February 20, 2013

A MailWasher Pro filter for spam using your name, from Yahoo

Often, spam recipients ask me and other spam fighters how spammers get their email addresses, despite their being super cautious about with whom they exchange email. They may only exchange messages with a few well trusted contacts or relatives, whose computers are unlikely to be infected, because they use the best security programs, operate as less privileged users and don't have Java installed. They, and/or their trusted email contacts use Yahoo email services and have done so for years without getting spammed.

One gloomy day, out of the ether, an email appears from a Yahoo.com account, with this person's first name in the subject and in the message body! The message is all about a new system their sender is using to reduce his money problems and contains a link to a website that reveals the details. The recipient clicks the link only to discover that it is a work at home scam disguised as a news article.

What this recipient didn't know is that Yahoo's email accounts are constantly under attack by hackers and spammers who try to break into member accounts by guessing, stealing, or cracking their passwords. In my example, the recipient uses email very carefully, but is still spammed, allegedly from a Yahoo member, with his or her own name in the subject and body text. Those details were extracted when the recipient's, or a friend's, Yahoo account was pilfered during one of these attacks.

I created a special MailWasher Pro spam filter that detects these types of Yahoo spam and flags them for deletion, or closer examination. I will outline that filter below. For the purpose of demonstration, I have changed the personal name used in these spam runs to "joe".

The following is an XML format spam filter for use in MailWasher Pro (2010 and newer).

<Filter Name="Yahoo Scam using personal name" Enabled="True">
  <Description>Yahoo Scam using personal name</Description>
  <MatchAll>True</MatchAll>
  <Rating>-200</Rating>
  <Colour>#FFCC0098</Colour>
  <TextColour>White</TextColour>
  <AutoDelete>False</AutoDelete>
  <HideEmail>False</HideEmail>
  <HideEmailOption>All</HideEmailOption>
  <Rule>
    <Field>Received</Field>
    <Operator>Contains</Operator>
    <Type>PlainText</Type>
    <Expression>.yahoo.com)</Expression>
  </Rule>
  <Rule>
    <Field>From</Field>
    <Operator>Contains</Operator>
    <Type>PlainText</Type>
    <Expression>@yahoo.co</Expression>
  </Rule>
  <Rule>
    <Field>Subject</Field>
    <Operator>Contains</Operator>
    <Type>RegEx</Type>
    <Expression>(?-i)^joe$|^RE:\ (hi\s|omg\s)?joe$|^hey\ you\ joe$|^FW:\ ((hey|hi)\ )?joe$</Expression>
  </Rule>
  <Rule>
    <Field>Body</Field>
    <Operator>Contains</Operator>
    <Type>RegEx</Type>
    <Expression>(?-i)\ joe\ </Expression>
  </Rule>
</Filter>

If you are receiving Yahoo spam messages like this, just change "joe" to your name as it appears in both the subject and message body. Also, all of these scams I have seen so far have the personal name in all lowercase letters, hence the case-sensitive switch, (?-i), at the beginning of each regular expression. However, if you receive such scams and the first letter is capitalized, remove the case-sensitive switch, or capitalize the first letter of your name (match the case of the spam).

Since this is not 100% accurate (a friend or newsletter might use your name in this fashion), I set the rating to -200, but did not set it to auto-deletion. However, if you find that every incoming Yahoo message this filter highlights is in fact a scam, go ahead and switch to auto-delete. Contact me if you want personal assistance with this or any other MailWasher Pro spam filters.
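As an added example (not code from the page or from MailWasher itself), here is a Python re-implementation of the four rules above, run over constructed messages: it shows the (?-i) switch making a capitalized name miss, and how a message from any other provider fails the Received and From rules. It assumes MailWasher matches case-insensitively unless (?-i) is present (Python's re cannot switch a flag off that way, so the prefix is stripped and the flag chosen by hand), and it writes the FW: alternative with a space after "hey" so that "FW: hey joe" matches.

```python
import re
from email import message_from_string

# The page's four rules as (field, type, expression); MatchAll=True means all must hit.
# The FW: alternative is written with a space after "hey" so "FW: hey joe" matches.
RULES = [
    ("Received", "PlainText", ".yahoo.com)"),
    ("From", "PlainText", "@yahoo.co"),
    ("Subject", "RegEx", r"(?-i)^joe$|^RE:\ (hi\s|omg\s)?joe$|^hey\ you\ joe$|^FW:\ ((hey|hi)\ )?joe$"),
    ("Body", "RegEx", r"(?-i)\ joe\ "),
]
CASE_SWITCH = "(?-i)"

def compile_rule(rtype, expr):
    """Assumes MailWasher matches case-insensitively unless (?-i) leads the
    expression. Python's re cannot turn a flag off with a bare (?-i), so the
    prefix is stripped and the flag chosen here; PlainText becomes a literal."""
    flags = re.IGNORECASE
    if expr.startswith(CASE_SWITCH):
        expr, flags = expr[len(CASE_SWITCH):], 0
    if rtype == "PlainText":
        expr = re.escape(expr)
    return re.compile(expr, flags)

COMPILED = [(field, compile_rule(rtype, expr)) for field, rtype, expr in RULES]

def field_text(msg, field):
    """Text a rule is applied to; Received is joined over every relay hop."""
    if field == "Body":
        return msg.get_payload()            # plain-text samples only
    if field == "Received":
        return "\n".join(msg.get_all("Received", []))
    return msg.get(field, "")

def rule_hits(raw):
    """Which rules fire on a raw message; handy when tuning the filter."""
    msg = message_from_string(raw)
    return {field: bool(pat.search(field_text(msg, field))) for field, pat in COMPILED}

def is_yahoo_name_scam(raw):
    return all(rule_hits(raw).values())     # MatchAll=True semantics

# Constructed samples, not real mail. The HELO form supplies the ".yahoo.com)"
# text the Received rule looks for; 192.0.2.10 is a documentation address.
SCAM = """\
Received: from unknown (HELO nm12.bullet.mail.ne1.yahoo.com) (192.0.2.10) by mx.example.net
From: "Old Friend" <oldfriend@yahoo.com>
Subject: RE: hi joe

hey joe i found a new system that ended my money problems http://example.invalid/news
"""
# Same text with the name capitalised: (?-i) makes the Subject and Body rules miss.
CAPITALISED = SCAM.replace("joe", "Joe")
# Same text relayed from another provider: the Received and From rules miss.
OTHER_PROVIDER = SCAM.replace("yahoo.com", "example.org")

if __name__ == "__main__":
    for name, raw in [("scam", SCAM), ("capitalised", CAPITALISED), ("other", OTHER_PROVIDER)]:
        print(name, rule_hits(raw), "->", is_yahoo_name_scam(raw))
```

A legitimate reply from a friend's Yahoo account that happens to carry "RE: hi joe" and " joe " in the body would score exactly like the scam, which is why the filter's rating rather than auto-delete is the safer default until you have watched it for a while.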

It is doubly important that you block these work at home scams, because they are not only scams taking money for useless information. They are also used in Money Mule recruitment campaigns, where unwary respondents who are out of a job are easy prey for Eastern European gangsters looking for gullible people to launder funds stolen by banking Trojans on infected computers in victimized companies and government offices. Finally, to add insult to injury, some of these work from home pages even have a hidden iframe that contains the Blackhole Exploit Kit attack code. All at once, you could be scammed, recruited into a criminal enterprise and have Trojans installed on your own computer.

Spam for pump and dump stocks, Russian dating and malware increases again

February 20, 2013

After a period of very low amounts of email spam, the tides have turned and spam is on the rise, once again. The topics being spammed now include pump and dump penny stocks, Russian dating scams, the occasional misspelled Viagra/Cialis pills, and the usual Blackhole malware exploit kits.

Since I use the "Windows Live Mail" desktop email client to compose, send and read my email, and its spam filtering rules are quite limited in scope, I long ago turned to a commercial anti-spam filtering program called MailWasher Pro, as a first line of defense against email spam, scams and malware links and attachments. The program works well enough in its basic format, with the tools built into it. But, I learned that by creating my own spam filters, I was able to identify, flag and delete the vast majority of junk email that is sent to me every day.

One thing I have learned about spammers is that they change or purposely misspell their subjects and body text quite often, to evade the anti-spam filters that spam fighters and spam filtering companies create to detect various types of spam. Sometimes they reverse or displace letters in known brand name drugs, knowing that most recipients will still interpret the real meaning.

When we read text, our human brains can make sense of garbled words and usually read totally misspelled words accurately. Try it yourself: What does this word really mean: Vigara? How about this one: Cailis? If you live in an English speaking country and read English you'll know what the real words are supposed to be. Your brain processes this information as you gain input from media sources and your interactions with other people.
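An added example, not one of the author's published filters: a small Python builder that turns a brand name into a single regular expression covering the word and every adjacent-letter swap of it, which is exactly how "Vigara" and "Cailis" are formed from their originals. It assumes MailWasher's regex flavour accepts \b and (?:...) groups, and the sample subject lines are constructed.

```python
import re

def transposition_regex(word):
    """One RegEx alternation covering a brand name and every adjacent-letter
    swap of it (viagra -> vigara, cialis -> cailis ...), on word boundaries."""
    variants = [word]
    for i in range(len(word) - 1):
        swapped = word[:i] + word[i + 1] + word[i] + word[i + 2:]
        if swapped not in variants:            # swapping equal letters repeats the word
            variants.append(swapped)
    return r"\b(?:" + "|".join(map(re.escape, variants)) + r")\b"

def brand_rule(brands=("viagra", "cialis")):
    """Compile one rule for all brands, case-insensitive as MailWasher is by default."""
    return re.compile("|".join(transposition_regex(b) for b in brands), re.IGNORECASE)

def find_misspelled_brands(text, rule=brand_rule()):
    """Every brand spelling or near-spelling found in a subject or body."""
    return [m.group(0) for m in rule.finditer(text)]

# Constructed subject lines, not real spam.
SUBJECTS = [
    "Cheap Vigara and Cailis, no prescription",
    "Viagra 100mg sale",
    "Trip to Niagara Falls next week",
]

if __name__ == "__main__":
    for subject in SUBJECTS:
        print(repr(subject), "->", find_misspelled_brands(subject))
```

The string returned by transposition_regex() can be pasted as the Expression of a RegEx Subject or Body rule in the same filter format shown in the previous post.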

If you use email for business or other important purposes, reducing the amount of spam for counterfeit drugs and goods, Russian brides, useless penny stocks and especially anything leading to a malware attack should be of utmost importance to you. A combination of MailWasher Pro and my spam filters is a great one-two punch that will make a big dent in the amount of junk email you have to deal with.

People like me, who despise spammers and scammers, are sometimes able to write our own spam filter rules that detect misspelled brand names and other commonly altered words used to promote spamvertised items and services. I personally take it as a challenge to match these misspelled words and phrases and delete them before they are ever downloaded to my Windows Live Mail email client.

I already have a very large set of spam filters published and available free for the taking on my MailWasher Pro Spam Filters page. I update them as needed to respond to changes made by the spammers who try to get past my and other people's filters. I have already created two new filters this week and updated two existing ones that are being spammed out heavily. They include the pump and dump stock scams making the rounds all this week.

My filters can block particular sender names, subjects, words and can detect hostile links and attachments. Some variants may slip through occasionally, but I am usually pretty quick to detect them and either add to or alter a rule, or create a new one. I put a lot of effort into detecting hostile links to exploit attack kits, like the Blackhole and Cool Exploit Kit. Those nasties download dangerous Trojans that may empty your bank account, steal your important logins, or steal your identity. Or, they might download ransomware that locks you out of using your computer until you pay the scammers for an unlock key you may never receive. Or, you may end up with fake security programs that display a long list of non-existent infections which can't be "removed" until you pay to register that rogue program.

See my MailWasher Pro spam filters page for downloadable versions of my current spam filters for both the old and new versions of MailWasher Pro. There is an iframe on the page which has the new XML version already loaded, for you to copy and paste individual filter rules into your own filter set. Instructions for downloading and applying the filters are on the page. You'll need to have MailWasher Pro in order to use them, but it is well worth the money.

Notice: I am both a registered user and compensated affiliate of MailWasher Pro. I can speak for the program because I use it myself. I even help people write custom filter rules to block certain spam subjects or senders, when they can't figure it out for themselves.

February 3, 2013

Java 7 Update 13 and Java 6 Update 39 released to patch critical flaws

Last night, on Feb 2, 2013, Oracle Corporation released 2 new versions of its Java virtual machine: Java 7 Update 13 and Java 6 Update 39. These new versions contain fixes for an unbelievable 50 exploitable vulnerabilities in the previous versions (Java 6 and 7). These updates were not supposed to be released until February 19, but new Java exploits are already in the wild. So, Oracle did the right thing and released them ahead of schedule.

Some of the patched vulnerabilities have already been reported publicly and were rolled into online exploit attack kits (e.g. Blackhole Exploit Kit 2.0 and Cool Exploit Kit). Others were reported to Oracle, or discovered by them and kept quiet. Most of the exploitable vulnerabilities exist in Java 6, not Java 7. Oracle is already applying tactics aimed at getting users of Java to stop using version 6 and migrate to the new version 7 platform. Apparently, patching version 6 is no longer feasible and this update (build 39) is the last one planned for Java 6.

Secure your Java software!

If you are an end user, not an employee using a company workstation, and you have and want Java installed on your computers, go to www.java.com and download and install the latest build of Java 7. Then reboot. When the computer boots up and you are logged in, for Windows users, go to Control Panel (Start > Settings > Control Panel) > Programs and Features (or Add/Remove Programs in XP). Open the list of installed programs and find Java alphabetically. If you see any previous versions still installed (prior to Java 6 b39 or Java 7 b13), uninstall them, then reboot.

The reason for uninstalling older versions of Java is that cybercriminals and hackers have, for many years, been targeting specific versions of Java installed in their default folder locations. So even if the latest version of Java is the active one when your computer meets an exploit kit, the kit's JavaScript code might still search out a previous version lurking in your Program Files. If that secondary (older) Java target is installed, your PC could be exploited through that version.

Locating and getting rid of unwanted Java software

Two paragraphs ago I started off by talking about people who both know they have and want Java on their computers. These folks should update yesterday. But, many of you may not know if Java is installed, or if it is, what version or versions you have. As I wrote in the last paragraph, having an older version still installed leaves you at risk if you come across an exploit that has an older version fallback attack. Since you may not even need Java at all, you should consider uninstalling all versions you find and be done with the problem.

Windows users can go to Control Panel > Programs and Features (or Add/Remove Programs) and uninstall every version of Java you see in the list of installed programs. Then reboot the computer to finish flushing out any Java components that may have been running while you were using Windows. This protects your PC against old exploits and those that are sure to come along any day.

Mac users should read these instructions for uninstalling Java. You basically locate the "JavaAppletPlugin.plugin" and move it to Trash.

Oops; a desktop app needs Java!

However, some computer users have desktop applications (which we used to refer to as "software") that run on Java, in whole or in part. You folks can have your Java cake and eat it too. You do this by disabling Java from running in web browsers, while allowing it to run in desktop applications. Here's how: Install the current build of Java 7 and uninstall any remaining versions of Java 6. Open the Java icon in the Control Panel. In the "Security" tab there will be a checkbox to enable Java content in your web browsers. Uncheck that option, apply the change and click OK to close the Java Control Panel.

Instructions for enabling or disabling Java from individual browsers are found here.

After you disable Java content in your browsers (via the Control Panel applet), close any browsers (e.g. Internet Explorer, Firefox, Opera, Safari, Chrome, AOL, etc.) that were open, then restart them. Your browsers should now be safe from direct exploit kit attacks targeting Java plug-ins in web browsers. But Java will still run in desktop applications or offline programs requiring it.
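An added example, not the page's own code, that automates the two checks above on a Windows PC: it reads the Add/Remove Programs entries from both Uninstall registry hives and sorts every Java entry against the builds the page names as patched (6u39 and 7u13), and it checks whether the Java Control Panel has recorded the browser plug-in as disabled. Assumptions: the standard DisplayName values, and that the "Enable Java content in the browser" checkbox is stored as deployment.webjava.enabled=false in the user's deployment.properties; constructed sample data stands in when not run on Windows.

```python
import re

# Builds the page names as patched on Feb 2, 2013; anything below them is outdated.
PATCHED = {6: 39, 7: 13}
NAME_RE = re.compile(r"^Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)", re.IGNORECASE)
UNINSTALL_KEYS = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                  r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"]
# Assumption: the Java Control Panel stores the browser checkbox under this key.
WEBJAVA_RE = re.compile(r"^deployment\.webjava\.enabled\s*=\s*(\w+)", re.MULTILINE)

def classify(display_name):
    """'current', 'outdated', 'unknown' (a major the page does not cover) or None."""
    m = NAME_RE.match(display_name)
    if not m:
        return None
    major, update = int(m.group(1)), int(m.group(2))
    if major not in PATCHED:
        return "unknown"
    return "current" if update >= PATCHED[major] else "outdated"

def audit(display_names):
    """Sort Add/Remove Programs names into the buckets the page tells you to look for."""
    report = {"current": [], "outdated": [], "unknown": []}
    for name in display_names:
        verdict = classify(name)
        if verdict:
            report[verdict].append(name)
    return report

def installed_display_names():
    """DisplayName of every Add/Remove entry, read from both Uninstall hives on Windows."""
    try:
        import winreg
    except ImportError:
        return []                      # not Windows: caller falls back to sample data
    names = []
    for path in UNINSTALL_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue                   # hive absent (e.g. 32-bit Windows)
        for i in range(winreg.QueryInfoKey(key)[0]):
            try:
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                pass                   # entry without a DisplayName
    return names

def browser_java_disabled(properties_text):
    """True only when deployment.properties records Java content in browsers as off."""
    m = WEBJAVA_RE.search(properties_text)
    return bool(m) and m.group(1).lower() == "false"

# Constructed stand-ins for a machine that still has two old builds installed.
SAMPLE_NAMES = ["Java 7 Update 13", "Java(TM) 6 Update 31", "Java 7 Update 11", "Notepad++"]
SAMPLE_PROPS = "#deployment.properties\ndeployment.webjava.enabled=false\n"
```

Run audit(installed_display_names() or SAMPLE_NAMES) on the PC in question; the properties file to feed browser_java_disabled() is the user's AppData\LocalLow\Sun\Java\Deployment\deployment.properties.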

What if I need Java to interact with a particular website?

Some of you may have to have Java plug-ins in a web browser to interact with some particular website that is important to you. In that case, you'll have to disable the Java plug-in for all browsers except the one you will use for only that website or those websites and no others. If that is not feasible, consider using Firefox with the NoScript Add-on installed and active. It blocks JavaScript and Java by default, unless you specifically allow them to run, for every website you encounter. This adds one more layer of protection to a Java enabled browser, because all of the exploit attack kits I have seen use JavaScript to probe for vulnerable software before launching actual attack code against your browser. A browser that has JavaScript disabled for unapproved websites will not allow that code to run from the exploit website (unless you foolishly approve that site).

NOTE: When Firefox 19 is released, Java plug-ins will be disallowed from running in it. I will publish more information about the plug-in restriction when Firefox 19 has been released. When that happens, assuming that Java won't run in Firefox at all, if you must have Java in a web browser, I suggest using the regularly updated Google Chrome browser with the Java plug-in enabled. There is a "Script No" extension for Chrome browsers that acts in a more or less similar way to the NoScript Add-on for Firefox. It is just not as granular in its control of active content on web pages.

Each browser company has an options page available from one of their menus, which will allow you to control what does or doesn't run in that browser. Internet Explorer hides the Java disabling option inside the Custom Level portion of the Security tab. You actually have to set the security slider all the way to High to disable Java Applets in that browser. This also breaks "Active Scripting," which is what Microsoft calls JavaScript and presumably, Flash and Silverlight.

I use Firefox with NoScript, or Chrome with Script No. Am I safe now?

Unfortunately, cyber-criminals employ hackers to find vulnerabilities in some software running on legitimate websites, then upload hostile JavaScript into their landing pages. If you regularly visit a newly compromised website, and have already allowed JavaScript to run on it (for various web functions to work right), you could be exploited by the hostile script that was embedded into that web page, unbeknownst to the Webmaster or site owner.

Why is Java targeted by exploit kits?

Cyber-criminals make a huge amount of money selling exploit kits to botnet operators, who make huge amounts of money reselling the use of their botnets to spammers and scammers who want to install remote control software and bank account stealing Trojans onto personal and corporate computers. Java is their primary target because so many computers have it installed (by old programs, or to play games) and the majority of computer owners don't know it is there, or even if they know, don't keep it updated. I hope that my drilling these facts into your heads will make you aware that (1) Java exists and (2) it is or isn't installed on your computers and (3) if it is, it's only the most current version, and (4), you have unplugged it from your browsers if you can.

Epilogue

If you don't know if you really need to have Java installed, uninstall it and see what breaks. For most of us, nothing current will break with Java gone. If you break something really necessary, install only the most recent version and follow my previous tips for securing your browsers against Java and JavaScript exploits.

Note: Java and JavaScript are not the same. They are totally different technologies that have the misfortune of having similar names. However, most if not all Java exploit kits use JavaScript to probe your web browser for weaknesses for which it contains an exploit package. You see, JavaScript is something that is interpreted by a web browser to perform typically useful functions. Java is something that has been assembled/compiled into a tiny program, which when run inside a browser is called a Java Applet. It is poor coding in the Java executable components that allows hostile Applets to jump out of the otherwise insulated browser and into the operating system.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.