<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Wiz&apos;s Computer and Website Security Blog</title>
      <link>http://www.wizcrafts.net/blogs/</link>
      <description><![CDATA[Our blog deals with computer troubleshooting, vulnerability alerts, computer security, spyware &amp; virus removal tools, e-mail threats, anti-spam solutions and website security issues.]]></description>
      <language>en</language>
      <copyright>Copyright 2012</copyright>
      <lastBuildDate>Wed, 16 May 2012 22:23:27 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=4.38</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>Spoofed &apos;Bill Me Later&apos; email has links to 20 Blackhole exploit websites</title>
         <description><![CDATA[<p><small>May 16, 2012</small></p>

<p>This article is about cybercriminals taking email exploit attacks to a new level. Tonight, I processed an email scam (<em>to SpamCop</em>) that claimed to come from a service known as 'Bill Me Later' - detailing an online payment I was supposed to have made over the phone. Except, my name is not Dr. Mary Olsen, MD!</p>

<p>The message, which was carbon copied (CC) to dozens of other recipients (<em>whose email addresses were viewable in plain text</em>), started off with the following totally fake text:</p>

<p>"<em>Thank you for making a payment over the phone! We've received your <br />
Bill Me Later® payment of $60.12 and have<br />
applied it to your account.</em>"</p>

<p>The scam goes on to list various account numbers and (fake) payment details. It was also loaded with images and clickable links (20) to view many details, including:</p>

<p><em>Manage your account, Make a payment, View statements, Account Summary, Home, Make a Payment, About Bill Me Later, Offer, Directory, View Statements, Merchant Sign Up, Store, View Account, Summary, FAQs, Register Account<br />
and 4 image links.</em></p>

<p>What is astoundingly different about this scam is not just the unusually high number of links leading to an exploit kit, but the fact that they all led to different domains. Normally, I see one or two domains used in hostile link scams. <a href="/compromised-websites.html">Twenty different compromised domain links</a> is a new record for me.</p>

<p>Each one of these 20 links (<a href="/compromised-websites.html"><em>see compromised website list</em></a>) leads to a different website, to a sub-directory (folder) containing 8 mixed case alphanumeric characters, then, /index.html. Here is one sample URL (<em>deactivated for your safety</em>): <strike>h**p://webprof.ro</strike>/Tv2YU8u6/index.html</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/05/spoofed_bill_me_later_email_has_links_to_20_blac.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/05/spoofed_bill_me_later_email_has_links_to_20_blac.html</guid>
         <category>Spam Issues</category>
         <pubDate>Wed, 16 May 2012 22:23:27 -0500</pubDate>
      </item>
      
      <item>
         <title>My spam analysis for May 6 - 13, 2012</title>
         <description><![CDATA[<p>After taking a month off from publishing my spam statistics, I am resuming it today. I have been watching spam trends during my quiet month and found that the volume of spam is increasing. This, after a year of declining spam volumes.</p>

<p>I have added up all my incoming email and counted those classified as spam, and found that in the last week, my percentage of spam has been almost 40%. During the same period last year, it measured just 30%. This is a 10% increase.</p>

<p>I measure the amounts and types of spam with <a href="/mailwasher.html">MailWasher Pro</a> (2012), which compiles very good statistics for its users. If you don't already know about this program, it is a spam filter and email classifier, which sits between your email servers and your email client. It receives either POP3 or IMAP email from your mail servers and applies any filter or blacklist rules you define. I write and publish <a href="/mwp-filters.html">spam filters for MailWasher Pro</a> and most of them are so reliable that I set them to automatically delete known spam. In case the filters are in error, I am able to restore the wrongly deleted messages from the MailWasher Recycle Bin.</p>

<p>While the volume and percentage of spam has increased over the last 7 days, an interesting development occurred: there was no spam with either malware links or attachments! In the previous weeks there were many such hostile messages, spoofing all manner of known websites and banks. Make no mistake, the malware scams will resume soon. Stay alert, especially if you have Java, Flash, or Adobe Reader installed on your computers or smart phones/tablets.</p>

<p>I always advise my readers to hover over links before clicking on them. Doing this causes the actual URL (web address) to be displayed on the bottom of your browser (Web-mail) or email client (desktop email program). This gives the savvy user a chance to see if the link claiming to lead to Intuit actually goes to a website that has nothing to do with intuit.com, or facebook.com, paypal.com, linkedin.com, etc, etc. </p>

<p>On the other hand, clicking (<em>without hovering first to check it out</em>) on a poisoned link takes you to a compromised website, which uses JavaScript and iframes to redirect you to a Russian malware server, where your computer is attacked for any vulnerable software. If you have any exploitable, unpatched software installed, your computer may be taken over by criminals and drafted into a spam and attack botnet, and have malware installed which steals money from your financial accounts, or extorts money from you to fix non-existent problems.</p>

<p>Let's move on to the spam analysis for the week...</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/05/my_spam_analysis_for_may_6_-_13_2012.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/05/my_spam_analysis_for_may_6_-_13_2012.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 13 May 2012 13:23:52 -0500</pubDate>
      </item>
      
