Slashdot Mirror


Personalized Spam Rising Sharply, Study Finds

designperfection9 writes "A new study by Cisco Systems Inc. found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use."

33 of 142 comments

  1. 30% of all Web traffic? by alain94040 · · Score: 5, Interesting

    From the article:

    The latest study was based in part on [Cisco's] ability to monitor 30 percent of all Web and e-mail traffic

    I hope the journalist misunderstood something, otherwise all my fears about the NSA just got crunched.

    --
    iPhone Apps review site looking for bilingual testers

    1. Re:30% of all Web traffic? by morgan_greywolf · · Score: 5, Funny

      Not to worry. The NSA monitors 100% of all Web and e-mail traffic! Thanks to The New AT&T: Your World, Delivered. To the NSA.

  2. Anti-spam Legislation by unlametheweak · · Score: 5, Funny

    It's a good thing there is anti-spam legislation.

    1. Re:Anti-spam Legislation by oldspewey · · Score: 5, Funny

      Your response demonstrates a ...

      [ ] clueless
      [x] sarcasm-based
      [ ] battlescarred
      [ ] well informed

      ... approach to interpreting spam stories ...

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re: Anti-spam Legislation by Progman3K · · Score: 2, Funny

      Except the 'anti-spam' legislation, legitimizes spam, provides for safe harbor and prevents the endusers suing the ISPS for fowling their inboxes ..

      As if regular spam wasn't enough, now I have to worry about 'em jamming chickens into my inbox.

      --
      I don't know the meaning of the word 'don't' - J
  3. What bothers me more is by rolfwind · · Score: 4, Insightful

    the rise in "security questions" which are essentially weaker passwords. This personalized spam proves getting to much of that info is easy. But now, so often, when I register an account, in addition to a password, there is always a "security password" to null and void that password and get back in easier.

    Some of the better services let you choose your own security password, but others only have a short list of really lame ones (1st car, pet, place of birth) which is not secure at all. I make sure to put in a nonsensical random string as an extra security measure. And this just proves it fallible.

    1. Re:What bothers me more is by unlametheweak · · Score: 4, Insightful

      The real problem is people visiting Web sites through email links, and replying to unsolicited email (from companies they recognize or not). Banks don't conduct business through yahoo email addresses. The real issue is educating consumers, or having consumers educate themselves. One does not drive a car without knowing the rules of the road (despite what people may think of cliched analogies), and email clients shouldn't be Web 2.0 browsers.

    2. Re:What bothers me more is by zappepcs · · Score: 3, Interesting

      What you are saying is true, but it can't be legislated. It can, however, become a vocation. Yes, for just 3 easy payments of $19.99 we'll teach you how to be safe on the Internet.... blah blah

      An internet driver's license seems like a good idea till you think about all the absolutely retarded drivers you saw on the way home from work recently. Then it sinks in: some people are NOT trainable.

      If you think of the Internet as a huge data warehouse and spend some time with a scripter it will not take long to find out that you can personalize millions of spam emails with little to no effort other than writing a script or two. All you need is for 1-2% of those to reply and enter logon details and you have a profitable business plan, albeit illegal.

      When so little return can still make you profitable, it's hard to discourage spammers. Internet driving licenses would not prevent that 2-5% of the population that can't be taught to tie their shoes from answering unsolicited emails. There is a base or root value where crooks and con artists will always be able to find prey, whether they are selling gilt edged bibles or offering better sex or longer life. Hell, there are those that are flogging lame do-nothing anti-spyware software in an effort to fleece them of their money.

      As long as there are humans and an Internet there will be spam problems. You could even set up a business as an online retailer clearing house where people would send you money to pay for things for them, trusting you to tell them when it is a con job. There are those who would pay for it... say $2.50 per event to be sure they didn't get conned. How's that for a scam?

      See... this problem won't go away anytime soon. Washington? Are you listening? New laws will only make this situation WORSE, not make it go away.

