September 27, 2011

Why Email Archiving Is an Essential Part of Email Management

Why should email archiving be an important part of your company's email management?

Email is an intrinsic part of business communications and today is often the primary means of doing business with customers and communicating internally. Email is also a huge source of corporate and confidential data.

In a fast-paced environment, it's important to have a reliable email system in place as well as a comprehensive email management strategy to minimize downtime, limit help desk calls, achieve compliance and have a backup plan should anything go wrong.

One important facet of every email management strategy should be email archiving.

With most administrators imposing email quotas on their Exchange server because of storage restrictions and performance issues, employees tend to use Outlook's 'Auto-Archive' function to create PST files. This is often a problematic approach to email management because the administrator either has little control over the locations of the PST files (in some folder on the PC) or they are stored in a network share (with the resultant impact on storage space). Searching for old emails or conversations can be a major undertaking. Administrators simply do not have the time to search individual machines for missing PSTs and, if that PST is corrupt, go through the process to restore that file. If those emails are required for compliance or audit reasons, the administrator will be very concerned - what happens if the email cannot be located?

In small networks where the administrator has a lot more control, PSTs may be acceptable if there is a strict PST policy in place - but not in larger environments. The task to manage PSTs will reach a point where the admin has little control, PSTs are all over the place and the risk of email being lost or corrupted grows exponentially.

One way to address this set of problems and keep everyone happy is to take email storage off the Exchange Server and out of PSTs. This is achieved through email archiving. Administrators gain full control over how and where emails are stored and saved, emails are offloaded from the Exchange server, and, should the need arise, email can be searched from one single location with ease. Users, on the other hand, do not have to worry about deleting emails when their quota is reached, because every email is stored for them in a central location, easily accessible via a web interface or through their email client (with the appropriate connector to the database).

While this addresses performance, storage and data loss issues, email archiving also makes the legal department happy because they know that all corporate email is stored in a central repository, is secure and easily searchable.

Email archiving is one element of your email management strategy. There are other important steps such as implementing antivirus and anti-spam at the gateway and on the Exchange Server.

In this post we have outlined how email archiving is a fundamental tool for administrators to manage their email infrastructure and to comprehensively deal with email storage issues, email compliance and e-Discovery, business records, and Exchange server performance.

This guest post was provided by Christina Goggi on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on email management.

All product and company names herein may be trademarks of their respective owners.


September 26, 2011

ACH email scams now using links to malware exploit sites

Over the last couple of weeks there has been a huge spam run with fake ACH canceled transaction notices, all of which came with malware inside attached files. Recipients were urged to open these files to read the failed transaction report. Effective 9/26/11, the same message text is being re-used, with the exception of how the victim is supposed to read the "Transaction Report."

Now, instead of sending malware directly as attached files, the criminals behind this scam are providing links to read the "Transaction Report" at the "Nacha.org" website. At least, that is what the links show to the casual observer. If one hovers over these links, they learn that the destination is not nacha.org, but a totally different website name. All of the domain names used in the spam run I saw today (9/26/2011) were registered today, with a company calling itself: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE. Most of the domains are not resolving at this time, but at least one is. That malware serving site is at na-chas-data-info DOT com (do not go there with a standard browser!).

Upon landing on this still active website, hosted on Yahoo.com, the victim sees a fake "NACHA - ACH Transfer Rejected" titled page. Unknown to the victim, a hidden iframe is hijacking the browser away from that fake notice to a server that attacks the browser with the BlackHole Exploit Kit. That server is at: "huntcheerful.com" - hosted at p8p.geo.vip.sp2.yahoo.com.

UPDATE:
As I was typing this the malware account at huntcheerful.com began serving a 503 Service Unavailable notice. I guess that somebody at Yahoo finally read my SpamCop reports against this domain.

It appears that the six domains I reported earlier today have all been taken offline. However, the people behind this scam will keep registering new cheap domain names and will continue to abuse legitimate web hosts to serve malware to as many people that they can trick into clicking on those links.

To protect yourself, your family, and/or employees, inform them that the US NACHA organization does not ever contact the public about any failed "ACH" transactions. Neither does anything going by the name ACH ever contact people whose transactions didn't go through. Only your bank will contact you if your check, deposit, or money transfer fails.

Any email about a failed ACH transaction, not coming from your known bank, is a fake and a scam and should be deleted on sight. If someone at your business receives such a notice and isn't sure if it is legitimate, call your bank and ask if a recent transaction has failed, or been canceled by the other party. In 99% of the calls they will tell you no such thing has occurred.

You can add a layer of protection to your email users by creating rules that block all emails claiming to be sent from nacha.net, nacha.org and nacha.us. If you are able to create wildcard rules, block all email from any address at nacha.anything. The email screening program MailWasher Pro, which I use, utilizes regular expressions to blacklist email senders, based on what is listed in the "From" field. The rule I use to block anything from any sender @ nacha.anything is: +@nacha.+

In addition to using blacklisted senders, MailWasher also uses custom filters, which I happen to publish for others to use. A couple of my MailWasher filters already detect, flag and or auto-delete these scams.

For those who have not yet seen these ACH scam emails, here is what one contains in the subject and viewable message body.

Subject:
ACH Payment 6911592 Canceled

From:
"ach 01" <[email protected]>

Body Text:

ACH Payment Canceled

The ACH transaction (ID:21414767 ),
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

Rejected transaction
Transaction ID: 21414767

Transaction Report: www.nacha.org/reports/index.php?number=21414767

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100
2011 NACHA - The Electronic Payment Association

The link shown above is just what the authors want you to see. The actual link led to: na-chas-data-info.com - which has just been taken offline. Hopefully, you were not one of the victims of this malware attack.

If you, a relative, or an employee did click on that link, or a similar link, consider that computer to be botted and Trojanized. It should be taken offline and disinfected with the best anti-malware program you have, or can afford.


September 25, 2011

Spam continues to decline in percentage & threat level

Since last Sunday night, Sept 18, my incoming percentage of spam email has dropped slightly, from 36% to 35%. This makes 4 weeks in a row of small, yet steady decreases in spam. Furthermore, the amount of malicious attachments has taken a drastic downturn from the previous few weeks.

With the welcome decline in the number of malware laden attachments, what is left is standard junk email for prescription drugs, illegal to import into the USA, sold without a prescription, from Russian and Ukrainian domains. Also there were many male enhancement (Max-Gentleman) and weight loss scams (pushing HCG pills), as well as the usual batch of fake Viagra and Cialis. Again, these are prescription drugs, and even though they're counterfeit, they are illegal to import into the USA from abroad. There were even a few spam emails selling fake diplomas and a bunch of Nigerian lottery and inheritance 419 scams.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 19 through 25, 2011 (compiled at about Midnight)

Total email received: 440
Amount classified as spam: 155
Percentage of spam: 35%
Number matched by my custom filters: 140
Number caught by my Blacklist: 11
Number identified by DNS Blacklists: 4
Reported to SpamCop: 38

Individual categories of spam follow...

Percentages of spam by category of filter.

Pharmaceutical Spam: 21.80% (way up)
Male Enhancement: 21.80% (up)
.RU, .RO, or .UA links: 9.77% (up)
My Custom Blacklist: 8.27% (down)
Counterfeit Watches: 8.27% (down)
Miscellaneous filters: 5.26% (down)
Nigerian 419 Scams: 5.26%
Weight Loss scams (HCG): 4.51% (way down)
Cialis (counterfeit): 4.51% (way down)
Diploma Scams: 4.51% (way up)
DNS Blacklisted Email Servers: 3.01% (up)
Lottery Scams: 1.50% (new this week)
Email Addresses For Sale (old Spammers selling to wannabe Spammers): 1.50%

Updates to my Custom MailWasher Filters:

Pharmaceuticals [S],
Unlicensed Prescription Drugs

New Blacklist entries:
*@fdic.gov (apply this blacklist wildcard rule to block current FDIC scams)

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


September 22, 2011

Domain suspended email notice contains malware attachment

Today I saw something new to me in the spam-containing-malware category. It was an email allegedly from one account on my own domain, sent to another existing account on my domain, notifying me that my domain had been suspended! FAIL!

Keep in mind as you read this, that I received this scam email from one of the email accounts on the supposedly suspended domain! I am posting about it on my blog, which is also hosted under the same domain name! A simple check for my home page shows that it is still up and running. Obviously, the email was a scam, attempting to panic me into opening the attached file. Not going to happen Boris!

Here, for both your amusement and to warn other domain/website owners about the scam, are the significant details from the normally hidden headers.

Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <[email protected]>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
Content-Type: text/plain; charset=iso-8859-2

Here is what I saw when I examined the source code in the message body:

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.

jZKlDtiul,
tFJLfI wSMDlTD

------------F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"

Let's examine these items, one at a time, and see what they reveal about this message. You can apply the same techniques should you be a domain owner and receive a similar email scam.

First, let's look at the incoming email headers:
FAIL #1:
Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200

This tells me that the email was not sent by my web hosting company, nor my domain's Registrar, but by a "home" user in France, using Wanadoo.fr as their ISP (+0200 is the timezone for France). My web host is located in the Mountain time zone in the USA, which is -0700. Furthermore, my Registrar is located in -0800.

Fail #2:
Message-ID: <[email protected]>

The above line confirms that the email was sent from Wanadoo.fr, in France, not Bluehost, in the USA.

FAIL #3:

Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net

The subject tells me that my domain, Wizcrafts.net has been suspended and that the message about it was forwarded from someone else to me. This would never happen in a real suspension notice. The web host or domain Registrar sends such a notice directly to the account owner. They would not forward it.

Next, look at the From, reply-to and To lines. They are all accounts on the very same domain that was supposedly suspended! Big FAIL!

FAIL #4:

Content-Type: text/plain; charset=iso-8859-2

That character set is assigned for users in Eastern Europe, most notably in Latvia and surrounding countries. The rest of the message body would need to be read in an email client configured to render character code 8859-2, or it would read as gibberish.

So, how did the important suspended domain notice appear when I looked in the Body section?

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.

jZKlDtiul,
tFJLfI wSMDlTD

As expected, Gibberish!

So, how was I supposed to be exploited by this email? Why, it has an attachment! If I could have read the gibberish it would have instructed me to open the attached file to learn why my domain was suspended. Doh!

Here's the payload:

Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"

Needless to say, I did not open that zipfile. It contains either a botnet installer, Trojan downloader, fake AV, or the Zeus banking Trojan. I don't live in Troy and don't accept unexpected Trojan Horses from Latvians bearing gifts. Neither should you!
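The header checks walked through above can be automated. The Python script below is an added example, not code from the original post: it rebuilds the quoted headers as a constructed sample (REMOVED placeholders kept, a dummy base64 string standing in for the attachment body) and applies FAIL #1 through #4 plus the attachment check. It assumes, as the post states, that a genuine notice would originate in the -0700 or -0800 zones, and it treats any charset outside us-ascii, utf-8 and iso-8859-1 as unexpected; both sets are parameters a reader would adjust for their own host and registrar. The "hosting-provider.example" domain in the usage line is a placeholder.

```python
import re
import email
from email import policy

# Constructed sample built from the headers quoted in this post. Local parts and the
# Message-ID local part are REMOVED placeholders; the attachment body is a dummy
# base64 string, not the real payload.
RAW_MESSAGE = """\
Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <REMOVED@smtp.wanadoo.fr>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
Content-Type: multipart/mixed; boundary="F0C3F295E295E05"

--F0C3F295E295E05
Content-Type: text/plain; charset=iso-8859-2

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?

--F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--F0C3F295E295E05--
"""

# Assumptions taken from the post: a genuine notice would come from the web host
# (-0700) or the registrar (-0800), and an English notice would use a Western charset.
EXPECTED_ZONES = frozenset({"-0700", "-0800"})
EXPECTED_CHARSETS = frozenset({"us-ascii", "utf-8", "iso-8859-1"})
RISKY_ATTACHMENT_EXT = (".zip", ".exe", ".scr", ".rar")


def domain_of(addr):
    """Lower-case domain part of an address or Message-ID, '' if there is none."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in addr else ""


def analyze_notice(raw, own_domain, trusted_domains=frozenset(),
                   expected_zones=EXPECTED_ZONES, expected_charsets=EXPECTED_CHARSETS):
    """Apply the post's FAIL #1-#4 checks plus the attachment check; return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    own_domain = own_domain.lower()
    findings = []

    # FAIL #1: the timezone stamped on each Received hop
    for hop in msg.get_all("Received", []):
        m = re.search(r"([+-]\d{4})\s*$", str(hop).strip())
        if m and m.group(1) not in expected_zones:
            findings.append(f"received-timezone:{m.group(1)}")

    # FAIL #2: the Message-ID names the server that really injected the mail
    mid_domain = domain_of(str(msg.get("Message-ID", "")))
    if mid_domain and not any(mid_domain.endswith(d.lower()) for d in trusted_domains):
        findings.append(f"message-id-domain:{mid_domain}")

    # FAIL #3: an official notice is never a forward, and it does not come from
    # addresses on the very domain it claims to have suspended
    subject = str(msg.get("Subject", ""))
    if re.match(r"\s*fwd?:", subject, re.IGNORECASE) and "suspend" in subject.lower():
        findings.append("forwarded-suspension-notice")
    header_domains = {domain_of(str(msg.get(h, ""))) for h in ("From", "Reply-To", "To")}
    if header_domains == {own_domain}:
        findings.append("all-addresses-on-suspended-domain")

    # FAIL #4 and the payload: odd charset on the text part, risky attachment type
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = (part.get_content_charset() or "us-ascii").lower()
            if charset not in expected_charsets:
                findings.append(f"unexpected-charset:{charset}")
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"risky-attachment:{name}")
    return findings


if __name__ == "__main__":
    # "hosting-provider.example" is a placeholder for your real host's mail domain.
    for finding in analyze_notice(RAW_MESSAGE, "wizcrafts.net", {"hosting-provider.example"}):
        print(finding)
```

Run against the sample, the script reports all six problems the post found by hand. A real notice from your host would still trip the Message-ID check unless you list the host's mail domain in trusted_domains, which is the point: the script tells you where the mail really came from, and you decide whether that origin is one you expect.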

If you receive such a fake warning, forward it to SpamCop, then delete it.


New twist in malware threats in email attachments - Sept 22, 2011

While checking incoming email today, I received some new variations of recent malware threats, in email attachments. Upon examining the source code I found that some are variations of the previous FDIC (Federal Deposit Insurance Corporation) warnings, directly related to the previous few weeks of scams for ACH (Automated Clearing House) canceled transaction notices.

The new scams have the Subject: FDIC message center

There is a new twist to the FDIC scams, which I saw for the first time, today, September 22, 2011. Instead of actual text, they are now using an embedded image to convey a message meant to scare recipients into opening the attached file. This image looks like it might be sent from the FDIC, complete with official logos. Rest assured it is a Photoshopped image, containing words directing victims to open the hostile attachment.

The wording on the first captured FDIC scams of 9/22/11 read as follows:


Dear Customer,
Your account ACH and WIRE Transaction have been temporarily suspended for security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.

As soon as it is setup you transaction abilities will be fully restored.

Best regards, Online Security department, Federal Deposit Insurance Corporation.


The reason that the message is conveyed by an image is to get these scams past email spam filters, which work by identifying spam words. Since there are no actual text words, many of these scams will be delivered.

Presently, the malware attachment is named "FDIC information" - without any extension. This is an error on the part of the people who composed this template. Rest assured, there is a malware payload inside the attached file, which weighs in at 28,822 bytes. I am certain that the next batch of these scams will contain an extension, such as .pdf, .zip, or .pdf.zip, like the scams of the previous few weeks.

More information about the image-only FDIC scam.

The sender, From, is "no reply" <[email protected]>

The Subject is: FDIC message center

The second Received from line is forged to read:
Received: from fdic.gov ([192.147.69.84]) ...

The actual point of delivery is not that FDIC email server, but the one listed above it. In one case, this email was sent from a computer located at this address in India:
Received: from [122.175.154.80] (helo=ocxdv.com)

Here is the Whois information for that IP address (122.175.154.80):

inetnum: 122.169.0.0 - 122.175.255.255
netname: BHARTI-IN
descr: BHARTI Airtel LTD.
descr: ISP Division , Transport Network Group
descr: 234 , Okhala Phase III
descr: NEW DELHI
descr: INDIA
country: IN

Further, we can break down the narrow CIDR that this IP belongs to, as follows:

route: 122.175.154.0/24
descr: ABTS-MP-DSL-BPL
descr: ABTS MP,
descr: 1 Malviya Nagar,
descr: Bhopal
descr: Madhya Pradesh
descr: INDIA
country: IN

The details suggest that the email was sent from a DSL customer in Bhopal, India, whose computer was infected by a similar scam email, which the owner was fooled into opening. That computer is part of the botnet that is sending out these scams.
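As an added example that is not part of the original post, the Python script below does what the post does by hand with the Received chain: only the topmost hop, stamped by the receiving server, is trusted; the bracketed IP in that hop is taken as the real origin; and any lower hop naming the claimed domain is counted as forged. It also turns the Whois inetnum range into CIDR blocks and checks the delivering IP against the /24 quoted above. The two Received lines, the Whois range and the /24 come from the post; the receiving server's name, the timestamps and the REMOVED local part in the sample are placeholders I constructed.

```python
import re
import ipaddress
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the two Received lines quoted in this post, in raw-message order
# (the top one was stamped last, by the receiving server). The receiving server's
# name and the timestamps are placeholders; the From local part is REMOVED.
RAW_HEADERS = """\
Received: from [122.175.154.80] (helo=ocxdv.com)
\tby mail.receiving-server.example with esmtp; Thu, 22 Sep 2011 10:00:00 -0700
Received: from fdic.gov ([192.147.69.84])
\tby ocxdv.com; Thu, 22 Sep 2011 22:00:00 +0530
From: "no reply" <REMOVED@fdic.gov>
Subject: FDIC message center

"""

# IPv4 literal in square brackets, as MTAs write the connecting peer's address
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_origin(raw, claimed_domain):
    """Trust only the topmost Received hop. Report the delivering IP, the indexes of
    lower hops that name the claimed domain (forged by the sender), and the From domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [str(h) for h in msg.get_all("Received", [])]
    match = BRACKETED_IP.search(hops[0]) if hops else None
    forged = [i for i, hop in enumerate(hops) if i > 0 and claimed_domain.lower() in hop.lower()]
    from_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    return {
        "delivering_ip": match.group(1) if match else None,
        "forged_hops": forged,
        "from_domain": from_domain,
    }


def cidrs_for_range(first, last):
    """Express a Whois inetnum range (first - last) as the minimal list of CIDR blocks."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def ip_in_block(ip, cidr):
    """True if the address falls inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    result = trace_origin(RAW_HEADERS, "fdic.gov")
    print(result)
    print(cidrs_for_range("122.169.0.0", "122.175.255.255"))
    print(ip_in_block(result["delivering_ip"], "122.175.154.0/24"))
```

The design point is the trust boundary: every Received line below the one your own server wrote was supplied by the sender and can say anything, which is why the forged "from fdic.gov" hop sits second, not first. The inetnum conversion shows that the Whois block the post quotes spans three CIDR prefixes, while the narrower route object is the single /24 that the delivering IP actually falls in.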

The purpose of the FDIC and ACH scams is to deliver multiple types of malware onto your computer. The payloads downloaded once this type of Trojan Horse is executed include: the Zbot, aka Zeus banking Trojan; the Bredolab botnet installer; fake anti-virus or system scanners (scareware); a rootkit to make the malware survive a reboot; a malware downloader; and a "proxy server" that allows criminals to use the infected PC to anonymously browse the contents of other infected computers.

I hope that this article saves somebody out there from being tricked into opening the attachments in these and similar email scams. If you were tricked into opening such an attachment, even if you didn't notice anything bad going on, your PC may be compromised and may now be a zombie in a criminal spam and attack botnet. Your banking credentials may be stolen the next time you log onto your bank, or PayPal, or your website control panel. You should scan it for viruses, malware, key loggers, bots and rootkits, using your installed anti-virus program, after updating the definitions.

If your anti-virus program doesn't find anything amiss, or if you don't have any anti "malware" programs installed, you can download Malwarebytes' Anti-Malware (MBAM), install it, update it and scan for bad stuff. It removes anything it identifies for free. But, you may need to disable System Restore, then reboot, then rescan with MBAM. It is free to use manually (check for updates, then scan, then act).

If MBAM finds and removes threats from your computers, consider licensing it for about 25 bucks for lifetime program updates, automatic frequent definitions updates, scheduled fast scans and automatic real time protection against known bad-ware downloads. I am an affiliate for Malwarebytes' Anti-Malware, as well as a user. You can read about the program, download the latest version and register it online, via my affiliate links, on my Malwarebytes' Anti-Malware web page. Thanks in advance ;-)

If you lack anti "virus" protection, check out the legitimate products advertised throughout my blog and other web pages. Most offer a free trial for so many days. If you choose to install free anti-malware programs, make sure you update them frequently, set them to watch as you download or open files, and manually do a quick scan every night, before you shut down the PC, or go to bed.


September 18, 2011

Spam volumes remain high, but are declining

For the second week in a row, I have seen a decline in the overall volume and percentage of spam email. While the percentage is still high, at 36%, it is down 3% from last week. Most spam for counterfeit drugs, fake diplomas, Nigerian 419 scams and replica watches is profit driven by the suckers who respond to spammers' come-ons. But, a large amount is still coming in containing malware in attachments.

The weekend of September 12 through 18 saw a temporary decline of a prolonged spam run for fake ACH failure notices, all containing the Zeus/Zbot Trojan, but it picked back up mid week. Added to the mix of hostile attachments were emails claiming to be invoices and changelogs. They also contain the Zbot banking Trojan and botnet installers.

I obtain my spam statistics from the anti-spam program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 11 through 18, 2011

Total email received: 426
Amount classified as spam: 155
Percentage of spam: 36%
Number matched by my custom filters: 129
Number caught by my Blacklist: 21
Number identified by DNS Blacklists: 4
Reported to SpamCop: 19

Individual categories of spam follow...

Percentages of spam by category of filter.

Male Enhancement: 15.58% (down)
My Custom Blacklist: 13.64% (up)
Counterfeit Watches: 11.69% (up)
Weight Loss scams (HCG): 9.74% (up)
Cialis (counterfeit): 9.74% (up)
Pharmaceutical Spam: 7.79% (down)
Miscellaneous filters: 7.14% (up)
Zip Attachments (Zbot/Zeus Trojan): 6.49% (down)
.RU, .RO, or .UA links: 6.49% (down)
Software Spam (pirated "Whirl Wind Software," on Ukrainian domains): 5.19% (down)
DNS Blacklisted Email Servers: 2.60% (up)
Diploma Scams: 1.95% (up)
Loans: 1.95% (new this week)

Updates to my Custom MailWasher Filters:

ACH Fraud,
Webmail Phishing Scam
New Filter: Russian Pharmacy

New Blacklist entries:
No new addresses. But, the .DE (Germany), Russian and nacha.org wildcard blacklist entries have proved very effective in auto deleting a lot of spam this past week.

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


September 15, 2011

Return of fake ACH & invoice emails with malware in attachments

Earlier this week I noted that the spate of fake ACH transaction canceled spam emails had subsided. Well, no time off for crime fighters. They returned today, along with some fake invoices and "changelogs" in spam messages, sent from infected computers in spam botnets.

My email spam-screening program is MailWasher Pro, which uses a combination of several tactics to determine if an incoming message is good or bad, friend or foe. The program allows users to compose their own spam detection filters, based upon various criteria found in email messages; some hidden, some visible. I write and publish filters for MailWasher Pro users and some of the most effective filters right now are the ones that detect ACH scams and emails with Zip file attachments.

All of the ACH fraud messages, along with the fake invoices and changelogs, contain malware downloaders inside the attached files. Anybody running a Windows computer who misguidedly opens the attached zip file and its enclosed .pdf.exe file, will have a botnet Trojan downloader installed within seconds. This downloader then goes to work, behind the scenes, to download and install other malware, including the infamous Zbot, aka Zeus bank credential stealing Trojan.

The subjects and come-ons used in this latest spam run are listed below, in my extended comments.

ACH Fraud emails:

Varied Subjects:
ACH Payment 19892343 Failed
ACH Payment 93454967 Rejected
ACH NOTIFICATION

Sample of Body Text:
The ACH transaction (ID: 93454967), recently sent from your bank account (by you or any other person), was rejected by the Electronic Payments Association.

Reason of rejection See details in the report below
Transaction Report report_1509.pdf.zip (ZIP archive, Adobe PDF)

2011 NACHA - The Electronic Payments Association


Another ACH Fraud Body Text: Please, be informed that some financial body cancelled your ACH transaction (ID: 44510732), lately started by you or another person from your check account.

Rejected transaction Transaction ID: 8574210513218 Reason for rejection: See details in the attachment Transaction Report: report_082011-65.pdf.exe (self-extracting archive, Adobe PDF)


Fake Invoice and Changelogs:

Subject: Re: FW: End of Aug. Statement
Body Text: Hi, as reqeusted I give you inovices issued to you per sept.Regards
Attachment: Invoices_09.11.11_c.zip

Subject: Re: Changelog 08.23.11
Body Text: Good day, as promised chnglog attached,
Attachment: changelog_09152011_Y2702.zip

Subject: Re: Changelog as promised 08.23.2011
Body Text: Good morning, changelog attached,
Attachment: log_09152011_o75993.zip

Subject: Re: Your Changelog 08.23.2011
Body Text: Hi, as promised changelog,
Attachment: change_09152011_V046.zip
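The attachment names listed above share a pattern: a decoy document extension in front of .zip or .exe, and an .exe inside the zip. As an added example that is not part of the original post, the Python script below builds such archives in memory with placeholder bytes (no real malware; the content merely starts with the "MZ" signature a Windows executable carries) and flags the tricks before anything is opened: a decoy double extension on the attachment, a bare executable attachment, an executable entry inside a zip, and an entry whose first two bytes are "MZ". The inner file names are my constructed guesses; the post names only the outer attachments and the .pdf.exe inside the ACH zip.

```python
import io
import re
import zipfile

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# A document/image extension immediately followed by an archive or executable one
DECOY_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|png|txt)\.(zip|exe|scr|rar)$", re.IGNORECASE)


def build_sample_zip(entries):
    """Build a zip in memory from {name: bytes}; used only to construct the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples shaped like the attachments listed above. The inner names are
# guesses (the post names only the outer files and the .pdf.exe inside), and the
# bytes are placeholders that merely start with the 'MZ' executable signature.
SAMPLE_ATTACHMENTS = {
    "report_1509.pdf.zip": build_sample_zip({"report_1509.pdf.exe": b"MZ placeholder"}),
    "Invoices_09.11.11_c.zip": build_sample_zip({"Invoices_09.11.11_c.exe": b"MZ placeholder"}),
    "holiday_photos.zip": build_sample_zip({"beach.jpg": b"\xff\xd8\xff placeholder"}),
}


def inspect_attachment(name, data):
    """Flag the naming and packaging tricks without executing anything. Returns a list
    of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if DECOY_EXT.search(name):
        findings.append(f"decoy-extension:{name}")
    if name.lower().endswith(EXECUTABLE_EXT):
        findings.append(f"executable-attachment:{name}")
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = info.filename
                if inner.lower().endswith(EXECUTABLE_EXT):
                    findings.append(f"executable-in-zip:{inner}")
                with zf.open(info) as fh:
                    # Windows PE files begin with the two-byte 'MZ' marker
                    if fh.read(2) == b"MZ":
                        findings.append(f"pe-header-in-zip:{inner}")
    return findings


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, "->", inspect_attachment(name, data) or "clean")
    print(inspect_attachment("report_082011-65.pdf.exe", b"MZ placeholder"))
```

Listing the zip's directory and reading two bytes of each entry is safe because nothing is extracted or run; the photo archive comes back clean, which is the check that keeps such a filter from blocking every zip a user legitimately receives.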


I pray that none of my readers have fallen for these scams. I try my best to keep you aware of email threats targeting innocent Netizens every day. Chance favors the prepared mind. If you make yourselves aware of the nature of these recurring scam email messages and the types of attachments and file names they use, chance will favor you to not become curious enough to open the infected payloads in them. If you pay attention to my warnings and those of other cyber cops, your mind will be prepared to mentally flag these types of scams instantly. You will delete them on sight, or create spam rules to delete them for you. You will avoid becoming another victim of bank account stealing Trojans. Your computer will not become a zombie member of the spam botnet that sends out these fraudulent messages.

On the other hand, if you have opened one of these ACH scams, or a fake invoice, or changelog, or a fake Xerox scanned document (from previous spam runs), your computer (Windows) is most likely botted. You need a really good, legitimate anti malware program to detect, halt and remove the various components of these botnet and banking Trojans and the "rootkit" protecting them. I use and recommend Trend Micro Titanium Internet Security and also, Malwarebytes' Anti-Malware to secure my PC from hostile links and malware in email, and to block malware and viruses from being installed in the first place.

Hint! If you don't routinely receive legitimate email attachments, you can turn off downloading attachments in your email program. In Windows Live Mail (and the old Outlook Express), there is an option under "Options > Safety Options > Security" labeled as follows: "Do not allow attachments to be saved or opened that could potentially be a virus." Place a check mark on the left of that option. While you are in the security tab, it is a good idea to also check the option labeled: "Restricted sites zone (More secure)." Then go to the bottom of the page and click Apply, then OK.

If you enable the option to not allow attachments to be opened or saved, and subsequently receive a legitimate attached file, like a photo, or other expected attachment, you can close that email, then return to the Safety Options > Security tab, and uncheck the option "Do not allow attachments to be saved or opened that could potentially be a virus" and apply the change. Open that email again and you will be able to download, view or save the attached file.

If you uncheck that option you should make certain you have top notch security software installed and up to date, and hopefully watching your email for threats.

After you save or view a desired attachment you can re-check the option to disallow this behavior. It's a bit of a hassle, but nowhere near the hassle of getting infected by botnet and banking Trojans, or even fake anti-virus scareware programs.

As I mentioned earlier, I use and recommend MailWasher Pro to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client. Check it out if you haven't already done so.


September 12, 2011

Spam down slightly, as ACH and Facebook scams play out

After peaking two weeks ago, the volume and percentage of spam in my Inbox has declined again by 2%, to 39%. While most email spam is for counterfeit pharmaceuticals and watches, much of the spam over the past few weeks has contained malicious attachments, or links to exploit attack websites.

The weekend of September 9 through 11 finally saw the (temporary) end of a prolonged spam run for fake ACH failure notices, all containing the Zeus/Zbot Trojan, as well as the almost month long campaign of fake Facebook Friend Requests (with Arabic names in the subject). Those emails were scams and had links to a website that contained both on-page and hidden codes leading to serious malware infections, including the Zbot.

The purpose of the malware attachments and hostile link spam blasts was to infect unsuspecting computer users with key loggers that steal their online banking credentials (and all their money), and to install botnet remote control backdoor software on them.

See my recent posts (listed in the right sidebar) during August and early September, 2011, about the ACH and Facebook scams leading to botnet infections. They, and other articles like them, are also found in my "Spam" category listings.

I use the anti-spam program MailWasher Pro to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 5 through 11, 2011

Total email received: 440
Amount classified as spam: 172
Percentage of spam: 39%
Number matched by my custom filters: 155
Number caught by my Blacklist: 14
Number identified by DNS Blacklists: 3
Reported to SpamCop: 10

Individual categories of spam follow...

Percentages of spam by category of filter.

Male Enhancement: 26.16% (up)
Pharmaceutical Spam: 11.05% (no change)
Zip Attachments (Zbot/Zeus Trojan): 8.72% (no change)
Cialis (counterfeit): 8.72% (down)
.RU, .RO, or .UA links: 8.14% (up)
My Custom Blacklist: 8.14% (up)
Software Spam (pirated "Whirl Wind Software," on Ukrainian domains): 7.56%
Counterfeit Watches: 6.40% (down)
Miscellaneous filters: 5.81% (up)
Weight Loss scams (HCG): 3.49% (down)
Viagra (counterfeit): 2.33%
Diploma Scams: 1.74%
DNS Blacklisted Email Servers: 1.74% (n.c.)

Updates to my Custom MailWasher Filters:

Cialis,
Hidden ISO Subject,
Watches

New Blacklist entries:
No new addresses. But, the .DE (Germany) blacklist entry has proved very effective in auto deleting a lot of pirated software spam. Here's the rule: +@+.de

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


September 4, 2011

Spam % remains high, with malware attachments & hostile links

For the second week in a row, my volume and percentage of spam have passed 40%. This week I saw 41%, which is down just 2% from the week before. Notably, much of the spam either contained malware in attachments, or had links leading directly to malware exploits.

There were two specific classes of malware threats this week, carried forward from last week: (1) the ACH "canceled payment / transaction under review" scams, carrying the Zbot/Zeus banking Trojan, and (2) fake Facebook Friend Requests, leading to the BlackHole Exploit Kit, plus the Zbot and botnet installers. The preceding links are to articles I have already written, explaining these threats and how you can identify them and deal with them.

While the ACH scams seem to have subsided, the Arabic name Facebook Friend Request threats are still persisting, as of the time I published this.

In a nutshell, from August 29, through September 4, I logged the following spam statistics, using MailWasher Pro, by Firetrust.

Total email received: 431
Amount classified as spam: 181
Percentage of spam: 41%
Number matched by my custom filters: 168
Number caught by my Blacklist: 13
Number identified by DNS Blacklists: 0
Reported to SpamCop: 17

Individual categories of spam follow...

Percentages of spam by category of filter.

Counterfeit Watches: 14.92% (Leader for 2 weeks)
Fake Facebook Friend Requests (Arabic names): 13.81% (Up by over 10%)
Male Enhancement: 12.15% (About the same as last week)
Pharmaceutical Spam: 11.60% (+3%)
Weight Loss scams (HCG): 11.05% (+2%)
Cialis (counterfeit): 9.39% (-2%)
Zip Attachments (Zbot/Zeus Trojan): 8.29% (Double last week!)
My Custom Blacklist: 7.18% (+5%)
Misc filters: 4.97%
.RU, .RO, or .UA links: 3.31% (No change)
Known Spam Subjects: 2.21%
URL Shortener Spam Link: 1.10%

Updates to my Custom MailWasher Filters:

.Info Sender - in Images and Links,
Known Spam Subjects #4,
Software Spam

New Blacklist entries:
*@nacha.+
*@yourfanbox.com

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


September 2, 2011

ACH email scams with malware in attachments continue

Earlier this week there was a drop off of the previous spam run of fake ACH Payment Canceled emails, all loaded with malware inside their attached files. They were replaced by a blast for FDIC scams. Now, the ACH scams have returned, with a vengeance.


The new subject in today's spam blast is: ACH Transfer Review. The forged sender is an account name like this: ach [email protected]. The body text is as follows:

Dear Client,
ACH transfer (ID:) is going to be reviewed because of the incorrectly input data
when sending the payment.

Important:
Please, fill in the application form attached attentively and send it to us.
After that your transfer will be processed.

If you have any questions or comments, contact us at [email protected].
Thank you for using www.nacha.org

(NAME REMOVED)
NACHA Risk Management Services

The attached "form" is currently named: "form-62091.zip" and it contains a Trojan Horse (currently Zbot, a.k.a. Zeus) that will infect your computer with malware that intercepts keystrokes when you log into a bank, or other financial organization being targeted by the perpetrators. It then sends your login credentials to the criminals who are renting the botnet, whose member computers are sending these scams to you and everybody else. Some variants of the ACH scams actually install a botnet (currently "Bredolab") controller, which then downloads the other bad stuff to your PC, and possibly to your networked PCs.

The email claims to come from the headquarters of ACH, but the headers show something different. Look at these three "Received:" lines, obtained from three different spam emails today:


Received: from [115.118.159.231] (helo=cgorq.com)
Received: from [178.123.157.77] (helo=sqibyat.com)
Received: from [187.117.248.91] (helo=hcyayyax.com)

The IP 115.118.159.231 belongs to TATA Communications, in India. The IP 178.123.157.77 is assigned to The Republic of Belarus. Last, 187.117.248.91 belongs to someone with a hacked computer in Brazil. The real ACH payment system is managed by Nacha.org, a US based company, whose servers are here, in the USA. NACHA stands for: National Automated Clearing House Association.
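The header check described above can be automated. The following is an added example, not the post's own tooling and not MailWasher filter syntax: it parses each "Received:" line for the relay IP and HELO name, flags any hop whose HELO name does not belong to the domain the From header claims, and reports .zip attachments. The sample message is constructed; the Received line and attachment name mirror the ones quoted in the post, while the sender local part and the receiving host are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not a real capture. The Received line and the
# attachment name mirror the post; the sender local part and the "by" host are made up.
SAMPLE = (
    "Received: from [115.118.159.231] (helo=cgorq.com)\n"
    "\tby mx.example.invalid with esmtp; Fri, 02 Sep 2011 09:12:44 -0400\n"
    "From: ach <ach-alert@nacha.org>\n"
    "Subject: ACH Transfer Review\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Dear Client, ...\n"
    "--b1\n"
    'Content-Type: application/zip; name="form-62091.zip"\n'
    'Content-Disposition: attachment; filename="form-62091.zip"\n'
    "\n"
    "UEsDBAo=\n"
    "--b1--\n"
)

# Matches the "from [ip] (helo=name)" shape of the Received lines quoted in the post.
HOP_RE = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] \(helo=([^)]+)\)")


def received_hops(msg):
    """Return (ip, helo) pairs from every Received header, outermost first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        # Unfold the header (continuation lines start with whitespace).
        m = HOP_RE.search(" ".join(hdr.split()))
        if m:
            hops.append((m.group(1), m.group(2).lower()))
    return hops


def sender_domain(msg):
    """Domain part of the From address, e.g. 'nacha.org'."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def helo_matches(helo, domain):
    """True when the HELO name is the claimed domain or a host under it."""
    return helo == domain or helo.endswith("." + domain)


def zip_attachments(msg):
    """Filenames of attachments ending in .zip, the carrier used in this spam run."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(".zip")]


def assess(raw):
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    flags = []
    for ip, helo in received_hops(msg):
        if not helo_matches(helo, domain):
            flags.append(f"helo-mismatch: {helo} ({ip}) relayed mail claiming to be from {domain}")
    for name in zip_attachments(msg):
        flags.append(f"zip-attachment: {name}")
    return flags


if __name__ == "__main__":
    for flag in assess(SAMPLE):
        print(flag)
```

A HELO name that does not belong to the claimed sender domain is not proof of forgery on its own (legitimate mail is often relayed through third-party hosts), but combined with a .zip attachment and a sender that never emails end users it is a strong signal.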

The real NACHA does not send email alerts to individual bank customers. It only deals with the banks and credit unions themselves. Unless you work for a bank, or credit union, you should never ever receive any email from nacha.org (or nacha.us, .net, or .com).

Since February 2011, NACHA has been the victim of sustained and evolving phishing attacks in which consumers and businesses are receiving emails that appear to come from NACHA. The attacks are occurring with greater frequency and increased sophistication. Perpetrators are sending these fraudulent messages to email addresses globally.

These fraudulent emails typically make reference to an ACH transfer, payment, or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the email recipient. The source addresses and contents of these fraudulent emails vary -- with more recent examples purporting to come from actual NACHA employees and/or departments -- and often including a counterfeit NACHA logo and the citation of NACHA's physical mailing address and telephone number.

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.

So, you now have been educated to understand that Nacha will not be sending you any emails concerning any ACH transactions. That can only come directly from the bank, or credit union you deal with, and only if you have actually made or requested a money transfer recently. These scams are actually targeting the people responsible for paying invoices at large companies. Rather than specifically targeting these companies, spammers are blasting these scams out by the billions, across the entire globe.

I hope that this article saves you, my readers, from allowing curiosity to cause your computers to become infected with the Zeus/Zbot, or the Bredolab, or any other botnet software. When these scam emails arrive, delete them instantly. Don't open them to read the content. Furthermore, make sure you have the best anti-malware/anti-virus protection you can afford, installed and updated frequently, with new definitions located in the "cloud." Trend Micro and Norton Security products both use Cloud definitions to block newly discovered malware threats in the wild. Both include email scanners to stop you from foolishly infecting your computers by opening malware laden attachments.

Last, if you use MailWasher Pro to block spam and threats before they are downloaded to your email client, I write and publish custom spam filters, several of which detect and delete, or flag ACH, FDIC and other similar malware threats.


September 1, 2011

Tutorial on how to copy and paste text

Just the other day, a friend of mine posted a funny YouTube recording he made of his Grandma calling him with a computer usage question. She wanted to have him tell her what it meant to "copy and paste" something. While some may find the conversation humorous, others new to computers, or those who have never had to copy and paste before and are now faced with having to perform this operation, may want to know what this means and how it is done. I shall endeavor to explain it to you.

What does the phrase "Copy and Paste" mean?

Simply put, it is a technique used by a person using a computer, or hand held digital device (tablet, smart phone, e-reader), to highlight and save a section (or an entire page) of text (see "What is Text") to an electronic storage location in the computer's memory, then insert that copied text into another place where text can be added, on that device, or onto one which is connected to it by a network.

To my knowledge, most, but not all electronic devices or applications that display text, and which allow the use of a key pad or mouse type pointer, usually have a means of allowing the viewer to copy sections, or all of the text displayed on a page, or document, then paste it elsewhere. Exceptions include documents that are specifically copy protected for legal, copyright, or licensing reasons. Furthermore, the device must have some form of electronic memory to save such copied text, until it is pasted, or the device is powered off.

Note: If you read an article and want to copy and paste sections, or all of it to a publicly viewable web location, first read the copyright notice that is usually at the bottom of every web page which contains any copyrighted material. There are stiff fines that can be levied against persons who copy and post someone else's copyrighted articles without express written permission. Copyright holders who are concerned about their rights are able to find and trace content thieves and file charges against them for violation of the DMCA.

Then, Grandma asked my friend: "What is text?"

"Text" is the (combination of) letters, numbers, punctuation marks and spaces that form the human or "text-to-voice" readable words, prices, addresses, distances, ages, and other descriptions that can be read on a page, whether printed or electronic. This assumes that one has had "book learnin'!" Text is not images, or YouTube movies, or banners ads, or logos, or audio files. Text is what is used to cipher readin', writin' and 'rithmetic!

Let's get on with the copying and pasting...

What kinds of text might one want or need to copy and paste?

Copied text may be a complex product key, or serial number, which one must copy from a confirmation email, then paste into a registration input text field of a form, on a program they have just licensed to use. Most modern serial numbers and product license codes are too complex to memorize and type, unless you have a photographic memory!

Some people read news articles, then want to copy excerpts of text of particular interest and paste them into an email, or blog article and post it for others to read (be careful not to violate someone's expressed copyright notice). Adding a copied URL link to these news or blog articles is a very good idea. It might spare you from being sued.

"Copied" text remains in a reserved place (the Windows Clipboard) until you either "copy" another word or words, or until the machine is turned off, or restarted. Rebooting a computer flushes out everything that was saved in its RAM.

Since copied text is preserved until replaced, or the machine is powered down, you can also use Copy and Paste to repeatedly add some particular text, or a URL link, to a new document you are composing. Type, paste, type, paste, type...

Now that you have the basic concept of what it means to copy and paste text, let me show you how it is done.

How to Copy text on a standard desktop, or laptop/notebook/Netbook computer.

This paragraph assumes that you have a separate keyboard and mouse and that the mouse is either a finger touchpad, or a movable computer mouse, or a trackball device, sitting on the right side of the keyboard. I also assume that the left mouse button selects or activates links, while the right button opens an alternate options menu. Your buttons may be set up differently, to suit you. So, where I say to left click, use the button that is set up to select stuff, not the one that opens a flyout options menu.


  1. On the page you are reading, locate the words, or sentences, or paragraphs, or sections of text you wish to copy.

  2. Move your mouse or pointer with your right hand or fingers until it changes to a vertical bar and begins blinking at the very beginning of that section of text. Most mouse pointers will change shape to a vertical bar when you hover or click inside a section containing typed text.

  3. Click down on the left mouse/pointer pad button (right hand/finger), and do one of the following tasks:
    1. Still holding down the left mouse/pointer button, drag the pointer to the right, until you reach the end of the text you wish to copy.

    2. Or, after clicking once at the beginning of the text, press and hold down the SHIFT key on your keyboard, with a finger on your left hand. Let go of the left mouse button and move the mouse (or your finger on a touchpad) to the right (for Western alphabets), until you reach the end of your desired section of words. Then, click the left button again, which highlights all text between those two points.

  4. As you drag the pointer, the words and their background will change color to a reverse color scheme, usually to a blue background with white letters or numbers. (Words that are light letters on a dark web page will turn dark and be highlighted with a light background)

  5. If you over or under shoot the letters or numbers, move your pointer left or right, or up, or down a line, until all of the desired text has been highlighted, as described in the previous line.

  6. With the text highlighted, carefully, let go of the mouse/touchpad button (and the Shift key if you used it) with your fingers.

  7. Press the key combination: CTRL and C. (The key combination of CTRL+C copies selected (highlighted) text to a reserved place in the computer's RAM (memory), where it is temporarily saved for future use, in a paste operation, or repeated pastes.)


Where can one paste (insert) copied text?

In order for you to be able to "paste" text, your destination file, form, page, text editor, etc, must allow for pasting to be performed. Normally, a web page can be copied from, but, not pasted to. A program with a registration tab will have an input field, labeled with words to the effect: "License Key." Some programs force you to actually type or copy and paste groups of characters, one at a time. Others let you copy and paste the entire license code in one operation.

Text editors always allow pasting, unless the document has been set to "read only." If this happened, there will be a way to remove the read only attribute (not within the scope of this article). Form fields such as "text areas" allow one to paste in, unless the designer purposely coded them as read only. If you are allowed to post comments to, or write articles on a blog, you may paste copied text. The address or location bar in your web browser allows you to paste URLs you have copied elsewhere. Search boxes may be pasted into.

How to paste (insert) text:

Left click inside the input field, text editor document, blog composition or comment area, location/address bar, registration field, etc. This makes that page, field, box, or document have "focus." If you intend to "paste" text between other words, or between sentences or paragraphs, left click at the point where you want your text inserted. Now, press the keyboard or keypad combination: CTRL and V. Your copied text will be pasted into that location. If you need to add more space between it and the preceding or succeeding paragraphs, use the Enter (1 line more) or Delete (1 line less) keys, at the end of the pasted text, or the end of the last line above it.

If you use a smart phone, tablet, iPad, or e-book reader, consult the help file or user's guide for instructions on copying and pasting on those devices. If the device has a virtual key pad, or stylus, or allows fingertip manipulation of pages, it almost certainly allows copying of text from one place to another, on that device. If your device is part of a network of computers, and your device is able to join the network and share resources, you may be able to copy data on your device and paste it to a different computer, or hand held, on that network. See your IT guy about this and be sure to install anti-malware protection on your smart computing devices!

You can re-paste the same copied text until the "Clipboard," or text buffer has new data saved to it, or until the machine is rebooted or powered off. A machine that goes into Hibernation saves everything that was active in memory, including copied text (data). A machine that goes into Standby should also save copied text, but I wouldn't want to bet my life on that.

I hope this helps somebody who has heard about copying and pasting, but has never done it before. I hope that my use of technical computer terms isn't over your heads; it wasn't meant to be. I'm just trying to bring as many people up to speed as I can, to whatever level they are capable of understanding. I didn't always know this stuff. I learned it out of curiosity, then fascination.

Wait until you see the changes coming with Windows 8! People will use their fingers on a smart monitor screen to do what is now done with a mouse or touchpad.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
