Thursday, 20 December 2007

Survey finds half of spam is lottery scams


A Microsoft-commissioned survey conducted in several western-European countries has found that fifty percent of all spam received by participants is currently lottery scam spam. Three percent of respondents reported losing money to the scam in the past year.

Fourteen money mules arrested in Holland

Source: The Register

Dutch authorities have arrested fourteen people who were allegedly operating as money mules in relation to compromised bank accounts at ABN Amro. The money was forwarded to Russia and Ukraine.

Gartner Phishing Report 2007

Source: Gartner

A Gartner survey on phishing in the USA for the year 2007 has revealed a number of trends. 3.2 billion dollars were lost to phishing in the USA, slightly up from 2.9 billion last year. The average loss per incident dropped from $1,244 to $886, but the total number of incidents increased from 2.3 to 3.6 million. Most of that increase arose from higher success rates, rather than more phishing: 3.3% of phishing targets suffered financial loss in 2007, up from 2.3% in 2006. The major method of extracting funds was the debit or check card, accounting for 47% of incidents.

Tuesday, 18 December 2007

Commercial Bank Clients Spearphished

Source: The Register

A researcher from SecureWorks has uncovered a strain of malware being used in a highly targeted manner to compromise commercial clients of banks. The malware is capable of piggybacking a fraudulent wire transfer onto a legitimate Internet banking session. The software is custom built to interface with around twenty different banking sites.

China-based web exploits in progress


Finjan is warning of a sharp increase in malicious activity coming from China. Web exploits based on multiple redirects via scripts and IFRAMEs are being placed on compromised sites, with the "mothership" hosts registered under ".cn" domain names and hosted in China.

Saturday, 15 December 2007

The Cybercrime Economy


ZDNet has a feature article on the state of the malware economy, pointing out how mature the market for exploits and underground network services has become, even to the extent of having its own affiliate-model payments. The "Storm" botnet features prominently in this analysis. The article covers quite a lot of ground, and is worthwhile reading for anyone wanting an overview of cybercrime dynamics in 2007.

Postini spam report

Source: Google Enterprise Blog

Google/Postini have a report on the state of spam for 2007. Graphs show some interesting trends throughout the year in terms of messages vs bytes as spammers employed various tricks such as PDF and audio attachments. One graph showing virus attachments vividly demonstrates the intensity of "storm worm" activity around July and August.

Ipower accounts spread malware

Source: The Register

Another sophisticated and industrial-scale scheme for spreading malware has been uncovered. This one involved the compromise of thousands of web-hosting accounts at provider "", which were used to stealthily game Google search results on certain popular search terms, and then redirect visitors to malware-laden sites. The redirects only happened where visitors clicked through from Google: direct investigation of the links prompted a "404" response. (This stealth technique has been seen before: see this blog entry.)

Tuesday, 11 December 2007

Flirty chat-bot lures victims to malware


In a new twist, cybercriminals are using chat-bots to lure people to malicious web pages. From the linked article, "The software, dubbed CyberLover, is supposed to be able to conduct fully automated flirtatious conversations with users of chat-rooms and dating sites to lure them into a set of dangerous actions such as sharing their identity or visiting websites with malicious content."

Tuesday, 4 December 2007

TJX pays $41M for data breach

Source: The Register

TJX has settled with banks that were suing it, paying $41 million in damages. The settlement only relates to Visa cards; details of a settlement with MasterCard have yet to be disclosed. The case relates to a data leak which exposed around a hundred million credit and debit card details over the course of around seventeen months.

Saturday, 1 December 2007

Phishing tactics tweak: shorter domain names

Source: Frequency X

Frequency X reports that phishing gangs have recently made a shift towards shorter domain names in their phishy URLs, down from 30-37 characters to an average of 17. So whereas something like "" used to be common, they are now seeing names like "". The tactical shift is presumably an evasive manoeuvre on the phishers' part; it remains to be seen whether they stick with this strategy.

Google targeted for malware SEO

Source: SunbeltBLOG

A very large-scale search engine optimisation (SEO) campaign has been taking place against Google to promote malware-laden sites under a broad variety of common search terms. Since Sunbelt reported this outbreak, Google have taken action and removed the links, but there seems to be more on the way. The malware-laden pages use stealth techniques to foil the methods researchers commonly use to find such pages.

FBI "bot roast" nets eight crooks

Source: FBI

"Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers."