The Spam Primer started in 1996 as a way to help people deal with a new problem: spam. Even then, author Randy Cassingham realized spam would become a huge problem for everyone who depends on e-mail (and it has: it’s estimated that about 90 percent of all e-mail traffic is spam, which makes it difficult for legitimate e-mail to get through, and to find it among all the garbage!)

The next time you hear someone say “what’s the big deal, just delete it” (or worse, “just click the unsubscribe link”), send them to SpamPrimer.com.

(Click to see full image.)

That’s just a piece of the list.  In total, I received 1,057 copies of that phish in the course of a couple of weeks.  (And every one of them was dated 3-Aug-2011, regardless of when it actually was sent.)

The attachment was supposedly a PDF containing further information.  It was, of course, a Windows executable (with “.pdf.exe” at the end of the filename), which AVG says is “VirusFakeAlert”.

Well, a well-known hacker named Charlie Miller found a way… the battery.

That’s right, the battery.  It turns out that the latest models of Apple’s MacBooks have “smart” batteries with a chip to monitor things like battery usage, status, and so on.  And, apparently, none of the designers thought to secure the battery’s microcontroller beyond a simple password, which is the same for every battery.

According to an article at geek.com:

By reverse engineering the firmware used for the chips he can tell the laptop anything he wants about the state of a battery. That makes it very simple to render the battery unusable and requiring the user to buy an expensive replacement. Although he didn’t attempt it, overloading the battery to the point where it overheats causing damage is also feasible.

It gets worse, though. Instead of relaying battery status updates to Mac OS, Miller believes it would be possible to inject malware on to the system through the chip.

As quoted in an article at tekgoblin.com:

“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would re-attack and screw you over. There would be no way to eradicate or detect it other than removing the battery.”

You can read Charlie Miller’s own description on the blackhat.com site archives, where he gave a talk about it last month.  Note that many laptops come with such “smart” batteries, which allow things such as charging (but not over-charging) the battery even with the computer off.

(By Leo A. Notenboom of Ask Leo!)

Have you ever had a new toolbar suddenly “appear” in your browser? Although it might not seem like you agreed to install it, the likelihood is that you did.

One of the most frustrating strategies companies use to deploy more toolbars relies on your not paying close attention when installing software or other programs on your computer.

For example, let’s say you’re installing an update to the popular Java runtime, which is software used by some websites to provide rich functionality beyond just displaying static pages.

The update consists of the normal installation program, and then proceeds to ask you the normal installation things, including agreeing to the software license.

Then another screen comes up and without reading it you’re about to click Next.

Wait!

In doing so you would have been asking to have the Yahoo! toolbar installed.

Nothing against Yahoo, Java or Sun here, but this can be very annoying. It’s not that the Yahoo toolbar is bad. It’s actually a fine toolbar. The annoying part is this:

• The offer appears during an update- you’d already made your selection when you initially installed the program, there’s no need to ask again.
• It defaults to “Yes”. Anything optional, particularly anything totally unrelated to what is being installed, should default to off.
• They’re “sneaking it in”. OK, this is really subjective, but you can’t help but feel like this might be an attempt to sneak the installation in, during a process where people are usually just hitting Next repeatedly to get the install over with.

This installation is not the only case. During installation of many software packages – both initial installs and updates – the option to install a toolbar will often be selected by default. You have to click a box to opt out. This choice typically comes during the middle of the process when you’re conditioned to hitting “next” just get it over with. If you’re not paying attention once you’re done suddenly a new toolbar will “appear.” A toolbar you didn’t realize you had actually agreed to.

Typically, installers include this option to earn profit. It’s a way for those offering free software to recoup some of the cost. But this habit certainly shows up in paid for software as well.

This tactic is a perfect example of why it is important to pay attention during installations and updates. Read each step before clicking next or you might find you’re about to “ask” for something you didn’t really want at all.

BTW, I wanted to post this on our BTR blog, but they have removed that feature.  (Existing posts remain, but you can’t add or change posts.)  So much for the “B”.

However, what followed did not look like your typical phishing scheme. In fact, it was a real e-mail from SourceForge.net.  Here’s the main part of the e-mail, along with my thoughts on what they did “right”.  (As well as what they could have done “better”.)

Hello,

We recently experienced a directed attack on SourceForge infrastructure
(http://sourceforge.net/blog/sourceforge-net-attack/) and so we are
resetting all passwords in the sf.net database -- just in case.  We're
e-mailing all sf.net registered account holders to let you know about this
change to your account.

So far, it’s not much different than all those phishing e-mails we’ve seen. (Well, except for the use of proper English grammar and spelling, that is.) But, it continues…

Our investigation uncovered  evidence of password sniffing attempts.  We have
no evidence to suggest that your password has been compromised. But, what
we definitely don't want is to find out in 2 months that passwords were
compromised and we didn't take action.

So, as a proactive measure we've invalidated your SourceForge.net account
password. To access the site again, you'll need to go through the email
recovery process and choose a shiny new password:

https://sourceforge.net/account/registration/recover.php

If you need help with this, feel free to e-mail us:

sfnet_ops@geek.net

We appreciate your patience with us as we work to respond to this attack.
We'll be working through the weekend to get things back to normal as
quickly as possible.

