<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cloudmark Blog</title>
	<atom:link href="http://blog.cloudmark.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.cloudmark.com</link>
	<description>Intelligence Briefings from the War on Spam</description>
	<lastBuildDate>Fri, 03 Feb 2012 19:54:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>High volume of spam complaints for Super Bowl iPad offer</title>
		<link>http://blog.cloudmark.com/2012/02/03/high-volume-of-spam-complaints-for-super-bowl-ipad-offer/</link>
		<comments>http://blog.cloudmark.com/2012/02/03/high-volume-of-spam-complaints-for-super-bowl-ipad-offer/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 19:54:59 +0000</pubDate>
		<dc:creator>Angela Knox</dc:creator>
				<category><![CDATA[Cloudmark]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1153</guid>
		<description><![CDATA[Cloudmark is seeing a high volume of spam complaints for messages which are using the Super Bowl to convince people to open the mail and click on the links. The messages have subjects such as &#8220;Celebrate the superbowl with a brand new iPad 2&#8243; and &#8220;How Would You Like A New iPad 2-free?&#8221;  The messages [...]]]></description>
			<content:encoded><![CDATA[<p>Cloudmark is seeing a high volume of spam complaints for messages which are using the Super Bowl to convince people to open the mail and click on the links. The messages have subjects such as <strong><em>&#8220;Celebrate the superbowl with a brand new iPad 2&#8243;</em></strong> and <em><strong>&#8220;How Would You Like A New iPad 2-free?&#8221;</strong></em>  The messages actually have nothing to do with the Super Bowl.  Here&#8217;s an example of one of the messages:</p>
<p style="text-align: center;"><a href="http://blog.cloudmark.com/wp-content/uploads/2012/02/ipad-spam.png"><img class="aligncenter  wp-image-1154" title="iPad spam" src="http://blog.cloudmark.com/wp-content/uploads/2012/02/ipad-spam.png" alt="iPad spam" width="599" height="757" /></a></p>
<p>Clicking on the links takes you to a website that will try to get you to sign up for a mix of various offers that are likely to cost you money in the long run.  You&#8217;ll also have to agree to get more email from a variety of &#8220;marketing partners&#8221; and to convince one of your friends to do the same.</p>
<p>To be fair, when you get to the website, they do tell you that in order to be eligible for your &#8220;free&#8221; iPad, you will need to go through all these conditions:</p>
<p style="text-align: center;"><a href="http://blog.cloudmark.com/wp-content/uploads/2012/02/requirements.png"><img class="aligncenter  wp-image-1155" title="Program Requirements" src="http://blog.cloudmark.com/wp-content/uploads/2012/02/requirements.png" alt="Program Requirements" width="714" height="153" /></a></p>
<p>But that&#8217;s a lot of conditions that have to be met.  Also note that it states &#8220;Your information will be shared with our marketing partners&#8221;, but it doesn&#8217;t mention who those partners are.  So you could be signing up for a lot of email from many different companies that you may or may not care about.  You also need to convince one of your friends to sign up and give their permission to be sent these emails.  Here&#8217;s one section from the Terms &amp; Conditions that outlines what will occur if another unique household that you have referred doesn&#8217;t complete the program requirements:</p>
<blockquote><p><em>&#8220;J. If at the end of the 60-day period you have successfully completed the required number of reward offers but you have not referred (1) unique household(s) that also completed the program requirements, you will not be eligible to receive the reward. However, as a consolation for participating, you may automatically receive a check for a minimum amount of $25 or a $25 (minimum amount) gift card to the merchant of our choice.&#8221;</em><em><strong>-</strong></em><strong> Terms and Conditions, I. ELIGIBILITY &#8211; J.</strong></p></blockquote>
<p>The Terms and Conditions also state that there is no way to cancel an account once you create it:</p>
<blockquote><p><em>&#8220;C. Expiration/Cancellation of Account</em></p>
<p><em>(1.) Your account will expire 60 days from the date you register on this website. Upon expiration, you will no longer be eligible to receive the reward.</em></p>
<p><em>(2.) There is no way to cancel an account. If you no longer wish to remain a part of this website, you should refrain from accessing your account.&#8221;</em></p>
<p><strong><em>-</em> Terms and Conditions, II. REGISTRATION &#8211; C.</strong></p>
<p>&nbsp;</p></blockquote>
