December 25, 2009
Malware writers vying to violate virgin computers
"Look, Igor! Fresh meat!"

Yes, it's that time of year when millions of new computers come out of the box and onto the internet. And what will the proud owners do first -- update the trial antivirus software, or check their email?

I know which way the scammers think things will go, because they've spent Christmas Eve bombarding inboxes with new malware and phishing spams. Here are some examples. Avoid all of them -- some of these links were still alive at the time of posting here:

Subject: Facebook update tool

Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Click here [links to http://www.facebook.com.itfhtl1ii.com.pl/usersdirectory/LoginFacebook.php?ref=long string of code] to update your account online now.
If you have any questions, reference our New User Guide.
Thanks,
The Facebook Team
Update your Facebook account
Update
This message was intended for [you]@[yourISP.com].
Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.

Subject: DHL Customer Services. Please get your parcel NR.5789

Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly.
Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
DHL Services.
[attachment "DHL_Print_label_76434.zip" is malware]

Subject: You have some wrong items in your Credit Report.

You have some wrong items in your Credit Report. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink. [links to http://session-5766072233698.fcb.org.icuf1itll.be/scorepages/h-files/assistant.php?session=long code number]
======================================
Federal Credit Bureau

Subject: your VISA card 4XXX XXXX XXXX XXXX: possible fraudulent transaction ID 19469529001

Dear VISA card holder,
A recent review of your transaction history determined that your card was used at an ATM located in Angola, but for security reasons the requested transaction was refused. Please carefully review electronic report for your VISA card at:
http://sessionid-202UOB2CK81RMK.visa.com/cards/alerts/transactions.php?ref=[long code number]
Mess ID: [long code number]

(If you're wondering how they knew your Visa card number starts with 4 -- it's because they all do.)
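The samples above share one trick: a familiar name is pasted in front of a throwaway domain, so `www.facebook.com.` sits in front of `itfhtl1ii.com.pl` and `fcb.org.` in front of `icuf1itll.be`. The script below is an added example and not part of the original post. It pulls the hostname out of a link, works out which domain actually controls it, and reports any look-alike domain planted in the subdomain part. The small suffix table is an assumption standing in for the full public suffix list, the `PLACEHOLDER` values stand in for the long tracking codes the post elided, and the plain `facebook.com` link is a constructed benign control.

```python
from typing import List, Optional
from urllib.parse import urlparse

# Stand-in for the Public Suffix List (assumption: a real tool would load the
# full list from publicsuffix.org); these entries cover the TLDs in the samples.
PUBLIC_SUFFIXES = {
    "com", "org", "net", "be", "pl", "hn", "mx", "uk",
    "com.pl", "co.uk", "com.mx", "com.hn",
}

# Links quoted in the post, with the long tracking values replaced by a
# placeholder, plus one constructed benign control at the end.
SAMPLES = [
    ("http://www.facebook.com.itfhtl1ii.com.pl/usersdirectory/LoginFacebook.php?ref=PLACEHOLDER", "facebook.com"),
    ("http://session-5766072233698.fcb.org.icuf1itll.be/scorepages/h-files/assistant.php?session=PLACEHOLDER", None),
    ("http://sessionid-202UOB2CK81RMK.visa.com/cards/alerts/transactions.php?ref=PLACEHOLDER", "visa.com"),
    ("https://www.facebook.com/login.php", "facebook.com"),  # constructed control
]


def registrable_domain(host: str) -> str:
    """The domain somebody actually registered: one label more than the longest
    public suffix that matches the end of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):               # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def embedded_domains(host: str) -> List[str]:
    """Look-alike domains planted in the subdomain part, e.g. 'facebook.com'
    inside 'www.facebook.com.itfhtl1ii.com.pl'. Only labels left of the
    registrable domain are scanned, so the owner's own name is never reported."""
    labels = host.lower().rstrip(".").split(".")
    owner_labels = len(registrable_domain(host).split("."))
    sub = labels[: len(labels) - owner_labels]
    return [f"{sub[i]}.{sub[i + 1]}" for i in range(len(sub) - 1)
            if sub[i + 1] in PUBLIC_SUFFIXES]


def assess_url(url: str, expected_domain: Optional[str] = None) -> List[str]:
    """Findings for one link; an empty list means this check found nothing.
    expected_domain is the domain the message claims to come from, if known."""
    host = urlparse(url).hostname or ""
    owner = registrable_domain(host)
    findings = []
    if expected_domain and owner != expected_domain.lower():
        findings.append(f"link is controlled by {owner}, not {expected_domain}")
    for fake in embedded_domains(host):
        findings.append(f"hostname hides look-alike {fake} under {owner}")
    return findings


if __name__ == "__main__":
    for link, claimed in SAMPLES:
        result = assess_url(link, claimed)
        print("SUSPICIOUS" if result else "no finding ", link)
        for line in result:
            print("    -", line)
```

Run as-is, the Facebook and Credit Bureau links come back with findings and the control does not. The Visa link, as it is quoted in the post, sits directly under visa.com and passes this check, which is the reason a hostname heuristic is one filter among several rather than a replacement for the advice at the end of the post.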
There's a recent pattern of abuse of Belgium's .be TLD. They don't accept abuse reports; instead they make you report it to Belgian law enforcement, giving the scammers crucial extra time to infect computers and collect identity data before their domains are taken off line.

Checking via nameservers (and how obvious is a nameserver called "ns1.misusefine.com"?) shows lots of other domain names that are used interchangeably in these URLs. Assume there will be a continuous flow of more as these are shut down:
tpotpdd1.be
progh1.be
dirdlpro1.be
progh2.be
dirdlpro2.be
dirdlpr3.be
tpotpdd.be
ittfljd.be
ittfldi.be
ittfdji.be
ittdlji.be
itdflji.be
ydtflji.be
dttflji.be
ittflji.be
xttflji.be
ixtflji.be
itxflji.be
ityxlji.be
ittfxji.be
ittflxi.be
icpf1itll.be
ictf1itll.be
pctf1itll.be
uctf1itll.be
iptf1itll.be
iutf1itll.be
icuf1itll.be
ictp1itll.be
ictu1itll.be
ictfpitll.be
ictfuitll.be
ictf1utll.be
ictf1iull.be
ictf1itul.be
vdfproo.be
dirdlpro.be
promoderp.be
vstdrerr.be
ictf1itlu.be
ittfljx.be
tiftijli1.co.uk
dirtotp1.co.uk
dirtotp2.co.uk
dirtotp3.co.uk
tiftijl1i.co.uk
tiftij1ii.co.uk
tifti1lii.co.uk
tift0jlii.co.uk
tift1jlii.co.uk
tif0ijlii.co.uk
tif1ijlii.co.uk
ti0tijlii.co.uk
ti1tijlii.co.uk
t0ftijlii.co.uk
t1ftijlii.co.uk
0iftijlii.co.uk
1iftijlii.co.uk
tiftijlii.co.uk
vdfproo.co.uk
itfhtlli1.com.pl
itfhtll1i.com.pl
itfhtl1ii.com.pl
itfht1lii.com.pl
itfh1llii.com.pl
1nagaf11.com
inagaf11.com
kjifatila.com
mjifatila.com
ujifatila.com
wjifatila.com
muifatila.com
mwifatila.com
mjufatila.com
mjwfatila.com
mjiuatila.com
mjiwatila.com
mjifwtila.com
mjifawila.com
mjifatwla.com
mjifatiwa.com
misusefine.com
inagaf1i.com
inagafti.com
igasafti.com
imasafti.com
gnasafti.com
ingsafti.com
mjifatilw.com
utfhtlliicom.hn
iufhtlliicom.hn
ituhtlliicom.hn
itfutlliicom.hn
itfhulliicom.hn
1nagaf11.net
inagaf1i.net
inagafti.net
igasafti.net
imasafti.net
gnasafti.net
ingsafti.net
itf1tllii.com.mx
it1htllii.com.mx
i1fhtllii.com.mx
1tfhtllii.com.mx
itfhtllii.com.mx
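Most of the names in the list differ from a neighbour by one or two characters (`ittflji.be`, `xttflji.be`, `ittfxji.be`), and the same stem turns up under `.be`, `.co.uk`, `.com.pl` and `.com.mx`. As an added example, not from the original post, the script below groups such domains into families by edit distance on the leftmost label, so whoever maintains a blocklist sees one campaign instead of a hundred unrelated names and can spot a new variant when it appears. The `DOMAINS` list is a subset of the names listed above; the two-edit threshold and the choice to ignore the suffix entirely are assumptions.

```python
from collections import defaultdict

# Subset of the domains listed in the post (the full list works the same way).
DOMAINS = [
    "tpotpdd1.be", "tpotpdd.be", "progh1.be", "progh2.be",
    "dirdlpro1.be", "dirdlpro2.be", "dirdlpr3.be", "dirdlpro.be",
    "ittflji.be", "xttflji.be", "ittfxji.be", "ittfljd.be",
    "icpf1itll.be", "ictf1itll.be", "ictf1itul.be",
    "vdfproo.be", "vdfproo.co.uk", "promoderp.be", "vstdrerr.be",
    "tiftijlii.co.uk", "tiftijlii1.co.uk", "t0ftijlii.co.uk",
    "dirtotp1.co.uk", "dirtotp2.co.uk",
    "itfhtl1ii.com.pl", "itfhtllii.com.mx", "1tfhtllii.com.mx",
    "misusefine.com", "mjifatila.com", "mjifatilw.com",
    "inagaf11.com", "inagafti.net",
    "utfhtlliicom.hn", "iufhtlliicom.hn",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b)).
    Assumption: the names are short, so a plain DP is fast enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def cluster_domains(domains, max_edits=2):
    """Single-linkage clustering over the leftmost label: two domains land in
    the same family when their stems are within max_edits of each other,
    directly or through a chain of intermediate variants. The suffix is
    ignored on purpose, because one stem was registered under several TLDs."""
    names = sorted(set(domains))
    stems = [n.lower().split(".")[0] for n in names]
    parent = list(range(len(names)))

    def find(x):                     # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if levenshtein(stems[i], stems[j]) <= max_edits:
                parent[find(i)] = find(j)

    families = defaultdict(list)
    for i, name in enumerate(names):
        families[find(i)].append(name)
    return sorted(families.values(), key=lambda f: (-len(f), f[0]))


def same_family(families, a, b):
    """True when a and b ended up in the same cluster."""
    return any(a in f and b in f for f in families)


if __name__ == "__main__":
    for fam in cluster_domains(DOMAINS):
        print(f"{len(fam):2d}  " + ", ".join(fam))
```

The output lists the largest families first; `misusefine.com`, `promoderp.be` and `vstdrerr.be` stay as singletons because nothing in the subset is within two edits of them. Single linkage is deliberate: `icpf1itll.be` and `ictf1itul.be` are two edits apart only through `ictf1itll.be`, which is exactly how these lists grow.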
New computers are fun, but keep your computer as clean as it was out of the box -- update the AV first, and use your head before you click on any links or open any attachments.
December 24, 2009
Fake security scan spamming Skype users
If you use Skype and accept messages from people not already on your friends list, you probably get spam messages regularly. This one showed up Dec. 24 from user "update.notice.bop17":

[1:57:41 PM] update.notice.bop17: URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!
http://www.updatekt.org/
For the link to become active, please click on 'Add to contacts' skype button or type it in manually into your web browser !
FULL DETAILS OF SCAN RESULT BELOW
****************************************
WINDOWS REQUIRES IMMEDIATE ATTENTION
ATTENTION ! Security Center has detected malware on your computer !
Affected Software:
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003
Impact of Vulnerability:
Remote Code Execution / Virus Infection / Unexpected shutdowns
Recommendation: Users running vulnerable version should install a repair utility immediately
Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.
http://www.updatekt.org/
For the link to become active, please click on 'Add to contacts' skype button or type it in manually into your web browser!

If you check out the site, you see an image trying to pretend it is a Windows directory on your computer:

It's especially fun to do that if you don't have Windows, or if you have changed your Windows color scheme to something other than the usual blue theme. (That's a useful way to catch less obvious versions of this trick, by the way: a fake "your computer" screenshot can't know what your desktop actually looks like.)

It's a common scam. Make the users think their own computers are reporting malware, so they'll be scared enough to download something to fix the problem. Needless to say, anyone who needs to do this to convince you to download their product is not trustworthy. And you should never download anything from someone who isn't trustworthy.
But wait, there's more. It leads you to a checkout page for a product called Repair Registry 2008. (At least Windows Antivirus 2010 keeps updating their name.) They actually want you to pay to have your computer infected with their product. So they can put what is probably malware on your computer, then get your credit card number, too. They're actually using a secure page on a third-party payment processing site, secureorderstore.com, which may or may not know what type of spammers they're doing business with. The seals from McAfee and GeoTrust are endorsing the security certificate of the payment site, not the software they're selling.

What kind of malware could you get from people like this? It could be anything. (I'm obviously not going to pay to find out.) Common types are "scareware" (programs that find nonexistent viruses and trojans, then make you pay for removal) and "hostageware" (programs that, once installed on your computer, won't stop creating popups or other annoyances until you pay to get them uninstalled). Others simply claim to be security software, but don't really detect anything worth paying for. That's often apparent when they are installed on Macintosh machines and proceed to find Windows problems that can't actually exist, or because the size of the file is far too small for what they claim to be able to do.

In any case, you don't actually need to know the details. Advertised in spam, using deceptive sales tactics -- run away as fast as you can. And report the spam, too.
December 9, 2009
Google scammers take aim at Barack Obama
Google made news on December 8 by filing a lawsuit against the perpetrators of the "Google Adworks" scam, a heavily spammed series of domains that claim one can make thousands of dollars a month from "working for Google." The whole scheme is explained on Google's blog, with the actual lawsuit here. (It's actually pretty good reading -- they really did some good research, especially considering how clueless Google previously appeared when spammers were registering thousands of Blogger sites to host spam links.)
The spam is still arriving with new links for the same scam, so the perps aren't too deterred. The registrar for the domains, Moniker, has been taking them down quickly when reported.
Birds of a feather flock together, and there are more of the same scam domains sharing the same IP address, 213.163.84.163 (a host called Serverboost in the Netherlands on the larger network AS49544, Interactive3D):
mylocaltimes.org
localtimes2.org
thelocalnews1.org
thetimesjobs.org
However, you also find a set of domains with a different web page:

It's the same scam, different target. This site has nothing to do with Barack Obama's political organization, "Organizing for America." And they don't actually say they do. But they display his logo, the name of the organization, and a quote from him. They don't display any information to explain who "USARelief" is, leaving people to wrongly assume they are part of the same organization. Example domains are:
realreliefusa.org
usa-relief.org
usareliefstimulus.org
myusarelief.org
usarelief.org
realreliefusa.com
Entering information leads you to path-2-grants.com:

The terms and conditions page hasn't been uploaded yet. But the names of the news organizations, the fake check and the phony testimonials look pretty similar to the Google scam pages, too.

So don't wait to hear it from hundreds of people who've already been scammed. Barack Obama has nothing to do with this. Scammers who are violating his trademark are going to be the last people on the planet who will be able to help you get government grant money.