    3. Re:What bothers me more is by xaxa · · Score: 4, Interesting

      A bigger problem is when you can't provide a decent, random string for the "security question". I opened a bank account online last week, but had to go to a branch to prove my identity (fair enough). The banker didn't like where her PC said I'd put "438@@/arcCHK" as my mother's maiden name, and asked for a real name. I'm waiting for the online banking activation codes to come through, I hope it doesn't depend on this value.

    4. Re:What bothers me more is by zappepcs · · Score: 4, Insightful

      That's the problem. When people delete .dll files from a system directory, do you think that somewhere in their mind is the thought "hmmm, maybe I should get someone who is qualified to look at this?"

      To you and I, this makes sense, but to the great unwashed masses looking at files and configurations inside their PC is about as daunting as trying to fix their tv when the sound stops working. They open up the case, and with screwdriver in hand, start poking around looking at various bits inside the tv. Yes, I'm aware that is a bad analogy, but here's the kicker: if you had to have a screwdriver to get inside your computer's system files perhaps more people would take it to a professional to get it fixed.

      Sidenote: This is one of the things that I think Ubuntu has done right. They made it as easy as possible to be a new user, to install and start using. They also have done what can be done to hide the internals from that user, and to try to prevent that user from having too easy of access to things they really don't need to be messing around with.

      To put it another way, novice skydivers should not pack their own chutes. New drivers should probably never be asked to change a distributor. Novice computer users should not be asked to be administrators. In my home I'm the sysadmin and everyone else are just users who don't have access to much except using the computer. They can't install anything, can't change system settings, nothing. For all that effort, they ask me for something maybe 1-2 times every two months. Most recent was login problems due to disk quota being reached by one user. I had notifications setup incorrectly so didn't get warnings. Click click, problem gone. I really want to figure out how to run a business based on this. A business where normal end users can contract out a sysadmin at reasonable cost.

    5. Re:What bothers me more is by oldspewey · · Score: 4, Funny

      Internet driving licenses would not prevent that 2-5% of the population that can't be taught to tie their shoes from answering unsolicited emails.

      That's why we need to get proactive. We need some kind of white hat agency that sends out trojan-riddled spam to everybody on the planet. Those who are sufficiently stupid or gullible will open and act on the spam, which will immediately reconfigure their computer: my recommendation is that it irrevocably turn their machine into a slightly more advanced equivalent of a Fisher Price Activity Center, with lots of shiny buttons and spinning graphics the users can click on but no network connectivity of any kind.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    6. Re:What bothers me more is by inviolet · · Score: 2, Interesting

      The real problem is people visiting Web sites through email links, and replying to unsolicited email (from companies they recognize or not). Banks don't conduct business through yahoo email addresses. The real issue is educating consumers, or having consumers educate themselves. One does not drive a car without knowing the rules of the road (despite what people may think of cliched analogies), and email clients shouldn't be Web 2.0 browsers.

      In real life this "don't talk to strangers" / "don't buy from some guy in a back alley" issue is solved with our eyes and our sense of context. There is no context or visual aid when browsing to a website or reading an email... hence, people will click anything. They are still subconsciously relying on their vision ("a normal-looking email message") and context ("here safe in my home") to judge the safety of interacting.

      So let's stop trying to fix people, rowing upstream as such, and instead go with the flow. Write a web browser and an email client that change their appearance based on trust chains or certificates or whatever we use to authenticate known-good entities. When reading an email from a stranger, or an email from bankofamerica.com that lacks the proper signature, the email window turns black and gets covered in spikes. Same with the web browser.

      Or bring back clippy, and have him appear as a shady-looking guy in an overcoat, standing next to the email, and he opens his coat to sell you something if your mouse hovers over a link. Or whatever. Point is, work *with* humans' natural authentication mechanisms, rather than whine about how users are clueless.

      The real cluelessness is us programmers who ignored our knowledge of existing human authentication systems when we wrote email clients and web browsers. Gee, "let's make all web pages appear equally clean and safe, and then expect users to not click the mean ones!"

