Nov
20
Filed Under (Editorial, Tips) by David Wiles on 20-11-2017

All of us suffer from e-mail overload. Our inboxes fill daily with a clutter of “important” mails, so it is often hard to determine which emails are legitimate, and which are phishing emails that have been designed to steal your personal info or inject malware into your computer.

I am a member of the Identity Theft Resource Center and they often provide me with valuable information and resources to combat phishing scams.

In a recent report they provided some shocking statistics, about the success of phishing attacks worldwide:

  • For instance daily, worldwide, one in every 2000 emails is a phishing email, meaning around 135 million phishing attacks are attempted every day!
  • Many of the phishing attacks try to trick you into a clicking a link that takes you to a fake webpage to fool you into entering personal information – it’s estimated that an average of 1.4 million of these websites are created every month – that is over 46 000 phishing websites that are created dailyover 1900 every hour!
  • Last week the Identity Theft Resource Center reported a new fake Netflix email about a suspended account. With many South Africans now moving away from satellite and cable subscription movie channels like MNET and DSTV, and subscribing to NetFlix, this poses a risk.
  • There is a new fake Amazon email asking you to verify your account.  Just think about this for a moment: It is very easy to purchase books, DVD, and thousands of other goods from Amazon, just at a click of a button. (you can even get a parrot to do it!) If phishers can get access to your Amazon account, then they have access to your credit card details!
  • Of course don’t forget the “classic” PayPal phishing email about unauthorized/suspicious account activity. I make use of PayPal and recieve several of these fake phishing mails every month.

According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90% chance that at least one person will fall for it! Considering the fact that there are a little under 2000 personnel working at Tygerberg Campus, daily there is a chance that at least 20 people will be caught by phishing scams!

Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations, like the university. Instead of trying to get banking credentials for ordinary consumers, the attacker may find it more lucrative to target an enterprise like Stellenbosch University.

Spear phishing attacks can extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a pay increase, that a recipient may have just received or sending a malicious attachment where the filename references a topic the recipient is interested in.

What can we do about it?

A good general rule: Don’t give out personal information based on an unsolicited email request.

Learning to recognize and avoid phishing emails and sharing that knowledge with your colleagues, is critical to combating identity theft and data loss.

Here are a few basic tips to recognize and avoid a phishing e-mail:

  • It contains a link. Scammers often pose as the IRS, financial institutions, credit card companies or even tax companies or software providers. They may claim they need you to update your account or ask you to change a password. The email offers a link to a spoofing site that may look similar to the legitimate official website. Do not click on the link. If in doubt, go directly to the legitimate website and access your account.
  • It contains an attachment. Another option for scammers is to include an attachment to the email. This attachment may be infected with malware that can download malicious software onto your computer without your knowledge. If it’s spyware, it can track your keystrokes to obtain information about your passwords, Social Security number, credit cards or other sensitive data. Do not open attachments from sources unknown to you.
  • It’s from a government agency. Scammers attempt to frighten people into opening email links by posing as government agencies. Thieves often try to imitate the IRS and other government agencies.
  • It’s a “suspicious” email from a friend. Scammers also hack email accounts and try to leverage the stolen email addresses. You may receive an email from a “friend” that just doesn’t seem right. It may be missing a subject for the subject line or contain odd requests or language. If it seems off, avoid it and do not click on any links.
  • It has a lookalike URL. The questionable email may try to trick you with the URL. For example, instead of www.irs.gov, it may be a false lookalike such as www.irs.gov.maliciousname.com. You can place your cursor over the text to view a pop-up of the real URL.
  • Use security features. Your browser and email provider generally will have anti-spam and phishing features. Make sure you use all of your security software features.
    Opening a phishing email and clicking on the link or attachment is one of the most common ways thieves are able not just steal your identity or personal information but also to enter into computer networks and create other mischief.
Aug
17
Filed Under (Editorial, Tips) by David Wiles on 17-08-2017

“Hi. Just writing to let you know my trip to Manila, Philippines with my family has been a mess…I need you to loan me some money. I’ll refund it to you as soon as I arrive home.”

or…

“How are you and your family doing? hope this email find you all in good health and spirit. I am currently in Burkina Faso on vacation but i will return back as soon as possible due to my poor health. I have tried calling you severally but didn’t get through, please can you call me on … as soon as you get this email? I have something urgent i need to talk to you about.”

