Botnets ramping up efforts using news headlines and video links
The authors of the Storm, Srizbi, Pushdo and Rustock botnets (and others) are ramping up their individual efforts to assemble the largest collective botnet the world has ever seen, using fake news headlines in the subject and body of spammed emails. The latest fake news about the Olympics is being sent from the Storm botnet. Almost all of the botmasters are purported to be based in Russia and to be members, or former members, of the notorious Russian Business Network. The purpose of this rush to acquire more and more zombie computers in a short time is undisclosed right now, but it may be preparation for a cyber war, in which the zombie computers would be used in denial-of-service attacks against other governments, anti-Russian websites, universities, or military installations.
Or, the purpose may just be to have more power to send gazillions of spam messages hawking male enhancement pills, fake pharmaceuticals, shady loans, or counterfeit watches and shoes, but I think they already have enough zombie computers to do that work.
I don't want any of my readers to fall into these traps and have their PCs drafted into these hostile robotic armies. Therefore, you need to know that the authors of the tens of millions of spam messages that are spewing out of hundreds of thousands of zombie computers, some at the rate of up to 10,000 spam emails per day - per PC, are using every social engineering trick they can come up with to fool you into clicking on a link in just one of these scam messages.
The fake news alerts I referred to earlier usually have sensational subjects and short descriptions in the body, some of which match the subject and some of which are totally unrelated. There may or may not be links to a real news website, but there is always at least one link to a compromised computer or website, or directly to a hostile file. These hostile links may carry the text "Read More," "Watch Video," "Play," etc. If you mouse over a link you will see its real destination in the status bar of your browser (for browser-based email) or of your email client. It will not lead to CNN, or to the news agency the message claims to represent, but to a strange website, or a numeric IP address, where you will be attacked by all manner of exploit code.
If these automatic exploits fail to infect your computer, you will be offered a manual link to do it to yourself. This usually takes the form of a pop-up saying that you need to download a new version of an ActiveX object, Flash Player, or a video codec. Some of the most recent spam messages I have seen this week have direct links to download Trojan files. They are disguised with words like Play, Movie, Watch (it), Video, etc., to make you think you are going to see a movie clip about the news in the spam message. Instead, you will be instantly infected with whatever Trojan is being hosted on the destination web server or zombie PC.
If you want to read the news online just go to cnn.com, or abc.com, etc, and read it. If you subscribe to breaking news alerts you could be fooled into opening a scam message that uses a subject and body text and images stolen from CNN, MSNBC, Reuters, or the BBC. Because of these scams being in the wild right now, and being so hard to authenticate, you are best to download a news widget from the organization to which you wish to subscribe. CNN has a breaking news widget that sits in the Windows System Tray until a news alert comes through. Then, it opens a balloon message above the System Tray with the headline displayed. If you click on the story it will open in your default browser. Other news organizations may offer a similar widget. Just be sure you go directly to the news website to look for it. Do not click on links in unsolicited email messages.
The volume of these messages is increasing, not decreasing, and the subjects, body text and link anchor text change daily or every other day. Learn to spot these scams and delete them from your inboxes. If you have a real email client that allows you to create filter rules, just add the subjects to your blacklist. If you use MailWasher Pro to screen your incoming email for spam or link threats, you can download and install my custom MailWasher Pro filters, which are updated frequently to detect these ever-changing scams. Since the Trojan video link spams began pumping out a couple of weeks ago I have sometimes been updating my published MailWasher filters on a daily basis. Contact me if you wish to consult with me about anti-spam solutions.
MailWasher Pro also lets you read the full headers with a single click on a button. This is useful when you want to verify who the sender really is, if you know how to interpret the information in the headers. Most of the fake news alerts spammed out in the last few weeks have forged sender domains that do not match the organization they claim to come from. Here is what to look for when reading the headers.
With the headers displayed in the Preview Pane, look at the "Received: from" lines to see whether they contain the domain belonging to the news organization named in the message. CNN will always send email alerts from its own email servers (e.g. mail.cnn.com). Ditto for every other reputable source of news. Also, look at the "From:" line to see the domain of the sender, not just the display name that appears in the "From" column in MailWasher or your email reader. While this field is always forged in spam messages, the most recent CNN and MSNBC scams had sender domains after the @ sign that did not end with cnn.com or msnbc.com. This is a dead giveaway that they did not come from a real news organization.
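The header and body-link checks described in the last few paragraphs, as an added example that is not the author's code and not part of MailWasher Pro: a Python script using only the standard library that parses a raw message, compares the "From:" domain and the "Received:" lines against the news organization named in the Subject, and flags bait links ("Watch Video", "Read More", etc.) whose real destination is a numeric IP or a host outside that organization's domain. The organization-to-domain table, the bait-anchor list and both sample messages are constructed assumptions for this demonstration.

```python
# Added example, not part of the original post: apply the header and link
# checks described above to a raw email message with the Python standard
# library only. KNOWN_ORGS, BAIT_ANCHORS and both samples are assumptions.
import email
import email.utils
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: names that appear in scam subjects -> domain the real alerts use.
KNOWN_ORGS = {"cnn": "cnn.com", "msnbc": "msnbc.com",
              "reuters": "reuters.com", "bbc": "bbc.co.uk"}

# Anchor texts the post lists as typical bait on the hostile links.
BAIT_ANCHORS = {"read more", "watch video", "play", "movie", "watch", "watch it", "video"}


def host_in_domain(host, domain):
    """True if host is the organization's domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_numeric_ip(host):
    """True if the link host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(" ".join(self._text).split()), self._href))
            self._href = None


def claimed_org(subject):
    """Return (org, domain) for the first known organization named in the subject."""
    for org, domain in KNOWN_ORGS.items():
        if org in subject.lower():
            return org, domain
    return None, None


def check_message(raw):
    """Return a list of findings for a raw RFC 822 message (empty = nothing seen)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _org, domain = claimed_org(str(msg.get("Subject", "")))
    if domain is None:
        return findings
    # 1. The domain after the @ sign in "From:" must be the organization's own.
    from_domain = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not host_in_domain(from_domain, domain):
        findings.append(f"From: domain '{from_domain}' is not {domain}")
    # 2. At least one "Received:" line should name the organization's servers.
    if not any(domain in str(line).lower() for line in msg.get_all("Received", [])):
        findings.append(f"no Received: line mentions {domain}")
    # 3. Bait links pointing at a numeric IP or a host outside the domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for anchor, href in collector.links:
        host = urlparse(href).hostname
        if anchor.lower() in BAIT_ANCHORS and (is_numeric_ip(host) or not host_in_domain(host, domain)):
            findings.append(f"link '{anchor}' -> {href} is a numeric IP or outside {domain}")
    return findings


# Constructed sample modelled on the fake CNN alerts described in the post.
SAMPLE_SCAM = """\
Received: from zombie-pc.example.net (zombie-pc.example.net [192.0.2.45])
    by mx.example.org with SMTP id abc123
From: "CNN Alerts" <alerts@example.com>
To: reader@example.org
Subject: CNN Alerts: Breaking News at the Olympics
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Breaking news from the Olympics.</p>
<a href="http://192.0.2.77/video">Watch Video</a>
<a href="http://www.cnn.com/">cnn.com</a></body></html>
"""

# Constructed sample of what a genuine alert looks like under the same checks.
SAMPLE_LEGIT = """\
Received: from mail.cnn.com (mail.cnn.com [203.0.113.10])
    by mx.example.org with ESMTP id def456
From: "CNN Breaking News" <breakingnews@cnn.com>
To: reader@example.org
Subject: CNN Breaking News
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://www.cnn.com/">Read More</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(sample) or ["no findings"])
```

Run against the scam sample it reports three findings (forged From: domain, no Received: line from cnn.com, and the "Watch Video" link resolving to a numeric IP); the genuine sample produces none. The Received: check is deliberately weak, since those lines are also forgeable by the sender, so a match there is necessary but not sufficient, exactly as the post cautions.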
If you want to install my Wizcrafts Custom MailWasher Pro Filters, there are three versions to choose from. Filters.txt contains a lot of older filters dating back over 8 years, plus my newest filters. All are set to notify only, by checking the Delete box in the Delete column. You must manually click the Process Spam button to actually delete them from the mail server.
Filters2.txt contains my current filters and some from the last year or so, and is considerably faster than filters.txt. It also flags spam for manual deletion.
Filters3.txt is the one I use, minus my personal identity filter rules. It automatically deletes most spam that is matched by its filter rules and even adds some senders to the blacklist, for automatic deletion of subsequent spam messages. Some is still marked for manual deletion when I can't be certain that a rule will not match a legitimate email message. Better safe than sorry! However, MailWasher Pro has a Recycle Bin, just in case you delete a wanted email message. As long as you set the scanning depth to at least 275 or 300 lines you should be able to recover most accidentally deleted messages. That scan level will slow down your email processing, because my rules use a lot of complex regular expressions, but this also makes them more accurate.
MailWasher Pro can simultaneously check for incoming POP3 email on numerous accounts and different mail servers, on assignable standard or SSL ports. You can download a 30 day trial, or purchase MailWasher® Pro here. The current price is only $39.95, for a lifetime license, which includes free upgrades for as long as you or the maker continues to grace this planet. You can install MailWasher Pro on multiple computers or transfer it to new computers once you purchase the license key and paste it into the Registration field. Just save the email that contains your registration key. They even offer a 6 month money back guarantee, so you really can't lose anything but about 95% of your spam!
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.