This is a phishing scam looking to steal active Hotmail accounts for use as spam sending zombies, using Hotmail's good reputation to avoid email sender blockades. The phished date of birth information can be crosschecked against other stolen or looked up details about you, or they can read your personal details saved in your Hotmail account profile, to perform identity theft. This information would then be sold to more advanced cyber criminals.

The scam email I received today was sent from the IP address 62.173.55.107 which is part of the CIDR 62.173.32.0/19, which covers all IPs between 62.173.32.0 and 62.173.63.255. This CIDR is registered to ipNX Nigeria Limited, in Lagos, NG.

I discuss methods of preventing these Nigerian scam emails from reaching your desktop email clients, or forum members, in my extended comments.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

The volume of spam coming to my various honeypots and user accounts has increased slightly this week. This indicates to me that some of the Botnets that lost their Control and Command servers following the forced shutdown of colocation host Pricewert have found other server hosts that allow illegal activities. Thus, sleeping zombie bots are awakening and spamming again.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various fake pharmacies, which sell illicit and counterfeit pharmaceuticals like Viagra, weight loss scams and phishing scams.

See my extended comments for this week's breakdown of spam by category, for June 22 - 28, 2009 and the latest additions to my custom MailWasher Pro filters

Websense has been following a website code injection event they named the "Nine Ball Mass Injection," which is a follow-up to the "Beladen" and "Gumblar" mass injection attacks last month This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever updated to patch announced vulnerabilities. Hackers send out automatic scripts (a.k.a. robots, spiders) that try to upload hostile files to any website they come across. Once they find an unpatched point of entry they are able to alter the codes on any web pages (usually the home page) they want. In the past, hackers would deface home pages with gibberish or slogans for their causes. Now, it is criminals who sneak in dangerous hidden codes that redirect innocent visitors to hostile websites, where malware is attempted to be downloaded to the victims' computers. Most are successful, because most people do not, or cannot keep up with patches released by every vendor of the add-ons and plug-ins used by their browsers.

Most of the malware being downloaded by the Nine Ball and similar exploits is fake security applications that pretend to scan you computer, announce so many threats found, then demand payment to remove those threats. These are tandem malware programs, with part one being the fake alerts and part two being the fake remover. After you pay to unlock the remover, it only removes the alerts its sister placed there in the first place. You will have submitted your credit or debit card information to cyber criminals in the Former Soviet Union and can expect to have your accounts drained shortly.

The rest of this weeks vulnerabilities and exploits are in my extended comments.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

The volume of spam coming to my various honeypots and user accounts has decreased again this week. This is probably attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control (C&am;C) servers and malware hosting was carried out by its customers, with no action taken by the company to halt those activities. With the C&C controllers offline their Botnets cannot receive updates or new instructions and fall silent, like zombies. Spammers then find other means of delivering their crap to us.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, and dating scams. Also, the volume of phishing scams targeting customers of various banks and credit cards remained strong again this week.

See my extended comments for this week's breakdown of spam by category, for June 15 - 21, 2009 and the latest additions to my custom MailWasher Pro filters

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). Some of this is also attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control servers and malware hosting was carried out by its customers, with no action taken by the company to halt those activities.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained in the running this week.

See my extended comments for this week's breakdown of spam by category, for June 8 - 14, 2009 and the latest additions to my custom MailWasher Pro filters

Most of the successful attacks exploit vulnerabilities in browsers (usually Internet Exploder), or their installed add-ons and plug-ins. like Apple QuickTime, Adobe Flash and Reader (and other PDF readers) and Sun's Java plug-in. If any of these items are a vulnerable version you may have your computer hijacked by cyber-criminals who will make it a zombie member of their Botnet. This will turn your PC into a spam machine, or it could be used to attack websites or Governments, with whom the hackers have a difference of opinion.

In order to stay safe from the barrage of hack attacks targeting browsers and their plug-ins it is imperative that you keep Windows and its components and all third party add-ons up to date. One way is to always select the option to automatically check for, download and install updates to those programs. If there is no automatic update mechanism for a program you use you should check to see if it has been updated. This could be at the manufacturer's website, or by using the free Secunia Online Software Inspector (requires current version of Java).

The details of this week's updates are below, in my extended comments.

Spybot Search & Destroy (S&D), a product of Safer Networking Ltd., is a free ("donation-ware") security program that is used by millions of people to fight off spyware, keyloggers, Trojans, Botnet executables, adware, hostile domains, unwanted cookies and other types of malware in the wild. Being freeware it lacks some functions that are commonly implemented in commercial security programs. It has only manual updates, which are usually released once a week, on Wednesdays (see my regular weekly articles about new updates), and limited scanning presets. Most functions must be carried out manually, but hey, it's free! Despite these limitations Spybot S&D is a well respected and effective anti-malware tool to add to your arsenal.

Spybot Search and Destroy can be downloaded for free from either www.spybot.info, or from www.safer-networking.org, or several official mirror sites. Don't fall for fake versions distributed by rogue anti spyware websites. Approved download mirror sites are listed on the Spybot S&D downloads page.

Once downloaded you should install the program onto your hard drive. There are installation options to watch for and the options you select will affect the normal operation of the program, when launched. One of the installation options is for the "TeaTimer" module. This is a realtime monitoring component that sits in your System Tray and launches itself into action whenever a change is about to be made to the system, the Registry, or your browser's home or search page. The program pops up little balloon alerts asking if you want to allow or deny the changes, or even notifying you that a suspicious program file was terminated automatically. These balloon popups can be annoying at times, although you can tell TeaTimer to remember your decisions. Unfortunately, there have been several serious false positives reported in the Spybot forums concerning the TeaTimer module deleting harmless files necessary for the operation of other programs or Windows itself. Lately, these false positives are becoming fewer and further between. It is your choice whether you want to use the TeaTimer module. I would keep Windows System Restore turned ON in case TeaTimer renders an important program, or part of Windows itself unusable (use the "Last known good configuration" startup option).

No matter which options you choose to install the program with, always select the option to update the program immediately. You can select or deselect all options later on, using the Advanced Mode. Once installed and updated it is time to Immunize, then scan for threats. These steps are described in my extended comments, along with download and forum links and more instructions about using Spybot Search and Destroy.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 and lottery scams, Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained steady this week.

See my extended comments for this week's breakdown of spam by category, for June 1 - 7, 2009 and the latest additions to my custom MailWasher Pro filters

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

The volume of spam coming to my various honeypots and user accounts has been steadily increasing over the past month. This is due to the activity of various wounded spam Botnets coming back to life (after the takedown of McColo), or new ones like the Russian Cutwail Botnet, being pressed into service. The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake watches and Viagra, "stud" tips and male enhancement scams (same websites). I also saw an increase in Australian banking phishing scams this week.

See my extended comments for this week's breakdown of spam by category, for May 25 - 31, 2009 and the latest additions to my custom MailWasher Pro filters

Updating Spybot Search and Destroy

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.