That is the kind of fake e-mail thousands of university employees get every year. It appears to come from a friend or a colleague, but is actually from a scammer on the other side of the world.

All these scams have the same story, they were out of the country, they’ve been robbed and they need assistance now, or they are ill, or in some sort of trouble and need your help… This trick relies on good natured people willing to help a friend.

The Stranded Traveler scam is a way to profit from hacking into someone’s webmail account – like Yahoo!Mail, Hotmail or GMail.

This usually happens when somebody has a simple, easily guessable password on their webmail account, or they have left their details on a phishing site.

Once the scammer has gained control of the “mule’s” email account, they log into the webmail account and:

  • Change the webmail password so the real user can’t login.
  • Grab a copy of all the contacts either from the contacts list or individual messages.
  • Filter out non-personal messages to target friends/acquaintances only.
  • Send the ‘stranded traveler’ message out to the contacts and hope for replies with money transfer details.
  • Meantime the real owner of the webmail account is probably unaware there’s a problem until they try to login to their email. Even then, they probably think they’ve forgotten the password rather than being hacked. It’s only when a friend contacts them directly that the scam is revealed – usually far too late.

How to protect yourself: There are various things you can do to prevent being a victim of this scam, either having your webmail hacked or receiving scam emails.

  • Don’t click on attachments in emails from strangers, or if they are from someone you know but look suspicious.
  • Have a complex, hard to guess password. Dictionary words aren’t enough. Preferably a mix of upper and lower case letters plus digits and other characters like (!@#$%^&*)
  • Don’t reveal the password to anyone, and be careful of email messages that pretend to come from the webmail provider. Phishing messages are the most common way that people giveaway their passwords.
  • If you get an urgent email from a friend, especially one asking for money, check with them using other means. Try to call them or check with mutual acquaintances to see if the story is true beyond what you’ve learnt in the email. At worst, you could reply and ask for some information only the real sender would know (keep in mind that the scammer can read/search the hacked webmail account).

So how do scammers get your email password?

  • Phishing websites: Typically a victim receives a message that appears to have been sent by a known contact or organization. An attachment or links in the message are clicked onby the victim and they are directed to a malicious website set up to trick them into divulging personal information, such as usernames & passwords.
  • Trojan programs: If you click on an attachment in an unknown email, it can trigger your computer to download a “Trojan” program that then allows cyber criminals to see every key stroke you make –including your email password.
  • Password breaker program: Often called a “brute force program,” this is software bad guys use to try every combination of numbers and letters until they hit on your password.
  • Email addresses used as logons: You know how many websites have you set up an account using your email address as your User ID? If you then use the same password for that account that you use for email, criminals have what they need: your email address and your password.
Jul
25

These days, it seems we have to hand out our cellphone number like sweets at a kids party. Whether it be required for signing up for a new account, entering into a raffle, returning a purchase at a retail store, or registering for a discount, your phone number seems to be like a “skeleton key” for opening up all manners of doors.

Does giving out your cellphone number put you at risk of identity theft?

The answer is both “Yes” and “No”.

Yes, oversharing or giving out your number too frequently can lead to more scam calls, texts or unwanted solicitors. These days, our cellphone numbers are being used increasingly by information brokers to gain access to personal information that’s kept by nearly all corporations, financial institutions, and social media networks.

If someone you had just met asked you for your ID number, you would likely not give it to them. What if the same person asked you for your cell phone number? My guess is that you would readily tell them the ten-digit number, with no questions asked.

No, identity thieves cannot open new lines of credit, apply for benefits or make large purchases with your cellphone number.

However, the real threat is with the device itself.

Your cell phone number – which is unique to you – is the doorway to your identity. It provides an entrance to all the data contained on your phone, and can link your other information to you – your email address, physical address, bank account number etc. If your smartphone falls into the wrong hands and isn’t protected, a thief could access your email account and change all of your account log-ins, get into your Facebook and post malicious links, access your two-factor authentication, or even drain money from your mobile wallet.

What can you do about it?