<p>Lastly, when you try to leave the page, you get a &#8220;Confirm Navigation&#8221; window just to make sure you really want to leave:</p>
<p><a href="http://blog.cloudmark.com/wp-content/uploads/2012/02/confirm-navigation2.png"><img class="aligncenter size-full wp-image-1166" title="confirm-navigation" src="http://blog.cloudmark.com/wp-content/uploads/2012/02/confirm-navigation2.png" alt="Confirm Navigation" width="364" height="292" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2012/02/03/high-volume-of-spam-complaints-for-super-bowl-ipad-offer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DKIM Helps and Hurts Google, YouTube and SalesForce</title>
		<link>http://blog.cloudmark.com/2012/01/26/dkim-helps-and-hurts-google-youtube-and-salesforce/</link>
		<comments>http://blog.cloudmark.com/2012/01/26/dkim-helps-and-hurts-google-youtube-and-salesforce/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 19:20:46 +0000</pubDate>
		<dc:creator>Murray Kucherawy</dc:creator>
				<category><![CDATA[Cloudmark]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[Internet Service Providers]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1144</guid>
		<description><![CDATA[Google has been using DKIM to improve trust in mail it sends from several of its properties for some time now. Mail from Google staffers (google.com and googlers.com), from YouTube (youtube.com), from Google Groups (googlegroups.com) and from Gmail users (gmail.com) is always signed by DKIM using those respective domains as the signer. This means we [...]]]></description>
			<content:encoded><![CDATA[<p>Google has been using <a href="http://tools.ietf.org/html/rfc6376">DKIM</a> to improve trust in mail it sends from several of its properties for some time now.  Mail from Google staffers (google.com and googlers.com), from YouTube (youtube.com), from Google Groups (googlegroups.com) and from Gmail users (gmail.com) is always signed by DKIM using those respective domains as the signer.  This means we can be suspicious of mail from those sources that isn&#8217;t signed by Google.  (There&#8217;s a protocol called <a href="http://tools.ietf.org/html/rfc5617">ADSP</a> that would let Google make this statement explicitly, but we can also infer it from what we know from our contacts there.) This sort of tactic has worked to filter out some recent fake YouTube spam that claims to be from YouTube but isn&#8217;t signed.</p>
<p>Unfortunately, Google&#8217;s infrastructure has grown so big and fast that there are a few Google properties that aren&#8217;t signed by DKIM yet.  There are also some Google applications whose email components are outsourced to other companies, like SalesForce, who in turn send mail claiming to come from Google that, of course, isn&#8217;t signed. And in some cases, mail that goes between two Google services and is then forwarded to other addresses goes out unsigned.</p>
<p>This means it&#8217;s impossible to apply these implicit DKIM rules across the board to keep these scams at bay before they can get started: If we turn them on for everything, some legitimate mail will be bounced, or some mail that deserves preferential treatment won&#8217;t get it.</p>
<p>We know about these limitations of DKIM already.  And we know it&#8217;s a challenge for any large organization to ensure that any new email policy (or any kind of policy, really) is applied across its entire infrastructure when parts of it operate independently.  In the end, though, it means the full benefits of DKIM can&#8217;t be realized when the roll-out is only partial.  Google has told us they&#8217;re aware of these issues and they&#8217;re working to tighten it all up.</p>
<p>This is important to remember for all sites, whether deploying DKIM as a signer or as a verifier.  When we wrote the DKIM RFCs, we included a lot of discussion about these topics, and experience since then has shown that this was time well-spent.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2012/01/26/dkim-helps-and-hurts-google-youtube-and-salesforce/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spam from a galaxy far far away</title>
		<link>http://blog.cloudmark.com/2012/01/04/spam-from-a-galaxy-far-far-away/</link>
		<comments>http://blog.cloudmark.com/2012/01/04/spam-from-a-galaxy-far-far-away/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 17:53:59 +0000</pubDate>
		<dc:creator>Mark Stemm</dc:creator>
				<category><![CDATA[Cloudmark]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1124</guid>
