Warnings Feed

26 May 2014

Why do we accept $10 security on $1,000,000 data?

Last week we heard of yet another egregious security breach at an online provider, as crooks made off with the names, address, and birth dates of eBay users, along with encrypted passwords. They suggest you change your password, which is likely a good idea, and you better also change every other place you used the same password. But that's not much help since you can't change your name, address, and birth date, which are ever so handy for phishing and identity theft.

Continue reading "Why do we accept $10 security on $1,000,000 data?" »

Posted at 10:13 in Legal, News, Warnings |

18 March 2014

The Crap They Sell Online

The Internet offers consumers a vast global marketplace, which is really cool. Personally, I like rare audio recordings by obscure artists, and the net comes to the rescue more often than not. And talk about the savings! I recently purchase a television wall-mount for 60% less than Costco wanted for the same item! Yay me.

But at the same time, we see an endless stream of scams, and hacks, and other problems. One of the perennial things is snake oil. The term usually defines useless stuff pretending to be medicine, and is historically attributed to hucksters who sold the stuff door-to-door in the early 1900s (As an aside, an interesting historical note: Harlan Sanders sold his chicken recipe door-to-door until self-promoting himself to Colonel and making the big-time with Kentucky-fried poultry).

This snippet from Wikipedia refers to one of the first lawsuits against snake oil vendors:

The composition of snake oil medicines varies markedly among products.

The United States government in 1917 tested Stanley’s snake oil—produced by Clark Stanley, the “Rattlesnake King”. It was found to contain:

  • Mineral oil
  • 1% fatty oil (presumed to be beef fat)
  • Red pepper
  • Turpentine
  • Camphor

This is similar in composition to modern-day capsaicin-based liniments or chest rubs.

None of the oil content was found to have been extracted from any actual snakes.

The government sued the manufacturer for misbranding and misrepresenting its product, winning the judgment of $20 against Clark Stanley. Soon after the decision, "snake oil" became synonymous with false cures and "snake-oil salesmen" became a tag for charlatans.

SnakeOilDecision

But of course, those were the olden days, and people would be so foolish in these sophisticated times, now would they?

Well, witness the backlash to Anti-vaxxer Jenny McCarthy, who asked a simple question on Twitter, and got an earful of venom sent back to her.

Jenny McCarthy asks Twitter a question and gets schooled on her anti-vaccination nonsense - National Post March 17, 2014

"Dr." Jenny McCarthy

Dr. Jenny McCarthy

Witness the backlash live on Twitter - check out the hashtag #JennyAsks

 

As well, famous television weight loss snake oil scammer Kevin Trudeau was recently convicted and sentenced to ten years in prison for defrauding his victims.

Kevin Trudeau Sentenced to 10 Years In Prison - NBC, March 17, 2014

"Dr." Kevin Trudeau

Trudeau

 

Someone suggested to me that ‘"The Weight Loss Cure They Don't Want You to Know About" is probably prison food, which should keep Mr. Trudeau nice and slim for the next decade.

 

I subscribe to a newsfeed published by the United States Food and Drug Administration (FDA) and I was taken aback at how many actions they have taken against Snake Oil, mostly online sales, in these past three months. As you can see, pills for weight-loss, and what is euphemistically referred to as ‘men’s health’, are extremely popular.

 

Most of this garbage can even be readily found at legitimate on-line retailers like eBay and Amazon; a healthy dose of skepticism is what you need when buying a potentiation to make your belly smaller, or your body-parts larger.

One great source of information is Montreal’s McGill University’s Office for Science & Society run by Dr. Joe Schwarcz. He devotes his career to solid, science-backed advice on healthy living and debunking snake oil salesmen, kind of like the James Randi of the food and health set.

We encourage you to check out Dr. Joe’s website here, his Facebook page here, and his radio show here.

As the character Sergeant Phil Esterhaus used to say on Hill Street Blues: "Let’s be careful out there!"

Posted at 04:42 in Legal, Warnings, World |

26 February 2014

Opt-in At Gunpoint Isn’t Opt-in

There are loads of good reasons why you might want to require an address, and confirm it, when someone is signing up for your WIFI service.