  1. Safeguard your mobile device: Make sure it has a passcode and is set to lock quickly. You’ll also want to have a phone finder app installed so that if it is lost or stolen you can either find it, or worst case, remotely erase all of your data.
  2. Use common sense: If you’re asked for your phone number, ask why. In general, don’t give it out to people you don’t know see if you can leave it blank on online forms – even if that means it may take a few seconds more to identify you the next time you make a purchase.
  3. Enable two-factor or multi-factor authentication on all your devices: This is what happens every time you go to an ATM: to make a withdrawal you need both your debit card and a PIN number. That’s two-factor authentication, which increases the level of security on your devices.
  4. Sign up for the “do not call” lists, which are helpful for run-of-the-mill solicitations. While hackers don’t subscribe to such lists, you won’t get as many pesky marketing calls.
  5. Get more than one cell phone, and only gives out the number to the phone that contains no data or links to personal information.
  6. Choose which private data you are willing to share: When asked for your cell number, especially at a retailer, you may be able provide an email address, zip code or just your name as a way to identify you. It’s worth asking about.

All of this takes more time and effort, but ask yourself ow much privacy and security are you willing to trade away for a little more convenience?

Jun
27
Filed Under (Editorial, Tips) by David Wiles on 27-06-2017

Your smartphone can be easily hacked easily if you plug it in to charge via USB at a public place like an airport, cafe or on public transport.

Researchers at security firm Kaspersky Labs found that they could install a third-party application, like a virus, onto the phone via its USB cable connection to a computer. It took them under three minutes.

They also found that the Android and iOS phones tested leaked a host of private data to the computer they were connected to whilst charging, including the device name, device manufacturer, device type, serial number and even a list of files.

It’s well known that public Wi-Fi connections are a security risk, but did you know that the USB cord used to charge your phone is also used to send data from your phone to other devices?

By pairing it with any charging station (airport, plane, mall), which usually has a computer hidden behind it, you run the risk of having your photos or contact info sent to that device. If the computer behind the charging station is compromised, it could inject malicious code directly into your device.

You should also avoid connecting your mobile device via USB to a rental car’s entertainment system just for charging. Use the cigarette lighter adapter instead so you don’t have to worry about your personal info being stored in a car that’s not yours.

How to protect yourself:

  • Only plug your phone into trusted computers, using trusted USB cables
  • Protect your cell phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging.
  • Use encrypted apps like WhatsApp and iMessage to communicate
  • Antiviruse programs can be a pain, but they help to detect malware even if a “charging” vulnerability is used.
  • Always update your cellphone operating system to the most recent version, as that will have the most up-to-date bug fixes.

Save

Malware: Is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
The term “malware” is a compound word from two other words “Malicious” and  “software” and describes software created by hackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems.

Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs.

Some forms of malicious software are:

Spyware is a type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally to monitor users.

While the term spyware suggests software that monitors a user’s computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow internet connection speeds, unauthorized changes in browser settings, or changes to software settings.

Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam

Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing e-mails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details on a fake website which looks are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Spear-phishing is a more targeted form of phishing. Ordinary phishing involves malicious emails sent to any random email account, but spear-phishing email is designed to appear to come from someone who recipient knows and trusts — such as a colleague, business manager or human resources department — and can include a subject line or content that is specifically tailored to the victim’s known interests or industry.  Phishing attacks are so successful because employees click on them at an alarming rate, even when emails are obviously suspicious.

Pharming is a hacker’s attack intended to redirect a website’s traffic to another, bogus site.
The term “pharming” is a compound term based on the words “farming” and “phishing”. Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting e-commerce and online banking websites.

Save

May
15
Filed Under (Editorial, Tips) by David Wiles on 15-05-2017

Ransomware stops you from using your PC. It is malware that holds your PC or files for “ransom”.

Although there are different types of ransomware, all of them will prevent you from using your PC normally, and they will all ask you to do something (like demanding money) before you can use your PC.

Ransomware can target PC users, whether it’s a home computer, a computer on a university network, or servers used by the government.

Ransomware can:

  • Prevent you from accessing your operating system.
  • Encrypt files so you can’t use them.
  • Stop certain apps from running (like your web browser).
  • Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files.
  • There is no guarantee that paying the ransom or doing what the ransomware tells you will give access to your computer or files again.

There are two types of ransomware, lockscreen ransomware and encryption ransomware.

Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.

 

 

 

 

 

 

 

Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files.

Some versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

The latest versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:

  • Visiting unsafe, suspicious, or fake websites.
  • Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
  • Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, instant messenger chats, like Skype.