      --
      FATMOUSE + YOU = FATMOUSE
    7. Re:What bothers me more is by sootman · · Score: 4, Funny

      Are you of the Boston 438@@/arcCHKs?

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    8. Re:What bothers me more is by Opportunist · · Score: 2, Funny

      No, the ones from UnK)z5qs.

      I have no idea what the town was called before the earthquake, sorry.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Personalized, but not personal. by Boogaroo · · Score: 2, Insightful

    Really, at this point, who is falling for this stuff?
    Even with personalization, I am getting the same "custom" messages from 15+ "female" names. When you get your formula spam message, does anyone click on them anymore?

    Is there still money in spam, other than the money from selling the spam lists and spam network?

    1. Re:Personalized, but not personal. by gstoddart · · Score: 2, Insightful

      Really, at this point, who is falling for this stuff?

      Seriously? There's a lot of people coming onto the web who have never been there. I was stunned last year when my retired (not computer literate) parents bought a laptop and got a broadband connection.

      Increasingly everyone is being told that if you're not on line you're missing out on something. Unfortunately, the sophistication and knowledge required to do this safely belies the ease with which people can connect and then if they don't know anything about such things, they're at risk. People just aren't being made aware of the danger, and don't really understand all of the ways that they can get into trouble.

      When my parents first went on-line, I gave them a fairly stern lecture telling them of what to be wary of -- specifically I said don't ever give any identifying information to a site you don't know and trust, and trust almost nothing which comes into your inbox, especially if it claims to be from a bank or the government. So far, a healthy dose of skepticism about the truth of what's in their inbox has probably served them fairly well.

      The world hasn't exhausted its supply of people who just don't know all of the risks and dodgy areas they need to watch out for, and the tools they're using may not be nearly as safe as we'd like. The fact that it's being marketed as easy to do without explaining some of the danger is a contributing factor.

      Is there still money in spam, other than the money from selling the spam lists and spam network?

      Of course there is, otherwise you wouldn't see it. It only has to have a very small hit rate to be hugely profitable. When you're sending a couple of million emails at a time, the 1% of people who fall for it are plenty enough.

      Cheers

      --
      Lost at C:>. Found at C.
  5. Just a coincidence by sunking2 · · Score: 3, Insightful

    Cisco will soon be introducing a product to address this exact problem!

  6. Pretty scary by spyrochaete · · Score: 5, Informative

    I received one spam email this year which was addressed to me, using my proper first, middle, and last name, as well as my old address back from when I used to live with my parents. The only place I would have volunteered this information online was the Monster job website several years back. I emailed Monster, rather furious at how lax their privacy was. They confirmed that this was their fault but were completely unapologetic.

    Fortunately (I think) I never received a second email like this.

  7. Just Shotgun Spamming... by damn_registrars · · Score: 4, Insightful

    Is it really personal spamming? I've seen spam posing as bank notices for a long time. Generally, first you see them (posing to be) from the largest banks, and then over time you start seeing them (posing to be) from regional and local banks as well.

    And considering how many people use online banking, it is pretty reasonable for many people to expect to see an email from their bank on occasion.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  8. Very personalized... by jshackles · · Score: 5, Funny

    How did they know I was looking for penis enlargement pills and cheap viagra?!?!

  9. Now I am going to be worried by Chrisq · · Score: 5, Funny

    Personalized Spam Rising Sharply

    Now I am going to be worried every time I get one of those adverts for penis enlargement

    ....who told them?

    1. Re:Now I am going to be worried by jollyreaper · · Score: 2, Funny

      Personalized Spam Rising Sharply

      Now I am going to be worried every time I get one of those adverts for penis enlargement ....who told them?

      Data mining. You must have ordered some of those little finger condoms people use in food service to cover up cut fingers and they just assumed it was for something other than food service. I'm still enraged that from my purchase history of metal they were able to decide Madonna's latest would be a good recommended buy for me.

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    2. Re:Now I am going to be worried by DevConcepts · · Score: 5, Funny

      Just got an email...
      With the success of Viagra, many new performance drugs for men go into development:

      --PROJECTRA: Men given this experimental new drug were far more likely to actually finish a household repair project before starting a new one.