      <item>
         <title>Really lame and blatant Nigerian 419 scam</title>
         <description><![CDATA[<p>Today, I received an email containing a Nigerian 419 scam that, while laughable for its horrible spelling and punctuation, makes an upfront demand for payment. Normally, these scams hide the fact that victims are asked to pay in advance before the (fake) hundreds of thousands of dollars will be released to the beneficiary (victim).</p>

<p>Let's take a look at this scam from a curiosity point of view.</p>

<p>First of all, the sender has covered his tracks by using compromised email relaying PCs in a botnet. Two computers were used, both belonging to US residents. One belongs to an organization named "Secured Private Network" - which is obviously not so well secured! The second relay occurred via an open relay in a mail server belonging to CrystalTech Web Hosting.</p>

<p>The return path was interesting. It used a (possibly spoofed) account on a Ukrainian domain: terence_m@e-mail.ua. However, the From address shows test@milkom.net, which is obviously spoofed.</p>

<p>The message body claims to be from the "United states ambassador to nigeria<br />
Ambassador terence mccauley" - yet it is filled with incorrect grammar, bad spelling and letter cases. I have to believe that any school kid in the USA knows that titles, countries and personal names always have the first letter capitalized.</p>

<p>The scammer claims to have plans to be: "<em>coming to your country for an official meeting and i will be bringing your funds of ($500,000:00) FIVE HUNDRED THOUSAND UNITED STATES DOLLARS {bank draft} along with me.</em>" He goes on to demand an up front payment of $250 processing fee! "<em>the cost of registering it is $250 USD the fee must be paid in the next 48 hours via western union.</em>"</p>

<p>Finally, to add insult to injury, the scam contains this outrageous statement:<br />
<blockquote><br />
<em>Please, if you know you will not or can not send the requested $250 USD, please, dont bother replying this mail.</em><br />
</blockquote><br />
You can read the full text of this 419 scam on <a href="http://www.spamcop.net/sc?id=z5322002560zbde132c4512d3b837d258dae04d76d73z&action=display">my SpamCop report</a></p>

<p>It is the up front, advance fee demands that gave these scams the name 419 scam. You see, section 419 of the Nigerian Penal Code makes it a serious offense to commit financial fraud involving advance fees. Yet, Nigerians go to Internet Cafes every day and mail out thousands of such scams to people in all parts of the World, but especially English speaking people in North America, the United Kingdom and the lands down under.</p>

<p>Never reply to a Nigerian scammer and never give them your phone number! There is no 500 Gs waiting for you, and you are not the beneficiary of anybody who died and left millions in a Nigerian bank. They will bleed you out of all your money with new fees and bribes and never send you the promised funds (because they do not exist). This has happened over and over to greedy people who fall for such scams. W.C. Fields once said "Never wisen up a chump or give a sucker an even break." That is exactly how Nigerian 419 scammers behave. They target the elderly as well as business owners and town clerks.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/05/really_lame_and_blatant_nigerian_419_scam.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/05/really_lame_and_blatant_nigerian_419_scam.html</guid>
         <category>Scams</category>
         <pubDate>Mon, 07 May 2012 11:59:54 -0500</pubDate>
      </item>
      
      <item>
         <title>How to prevent unauthorized people or vehicles from intercepting your wireless data</title>
         <description><![CDATA[<p>Lately, much ado has been made about the Google Street View vehicles doing more than photographing houses and businesses. Apparently, the Google vans have also been intercepting and storing wireless data from *unsecured* wireless routers, as they drive along the streets of our great nation. </p>

<p>Does this worry you? It should if you are one of the people operating an unsecured wireless router. Not because of what Google was doing with this openly transmitted data, but because if a Google van can read your unencrypted data, so can a neighbor's hacker kid, or somebody with bad intentions driving down your street, looking for wireless connections to piggyback on, or data to steal (a.k.a: <a href="http://en.wikipedia.org/wiki/Wardriving" rel="external nofollow">War-driving</a>).</p>

<p>Here is what the FCC determined about Google Street View vans intercepting wireless data as they drove down streets:<br />
<blockquote><br />
The FCC has been investigating, and recently fined Google $25,000 [<a href="http://tinyurl.com/77m4p4y" rel="external nofollow">details</a>] for the incident. In its report, the FCC concludes, "For more than two years, Google's Street View cars collected names, addresses, telephone numbers, URLs, passwords, e-mail, text messages, medical records, video and audio files, and other information from Internet users in the United States."<br />
</blockquote><br />
In its findings, the FCC has concluded that Google's wireless data collection was not illegal because the information the company gleaned was not encrypted. The $25,000 fine against Google was actually for interfering with the investigation by stonewalling at searching employee records to find out why this happened and what was done with the purloined data. It turned out to be an experiment by what Google referred to as a rogue employee.</p>