However, one of them is NEVER ‘so we can send you unwanted spam’. Like this one :

 

Westin

 

I encountered this silly approach to ’growing a marketing list’ at the Westin Market Street in San Francisco recently, and since I figured the sign-up might be tied to my room, and disallow repeat attempts, I gave them a real address. As it turned out, I could have entered FredFlinstone@bedrock.com since they didn’t actually confirm the address …

So what has the Westin accomplished? They are forcing people to give the a ton of bad addresses, most of which will bounce, the rest of which will complain about any mail being send to them as spam, and rightly so.

What a dumb policy. I told the conference organizers about this, so they could take it up with management. We’ll see what happens next year, same time, same place.

Posted at 16:05 in Legal, United States, Warnings |

23 February 2014

Russian Cybercrime

Speaking as a Canadian, Sochi was pretty nice. However, in terms of cybercrime, NBC recently published a report which sums it up pretty well :

 Skilled, Cheap Russian Hackers Power American Cybercrime

The following clip is from a remarkable documentary called ‘Thieves by Law’ about the Russia organized crime syndicates and their relationship with the Russian government, which is pretty stunning in its assertions.

 

  

 

 

Posted at 21:08 in Frequently Asked Questions, Legal, Warnings, World |

09 December 2013

Canada's Anti Spam Law : Spam isn't Just Nigerian Princes & Body-part Adjustment

Long-time Anti-spammer & Publisher of MainSleaze Catherine Jefferson Discusses CASL and its Impact on Mainstream Marketers

In early December 2013 the Canadian government announced that the 2010 Canada's Anti-Spam Law (CASL) will go into effect on July 1, 2014. Although this law covers considerably more ground than just unsolicited bulk email (spam), it is very good news for those who fight spam, and especially good news for those of us who fight spam by otherwise legitimate companies. The reason? CASL requires (with some limited exceptions) that recipients of bulk email give explicit consent to receive the email before it is sent. In other words, CASL requires opt-in. Unlike the U.S. CAN-SPAM law and many other laws in many other countries, CASL actually forbids most spam.

CASL also has teeth. Violations of the CASL opt-in requirement can draw fines as high as $10 million Canadian per infringing email. By all appearances, the Canadian government agencies responsible for enforcement of CASL are prepared to enforce the law vigorously.

CASL applies to “criminal spammers” — the sorts of spammers that use botnets and compromised servers to advertise quack medications, controlled substances, fake luxury goods, or solicit help to move large sums of money out of Africa in return for an up-front fee. I do not expect CASL to be of much assistance reining in criminal spam, however, because I do not expect criminal spam gangs to obey CASL or pay CASL fines. Such spam gangs are often located in countries that offer them safe havens from law enforcement, and the identities of the people that run them are unknown. Other methods than CASL or anti-spam laws (such as blocklists, spam filters, and Interpol) are needed to fight that type of spam.

CASL also applies to what I call mainsleaze spammers — legitimate companies and organizations that use their own IPs or legitimate email service providers (ESPs) to offer legitimate goods and services. Legitimate companies sometimes break the law, but they do not often ignore it entirely. If prosecuted or sued, they and their attorneys normally appear in court to defend themselves. Legitimate companies also send a great deal of solicited bulk email mixed in with the spam, so IP or domain blocks and spam filters cause significant and sometimes-unavoidable false positives. Properly-written and properly-enforced anti-spam laws can target only the spam and be used to punish those who send spam without blocking email that people asked to receive.

A number of people with legal backgrounds have posted blogs detailing the provisions of CASL. I know spam better than I know the law, so I took a look at how this law might apply to a number of actual spams that I have received if either the sender or I were Canadian. Below I discuss four cases where one or more spams was sent either to my spamtraps or to a personal email address of mine. Each of the spams that I discuss was sent by a legitimate U.S.-based or multinational corporation via either their own IPs or a legitimate email service provider (ESP). 

  • Telecommunications Giant: Selling Internet & TV Service: In October 2011, a U.S. telecommunications company spammed an email address at a domain of mine that has never had a legitimate email address, advertising its all-in-one TV and Internet package. This email violated CASL. If the company sends a similar email to a Canadian citizen after July 1, 2014 and the citizen reports it, they face a stiff fine.

