Security researchers take out botnet responsible for 18 billion spam emails a day

Independent: If you’re a fan of fake Rolex watches and cheap Viagra, look away now.

A huge spam botnet responsible for an estimated 18 billion messages a day has been taken out by security researchers.

The four-year-old botnet – known as Grum – is believed to have been responsible for around 18% of the world’s spam emails.

A botnet is a cluster of infected computers used by cybercriminals to send a variety of spam emails – often offering cheap Viagra, fake watches or unusual dating solutions.

The cluster of computers is usually infected using malware.

Security company FireEye and spam-tracking service SpamHaus worked with ISPs to shut down the illegal network.

The control servers for Grum were found to be mainly based in Ukraine, Russia and Panama.

FireEye has been monitoring Grum since 2008, working in combination with the Russian Computer Security Incident Response Team and the Spamhaus Project.

Spamhaus estimated that up to 120,000 IP addresses were used to send spam each day, but that following the takedown the number reduced to around 21,000.

Writing on the FireEye blog, Atif Mushtaq, a security researcher with FireEye, said, “Grum’s takedown resulted from the efforts of many individuals.”

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Experts anticipate that the takedown should result in a significantly reduced level of junk mail.

On Monday a Dutch server involved in Grum was shut down.

On Tuesday command and control servers based out of Panama were also shut.

“With the shutdown of the Panamanian server, a complete segment was dead forever”, says Mushtaq.

However, the good news didn’t last long as the bot herders – who scan networks to find weak or vulnerable systems to install their bot program – started pointing the command and control servers to secondary servers located in Ukraine.

Mushtaq says that in the past Ukraine had been something of a ‘safe haven’ for bot herders and that shutting down servers there had “never been easy.”

Around 20,000 computers are thought to be still part of the botnet, but they are now ineffective without active command and control servers.

In recent years there has been a concerted effort to take down some of the largest botnets.

According to Atif Mushtaq, global spam volume is at a record low thanks to the research community’s effort against spammers.

Mushtaq is however clear about the scale of the problems involved in taking down botnets: “The research community needs to maintain this pressure until we reach a point where the bad guys start thinking that becoming a spammer is not worth the risk. If I were to rank Grum’s takedown difficulty level from one to five where five is the most difficult, I would give Grum a two.

“When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens.”

FireEye Grum Takedown Q&A

How significant is the takedown of Grum?

Identifying the control servers quickly enough that they can be shut down is significant, as it shows that the right personnel with the right tools can win.

How did FireEye bring down Grum?  (in the simplest terms possible!)

FireEye identifies command and control malware call-backs without prior signatures or URLs. By tracking the servers in real time, even when they move, the teams were able to close in and shut them down.

Will people notice a reduction in the amount of spam they receive?

Absolutely. Time will always tell, but removing the command and control for the third largest botnet that was generating spam can only be a good thing.

What advice would you give people to avoid getting a deluge of spam emails?

Your email address is very personal and should be treated as such.

Do your best to make sure it’s not published on a website for all the world to see, protect yourself from malware and don’t open or reply to emails that don’t make sense – even if they appear to be from people that you know.

Fake Facebook Photo Notifications Contain Malware

Mashable: Sophos’s NakedSecurity blog outlined the threat on Wednesday. The company’s SophosLabs intercepted a “spammed-out email campaign” which was designed to spread malware. Sophos provided the following example:


The blog notes that the email address above misspells “Facebook” as “Faceboook.” The link takes the user to a malicious iFrame script, which exposes the user’s computer to malware. However, within four seconds, the user’s browser is directed to a presumably innocent Facebook page like the one below to act as a smokescreen.


The lab recommends checking the “Facebook” email addresses in such emails closely and hovering your mouse over the link, at which point you should see that it doesn’t go to a Facebook page.

Have you been duped by a fake Facebook photo tag message? Let us know in the comments.
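The two checks Sophos describes above, a sender domain that misspells the brand and a link whose visible text names a site other than the one it actually goes to, can be automated in a mail filter. The script below is an added example, not Sophos’s code or a reproduction of the original campaign: the message, the sender domain and the link host are constructed placeholders, and the trusted-brand list is an assumption.

```python
"""Added example (not Sophos's code): flag a look-alike sender domain and a
link whose visible text names a different host than its href. The message
below is constructed; all hosts in it are placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_BRANDS = {"facebook.com"}  # assumption: brands this filter protects

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Last two labels of a host name (good enough for .com-style brands)."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_brand(host):
    """Return the trusted brand a domain imitates (within two edits), or None
    if the domain is the brand itself or unrelated to it."""
    domain = registered_domain(host)
    for brand in TRUSTED_BRANDS:
        if domain == brand:
            return None
        if edit_distance(domain, brand) <= 2:
            return brand
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

HOST_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1]
    findings = []
    brand = lookalike_brand(sender_host)
    if brand:
        findings.append(f"sender domain {sender_host} looks like {brand}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(text)
        shown_host = m.group(0).lower() if m else ""
        # the automated form of the "hover over the link" check:
        # what the link text claims vs. where the href really goes
        if shown_host and registered_domain(shown_host) != registered_domain(real_host):
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
    return findings

SAMPLE_MESSAGE = """\
From: Facebook <notification+abc@faceboook.com>
To: someone@example.org
Subject: You have been tagged in a photo
Content-Type: text/html

<html><body>
<p>Your friend tagged you in a photo.</p>
<a href="http://photo-notice.example.net/view?id=42">http://www.facebook.com/photo.php?fbid=42</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print(finding)
```

Comparing registered domains rather than full host names keeps legitimate sub-domains of the brand from being flagged; the edit-distance threshold of two catches single-character typos such as the extra “o” while leaving unrelated domains alone.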

Spam attack on Dropbox users

H-Online: Spammers are currently sending large volumes of spam to users of cloud storage service provider Dropbox. The H’s associates at heise Security have so far received four different pieces of German-language spam at an email address used solely to register with Dropbox, and some of their readers have reported the same problem; similar reports can also be found on the Dropbox forums. In almost all cases, the spam is for suspicious-looking online casinos.

Much of the spam appears to have been sent to users with their own domains who created a custom email address such as dropbox@domain.tld to register for the Dropbox file-sharing service. This would suggest that the spammers may simply have been lucky. According to forum discussions, however, emails have also been received by people who have not used this easily guessable address format.

On the Dropbox forums, the company announced that it has asked its security team to investigate the incident, and has also called in outside experts. At present, it has found no evidence of unauthorized access to Dropbox accounts, but this could change as the investigation moves forward. The company has reassured users that a recent thirty-minute website outage had nothing to do with this incident.


‘Botnet’ sends out spam as malware spreads on Android phones: researcher

Malware has been spreading on Android mobile phones that takes control of certain email accounts to create a “botnet” to send out spam, a security researcher says.

Microsoft security engineer Terry Zink says the malware has infected phones and is using their owners’ Yahoo email accounts to send out spam messages.

“We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices,” Zink said in a blog post on Tuesday.

“These devices log in to the user’s Yahoo Mail account and send spam.”

He said the phones appear to be located in Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

“I’ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app is pretty low if you get it from the Android Marketplace,” he said.

“But if you get it from some guy in a back alley on the internet, the odds go way up.”

He said users in the developed world “usually have better security practices and fewer malware infections than users in the developing world”.

“I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for,” Zink said.

“Either that or they acquired a rogue Yahoo Mail app.”

A report earlier this year by the security firm AV-Test found that some Android apps downloaded malicious code after installation, and said this is more common in the Google Android system than in the Apple ecosystem, which has stricter security policies.

Google has a security system known as Bouncer to scan for malware but some experts recommend additional protection for phones using the platform.


Automated Skype calls and Fake Antiviruses

This is an old story from September 2011, but since I’ve recently seen users complaining about this, I want to share it again [Credit to NakedSecurity, SophosLabs]:

You may have received an automated call from a user who claims to be from Skype or somewhere similar, which says:

“Attention: this is an automated computer system alert. Your computer protection service is not active. To activate computer protection, and repair your computer, go to [LINK]”

Indeed, that’s a scam: visiting the link leads to infection by a fake antivirus (scareware). The website claims that you are not properly protected and urges you to install its software (a steal at $19.95).


To stop such calls in the future you can set your privacy options to only allow calls from your contacts:


Here is a video that shows an example of these calls:

Hackers use fake Facebook cancellation emails to deploy malware

H-Online: A new type of phishing strategy, which aims to trick unsuspecting users into installing a trojan by pretending to be an account cancellation request from Facebook, has been discovered by Sophos. The email messages link to a third party application on the site that will install a Java applet and then prompt the user to update their Flash player, but will actually deliver the trojan malware.

The email messages that are sent out claim to be from Facebook and state: “We are sending you this email to inform you that we have received an account cancellation request from you.” However, Facebook never sends such account cancellation confirmation messages via email. Users who want to cancel their Facebook account can do so by visiting to deactivate their account; they may later delete it after a cool-down period has passed.

The malware preys on the fact that many users value their Facebook account highly and do not want it to be deleted. If they follow the link, they get prompted to install a Java applet. If they choose not to do so, the application will keep nagging until the user agrees to the applet being installed. Next, the user will see a message that they need to update Flash Player – this will actually install a trojan onto the system which allows the hackers to take over the machine and integrate it into a botnet. According to Sophos, the most commonly installed trojans are SpyEye-B and Agent-WHZ.

Phishers Offer Fake Storage Upgrades

Symantec Connect: Customers of popular email service providers have been a common target for phishers for identity theft purposes. Phishers are constantly devising new phishing bait strategies in the hope of stealing user email addresses and passwords. In April 2012, Symantec observed phishing pages that mimicked popular email services in an attempt to dupe users with attractive storage plans.

Customers were flooded with fake offers of free additional storage space for services such as email, online photo albums, and documents. In the first example, the phishing site was titled “Welcome to New [BRAND NAME] Quota Verification Page”. According to the bogus offer, the additional storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The phishing page boasted that the free additional storage plan will help customers prevent loss of data and the inability to send and receive emails due to exhausted storage space. It also stated that the plan will auto-renew each year and the customer can choose to cancel at any time by returning to the same page:


To avoid customer suspicion when the bogus offer doesn’t materialize, phishers used a time-buying strategy. They indicated that customers would be contacted 30 days prior to renewal and also that the upgrade process will take effect in a 24-hour time span. After user credentials are entered, the phishing page redirected to a page which confirmed the upgrade was initiated and complete. The phishing page then redirected back to the legitimate service website:


Similar phishing pages were observed spoofing other email services. The phishing site in this second example is titled “Obtain Free Additional Storage”. The same bait was used here as well:


To gain customer trust, the email address field was auto-populated on the fake page and is also concealed in the query string. Looking deep into these scams, it is evident these phishing scams are targeted attacks. By randomizing the email address in the query string of the phishing URL, the same phishing page can be used for targeting multiple users. Below is the URL format:


Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software which protects you from online phishing.
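Symantec notes above that the phishing page auto-populates the victim’s email address from the query string of the URL, so one page serves many targets. For a defender handling reported URLs, that same design means the per-victim links can be collapsed back onto the single page behind them, and the addresses recovered for notification. The script below is an added example, not Symantec’s code: the hosts and addresses are constructed placeholders and the legitimate-host set is an assumption.

```python
"""Added example (not Symantec's code): triage reported phishing URLs that
carry the targeted user's e-mail address in the query string. Hosts and
addresses below are constructed placeholders."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
# assumption: the genuine host of the brand being spoofed
LEGITIMATE_HOSTS = {"mail.brand.example"}

def triage_url(url):
    """Return the host, any e-mail addresses used to personalise the page,
    and a canonical form of the URL with those addresses masked."""
    parts = urlparse(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    targets = [v for _, v in params if EMAIL_RE.match(v)]
    masked = [(k, "<email>" if EMAIL_RE.match(v) else v) for k, v in params]
    canonical = urlunparse(parts._replace(query=urlencode(masked), fragment=""))
    host = (parts.hostname or "").lower()
    return {
        "host": host,
        "targets": targets,
        "canonical": canonical,
        # an address in the query string is normal on the brand's own site,
        # but on any other host it is the targeting trick described above
        "suspicious": bool(targets) and host not in LEGITIMATE_HOSTS,
    }

def group_by_kit(urls):
    """Collapse per-victim URLs onto the phishing page they share and collect
    the addresses each page was aimed at."""
    kits = defaultdict(set)
    for url in urls:
        info = triage_url(url)
        if info["suspicious"]:
            kits[info["canonical"]].update(info["targets"])
    return {page: sorted(targets) for page, targets in kits.items()}

SAMPLE_URLS = [  # constructed report list
    "http://quota-verify.example.net/upgrade.php?email=alice@example.org&plan=1tb",
    "http://quota-verify.example.net/upgrade.php?email=bob@example.org&plan=1tb",
    "http://storage-offer.example.net/index.html?u=carol@example.org",
    "https://mail.brand.example/settings?email=dave@example.org",
]

if __name__ == "__main__":
    for page, targets in group_by_kit(SAMPLE_URLS).items():
        print(page, "->", ", ".join(targets))
```

Masking the address before grouping is what turns two hundred reported links into the two pages that actually need a takedown request, while the target lists feed the notifications to users whose addresses were already in the phisher’s hands.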

WikiPharmacy? Fake Notifications Spammed Out

Symantec Connect: Symantec is intercepting a resurgence of spam attacks on popular brands. Spam messages that are replicas of the Wikipedia email address confirmation alert are the latest vector. The messages pretend to originate from Wikipedia, are selling meds, and carry the following subject line: “Subject: Wikipedia e-mail address confirmation”.

The spoofed Wikipedia page is a ploy to give legitimacy to the sale of meds online. The embedded URL in the message navigates to a fake online pharmacy site that is dressed up as a Wikipedia Web page. Furthermore, to give the email a legitimate look, the spammer has added the recipient’s IP address in the body of the spam mail. Needless to say this IP does not belong to the user.


Figure 1: Part of the spam message



Figure 2: An example spam message



Figure 3: The corresponding WikiPharmacy Web page


This is another social engineering tactic in which popular brands are exploited for spamming. Symantec anticipates a surge of such attacks as these brands grow in popularity; borrowing a well-known name is a trick spammers use from time to time to make their clandestine efforts look legitimate.

Beware of any purchases from such sites, as they will put the user’s personal and banking information at risk. We recommend users not click on any URLs from such unsolicited emails.

Your photo all over Facebook? Naked? Malware campaign spammed out

SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.

The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file ( which contains a Trojan horse.


Subject lines used in the spammed-out malware campaign include:

  • RE:Check the attachment you have to react somehow to this picture
  • FW:Check the attachment you have to react somehow to this picture
  • RE:You HAVE to check this photo in attachment man
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?


The message bodies contained inside the email can also vary. Here are some examples:

  • Hi there ,
    I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
  • Hi there ,
    I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
  • Excuse me,
    But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.

You can imagine how some people would react if they received a message like this in their email. Many might open the attachment out of curiosity (or even with trepidation that a private photo had leaked onto the internet!) and end up having their Windows computer infected as a result.

The Bredo Trojan is nothing new, and we regularly see variants of it spammed out widely across the internet using a variety of social engineering lures to trick users into opening the dangerous attachment.

Right now, according to VirusTotal, 29 out of 42 antivirus engines detect this:

Keep your wits about you, and your anti-virus up-to-date, and you should have little to fear.
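The lure above depends on the recipient opening a ZIP attachment that holds an executable rather than the promised photo. A mail gateway can look inside the archive before the user ever sees it. The script below is an added example and not Sophos’s code: it builds a harmless in-memory archive whose member is named with a padded double extension (a common disguise for the real file type) and shows the listing logic that would quarantine it.

```python
"""Added example (not from Naked Security or Sophos): triage an e-mail ZIP
attachment by listing its members and flagging executable or disguised
names. The archive here is constructed in memory and holds only text."""
import io
import os
import re
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# a decoy "document" extension, then padding, then the real executable ext,
# e.g. "photo.jpg     .exe": the padding hides ".exe" in narrow file dialogs
DISGUISED_RE = re.compile(r"\.(jpe?g|png|gif|pdf|docx?)\s+\.\w+$", re.IGNORECASE)

def build_sample_zip():
    """Constructed sample archive: one member with a disguised double
    extension and one ordinary text file. Both payloads are plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("photo_of_you.jpg" + " " * 20 + ".exe", b"placeholder text, not a program")
        z.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()

def inspect_zip(data):
    """Return a list of (member name, reason) for members worth blocking.
    Only the central directory is read; no member is extracted or run."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    with archive:
        for info in archive.infolist():
            name = info.filename
            ext = os.path.splitext(name.rstrip())[1].lower()
            if DISGUISED_RE.search(name):
                findings.append((name, "disguised double extension"))
            elif ext in EXECUTABLE_EXT:
                findings.append((name, f"executable member ({ext})"))
    return findings

def should_quarantine(data):
    """Gateway decision: hold the message if any member looks executable."""
    return bool(inspect_zip(data))

if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{name!r}: {reason}")
```

Reading only the central directory keeps the check cheap and avoids executing or even extracting anything; an unreadable archive is treated as a finding too, since a corrupt attachment is not something a user needs delivered.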

Free Stuff on Social Networks Not Free

Symantec Connect: In recent years, scammers have flocked towards social networking sites as they have grown and made it easier to access a large number of potential eyeballs to convert into dollars. Brands have found value in leveraging social media to know what their customers are talking about, so, naturally, scammers are doing the exact same thing.

Free iPads and iPhones

Every time Apple unveils a new iPad or iPhone, you can bet there are scammers out there trying to leverage the announcement for financial gain. In the days leading up to and after the announcement of the new third-generation iPad, Twitter users who tweet about the new tablet most likely will receive some targeted Twitter replies from scammers offering the new device for free:


Many of the links are often masked behind URL shortening services. These links actually lead to affiliate pages asking for personal information, such as email address and shipping information. However, some scammers have also begun to send users to instructional videos on YouTube. The videos guide users through a step-by-step process to get their free iPad or iPhone. Scammers then use the video description section to link to the affiliate pages:


Users can report these videos to YouTube by flagging them as inappropriate and selecting the “scams / fraud” option under the Spam category.

Free gift cards

Another common lure that scammers use on social networkers is to offer free gift cards. For instance, any time a user mentions particular brands on Twitter, scammers target them with Twitter replies enticing free gift cards:


Some of the brands presented in these scams include retailers of consumer electronics, women’s intimate apparel, and a large discount department store.


The above set of scams have relied on fake accounts posting links which lead to affiliate branded pages. For example, we saw scammers sending users to YouTube to follow a how-to video (likely a consequence of social networking sites improving their detection mechanisms to weed out direct links to these scams before they have a chance to see the light of day).

Recently, however, scammers are using a new trick to evade detection.

Fake promotional user accounts

Unlike the previous examples, where a Twitter user posts about a certain brand and receives a targeted reply with a link, users are now being directed to fake branded Twitter accounts:


Instead of seeming like a scam link, this message now looks more like it is part of a conversation with an actual (and clickable) brand. In the above example, a user posted about the Macy’s brand and, in reply, that user receives a Twitter reply directing them to what claims to be an official account for Macy’s:


Read the fine print

Misleading users, of course, is the goal of these scam campaigns. Not only are the brands misrepresented here, but the affiliate programs these scammers are part of state only in the fine print what someone can expect when responding to these offers:


The fine print (red box above) reads:

[Site] is an independent rewards program and not associated with any of the above listed merchants or brands. The above listed merchants or brands in no way endorse or sponsor [Site]’s offer and are not liable for any alleged or actual claims related to this offer. The above listed trademarks and service marks are the marks of their respective owners. [Site] is solely responsible for all Gift fulfillment. In order to receive your gift you must: (1) Meet the eligibility and (2) complete the rewards bonus survey (3) complete a total of 5 Rewards Offers as stated in the Terms & Conditions (4) not cancel your participation in more than a total of 2 Reward Offers within 30 days of any Reward Offer Sign-Up Date as outlined in the Terms & Conditions (the Cancellation Limit) and (5) follow the redemption instructions.

The “Rewards Offers” listed in the fine print include signing up for a trial membership to various subscription services as well as making qualifying purchases. So, after all is said and done, the free iPad and the free Starbucks Gift Card aren’t free after all.

If you are a Twitter user and you receive replies from suspect Twitter accounts promising you something for free, protect yourself and others by reporting the account to Twitter as shown below: