Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Cyber Security’ Category

Money Mules and Honey Mules


Thursday, May 16, 2013 by Andrew Conway

One common form of spam that we see across all sorts of platforms is work from home scams. As well as traditional email, this can also be found on most social networks, and more recently in SMS.

She made it big doing this from her home. Check it out www.[redacted].com

The spammers often link to what appears to be a legitimate news web site. This SMS message, which addresses the recipient with the correct first name

Andrew – I’m in the news! Look: www.[redacted].com

takes you to a fake news web site that looks like this

[Image: Fake news web site]

There are three ways that this spam can be monetized. First it can be used for collection of personal details for identity theft. Secondly it can be used as an advanced fee scam – in order to earn money you first have to buy materials from the ‘employer’ that turn out to be worthless. Finally it can be used to recruit money mules for bank fraud.

Money mules are a vital step in a common form of bank robbery. It works like this. The controller of a small business receives an email addressed to them and opens an attachment. This contains a trojan, which takes over their computer. The trojan installs software which collects the credentials used to access the company bank account. This is usually more successful when the company banks with a smaller regional bank that does not have the same sort of fraud prevention in place as a major bank.

Meanwhile, the criminals have recruited a number of money mules who have been doing pointless make work tasks for a month or so, and have provided their bank account details to the hackers to receive payment. On the day of the theft, the hackers access the company bank account and start transferring money out to the money mules. They are limited to under $10,000 or $5,000 per mule, depending on the institution they bank with, so in order to steal $1,000,000 they will need at least a hundred mules. The mules are instructed to withdraw the money in cash, collect a small commission themselves and transfer the rest via Western Union or MoneyGram to an offshore recipient, often in Eastern Europe. In most cases the money mule has no idea they are participating in anything illegal.

As far as the criminals are concerned, money mules are a limited resource, as they are hard to recruit and can only be used for one fraudulent money transfer. Brian Krebs reported on a theft last month where he speculates that the hackers could not take more than a million dollars out of the account because they ran out of mules. Shortly after this theft we saw a spike in the volume of SMS work from home spam. For the two weeks after the attack, we saw 280% more work from home SMS spam than the two weeks before. Was this the criminal gang looking for new mules after they had burned up their entire gang in a particularly profitable heist?

[Image: Work from home SMS spam]

One technique used in spam detection is setting up large numbers of email addresses that have no real user. They are just exposed on the web somewhere, and then anything that is sent to them must be spam. These are called honeypots. Perhaps something similar would work to detect this sort of bank fraud? Set up some fake identities (let’s call them honey mules), sign them up for work from home schemes, and give each one a bank account that is flagged with the financial institution so that any transfer into the account is immediately regarded as fraudulent. That way the sending institution can be notified that the sending account has been compromised, can block further transfers, and can even reverse many of those that have already taken place before the other money mules can remove the money from their accounts. Of course, this would require close cooperation between the banks, law enforcement, and whoever is operating the fake identities.
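As an added illustration of the honey mule idea (example code, not Cloudmark’s or any bank’s), the sketch below runs over a constructed batch of outbound transfers from a business account: the first payout that lands on a flagged honey mule account marks the source as compromised, later payouts are blocked, and earlier payouts inside a review window are queued as reversal candidates. Account ids, amounts and the six-hour window are assumptions.

```python
"""Honey mule triage over constructed transfer records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts held by the honey mule operator and flagged with the bank
# (constructed ids). Any credit to one of these is treated as fraud.
HONEY_MULES = {"HM-0001", "HM-0002"}
# Payouts from the same source within this span before the honey mule
# hit are assumed to be the rest of the mule batch (assumed window).
WINDOW = timedelta(hours=6)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def triage(transfers):
    """transfers: list of (timestamp, src_account, dst_account, amount).
    Returns (compromised_sources, reversal_candidates, blocked_transfers)."""
    by_src = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_src[src].append((parse_ts(ts), src, dst, amt))
    compromised, reverse, blocked = set(), [], []
    for src, txs in by_src.items():
        txs.sort()  # chronological order per source account
        hits = [t for t in txs if t[2] in HONEY_MULES]
        if not hits:
            continue  # no honey mule involved; nothing to act on
        compromised.add(src)
        first_hit = hits[0][0]
        for ts, _, dst, amt in txs:
            if dst in HONEY_MULES:
                continue  # our own flagged account, nothing to reverse
            if ts > first_hit:
                blocked.append((src, dst, amt))  # frozen after detection
            elif first_hit - ts <= WINDOW:
                reverse.append((src, dst, amt))  # same batch, try to claw back
    return compromised, reverse, blocked

SAMPLE = [  # constructed: a victim business account draining to mules
    ("2013-04-10 09:00", "ACME-BIZ", "MULE-A", 9800),
    ("2013-04-10 09:05", "ACME-BIZ", "MULE-B", 4900),
    ("2013-04-10 09:07", "ACME-BIZ", "HM-0001", 9500),  # lands on a honey mule
    ("2013-04-10 09:10", "ACME-BIZ", "MULE-C", 9900),
    ("2013-04-09 14:00", "ACME-BIZ", "PAYROLL", 12000),  # legitimate, outside window
    ("2013-04-10 09:30", "OTHER-CO", "VENDOR", 3000),    # unrelated account
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```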

Unfortunately, nobody has an economic incentive to do this. Business bank accounts do not have the same legal protection as consumer accounts, and when there are losses due to unauthorized transactions in most cases the business eats the loss, and not the bank. Even when the bank can be proved in court to have provided inadequate security, the losses are usually taken by small regional banks rather than the big institutions that have the resources to investigate cyber threats.

Still, the million dollar heist last month is getting to be serious money. If there is anyone out there who is interested in the honey mule scheme, give us a call and we’ll be happy to provide you with all the latest work from home spam in email and SMS.

WordPress and Joomla vulnerabilities increasingly exploited by spammers


Monday, January 14, 2013 by Andrew Conway

Early last year I wrote about the increasing amount of spam that was using hacked web servers to obfuscate the spammer’s call to action. Back then the volume was creeping up to 1% of all spam. Since we’ve been seeing even more of it lately, I decided to take a look at the figures and see what had been going on in the past six months.

[Image: Graph of percentage of spam using hacked domains]

The average for the six month period was 7.7% of all spam, but we have seen much higher peaks, including the recent period from December 30th through January 8th where one relentless porn spammer pushed the ratio up to 37%. The good news is that this particular spammer was sending out millions of messages a day, but only using a group of a few hundred URLs in his messages, so they are easy to block. Billions of electrons were shuffled from botnet to spam folders with almost no real impact.

This particular spammer was only uploading a single file to each hacked domain to do his redirection. Others upload multiple files to allow more URLs to be used, and we have seen some domains in which the 404 page not found response has been hacked to redirect to the spammers landing page, so the spammer can send out each spam email with a different URL. So long as they are not part of the original web site, they will redirect if the recipient clicks on them.

So how are these web sites being hacked? The majority that we see are WordPress sites, and a significant minority are Joomla. Mostly these are sites belonging to individuals and small businesses who may have set up a site a few years ago and make very few updates, to either content or software. However, older versions of both WordPress and Joomla have some well documented vulnerabilities, so if you don’t keep your site up to date you may well be a target.

Even if you do always have the latest software in place, you can still be hacked if you install the wrong theme or plug-in. Just recently in the black hat underworld, malicious code was offered for sale that allows the user to add a trojan to installable WordPress modules…

[Image: Black Hat Script]

Once the user installs the innocent looking plug-in, the hacker can then upload and execute arbitrary code or even use the built-in redirect manager.

[Image: Redirect Manager]

That was offered for sale for just $100, but sorry, it’s all sold out now.

To prevent the embarrassment of having your web site redirect to a porn site in Russia, keep your web site software up to date, be careful what themes and plug-ins you install, and keep an eye on your server log for any traffic to pages you don’t recognize.
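The log check suggested above, and the hijacked 404 handler described earlier, can be caught with the same test: a request for a path that is not part of the site should get a 404, so an unknown path answered with a 301/302 points at a planted redirect file or a hacked not-found page. The script below is an added example (not Cloudmark’s), run over constructed Apache combined-format lines; the list of known site paths is an assumption and would normally be built from the CMS’s own file tree and permalinks.

```python
"""Flag redirects served for paths that do not belong to the site (added example)."""
import re

# Constructed log lines in Apache combined format, not real traffic.
LOG = """\
203.0.113.7 - - [10/Jan/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:01:09 +0000] "GET /wp-content/themes/twentyten/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:10:02:40 +0000] "GET /xk3/f8s2.html HTTP/1.1" 302 231 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2013:10:02:41 +0000] "GET /wp-content/uploads/r.php?q=7a1 HTTP/1.1" 301 312 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jan/2013:10:03:00 +0000] "GET /no-such-page HTTP/1.1" 404 450 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, path, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Paths and prefixes that are genuinely part of the site (assumed list).
# /wp-content/uploads/ is deliberately absent: PHP planted there is a
# classic sign of compromise, so requests to it are reviewed.
KNOWN_PREFIXES = ("/index.php", "/wp-content/themes/", "/wp-admin/", "/wp-login.php")

def is_known(path):
    """True if the requested path (query string ignored) belongs to the site."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p) for p in KNOWN_PREFIXES)

def suspicious_redirects(log_text):
    """Return (ip, path, status) for requests to unknown paths that were
    answered with a 3xx. Unknown paths answered with 404 are normal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-combined-format line, skip it
        ip, _ts, _method, path, status = m.groups()
        if not is_known(path) and status.startswith("3"):
            hits.append((ip, path, int(status)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_redirects(LOG):
        print("possible planted redirect:", hit)
```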

Ringing the Bell for Cyber Security Awareness


Tuesday, October 16, 2012 by Mary Landesman

October is National Cyber Security Awareness Month. In recognition of that, the National Cyber Security Alliance teamed up with the Department of Homeland Security and the security industry to sponsor the opening bell ceremony at NASDAQ. Held at 4 Times Square on Monday, October 15, the principal bell ringer was Jane Holl Lute, Deputy Secretary for the Department of Homeland Security. Also participating was Congresswoman Yvette Clarke and Congressman Jerrold Nadler, both of NYC, as well as representatives from dozens of security companies (including Cloudmark).

The event was preceded by a breakfast at NASDAQ which provided a great opportunity to chat about specific threats we’ve been observing at Cloudmark. At the top of that list were the barrage of SMS phishing attacks that continue to plague mobile users. As we’ll discuss in a later blog post, it’s not just the increase in SMS phishing numbers that is so concerning – it’s also the sophistication in the social engineering methods used in the attacks. There was also some chatting about passwords and how to devise better solutions that are truly scalable.

Though October is designated Cyber Security Awareness Month, the National Cyber Security Alliance operates year round to promote better online security practices. Whether you want to protect yourself, protect your business, or help educate others, the NCSA has many opportunities for you to get involved.

One thing any smartphone user can do to further online security – forward any SMS spam you receive to 7726 (7-7-2-6 spells S-P-A-M on old style alpha-numeric keypads). Forwarding SMS spam to 7726 not only helps protect other users, it also helps mobile providers investigate and take action against SMS spammers and scammers.

Overall, the bell ringing ceremony was a fun event with a serious message. It’s great to see the industry come together to fight cybercrime and Cloudmark will certainly continue to be a part of that effort.

Severe Surge in SMS Phishing Attacks


Friday, September 07, 2012 by Mary Landesman

During the first week of September, Cloudmark observed a 913% increase in the volume of SMS phishing attempts, making SMS phishing currently the single largest SMS text messaging threat. The surge appears to be the result of a single set of attacks which initially started on September 4th. Thus far, attackers have used over 500 unique pitches in the phishing scams, but the general characteristics are as follows:

Fwd:Good Afternoon .Attention Required Call.(xxx)xxxxxxx

The phone numbers victims are instructed to call include:


Investigation reveals the attackers are using several phone ploys to trick victims into divulging sensitive credentials. These ploys include claims of Bank of America account suspensions, Macy’s credit card collections, and even U.S. Veterans Administration health services.

Victims who fall for the phishing scam and divulge their credentials risk being subjected to bank account theft, credit card fraud, and even outright identity theft. Stolen information can even be used in social engineering scams to elicit further information from unrelated accounts.

If you’ve been the recipient of this SMS phishing attempt, forward the text to short code 7726 to notify your carrier and to facilitate resolution. And remember, never divulge sensitive information to any source you have not fully vetted. When in doubt (which you always should be) contact your bank, credit card company, or health provider by known good numbers you have on file – never respond via the contact details provided in an unsolicited SMS text.

Highlights from IETF 82 in Taipei


Tuesday, November 29, 2011 by Murray Kucherawy

The Internet Engineering Task Force met in Taipei in mid-November. Cloudmark was in attendance, working to advance several things through the IETF processes, including

  • a new working group that will produce protocols and advice documents relevant to reputation services (see my previous posts about DKIM and domain reputation);
  • creation of a working group seeking advancement of SPF to the standards track; and
  • a working group to develop and standardize a more useful replacement to the only-somewhat-useful WHOIS service.

There’s already active interest in all three of these areas.

We’re also championing the work of some best practices documents covering things like greylisting and handling of malformed mail, both with input from the Messaging Anti-Abuse Working Group.

And we’re keeping an eye on developments in the web and IPv6 communities within IETF, with an eye towards how those changes will affect messaging security.

For more information, contact us through your representatives, or find us through the various IETF mailing lists dedicated to those purposes.

The next meeting is at the end of March in Paris. We’ll be there!