		<description><![CDATA[As seen in the new MMORPG (Massively Multiplayer Online Role-Playing Game) Star Wars The Old Republic. It&#8217;s good to know that Jedi Knights have to deal with spam in their inboxes, too. Here&#8217;s a closer view of the message. For those unfamiliar with MMORPGs, the spam is selling virtual game currency for actual money. The [...]]]></description>
			<content:encoded><![CDATA[<p>As seen in the new MMORPG (Massively Multiplayer Online Role-Playing Game) <a title="Star Wars The Old Republic" href="http://www.swtor.com" target="_blank">Star Wars The Old Republic</a>. It&#8217;s good to know that Jedi Knights have to deal with spam in their inboxes, too.</p>
<p><a href="http://blog.cloudmark.com/wp-content/uploads/2012/01/spam_galaxy_far_far_away.jpg"><img class="size-large wp-image-1125 alignnone" title="spam_galaxy_far_far_away" src="http://blog.cloudmark.com/wp-content/uploads/2012/01/spam_galaxy_far_far_away-1024x576.jpg" alt="" width="700" height="393" /></a></p>
<p>Here&#8217;s a closer view of the message. For those unfamiliar with MMORPGs, the spam is selling virtual game currency for actual money. The spam is also selling &#8220;Power Leveling&#8221;, where you pay to have someone play your character to build it from a low level to a high level.</p>
<p><a href="http://blog.cloudmark.com/wp-content/uploads/2012/01/spam_galaxy_far_far_away_closeup.jpg"><img class="alignnone size-full wp-image-1135" title="spam_galaxy_far_far_away_closeup" src="http://blog.cloudmark.com/wp-content/uploads/2012/01/spam_galaxy_far_far_away_closeup.jpg" alt="" width="537" height="656" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2012/01/04/spam-from-a-galaxy-far-far-away/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More spam in 2012?</title>
		<link>http://blog.cloudmark.com/2012/01/03/more-spam-in-2012/</link>
		<comments>http://blog.cloudmark.com/2012/01/03/more-spam-in-2012/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 22:24:35 +0000</pubDate>
		<dc:creator>Angela Knox</dc:creator>
				<category><![CDATA[Cloudmark]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1115</guid>
		<description><![CDATA[McAfee’s Threat Predictions for 2012 include the prediction that you’ll get more spam in your inbox due to legitimate companies purchasing lists through “shady but legal means”. &#8220;3. More spam in your inbox — The new trend in spamming is sending emails from advertising companies that obtain their email lists through shady but legal means. They [...]]]></description>
			<content:encoded><![CDATA[<p><a title="McAfee Threat Predictions" href="http://blogs.mcafee.com/consumer/2012-mcafee-threat-predictions-consumers" target="_blank">McAfee’s Threat Predictions for 2012</a> include the prediction that you’ll get more spam in your inbox due to legitimate companies purchasing lists through “shady but legal means”.</p>
<p><em>&#8220;3. More spam in your inbox — The new trend in spamming is sending emails from advertising companies that obtain their email lists through shady but legal means. They may buy the lists from companies that are going out of business or partner with other advertising entities or mail-list providers without taking into account privacy policies.</em></p>
<p><em> They can do this because under the U.S.’ CAN-SPAM Act advertisers are not required to receive consent before sending advertising. Since this method is cheaper and less risky than bombarding us with spam from networks of compromised computers, we expect this activity to continue to grow through 2012, possibly resulting in more spam in your inbox.&#8221;<br />
</em></p>
<p>From: <a title="2012 McAfee Threat Predictions" href="http://blogs.mcafee.com/consumer/2012-mcafee-threat-predictions-consumers" target="_blank">http://blogs.mcafee.com/consumer/2012-mcafee-threat-predictions-consumers</a></p>
<p>While some legitimate companies are purchasing lists through shady but legal means, the assumption that these emails will end up in the inbox does not necessarily follow.</p>
<p>One example of a shady means of purchasing a list is a practice called “email appending” or “epending”. This can occur when a business has a name and a physical address for a person but doesn’t have the person’s email address. So they pay a third party to do data matching to try and find the person’s email address.</p>
<p>A lot of legitimate businesses will argue that this is not shady, because they do have a relationship with the person. However, there are at least two major issues with this practice.</p>
<p>First, if the person did not give the company their email address, then they have not given the company permission to email them. When people have not given a business explicit permission to send them email, they often express their displeasure at receiving the messages by hitting the spam button, which increases the complaint rate for that legitimate business.</p>