<p><strong>So, how can you make sure that something like this doesn't happen to your wireless connections? Secure your wireless routers, or hotspots! Here's how...</strong></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/05/how_to_prevent_unauthorized_people_or_vehicles_f.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/05/how_to_prevent_unauthorized_people_or_vehicles_f.html</guid>
         <category>Security News</category>
         <pubDate>Sun, 06 May 2012 11:39:30 -0500</pubDate>
      </item>
      
      <item>
         <title>New social engineering tricks used in email malware scams</title>
         <description><![CDATA[<p>It appears that no matter how many cyber criminals get busted, or botnet command and control servers are taken offline, there is always another scam waiting to take their place. So it is in the case of email scams leading to malware attack kits.</p>

<p>The words and phrases in the subjects and message bodies used by scammers over the last few years have been morphing. We still see some of the old topics being used; recycled is a better word. But, new subjects and message bodies are being developed by clever copy writers who are employed by malware distributors. I want to share some of the recent social engineering topics and hook lines that I have seen in spam/scam emails that are detected by <a href="/mailwasher.html">MailWasher Pro</a> and subsequently reported to <a href="http://www.spamcop.net/" rel="external">SpamCop</a>.</p>

<p>The most recent scam is one I don't recall ever seeing before. It seems to target business owners who might hire accounting firms to take care of their books and taxes. It is a very clever scam, leading to a huge exploit kit, containing over 18,000 bytes of JavaScript code. Included are over 2 dozen script tags, most of which probe your browser and computer for exploitable plug-ins, like Java, Flash, Adobe Reader and Internet Explorer's ActiveX. If the victim's browser has any of the vulnerable versions of these plug-ins installed, silent exploits take place, resulting in the PC becoming a zombie in a spam and attack botnet. They are also treated to a free installation of a bank account stealing Trojan and maybe even a free scan from a fake anti-virus scanner that demands money to remove the fake detections and the barrage of warnings it fires at you.</p>

<p>Here then are the subjects and message contents of some email scams I analyzed today.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/new_social_engineering_tricks_used_in_email_malw.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/new_social_engineering_tricks_used_in_email_malw.html</guid>
         <category>Malware Threats In The Wild</category>
         <pubDate>Mon, 23 Apr 2012 17:04:52 -0500</pubDate>
      </item>
      
      <item>
         <title>End of support for Windows XP w/Service Pack 3 on April 8, 2014</title>
         <description><![CDATA[<p>Beginning on April 10, 2012, Microsoft has posted a notice on various knowledge base articles for Windows XP and on their <a href="http://windows.microsoft.com/en-US/windows/products/lifecycle" rel="external">lifecycle fact sheet</a>, that all support for Windows XP will terminate on April 8, 2014. Effective that day there will be no further updates, upgrades, or patches issued for any computer running Windows XP. Right now, one must have XP with Service Pack 3 in order to receive any patches from Windows Updates.</p>

<p>On the same date, all support and patches for Microsoft Office 2003 will also come to an end.</p>

<p>Windows XP has enjoyed a long life since its official release to retail date of October 25, 2001. It has been the most popular version of Windows since Windows 95 was released with parties and huge fanfare on August 24, 1995. XP has received three service pack upgrades since 2002, ending with SP 3, which was issued on April 21, 2008. Windows XP market share peaked at 76.1% in January 2007. But, with the introduction of Windows 7, there has been a steady decline in the number of XP users online. As of today, the market share for XP is only about 29%.</p>

<p>If you are reading this from an XP computer you need to begin planning to upgrade before all support for your aged operating system ends on April 8, 2014. Since there won't be any more patches, you will be left unprotected by Microsoft against any vulnerabilities that may be discovered running in the wild after that date. History teaches us that as soon as support is dropped for one of the versions of Windows, cyber criminals ramp up their attacks to try to draft as many of the unpatched machines as possible into spam and DDoS attack botnets.</p>

<p>Another fact we have seen play out is that security software vendors begin to drop support for any version of Windows that has been end-of-lifed by Microsoft. So, people hanging onto XP after April 2014 will not only be left out in the cold by MS, but will soon see an end of support from anti-malware companies as well. Without virus and malware protection or Windows Updates, those computers will become cannon fodder for exploit kit writers.</p>

<p>I have already upgraded to Windows 7 and love it! My XP desktop computer is only turned on once a month, on Patch Tuesdays, to download any available Windows Updates. That machine is only here as a backup unit in case my main Win 7 computer hard drive crashes. It would only be used until I could restore a saved <a href="/acronis_true_image.html">Acronis</a> image of the operating system to the new hard drive. I save a complete image of the hard drive once a week, but backup my documents and libraries every night.</p>

<p>If you have programs that are only written for Windows XP, without newer versions that work under Windows 7, even in Compatibility Mode, you should consider buying a copy of Windows 7 Professional. It allows you to download a free, fully licensed copy of XP Pro, with SP 3, which you install into a virtual machine that runs inside Windows 7, as an application. You can run any Windows XP based program inside that window, as though you had booted into XP. Of course, it takes away a gig of your RAM to run XP in the virtual machine, but, be happy if it runs at all.</p>

