Scams, Spam, & Evilware
You didn't really think that was the widow of an assassinated Nigerian prince who offered you 20% to help spirit her late husband's massive fortune out of the country, did you? Likewise, you didn't win Big Bucks in an overseas lottery that you never bought a ticket for. Those stock tips earn Big Bucks for their senders and lose the same for their recipients. How about that nice Russian girl who wants to meet you? They're all scams where they con you into believing you'll get what they offer while they clean out your bank account.
An E-mail from your bank? Not. The IRS? Not. The Better Business Bureau? Not. The FBI? Not. About your PayPal account? Not. Classmate has sent you an E-card. Not. They'll separate you from your money or turn your PC into an unwitting spam generator without even offering you Big Bucks or a Russian wife.
Society has always had con artists, criminals, and other unsavory characters preying on the unsophisticated, the trusting, and the defenseless. The Internet allows world-wide communications and commerce that were unthinkable before its arrival, and unfortunately, in addition to its tremendous benefits to society, bad guys have learned how to use the Internet as a communication and delivery medium for their malfeasance.
Advance Fee Fraud
The Nigerians, the overseas lotteries, and the like are all variants on the same theme – you need to send them some money to get the process started. The promises of Big Bucks sucker some victims into sending huge advances to dangerous places, sometimes resulting in the death of the victim. Nice Russian girls' travel expenses can be lower than some of the other scams, but somehow they never seem able to find the airport after receiving their travel advances. Read more at Wikipedia.
Money Laundering
Unlike advance fee scams, a solicitation to open a transfer account where your business partner deposits money into your account and you allow withdrawals minus your cut for your trouble can be an easy income opportunity, but the process, called money laundering, uses your initial innocence to disguise the source of other people's ill-gotten gains. This is against the law, easy for the FBI to discover, and leads to federal prison, to say nothing of the danger involved in doing business with criminals who need their money laundered.
Phishing and Other Social Engineering
Early in Internet history a criminal of only modest technical talent who can go nameless here used what he called social engineering to break into many networks. He was as obvious as calling people up on the telephone and asking for their passwords, which were almost always given without any question. He's out of prison and mostly forgotten, but many people are still quite willing to give passwords and Social Security numbers to anyone who calls on the phone and asks. Don't.
More productive than individual telephone calls is sending a few kapillion spam messages with eBay's or a bank's or some other financial institution's logo telling you to log in and verify your account information, sometimes with a time limit before your account will be terminated. That type of con is called phishing. A link that looks like it goes to a legitimate web site actually goes to a web site in a country where law enforcement can be bought inexpensively. The actual web site looks almost exactly like the legitimate institution's web site, but its only function is to harvest suckers' account information for criminal use. Legitimate merchants often send shipping confirmation E-mail containing direct links to carriers' web sites that allow you to track shipment progress. If you just bought something, you're pretty safe clicking the shipment progress link in the confirmation E-mail, but never click a link in an unsolicited E-mail message. No reputable financial institution or merchant will ever send you an unsolicited request to verify account information. Read Microsoft's page on phishing.
"Pump and Dump" Stock Tips
You might suspect the stock tips in your inbox are nothing the U.S. Securities and Exchange Commission (SEC) would approve. Called "pump and dump", organized criminals buy a huge amount of a penny stock, send a storm of spam that convinces a huge number of suckers to buy it and pump up the price, and then the spammers dump it for a huge profit at the expense of the suckers. Read more on the SEC's own web site. The Department of Justice indicted a gang of 11 on January 3 (see justice.gov/opa/pr/2008/January/08_crm_003.html). Authorities are still looking for some of the gang, but even after they get picked up, there will be lots of other gangs still at it.
You need to buy this stuff
Fake jewelry is relatively harmless. Whatever alloy is passed off as gold might turn your skin green, but overall it's not too dangerous, and jewelry store personnel are usually amused when they replace the battery in an el cheapo knockoff. On the other hand, how wise is it to ingest bargain pharmaceuticals of unknown origin, content, and impurities? A century ago snake oil salesmen sold useless and sometimes harmful medications. Today spammers run the same racket without the inconvenience of living out of a suitcase, hawking magic pills that will help you lose weight or gain some physical attribute. None of them work past the short term, if at all, and some have serious side effects or can get you in trouble with Major League Baseball. Yes, the pharmaceutical industry is widely reviled for obscene pricing in the U.S., but at least most of their products have been tested for effectiveness and side effects, and most are produced free of toxic impurities. If you are looking for a legitimate Canadian pharmacy, spam will lead you astray.
