MX Logic IT Security Blog

31 May 2007

How big is the Soloway arrest?

I was talking with our PR firm today about the importance (or lack thereof) of the Robert Soloway arrest. Since it seems as if everyone has an opinion on the topic, myself included (I'm not typically known for lacking an opinion on something, for better or worse), I figured I would make mine known.

Before I get labeled a naysayer, let me first say that any time a spammer is arrested, particularly one responsible for as much spam and fraud as he was, it is a good day. Soloway operated in a manner where he made no great strides to hide who he was or what he did. He is widely known throughout the industry both for his "business model" and for his arrogance and confidence that he would never be caught. So much for that.

The bigger question at hand, though, is whether or not the arrest of Soloway will make any real difference in the amount of spam on the internet. My opinion is that it won't. If it does, it will only be a short-term blip on the radar. There are certainly enough other people out there ready, willing, and able to pick up the slack in Soloway's absence. More people are jumping into the spamming fray on a daily basis, not to mention that Soloway wasn't the biggest spammer out there anyway. Yes, he was a big fish in the pond, but there are certainly bigger fish still out there.

The spam fight is by no means over. This is a great victory, but it is only one small battle in the overall picture. Hopefully we will see more of these arrests in the near future, because a big part of the spammer bravado is the feeling that they cannot and will not be caught. Until more of the big fish are taken offline there is little to deter more little fish from jumping into the pond with the same arrogance.

Posted by smasiello at 10:00 AM

30 May 2007

BBB Malware Spam

Perhaps you have heard a bit about the malware spam that started late last week purporting to be an email from the Better Business Bureau? The scammer who crafted the message went to great lengths to ensure that it looked as legitimate as possible. The subject line typically started with "BBB Complaint for " followed by a case number, and the message body also referenced the targeted company by name. The from address varied, but was always in the bbb.org domain.

This attack is a perfect example of something that I (and many others) have been saying for a while: malware and spam attacks will continue to become more targeted in nature and will be distributed on a much smaller scale in an attempt to fly under the radar of most service providers.

Message volume in this attack was pretty low, but it was the method of targeting its victims that made this particular malware attack interesting. The message was sent primarily to executive-level company managers. Once a machine was infected, a keylogger was installed. This defeats the protection SSL gives a web site, because the keystrokes are captured directly from the user's keyboard, not from the form elements inside the SSL-encrypted session.
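As an added illustration (not code from the original post or from MX Logic's filters), here is a small Python triage check built from the indicators the post names: the claimed bbb.org From domain, the "BBB Complaint for" subject line, and an attachment. The sample message, the risky-extension list and the two-indicator threshold are my assumptions, not details from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators from the campaign described above: a claimed bbb.org sender,
# a "BBB Complaint for ..." subject with a case number, and an attachment.
# The risky-extension list is an assumption made for illustration.
CLAIMED_DOMAIN = "bbb.org"
SUBJECT_RE = re.compile(r"^BBB Complaint for .+", re.IGNORECASE)
RISKY_EXT = (".exe", ".scr", ".pif", ".zip")

def sender_domain(msg):
    # From is attacker-controlled; this only extracts what the lure claims.
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def bbb_lure_indicators(raw):
    """Return the campaign indicators matched by one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if sender_domain(msg) == CLAIMED_DOMAIN:
        hits.append("claims bbb.org sender")
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("BBB complaint subject")
    if any(n.lower().endswith(RISKY_EXT) for n in attachment_names(msg)):
        hits.append("executable attachment")
    return hits

def is_bbb_lure(raw):
    # Require two independent indicators so a real bbb.org mail is not flagged.
    return len(bbb_lure_indicators(raw)) >= 2

# Constructed sample modelled on the lure; company, case number and addresses
# are placeholders, not values taken from the actual campaign.
SAMPLE_LURE = """From: Better Business Bureau <complaints@bbb.org>
To: cfo@example.com
Subject: BBB Complaint for Example Corp - Case 000000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Complaint_000000.exe"
Content-Disposition: attachment; filename="Complaint_000000.exe"

(binary payload omitted)
--b1--
"""
```

Run `bbb_lure_indicators(SAMPLE_LURE)` to see which indicators fire; a plain newsletter from a bbb.org address trips only the sender check and is not flagged.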

One of the data repositories for this attack has been found (there is a great writeup over at the SecureWorks website), and according to them, as of a couple of days ago, more than 1,400 people had been confirmed as victims. That number has likely increased as targets who took time off for the long holiday weekend come back to their inboxes and find the scam waiting for them.

It'll be interesting to see whether or not we see some morphs of this attack over the coming days using other government agencies as social engineering vehicles in an attempt to get more users infected.

Posted by smasiello at 11:29 AM

15 May 2007

A Pump and Dump Shift?

A couple of weeks ago we saw a one- or two-day surge in stock pump and dump scams touting German stocks. They were your typical run-of-the-mill image-based stock pump and dump, where the body of the message contained either no text or a bunch of random, meaningless text at the bottom, but with a twist: the images, instead of being attached to the message itself, were hosted by a legitimate image hosting site, imageshack.us.

Linking to the image as opposed to including it within the message payload is certainly not a new tactic, and was primarily how image spam used to be sent about 3 years ago.

The Internet Storm Center posted an interesting perspective on this, however. Their speculation is that perhaps some of the moves being made by the SEC (blogged about back on March 13th; read the original entry here) to halt trading in stocks being targeted by scams might be bearing some fruit.

Perhaps this is true, but I see it more as a widening of the market to a more global level. Perhaps I am simply being a pessimist about how effective the SEC's efforts are going to be, because I am more of a results-driven kind of person.

I'll be more than happy to state that I was wrong when I see results, but I truly see this move less as a change of tactics brought on by the SEC (although I concede that may certainly be part of it) and more as an attempt to play other markets and determine what the uptake on these scams will be in other countries.

In the end, the intent is primarily to target the largest market to get the biggest bang for your buck (pun not intended), and the United States is that market. Depending on how other countries react to these scams penetrating their markets, we will likely also see them evolve measures like those the SEC has already implemented, which in turn will help the SEC bolster its own policies.

Posted by smasiello at 11:43 AM

11 May 2007

The Botnet Paradox

We are seeing an interesting contradiction in spam and botnet trends recently.

Over the past 3-4 months our observed spam levels have dropped by 35-40%. We aren't the only ones seeing this drop, either. Many ISPs across the industry are reporting the same or similar drops in volume. Although none of us mind the decreased bandwidth usage for junk mail, it is counterintuitive given the astronomical increases in volume seen during most of 2006.

The folks over at the Shadowserver Organization, however, are reporting that the number of infected machines (bots) on the internet has tripled over recent weeks!

Huh?! Triple the bots with one third less spam? How can that be?

Here are a couple of theories:

-- Spam is seasonal. Although botnets know no season, this is typically the time of year when spam levels have traditionally dropped off. Since just about everyone has an online presence nowadays (and you should if you want any chance of success), retailers are no longer sending out emails about holiday specials and sales (the Christmas season seems to start earlier every year!) to lure you to their web sites in the hope that you might buy something. We generally start seeing a pickup between May and July that lasts through the end of the year. Last year our spam traffic, and many others', increased on the order of 300-400% between May and December! That far outweighed the volume increase of any previous year.

-- The calm before the storm. The major spam gangs could be in the midst of preparing for a major spam and malware onslaught. This is the time they are using to organize the plan of attack before their wrath is released. Not to sound insensitive to the tragedies caused by terrorism, but government agencies also reported an eerie lull in the terrorist communication channels they monitor before the attacks of September 11, 2001.

-- A changing of the guard. One of the things I frequently speak of when asked what changes I see coming in 2007 and beyond is the transition from the larger, spread-out spam assault to the smaller, more concentrated attack. In criminal activity the key to avoiding getting caught is to stay below the radar and undetected.

An easy way to end up on the radar of the large service providers is to send out a massive spam run to a lot of unsuspecting end users. Although they are competitors, ISPs talk and share information, particularly on spammers. Chances are that if you are a spammer showing up on one ISP's radar and getting blocked, it won't be long before you are blocked by all of them.

This is where smaller, more localized attacks come in. Concentrated attacks against a single target, or a small number of targets, have the potential to yield much better results, as it could be easier to stay below the line of detection at the ISP level. My standard disclaimer here is that I am making no claims about the ability of any ISP to detect these types of attacks. This is simply a theory about a possible change of tactics by bot masters.

The next couple of months will be very telling for all involved in the anti-spam fight. I, for one, am looking forward to it!

Posted by smasiello at 11:10 AM

09 May 2007

The Economy of a Phisher

I read an interesting blog post this morning on phishing social networking sites. There have been a few of these types of interviews floating around lately with similar content, but it never ceases to amaze me just how many victims of e-crime like phishing there are out there. This particular phisher said that he phishes about thirty thousand people per day!

Now, of course, the big unknown here is whether "lithium" (the handle of the phisher being interviewed) is being honest in his numbers (his track record for honesty is obviously debatable, since he is a criminal) or inflating his stats just to show off. Either way, even if his number is inflated by a factor of 10, that still means 3,000 people per day are being phished by this one person alone! Multiply that by the number of people sending phishing scams (I tried to research this number, but couldn't find a solid figure) and the number of victims on a daily basis is astronomical!

Radicati estimates that losses as a result of cyber crime in 2007 will be approximately $75 billion. A large part of these losses will be as a result of phishing scams.

The other interesting piece of this interview is that the phisher primarily targets social networking sites like MySpace. Security experts have long said that the weak link in the security chain is user education. What better target than younger people who may not have a solid (or any) understanding of internet security? These people are prime targets and the phishers know it!

The internet is full of people of different backgrounds, levels of naivety, and levels of technical knowledge. Anyone is considered a "mark" by a scammer. Keep yourself educated. It's too late to understand the ramifications of cyber crime after you have already become a victim!

Posted by smasiello at 8:40 AM

04 May 2007

What a Wild, Wild April It's Been!

It's certainly been an April to remember in the email filtering world. We've seen a couple of new things pop up over the course of the month:

-- Several Storm Worm Variants
-- New and Improved Image Spam! Now with Malware!

I've blogged previously about some of the Storm Worm variants we had been seeing. There have actually been quite a few variants of the Storm Worm since we originally saw it back in January. The ones that seem to have had the most success are those that use effective social engineering tactics.

The original Storm Worm was named as such because one of its initial variants was propagated via email using the subject line "230 dead as storm batters Europe." The reason this was so successful was that a serious storm was hitting parts of Europe at the time, causing a large amount of damage and loss of life. As such, people were interested in reading about it and watching the "video" that came with the email. The only problem is that the video wasn't a video at all. Once opened, your machine was infected and used as a vehicle to send out more copies of the worm.

A variant we saw this month took a bit of a different approach. It played on human emotion, using subject lines like "A Token of My Love", "I Love You With All I Am", and "A Rose For my Love" to get unsuspecting victims to open a "greeting card" attachment. Like the "video" in the previous example, there was no love to be found in this email. This variant was somewhat akin to the "I Love You" virus from back in May 2000, when messages with the subject line "I love you" and a Visual Basic script attachment spread across the internet like wildfire. Funny how history repeats itself sometimes, eh?

A new variant of image spam is upon us as well. We are seeing image spam that now also includes links. These links, however, take users to malicious web sites where their PCs are infected with malware (mostly keyloggers), so that after you take advantage of the great stock tip (or even if you don't) the malware author can steal your login credentials for your bank or brokerage web site.

I guess it wasn't enough to just make their typical 5% return on a stock pump and dump. Why stop there when they can take every cent you have instead?

This all just goes to show that email as a malware distribution mechanism or as a vehicle to malicious web sites is still an effective tool and is not going away anytime soon.

Posted by smasiello at 12:34 PM

© MX Logic, Inc. All Rights Reserved.