<p>Note: Your computer must have a CPU that supports running Virtual Technology (VT) in order to use the XP Mode in Windows 7 Professional. Learn more about the hardware requirements for <a href="http://www.mydigitallife.info/easy-way-to-determine-if-cpu-supports-windows-7-virtual-pc-xp-mode/" rel="external">running XP as a Virtual Machine in this article</a>.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/end_of_support_for_windows_xp_wservice_pack_3_on.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/end_of_support_for_windows_xp_wservice_pack_3_on.html</guid>
         <category>Product Lifecycle Notices</category>
         <pubDate>Sat, 14 Apr 2012 00:18:30 -0500</pubDate>
      </item>
      
      <item>
         <title>Apple releases third patch for Java exploits, plus Flashback removal tool</title>
         <description><![CDATA[<p>I, among many other security bloggers, have recently posted articles regarding Java vulnerabilities and patches and how crimeware exploit kits target Java before any other commonly installed software. In fact, I published an article last night, April 12, 2012 about <a href="http://www.wizcrafts.net/blogs/2012/04/security_threats_and_program_patches_for_1st_qua.html">security patches that have been released so far this year</a>, in which I mentioned that Apple had lagged way behind in patching the version of Java used on Mac computers.</p>

<p>Well, it may have taken Apple 2 months to issue "a" patch, but they enjoyed doing that so much that they have now released their third patch in 7 days! Yes Mac owners, you have three critical patches to download and apply, including the latest one issued late yesterday (April 12, 2012).</p>

<p>You see, Apple has a policy of discontinuing support for certain third party software for various reasons. They decided about a year ago to drop support for Adobe Flash. Not too long ago they also decided to drop support for Oracle Java and removed it from the list of applications that are installed or updated by Apple Software Updates.</p>

<p>This decision to stop deploying Java with Apple/Mac updates was a tactical error in my opinion. It was well intentioned, but short sighted. Java exploits are absolutely the number one infection vector used by perpetrators of the ZeuS Trojan and various botnet installers. <em>Java is cross-platform</em>, and has been described by its original maker Sun Corporation as "write once, run anywhere" technology. Java is not a scripted language, but is deployed as compiled mini-programs, known as Applets, using what are known as .JAR files to distribute these programs and their supporting files. </p>

<p><em>Run Anywhere includes Mac OS computers, as well as smartphones, tablets, ATMs, on and on.</em> Even though the user base for Mac computers is relatively small, compared to Windows, they have now become targets of Java exploit kits, due to the erroneous attitude of many Mac users that they are immune to malware sneak attacks. This has been proven to be wrong thinking.<br />
</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/apple_releases_third_patch_for_java_exploits_plu.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/apple_releases_third_patch_for_java_exploits_plu.html</guid>
         <category>Application Patches/Updates</category>
         <pubDate>Fri, 13 Apr 2012 11:34:28 -0500</pubDate>
      </item>
      
      <item>
         <title>Security threats and program patches for 1st quarter of 2012</title>
         <description><![CDATA[<p>We are just 1/3 month into the second quarter of 2012 and we have had a lot of security vulnerabilities, threats attacking them and program patches released by major software companies. These patches include Windows Updates, Mac (Apple) Updates, Adobe Flash, Air and Reader, Oracle's Java Virtual Machine, Internet Explorer, Firefox, Safari and Chrome browsers, Real Player and iTunes.</p>

<p>All of the software updated by these companies over the past three months has suffered from highly critical security vulnerabilities, many of which are now being actively exploited by cyber crime gangs who publish exploit attack kits. Java exploits are almost always the first types of exploits targeted by crimeware kits, like the Russian Blackhole kit.</p>

<p>Some of you may be wondering how these exploits are delivered to your computer in the first place. <strong>The most common method of luring potential victims to scripted exploit kits is via cleverly crafted, hostile email spam messages.</strong> These hostile spam messages differ from standard commercial spam in that they aren't trying to sell you counterfeit pills, watches, or pirated software. Rather, they use well constructed come-ons to con or panic recipients into either opening attached files containing Trojans or JavaScript code redirecting your browser to a malware server, or clicking on obscured links to compromised websites.</p>

<p>After one clicks upon such a link, the scripts on the compromised landing page usually redirect you to other compromised websites and scripts, until you ultimately arrive at a distant server owned by cyber criminals, often in Eastern Europe. These servers use domains registered in places like Russia and the Ukraine to launch exploit kit attacks on your web browser and its add-ons and plug-ins, with Java plug-ins leading the pack. Adobe Reader (PDF files) and Flash are major secondary targets, followed by iTunes and Quicktime, Microsoft Word and just about any popular software that can be used to gain access to the operating system.</p>

<p>This is why reputable software companies release security updates on a more or less regular basis. Microsoft releases Windows Updates almost every month, on the second Tuesday of the month. Adobe has agreed to also release any critical patches on the same Tuesday. This has become known as Patch Tuesday. Make a note of this and if you have a Windows computer running XP with Service Pack 3, or Vista, or Windows 7, or Windows Server 2003 or newer, set your Automatic Windows Updates to check for updates at least every Tuesday, at the equivalent of 2 PM Eastern time for your time zone. Accept all updates rated Important or Critical. Reboot after all updates are installed and log back into an administrator level account to ensure that any further processing takes place, before logging into a less privileged account.</p>

