Why Spam Is More Dangerous Than Ever

Can I Deal With a Debt Collector Over Email?

Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.

There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.

Unfortunately, it was a repeating number.

Today, criminals are spreading evermore malicious forms of email spam, and the number of spam emails is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.

Multi-Tiered Attacks

Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, emails are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.

That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.

Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, thus triggering a copy of the Ursnif Trojan to install. Ursnif then swiftly steals account logins, credit card details, and other personal information.

There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.

“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”

Stunning Advancements

Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets were comprised of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.

Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.

These virtual bots represent stunningly clever use of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively and in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.

Wide-Open Attack Vector

Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”

Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden for staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.

What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.

Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.

Image: istock 

The post Why Spam Is More Dangerous Than Ever appeared first on Credit.com.

Does (at) Instead of @ Really Keep Spammers at Bay?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

Have you ever been on a website and noticed the site owner or another user has written out their email address in some variation of the following?

Name (at) domain dot com

If you wondered if the person was just averse to using symbols, you may be interested to know it’s actually a decent method for reducing unwanted spam emails and protecting yourself from possible phishing scams and even identity theft.

We talked to digital security expert Adam Levin, co-founder of Credit.com and chairman and founder of CyberScout (formerly IDT911), to learn more about how it works.

Good ‘Cyber Hygiene’

“One way spammers harvest email addresses is by sending out bots that are instructed to look for and scrape letter strings that contain the @ symbol,” Levin said.

For that reason, it’s a good idea to practice what Levin refers to as “good cyber hygiene” when entering your email address on public sites. Writing out your email address lets you do that. (Check out our tips for keeping your email safe and secure.)

Phishers can be dangerous, especially if you wade through a tremendous amount of email each day. They create emails that closely resemble legitimate companies and entities that can be difficult to spot as phony, especially when you’re in a hurry to get through your emails.

Using “at” and “dot” makes it more difficult for spambot programs to detect and grab your email address, Levin said. That can be helpful for small business owners whose information is listed on their website, social media accounts or other digital locations.

“For hackers and fraudsters, email addresses are essential tools used to phish their target,” he said. “Because the ultimate guardian of the consumer is the consumer, this is another way to be proactive about protecting your identity and personal data.”

Over the years, some spammers have made an effort to scrape even strings containing “at” and “dot” in hopes of gaining access to email addresses, though sifting through this data to find actual addresses requires manual review and is time-consuming.

If you’re concerned about spammers getting your email information or phone number through this method, you can  create an image of this data that bots can’t read. With this method, the only way for spammers to “harvest” your information is manually, which means you’re pretty safe.

The bottom line when it comes to keeping your information safe is staying vigilant. Check your financial and digital accounts regularly. Check your credit reports for free once a year with each of the major credit bureaus. Ensure the reports are accurate and that you recognize all the accounts. If you suspect there are mistakes, reach out to the bureaus (Experian, Equifax and TransUnion).

Finally, to monitor your credit more closely, you can use a free tool like Credit.com’s Credit Report Summary for a breakdown, updated monthly, of the information in your credit report, along with free credit scores. If you see your score drop for no reason, something could be up.

Image: svetikd

The post Does (at) Instead of @ Really Keep Spammers at Bay? appeared first on Credit.com.

Bing Just Banned These Ads for Being Scammy

GirlComputer

Tech support scammers love taking advantage of Windows and Mac users so they can persuade them to pay exorbitant fees for “repairs.” They also love appearing in online search engines, like Bing, where it’s easy to trawl for new victims.

Sadly, for the scammers, Microsoft’s search engine banned ads for those tech support services this week, “because of serious quality issues that can impact end user safety,” according to a company blog post. Though not every tech support ad is a scam, the company felt scammers were using those ads to take advantage of vulnerable consumers.

The news comes just days after Google banned ads for payday loans and about a year after Facebook unveiled a similar policy banning ads for “paycheck advances or any other short-term loan designed to cover someone’s expenses until their next payday.”

When shopping or banking online, it’s important to pay extra attention to the site’s security by looking for “https” at the beginning of a web address so you know it’s secure and encrypts personal information such as a credit card number or your name or home address.

Also beware of phishing, or emails claiming to be from a company or friend, that ask for sensitive information such as your Social Security number. Spear-phishing is a more targeted form of phishing, in which hackers go through lists of contact data looking for people who seem more vulnerable to their tactics.

If you believe you’ve fallen prey to an IT ad scam, be sure to check your credit report for any signs of fraud. The most common signs of identity theft include new and unfamiliar accounts in your name, mysterious addresses on your credit report and credit cards being declined at the terminal. (You can view your free annual credit reports once a year from AnnualCreditReport.com and see two of your credit scores for free, updated monthly, on Credit.com.)

More on Identity Theft:

Image: Xesai

The post Bing Just Banned These Ads for Being Scammy appeared first on Credit.com.