<p>Any business, even a legitimate one, that has a high complaint rate on its messages is likely to have those messages moved to the spam or junk folder instead of the inbox.</p>
<p>Secondly, companies that do epending often do it wrong. They’ll match up addresses that belong to completely unrelated people, or they’ll match up email addresses that haven’t been used in years and hit inactive account spamtraps.</p>
<p>When a legitimate business suddenly starts to hit spamtraps in high volume, it’s pretty obvious that there is something wrong with their email address acquisition and email list hygiene practices.</p>
<p>McAfee also calls into question the practice of emailing to a list when one company acquires another company. When a legitimate business acquires another legitimate business and the acquired company has a list of email addresses that they send to regularly, then yes, the acquiring company should be allowed to send email to that list of email addresses.</p>
<p>However, to prevent an increase in spam complaints the acquiring company should follow a couple of best practices:</p>
<ol>
<li>Make sure the messages from the new company include the branding of the old company, so that people can easily remember that they have given permission to receive the messages.</li>
<li>Make it easy for people to communicate that they do not want to get emails from the new company. It should be easier than clicking on the spam button. The best way to do this is to ask people to confirm they want to receive email from the new company.  An alternative approach, which is still OK but not as effective at reducing complaints, is to let people click a link saying that they don’t want to receive the emails. Either link should be near the top of the email and easy to find.</li>
</ol>
<p>In 2012, Cloudmark will continue to encourage legitimate businesses to follow good list hygiene practices. If legitimate businesses continue to follow good practices, then people will not need to complain by clicking the spam button.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2012/01/03/more-spam-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video from ABC Action News: Text Spam and 7726</title>
		<link>http://blog.cloudmark.com/2011/12/28/abc-action-news-text-spam-and-7726/</link>
		<comments>http://blog.cloudmark.com/2011/12/28/abc-action-news-text-spam-and-7726/#comments</comments>
		<pubDate>Wed, 28 Dec 2011 19:05:06 +0000</pubDate>
		<dc:creator>Angela Knox</dc:creator>
				<category><![CDATA[Cloudmark]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1099</guid>
		<description><![CDATA[ABC Action News in Florida did a segment on SMS text spam and pointed out that several Mobile Carriers, including AT&#038;T and T-Mobile, make it easy for you to report text spam by forwarding the spam text to 7726, the numerical word for SPAM. To check whether your Mobile Operator supports forwarding spam text messages, [...]]]></description>
			<content:encoded><![CDATA[<p>ABC Action News in Florida did a segment on SMS text spam and pointed out that several Mobile Carriers, including AT&#038;T and T-Mobile, make it easy for you to report text spam by forwarding the spam text to 7726, the numerical word for SPAM.</p>
<p>To check whether your Mobile Operator supports forwarding spam text messages, you can go to the carrier&#8217;s website or you can test it out by texting the keyword &#8220;HELP&#8221; to 7726.</p>
<p>Video: <a href="http://www.abcactionnews.com/dpp/money/consumer/taking_action_for_you/taking-action-for-you--spam-texting-and-how-to-avoid-it">Taking Action for You: Spam texting and how to avoid it</a> (ABC Action News)</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2011/12/28/abc-action-news-text-spam-and-7726/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Surge in Financial-related Mobile Spam in Q4</title>
		<link>http://blog.cloudmark.com/2011/12/05/surge-in-financial-related-mobile-spam-in-q4/</link>
		<comments>http://blog.cloudmark.com/2011/12/05/surge-in-financial-related-mobile-spam-in-q4/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 13:00:50 +0000</pubDate>
		<dc:creator>mreading</dc:creator>
				<category><![CDATA[7726]]></category>
		<category><![CDATA[Cloudmark]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[mobile spam affiliate loan]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1018</guid>
		<description><![CDATA[Recent mobile data analyzed by Cloudmark reveals mobile cyber criminals are increasing the sophistication of their attacks leveraging multiple techniques to evade detection and target unsuspecting mobile users. Some of these techniques include a combination of large banks of phone numbers, rapidly changing content, and a number of website domains to send fraudulent messages and [...]]]></description>