  • Social Networking Site: Sent Invitations to Non-Members. In early 2012 a large social networking site sent repeated invitations, and reminders, to an email address of mine that did not belong to that social network. After some pressure, the site added an opt-out mechanism, but to this day most social networking sites continue to send invitations to non-members. These emails violate CASL. If the company that spammed me continues to send invitations to Canadian citizen non-members after July 1, 2014 and one reports it, they face a stiff fine.

  • Large Software Company: Selling its Newest Product. In late 2011 a major software company spammed a pristine spamtrap with an advertisement for the new release of its flagship product. The email violated CASL. If the company sends an email to a Canadian citizen after July 01, 2014 they face a stiff fine.

  • Gourmet Food Company: “Opting-in” customers who previously opted out. I occasionally shop online at an internationally-known gourmet food company. When I first bought from them, I opted out of all offers after the first arrived in my inbox. Since then, I’ve shopped there four times. *Each* time I was opted back in and started to receive offers again, despite repeated opt-outs. As best I can tell, this practice violates CASL. If after July 01, 2014 the company continues to re-opt-in Canadian customers who opted out each time they place an order, they face a stiff fine, in addition to loosing customers. (I’ve found somewhere else to buy goodies.)

You would think that companies that obey the laws would also be open to appeals to ethics and simple good manners, but I have found that this assumption is incorrect entirely too often. The companies whose spam I discuss above generally respect the law. Nonetheless, all three of them also demonstrated a fundamental disrespect for the right of individuals to choose whether to receive that company’s email advertisements or not. Unlike many people, I know how to determine who sent me an email. I know who to complain to, and how to complain effectively. I also have a forum where I can complain and be heard: the Mainsleaze Spam Blog. That did not prevent two of these companies from spamming me repeatedly.

These spams illustrate the often-frustrating fact that the threat of loosing customers or potential customers is not enough to prevent some companies from spamming. Marketers assume that if they target their advertisements properly, most people that they target will want to receive their offers whether they asked for those offers or not. Many marketers are convinced (rightly or wrongly) that, if they spam, they will sell more goods and services than they will if they do not spam. VPs of marketing and CMOs who think this way often carry the day with company presidents and CEOs, who must answer to their boards of directors when profits or the company’s stock price drop.

Many ESPs have strong antispam policies. Some of these ESPs enforce those policies effectively and consistently. At the end of the day, though, all ESPs depend upon the companies that mail through them to keep them in business. So, when companies are under pressure to spam, their ESPs are under pressure to help them spam or at least to look the other way.

Fortunately good laws can bring their own financial pressures to bear. Legitimate companies do not like to pay substantial fines any more than individuals do. As the saying goes, $10 million here, $10 million there, and pretty soon you’re talking about real money. If companies and ESPs believe that they are likely to be prosecuted and face fines that top out at $10,000,000 Canadian dollars per email, most will stop spamming, even those who are otherwise willing to spam.

CASL also allows non-Canadians to complain about spam that they receive from a Canadian company, although it defers to the spam laws in the recipient’s country. Canadian investigators and prosecutors are expected to act on these complaints, extending the reach of CASL outside of Canada’s borders. As an American who deals with spam, I am most grateful to Canada for helping provide me a level of protection against being spammed by companies that my own government doesn’t, under CAN-SPAM.

CASL isn’t perfect. It has built-in grace periods for many opt-in requirements (see FAQ => About the Law => Regardless of the date set for coming into force, will there be a phase-in period for compliance…), periods that exempt mailers from the full rigor of those requirements for as long as three years in some cases. Given that the law was passed in 2010, I have to wonder whether mailers really need this much time to bring their practices into compliance with CASL. It shows too much respect for the much poorer antispam laws in other countries. It also exempts some political and non-profit organizations that I believe it should cover. As with all laws, its effectiveness also depends on how well it is enforced.

However, Canada’s Anti-Spam Law is far and away the best national anti-spam law that I’ve read yet. Kudos to the many legislators, legislative assistants, consulting attorneys, and (not least) antispam activists who made it happen.

Catherine Jefferson wrote the first spam-filtering software package, SpamBouncer in 1996.

