Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Social Networking’ Category

Money Mules and Honey Mules


Thursday, May 16, 2013 by Andrew Conway

One common form of spam that we see across all sorts of platforms is work from home scams. As well as traditional email, this can also be found on most social networks, and more recently in SMS.

She made it big doing this from her home. Check it out www.[redacted].com

The spammers often link to what appears to be a legitimate news web site. This SMS message, which addresses the recipient with the correct first name

Andrew – I’m in the news! Look: www.[redacted].com

takes you to a fake news web site that looks like this

Fake news web site

There are three ways that this spam can be monetized. First, it can be used to collect personal details for identity theft. Secondly, it can be used as an advance-fee scam: in order to earn money you first have to buy materials from the ‘employer’ that turn out to be worthless. Finally, it can be used to recruit money mules for bank fraud.

Money mules are a vital step in a common form of bank robbery. It works like this. The controller of a small business receives an email addressed to them and opens an attachment. This contains a trojan, which takes over their computer. The trojan installs software which collects the credentials used to access the company bank account. This is usually more successful when the company banks with a smaller regional bank that does not have the same sort of fraud prevention in place as a major bank.

Meanwhile, the criminals have recruited a number of money mules who have been doing pointless make-work tasks for a month or so, and who have provided their bank account details to the hackers to receive payment. On the day of the theft, the hackers access the company bank account and start transferring money out to the money mules. They are limited to under $10,000 or $5,000 per mule, depending on the institution they bank with, so in order to steal $1,000,000 they will need at least a hundred mules. The mules are instructed to withdraw the money in cash, keep a small commission themselves and transfer the rest via Western Union or MoneyGram to an offshore recipient, often in Eastern Europe. In most cases the money mule has no idea they are participating in anything illegal.

As far as the criminals are concerned, money mules are a limited resource, as they are hard to recruit and can only be used for one fraudulent money transfer. Brian Krebs reported on a theft last month where he speculates that the hackers could not take more than a million dollars out of the account because they ran out of mules. Shortly after this theft we saw a spike in the volume of SMS work from home spam. For the two weeks after the attack, we saw 280% more work from home SMS spam than the two weeks before. Was this the criminal gang looking for new mules after they had burned up their entire gang in a particularly profitable heist?

Work from home SMS spam

One technique used in spam detection is setting up large numbers of email addresses that have no real user. They are just exposed on the web somewhere, so anything that is sent to them must be spam. These are called honeypots. Perhaps something similar would work to detect this sort of bank fraud? Set up some fake identities (let’s call them honey mules), sign them up for work from home schemes, and give each a bank account that is flagged with the financial institution so that any transfer into the account is immediately regarded as fraudulent. That way the sending institution can be notified that the sending account has been compromised and can block further transfers, and even reverse many of those that have already taken place before the other money mules can remove the money from their accounts. Of course, this would require close cooperation of the banks, law enforcement, and whoever is operating the fake identities.

Unfortunately, nobody has an economic incentive to do this. Business bank accounts do not have the same legal protection as consumer accounts, and when there are losses due to unauthorized transactions in most cases the business eats the loss, and not the bank. Even when the bank can be proved in court to have provided inadequate security, the losses are usually taken by small regional banks rather than the big institutions that have the resources to investigate cyber threats.

Still, the million-dollar heist last month is getting to be serious money. If there is anyone out there who is interested in the honey mule scheme, give us a call and we’ll be happy to provide you with all the latest work from home spam in email and SMS.

Shorten this Spam


Wednesday, March 31, 2010 by James Hoddinott

Terry Zink posted an article recently talking about an announcement by Twitter earlier in the month and the actions they are taking to further protect their users against phishing attacks; they state:

By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.

Based on information from their support pages (here and here) it seems they will use (at least in part) Google Safe Browsing. Users will see the twt.tl shortener service appearing, and it will only be on DMs (Direct Messages) and the email notifications they generate, for now.

URL shorteners work pretty much as the name suggests, taking a long URL (which might look ugly) and converting it to a much shorter one. With the rise of Twitter and other microblogging services, the need to save precious characters has seen an explosion of URL shortener services. In fact, there is a good chance that you came to this posting via one of these services.

As Terry points out in his post, these services have a fundamental flaw since spammers can and do use them to hide the true destination of their malicious URLs. The URL that they then post out is the shortened one and since the domains used are essentially ‘good’ some domain-based filters won’t flag these URLs as spam. His post finishes with:

Now, if only we could get all of the URL shortening services to subscribe to these reputation services.

We’d like to second that comment and call on URL shortening services to take more proactive steps to identify and reduce the volume of spammy links submitted via their services. Even though it only really targets phishing and malware sites, Google has an API for their Safe Browsing service which would be a useful starting point.

Within the Security Operations Center at Cloudmark, one of the many things we keep an eye on is potential new URL shortener services. Our system takes these shortened URLs and follows them to their lengthier original state. This allows us to treat any shortened URL as if the original URL had been posted and use the reputation of that rather than the URL shortener service.
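The redirect-following step described above, as an added example (not Cloudmark's own code): it resolves a shortened URL through a constructed in-memory redirect map that stands in for live HTTP Location headers, caps the hop count, detects redirect loops, and applies the reputation check to the final landing domain rather than to the shortener's domain. The shortener hostnames and the blocklist are invented for the example.

```python
"""Expand shortened URLs and score the final destination (added example)."""
from urllib.parse import urljoin, urlsplit

# Constructed redirect map standing in for HTTP 3xx Location headers.
# Hostnames are hypothetical; none are real shortener services.
FAKE_REDIRECTS = {
    "http://sho.rt/a1": "http://other.ly/b2",
    "http://other.ly/b2": "/landing",              # relative Location header
    "http://other.ly/landing": "http://cheap-pills.example/buy",
    "http://sho.rt/loop1": "http://sho.rt/loop2",  # two-hop redirect loop
    "http://sho.rt/loop2": "http://sho.rt/loop1",
}

# Constructed reputation list: registrable domains known to host spam.
BAD_DOMAINS = {"cheap-pills.example"}


def fake_location(url):
    """Stand-in for a HEAD request: returns the Location header or None."""
    return FAKE_REDIRECTS.get(url)


def expand_url(url, fetch=fake_location, max_hops=10):
    """Follow redirects; return (final_url, chain, status) where status is
    'ok', 'loop' or 'too_many_hops'."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        loc = fetch(current)
        if loc is None:                 # no redirect: this is the landing page
            return current, chain, "ok"
        nxt = urljoin(current, loc)     # resolve relative Location values
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return current, chain, "too_many_hops"


def classify(url, bad_domains=BAD_DOMAINS, fetch=fake_location):
    """Reputation verdict for the expanded URL: 'spam', 'clean' or 'suspicious'."""
    final, _chain, status = expand_url(url, fetch)
    if status != "ok":                  # loops and endless chains are a red flag
        return "suspicious"
    labels = (urlsplit(final).hostname or "").split(".")
    # Match the host or any parent domain against the reputation list.
    if any(".".join(labels[i:]) in bad_domains for i in range(len(labels))):
        return "spam"
    return "clean"
```

The `fetch` parameter is the seam where a real HEAD request (with a timeout and no automatic redirect following) would be plugged in.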

One of the big problems here, though, is the sheer number of such services that are available; you can even run your own. To give you an idea, here are some numbers:

  • Total number of shortener services discovered: 707
  • Total number of shortener services seen in the past week linking to spammy websites: 275
  • Total number of shortened URLs seen in the past week linking to spammy websites: 5868

(‘past week’ here refers to the 7 days leading up to 30th March 2010)

So in the past week nearly 40% of the URL shortener services that we know about were abused by spammers, and each of those was used a little over 20 times on average. These are just the services we know about! Every day we discover more, and we now also have some semi-automated systems in place to detect new services before us humans do. This helps us react much more quickly to new spam attacks that use shortener services.

We’d love to hear from any URL shortener service that does take abuse of their service seriously and takes proactive steps to identify and remove spammy links from their service.

Hot Videos? Highly Rated Pics?!? Beware!


Friday, March 27, 2009 by David Romerstein

This week’s upsurge in attempts to social engineer control of your computer out from under you comes at the expense of the reputations of several social networking sites. Last week, it was fake news stories, with promises of horrific video of bomb blasts close to you; this week, it’s fake Classmates.com and Facebook announcements of ‘highly rated’ videos and pictures of Young Girls Doing Things. The emails all have subjects (like the following) designed to trigger the prurient interests of Internet users:

Subject: Facebook message: Facebook girl Striptease Beautiful dance (Last rated by Cecile Lucero)
Subject: Classmates private: Party Photos (Last rated by Colby Hunt)

(There’s also cross-pollination, as there have been supposed “Classmates messages” advertising that Facebook girl – she must be popular!)

Unfortunately, disappointment lurks at the URL in the body. There, you’ll find a picture and a notice that, yes, your Flash player is out of date and must be updated. The ‘update’ will not allow you to view any pictures or video; instead, it will turn your machine into a zombie, invisibly under the control of one of the botmasters.

As with any of these infection attempts, there are a number of things you can do to protect yourself. First and foremost, surf smart. Don’t install software because a website told you to; if you find that you really need to update your Flash player, go get it from Adobe themselves. Keep all your security software up to date – that includes anti-virus, firewall, and anti-spam software. Monitor threat evaluation sites like Threat Expert, the US Computer Emergency Readiness Team (US-CERT), and the Internet Storm Center.

And, of course, be suspicious any time someone you’ve never heard of wants to share private photos with you.