<p>Note: There have now been four Patch Tuesdays so far in 2012, with the most recent being April 10, 2012. If you have not run Windows Updates this week, do so now. Two very serious vulnerabilities were patched this week. One is for Internet Explorer and the other for Microsoft Word. Exploits are now in the wild for both vulnerabilities.<br />
</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/security_threats_and_program_patches_for_1st_qua.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/security_threats_and_program_patches_for_1st_qua.html</guid>
         <category>Application Patches/Updates</category>
         <pubDate>Thu, 12 Apr 2012 22:10:36 -0500</pubDate>
      </item>
      
      <item>
         <title>Fake Facebook Friend Requests with huge links lead to malware exploit kit</title>
         <description><![CDATA[<p>There is an ongoing spam campaign that I have been following since August 24, 2011, pretending to be Facebook Friend Requests. However, all of the links contained in these scams lead to compromised websites, where your browser is attacked by criminal exploit kits, like the "Blackhole" or the "Nuclear" exploit kits.</p>

<p>If you are a member of Facebook and receive Friend Requests from senders with odd sounding names, you need to do something proactive before clicking on any links in those emails. You need to hover your mouse pointer over all buttons, images and text links, without pressing any mouse buttons (<strong>do not click!</strong>). Then, with your pointer over these links, look down at the "Status Bar" on the browser, or message window, or preview pane in the email client you are using, and look carefully at the <abbr title="URL stands for Universal Resource Locator. It is an Internet address">URL</abbr> being displayed.</p>

<p>The links and buttons in the Facebook Friend Request scams look like any other Facebook request, with a few exceptions. The photo of the alleged requester is missing, showing an outline of a shadowy head. When you hover over the picture, or name, or the Confirm Request buttons, or the Unsubscribe link, all of the links will be obviously fake, leading to anything other than facebook.com. Furthermore, for the last couple of months, the links are unbelievably huge, occupying multiple lines of code. Herein lies the weakness in the scam.</p>

<p>Furthermore, most of the scams spoofing Facebook Friend Requests lack the line under their name, showing the person's statistics. E.g. 37 friends · 29 photos · 13 Wall posts. A real Friend Request contains these stats.</p>

<p><br />
<strong>Making sense of what appears senseless</strong><br />
I am going to impart some WIZdom to you to bring you up to speed on the nature of the hostile links in the current (April 2012) fake email Facebook Friend Requests.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/fake_facebook_friend_requests_with_huge_links_le.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/fake_facebook_friend_requests_with_huge_links_le.html</guid>
         <category>Malware Threats In The Wild</category>
         <pubDate>Fri, 06 Apr 2012 01:03:12 -0500</pubDate>
      </item>
      
      <item>
         <title>Fake change of email address notice from American Express is Malware</title>
         <description><![CDATA[<p>Right now, the first week of April, 2012, there is a spam run hitting our inboxes spoofing American Express, with fake change of email address notices. These messages are convincing, having stolen images from the actual American Express website. </p>

<p>Here is an excerpt from one which I received a couple of minutes ago:<br />
<blockquote><br />
From: "American Express" <AmericanExpress@welcome.aexp.com><br />
Subject: Confirmation of email address change</p>

<p><em>Thanks for updating your email address</p>

<p>We changed your e-mail address in our files to {spoofed or harvested email account}. If the new e-mail address is not correct or you did not request this change, please click here,..{spoofed link leads to malware</em>}<br />
</blockquote><br />
If you, or someone you know, was unlucky enough to click on one of these links, their PC will have been attacked by a browser exploit kit. You, or they, need to run a full scan for malware with updated definitions in your installed security program. If you have not rebooted the computer since you clicked on the hostile link, run System Restore to a previous time or day, on your Windows computer.</p>

<p>If you lack any installed computer security, here are some options for you to try:<br />
<ul><br />
	<li><a href="/trendmicro.html">Trend Micro security programs</a> (I use this)</li><br />
	<li><a href="/malwarebytes.html">Malwarebytes Anti-Malware</a> (I use this)</li><br />
	<li>Kaspersky Lab's Products - <a href="http://www.dpbolvw.net/mn97js0ys-FOIMKNHFHGLLNHJJ" rel="external">Try out a free 30-day trial!</a><img src="http://www.tqlkg.com/re70jy1qwuFOIMKNHFHGLLNHJJ" class="i1" border="0"/></li><br />
</ul><br />
</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/fake_change_of_email_address_notice_from_america.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/fake_change_of_email_address_notice_from_america.html</guid>
         <category>Malware Threats In The Wild</category>
         <pubDate>Thu, 05 Apr 2012 17:26:08 -0500</pubDate>
      </item>
      