			<content:encoded><![CDATA[<p>Recent mobile data analyzed by Cloudmark reveals mobile cyber criminals are increasing the sophistication of their attacks, leveraging multiple techniques to evade detection and target unsuspecting mobile users. Some of these techniques include a combination of large banks of phone numbers, rapidly changing content, and a number of website domains to send fraudulent messages and avoid detection.</p>
<p>Below are some sample messages that are all part of a recent large spam campaign from a single spammer. Cloudmark research shows that the spam below was responsible for over 40% of all mobile spam complaints received from North American mobile subscribers in the month of October.</p>
<p style="text-align: center;"><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture1.jpg"><img class="alignnone size-medium wp-image-1025" title="Picture1" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture1-178x300.jpg" alt="" width="178" height="300" /></a><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture2.jpg"><img class="alignnone size-medium wp-image-1026" title="Picture2" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture2-181x300.jpg" alt="" width="181" height="300" /></a><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture3.jpg"><img class="alignnone size-medium wp-image-1027" title="Picture3" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture3-189x300.jpg" alt="" width="189" height="300" /></a></p>
<p>Data analyzed indicates that the spammer is using thousands of content variations: multiple phrases, multiple word misspellings, changing URLs, etc. These techniques are clearly designed to evade simple spam keyword or hash-based content filtering. In addition, the spammer is using hundreds of mobile phone numbers to send the spam. This allows the spammer to evade simple volume detection by limiting the number of spam messages sent by each mobile number each day. When a series of mobile numbers has been identified as spam sources and shut down by a network operator, the spammer immediately starts using a new series of mobile phone numbers.</p>
<p>The graphic below is a partial list of target “call-to-action” URLs that the spammer is trying to get the unsuspecting subscriber to visit. Cloudmark has detected over 100 spam URLs related to this spam campaign, all of which trace back to a single webserver operated by a single spammer.</p>
<p><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture4.jpg"><img class="size-full wp-image-1029 aligncenter" title="Sample URL's used in a recent mobile spam attack" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture4.jpg" alt="" width="633" height="353" /></a></p>
<p>The spam attack described above is an example of “affiliate referral spam”, a business model that is very common in email and just now becoming prominent in SMS. The spammers get paid based on referrals for loans, via web redirects that send traffic immediately to an affiliate program or by accepting applications that are forwarded to affiliate programs. Since the spammer may only get paid a few cents for each referral, the spammer must send millions of spam messages to make a profit.</p>
<p>Affiliate spammers also make money by collecting information and reselling subscriber phone numbers, email addresses, and other information to other mass marketing organizations. By visiting the spammer’s website, entering information, and clicking Submit, the unsuspecting mobile subscriber is agreeing not only to be spammed by this same spammer, but also to allow their information to be resold to others. The graphic below is an example of a loan application designed to collect information that is then resold as part of a referral program:</p>
<p><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture5.jpg"><img class="aligncenter size-full wp-image-1031" title="Sample Spam website" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/Picture5.jpg" alt="" width="588" height="382" /></a></p>
<p>When a subscriber clicks on “Submit”, they are agreeing to the terms of the privacy policy published on the website. The privacy policy typically gives the spammer permission to spam via any means, regardless of any listing on national do-not-call lists. The policy also typically permits them to resell your information to other marketing affiliates.</p>
