Is a response rate of 0.00001% good enough?

Researchers at the University of California, Berkeley and UC San Diego (UCSD) are reporting that spammers are turning a profit despite only getting one response for every 12.5 million emails sent. That translates into a response rate of circa 0.00001%. Most direct mail organisations would set the bar at 2% for a ‘good’ campaign.

There is no particular news in the revelation that the spammers live off the sheer volume of spam email. The researchers here were purporting to be a fake pharmacy, peddling a herbal remedy to boost libido. This is pretty much representative, so it does call into question just how profitable spam can be for them. It does bring to the fore the point that, even with spam, the laws of return on investment still apply. With such a low-margin business, they are susceptible to advances in new anti-spam and security software defences that would render current techniques and campaigns not worth their while. Or so we can but hope.

UCSD used some interesting tactics in their research. They managed to piggy-back on the ‘Storm’ network, which uses hijacked home computers as relays for spam. The ethics of this are open to debate, particularly when the researchers added another 469 million spam emails that the world need not necessarily benefit from.

Full details of the Symantec State of Spam report for November can be found here.

The Barack barrage

Today saw Barack Obama win the race for the White House. In the weeks leading up to yesterday’s polling day, we were able to watch how the ‘bad guys’ tried a whole slew of tactics to use the election for their own purposes. In our latest State of Spam report, we identify a couple of Barack Obama themed attacks that were used in October. We got to see a ‘Barackumentary’. Therein, the spammers offered a free DVD about Barack Obama; however, in order to receive the ‘free’ video, recipients were asked to provide personal credit card details to the sender. Regrettably, I am sure we can expect to see a lot of Barack Obama themed exploits in the weeks following his election and in the run-up to his swearing in as the 44th President of the USA.

Now, no sooner have the Beijing Olympics started to pass into memory than we start to see the London 2012 Olympics being exploited by the spammers. We detected a lottery scam around London 2012, wherein the recipient is informed they have won £950K. All they need do is contact the ‘paying agent’ and provide details to collect their ‘winnings’. And so, with that, the countdown to London 2012 begins in terms of scams and socially engineered malware attacks.

The state of Spam – September update

Symantec has released its latest ‘State of Spam’ report for September. As ever, it is a useful and insightful read. The overall percentage of email that we define as spam remains at over 80%. This has been consistent, if not annoying, for some time now. What we have seen increase this month is the percentage of spam emails that contained links to malware, designed to infect computers with viruses and trojans, rather than simply promoting a spam product.

The spammers plumbed new depths this month. There were emails sent to parents, declaring that the senders had kidnapped their children and that a ransom must be paid. As proof, they offered an attachment with a photograph of the child. Suffice to say, the attachment is bogus and contains malware. They were hoping that, in the panic of getting such an email, a parent would not think and would immediately click on the attachment. It is depressing and outrageous in equal measure.

The spammers are also picking on the challenging economic and employment climate to peddle their wares. Given the credit crunch and the rising cost of living, many people find themselves considering an additional part-time job to help make ends meet. We detected bogus recruitment ads this past month. The messages purported to come from an employer offering a part-time position whose compensation included many enticing benefits. To apply for the position, you had to click on a link, which led to an executable in which the malware resided.

If you have the time, take a look at the report. It will amaze you as to the audacity of the spammers and reinforce the scepticism you need when reading through your email.

Beware of the ‘antivirus’

As we approach this time of year, many security vendors refresh their products. We are in the process of finishing the BETA of our Norton Antivirus 2009 and Norton Internet Security 2009 products and getting ready to release them to market. Many of our competitors have launched, or are launching, their new products. So, in turn, this starts to get people thinking about ‘new’ security products.

The last few days have seen reports of ‘malvertizements’ that ultimately lead to fraudulent products. Newsweek.com is one of several high-profile websites suspected of running rogue banner ads that try to trick visitors into installing fraudulent anti-malware programmes. This opens up an interesting dimension. People implicitly expect and trust that website owners have vetted the people who place ads on their sites. The website owners do, but incidents like this point out that they are not infallible and need to do more.

The trick of the bad guys pretending to be an anti-malware utility or antivirus product has been around for some time. However, in recent weeks we have seen a number of examples of this resurface. Symantec’s security response blog has written about this.

What we have observed is a combination of attack elements being used in concert. First, a spam email with an Olympics-themed fake news story. The user is encouraged to click on a link; the link in turn asks the user to download ‘get_flash_update.exe’ or ‘get_flash_codec.exe’. These files then deliver one of a number of variants, one of which is a fake antivirus product: ‘Antivirus XP 2008’. A cursory glance would lead you to believe that it looks legitimate; it is far from that. Once it is installed, ‘Antivirus XP 2008’ basically gives false reports on the security of a system, claiming it has multiple threats running. The software interrupts the user constantly with popup messages, balloon reminders and such, asking the user to register to remediate the threats. The victim’s desktop background is changed to show a virus warning message. The goal of this threat is to get the victim to pay for what they think is a fully-functional legitimate security product, which of course it isn’t.

Now, you will think this blog to be pretty self-serving – guilty as charged! With many new (legitimate) antivirus products making their way onto the market, you need to be mindful. If you see something about some new product from someone you have not heard of, then do your homework: ensure they really are who they say they are.

Be alert to the ‘CNN Alert’!

Many of you may have received a SPAM email with the subject line “CNN Alerts: My Custom Alert”. This turned up in my personal email folder. It was a very authentic-looking email. I thought it clever as, whilst I do not use the CNN site on a regular basis, I have used it now and again. The interesting thing about this SPAM was that it did have a link to a legitimate CNN story about the discovery of the world’s smallest snake. Clicking on this would have given the email that feel of credibility. The malicious link still exists in the e-mail, but you must click the FULL STORY link to get there.

The ‘FULL STORY’ link leads to a botnet of compromised machines which host a page prompting the user to download an updated version of Video ActiveX Object. If you agree, you download ‘adobe_flash.exe’, which is detected by us here at Symantec as ‘Downloader’.

On your marks!

The Beijing Olympics start tomorrow. It is the world’s biggest sporting event of all time, and I am sure that it will not disappoint.

In winning the right to host the Olympics, Beijing outlined that it would harness the power of IT, and innovate around it, to bring the Games to new audiences. We will see a convergence of IT and Media on a scale not seen before. Many of the big Media companies and franchises have extensive plans to bring the Games to the ‘net in a big way. I know that many network administrators are bracing themselves for the impact of ‘streaming’ video of the Games – if they allow it on your corporate network. It will be interesting to see (or maybe not) what the strain will be on your ISP as well.

Where you have a mass audience connected to the ‘net, then in the shadows the ‘bad guys’ will be lurking. In the Symantec State of Spam report for August, we are already seeing spammers peddling their wares on the back of the Olympics. Symantec Security Response have already written up a blog on an attempted phishing attack, purporting to sell tickets for the Games. The creators of the site went to great lengths to make it convincing, even using an SSL connection, believe it or not.

So, get on your marks, get set, and it is ‘Go’ for no doubt many Olympic-related spams, phishing attempts, links to websites showing funny/curious videos of events at the Games, etc. So, I say “Citius, Altius, Fortius” to all of my colleagues in the IT security industry: keep you all safe, so that you can enjoy the Games.

Farewell Neosploit?

The past couple of years have seen a dramatic rise in the sheer number of pieces of malware out there on the internet, and hence in the associated attacks. One of the contributory factors to the dramatic increase in the volume of attacks has been the arrival of ‘do-it-yourself’ infection kits. One of the most infamous of these is Neosploit, but there are many others, such as Mpack, IcePack, Cyber Bot, Zunker, etc.

Neosploit allowed a budding ‘hacker’ to launch their own exploits and amass a sizable botnet. There were regular updates and even a user forum. However, the other day, a posting appeared on a Russian website announcing that the authors of Neosploit were going to retire the product. The translation in effect announced:

“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.
We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”

So, it seems that the authors of Neosploit just couldn’t make it work in a commercial sense. That got me thinking: why? Is it because coming up with new exploits is becoming more difficult, and hence more costly? I do not see any particular evidence of this. There are other tool-kits out there and many new exploits being developed all the time.

Could it be that they are being ‘boxed in’ by better security? Well, to be fair on this one, we are finding many more exploits, so this may not be the case. Is it that the market dynamics of the ‘underground economy’ ultimately played against them? Well, as in every efficient market, there have been new entrants and competitors to Neosploit who could compete with them on product and price. Therein may well be the answer.

So, farewell Neosploit, but there are other exploit tool-kits out there and no doubt, new ones will make it onto the ‘market’. 

You do not want this package

This month has seen a new twist on an old scam. There have been mass spam mailings with fake invoices. One version purports to inform you that you have a package, from one of the well-known next-day-delivery companies, that could not be delivered and was returned. A zip file is attached; you are asked to download it, print it out and then collect your parcel from your local office.

When you download and unzip the file, the malware is copied onto the system, replacing a Windows file that manages Explorer, the user interface and some other important processes. Additionally, it establishes a connection with a domain which has been used on some occasions by banker Trojans. From this domain it redirects the request to another domain in order to download a rootkit and a rogue antivirus.

So, you get a ‘package’ but not one you want nor expect!

D’oh! Homer falls in with the malware crowd

The malware guys have now roped Homer Simpson into spreading malware. It appears that, going back in time, there was an episode of ‘The Simpsons’ in which Homer’s e-mail address was given as “chunkylover53”. Prior to the episode’s airing, the address was registered by the production company and was then used to answer hundreds of e-mails from Simpsons fans.

In the past few days the ‘chunkylover53’ name has resurfaced, and it’s now being used to distribute a trojan disguised as a Simpsons movie file. If you get an email from Homer and his ‘chunkylover53’ email address, you will be invited to follow a link to a special exclusive episode of the show available for download. The link in the message leads to an executable file.

Upon launching the trojan, the user is presented with a fake error message, which is followed by several real error messages and, finally, a blank screen. Upon restarting, the system will run noticeably slower and be prone to crashes.

The other nasty in this attack is that, once the malware is delivered onto the PC, it includes remote control software which enrols the machine in a botnet. The botnet itself could easily be called on to launch another attack.

What is still unclear, and a matter for conjecture, is just how the bad guys got hold of the ‘chunkylover53’ email address.

Really, your face isn’t stupid

Spam is annoying. By our estimates, 80% of all email is now spam. As you’d expect, many people are now a lot smarter about how to filter out or completely ignore spam. This means that spammers are having to come up with new ways to approach us and get us to open emails and/or click on the attachments they carry.

Recent weeks have seen the spammers switch to insulting us to get our attention. There has been a flood of emails with a subject line of ‘Your stupid face’. Their intent has been to get us angry or curious enough to open the email and then click on the attachment purporting to show the user’s ‘stupid face’. The attachment is a ‘video.exe’ or something similar. If you click on it, you can be directed to a host which has the malware on it and, before you know it, you are infected with a bot.

This new genre of spam is being described as ‘spam slam’. So, if you see something like this in your in-box, don’t open or click on it: delete it. Even if you think your face is a bit stupid.
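The three lures described on this page (the ‘CNN Alert’ message leading to ‘adobe_flash.exe’, the ‘returned package’ invoice zip, and the ‘Your stupid face’ message with its ‘video.exe’) all rely on getting an executable onto the user’s machine by way of an email attachment or link. The script below is an added illustration of how a mail gateway or a personal filter can flag that pattern; it is not Symantec’s code or anything from the reports mentioned above. The subject-line patterns, file names and sample messages are constructed for the example, and the extension list is an assumption about what Windows runs directly rather than a vendor signature set.

```python
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes directly (assumed list for this example). The lures on this
# page ('adobe_flash.exe', 'video.exe', an invoice zip holding an .exe) all land here.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Subject-line lures drawn from the posts above. Constructed regexes, not a signature set.
LURE_SUBJECTS = [
    r"your stupid face",
    r"cnn alerts",
    r"package.*could not be delivered",
]


def _ext(name):
    """Lower-cased final extension of a file name ('invoice.pdf.exe' -> '.exe')."""
    return os.path.splitext(name.lower())[1]


def inspect_attachment(filename, payload):
    """Return the reasons one attachment looks like an executable lure (empty list if none)."""
    reasons = []
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment: {filename}")
        # 'photo.jpg.exe' style double extensions are a common disguise.
        if filename.lower().count(".") >= 2:
            reasons.append(f"double extension: {filename}")
    elif ext == ".zip":
        # The 'returned package' invoice zip: look inside for an executable.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for inner in zf.namelist():
                    if _ext(inner) in EXECUTABLE_EXTS:
                        reasons.append(f"executable inside zip: {filename} -> {inner}")
        except zipfile.BadZipFile:
            reasons.append(f"attachment named .zip is not a valid zip: {filename}")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return a list of findings (empty means nothing flagged)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    subject = str(msg.get("Subject", ""))
    for pattern in LURE_SUBJECTS:
        if re.search(pattern, subject, re.IGNORECASE):
            findings.append(f"lure subject matched /{pattern}/")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(filename, payload))
    return findings


def build_message(subject, filename, payload, maintype, subtype):
    """Constructed sample message with a single attachment, used only to exercise the scanner."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def package_sample():
    """The 'returned package' lure: an invoice zip containing an .exe (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ placeholder, not a real program")
    return build_message("Your package could not be delivered", "invoice.zip",
                         buf.getvalue(), "application", "zip")


def stupid_face_sample():
    """The 'Your stupid face' lure with a bare video.exe attachment (constructed)."""
    return build_message("Your stupid face", "video.exe", b"MZ placeholder",
                         "application", "octet-stream")


def clean_sample():
    """A benign message with a PDF attachment; should produce no findings."""
    return build_message("Meeting notes", "notes.pdf", b"%PDF-1.4 placeholder",
                         "application", "pdf")


if __name__ == "__main__":
    for label, sample in (("package", package_sample()),
                          ("stupid face", stupid_face_sample()),
                          ("clean", clean_sample())):
        print(label, "->", scan_message(sample) or "no findings")
```

Two design points worth noting. The scanner looks inside zip archives rather than trusting the outer extension, because the package scam puts the executable one layer down where a naive extension check never sees it. It also treats a subject-line match and an executable attachment as separate findings, so a message that matches only one is still surfaced for review rather than silently dropped; a gateway would normally quarantine on the attachment finding alone and use the subject match purely as corroboration.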