      <item>
         <title>Trend Micro Titanium security products on sale at 30% off, through April 2012</title>
         <description><![CDATA[<p>I am an affiliate for Trend Micro home security products. I am also a current Trend Micro customer, so I can speak from experience. I have tried a lot of both free and commercial computer security programs and I highly recommend the current offerings from Trend. Right now, through April 30, 2012, the most popular home security programs from Trend Micro are on sale, through my affiliate links, at 30% off.</p>

<p>This discount is an affiliate offer, not offered to the general public arriving at their website via normal methods. No coupon codes are needed to get the discounts. I never cared for those codes anyway. Too much room for typos.</p>

<p><strong>Here is a breakdown of the programs being discounted, along with their list and discounted prices.</strong></p>

<p><strong>Trend Micro Maximum Internet Security for 2012</strong><br />
This includes the whole ball of wax. All of the protections offered by the other Trend Titanium programs, plus additional protections against phishing and man in the middle attacks, computer and identity theft, both at home and when you're on the road using a wireless connection at a hotel, motel, coffee shop or fast food restaurant. It even includes a security app for Android Smartphones. Also included is Smart Surfing for Mac. </p>

<p>Regular price: $79.95 Sale price: $55.95.  <a href="http://www.jdoqocy.com/fn101ft1zt0GPJNLOIGIHQOLIHP">Learn more or Buy it now</a><img src="http://www.tqlkg.com/ln79bosgmk5E8CAD7576FDA76E" class="i1" border="0"/></p>

<p>Read the details about this program and find my yellow highlighted discount links on <a href="/trendmicro.html">my Trend Micro web page</a>.</p>

<p><strong>Trend Micro Titanium Internet Security 2012</strong><br />
This is the most popular security program from Trend Micro, best suited to computer towers that stay in one location. Some of the key features are Enhanced Behavior Monitoring/Proactive Intrusion Blocking, Antivirus Security, Spyware Protection, Detect and Block Image Spam, Personal Firewall, Fraud Defense, Data Theft Protection, Wireless Network Monitoring, Network Control, and, coolest of all, you get all this protection for up to 3 home or mobile computers with just one license fee.</p>

<p>Regular price: $69.95 Sale price: $48.95.  <a href="http://www.jdoqocy.com/fn101ft1zt0GPJNLOIGIHQOLIHP">Learn more or Buy it now</a><img src="http://www.tqlkg.com/ln79bosgmk5E8CAD7576FDA76E" class="i1" border="0"/></p>

<p>Read the details about this program and find my yellow highlighted discount links on <a href="/trendmicro.html">my Trend Micro web page</a>.</p>

<p><strong>Trend Micro Titanium™ Antivirus Plus Anti-Spyware</strong><br />
Trend Micro Titanium Antivirus + is very light on computer resources, because it uses a set of fairly small on-disk definitions that get loaded at startup, covering the most prevalent known threats. Additional real-time threat protection comes from Trend's in-the-cloud† security technology, which is constantly updated as new malware is identified and definitions are written.</p>

<p>Regular price: $39.95 Sale price: $27.95.  <a href="http://www.jdoqocy.com/fn101ft1zt0GPJNLOIGIHQOLIHP">Learn more or Buy it now</a><img src="http://www.tqlkg.com/ln79bosgmk5E8CAD7576FDA76E" class="i1" border="0"/></p>

<p>Subscribers to any of these Titanium programs are protected against hostile and compromised web pages by the Trend Micro Web Threat technology, which blocks access to bad websites before they can exploit your computer.</p>

<p>This 30% off sale ends on April 30, 2011. If you were waiting for a great discount before buying commercial security for your computers, now is the time you've been waiting for! Furthermore, because we are currently into a model year and subscriptions run 365 days, you would be entitled to a free upgrade to version 2013 of the same program.</p>

<p>I know this because I purchased a one year subscription to Trend Micro 2011 and received a free upgrade to version 2012. I'll be renewing it for another year next month. Having tried many other security programs I see no reason to change. Trend Micro does what it's supposed to do, without slowing me down or annoying me with a lot of pop-ups, like some other security programs did. The web threat protection blocks dangerous web pages from loading, preventing their exploit kits from attacking my defenses.</p>

<p>Read the rest of the details and find my highlighted discount links on <a href="/trendmicro.html">my Trend Micro web page</a>.<br />
</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/04/trend_micro_titanium_security_products_on_sale_a.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/04/trend_micro_titanium_security_products_on_sale_a.html</guid>
         <category>Security Program Updates</category>
         <pubDate>Thu, 05 Apr 2012 15:45:34 -0500</pubDate>
      </item>
      
      <item>
         <title>Wiz&apos;s email spam &amp; threat analysis for the week ending March 11, 2012</title>
         <description><![CDATA[<p>This past week I saw a significant drop in the amount of spam I received and a shift in the top category. For the first time in probably a year or more, Nigerian 419 scams topped the list for most spams received. Gone completely was any spam for fake casinos!</p>

<p>Second place went to Chinese replica watches that rip off legitimate name brands, like Breitling. This was closely followed by spam for fake pharmacies and bogus diplomas. Drugs bought from fake pharmacies, if they ever arrive, will do you no good and may actually harm you. Buying fake diplomas won't necessarily get you hired, but they will get you fired, once your deception is discovered during routine background checks.</p>

<p>Runners up in spam were Russian domains pushing counterfeit goods and drugs, work at home scams, weight loss pills, male enhancement, Cialis and Viagra and three malware link scams.</p>

<p>The malware threats from last week were all fake Intuit invoices, with links to read invoices online. Those links all led to exploit attacks against browsers and their add-ons and plug-ins. If you clicked on a link in an email claiming to come from Intuit, scan your computer for malware Trojans and Bots. You can use a free 30 day trial copy of <a href="http://www.kqzyfj.com/og65js0ys-FOIMKNHFHGLGPHHO" rel="external nofollow">Trend Micro™ Titanium™ Internet Security</a>,<img src="http://www.tqlkg.com/t0122g04tzxIRLPNQKIKJOJSKKR" class="i1" border="0"/> if you have nothing else that is current for virus detection.</p>

<p>The following represents my email totals and spam percentages by category. All results were obtained from <a href="/mailwasher.html">MailWasher Pro</a>, which I use to filter out spam before I download any incoming email to Windows Live Mail.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/03/wizs_email_spam_threat_analysis_for_the_week_end_1.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/03/wizs_email_spam_threat_analysis_for_the_week_end_1.html</guid>
         <category>Spam Issues</category>
         <pubDate>Mon, 12 Mar 2012 01:29:40 -0500</pubDate>
      </item>
      
      <item>
         <title>Parallels 7 for Mac (run Windows inside Mac) 25% off through 3/13/2012</title>
         <description><![CDATA[<p>I am a Windows user, but have friends who prefer a Mac. Still, some of those folks also have a Windows PC or laptop, to run apps that are not compatible with the Mac operating system. With Parallels, a Mac owner can run Windows inside their Mac desktop, as an application. <a href="/parallels.html">Parallels 7</a> does this even better than previous editions.</p>

<p>The caveat is that the Mac must contain an Intel processor and a decent amount of RAM. The full requirements are as follows:</p>
<ul>
<li>A Mac computer with an Intel Core 2 Duo, Core i3, Core i5, Core i7, or Xeon processor.</li>
<li>Minimum 2 GB of memory (4 GB of memory is recommended to run Windows 7 in a virtual machine or if your host OS is Lion)</li>
<li>About 500 MB of disk space on the boot volume (Macintosh HD) for Parallels Desktop installation.</li>
<li>About 15 GB of disk space for each virtual machine.</li>
<li>Mac OS X Lion 10.7</li>
<li>Mac OS X Snow Leopard 10.6.3 or later</li>
<li>Mac OS X Leopard v10.5.8 or later</li>
<li>A valid license for the version of Windows you intend to install with Parallels.</li>
</ul>

<p>For those who want to install Windows 7 into their Mac, you can buy a copy from <a href="http://click.linksynergy.com/fs-bin/click?id=I9j66rCuhKs&subid=&offerid=234822.1&type=10&tmpid=3884&RD_PARM1=http%3A%2F%2Fwww.tigerdirect.com%2Fgo%2Fwindows-7%2Findexus.asp" rel="external">Tiger Direct</a> or NewEgg.</p>

<p>Parallels Desktop for Mac allows you to install Windows, or any other supported operating system, like Linux, into a virtual machine (VM), then install applications compatible with that operating system and run them as if you were using a Windows or Linux computer. This means that if you have a Mac that meets the requirements to run Parallels, you can install a valid copy of Windows 7 into it, then install Windows-only software and run it as an application inside the Mac desktop. You can maximize the Parallels window to be full screen if you need all of the monitor for your Windows applications.</p>

<p>Parallels 7 is currently on sale for 25% off the regular price, but only through March 13, 2012. You can <a href="/parallels.html">learn more about Parallels here</a>, or <a href="http://www.dpbolvw.net/click-826471-10987348" rel="external nofollow">here</a>.<img src="http://www.tqlkg.com/image-826471-10987348" class="i1" border="0"/> </p>

<p>If you have an older version of Parallels you may be entitled to a greatly reduced <a href="http://www.jdoqocy.com/click-826471-10816094" rel="external nofollow">upgrade license</a> for the current version.<img src="http://www.ftjcfx.com/image-826471-10816094" class="i1" border="0"/></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/03/parallels_7_for_mac_run_windows_inside_mac_25_of.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/03/parallels_7_for_mac_run_windows_inside_mac_25_of.html</guid>
         <category>Application Patches/Updates</category>
         <pubDate>Sat, 10 Mar 2012 12:40:53 -0500</pubDate>
      </item>
      
