Google Says Spam, Virus Attacks to Get More Clever
eweekhickins writes "Google's Postini team says new attacks will take the form of sneaky viruses that will blend with spam, leveraging specific current events, such as the Super Bowl or the Summer Olympic Games. Better yet, virus attacks will target executives at companies whose intellectual property is deemed valuable on the black market.
A lot of these attacks will masquerade as legitimate business agencies, such as the Internal Revenue Service, the Better Business Bureau and the SEC."
that these will be successful. So many suckers, so little time.
I prefer the "u" in honour as it seems to be missing these days.
It's also recently been reported that users are becoming more idiotic.
The bastards!! I'd better warn my associates in South Africa.
Seriously, TFA comes off as a padded version of "uhm, so...they're probably going to keep finding new ways to do this...since that's what they already do". The report itself looks to hold a little more substance, but then, I guess it's hard to make news out of spam that doesn't involve a big shift in the court, because it's pretty boring by definition.
Damn, my entire security plan really depended on them suddenly getting really really stupid. If the scammers suddenly forgot how to send email, switch on a computer, or breathe air my life would be so much easier.
Slashdot Burying Stories About Slashdot Media Owned
Crims have always been good at adapting and exploiting conditions. The Mafia really got their power due to exploiting the prohibition. Cable thieves in South Africa are using rolling blackout schedules to plan their cable thefts.
As more business services are done online it makes sense to phish for more than some lame paypal accounts.
Engineering is the art of compromise.
Should we expect reports of the sky being blue, unless it's cloudy? Water wet, rocks hard, that sort of thing?
IT systems are increasingly complex, security is still an after-thought on products (instead of a core design consideration), and there's also the simple economies of scale; what was tens of thousands of targets, became millions of targets, and is now probably billions. A simple crack that works on 0.001% of the systems will still be cost-effective for whatever the net result is, most likely.
And? Their point?
Postini's a relatively recent Google acquisition. I'm not sure it's fair to say "Google this" and "Google that" when the agreement to acquire Postini is less than a year old. The spokesperson was probably just speaking for their own team and from their own culture.
A lot of these attacks will masquerade as legitimate business agencies, such as the Internal Revenue Service, the Better Business Bureau and the SEC.
Will these attacks masquerade as legitimate business agencies, or as agencies such as the Internal Revenue Service, the Better Business Bureau, and the SEC?
I've been getting a few spams lately that are ASCII art advertising for "viagra". Fairly clever way of getting past the filters, anyway.
Hail Eris, full of mischief...
E pluribus sanguinem
Hmmmmm... I wonder why that may be?
We already see this behavior. Phishing anybody? How many of us get "BRITTAANNYIES OUT LATE NIGHT PARTYING" emails?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
How can Postini/Google possibly know what strategies spammers intend to pursue? It seems unlikely that the spammers would volunteer this sort of information ahead of time.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
This is a sales pitch, there's nothing new in that article. Google is just fishing for more business for postini...
It seems odd that spammers will need to start using more complicated techniques, as it doesn't seem like people are getting any smarter.
Well that seems the way to go. I must admit a general low opinion on most executive types; one of my favorite examples of why I have a low opinion would be the dressing down a fellow IT staffer got from the CEO. The CEO was upset that when he dialed numbers from his phone's address-book while out of state he was getting wrong numbers and/or invalid number recordings. After being told that he needed to dial the area code, the CEO erupted loud enough that I could hear it through the handset "Why do I need to know about area codes!?!?" Anyway I am certain that whatever directed attacks spammers/virus writers/phishers make against these less than stellar inDUHviduals will succeed at alarming rates.
Email spam gets smarter, yet email servers remain stupid.
The sheer amount of bounced spam that I get makes me want to surrender my email account and move to a mountaintop in Nepal and herd goats.
... All people living today will be older or dead tomorrow!!!
(translation for sarcasm impaired - "duuh!!")
-Em
RelevantElephants: A Somatic WebComic...
Nice demo. The link for this article leads to an ad page which won't close if you have AdBlock installed.
I use Gmail for one of my email accounts, and have used this address (without obfuscation) on the Internet for eight years or so. Therefore, I get a lot of spam. Recently, I've noticed more and more getting through Google's spam filters lately.... but what really amazes me is the volume.