It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.

The best solution to ransomware is to be safe on the Internet and with emails and online chat:

  • Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
  • If you’re ever unsure – don’t click it!
  • Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
Dec
07
Filed Under (Tips) by David Wiles on 07-12-2016

androidmalwareEarly this month it was revealed that Android users, the operating system used by most brands of South African smartphones, were vulnerable to a major security flaw.
Check Point, a large Internet security firm, disclosed that around 13,000 Android smartphones per day are being breached by a malware called “Gooligan”.

Like most hacks, this particular threat relies on the you to download apps via unsafe stores that contain malware which is specifically targeting the Google accounts of Android users. It appears that this malware targets the user’s Google accounts by stealing their authentication/passwords and presents an opportunity for criminals to access data on your Gmail, Google Docs, Google drive and other Google services – hence the name “Gooligan”.

If you download your apps from the apps store on your phone or Google Play, you are okay, because Android require app developers to go through a quality assurance process, but if you have installed innocent-looking, albeit booby-trapped software from app stores outside Google’s authorized Play store, then you are at risk.

If you’re unsure as to whether your device has been infected, a free service has been set up by Check Point to check user names.

This Check Point service requests users to enter their email address. A search is then conducted against known compromised accounts.

Google Android is the world’s most popular mobile operating system, but an ‘open’ operating system, which basically means that smartphone manufacturers are free to alter Android to work in any way they want, and anyone can release apps for it.

However, this also means Android is more prone to malware than other mobile operating systems. The logic is simple, if you wouldn’t use a Windows PC without malware protection, then you shouldn’t leave your Android smartphone exposed.

Fortunately, protecting your Android smartphone or tablet is straightforward — and free:

Step 1: Update your version of Android…

step1

It’s important to keep your Android software up to date.  As well as new features, each update includes bug fixes to help protect your phone.
Tap the Settings icon, then scroll down to About phone (or About tablet) – Software (or System) update.
You’ll see your update status, including whether your software is up to date.

 

Step 2: Prevent app installs from unknown sources…

step2

Check that your Android device is set up to only allow app installations from the Google Play store.
To do this, go into the Settings – Security. Scroll down and under Device Administration look for Unknown sources. Make sure this is unchecked.

 

 

Step 3: Restrict downloads with a password…

step3

If other people use your Android smartphone then it is essential to enable a password for installation of new apps. This is especially important for parents who don’t want their children installing sometimes expensive apps without their knowledge.
Launch the Google Play store app then tap the menu button at the top right – it looks like three stacked dots. Now tap Settings and look for User Control.
Tap Parental Controls and turn the slider On. You’ll be asked to Create content PIN.

Step 4: Read and understand permissions…

step4

When you tap the Install button in the Google Play store, your Android device will display an App permissions dialogue box.
Scroll down and tap See all to view everything that the app wants to access on your handset.
Some apps have a legitimate need to access certain features of your smartphone. A web browser, for example, will need access to the internet, while a photo app will need access to the device’s storage.
If in doubt, or if you don’t want to share the information, don’t install the app.

Step 5: Install free antivirus software…

step5

You should install antivirus software onto your Android smartphone. Fortunately, this is both easy and free.
There are plenty of good free antivirus products on the Google Play store that will protect against viruses and malware, blocking dangerous links and some even help you find your phone.

Step 6: Finally… Use common sense…

Protection is all well and good, but it pays to be cautious.
First and foremost don’t click on suspicious links and always delete anything that looks suspect. Email hacking is very common – you may receive an email from a trusted source containing a YouTube link with an unusual heading – don’t click on the link and, if your email app allows it, flag the message as spam or junk mail.
Additionally, if you get a spam text message informing you you’ve won a prize, delete it. If you haven’t entered a competition, you’re highly unlikely to have won a prize.

Jan
15
Filed Under (Editorial, Tips) by David Wiles on 15-01-2015

PhoneScamHave you ever received a call from someone with a heavy Indian accent from Microsoft saying your computer had errors or viruses? The purpose of these telephone calls is to get an easy R500 (or whatever amount they choose) by scaring you into thinking there’s something really wrong with your computer and that they can fix it for you.

These tech support phone scams have been going on for many years and scammers keep on defrauding innocent people if their money because their success ratio is still worth their time and effort. Pensioners and non-technical people are most often victims, as these smooth-tongued Indian operators are very good at blinding you with “technospeak”.

