March 12, 2012

Wiz's email spam & threat analysis for the week ending March 11, 2012

This past week I saw a significant drop in the amount of spam I received and a shift in the top category. For the first time in probably a year or more, Nigerian 419 scams topped the list for most spams received. Gone completely was any spam for fake casinos!

Second place went to replica Chinese watches that rip off legitimate name brands, like Breitling. This was closely followed by spam for fake pharmacies and bogus diplomas. Drugs bought from fake pharmacies, if they ever arrive, will do you no good and may actually harm you. Buying fake diplomas won't necessarily get you hired, but they will get you fired once your deception is discovered during routine background checks.

Runners-up in spam were Russian domains pushing counterfeit goods and drugs, work-at-home scams, weight loss pills, male enhancement, Cialis and Viagra, and three malware link scams.

The malware threats from last week were all fake Intuit invoices, with links to read invoices online. Those links all led to exploit attacks against browsers and their add-ons and plug-ins. If you clicked on a link in an email claiming to come from Intuit, scan your computer for malware Trojans and Bots. You can use a free 30 day trial copy of Trend Micro™ Titanium™ Internet Security, if you have nothing else that is current for virus detection.

The following represents my email totals and spam percentages by category. All results were obtained from MailWasher Pro, which I use to filter out spam before I download any incoming email to Windows Live Mail.

These spam statistics are derived from MailWasher Pro, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email: 450 (10 more than last week)
Good mail: 367 (340 last week)
Classified as spam: 83 (100 last week)
Percentage rated spam: 18% (22.7% last week)

Breakdown by category of spam

Nigerian 419 scams: 19% (4% last week)
Watches: 18% (13% last week)
Fake pharmacies: 17% (17% last week)
Diploma scams: 12% (17% last week)
Russian domain links: 9.6% (2% last week)
Cialis & Viagra: 7.3% (9% last week)
Work at home scams: 6% (5% last week)
Weight Loss HCG scams: 3.7% (4% last week)
Male Enhancement scams: 3.7% (1% last week)
Intuit fraud exploit links: 3.7%

I made the following additions or updates to my custom MailWasher spam filters:

No additions last week

The following (single or wildcard) email addresses were added to my MailWasher Blacklist:

None added

About MailWasher Pro
MailWasher Pro is a POP3 and IMAP email client spam filter. I publish filters for both the old and new versions of MailWasher Pro; however, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.

News: MailWasher Pro is once again offering lifetime licenses, covering three computers. You should try it out and see how it works for you in reducing spam in your desktop email client's inbox.


March 6, 2012

Deadline for cutoff of DNS Changer infected PCs extended until July 9, 2012

On February 14, 2012, I wrote a blog article alerting my readers about the pending cutoff date of March 8, 2012, for Internet access for computers infected with the DNSChanger malware. The title told it all: "PCs infected with DNS Changer to lose Internet connections on March 8, 2012." I learned today (March 6) that a Federal Court has granted the FBI's request to extend the cutoff date until July 9, 2012 (Read PDF of Court Order).

When I published my article there were still an estimated 400,000 PCs in the USA infected with this malware. Many of these infected PCs belong to Fortune 500 companies and even parts of the US Federal Government, and millions more are still infected around the world. This extension of the cutoff date is to allow more time for the large entities in business and Government circles to search for and disinfect their compromised computers. It is a monumental task, and many companies have already stretched their IT personnel and budgets to the limit sniffing out any infected machines on their premises.

It was back in early November, 2011, that the FBI filed an indictment against an Estonian crime gang whose members were accused of creating and operating the "DNS Changer" malware and botnet. Search and seizure warrants were obtained and the servers being used by the criminals running this enterprise were seized and taken offline. The named suspects have been arrested and are awaiting extradition, or have already been extradited to the USA, to face charges in a US Federal Court.

But, there was a downside to this victory. Innocent victims were unknowingly having all of their Internet connectivity routed through those "rogue" DNS servers that were taken down by the FBI and DOJ.

The computers and routers that had been infected with the DNS Changer malware were instructed by the Trojan to obtain all of their Internet access by going through one of the command and control servers that were taken down by the FBI. When the servers were disconnected, so was Internet access for all infected machines!

In order to minimize damage to those machines, a judge ordered a New York hosting company to take over supplying IP connectivity to those infected PCs and routers. All requests from the "infectees" were rerouted to these interim servers, allowing the owners of the infected machines to happily go about their web browsing, online banking, auctioning, emailing, FTP-ing and IM-ing. Further, the Court set a cutoff date of March 8, 2012 for the company assigned to act as go-between for the infected machines.

In the meantime, ISPs and IP connectivity providers were notified about the IP addresses found in the log files of the seized malware servers. Owners of infected machines and routers were and still are being identified and being contacted by their ISPs or connectivity providers. It has been discovered that this process is taking much longer than anticipated when a Federal Court assigned a March 8, 2012 cutoff date for the handling of requests from the infected machines.

You can get more details in my previous blog article about the DNS Changer malware, how it affects computers and routers and links you can use to check if your systems have become compromised by this malware.

One final word: Now that we have been granted another 4 months to discover infected computers and routers, let's get to work doing so. I have checked my DNS servers and found them to be correct and clean. You can check your DNS servers here, if you are English speaking. There are equivalent DNS checking services in other languages, like http://dns-ok.de/ for German speaking Netizens.

Keep your Windows PCs patched via Windows Updates and your anti-virus software up to date with daily definitions updates. Scan for threats every night, before shutting down your PC, or yourself ;-). One of the symptoms of a DNS Changer infection is that Windows Updates and anti-virus programs get turned off. If you find that you cannot access Windows Updates or update your security programs, contact a competent computer technician or computer troubleshooter.
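For readers who would rather check their resolver settings from the command line than through a web page, here is an added Python example; it is not part of the original post and is not the checking site linked above. It pulls the configured DNS servers out of "ipconfig /all" output (Windows) or /etc/resolv.conf (Linux, Mac) and reports any that fall inside a list of rogue resolver ranges. The ranges in the script are RFC 5737 documentation addresses used as placeholders; the actual DNS Changer resolver ranges published by the FBI and the DNS Changer Working Group would go in their place. The ipconfig text is constructed for the example.

```python
import ipaddress
import re

# PLACEHOLDER ranges: RFC 5737 documentation networks, used only so the
# example runs offline. Replace with the published DNS Changer resolver
# ranges before using this on a real machine.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def resolvers_from_ipconfig(text):
    """Pull DNS server addresses out of 'ipconfig /all' output (Windows).

    The 'DNS Servers' line carries the first address; any extra servers
    follow on their own indented lines, so keep reading while a line is
    nothing but an address.
    """
    found = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.lstrip().startswith("DNS Servers"):
            found.extend(IPV4.findall(line))
            i += 1
            while i < len(lines) and IPV4.fullmatch(lines[i].strip()):
                found.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return found


def resolvers_from_resolv_conf(text):
    """Pull DNS server addresses out of /etc/resolv.conf (Linux, Mac)."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def rogue_resolvers(resolvers, rogue_ranges=ROGUE_RANGES):
    """Return the configured resolvers that fall inside a rogue range."""
    flagged = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip anything that is not an IP address
        if any(ip in net for net in rogue_ranges):
            flagged.append(addr)
    return flagged


# Constructed sample, shaped like the DNS section of 'ipconfig /all'.
# 192.0.2.53 sits inside a placeholder "rogue" range; 10.0.0.1 does not.
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    servers = resolvers_from_ipconfig(SAMPLE_IPCONFIG)
    bad = rogue_resolvers(servers)
    print("Configured resolvers:", servers)
    print("Rogue resolvers:", bad or "none")
```

To check a real Windows machine, save the output of "ipconfig /all" to a file and pass its contents to resolvers_from_ipconfig instead of the sample. Remember that DNS Changer also altered router settings, so a clean PC that gets its resolvers from an infected router will still show rogue addresses here.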


March 5, 2012

Adobe quick-releases a critical Flash Player update on March 5, 2012

It was just 20 days ago, on Feb 14, 2012, that Adobe Systems released a critical update for their Flash Player, which I blogged about here. That version was 11.1.102.62, for Windows, Mac, Linux and Solaris operating systems. Today, March 5, 2012, they released another unexpected critical patch, version 11.1.102.63, for the same systems.

Android smartphone users who have Flash installed also have upgrades waiting, to version 11.1.111.7 (Android 2.x and 3.x) or 11.1.115.7 (Android 4.x), respectively.

The previous patch fixed 7 security vulnerabilities, one of which was being exploited in the wild in February. This latest update patches 2 more newly discovered vulnerabilities (CVE-2012-0768 and CVE-2012-0769), which they claim are not yet being exploited by web browser attack kits. That is bound to change in a few days.

The first newly announced vulnerability allows an attacker to take over control of a user's computer or smartphone via a memory corruption attack against a component of Flash known as Matrix 3D. The second vulnerability in Flash Player allows a hacker to steal sensitive information from a victim's computer or smartphone.

While the Adobe Priority table says users should apply the new patches within 30 days, I recommend you do it as soon as you read this. Exploit kit writers are not going to wait 30 days to go after unpatched computers or smartphones. If you have Flash on a computer, visit the Adobe Flash Download page and download one version of Flash for Internet Explorer and another if you use Firefox or Safari browsers.

Mac users should visit the Adobe Flash download page for other systems and browsers. Apple itself does not support Adobe Flash.

Google has released a new version of the Chrome browser, which has an embedded version of Flash. To upgrade, open Chrome, click the Settings wrench icon at the upper right of the browser, then click "About Google Chrome." If the update has not already been installed, it will begin downloading as you open the About Chrome box.

You will have to restart your browsers for the upgrades to take effect. This goes for most plug-ins like Flash. After restarting them, go to the About Flash page and verify that you have the most current version for your browser and operating system. Your installed version is displayed above a table on the page, which lists all current versions of Flash, by operating system.

Android smartphone users must use their Android phones to browse to the Android Marketplace where they can get the new version of Flash installed.

I cannot stress enough the importance of keeping the software used by your browsers updated. Criminals pay talented but unscrupulous programmers to research published vulnerabilities and write code to attack the browsers of people who are lured to attack servers by spam links. Victims get drafted into criminal and spam botnets and very often have bank-account-stealing Trojans installed as well. Further, their infected devices are used in distributed denial of service (DDoS) attacks on targets who have incurred the wrath of the criminal elements renting those botnets.

With so many threats in the wild and new ones being discovered every month or more often, it is hard to keep up with all of the updates to the various software applications that connect to the Internet via a browser, email client, instant messenger, Facebook, whatever. You need to remain concerned and stay aware of threats that are either loose in the wild or about to be exploited. When you learn that Adobe has released a new version of something, check your computers to see if you have a previous version installed. If so, update everything out-dated to the latest versions.

Maintain a good line of self defense for your computers and smart devices by installing automatically updated security software. I use and recommend Trend Micro and Malwarebytes Anti-Malware. Whatever brand you choose, make sure that if it has an annual subscription, you keep your subscription active. An expired security program is like a sleeping doorman: no protection to speak of.


March 4, 2012

Wiz's email spam & threat analysis for the week ending March 4, 2012

This past week saw some changes in position in the main categories of spam and in the threats contained in some of them. There were far fewer malware messages than usual. Diplomas, drugs and casinos filled the top categories, with the percentages listed further down this article.

First off, I will detail the malware threats I captured this week. There was one scam spoofing an Intuit QuickBooks update; it contained a hostile link to a malware exploit kit. I saw one each of a fake Facebook friend request and a fake map to a meeting scam, with a link leading to the same Blackhole Exploit Kit as the Facebook scam. One email scam claimed my credit card was blocked and invited me to open the report in the .htm attachment. Another claimed I had a DHL package that couldn't be delivered because the address was wrong. Like the fake credit card message, it contained a malicious JavaScript redirect and iframe load in the attached .htm file.

The danger lies in opening those .htm attachments, which some of the messages tell you are Internet Explorer files. When you open those files, the JavaScript code inside them is executed immediately and you are attacked silently. If your computer has an unpatched, vulnerable version of Java, Adobe Reader or Flash installed, your PC will become botted and a copy of the Zeus banking Trojan will be installed.
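A safe way to triage such an attachment is to read it as text rather than open it in a browser. The following Python script is an added example, not code from the original post: it parses an .htm file with the standard library's html.parser and reports the traits described above, namely script blocks that rewrite the page location, hidden or one-pixel iframes, and meta refresh redirects. The sample attachment is constructed for the example and its hostname is a placeholder, not a real indicator.

```python
import re
from html.parser import HTMLParser

# Script fragments that usually mean "send the visitor somewhere else the
# moment the file opens", or that hide what the script really does.
REDIRECT_PATTERNS = [
    re.compile(r"(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I),
    re.compile(r"location\.(?:replace|assign)\s*\(", re.I),
    re.compile(r"\bunescape\s*\(", re.I),
    re.compile(r"document\.write\s*\(", re.I),
]


class AttachmentScanner(HTMLParser):
    """Collect script blocks, iframes and meta-refresh tags from an .htm file."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.iframes = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(attrs.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # html.parser delivers the body of a <script> element through handle_data
        if self.in_script and self.scripts:
            self.scripts[-1] += data


def hidden_iframe(attrs):
    """An iframe sized to a pixel or styled invisible has no place in an invoice or report."""
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = width in ("0", "1") or height in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html_attachment(html):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    parser = AttachmentScanner()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        for pat in REDIRECT_PATTERNS:
            if pat.search(script):
                findings.append("script redirect/obfuscation: " + pat.pattern)
                break
    for attrs in parser.iframes:
        if hidden_iframe(attrs):
            findings.append("hidden iframe -> " + (attrs.get("src") or "?"))
    for content in parser.meta_refresh:
        findings.append("meta refresh -> " + content)
    return findings


# Constructed sample in the style of the "blocked credit card" attachment
# described above. The hostname is a placeholder (.invalid TLD), not an IoC.
SAMPLE_ATTACHMENT = """<html><head><title>Credit Card Report</title></head>
<body>
<p>Please wait while your report is loading...</p>
<script type="text/javascript">
window.location = "http://EXAMPLE-PLACEHOLDER-HOST.invalid/report.php";
</script>
<iframe src="http://EXAMPLE-PLACEHOLDER-HOST.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_ATTACHMENT) or ["no findings"]:
        print(finding)
```

Run it against a saved attachment with scan_html_attachment(open(path, encoding="utf-8", errors="replace").read()). Heavily obfuscated scripts will only trip the unescape or document.write patterns; any script at all in a file that claims to be a report or invoice is reason enough to delete the message.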

Last, there were 2 scams spoofing BBB complaints against me. Sadly, for anybody fooled into clicking on the links, to read the "COMPLAINT REPORT" - they got JavaScript redirected twice, ending up at, you guessed it: the Russian Blackhole Exploit Kit.

Here then are the details about this past week's spam percentages, listed by category.

These spam statistics are derived from MailWasher Pro, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email: 440 (just 4 fewer than last week)
Good mail: 340 (332 last week)
Classified as spam: 100 (112 last week)
Percentage rated spam: ~22.7%

Breakdown by category of spam

Diploma scams: 17% (5.3% last week)
Fake pharmacies: 17% (20.5% last week)
Watches: 13% (8.9% last week)
Casino: 11% (18.7% last week)
Cialis (fake): 9%
Work at home scams: 5%
Nigerian 419 scams: 4%
Weight Loss HCG scams: 4% (2.7% last week)
Russian pharmacies: 3%
Viagra (fake) spam: 3%
Russian domain links: 2%
BBB fraud link: 2%
Other fraud exploit links: 4%
Other miscellaneous types of spam (1% each): 6% (11.75% last week)

I made the following additions or updates to my custom MailWasher spam filters:

Diploma Spam [Body (plain text and RegExp)],
Fake Query String in Link,
Known Spam Subjects #4,
Work At Home Scam #1, #2 and (new filter) #3,
Watches (Replicas),
New Filter: Credit Card Locked Scam
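To show how custom filters of the kind named above turn a mailbox into the category breakdowns in these weekly reports, here is an added Python example. It is not the blog's MailWasher filter set; the regular expressions are my own guesses at what rules with those names might look like (in particular, "Fake Query String in Link" is assumed to mean a link whose query string is one long random token), and the mailbox is constructed for the example. Each message is classified by the first rule that fires, and each category's share of the spam is computed the way the breakdown lists above express it.

```python
import re
from collections import Counter

# Hypothetical filter rules: (category, which part of the message to examine,
# compiled regular expression). These are the author's assumptions, not the
# blog's actual MailWasher filter definitions.
RULES = [
    ("Diploma scams", "body",
     re.compile(r"\b(?:diploma|degree)s?\b.*\b(?:no (?:classes|exams|study)|life experience)\b",
                re.I | re.S)),
    ("Watches", "body",
     re.compile(r"\breplica\b.*\b(?:rolex|breitling|omega|watch(?:es)?)\b", re.I | re.S)),
    ("Work at home scams", "subject",
     re.compile(r"\b(?:work|earn|make money)\b.*\b(?:from|at) home\b", re.I)),
    ("Fake pharmacies", "body",
     re.compile(r"\b(?:online pharmacy|no prescription)\b", re.I)),
    ("Fake query string in link", "body",
     # a URL whose query string is nothing but a long alphanumeric token
     re.compile(r"https?://[^\s\"'<>]+\?[A-Za-z0-9]{12,}(?:[\s\"'<>]|$)")),
]


def classify(message, rules=RULES):
    """Return the category of the first rule that fires, or 'Good mail'."""
    for category, field, pattern in rules:
        if pattern.search(message.get(field, "")):
            return category
    return "Good mail"


def breakdown(messages, rules=RULES):
    """Tally categories and compute each category's percentage of the spam."""
    counts = Counter(classify(m, rules) for m in messages)
    spam_total = sum(n for cat, n in counts.items() if cat != "Good mail")
    percentages = {}
    if spam_total:
        percentages = {cat: round(100.0 * n / spam_total, 1)
                       for cat, n in counts.items() if cat != "Good mail"}
    return counts, percentages


# Constructed sample mailbox: six spams and two legitimate messages.
SAMPLE_MESSAGES = [
    {"subject": "Get your Diploma now",
     "body": "Obtain a diploma based on your life experience, no classes."},
    {"subject": "Bachelor degree fast",
     "body": "A degree in 2 weeks, no exams required."},
    {"subject": "Luxury timepieces",
     "body": "Replica Breitling watches at 90% off."},
    {"subject": "Work from home, earn $5000 a month",
     "body": "Send us your details."},
    {"subject": "Your order",
     "body": "Cheapest online pharmacy, no prescription needed."},
    {"subject": "Invoice attached",
     "body": "View it at http://example.invalid/view?kq8Hd7XmQp2rLw9"},
    {"subject": "Meeting moved", "body": "Can we do 3pm instead?"},
    {"subject": "Re: quote", "body": "Thanks, the revised quote looks fine."},
]

if __name__ == "__main__":
    counts, pct = breakdown(SAMPLE_MESSAGES)
    for category, n in counts.most_common():
        share = f" ({pct[category]}% of spam)" if category in pct else ""
        print(f"{category}: {n}{share}")
```

Rule order matters: a message is counted once, under the first rule it matches, which is why the breakdown percentages in the reports above always total 100%.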

The following (single or wildcard) email addresses were added to my MailWasher Blacklist:

None added

About MailWasher Pro
MailWasher Pro is a POP3 and IMAP email client spam filter. I publish filters for both the old and new versions of MailWasher Pro; however, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.



About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.