Antispam Deals


You finally have your new computer and your internet account, and you are ready to log in to the World Wide Web.

Spam is definitely a major concern. Spam will not usually harm your computer; however, it can track all of your internet activities.

The biggest concern is the new breed of spammers. The new spammers and hackers build your trust first and usually ask you to do something like reply to the email.

Below is an article from Brian Grow (BusinessWeek Online)

Phisher Kings Court Your Trust

Computer-based fraudsters are finding new ways to trick people -- not technology -- to get the information they seek

"Lawsuit against you," reads the subject line in an e-mail that hit thousands of in-boxes around the world last month. In flawless legalese, the message warns recipients that they recently sent an unsolicited fax to the sender's office. Citing U.S. civil code, its prohibition on sending junk faxes, and an actual $11 million settlement by restaurant chain Hooters, the missive threatens a lawsuit over the alleged junk fax.

"If you do not pay me $500 by the deadline for payment, I intend to sue you for violating the Telephone Consumer Protection Act," it reads. "If you force me to sue, I will not settle for less than $1,000." Details of the alleged lawsuit are contained in the document attached to the e-mail.

In today's litigious -- and digital -- society, being notified of a lawsuit via e-mail might not seem too unusual, right? Gotcha! The e-mail is a scam that preys on deep-seated fears of being hauled into court. Its target: unlucky recipients who may indeed be among thousands of companies that send junk faxes.

SPAM SANDWICH. The attachment -- labeled lawsuit.exe -- is a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs, and then swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a Paris Hilton sex video, to friends and associates.

"This is one of the most innovative ideas used by spammers to target unsuspecting users," says Govind Rammurthy, chief executive of computer security firm MicroWorld Technologies, which sent out a warning about the lawsuit.exe scam in March.

As Web-based scams proliferate, it's often psychological cunning, deployed on top of surreptitious code, that is the secret to cyber-criminals' success. Like traditional con men on the street, Internet fraudsters need a never-ending supply of ways to convince victims to trust them -- to open an attachment, click a link, or innocently enter personal data on a Web page.

IN YOUR HEAD. Overpowering instincts, rather than firewalls, is the surest means, say analysts, to pickpocket personal identities and online bank accounts. "You can't install a software patch for a person's mind," says Barry C. Collin, chief executive of cyber-security consulting firm Threat and Risk Associates.

In fact, security analysts say hackers are spending serious effort in researching the psychological vulnerabilities of potential targets. Security firm TrendMicro's director of global education, David Perry, says they watch news headlines for poignant world events and often review the success of an attack by reading press releases and corporate warnings, in order to tweak the next attack for greater effectiveness.

Hackers also look for situations of confusion to exploit, such as a corporate merger. For example, at Vigilar's Intense School in Ft. Lauderdale, Fl., where they train people in ethical hacking to help fortify digital defenses, they use a bogus e-mail from someone pretending to be a helpdesk employee trying to verify account data for a database that is being combined in the wake of a merger.

TRUST ME.... "There is a lot of implied trust that you can manufacture -- and exploit," says Ralph Echemendia, an info-tech security instructor at Vigilar's. Echemendia used the 2004 merger of Wachovia and SouthTrust as a model to deploy the script and tap merger chaos.

Analysts say phishing attacks also often spike after a data security breach hits news headlines. The reason: Customers are already anticipating a potential request to update account data and monitor credit reports.

"It makes them more vulnerable to psychological scams," says Herbert H. Thompson, chief security strategist for Security Innovation.

ONE-TWO PUNCH. Take the case of a phish targeting Citibank customers this year. To build trust, it operates in two phases, say analysts. First, an e-mail purportedly from Citibank warns that customer accounts may have been compromised in a previous scam. But it doesn't ask for personal information.

Instead, the scam requests an e-mail address, just in case the victim's account is found to be hacked. Then, later, a second phish is sent out warning that, indeed, the account has been compromised -- and requests an update of financial details.

"Trust was built in the first step. Then, in the second step, they asked for confidential information," says MicroWorld's Rammurthy, who estimates some 60% of victims who received the second e-mail provided personal and financial data.

Indeed, with overall returns from phishing attacks falling, Web criminals are succeeding in finding novel new ways to convince users to open documents or click links that download data-stealing software onto PCs. Instead of directly asking the user to enter personal data into a fake Web site, cyber-criminals are embedding code into fake news articles or business-oriented "requests for proposals" which, when opened, install a backdoor into the PC, then log keystrokes. Russian security firm Kaspersky Lab estimates the use of data-stealing code designed specifically to steal financial information, known as Trojans, rose 402% in 2005.

SHARING THE STEALTH. The upshot: Fewer people are, themselves, coughing up personal info, but fraud losses continue to climb. A 2005 survey by Gartner found that just 2.5% of phish recipients responded with personal or financial information, down from 3% in 2004. But fraud losses connected to the theft of such information off the Web still rose from $690 million in 2004 to $1.5 billion last year. "If I'm a scammer, I have to do something that will make you trust me," says John Pescatore, senior vice-president of Internet security at Gartner.

Law enforcement agents say that while the thinking behind cyber-scams is not much more complex than age-old cons run by offline grifters, it's clear cyber-criminals are pooling their brainpower to devise new techniques. A DVD available in foreign black markets called "Hacker's Handbook" contains scores of tips on how to trick victims, according to Trend Micro's Perry.

Former hacker Kevin Mitnick, who now runs his own security consulting firm, hosts a two-day "social engineering" conference for clients that includes sessions entitled "Bugs in the Human Hardware." At hacker sites such as mazafaka.ru and astalavista.box.sk, criminals often share ideas on how, for example, to exploit new state laws in the U.S. requiring firms to issue warnings when customer databases have been hacked.

ROYAL SCAM. Some scam artists still plot the old-fashioned way: by holding physical court. Law enforcement agents say Nigerian fraudsters often gather in Internet cafes in the country's capital, Lagos, to concoct the newest bait.

Famous for pioneering so-called 419 letters -- pleading e-mails from bogus foreign businessmen seeking to move money out of their country by tapping U.S. victims' bank accounts -- the Nigerian scammers are now establishing romantic relationships in online dating Web sites in order to dupe lonely love interests into giving up financial information.

"It's group brainstorm," says Gregory S. Crabb, a senior investigator for the U.S. Postal Inspection Service in Washington, D.C., who has hunted cyber-criminals around the world.

CHEAP THRILLS. Hackers are even finding ways to take the pain out of writing malicious code, a move that may enable more concentration on upgrading the psychology of the cyber-scam. On Mar. 24, security firm Sophos said it had discovered a Russian Web site selling a spyware kit called WebAttacker for less than $20. The pre-fab software downloads a program that tries to turn off PC firewalls, then installs a keystroke-logging device.

Already, it has been spammed-out via e-mail touting news stories about bird flu and the recent death of ex-president of Serbia, Slobodan Milosevic. The technical skills required to be a cyber-criminal have been removed as an entry-level barrier. "In order for the cyber-crime business to continue, it is going to rely more and more on social engineering," says Ron O'Brien, senior security analyst at Sophos. (end of article)

What is Spam?

Spam is unsolicited email, not unwanted email. If you have signed up for an email list and receive an email, that is not spam. If you unsubscribe from that list and continue to receive emails, then that becomes spam. While spam is annoying, it is generally not dangerous to you or your PC. In January of 2004 the federal CAN-SPAM law took effect with broad-reaching requirements and penalties. Tip: if you see a company name and address at the bottom of an email, that generally means you can use the remove link and it will be honored, as they are following the CAN-SPAM law. If you do not see an address and only a remove link, then it is not a good idea to use that link, as that would indicate a live email address to the spammers.

How Are Spammers Getting Your E-mail Address?

Spamming companies have various methods of obtaining your e-mail address. More than 90% of spam is delivered to e-mail addresses taken from public websites. Anytime you enter your e-mail address to gain access to a website, it is vulnerable to spam. Similarly, whenever an e-mail address is used to participate in a newsgroup or web-based discussion group, spammers can easily obtain it.

Unauthorized sales of your e-mail address by companies from whom you recently purchased products or services also play a large part in the spam epidemic. Although the majority of websites adhere to an “opt out” policy that allows you to prevent distribution of your e-mail address, not all websites respect consumers’ privacy.

Some spammers also obtain e-mail addresses through trial and error. Spammers use computer programs to randomly generate e-mail addresses using a variety of letter and number combinations. Eventually, a given combination will produce live addresses, and those e-mail users will receive spam.

What Can You do to Stop Spam?

There are several steps that you as a consumer can take to stop spam. One of the most effective methods is to use “spam blocking” software provided by many Internet service providers. In many instances, consumers can obtain these tools at no additional cost.

Other alternatives include writing the postmaster affiliated with the domain owner (such as aol.com or yahoo.com) to object to the receipt of spam. Typically, the postmaster’s address can be found at the bottom of the e-mail, or you may try: postmaster@domain.com, admin@domain.com, or webmaster@domain.com. In many cases, the postmaster may not be aware of the spam being sent from its server.

Setting up multiple free e-mail accounts is also an alternative. Many providers will allow you to set up a web-based e-mail address from which you can send and receive e-mail without having to use a dedicated e-mail application such as Outlook or Eudora. This will allow you to use one e-mail account as your “junk e-mail” account.

What is the Government Doing to Stop Spam?

Congress, the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC) are taking a variety of steps to limit spam.

On January 1, 2004, the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003” (CAN-SPAM Act) took effect. This new law set out three requirements that commercial e-mail senders must follow. The first provision, requiring labeling, stipulates that every unsolicited e-mail must be clearly identified as a solicitation or advertisement. The second, offering an opt-out option, provides that commercial e-mail senders must allow an easy and legitimate way for recipients to opt out of the sender’s future e-mails. Lastly, the return address provision requires that unsolicited e-mails contain a legitimate return e-mail address, as well as the sender’s postal address.

The CAN-SPAM Act requires the FTC to issue regulations “defining the relevant criteria to facilitate the determination of the primary purpose of an electronic mail message,” and the FTC recently sought public comment on this issue. The FTC’s efforts will help determine which unsolicited commercial e-mail messages can be regulated. The FTC also sought comment on the possible establishment of a National “Do Not E-mail” registry, which would function like the National “Do Not Call” list.

The FCC is also considering regulations to cut back on unwanted e-mails. Specifically, the FCC is in the process of establishing rules that will protect consumers from the costs and inconveniences that result from unwanted commercial messages sent to wireless devices. The FCC recently sought comment on various methods of allowing consumers the ability to block wireless spam. Once comments are received, the FCC will complete the rulemaking process to further the objectives of the CAN-SPAM Act. (end of article from the 6 star team)

One particularly nasty variant of email spam is sending spam to mailing lists (public or private email discussion forums). Because many mailing lists limit activity to their subscribers, spammers will use automated tools to subscribe to as many mailing lists as possible, so that they can grab the lists of addresses, or use the mailing list as a direct target for their attacks.

What to do and how to stop (or minimize) it

  • Keep at least two email addresses:
      • One for signing up (a throw-away address). Use disposable addresses for risky activities, like signups for newsgroups and newsletters. Throw away your throw-away address every month or two. Don't be tempted to use it for communicating with any real person.
      • One for family. Make the family email only for close friends and family. Guard it with your life.
      • One for customers, if required. Put the customer email address on your business cards and give it to acquaintances, but never publish it on the web in plain text.
  • Never publish your email address in plain text on the web! Use an email encoder, such as the one at http://thespameater.com/emailencoder.html?r=0
  • Use a CGI form-mailer on your website. Your address is hidden inside the CGI script on your web server. This makes it impossible for spammers to harvest.
  • Choose a user name that is not likely to be in a spammer dictionary. For example, _don't_ use "jsmith@mydomain.com"! Use something more creative: "j.smith.parachuting@mydomain.com".

Should I hit "remove"?

A lot of the spam that we get and that people write to us about comes with instructions on how to "remove yourself from our list". Yet, more often than not, the remove instructions don't work. Why is this? Basically, you've just experienced what many call "rule #1": Spammers lie.

Remove lists don't work. In most cases you have just verified that you have a valid e-mail address, so they put it on the premium CD and sell it to the next spammer for even more money. The end result is that you can then get lots of spam instead of a little.

Some potential Spam indicators

  • The “From” line is ambiguous, does not clearly identify the sender of the e-mail and is most likely not a valid return e-mail address.
  • The “Subject” line is misleading and does not make it clear that the e-mail is a commercial advertisement.
  • Message text is not consistent with the “Subject” line of the message.
  • Message does not provide a valid postal address as a way for the recipient to contact the sender.
  • Message does not provide any way for the recipient to decline to receive further commercial e-mail from the sender.
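
The indicators above that can be checked mechanically, as an added Python example that is not part of the original article. The indicator names, the regular expressions (including the US-style postal address pattern) and both sample messages are constructed assumptions; the second indicator, a misleading subject line, needs human judgement and is left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Assumption: a postal address looks like "<number> <street>, <city>, <ST> <ZIP>".
POSTAL_RE = re.compile(r"\d+\s+[\w .]+,\s*[\w .]+,\s*[A-Z]{2}\s+\d{5}")
OPTOUT_RE = re.compile(r"unsubscribe|opt[ -]?out|remove me", re.I)
WORD_RE = re.compile(r"[a-z]{4,}")


def text_body(msg):
    """Join the text parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_maintype() == "text")


def spam_indicators(raw):
    """Return the (hypothetical) indicator names that a raw message trips."""
    msg = message_from_string(raw)
    body = text_body(msg)
    hits = []
    # "From" must name a sender and carry a syntactically valid address.
    name, addr = parseaddr(msg.get("From", ""))
    if not name or not ADDR_RE.match(addr):
        hits.append("ambiguous-from")
    # Crude consistency check: no subject word of 4+ letters appears in the body.
    subject_words = set(WORD_RE.findall(msg.get("Subject", "").lower()))
    if not subject_words & set(WORD_RE.findall(body.lower())):
        hits.append("subject-body-mismatch")
    if not POSTAL_RE.search(body):
        hits.append("no-postal-address")
    # Either a List-Unsubscribe header or opt-out wording in the body counts.
    if not (msg.get("List-Unsubscribe") or OPTOUT_RE.search(body)):
        hits.append("no-opt-out")
    return hits


# Constructed sample: modelled on the "Lawsuit against you" subject line.
SUSPECT = """\
From: legal-dept
Subject: Lawsuit against you

Open the attached document for full details. Payment is due by the deadline.
"""

# Constructed sample: a labelled commercial mailing with address and opt-out.
NEWSLETTER = """\
From: Acme Garden News <news@acme-garden.example>
Subject: Spring planting advertisement: seed offers
List-Unsubscribe: <mailto:leave@acme-garden.example>

Advertisement: our spring seed offers are in stock.
Acme Garden, 100 Main Street, Springfield, IL 62701
To unsubscribe, reply with the word "remove".
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("newsletter", NEWSLETTER)):
        print(label, spam_indicators(raw))
```

A clean result only means none of these four indicators fired; it does not show that a message is safe to open.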

Software protection

As with all other computer security measures, make sure that you have good anti-spam software and that it is up to date.

What to look for

  • Ease of use
  • Are the spam definitions updated regularly? Definitions are similar to virus definitions for antivirus software.
  • Customer service feedback
  • Will it work with your email program? Some anti-spam software will only work with one email program.

Article written by Bernie Delorme, webmaster of many computer security resources such as PCSecurityPost, Antivirus, Spyware, Registry Cleaner, Firewall and PC Utilities.



(c) Copyright 2006 antispam.pcsecuritypost.com