Spam
Spam is easier to send than to defend against. Its greatest strength is its anonymity; no requirement for sender identification allows anyone to send mail with any from address. Several years ago the major software and Internet companies had a sit down to address the problem, but they divided into two hostile and unyielding camps, and after a lot of hot air they all went home and blamed the other side for their total failure. If receiving mail servers could validate the sender of incoming mail – the technology is available – a good deal of spam could be eliminated, and a good number of spammers could be shut down or even prosecuted. Perhaps some day the major players will put their customers' well being ahead of their own egos and selfishness, but meanwhile, it keeps coming.
They harvest E-mail addresses by stealing them from legitimate directories, crawling the web just like Google looking for addresses, and other legal and illegal means. They create large networks, called botnets (bot short for robot), of innocent compromised computers running programs in the background that contact networks of servers in countries with flexible law enforcement to get spam content and addresses. Security researchers have identified botnets with as many as 80,000 compromised computers all unknowingly sending spam, and there are many more, some bigger.
Viruses, Spyware, and Other Evilware
Once upon a time, most viruses and worms were written in their bedrooms by teenagers without girlfriends, often called "script kiddies" for their technology and their age. General losers, most are not very good programmers, and although such cyber-vandalism can do a lot of damage, the major anti-virus products provide fairly effective defense.
Now, scumbag advertisers, organized crime, Sony BMG Music, Sears, and their ilk are at it. They have the funds to pay far more talented programmers than your average script kiddie, and they have launched full scale assaults against the world's computers, producing spyware, adware, Trojan horses, keystroke loggers, rootkits, spam generating botnets, and other evilware. They observe web sites visited, and then pop up ads, redirect searches to their sponsors, and even redirect specifically requested web pages. They harvest credit card and bank account numbers, and they install botnet software that turns innocent computers into big time spammers. Anti-spyware products attempt to defend against these types of attacks, but the bad guys have a substantial lead.
In Sony BMG's case, they did a lot of damage to the computers of many people who never expected music CDs from a supposedly reputable company deliberately and surreptitiously to install unremovable software that was supposed to prevent illegal copying but also impaired their computers. Read the Boing-Boing article for details. Would you like to know everything your neighbor ever bought from or had serviced by Sears? Read The Consumerist's article on how scarily easy that is to do or the CA Security Advisor Research Blog.
What not to do
What not to do can be more important than what you do to resist the bad guys.
- Do not respond to any unsolicited E-mail or phone call asking for any account or personal information. Phishing and other social engineering techniques get far more information of far more reliability at far less cost than more sophisticated methods of attack.
- Do not open E-mail attachments unless you really know they're legitimate. Most E-mail attachments upon opening install evil software on their readers' computers, but do nothing if not opened.
- If a window pops up on your PC announcing that you have been infected with spyware, adware, pornography, or some other form of evilware or embarrassing content and you can click here to clean it up, don't. Most of those are opportunities to inundate suckers with lots more of whatever they purport to remove, or at best to pay them for a lousy product.
- If you do a Google search involving virus or spyware, you will see paid entries from self-proclaimed anti-virus and anti-spyware companies and self-proclaimed review web sites. Most of the review web sites are shills for the self-proclaimed anti-virus and anti-spyware products, which at best do a lousy job and in many cases infect your computer with more of what they claim to prevent. Check reputable publishers such as Ziff-Davis (www.zdnet.com) and IDG (www.idg.com) for reviews of such software.
- Stay off tacky web sites, particularly naughty pictures and celebrity gossip. Mainstream magazines' web sites are usually safe, but the personal web sites of the paparazzi who feed the tabloids can download evilware onto your computer while you're reading about the latest escapades of the latest bimbette.
- It's OK to unsubscribe from legitimate mailing lists, but never hit the unsubscribe button from a scumbag spammer. That will tell the spammer that your address is good, which will get them a premium when they sell your address to other spammers.
What to do
After not responding to social engineering, your computer needs technical defense.
- Keep your system up to date. Run Microsoft Update periodically or enable Windows Automatic Updates on the Control Panel, Security Center.