      <item>
         <title>Deadline for cutoff of DNS Changer infected PCs extended until July 9, 2012</title>
         <description><![CDATA[<p>On February 14, 2012, I wrote a blog article alerting my readers about the pending cutoff date of March 8, 2012, for Internet access for computers infected with the DNSChanger malware. The title told it all: "<a href="http://www.wizcrafts.net/blogs/2012/02/pcs_infected_with_dns_changer_to_lose_internet_c.html">PCs infected with DNS Changer to lose Internet connections on March 8, 2012</a>." I learned today (March 6) that a Federal Court has granted the FBI's request to extend the cutoff date until July 9, 2012 (<a href="http://krebsonsecurity.com/wp-content/uploads/2012/03/Post-Indictment-Protective-Order.pdf" rel="external"><em>Read PDF of  Court Order</em></a>).</p>

<p>When I published my article there were still an estimated 400,000 PCs in the USA infected with this malware. Many of these infected PCs belong to Fortune 500 companies and even parts of the US Federal Government. Millions more are still infected around the World. This extension of the cutoff date is to allow more time for the large entities in business and Government circles to search for and disinfect their compromised computers. It is a monumental task and many companies have already stretched their IT personnel and budgets to the limit, sniffing out any infected machines on their premises.</p>

<p>It was back in early November, 2011, that the FBI filed an <a href="http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/" rel="external">indictment against an Estonian crime gang</a> whose members were accused of creating and operating the "DNS Changer" malware and botnet. Search and seize warrants were obtained and the servers being used by the criminals running this enterprise were seized and taken offline. The named suspects have been arrested and are awaiting extradition, or have already been extradited to the USA, to face charges in a US Federal Court.</p>

<p>But, there was a downside to this victory. Innocent victims were unknowingly having all of their Internet connectivity routed through those "rogue" DNS servers that were taken down by the FBI and DOJ.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/03/deadline_for_cutoff_of_dns_changer_infected_pcs.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/03/deadline_for_cutoff_of_dns_changer_infected_pcs.html</guid>
         <category>Security News</category>
         <pubDate>Tue, 06 Mar 2012 12:37:13 -0500</pubDate>
      </item>
      
      <item>
         <title>Adobe quick-releases a critical Flash Player update on March 5, 2012</title>
         <description><![CDATA[<p>It was just 20 days ago, on Feb 14, 2012, that Adobe Systems released a <a href="http://www.adobe.com/support/security/bulletins/apsb12-05.html" rel="external">critical update for their Flash Player</a>, which I blogged about <a href="http://www.wizcrafts.net/blogs/2012/02/oracle_java_and_adobe_flash_get_critical_updates.html">here</a>. That version was 11.1.102.62, for Windows, Mac, Linux and Solaris operating systems. Today, March 5, 2012, they released another unexpected critical patch, version 11.1.102.63, for the same systems.</p>

<p>Android smartphone users who have Flash installed also have upgrades waiting, to version 11.1.111.7 (Android 2x, 3x) or 11.1.115.7 (Android 4x) respectively.</p>

<p>The previous patch fixed 7 security vulnerabilities, one of which was being exploited in the wild in February. This latest update patches 2 more newly discovered vulnerabilities (<i><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0768" rel="external">CVE-2012-0768</a> and <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0769" rel="external">CVE-2012-0769</a></i>), which they claim are not yet being exploited by web browser attack kits. That is bound to change in a few days.</p>

<p>The first newly announced vulnerability allows an attacker to take over control of a user's computer or smartphone via a memory corruption attack against a component of Flash known as Matrix 3D. The second vulnerability in Flash Player allows a hacker to steal sensitive information from a victim's computer or smartphone.</p>

<p>While the Adobe Priority table says users should apply the new patches within 30 days, I recommend you do it as soon as you read this. Exploit kit writers are not going to wait 30 days to go after unpatched computers or smartphones. If you have Flash on a computer, visit the <a href="http://get.adobe.com/flash" rel="external">Adobe Flash Download</a> page and download one version of Flash for Internet Explorer and another if you use Firefox or Safari browsers.</p>

<p>Mac users should visit the <a href="http://get.adobe.com/flashplayer/otherversions/">Adobe Flash download page for other systems and browsers</a>. Apple itself does not support Adobe Flash.</p>

<p>Google Chrome has released a new version of the Chrome browser, which has an embedded version of Flash. To upgrade, open Chrome, then click on the Settings wrench icon on the upper right of the browser, then on "About Google Chrome." If the update has not already been installed it will begin downloading as you open the About Chrome box.</p>

<p>You will have to restart your browsers for the upgrades to take effect. This goes for most plug-ins like Flash. After restarting them, go to the <a href="http://www.adobe.com/products/flash/about/" rel="external">About Flash page</a> and verify that you have the most current version for your browser and operating system. Your installed version is displayed above a table on the page, which lists all current versions of Flash, by operating system.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/03/adobe_quick-releases_a_critical_flash_player_upd.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/03/adobe_quick-releases_a_critical_flash_player_upd.html</guid>
         <category>Application Patches/Updates</category>
         <pubDate>Mon, 05 Mar 2012 23:16:10 -0500</pubDate>
      </item>
      
   </channel>
</rss>

