beforeyoukillyourcomputer.com

Saving computers one at a time from their frustrated owners

Tag: Spam

We all know that spammers will do whatever it takes to find a way to send their advertisements and scams to potential victims. Spammers are circumventing the methods that services like Gmail, HotMail, and Yahoo use to stop automated spam, to the point that even legitimate users of these services are unwitting victims of anti-spam.

Larry Seltzer at eWeek posted a blog, “Spammers Sidestep SMTP,” about what happens when spammers start using free Web-based services such as Gmail, HotMail, and Yahoo mail systems to send spam. Seltzer suggests that new tests to check for “humanness,” or perhaps a change in how e-mail is sent and received, are potential solutions.

Full Story

A new bot can crack defenses erected by Microsoft to keep spammers from creating large numbers of accounts on its Live Hotmail service within seconds, a security researcher said Friday.

Dan Hubbard, vice president of security research at Websense, said the bot broke Live Hotmail’s CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) within six seconds, on average. CAPTCHA is the name given to the distorted, scrambled characters that many Web services require users to decipher and type in to create a new account; the tests are meant to block automated account registration by spammers and malware authors.

The bot, Hubbard acknowledged, is similar to one Websense uncovered in February.

“In the past, though, it was kind of questionable whether the CAPTCHA breaking was automated,” Hubbard said Friday, noting that there had been some evidence that spammers were paying people to decode and type in the CAPTCHA characters. “But the bot’s breaking [CAPTCHA] in six seconds, so it’s definitely automated.”

In a long post to the Websense blog Thursday, Sumeet Prasad — “our CAPTCHA expert,” said Hubbard — provided technical details of how the bot automatically registers Live Hotmail accounts and then immediately begins using those accounts to spew spam.

The bot’s total response time — how long it takes the program to grab a CAPTCHA image, analyze it and return with the correct code — is considerably shorter than that of earlier such bots, said Prasad in the blog.

One in every eight to 10 attempts to create a Live Hotmail account is successful, added Prasad, meaning that the success rate is 10% to 15%. However, the rate is actually meaningless, said Hubbard, since the bot will continue to try to create accounts using a predetermined list of account names until they’re all registered.

Copies of the bot are seeded on unsuspecting users’ PCs, said Websense, making it less likely that Microsoft will detect and stop the automated account registrations.

Free Web-based e-mail services such as Live Hotmail, Yahoo Mail and Gmail are favorite targets for spammers because the services’ domains can’t be blocked by blacklisting antispam tools, Hubbard said. “When Google, Microsoft and Yahoo [domains] are in the top 10 or top 20 spam domains, it’s hard to use reputation tools,” said Hubbard.

“You’re not going to block those [domains].”

Source

Spammers are using a sophisticated piece of software that can create thousands of Windows Live email addresses by cracking the protections designed to prevent the large-scale creation of fraudulent accounts.

According to security firm Websense, the bot is surreptitiously installed on the PCs of end users. It then establishes a connection to the registration page of the Microsoft-owned mail service. About a third of the time, the software is able to bypass the Captcha requirement through a process that researchers have yet to precisely figure out.

The executable software has already led to a surge of spam being sent from the Microsoft-owned service, said Dan Hubbard, vice president of security research at Websense. Its discovery comes a few weeks after the release of proof-of-concept code that defeats a similar Captcha used by Yahoo! Mail.

Free email services from Microsoft, Yahoo! and Google are rarely blocked by anti-spam products, making accounts on those services highly prized by spammers. In the past week or so, Websense antispam filters have gone from blocking fewer than 100 Windows Live accounts per day to a number that’s in the thousands.

“Some customers were actually flagging the mail as legitimate because it was coming from Microsoft Live,” said Hubbard. “Clearly, (spammers) are using the fact that (the services) are legitimate.”

Short for “completely automated public Turing test to tell computers and humans apart,” Captchas have emerged as a key barrier hindering scammers who want to create large numbers of fake online accounts. In some cases, Captcha-cracking has involved software that transmits the graphic to a third-party website that promises a visitor free porn in exchange for typing in the characters. Other times, programs using highly specialized heuristic algorithms try to guess the characters, based on the arrangement of the pixels.

“Captcha breaking has been one of the largest targets of malware operators for some time, even to the point that they will go and farm out the job to human beings,” said Adam O’Donnell, a research scientist at antispam company Cloudmark. “It’s that profitable.”

For years now, the forces of good and evil have been engaged in an arms race of sorts, in which new Captcha cracks beget stronger Captcha images, which in turn lead to more advanced cracks.