<p>Some example terms from common spammer privacy policies include: “By submitting your information at the Website, you agree to receive mobile marketing including, but not limited to, text-message based marketing from us and our third party advertisers and marketers.” “Even though your telephone number may be listed at the Federal Trade Commission’s Do-Not-Call List, we retain the right to contact you via telemarketing.”</p>
<p>It is imperative for mobile subscribers to take the appropriate steps to minimize their exposure to fraud if they receive unsolicited SMS messages. Some basic tips:</p>
<ol>
<li>If it sounds too good to be true, it likely is.</li>
<li>Users should never click on embedded links in an SMS text, especially from an organization one has never done business with before. If a mobile user believes that a message is legitimate, Cloudmark recommends that they access the information directly from a browser rather than by clicking on any embedded links.</li>
<li>And of course, always use the same precaution on your mobile devices that you would exercise on your PC.</li>
</ol>
<p>Additionally, many US operators now have measures in place that enable users to report suspected fraudulent or spam messages by forwarding spam text messages to 7726 or “SPAM” via their mobile device. Users should check with their operators to learn if the 7726 reporting service is available.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2011/12/05/surge-in-financial-related-mobile-spam-in-q4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Just What Can SMS Phishers Do with Your Data?</title>
		<link>http://blog.cloudmark.com/2011/12/05/just-what-can-sms-phishers-do-with-your-data/</link>
		<comments>http://blog.cloudmark.com/2011/12/05/just-what-can-sms-phishers-do-with-your-data/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 13:00:31 +0000</pubDate>
		<dc:creator>Marketing Research</dc:creator>
				<category><![CDATA[Cloudmark]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[SMS / Texting]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1019</guid>
		<description><![CDATA[Recent mobile data analyzed by Cloudmark reveals mobile cyber criminals are increasing the sophistication of their attacks leveraging multiple evasion techniques to target unsuspecting mobile users. Cloudmark has specifically seen a surge of financial spam and fraud activity picking up over the SMS channel. The text in each fraudulent SMS appears as if it is [...]]]></description>
			<content:encoded><![CDATA[<p>Recent mobile data analyzed by Cloudmark reveals mobile cyber criminals are increasing the sophistication of their attacks, leveraging multiple evasion techniques to target unsuspecting mobile users. Cloudmark has specifically seen a surge of financial spam and fraud activity picking up over the SMS channel.</p>
<p>The text in each fraudulent SMS appears as if it is coming from a major bank or credit card company such as the ones seen recently with Wells Fargo and Visa. The cyber criminals, also known as Phishers, are sending texts with messages such as those below.</p>
<p style="text-align: center;"><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/SMS_Fraud_Phone1.png"><img class="size-medium wp-image-1040 aligncenter" title="SMS_Fraud_Phone" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/SMS_Fraud_Phone1-176x300.png" alt="" width="141" height="240" /></a></p>
<p>When an unwitting recipient calls the number, they are asked for their name, bank card number, account number, expiration date, security/pin code and/or address – all the data the criminals need to gain access to their credit card or bank account. The Phishers become the suppliers of financial institution credentials and sell this data to another element of the cyber fraud chain called Cashers. The same methodology used in email fraud scams can now be leveraged in mobile fraud scams.</p>
<p>The Cashers&#8217; main role is to take the phished credentials and obtain funds directly from the victims’ accounts. Cashers can leverage the acquired data to create an actual replica of a victim’s bank card simply by using a card reader / writer similar to the one below.</p>
<p style="text-align: center;"><a href="http://blog.cloudmark.com/wp-content/uploads/2011/12/Card_Reader1.png"><img class="size-medium wp-image-1044 aligncenter" title="Card_Reader" src="http://blog.cloudmark.com/wp-content/uploads/2011/12/Card_Reader1-300x186.png" alt="" width="300" height="186" /></a></p>