Watch for updates on the service outages on our blog:

http://sourceforge.net/blog/

Thank you,

The SourceForge Team

So, what did they do “right” that made it stand out as real, and not likely to be a scam?

• Most phishing scams are written by someone whose native language is apparently not English. This e-mail is well written.
• The e-mail is plain text. There is no HTML (and all the possibilities of malware that go with it) in sight.
• They do not ask for any information in the e-mail.
• There is no “you must do this within 72 hours or your account will be permanently deleted” sense of urgency that scammers love to use. (The rush of “you must do it now, or else” causes many people to forget about any precautions they would normally use.)
• If you go to the SourceForge.net website and click “log in”, there is a highlighted box on the page that says:

If you haven’t yet, you need to reset your password due to the global password change event that occurred on 2011-01-28.

• Clicking on the link on the e-mail (which, being all plain-text, can’t hide the “real” website name, as you can with HTML) takes you to a page that, once again, doesn’t ask for any “confirm your identity” information. Rather, it’s just as if you clicked the “I forgot my password” link on many login pages. It simply asks for your e-mail address, and it will send you an e-mail with a special “reset my password” link that only you can use. Only someone with access to your e-mail can access the password reset.

Now, here are a few things I think they could have done better.

• The message starts simply “Hello”, with no reference to my name. Now, to be fair, the only place you give SourceForge your “real name” is in your account settings under “publicly displayed name”. Nothing requires that you give your real name, nor any other name for that matter. However, even if you used a handle or nickname, this information could have been included in the greeting.
• They included a link to a page on the website which is not the site’s main page, without including any alternate means of doing the reset.  (ie: Go to the SourceForge.net main page and click “log in”. From there, click the “reset password” link.)
• The e-mail address given to contact for more information is not a SourceForge.net address.

However, overall, they did a very good job of communicating the important information to their users, all the while standing out from the crowd of phishing scams.  Kudos to SourceForge.net for the way they handled this.

Phishing is interesting, and difficult to protect against.

But I do have a strong recommendation for the absolute best anti-phishing tool.

You

You are the best anti-phishing tool. In fact, in some cases you are the only possible anti-phishing tool.

Click here to read the rest of his article.

Now, I don’t have a LinkedIn account, though I do get the occasional “real” e-mail from them with an invitation to join from someone I know. But, even if I did have an account, I would like to think that, upon opening my e-mail in the morning and finding 217 identical messages from overnight, red flags would be going up for just about anyone.

So, what’s the payload?

In the most recent incarnation, it takes you to a page that “complains” that you don’t have the latest version of Flash installed (see my previous post on similar scams):

There’s no need to actually click the “install now” button, as simply visiting the web page with the above image will cause your browser to start the download.  (Hopefully, your browser will tell you it’s about to download a file, and ask permission.)

AVG identifies the file as containing “Trojan horse PSW.Generic8 WDK”.

If you do visit a web site that claims that you need to update your Flash player, the safest way to do so would be to visit the Adobe website directly, and download it yourself. (Even if it’s a legitimate website, I’ve heard of cases where the ads displayed on the site have been compromised. Make sure that any “out of date” notification isn’t from an advertisement.) Or, use Mozilla’s plugin check webpage to keep all of your plugins up-to-date.

This is an amazing by-product of social networks. The ability for users to identify and kill viruses, worms, trojan horses, etc. These types of unique social network ecosystems reflect activity existant in the natural world.

[...]

“Social networks have built-in antibodies…their users,” said Sean Sullivan of the Finnish security company F-Secure. “Compare the Twitter attack to a malicious attack of yesteryear that took weeks or even months to develop. This peaked and ebbed in two and a half hours,” Sullivan said.

That’s not to say that spammers don’t love sites like Twitter, because all they care about is finding some sucker to buy their product. A two-hour flood of spams is “great”, as far as they are concerned. But, it’s an interesting concept regarding worms and other malware on such sites.

Thoughts?  Comments?  Leave them in the comment area below.  Thanks.

Now, many people often send themselves a copy of important e-mails that they send to others, so they have their own copy in their inbox. And, to prevent such e-mails from possibly hitting their spam traps, they whitelist their own address. While this sounds like a good idea on the surface, it’s actually a bad idea in today’s spam-filled era.

The problem is that many spammers use this fact to actually help deliver their spam. Because the protocols used to transfer e-mail from one system to another don’t require any validation on the headers of the message (those parts of the message with things like “from”, “date”, and “subject”), nothing stops anyone from forging those header lines. And spammers will often forge your e-mail address as the “from” address, making it appear as if it came from yourself. If you whitelist your own address, any spam with your address forged in the “from” will be sent directly to your inbox.

For this same reason, “blacklisting” addresses (automatically blocking any e-mails based on that address) won’t help eliminate spam, because the spammers that don’t forge your address will simply forge different addresses. Yes, sometimes “legitimate” mainstream (sometimes called “mainsleaze“) businesses sometimes decide that spamming is a legitimate way of advertising, or use a client e-mail list to sign them up to newsletters they didn’t ask for, and blacklisting will block such spams. But, that’s the exception rather than the rule.