Here's a simple example: most Gmail users know they have a Spam folder, into which Gmail transfers any messages which appear "spammy." This works pretty well, and I keep around 30 days' worth in there, as I used to occasionally look through for false positives (which happened sometimes.)
The problem now is just that there is too much spam to do this. Let's compare: here is the count of spam in ONE Gmail account, for the past 30 days -- can anyone match it?
Spam (84194)
I figure that's a rate of 2,800 per day, or 116 per hour. Nearly two spam messages, every minute, 24x7.... and most of it consists of duplicates. Why are the spammers doing this? Unless they are paid per message they send, I don't see it improving their chances of getting a message past filters.
Paul Gillingwater
MBA, CISSP, CISM
Only if we stop using the phrase, or using an "anti-phrase" (see link below), will people wake up to the fraud brought upon the rest of humanity by these IP abusers. http://www.techdirt.com/articles/20080306/003240458.shtml
Decent cryptographic technologies have been with us for a while. I wonder about someone like Verisign making an EV-like system for E-mail certificates, where people/companies/organizations can apply, and after a thorough vetting, get a certificate (preferably on a hardware cryptographic token) that that person is whom they claim to be. Of course, E-mail clients like Thunderbird, mail.app, and Outlook would have to be updated to show that a mail is authentic.
This would help against spam similar to how anti-phishing technologies in IE and Firefox protect against bad websites, but it's still not perfect.
S/MIME and PGP are strong technologies to help against fraud. I just wish more companies would send out mail with it. For example, one could register a PGP public key with a shop, and when the shop would send E-mail, it would send it signed, and encrypted to that key. Even just using S/MIME's signing capability which works with virtually any E-mail client [1] would help matters greatly.
[1]: Even pine and mutt support S/MIME. A lot of cellphones support this functionality as well, such as all recent Windows Mobile devices and Blackberries.
total sales pitch here, this has been happening for several years where the malware writers use news headlines to trick people into opening email and links...
nothing to see here, please move on.
how at the end it asks you to click a link to download the full report. (IT'S A TRAP!!)
WoW: Scheod 70 orc warlock on Shadowmoon
I hope it gets so bad that we are just flooded and 99% of the users are infected. millions of dollars lost.. death and destruction everywhere.
Perhaps then something might get done.
---- Booth was a patriot ----
I'm not interested in the Super Bowl, nor am I an executive :)
Hopefully the spammers will develop better bots which target only those.
Patents Drive Free Software as Hurricanes Drive Construction Industry
The underlying concept of your idea is good.
However, I can see a few issues that would impact the rate of adoption and the overall utility of your approach (assuming, for the sake of simplicity, that the cryptographic aspects are implemented in a truly secure manner, the crypto itself is strong, etc. I fully realize that this is like the proverbial "frictionless surface" and the proverbial "ideal conductor" used in science books. I'm just trying to cover the big points here, OK?):
1. It will not happen until Verisign (for example) decide that there is enough of a market that they can make a decent profit.
2. It will either price small businesses out of the market (given Verisign's prices, this is likely) or the price will be such that small businesses can afford it and then so can the spammers. Before you start claiming that is why there is a vetting process, I would suggest that hurdles low enough for small "mom-and-pop" businesses to jump will be low enough for a determined spammer.
3. Either we need a "Root CA" mechanism like other certificates (again, profit and "are you sure you can trust this") or the whole "web of trust" thing from PGP. The web of trust would be difficult in that it would make legit messages appear fake until you can determine it. Also, how would "Joe Sixpack" know the difference between a legit cert for the IRS and a faked one?
Your idea is good. Unfortunately, the current environment is not ready for it. I hope we will see the day when it will work.
Anyone notice the sudden surge of viruses on emule? Practically all searches return bogus results which really are malware, or virus infected executables.
This seems like the same old, same old to me. So what makes this clever is that they are hiding the spam and phishing in topical ways? I'm sorry, but I don't see this as being more effective or likely to gain them any more suckers. Spam is spam, it doesn't matter if they dress it up in a 'current' way it won't fool anybody that wasn't fooled before.