<p>There are varying degrees of difficulty in cashing out certain credentials. For banking credentials, the preferred, though more difficult, method is ATM fraud. In ATM fraud, the Casher actually encodes the banking information (tracking) onto an ATM card and withdraws the maximum daily funds. The main difficulty with tracking is the encoding of the bank data to the ATM card. The preferred hardware used to encode information onto magnetic stripe cards is the MSR–206. Although the MSR–206 hardware most preferred by Cashers can be easily obtained, each bank uses a specific encoding algorithm to translate the credentials into the encoded data written to an ATM card. The tracking algorithm may be as simple as appending the expiration date and cvv2 code along with a fixed numeric value to the end of a check card number, or as complex as encrypting the information with a secret key and then encoding the encrypted block to the card.</p>
<p>See more details on the economy of phishing at <a href="http://www.cloudmark.com/en/whitepapers/the-economy-of-phishing">http://www.cloudmark.com/en/whitepapers/the-economy-of-phishing</a>.<br />
It is imperative for consumers to take appropriate steps if they believe they have received unsolicited SMS messages. This will help minimize their exposure to risk and fraud.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2011/12/05/just-what-can-sms-phishers-do-with-your-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video about the UPS &#8220;package not delivered&#8221; scam</title>
		<link>http://blog.cloudmark.com/2011/12/02/video-about-the-ups-package-not-delivered-scam/</link>
		<comments>http://blog.cloudmark.com/2011/12/02/video-about-the-ups-package-not-delivered-scam/#comments</comments>
		<pubDate>Sat, 03 Dec 2011 00:32:04 +0000</pubDate>
		<dc:creator>Angela Knox</dc:creator>
				<category><![CDATA[Cloudmark]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Viruses]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[UPS]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1066</guid>
		<description><![CDATA[Mashable did a video spot about the blog post we did earlier this week: Cyber Monday UPS package not delivered email fraud http://mashable.com/2011/11/28/ups-package-not-delivered-scam/]]></description>
			<content:encoded><![CDATA[<p>Mashable did a video spot about the blog post we did earlier this week: <a href="http://blog.cloudmark.com/2011/11/28/cyber-monday-email-fraud-ups-package-not-delivered/" title="Cyber Monday UPS package not delivered email fraud" target="_blank">Cyber Monday UPS package not delivered email fraud</a></p>
<p>http://mashable.com/2011/11/28/ups-package-not-delivered-scam/</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2011/12/02/video-about-the-ups-package-not-delivered-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Highlights from IETF 82 in Taipei</title>
		<link>http://blog.cloudmark.com/2011/11/29/higlights-from-ietf-82-in-taipei/</link>
		<comments>http://blog.cloudmark.com/2011/11/29/higlights-from-ietf-82-in-taipei/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 19:26:09 +0000</pubDate>
		<dc:creator>Murray Kucherawy</dc:creator>
				<category><![CDATA[Cloudmark]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[Internet Service Providers]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=1002</guid>
		<description><![CDATA[The Internet Engineering Task Force met in Taipei in mid-November. Cloudmark was in attendance, working to advance several things through the IETF processes, including a new working group that will produce protocols and advice documents relevant to reputation services (see my previous posts about DKIM and domain reputation); creation of a working group seeking advancement [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.ietf.org">Internet Engineering Task Force</a> met in Taipei in mid-November. Cloudmark was in attendance, working to advance several things through the IETF processes, including</p>
<ul>
<li>a new working group that will produce protocols and advice documents relevant to reputation services (see my previous posts about DKIM and domain reputation);</li>
<li>creation of a working group seeking advancement of <a href="http://www.openspf.net">SPF</a> to the standards track; and</li>
<li>a working group to develop and standardize a more useful replacement for the only-somewhat-useful WHOIS service.</li>
</ul>
<p>There&#8217;s already active interest in all three of these areas.</p>
<p>We&#8217;re also championing the work of some best practices documents covering things like greylisting and handling of malformed mail, both with input from the <a href="http://www.maawg.org">Messaging Anti-Abuse Working Group</a>.</p>
<p>And we&#8217;re keeping an eye on developments in the web and IPv6 communities within IETF, with a view to how those changes will affect messaging security.</p>
<p>For more information, contact us through your representatives, or find us through the various IETF mailing lists dedicated to those purposes.</p>