Posted at 09:00 in Canada, Legal, Prognostication, Warnings |

Tags: canada's anti-spam law, casl, mainsleaze, spam

29 November 2013

Confirmed Opt-In Aint' All It's Cracked Up To Be

There is no silver bullet, and there is no panacea.

Confirmed Opt-In is not the only way to do email marketing with permission. Permission can take many forms.

Posted at 19:54 in Warnings |

21 November 2013

'Dun & Bradstreet' Malware Email

I just received this email ostensibly from business reputation firm Dub & Bradstreet. The fact that I don’t actually have a business at present time didn’t escape me, but the verbiage of the email is compelling, and I can see why someone might inadvisedly click on the attachement

 

 

Email

 

I carefully saved the attachement and went over to VirusTotal and uploaded it there. No suprise, it is malware. See for yourself

https://www.virustotal.com/en/file/d7af52303817627a5708d3bc365499b0ec685aa52f3d698a57b38a40d6728b7e/analysis/

Looking at the headers we see that this was sent from an IP in Mexico, presumably not a sending platform used by D&B

Received: from fixed-189-17-231.iusacell.net (fixed-189-17-231.iusacell.net [187.189.17.231] (may be forged))

 

inetnum: 187.188/15 

status: allocated
aut-num: N/A
owner: Iusacell PCS de Mexico, S.A. de C.V.
ownerid: MX-IPMS2-LACNIC
responsible: Rafel Rodriguez Sanchez
address: Montes Urales, 460, Col. Lomas de Chapultepec
address: 11000 - Mxico - DF
country: MX
phone: +52 55 51095068
owner-c: CHD
tech-c: CHD
abuse-c: CHD
inetrev: 187.188/15
nserver: GWIUSACELL.IUSACELL.COM.MX
nsstat: 20131119 AA
nslastaa: 20131119
created: 20111208
changed: 20120604

 

The From: is alert@dnb.com and D&B has SPF records, but does not publish firm -all assertions which would allow a receiving system to reject such mail with 100% confidence and so we see this result: 

Authentication-Results: iecc.com; spf=softfail

 

dig://dnb.com;debug=0;querytype=TXT

; <<>> DiG 9.8.3-P1 <<>> dnb.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnb.com. IN TXT

;; ANSWER SECTION:
dnb.com. 300 IN TXT "v=spf1 mx ip4:68.233.77.18 ip4:72.19.252.170 ip4:202.129.242.64/31 ip4:204.14.232.64/28 ip4:204.14.234.64/28 ip4:96.43.144.64/31 ip4:96.43.148.64/31 ip4:182.50.78.64/28 ip4:220.130.152.173 ip4:204.92.22.200/30 " "ip4:12.129.29.143 ip4:158.151.208.120/31 ip4:158.151.214.66/31 include:alerts.wallst.com ~all"

;; Query time: 100 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Thu Nov 21 09:07:43 2013
;; MSG SIZE rcvd: 342

Posted at 12:13 in Frequently Asked Questions, Technology, Warnings | | Comments (0)

27 October 2013

The DMA Spams A Bunch of Anti-spammers

On Saturday, October 26, around 9:00 a.m. in the morning, The American Direct Marketing Association sent out an email to a list that was clearly purchased. It was sent by way of Yesmail, data broker InfoUSA’s email wing.

Here’s the payload of the spam: 

Dmaspam

 

We know it to be spam to purchased lists because it was sent to ‘tagged’ addresses, single-purpose addresses used at only one place. Chief Marketer (directnewsline / pbinews.com / primedia.com aka Penton Media) were involved in selling or renting their subscriber lists, The DMA in mailing to them, and Yesmail in facilitating the emailing. This is not the first spa, seen at these aliases, Aviationweek.com also spammed them in September.

Here’s the funny bit, they claim recipients were interested in, or members of The DMA. That’s an outright lie!

You received this email message at redacted@munged.com due to your membership, participation, or interest in DMA. 

In fact, not only did the DMA spam several people at CAUCE, but they also managed to spam Steve Linford, the CEO of Spamhaus, the world’s most well-used anti-spam blacklist. Spamhaus wrote about the issue, here. The DMA should know better than to rent of purchase lists; the provenance of permission is always lousy. The only way to properly advertise your goods and services on someone else’s list is to have them place your creative in with their regular mailings.

