Sophos

Archive for May, 2008

New Zealand hacker jailed in computer fraud and blackmail case

Behind bars

Last week, the High Court in Auckland, New Zealand, sentenced a hacker to three years in jail after finding him guilty of blackmail, document and computer fraud.

22-year-old Thomasz Grygoruk attracted the attention of the FBI after stealing personal information from thousands of people over the web in a five-year spree. The court heard that Grygoruk, from Howick, Manukau City, used a combination of Trojan horses and fake banking websites to steal information such as credit card numbers and PINs from unsuspecting internet users.

Having stolen the information, the hacker would then create ATM cards and steal up to NZ $300,000 (US $233,000) from cash machines.

According to media reports, Grygoruk also attempted to blackmail an American teacher in Pennsylvania to the tune of NZ $13,000 (US $10,000) by threatening to tell his local newspaper and police that he was a paedophile who was involved in an inappropriate romantic relationship with a student (a claim which transpired to be incorrect).

Five years of online identity theft earned Thomasz Grygoruk a considerable amount of cash, but also a life-changing spell in a prison cell. It also means that he has spent almost a quarter of his life committing computer crimes. There must be something wrong with the way we are educating young people about how to use computers and the internet responsibly if we keep seeing youngsters ruining their lives like this.

By the way, this is the second case of a young New Zealand hacker who had a run-in with the FBI to make the headlines recently.  Last month, Sophos reported on the conviction of 18-year-old hacker Owen Thor Walker - also known as “Akill”.  Walker, who admitted his role in an international botnet, was due to have been sentenced on Wednesday, but according to the New Zealand Herald has had his day in court postponed due to “procedural reasons”.


Are you living in an identity theft hotzone?

Yesterday a report from Experian revealed that incidents of identity theft in the United Kingdom have risen 66 percent in the last year, with most victims living in London.

According to Experian, residents in College Gardens in Tooting, south London, were almost five times more likely to fall victim to identity thieves than average. Other hotzones - which saw more than four times the usual level of reported ID fraud according to Experian - were scattered across the country. Great Cambourne near Cambridge, the village of Far Cotton, Northampton and the large housing estate of Ingleby Barwick, Stockton-on-Tees were singled out for attention.

Experian report

The fact is, however, that cybercriminals looking to steal information for financial gain will take whatever they can get their hands on, and that users everywhere should ensure their identities are protected online and that their computer security is up to date.  This includes ensuring no personal information is posted on social networking sites, software is patched and up to date, and PCs are running effective anti-malware and anti-spam solutions.

While young professionals living in Kensington are likely to be attractive targets for cybercriminals, the reality is that British computers from Land's End to John o'Groats are at risk - hackers will steal identities from anyone who leaves their personal information open to snooping crooks.

What’s more, fraudsters are increasingly turning to corporate identity theft - the rewards can be much greater and often the effort is the same.  Home workers using their own PCs are often the weakest link in corporate defences, so businesses and consumers alike mustn’t get complacent and must ensure all vectors of attack are protected, including ensuring remote workers’ PCs meet company security settings.

So whether you live in Tooting or Timbuktu, make sure you’re making life for the identity thieves as hard as possible by properly defending your personal information.


SPAM®, spam or flappertanknibble: What’s in a name?

SPAM®

The first ever can of SPAM® was produced in 1937 by Hormel Foods in Austin, Minnesota, and they’re still going strong.

Hormel's latest set of financial results show that SPAM® continues to sell well seventy years later, and for most of that time they didn't have to spend any effort making clear they weren't connected with unsolicited junk email.

It’s important to make the distinction between spam and SPAM®.  That’s one of the reasons why you’ll always find we never write “spam” in capitals when we’re talking about unsolicited commercial email.  Another reason is that we’d hate companies to think we were somehow protecting their email gateways from canned precooked meat.

I think the people who probably suffer most from this naming confusion are the marketing guys at Hormel.  They must spend so much time googling the web, trying to find out what customers, analysts and journalists are saying about their product and keep uncovering complaints about spammed email instead.

No-one would expect Hormel to change the name of their most famous product though.  Apparently, according to their SPAM® FAQ, the name was dreamt up by a chap called Ken who received a $100 prize for his efforts.  Hormel says that we have to thank him that we’re not all eating Crinkycrinky or Canned Flappertanknibbles.

And just imagine that. Defending your email systems with an anti-flappertanknibble solution from Sophos... No, that just sounds silly.

It's a bit tricky after 30 years of spam to get the world to adopt a new word for unsolicited junk emails though. The word has become too widely accepted, and the chances of successfully getting a new word into circulation are zero.

Nevertheless, it could be fun to hear what you think a better word for spam would be. Leave a comment if you have any ideas on what an appropriate alternative word for email spam would be.


Russian social networking worm wipes hard drive files

Vkontakte is the most popular social-networking website in Russia with over 12 million users, and is said to be the most popular Russian website full stop in terms of visitors (yes, even beating their home grown search engines).

Vkontakte

It’s sadly no surprise then to discover that the criminal underground have attempted to take advantage of the site - which bears an uncanny resemblance to Facebook - by spreading a worm.

The W32/VKon-A worm executes its payload at 10am on the 25th of any month, wiping all files on the user’s C: drive.  The guys in SophosLabs added specific detection for it yesterday, but Sophos products were already capable of detecting it proactively as Mal/Generic-A.

More information about this threat, including a screen capture of the cartoon it displays when it runs, can be found on the blog run by our friends at Kaspersky Lab.

Of course, this isn’t the first time that a social networking website has been struck by a malware attack.  For instance, in December 2007, Google’s Orkut site was hit by an infection which used a cross-site scripting (XSS) attack to infect hundreds of thousands of members’ profiles.

If you’re responsible for securing your business against attacks, you might want to consider once again whether you should have a policy at your web gateway controlling which users can access which websites.


Update on China quake cybercrime

Just minutes after I blogged about 419 scams exploiting the Chinese earthquake, we discovered a spammed malware campaign that is trying to infect people posing as breaking news of the disaster.

Chinese Earthquake Trojan horse

The attack comes in the form of an attached malformed Word document that takes advantage of an exploit to run malicious code.  Read “Fraudsters spam out Trojan Horse as China earthquake news story” to learn more.

It is becoming normal now for the guys in SophosLabs to keep a watch for waves of malware, spam and phishing campaigns in the hours and days after any high-profile news story, whether it be a tragic event like a natural disaster, a celebrity in the news for all the wrong reasons, or the premiere of the latest Hollywood blockbuster.

Maybe it's time we set up a plasma screen in the labs with a rolling 24-hour TV news channel...

Actually that might not be such a daft idea, especially if you remember how the Zotob worm hit the CNN studios live on-air three years ago, disrupting their regular scheduling…

Zotob worm hitting CNN live on-air


Scammers cash in on Chinese earthquake disaster

Last week's earthquake in South West China has resulted in an official death toll of over 40,000, with many other people still missing. The scale of the tragedy and its huge impact on the lives of hundreds of thousands of people is impossible to comprehend.

Sadly, internet scammers and cybercriminals stalk death closely and seem to have no compassion as they quickly try to take advantage of a huge disaster.  In the past we have seen hackers, phishers and 419 scammers exploit tragedies such as Hurricane Katrina, the Virginia Tech massacre, the West Virginia mining disaster, and terrorist bombings in London, to name but a few.

Yesterday, the FBI issued a timely warning about email scams pretending to come from victims of the Chinese earthquake.

Predictably enough, criminals have once again been quick to exploit other people's misery. Here is the text of a typical Chinese earthquake scam intercepted in our spamtraps:

Dear friend,I do not know your exact name. I can only guess.I ask you to read through my letter up to the end. After that you will be in the right to send my letter in a garbage basket or…….

My letter is caused by despair. I do not know to whom to address. I am compelled to ask for help any person. Mainly you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.

My name is Arnulfo. My situation enters me into depression and despair.

I will tell you shortly. I don’t even know how to express correctly my ideas. How to write you about this. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it’s stupid or incorrectly. But it is the only thing that is left to do. I just ask to understand me. I even should tell that it’s a shame to do it.

I shall continue. I do not know where you are. And I don’t know what news you saw on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it’s awful…

Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese language and culture. There I also have got acquainted with Jin It is my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.All. Everything was good. Yes, all was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not wish to describe that happened with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife’s parents. Jin was in despair.

But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one exit. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I couldn’t stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I don’t know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.

Two days have passed. Jin has called in my room in the hotel. She has told me that her parents and sisters are alive. But her two sisters have hard wounds. They were in other building when Earthquake has begun . It was awful. Also Jin has told that her city has great destructions, but their house hasn’t suffered too much. Many people have no houses and spend nights in the street. There is a Chaos everywhere. Family of my wife have dicided to remain at home. They did not think that Earthquake will repeat again.

[snip a few paragraphs!]

I have put in pawn the mobile phone. I have little money for Internet. I write a letter to you from internet-cafe. From the common e-mail.

Also some kind people who know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1000$. I have no opportunity to find such sum of money. I tried all opportunities to find the money. I don’t wish to think that money solve all in this world. I believe that the main thing is people and love. And I wish to believe that I will be able to be beside my Jin soon . We are sure shall be happy together.

Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I will understand you.I I address to you for a help. Your help is required to me. I shall tell directly that I ask you to help me with money. I will return you money later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I will see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I will return the money to you in the same way. I am ready to return you more.

I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.

I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have forced me to write this letter to you. I want  to use all variants To be near to my love.

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

I do not know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:

xxxxxxxxxxxxxxx@yahoo.com.ph

I have registered it right now. I will wait fo your answer to this e-mail. If you want to answer me

Yours faithfully Arnulfo

Our advice, as always, is to ignore scams like this and not respond.  If you do want to support the relief and recovery operations in China then it’s much better to donate to a legitimate aid agency such as The Red Cross.
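The plea quoted above carries the hallmarks that a mail filter can score without understanding the story: a stranger who admits not knowing the recipient's name, a named disaster, an explicit sum, a request for money via a cash-transfer service, a promise to repay more, and a freshly registered free webmail reply address. The scorer below is an added illustration, not Sophos code; the indicator weights, the threshold and the sample messages are all constructed for the example.

```python
import re

# Weighted indicators of an advance-fee ("419") plea. Weights and the
# threshold are assumptions chosen for this example, not a product scheme.
INDICATORS = [
    ("money transfer service", re.compile(r"\b(western union|moneygram)\b", re.I), 3),
    ("explicit sum requested",
     re.compile(r"(\$\s?\d[\d,]*|\d[\d,]*\s?\$|\b\d[\d,]*\s?(usd|dollars)\b)", re.I), 2),
    ("appeal for help with money",
     re.compile(r"\bhelp me with money\b|\bask you to help\b", re.I), 2),
    ("stranger admits not knowing recipient",
     re.compile(r"do not (even )?know your (exact )?name", re.I), 2),
    ("promise to repay more", re.compile(r"\breturn (to )?you (even )?more\b", re.I), 1),
    ("disaster hook", re.compile(r"\b(earthquake|hurricane|tsunami|flood)\b", re.I), 1),
    ("emotional pressure", re.compile(r"\b(despair|depression|tears|awful)\b", re.I), 1),
]
# Reply addresses on free webmail providers; the scam above used yahoo.com.ph.
FREE_WEBMAIL = re.compile(r"@(yahoo|hotmail|gmail)\.[a-z.]+$", re.I)


def score_419(body, reply_to=None):
    """Return (score, matched indicator labels). Each indicator counts once."""
    score, hits = 0, []
    for label, pattern, weight in INDICATORS:
        if pattern.search(body):
            score += weight
            hits.append(label)
    if reply_to and FREE_WEBMAIL.search(reply_to):
        score += 1
        hits.append("free webmail reply address")
    return score, hits


def is_419(body, reply_to=None, threshold=6):
    """Flag a message when enough independent indicators co-occur."""
    return score_419(body, reply_to)[0] >= threshold


# Constructed sample, condensed from the style of the plea above.
SCAM_SAMPLE = (
    "Dear friend, I do not know your exact name. My letter is caused by despair. "
    "I think that you could hear about Earthquake in China. I am lack of 1000$. "
    "I ask you to help me with money. I have been explained that I will be able to "
    "receive money in Western Union. And I will return you even more Money."
)
SCAM_REPLY_TO = "someone@yahoo.com.ph"  # constructed placeholder address

# A genuine appeal mentions the disaster but none of the other tells.
CHARITY_SAMPLE = "The Red Cross is accepting donations for the China earthquake relief effort."
BENIGN_SAMPLE = "Hi Sam, the quarterly report is attached. Let me know if the numbers look right."

if __name__ == "__main__":
    for text, addr in ((SCAM_SAMPLE, SCAM_REPLY_TO), (CHARITY_SAMPLE, None), (BENIGN_SAMPLE, None)):
        print(is_419(text, addr), score_419(text, addr))
```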


Gathering evidence of phishing

Phishers steal money and confidential data from internet users. Image copyright (c) Sophos

Kudos to the police investigators who appear to have cracked a major international phishing operation with the charging of 38 suspected phishers.

Investigations like this aren’t easy - there’s a lot of evidence that needs to be gathered (involving careful computer forensics that need to be able to stand up in court), surveillance, and working closely with the financial authorities as well as other police forces spread across the globe.  Investigations like this don’t come cheap, so it’s good to see a high level of effort and resources being put into tracking down suspected criminals.

And it’s not just the police who have to put effort into these cases.  The online banking institutions also have their part to play.  Obviously if phishers are apprehended and put out of business then that works in the banks’ best interests, but it can sometimes be hard to see the immediate benefit when you’re responsible for so many aspects of a financial institution’s computer security.

So, here’s my plea to online banks who are being targeted by phishers.  Gather evidence that might help the cops in future.  There is real value in recording emails, evidence of phishing websites, screenshots and HTML code, as well as what actions you had to take to defuse the problem.  If you are able to track cases of fraud which correlate with the phishing attack then even better.

The authorities’ best chance of a successful prosecution comes when there is concrete evidence that a crime has been committed, and that innocent people and companies have suffered as a result.
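Evidence of the kind described above (the lure email, the phishing site's HTML, a screenshot, and the actions taken) is only useful in court if it can be shown not to have changed since capture. The record builder below is an added example, not code from Sophos or any bank: it hashes each artifact, seals the manifest itself, and lets a later reader verify both; every artifact, case id and timestamp in it is constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same content always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_evidence_record(case_id, artifacts, actions, captured_at=None):
    """artifacts: {name: (bytes, description)}; actions: list of steps taken to defuse the attack."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    record = {"case_id": case_id, "captured_at": captured_at, "actions": list(actions),
              "artifacts": []}
    for name, (data, description) in sorted(artifacts.items()):
        record["artifacts"].append({"name": name, "description": description,
                                    "size": len(data), "sha256": sha256_hex(data)})
    # Seal the manifest so edits to descriptions, actions or hashes are detectable.
    record["manifest_sha256"] = sha256_hex(_canonical(record))
    return record


def verify_evidence_record(record, artifacts):
    """Return a list of problems; an empty list means manifest and artifacts are intact."""
    problems = []
    body = {k: v for k, v in record.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != record.get("manifest_sha256"):
        problems.append("manifest has been altered")
    listed = {a["name"]: a for a in record["artifacts"]}
    for name, entry in listed.items():
        if name not in artifacts:
            problems.append("missing artifact: " + name)
        elif sha256_hex(artifacts[name][0]) != entry["sha256"]:
            problems.append("hash mismatch: " + name)
    for name in artifacts:
        if name not in listed:
            problems.append("unlisted artifact: " + name)
    return problems


# Constructed artifacts standing in for a real capture.
ARTIFACTS = {
    "lure.eml": (b"From: security@bank.example\r\nSubject: Verify your account\r\n\r\n"
                 b"Please confirm your details at http://bank-login.example/verify\r\n",
                 "Phishing email as received in the spam trap"),
    "landing.html": (b"<html><form action='http://bank-login.example/collect'>"
                     b"<input name='pin'></form></html>",
                     "HTML source of the fake login page"),
    "landing.png": (b"\x89PNG\r\n\x1a\nconstructed-placeholder", "Screenshot while the page was live"),
}
ACTIONS = ["Takedown request sent to hosting provider", "Customers warned via site banner"]
RECORD = build_evidence_record("CASE-EXAMPLE-001", ARTIFACTS, ACTIONS,
                               captured_at="2008-05-20T10:00:00+00:00")

if __name__ == "__main__":
    print(json.dumps(RECORD, indent=2))
    print("problems:", verify_evidence_record(RECORD, ARTIFACTS))
```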


Mobile phone monkey business strikes at another zoo

# The monkeys stand for honesty, giraffes are insincere, and the elephants are kindly but they’re dumb  #

First it was Dublin, then Houston, and I’ve heard rumours about Milwaukee too. Now, a zoo in Brownsville, Texas, has been on the wrong end of a bizarre mobile phone spam campaign that has resulted in hundreds of people flooding its switchboard.

The Gladys Porter Zoo was reported to have been thrown into chaos last week after cryptic SMS text messages were sent to thousands of people saying things like

  • Call now someone is looking for you.
  • Call now and we will settle this.

and telling them to call a number... the number of the Gladys Porter Zoo switchboard.

It sounds funny at first hearing - but pity poor Rachel, Gladys Porter Zoo’s receptionist, who has to answer all the calls and weed out the general inquirers from the curious mobile phone owners.  Is this just mischief-making or does someone have a grudge against these zoos?

For your interest, Gladys Porter Zoo is said to be the first zoo to have successfully bred the vulnerable Jentink's Duiker. No, I didn't know what it was either. Other animals they exhibit include the greater kudu, bontebok and bongo.

How marvellous it must be to have the job of naming animal species.  Forget the malware taxonomy the guys at SophosLabs have to do, anyone who can come up with a name for an animal like the bontebok or bongo is having real fun.

* Image source: wedding_planner04’s Flickr photostream (Creative Commons 2.0)


Chain letters evolve, spread via SMS text message

Batelco logo
Bahrain telecoms company Batelco has issued a press release warning cellphone users not to forward an SMS text message that has been doing the rounds in the kingdom.

“Today is BATELCO Wireless 50th Anniversary Celebration Ceremony. Transfer this SMS to 10 Batelco Customers & get BD 5 Talk time free.”

Sound familiar?  It should do, because this is simply a variant of a myriad of email chain letters we have seen over the years offering Applebees gift certificates, a share of Bill Gates’ fortune, a free Ericsson mobile phone or free flights with British Airways.

Batelco have confirmed that the campaign is fake, and that users will not receive any free talk time for forwarding the message. According to Batelco spokesperson Ahmed Al Janahi, Batelco's engineers have now blocked the message from being sent via their network. "We wanted to notify customers who have [already] received it that it is spam," he said.

With so many call plans today including hundreds of free SMS texts bundled in with the price, many people may feel that even if the offer sounds potentially bogus that it is still worth forwarding “just in case.”  A large proportion of people probably wouldn’t even consider that the offer sounds unlikely.

What makes this hoax chain letter unusual is that it has spread via mobile phones rather than email.  Maybe this is a foretaste of things to come?

Aside from chain letters and hoaxes being spread via cellphones, we are also seeing the phenomenon extend into the world of Web 2.0.  Anyone who has ventured onto Facebook, for instance, is likely to find that their “Funwall” has been jammed with bogus warnings from well-meaning friends alongside the avalanche of Panda sneezing videos.

Of course, just like email hoaxes and chain letters, a fake SMS campaign like this and Facebook chain letters waste time and bandwidth.  Best to nip it in the bud by deleting the message upon its arrival in your inbox, before you embarrass yourself in front of your friends and family by forwarding it on.


Latin American graffiti

In these days of one new malware-infected website being discovered every five seconds, it’s easy to forget that not all web hacking is done for financial gain.

This weekend, Spanish police arrested five teenagers suspected of hacking and defacing thousands of websites. Victims are said to have included government agencies in the USA, Latin America and Asia.

According to the Spanish authorities, the suspects - two of whom are just 16 years old - are members of the "D.O.M Team", a prolific gang which has been blamed for planting messages on third-party hacked websites.

The gang, most of whom originate from Latin America, are said to have been investigated following an attack earlier this year on a website belonging to political party Izquierda Unida in the aftermath of the Spanish general election.

Media reports indicate that the five alleged hackers claim that they were only trying to highlight security weaknesses in websites.

It's terribly old-fashioned to be breaking into websites simply to plant offensive messages about politicians. In many ways it's like graffiti on the side of buildings and across advertising hoardings. But even though money doesn't appear to have been the motivation behind these attacks, they still cost money for the organizations who need to work quickly to clean up their sites and secure them better in future.

Other young computer fanatics might do well to learn a lesson from this case - just because you aren’t aiming to commit identity theft or launch denial-of-service attacks there’s no excuse for hacking into someone else’s website. If you do find a vulnerability don’t exploit it by hacking in and planting messages - instead contact the company concerned and work with them to solve the problem.

* Image source: kamshot’s Flickr photostream (Creative Commons 2.0)