<p>The next meeting is at the end of March in Paris. We&#8217;ll be there!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2011/11/29/higlights-from-ietf-82-in-taipei/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Monday email fraud: UPS “package not delivered”</title>
		<link>http://blog.cloudmark.com/2011/11/28/cyber-monday-email-fraud-ups-package-not-delivered/</link>
		<comments>http://blog.cloudmark.com/2011/11/28/cyber-monday-email-fraud-ups-package-not-delivered/#comments</comments>
		<pubDate>Mon, 28 Nov 2011 13:00:50 +0000</pubDate>
		<dc:creator>Angela Knox</dc:creator>
				<category><![CDATA[Cloudmark]]></category>
		<category><![CDATA[Online Security]]></category>

		<guid isPermaLink="false">http://blog.cloudmark.com/?p=963</guid>
		<description><![CDATA[Cyber Monday sales can mean big savings for shoppers and massive profits for scammers. One campaign Cloudmark has been tracking, as we ramp up to the holiday shopping season, is the UPS “Package Not Delivered” scam designed to prey on online shoppers who are worried about the timely delivery of their purchases. The emails look [...]]]></description>
			<content:encoded><![CDATA[<p>Cyber Monday sales can mean big savings for shoppers and massive profits for scammers. One campaign Cloudmark has been tracking, as we ramp up to the holiday shopping season, is the UPS “Package Not Delivered” scam designed to prey on online shoppers who are worried about the timely delivery of their purchases. The emails look and feel like they are coming from legitimate shipping outlets such as UPS, but in fact the emails either have virus-infected zip files attached to them or they direct recipients to infected sites through the clickable links embedded in the HTML content.</p>
<p style="text-align: center;"> <a style="text-align: center; background-color: #f3f3f3;" href="http://blog.cloudmark.com/wp-content/uploads/2011/11/ups-fraud-screenshot.png"><img class="size-full wp-image-967 aligncenter" style="margin-top: 5px; margin-bottom: 5px; margin-left: 0px; margin-right: 0px; border-width: 3px; border-color: black; border-style: solid;" title="UPS email fraud screenshot" src="http://blog.cloudmark.com/wp-content/uploads/2011/11/spam21.png" alt="Screenshot of UPS email fraud" width="642" height="694" /></a></p>
<div class="mceTemp mceIEcenter">
<dl id="attachment_967" class="wp-caption aligncenter" style="width: 652px;">
<dd class="wp-caption-dd">Screenshot of UPS email fraud</dd>
</dl>
</div>
<p>We’ve seen a number of variants in this campaign (some with attachments, some with no attachments and bad links), all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic “UPS Customer Services”.</p>
<p>The From address is faked so that it appears to come from the domain ups.com. Many of the images are copied from legitimate UPS emails and many of the links go to the legitimate UPS site. However, clicking on the call-to-action link that says “Track your shipment now” will take the unsuspecting consumer to a website that can infect the computer with a virus.</p>
<p>Initial reports indicate that spammers were testing out the campaign and the effectiveness of the spam defenses.  Cloudmark observed a lull over the weekend, which was followed by a huge blast with rapidly evolving mutations on content.  Cloudmark’s flexible fingerprinting system was able to stop the attack within 12 minutes.</p>
<div id="attachment_964" class="wp-caption aligncenter" style="width: 727px"><a href="http://blog.cloudmark.com/wp-content/uploads/2011/11/attack-timeline.png"><img class="size-large wp-image-964   " style="border-width: 3px; border-color: black; border-style: solid;" title="Attack Timeline" src="http://blog.cloudmark.com/wp-content/uploads/2011/11/attack-timeline-1024x749.png" alt="Timeline of the UPS email fraud" width="717" height="524" /></a><p class="wp-caption-text">Timeline of the UPS email fraud</p></div>
<p>With <a href="http://en.wikipedia.org/wiki/Cyber_monday">Cyber Monday</a> kicking off the online holiday shopping frenzy, online shoppers should remember to be vigilant about any email message that they receive. No matter how eager they are for their shiny new purchases to arrive, they should take the time to check the original shipping confirmation that comes directly from the online vendor where the purchase was made.</p>
<p>In addition, rather than clicking on embedded links in an email, they should go directly to the shipping site and plug in the tracking number.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudmark.com/2011/11/28/cyber-monday-email-fraud-ups-package-not-delivered/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