The spam run precipitated in four Yesmail IPs getting listed on the SBL (Spamhaus Block List)

97.107.23.191/32 

97.107.23.192/31

97.107.23.194/32

 

2013-10-27 02:00:19 GMT | yesmail.com
Spam Source (email-dma.org / thedma.org / the-dma.org) (U.S. Direct Marketing Association)



Posted at 10:05 in Legal, News, United States, Warnings, World | | Comments (0) | TrackBack (0)

28 September 2013

spamNEWS 09/28/2013

CAUCE posts regularly on topics related to spam. Here are our picks of the most interesting news items of the day.

You can follow them in real time on Twitter on Google +  or on LinkedIn

Facebook wins $3M injunction against spammer Steven Vachani aka Power.com http://news.cnet.com/8301-1023_3-57604866-93/facebook-wins-$3m-injunction-against-spammer/

Revealed: UK secretly arrested 16-year old boy for world’s ‘biggest’ DDoS-attack http://rt.com/news/uk-boy-arrested-ddos-attack-411/

Data Broker Giants Hacked by ID Theft Service http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

DMARC Forward Reporting: Why Network Owners Should be Informed, too http://blog.abusix.com/2013/09/24/dmarc-forward-reporting-why-network-owners-should-be-informed-too/

LinkedIn Class Action http://www.linkedinclassaction.com

A Study of Whois Privacy and Proxy Service Abuse by @MAAWG STA Dr. Richard Clayton http://www.lightbluetouchpaper.org/2013/09/25/a-study-of-whois-privacy-and-proxy-service-abuse/

Is Fake iMessage App Malware or Not? http://www.enterprise-security-today.com/story.xhtml?story_id=121000A6NWYX&nl=7

Do not use iMessage Chat for Android – it’s not safe [Updated] @digitaltrends http://www.digitaltrends.com/mobile/imessage-chat-android-security-flaw/#ixzz2gDyzRIv1

ICANN and Your Internet Abuse By Garth Bruen @circleid http://www.circleid.com/posts/20130924_icann_and_your_internet_abuse/

Twitter's User Growth Slows, Perhaps As A Result Of Spam Account Purges Ahead Of IPO http://www.businessinsider.com.au/twitters-user-growth-slows-2013-9

Spam Arrest's Sender Agreement Fails Because Email Marketer's Employees Lacked Authority http://www.circleid.com/posts/20130919_spam_arrests_sender_agreement_fails/

Apple's a tasty phishing target for scammers http://www.pcworld.com/article/2049287/apple-is-a-tempting-phishing-target-for-scammers.html

Ransomware Puts Your System To Work Mining Bitcoins http://blog.malwarebytes.org/intelligence/2013/09/ransomware-puts-your-system-to-work-mining-bitcoins/

KETLER INVESTMENTS CC vs. South African INTERNET SERVICE PROVIDERS’ ASSOCIATION http://badwhois.info/Ketler_Invest_v_ISPA_JMNT_REVISED.PDF

Posted at 18:26 in Legal, News, Technology, United States, Warnings | | TrackBack (0)

16 April 2013

Boston Marathon Scams

Don't Be Scammed

Predictably, within hours of the tragic bombings yesterday that took place in Boston, scam domains in their hundreds, and fake social media pages began to spring up. To profit from a tragedy is contemptible, and CAUCE officers are doing their level best to ensure these domains are blocked, and taken down as quickly as possible.

Like you, we all mourn those who had their lives taken from them in Boston, and stand with those who were injured and affected by these vile deeds.

If you want to contribute in some way, please donate blood or money to the Red Cross. Go directly to their website here : http://www.redcross.org/news/press-release/Red-Cross-Statement-on-Boston-Marathon-Explosions 

Posted at 11:34 in News, United States, Warnings, World | | Comments (0)

« Newer | Older »
Subscribe to this blog's feed
Logo-casl
Logo-onguardonlinegov
Logo-getcybersafe
Logo-maawg

Categories

Archives

Search