"According to this email, I can buy Viagra and support the Obama campaign!"
Well, thanks to the Internet, I'm now bored with sex.
Their Gmail service has a hard time stopping spam as it is....
I'm not a human, but I play one on T.V.
At what point did Captain Obvious start working at Google?
I've already seen two of these.
One was an ordinary phishing attack.
The other gave a URL in a valid subdomain of irs.gov
So either
- the attack was broken (certainly possible)
- the attack was relying on DNS cache poisoning or compromised servers
I've sometimes wondered how much (if any) spam is actually just a numbers station.
no way.. seriously? and I thought they would get less creative!!
I think the only correct response is, Huh?
I will create a sig when innovation restarts in the U.S.
We already get SPAM that says it is from the Department of Justice. It acts like if you don't click the link then you cannot find out about a lawsuit that was brought against you and therefore you can't mount a defense. Pretty clever but I saw right past it.
Water is wet!!!
Take off every 'sig' for great justice.
I strongly object to the fact that virus evolutionist theories are taught on this forum. Actually, all the viruses were created by God 6000 years ago, and no evolution can happen. You have no proof. Your fallacious theories should not be taught in public schools.
My first program:
Hell Segmentation fault
Well then, if google says it's true, then I better go out now and buy that Google Postini Subscription so they can protect me from all the evil in the email world.
the only permanence in existence, is the impermanence of existence.
This is an old trick used by the spammers. The same thing happened last year with the Super Bowl, the same with the IRS phishing e-mails (some of them e-mailed late after the filing season, some even before the filing season).
You're telling me Google (Postini?) took more than a year to discover this, some of these social engineering attacks (especially the malware e-mails focussed on special events) have been around since 2006 as far as I can recall (refer to the links below).
Special Event Malware Spam
IRS Phishing Scams
www.cybertopcops.com
Whenever I mentioned spam a few years ago all the geeks would tell me that Bayesian Filters would totally solve the problem.
What happened?
No sig today...
Soon we will have /. phishing e-mails like "Cmdr. Malda wants to know your password so he can test something with your account!"
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I have currently for 40 domains about 200 mails a day (what is normal for working clients)
But I need to block 12000 mails a day on spam
That is a rate of more than 98% a day of spam
when will they learn that I just drop those mails
So who would benefit from the effects of Spam?
Those wanting to reduce our performance as a nation.
Those wanting to occupy or divert the attention of the people from real issues.
Those wanting to create a reason to regulate and control the Internet.
Those who sell anti-spam anti-virus software
Those wanting to disrupt (clog up) the free flow of valuable information on the Internet.
Anyone think of any other reasons?
"an infinite player that has lost his finite mind" ~Infinite Play the Movie (it blends with reality)
The sun will, in fact, rise tomorrow. And, An adjustment to the title of this thread to "Google Says Spam, Virus Attacks to Get More Cleverer"
The outcome of any serious research can only be to make two questions grow where only one grew before. - Thorstein
They found the biggest security weakness of every single company... The Pointy Haired Ones.
I HAVE a Macintosh!
wait... ? Maybe I have a LINUX!
In any event, I don't have one of those silly WINDOZE machines!
I AM SAFE, you stoopid WINDOZE users!
- Ecsad Essemal
The Hexadecimal TV-REMOTE!
It's not the viruses that are magically getting more clever, it's the virus and spam authors.
...of course, how you do that without actually educating the less-than-savvy Common User is a daunting question, so we're probably screwed anyway. (Or at least, they are.)
It's not as trivial a distinction as it seems. The article's comments are obvious when you look at it that way -- it's already well-known that organized crime and other crooks-who-know-what-they're-doing are getting involved. We've seen increasing numbers of very well-written, highly targeted attacks. It's not just Nigerian business deals any more.
This distinction goes to the core of how you fight spam and assorted malware. We're used to fighting the broadcast attack. For the targeted stuff, it's going to be doubly important to secure the computer that receives the messages or gets infected by the virus, and to decrease the amount of information that makes up the potential payoff. This is both to prevent the crime and also to reduce the incentive for this kind of attack in general.
Freedom isn't free; its price is the well-being of others.