Hubbard said a Websense honeynet recently caught malware. When researchers installed it on a lab machine, they discovered that in addition to sending spam, it attempted to create the Windows Live accounts. The software cuts Microsoft’s Captcha image and sends it to a server controlled by the scammers. The server then sends the text contained in the image back to the infected PC. The answer is correct as much as 35 per cent of the time.

“We don’t know what the process is,” said Hubbard. One possibility is that there are human beings on the other end, but Hubbard is leaning away from that theory because it would require hundreds of people to make it work. It’s also possible the spammers have found a new type of Captcha-cracking software.

Besides being rarely blocked by spam filters, accounts with big email services are valuable to spammers for other reasons. For one, they’re free. And for another, the millions of other accounts held by legitimate users make it hard for the services to pinpoint mass mailers.

Don’t count on this cat-and-mouse match ending anytime soon.

Source

Spam is an annoyance most of us have just had to deal with on some level if we use email. As an IT Manager for a local company, I have dealt with spam at the prevention level as well as the user level, both with their own frustrations. Although, I must admit some level of satisfaction when able to block certain spam. Of course, that satisfaction is often short-lived and much like trying to keep your house dry by sitting on the roof holding an umbrella.

Why We Haven’t Stopped Spam

Opinion: Even very smart people are misinformed on this subject. Here’s a clue: If it were easy to fix, it would have been fixed already.

Several years ago when Bill Gates declared that the spam problem would be solved within two years, he appeared to be thinking of SMTP authentication as the heart of that solution. I wouldn’t have said what he said, but I was pretty optimistic too. Not anymore. The overwhelming power of inertia seems too much for any solution to take on. People just won’t stand for the inconveniences that fixing spam would bring.

Full Story and Source

Hackers have launched a widespread “pump-and-dump” stock spam campaign using PDF files, anti-virus researchers have warned.

In a change of tactics, the attackers have hidden the spam content within a PDF file instead of attaching an image file to plug the stock, according to a security advisory on the McAfee website.

The spammers are sending the PDF files with randomly generated subject lines, sender names and a blank message body.

The stock spam is believed to have been sent from Stration infected computers, as this attack is similar to the W32/Stration worm mass-mailing, which contained a number of PDF files, Nick Kelly, sustaining engineer at McAfee said.

“Spammers are struggling to find ways to fool spam filters and get their messages into people’s inboxes,” said Bradley Anstis, director of product management at Marshal.

“But, spammers believe many anti-spam solutions largely ignore PDF files, so they use them in an attempt to add credibility and legitimacy to their messages. We expect to see a lot more of PDF spam. This recent case is just the beginning.”

Source

It’s the biggest spam blast in the last year

A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today.

According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. “We’re seeing 50 to 60 times the normal volume of spam,” said Adam Swidler, senior manager of solutions marketing at Postini.

Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected — the password is included in the message to further dupe recipients — actually contains a variant of the “Storm Trojan” worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.

Irony, it seems, isn’t lost on the attackers. “This is really a self-fulfilling prophecy,” said Swidler, “by warning users about a worm attack to get them to click on a worm.” continue reading…

Dave Q. Lintard writes with a link to The Register’s coverage of a suit against the spammer that sued Spamhaus. e360 Insight, as the company is known, is accused of using a botnet and compromised headers to get their ‘advertising’ into the mailboxes of the claimant. These are also the folks that tried to get the Illinois courts to suspend Spamhaus’s domain registration when they wouldn’t play by e360’s rules. ‘e360 Insight sued Spamhaus after the anti-spam organisation blacklisted its domains over alleged spamming. In a default ruling made by an Illinois court in September 2006, Spamhaus was ordered to pay $11.7m in compensation to e360 Insight, pull the organisation’s listing, and post a notice stating that it was wrong to say e360 Insight was involved in sending junk mail. UK-based Spamhaus did not defend the case and the ruling was made in its absence.’

Source

There’s an interesting discussion going on over at Danah Boyd’s site about social network fatigue, or why people switch messaging technologies (in particular social networks) over time.

One view is that SPAM eventually overrides every technology, forcing people to move to something else. A commenter, JD, suggested that SPAM killed Usenet, Email, and IM, and even domain names (not sure about that one: phishing?). There is certainly merit to this viewpoint…it does seem that as time goes on SPAM just grows and grows…maybe we get tired not only of social networks but also of the signal/noise ratio of quality content on the medium.

I proposed another view, that isn’t necessarily opposed to the first one but isn’t quite as black/white. I think that SPAM does cause fatigue…but actually isn’t powerful enough to get us to switch technologies. I think usability has a lot to do with actual switching. Simply put, we message in the easiest way possible. continue reading…