- Run defensive software and keep it up to date. The industry started with anti-virus products, and then others addressed newer types of threats with what they called anti-spyware products. Separate anti-virus and anti-spyware products, even from the same vendor, are less effective and burn more computer resources than single products that defend against all types of evilware technology.
- Use the firewall that is a Windows XP component or a third party firewall.
- Use a broadband router. Routers are built into many cable modems, most 2wire DSL modems recently shipped to AT&T customers, and the small black SpeedStream 5100B DSL modems with five lights on the front panel. If you have an older SpeedStream DSL modem with only four lights plugged directly into a network port on your PC, you are more vulnerable to attack from outside than if you were behind a router.
Free Anti-Virus and Anti-Spyware Products
AT&T/SBC DSL customers have been able, and later this month we hope will again be able, to download Norton security products on up to seven PCs at no additional cost as part of their service. For details, sign in at att.my.yahoo.com using your @sbcglobal.net E-mail address. Find the downloads and you will see the following selections:
- AT&T Yahoo! Browser – Most people use Internet Explorer, and a few use Firefox. We know of no reason to clutter a computer with AT&T Yahoo!'s own browser and recommend not selecting it for download and installation.
- AT&T Yahoo! Messenger – Many Instant Messenger (IM) users prefer AOL Instant Messaging (AIM). Only select this if you really use Yahoo!'s IM.
- AT&T Yahoo! Toolbar – This toolbar gets added to your browser and provides a field that goes directly to Yahoo! search and contains a number of buttons that go directly to Yahoo!'s pages for sports scores, stock prices, etc. It also slows your browser down every time you activate it and has a pop-up blocker that competes with Windows XP's and can be confusing when you have to tell both of them that you really want a specific popup. We recommend against selecting it.
- AT&T Yahoo! Music Jukebox – You probably already have iTunes or some other music software. We know of no reason to clutter a computer with this product.
- AT&T Yahoo! Online Protection – This is what you really want, and at the time of this writing, you can't have it until January 15.
- AT&T Yahoo! Dial Connection Manager – Even if your only connection to the Internet is through a dial-up modem, you don't need this; Windows has a dial connection manager built in.
Comcast cable Internet customers may run McAfee security products at no additional cost as part of their service. Sign in at www.comcast.net and look for the security download. You will have to create an account with McAfee using your @comcast.net E-mail and a password, and then you can download and install McAfee security software.
Grisoft produces free versions of their AVG Anti-Virus, Anti-Spyware, and Anti-Rootkit as three separate products downloadable at no charge to home users at free.grisoft.com. Perhaps some day they will be integrated into a single free product, as they are in the paid versions of AVG Internet Security.
The top free anti-spyware programs are Spybot Search & Destroy 1.5.1, downloadable from www.safer-networking.org, and Lavasoft Ad-Aware 2007, downloadable from www.lavasoft.com. Microsoft now has a free anti-spyware program called Windows Defender. It's built into Windows Vista and downloadable only for Windows XP and Windows Server 2003 at www.microsoft.com/athome/security/spyware/software/default.mspx.
Trend HouseCall
Trend Microsystems is one of the major commercial anti-evilware software vendors. In addition to their popular commercial products, they allow users to run a single scan and repair from their web site. Start at housecall.trendmicro.com, hit a couple of introductory "Scan Now. It's Free!" links, accept the license terms, and you will get a choice between Java and Browser plug-in (ActiveX) versions. Unless you know what Java is and want to use it, use the Browser plug-in (ActiveX) version. Follow the prompts, which might require unblocking popups and authorizing a download, and it will scan your system for evilware and offer you removal options.
Some other commercial vendors offer free scans, but they only scan for evilware and report it. If you want to remove it, you have to buy their production versions. Trend's Housecall is full service.
Apple
Sony BMG's and most other evilware are Windows-specific, but Mac users must not get complacent. Mac OS X, built upon OpenBSD UNIX, is often considered more secure than Windows, but it is not impenetrable. So far most of the bad guys have targeted the easier to attack and more prevalent Windows systems, but we have seen recent Mac attacks, and as Windows tightens up and more people buy Macs, Macs will become more desirable targets. If you have a Mac, keep its software current and resist the temptation to open unknown content. Never forget that Nigerian widows, nice Russian girls, stock tips, and other "social engineering" scams do not rely on any technology and have always been the bad guys' most effective penetration.