Often the caller’s number will not appear on your phone, a sign that they were using some Voice over IP (VoIP) or such technology that both completely hides their identity and costs them nothing for long distance calls.

This scam is a well-oiled machine which starts off with the alleged Microsoft representative asking you to turn on your computer to perform some checks for errors. They essentially make you open different applications which aren’t typically known by regular users.

Step 1: Scare Tactics

You will be instructed to press the “Windows” and “R” keys together to get to the Windows Run dialog box and then run a command to open up Window’s Event Viewer:

Conveniently, the Event Viewer will always show some warning or error which the scammer can use to instill fear. Often files legitimate files stored in the Windows Prefetch folder will be  called spyware and viruses, but this is a lie, as those Prefetch files are simply used by Windows to launch programs faster. The “System Configuration Utility”, also known as msconfig, will be also used to focus the victim on the status of each Service  to count how many “stopped” ones there are.

Step 2: The “Intervention”

The next step of the scan consists of allowing a remote person to fix these “issues” for the victim. This involves giving the scammer access to your computer using a remote control program like TeamViewer.

The scammers will then perform questionable tasks to “repair” the system, such as installing trials of other legitimate security software, installing malware (including rogue security software) designed to collect the user’s personal information, and deleting the aforementioned files that were previously claimed to be malware.

Step 3: The “Hit”

They then coax the victim into paying for their services or the software designed to “repair” their computer, and in turn, gain access to the victim’s credit card information, which can be used to make additional fraudulent charges. Afterwards, the scammer may also claim that the victim is eligible for a refund, and request the user’s bank account information—which is instead used to steal more money from the victim rather than providing the promised refund.

unsubscribeOnce of the most common questions I get asked by users is: How do these spammers get my e-mail address? There are a number or methods that these spammers use, and I will focus on the third of these methods, in today’s blog post: By using Subscribe/Unsubscribe newsletter services.

In the 21st century it can be said that “Knowledge and not Money is Power”. The two are closely linked. Knowledge or “data” is a hot commodity on the Internet. Facebook, for instance, has over 1.2 billion users. That is a lot of people and a lot of data! Just think of the value of that data if Mark Zuckerberg (the founder of Facebook) decided to sell that information. What would be the value of that data?

Many times you might receive e-mail in the form of a newsletter that sometimes has a button down below that’s marked “Unsubscribe.”, but will the newsletters really stop if you click on it?

There are many unscrupulous newsletter senders that will sell your email address for a commission. A very common unsubscribe tactic is to send millions of people a false “you have joined a newsletter” e-mail. When users click on the “unsubscribe” link, they are not actually unsubscribing but unwittingly confirming that they are a real person with an active email address, and this typically results in getting more spam, and soon the spam flood will spiral out of control. Furthermore the spammers will then sell their database (containing your “confirmed” e-mail address) to other spammers and unscrupulous marketing firms.

Another vector that spammers use to obtain your e-mail address is through legitimate newsletters. You may often subscribe to a legitimate newsletter service and receive newsletters with not problem, but as soon as your personal information and contact details are placed into the care of a third party (the legitimate newsletter service) you are relying on the fact that their system and database security is adequate and is not vulnerable to hacking and identity theft. Hackers could break in and steal the database of e-mail address of the original newsletter service, and very quickly your e-mail address could be in the hands of spammers and scammers throughout the world!

Another sobering fact is that often marketers and newsletter services gather e-mail addresses and then sell this to a third party. Often this is mentioned in the “Terms & Conditions” when you originally subscribe, giving them the rights to give your details to their “partners” so they can contact you.

This way you become the unwitting victim in the business of selling and exchanging data!

Remember these important tips:

  • Survey Sites tend to generate a lot of junk mail. While many people use surveys as a great part-time source of extra income, signing up for surveys, free gifts, free drawings, etc. often distributes your e-mail to many unwanted mailing lists.
  • Try to keep your junk mail to a minimum by not giving your e-mail address to anybody that you don’t know, trust, or use for business purposes like your bank, business websites, etc.
  • Many different junk e-mails can come from the same source. Once you start “unsubscribing” from these e-mails, you’ll begin to notice that some of the unsubscribe pages look the same.
  • If trying to get information from sites requiring an email address try abc@123.com or similar rather than your own email address. By entering a non existent email address yours doesn’t get logged & targeted.
  • If you cancel a subscription, and e-mail keeps coming, it may be necessary to add the junk mail’s sender or domain to your blocked list.

botnetOnce of the most common questions I get asked by users is: How do these spammers get my e-mail address? There are a number or methods that these spammers use, and I will focus on the second of the methods, in today’s blog post: By using Trojan Horses, Bots and Zombies.

