

gadi evron,
ge@beyondsecurity.com.

Soloway: Another spammer bites the dust

A big victory against spam. From the nwsource.com article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

http://www.mortgagespam.com/soloway/

Early press accounts:

http://www.kndo.com/Global/story.asp?S=6587991

http://seattletimes.nwsource.com/html/nationworld/2003727576_webspam30m.html

http://seattlepi.nwsource.com/local/317795_soloway31.html?source=mypi

Update post and more documents:
http://blogs.securiteam.com/index.php/archives/919

Targeted or not targeted?

many of us have been having discussions and arguments over whether the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent which may solve our terminology disagreements on whether these bbb phishing emails were targeted or not would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in the type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,
ge@beyondsecurity.com.

A call from the boiler room

Being knee deep in online mischief all day I sometimes forget that most of the online attacks are simply extensions of offline ones. The Nigerian scam has been performed via fax and (snail) mail for decades now – I even got a 419 scam by postcard a year back that made me feel very special that someone would waste a stamp on me.

Spam is obviously just an online extension of junk mail, only in a different order of magnitude, and same goes for phishing compared to identity theft. But there is one fraud scheme I’m especially fond of – ‘pump-n-dump’, where you get a spam email about a stock that’s about to go up (“skyrocket”), hoping enough people will buy it and make it go up so that the person who initiated the attack can sell quantities of this penny stock and leave the victims with a worthless piece of paper.

The ‘pump-n-dump’ is an extension of phone-based fraud that was featured in the Sopranos (with Chris’s crew running the scam) and outlined nicely in “Boiler Room”. Wikipedia has a nice description on the scheme and origin of the term.

The reason I’m reminded of this is because I actually got a call from a boiler room, sorry, from a law office with offices on Park Avenue and in London. The call could have been a scripted audition for “Boiler Room 2” to play the part of the junior associate creating warm leads for Ben Affleck’s gang. It included everything down to the immortal “I will only call you if we have something really good” and “we might have something for you in 2 weeks”. Amazingly enough they did have something really good for me and exactly two weeks later I got a call from the Vin-Diesel wannabe following up on the warm lead created by the associate. Unfortunately this time I didn’t have the time to play along so I don’t know if he would have told me there’s a maximum for new clients and 5,000 shares is as much as he can sell me…

My only complaint now is that my spam filter, which is doing such a good job filtering pump-n-dumps, is unable to handle human conversations and filter boiler room calls. Actually, there’s one more complaint – why is it I always get stuck in the Boiler Room-like movies instead of getting a visit from Halle Berry à la Swordfish?…