      --COMPLIMENTRA: In clinical trials, 82% of middle-aged men noticed that their wives had a new hairstyle. Currently being tested to see if its effects extend to noticing new clothing.

      --BUYAGRA: Married men report a sudden urge to buy their wives gifts after taking this drug for only two days. Still to be ascertained: whether the results extend to not minding when women spend money on themselves.

      --ANTI-AGRA: Promises the exact opposite effect of Viagra. Currently undergoing clinical trials on U.S. Senators.

      --NOSPORTAGRA: This drug makes men want to turn off televised sports and actually converse with other family members.

      --FLATULAGRA: This complex drug converts men's noxious intestinal gases into air freshener.

      --FLYAGRA: This drug shows great promise in treating men with O.F.D. (Open Fly Disorder).

      --LIAGRA: This drug helps men lie more successfully when asked about their sexual affairs. Will be available in Regular, Grand Jury and Political Strength versions.

  10. Re:Suspicion runs high by morgan_greywolf · · Score: 2, Funny

    So that's why you never respond to my e-mails. You're fired!

  11. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  12. reunion.com by fprintf · · Score: 2, Interesting

    My father just kicked off a flurry of spam from his inbox, and I have been helping him to reach out to his entire address book to stop it from spreading any further. According to him:

    "I received an email from my dearest friend from England, who I have not spoken to in some time, asking me to join Reunion.com. I clicked on the button in the email and it sent me to a site giving me the option to sign up for the service. Until I got your call, I had no idea that it sent out emails to everyone in my address book. It was a nicely worded email and didn't seem like spam at all."

    Now that they have his email address, one that he does not want to give up, I am afraid he, and everyone on his address list, will now be the target of even more personalized spam. I hope my gmail filter catches most of everything, but I have no doubt in a few months I'll be looking for pen!s enlargement devices, v!agr@ etc.

    --
    This post brought to you by your friendly neighborhood MBA.
  13. Re:Not just them by elrous0 · · Score: 2, Insightful

    They understand it. They just don't give a shit.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  14. Re:Not just them by Sfing_ter · · Score: 3, Interesting

    Of course they do, it's just that if they don't do as NSA says, then they don't get to continue to rebuild their monopoly. It be Bidness, and the constitution gets in the way of Bidness.

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  15. Simple Solution by WagonWheelsRX8 · · Score: 2, Insightful

    There is a surprisingly simple solution to the SPAM problem but no one likes it. Charge to send e-mail. It doesn't have to be much (heck a penny an e-mail would probably suffice).

  16. Re:Not just them by jlarocco · · Score: 3, Insightful

    Maybe that's because understanding the constitution isn't the telcos' job? Get pissed at the government. Defending the constitution is their fucking job, and they were the ones telling the telcos what to do.

    Don't get me wrong, I'm not happy that the telcos went along with it, but you have to place the blame where it belongs - on the government people who initiated the action in the first place.

  17. Re:Not just them by dmneoblade · · Score: 4, Insightful

    Telcos do, however, have a responsibility to say "Sure, as soon as you give us a court order, we'll get right on that." If they don't, then they are waiving the right to your privacy for you, and they are just as guilty.

    --
    Warning, knife is sharp. Please keep out of children.
  18. Re:Not just them by greg_barton · · Score: 3, Insightful

    Maybe that's because understanding the constitution isn't the telcos' job?

    Understanding the constitution is every American's job.

  19. Re:Not just them by Vakara · · Score: 2, Insightful

    The case against the telcos is based on violations of law, not constitution. The telcos violated provisions in FISA which placed specific parameters around what they are legally allowed to do (and required to obtain) in order to perform surveillance on US citizens or within US territories. The provisions are specific enough that civil damages are specified in the actual law (per incident!) to further incent the telcos to obey the law.

    The government asked for something they shouldn't have, and most of the telcos (not all!) gave up something they were legally obligated to protect. As far as I'm concerned they are both fair game.