Let us use a familiar example: You regularly exchange emails with your elderly mother who has got a computer. Your mother uses Outlook or Thunderbird and has dozens of emails from you in her inbox. She even added you to her address book. She also has lots of emails from a distant family member – cousin Johan from Australia. You haven’t stayed in touch with Johan that closely over the years, but you definitely know who he is.

Last year, just before the Christmas, Johan downloaded and installed this really pretty Christmas screensaver that showed tranquil tree and candle scenes when he wasn’t using the computer. What he didn’t know was that the screen saver had a sinister hidden payload. While the candles flickered peacefully on his screen, the software went to work combing through his emails and address book, his browser’s cache of past webmail sessions and other files, storing every email address it would find in a separate list.

Then it sent the entire list to a server in Russia, where a criminal combined it with other such submissions to build the ultimate monster spam list that can be sold and resold over and over again.

But as if that wasn’t enough, when the “screensaver” sent the address list to Russia, it received some content in return – messages to be sent to all of Johan’s contacts. Then, unbeknownst to John, his computer started creating hundreds of emails randomly using the harvested email addresses in the To: and From: field along with the content from the Russian server and sent them out using Johan’s Internet connection. One of them used your mother’s email address as sender and yours as recipient.

Now you received some spam from your mother asking you to buy fake watches and you’re ready to speak to her telling her to stop. Well, don’t. Your mother has obviously nothing to do with the whole thing and you’ll never find out that it was actually Johan’s computer.

You just had a look into the really nasty underworld of the Internet where botmasters (the guy in Russia) control botnets (infected computers that all report to the same server) of remote-controlled zombies (Johan’s computer) that were compromised using trojan horses (the screensaver) or similar malware.

And it doesn’t even end there. The botmaster typically doesn’t spam for his own account but hires out his botnet to whoever pays the most. The equally shady factory in China wanting to sell more fake Rolexes can now hire the botmaster to blast their offers all over the internet. The guy in Russia doesn’t even care if you open or click on that email from your mother, he gets paid either way. And when he’s done with the watches, he’ll inform his entire mailing list that they all won the lottery and can pick up the prize if only they pay a small “transfer fee” up front. And after that, he’ll mail a Paypal phish for yet another “client”. And for good measure, he’ll sell his entire email address database, incl. yours, to a friend who is in the same line of “business”.

In other words, once your email address got picked up by a botnet, Pandora’s Box is wide open. The whole scheme is particularly wicked because now you have to depend on others to keep your address safe. Unfortunately, there is little you can do:

  • First of all, do your own share: NEVER open email attachments that you didn’t ask for, even if they appear to come from good friends like Johan. If you’re still curious, ask Johan or your mother first if they really sent it.
  • NEVER download anything where you can’t in­de­pend­ent­ly verify it’s safe. With “independently verify” I mean you can read about it in forums, blogs, news sites, your local “computer geek” etc. Facebook fan pages, even with 1000s of “fans”, do NOT count, they are way too easy to manipulate and are usually full of misinformation!
  • NEVER get fooled by fake “security scans” (they’re quite the opposite!) or “video codec updates” to see that funny kitten clip. If you think you need a new Flash player, type in flash.com by hand and update from there. If afterwards the site still says you need an “update” get out of there as fast as you can.
  • Then educate your friends and family about the same. Explain how trojans work. Send them a link to this blog page!
  • You can try having multiple private email addresses. Keep a super-private one, only for family and very few of your closest friends. (Personally I know they are familiar with the dangers lurking on the net, because I indoctrinated many of them myself.) Then I use my university address for everyone I work with and I don’t use this for private mail – EVER! Then I have a semi-private one for my wider social circle. The latter two do get some spam, although it’s still manageable. I find GMail to have a very good “spam filter”, and blacklisting spammers is very easy!

Thanks to BustSpammers.com for the material.