Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for March 2009

Hot Videos? Highly Rated Pics?!? Beware!


Friday, March 27, 2009 by David Romerstein

This week’s upsurge in attempts to social engineer control of your computer out from under you comes at the expense of the reputations of several social networking sites. Last week, it was fake news stories, with promises of horrific video of bomb blasts close to you; this week, it’s fake Classmates.com and Facebook announcements of ‘highly rated’ videos and pictures of Young Girls Doing Things. The emails all have subjects (like the following) designed to trigger the prurient interests of Internet users:

Subject: Facebook message: Facebook girl Striptease Beautiful dance (Last rated by Cecile Lucero)
Subject: Classmates private: Party Photos (Last rated by Colby Hunt)

(There’s also cross-pollination, as there have been supposed “Classmates messages” advertising that Facebook girl – she must be popular!)

Unfortunately, disappointment lurks at the URL in the body. There, you’ll find a picture and a notice that, yes, your Flash player is out of date and must be updated. The ‘update’ will not allow you to view any pictures or video; instead, it will turn your machine into a zombie, invisibly under the control of one of the botmasters.

As with any of these infection attempts, there are a number of things you can do to protect yourself. First and foremost, surf smart. Don’t install software because a website told you to; if you find that you really need to update your Flash player, go get it from Adobe themselves. Keep all your security software up-to-date – that includes anti-virus, firewall, and anti-spam software. Monitor threat evaluation sites like Threat Expert, the US Computer Emergency Readiness Team (US-CERT), and the Internet Storm Center.

And, of course, be suspicious any time someone you’ve never heard of wants to share private photos with you.

All the news that’s fit to infect you…


Thursday, March 19, 2009 by David Romerstein

The Waledac botnet is trying to grow again, and the herders may have hit upon a great new twist. Waledac bots are currently sending out huge numbers of fake Reuters news articles about a bombing near the recipient’s location. These emails point to a “Breaking News” website that claims to have a link to video of the story that requires you to update your Flash player (except that what they serve you is not a new Flash player, but a bot infestation).

What makes this unusual is that fake news story (or, rather, the machines that host it). The infected machines serving the ‘news story’ webpages are also performing geolocation tests against the IPs trying to pull the page, and altering the content based on where they think that IP is located. If they can determine where you are, the ‘breaking news’ story that you get will be tailored to you, saying that the bombing took place in a town near you. In terms of social engineering, this goes a long way to making the content more believable.

How can you protect yourself from this? To start, make sure your anti-virus signatures are up to date. Be wary of previously unknown sites – don’t install software just because a website told you to. Visit the US Computer Emergency Readiness Team (US-CERT) website – they’ve got great papers on avoiding social engineering attacks and other email scams.

“In this world nothing can be said to be certain, except death and taxes.”


Monday, March 16, 2009 by David Romerstein

Benjamin Franklin wrote those words in a 1789 letter to Jean Baptiste Le Roy. I’d like to add one more thing to the list of certainties: “Someone is going to try to social-engineer you out of your money”. In this case, they’re using one of the other certainties to do it.

With a month to go before Tax Day here in the US, phishers are ramping up their attempts to get their hands on your financial information. There’s been a definite uptick in phishing emails posing as revenue officials. A couple of examples:

[Image: irs_phish]

The link in this picture, of course, doesn’t go to the IRS’s website. Instead, it links to a bare IP address.

Our friends in the UK aren’t being left out, either:

[Image: uk_tax_phish]

The link in this phish went to a page at a free webhosting provider, not to the HMRC website.

There are many steps you can take to protect yourself. Make sure you’ve got the latest version of your web browser, as most have added functionality to point out suspicious sites. You can also install a third-party toolbar (like the Netcraft Anti-Phishing toolbar) that warns you of suspicious sites. Most importantly, be alert – know the web addresses of your revenue service (http://www.irs.gov for the US, http://www.hmrc.gov.uk for the United Kingdom) and your bank(s), and don’t enter personal information on a website unless you’re positive you’re on the correct site. If you have a question about the legitimacy of a site, you can call the customer support line of your bank or your revenue service to confirm.
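The two tells described above (a link to a bare IP address, and a link whose real host is not the revenue service's own domain) can be checked mechanically on an HTML message body. The sketch below is an added example, not code from the original post; the `TRUSTED` list, the function names and the sample message are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("irs.gov", "hmrc.gov.uk")  # the two domains named in the post

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_link(href, text):
    """Return reasons the link is suspicious (empty list means no finding)."""
    host = (urlsplit(href).hostname or "").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address")
    except ValueError:
        if not is_trusted(host):
            reasons.append("host not a known revenue-service domain")
    # Visible text names a trusted domain but the real target is elsewhere.
    if any(d in text.lower() for d in TRUSTED) and not is_trusted(host):
        reasons.append("link text claims a trusted domain")
    return reasons

def scan(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample body (documentation addresses, not from a real message).
SAMPLE = ('<a href="http://192.0.2.15/refund/">http://www.irs.gov/refund</a> '
          '<a href="http://taxrefund.freehost.example/hmrc/">Claim your refund</a> '
          '<a href="http://www.irs.gov/">IRS</a>')
```

Matching on the full host suffix rather than a substring means a lookalike host such as `www.irs.gov.refunds.example` is still reported as untrusted.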

An Appreciation of Spam


Thursday, March 05, 2009 by David Romerstein

This week is SPAM™ Appreciation Week in the UK. Of course, they’re celebrating the canned meat that helped win World War II, but I thought I’d take the opportunity to come up with reasons to appreciate the other kind of spam.

1) Spam makes you feel wanted
Everyone hates the empty feeling in their gut when they get home from a long day at the office, open their postal mail box and discover… nothing. No mail. There’s that tiny little ‘nobody loves me’ pang. Spam makes sure you never have that feeling when opening your email inbox, because there’s always something. Today, a sales pitch for fake luxury watches; yesterday, a notice that the long-lost great-aunt you didn’t know you had in Nigeria has passed away and left you millions; tomorrow… who knows?

2) Spam is making the Internet better
Spam is, by many estimates, as much as 90% of the email on the Internet today. That much extra mail requires lots of extra network bandwidth (between ISPs and from ISPs to customers) to make sure every packet gets delivered in a timely fashion. More spam? Spend more money upgrading your network and servers yet again, find new ways to optimize connections in equipment you already have, or look for ways to improve the protocols used to talk between networks. Everybody wins when we can find ways to push more data around. Speaking of buying new equipment, that leads me to…

3) Spam helps the economy
Even in these troubled times, network operators and ISPs are going to continue to need to upgrade servers and network equipment to handle the extra load from increasing spam, thus releasing precious capital back into the economy. Add to that the money being spent on those fake watches, and the fortunes to be recovered from those long-lost Nigerian aunts… we might almost be able to solve the financial crisis right there!

4) Spam makes people smarter
Not immediately, of course, and I’m not talking about “Make your brain larger” spam. Recipients of large amounts of spam are getting smarter regarding where and how they give out their email addresses as well as what to do with the mail they do get. Sure, there are still plenty of people who open every attachment they receive, but many more people are wary about opening things from people they don’t know, about keeping their anti-virus and security software up-to-date, and about how to report spam to their ISP. They’re also less likely to give out their email addresses without checking privacy policies, or perhaps to have one email address for private mail and separate, disposable addresses for online signups.

Given all this, I can see why folks in the UK could be celebrating spam. It certainly does have a bright side or two when you look at it the right way, doesn’t it?

