Joe Wein's blog
I have a new WordPress blog at http://www.joewein.net/blog/
Below are my older blog entries:
2005-09-22: I get fan mail
One of the encouraging things about fighting fraud and spam is the emails from nice people I get who appreciate when they find a timely warning about a scam. Naturally, the people who send spam and who try to scam other people out of their money are less than happy. Yesterday I received the third threatening email from a criminal in Spain who runs fake electronics store websites and who cheats people out of thousands of euros.
I also get similar emails from Nigeria, South Africa and Ghana:
I take it as a sign that I must be doing something right.
2005-06-24: HelpOnMyPC
If you know enough about computers, chances are you will often be asked for help by your friends and family with their computer problems. If you are less experienced and have trouble with your computer, you probably wish someone could sit next to you and sort things out for you. The problem is, it takes time to visit people and often the potential helper and person in need of help are far apart.
There are remote access solutions to get around the distance problem, but until now they were either difficult to set up or expensive or insecure.
A new product by Amobian Technologies is changing all of that: HelpOnMyPC gets two people up and running in under a minute, with one viewing and even driving the other's PC. Both users can share control. All data is securely encrypted with 128-bit encryption. No backdoors are left open when the product is in use. This product works really well in conjunction with internet telephony such as Skype, because you can talk about what you're doing while you both look at the same screen - even when you're thousands of kilometres apart.
2005-01-21: Japan - a money launderer's paradise
Since July 2004 there's been a scam going on that uses job offer spam in the name of a Chinese company to recruit victims for a check fraud ring in Canada and Nigeria. The victims in North America are led to believe they are forwarding check payments from customers of their employer to their employer. The checks are actually fake, so really the "employees" are just wiring their own money to a bank account of the gang. The account used is with a small regional bank in Japan. The criminals are based in Nigeria, Canada and other countries.
According to our information an attempt to domestically contact the Japanese police about the bank account failed. They refused to accept copies of the evidence, saying the only way they could start investigating international fraud was by being contacted by police in the country where fraud took place.
2005-01-16: Tsunami frauds (II)
The Rochester Democrat and Chronicle mentions our website in an article on Tsunami scams.
2005-01-11: Tsunami frauds
USA Today published an article on online fraud taking advantage of the tsunami disaster. I was interviewed for the article and we contributed to the background research. See our page on tsunami scams.
2004-12-18: Fake Nigerian lotteries, banks and other companies
Nigerian advance fee scammers have been registering domains for corresponding with their victims in advance fee frauds. The two leading domain hosters for these scams are MSN (USA) and Rediffmail (India). Here's one really badly done example:
Click the "verify" link there to verify you are a lottery winner. It doesn't matter what you enter. For example, if you enter 419 as the "Ticket Number" and "FRAUD" as the "File Reference Number" you will be told:
VERIFIED!
Congratulations! Your win has been verified.
DETAILS
==============================================
Ticket Number: 412 7543176 657
Winning category: 3rd
Cash Prize: €1,000,000
==============================================
Here are a few other domains registered by 419 scammers over the last year:
2004-09-04: Nigerian scammers masquerading as USA Aid Agency recruiters
The latest twist on the by now familiar 419 scam perpetrated mostly by criminals in Nigeria is a job offer on behalf of the USA Aid Agency. The job offer was sent via an ISP in Lagos, Nigeria and uses a mailbox at Yahoo, India for applicants to reply to. A phone number given uses a Washington state area code. No doubt any job applicants will be asked to make some downpayments before their application can be processed...
Read more here...
2004-08-12: The Mihama nuclear power station accident
An exploding steam pipe killed four people and forced a shutdown of a nuclear power station in Japan. The pipe had not been inspected in over 27 years, even though a contractor had notified the company months earlier and similar pipes had been replaced in other plants run by the same company. Read more about it here...
2004-08-04: Spam blacklist becomes available in ws.surbl.org
ws.surbl.org is a realtime blacklist server for URIs that appear in the message body of spam emails. It can be used by Spamassassin 2.63, 2.64 and 3.0 and several mail servers. Starting from today, all our listings will be included in this zone.
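To show what a URI blacklist lookup involves, here is an added example (not jwSpamSpy, SpamAssassin or SURBL code): it pulls the domains out of the URIs in a message body and builds the DNS names a client would query under ws.surbl.org. The public-suffix list is cut down to a few entries, the resolver is injected so it runs offline, and the message body and zone answers are constructed.

```python
"""
Added example: extract the registrable domains behind URIs in a spam body and
form the ws.surbl.org lookup names.  Unlike IP-based DNSBLs, SURBL is queried
by domain name, not by reversed IP address.
"""
import re
from typing import Callable, Dict, List, Optional

SURBL_ZONE = "ws.surbl.org"

# Assumption: a real client uses SURBL's full two- and three-level TLD lists;
# this handful is enough for the demo.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "ne.jp"}

# Hostnames following "http://", "https://" or a bare "www." prefix.
URI_RE = re.compile(r"(?:https?://|www\.)([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part SURBL lists (example.com, example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(body: str) -> List[str]:
    """Distinct registrable domains of all URIs in the body, in order of appearance."""
    seen: List[str] = []
    for m in URI_RE.finditer(body):
        d = registrable_domain(m.group(1))
        if d and d not in seen:
            seen.append(d)
    return seen


def surbl_query_name(domain: str) -> str:
    """The A-record name a client resolves to test one domain against the zone."""
    return f"{domain}.{SURBL_ZONE}"


def check_body(body: str, resolve: Callable[[str], Optional[str]]) -> Dict[str, bool]:
    """Map each domain in the body to True if its lookup returns a 127.0.0.x answer.

    `resolve` takes a DNS name and returns the A record as a string, or None
    when the name does not exist (not listed).
    """
    result: Dict[str, bool] = {}
    for d in extract_domains(body):
        answer = resolve(surbl_query_name(d))
        result[d] = answer is not None and answer.startswith("127.0.0.")
    return result


# Constructed spam body; the domains are placeholders, not real listings.
SAMPLE_BODY = """Claim your prize now at http://WWW.Strikegold-Example.COM/verify?t=419
or visit www.shop.badstore-example.co.uk/ today. Unsubscribe: https://mail.example.org/x"""

# Constructed zone contents standing in for live DNS answers.
FAKE_ZONE = {
    "strikegold-example.com.ws.surbl.org": "127.0.0.2",
    "badstore-example.co.uk.ws.surbl.org": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for domain, listed in check_body(SAMPLE_BODY, fake_resolve).items():
        print(f"{domain:30} {'LISTED' if listed else 'clean'}")
```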
2004-07-01: Spam and virus counts decreasing second month in a row
We recorded 14.7% less spam sent to our mailboxes in June compared to May. This confirms a trend established by a 7.5% fall in May compared to April. February to March and March to April had seen a rise of 13.7% and 9.4%, respectively. The number of viruses fell by 28.6% in June compared to May, after a decrease of 4.3% in May compared to April, which had still seen an increase of 4.5%. In the first three months of the year virus numbers experienced double- or triple-digit growth, with 109.1%, 47.3% and 102.8%. That puts spam numbers for June on a level with February and virus figures somewhere between February and March.
Please note, however, that we aggressively pursued viruses, reporting every virus source coming to our attention since March. The overall number of viruses out there may well still be increasing, even as we are cleaning up our neighborhood.
2004-06-16: Racist spam spread by virus author
Sober.G, an email worm circulating worldwide for several months, has turned out to be a vehicle for racist propaganda. On the morning of June 10, 2004 distribution of Sober.G virus mails virtually stopped, being replaced by a flood of German language extremist propaganda. The spam originated from computers previously infected by Sober.G and shared many characteristics of its predecessor. Read more about it here:
2004-06-01: Spam stopped growing
The number of spam emails sent to our mailboxes (and stopped by our spam filter) has stopped growing and is in fact decreasing. Only one of six mailboxes we track received more spam than in April, all others received less, by as much as 20%. The overall number for May was similar to March, some 10% below the figure for April. While that's good news, the total of 16,552 spams still comes to more than 3 times the figure for last July (4656).
For two months in a row, the number of virus emails has remained essentially flat from the month before.
2004-05-19: Japanese humanitarian aid - the $600 hammer
According to the Japanese 2003 and 2004 fiscal budgets, Japanese taxpayers footed a ¥ 40.3 billion ($360 million) bill so far for the deployment of Japanese troops of the Self Defense Forces (SDF) on a humanitarian mission to Iraq, reported an article by NAO SHIMOYACHI in The Japan Times on May 16, 2004. This includes ¥ 6 billion ($55 million) for the construction of a camp to house the troops.
The declared objective of the mission is to supply 80,000 litres of water a day to 16,000 people. Helping Iraqi civilians is a noble purpose. However, if you do the math, then over the next year Iraqi water for Iraqi villagers will cost $360 million / 29.2 million litres. Litre for litre, that's more expensive than Perrier mineral water shipped in bottles all the way from France to Japan. Don't get me wrong here, I am not against humanitarian aid. I'm against wasting money on inefficient humanitarian aid, because the same money could go much further and aid more people, if it came without political strings attached.
It could be argued that water in Iraq will be expensive because of difficult local conditions. Here's another piece of information: On April 20 the Foreign Ministry announced that it had given $353,000 (¥ 39 million) to a Paris-based aid agency. The NGO will use these funds to rent 35 water trucks to deliver water from an existing purification plant to 63 villages in Iraq, supplying 64,000 people with 530,000 litres of safe drinking water per day. The NGO project in Iraq will be run by Iraqis, creating local jobs. It will provide six times more water to four times more people. And it will do that at a total budget of one fifteenth the cost of providing housing for the SDF soldiers alone.
As a humanitarian project, the SDF deployment makes no sense. Iraq has a relatively well-educated population. It has a limited need for foreign staff, but after decades of wars and sanctions, its infrastructure lacks repairs, parts, equipment and construction materials. Japan could deliver these or the money to pay for them, at a fraction of the cost that it takes to deploy troops. To say that the security situation in Iraq is not good enough for civilians to work there ignores the fact that foreign troops are the Number One target for any insurgent forces. In other words, by using foreign troops instead of Iraqis to do the job, the risk of casualties is maximized, not minimized. Every foreign soldier is a walking target. So why are SDF troops really in Samawah?
- Screw the constitution. After WW2 the US imposed a war-denouncing constitution on Japan. Article 9 effectively prohibits Japan from maintaining military forces. Since the end of the Korean war this prohibition has been ignored, but Japanese troops were in effect prevented from being deployed abroad. Politicians who would like to get rid of the confines of Article 9 are working on gradually eroding it by stretching the limits little by little. The mission to Samawah is but the latest step along that road. It is the closest yet that Japan has come to deploying troops into a war since August 1945. It is by no means clear where this road leads, because no one is openly talking about that.
- The guy in the White House wants it so. In the Second Gulf War (1990-91) Japan was criticized by the US for only sending cash but no troops. Then Japan, Kuwait and Saudi Arabia footed about 2/3 of the US cost of the war. Americans felt this was too little, given US troops provide security for Japan. In early 2003, after the US government found itself largely deserted by major allies on its march to war, Japanese support became particularly important. SDF troops potentially in harm's way in Iraq are a token gesture to the US: "Here, we support you, don't leave us alone either." However, I suspect that since the beginning of the cold war, the Korean and the Indochina wars, the US military needed Japan far more than Japan needed US troops. Japan has been like a huge aircraft carrier which defends US strategic interests in the region, extending from Southeast Asia via Taiwan to the Russian far east. US troops would not leave Japan unless Japan pushed the US to do so. Just look how difficult it has been to reduce US military presence in Okinawa. The US don't want to leave, unless they can find an equivalent location nearby. As long as the current regime remains in place in North Korea, South Korea is too vulnerable. Taiwan is a no-no, since the US needs China's cooperation. That leaves no alternative to Japanese bases for US troops in East Asia.
- It's a PR exercise for the SDF. Humanitarian work may improve the image held of the Japanese military amongst the Japanese population, again, in order to loosen the shackles imposed after the war.
A few people are getting screwed on this deal, though:
- First, there are the Iraqis, who get a fraction of the water, and get it later than they would have had the government not picked such a politically sensitive tool, a choice that caused unnecessary delays to the aid project.
- Second, there are the SDF troops themselves, who have had mortar rounds land and explode just outside their base more than once already. We will be lucky if all of the SDF members deployed return alive and with a full set of limbs.
- Third, there are the Japanese taxpayers, who have been paying 1000 times the amount given to the far more efficient NGO and who may get stung for even more money in future adventures abroad that will come as Japanese politicians strive to turn Japan into a "normal" country.
Why is there so much resistance to Japanese "normalisation"? A major reason is that while Germany was denazified and later dealt with its own history in an adult way, Japan is still dodging its past. The imperial system and Emperor Hirohito himself were left in place after Japan's surrender. There was never a complete break with the past. It is simply unthinkable that a German prime minister would visit the grave of Nazi war criminal Rudolf Hess, the way Japanese prime ministers have visited Yasukuni shrine, a bastion of Japanese militarism where the souls of convicted Class A war criminals are enshrined. The tactical games played out in Iraq will not address these unsolved questions.
Though most Japanese today reject the values of the militaristic past, it can not be said yet that Japan as a whole has learnt from its past and matured enough so that its politicians can be trusted by Japan's neighbours or even by its own citizens.
Notes:
Most people in the west think of the 1990-91 war as the first Gulf war, as it was the first involving US troops. They ignore the devastating 1980-1988 war that not only lasted longer than WW2 but also cost hundreds of thousands of lives. It was fought with western support for Saddam Hussein's regime, who had started it as a land grab against revolutionary Iran.
2004-05-03: British pictures fake?
Simon Treselyan, a retired military intelligence officer, and Eamonn McCabe, the Guardian's former picture editor, raise some questions about the authenticity of pictures in the 'Mirror' allegedly showing prisoner abuse by British soldiers in Iraq:
Guardian: The alleged torture pictures
2004-05-01: 19,947 spams and 1149 viruses in April
Spams increased by 20% from last month, while viruses went up only 5 percent, to a daily average of 665 and 38 respectively. The virus increase would have been considerably higher, had I not reported over 500 viruses to abuse addresses of the respective providers with the virus-reporting tool of my spam filter.
On 22 April I put up a page reporting about the "ShareYourExperiences" scam that had also targeted one of my mailboxes. Over the last five days the page received over 700 hits, which makes it the sixth most frequently listed page on all my websites. I can only guess how many people this spammer must be hitting and annoying.
2004-04-27: The country where Teddy Bears are illegal
In December of 2003, the Interior Ministry of the Kingdom of Saudi Arabia issued a decree that banned all imports of dolls and stuffed animals, giving merchants until March to dispose of their stocks. Since then Teddy Bears and other toy animals have been illegal to sell in the whole country. The kingdom bases its laws and regulations on an extremist interpretation of Islam known as Wahhabism, named after Muhammad ibn Abdel-Wahhab, an 18th century cleric.
Since the 1930s the United States have been allied with the royal Saud family, the absolute rulers of this Middle Eastern kingdom. Both shared a dislike for the socialist rhetoric of secular Arab Nationalists such as Nasser in Egypt and the Baath Party in Syria and Iraq. It can be said that the only major disagreement between Saudi Arabia and the USA has been about US support for Israel. In other areas the US and the medieval kingdom have been politically very close. In the 1980s both collaborated on nurturing 'mujahedeen' warriors in Afghanistan to drive out the Soviet Army. One young Saudi who went to Afghanistan then was from a wealthy family, the Bin Ladens. His ideology is that of Wahhabism, the state ideology of Saudi Arabia. The regime of the fundamentalist Taliban of Mullah Omar that he eventually teamed up with was recognized by only three countries worldwide – Saudi Arabia, the United Arab Emirates and Pakistan. All three are US allies.
Saudi Arabia practises a medieval form of Islamic justice, in which people convicted of theft have their hands amputated. People convicted for a wide range of crimes against morality, such as drinking beer, are publicly flogged. Torture is common practice. Homosexuals or people convicted of drug law violations are executed by beheading by the sword.
For a quarter of a century Iran has been the most consistent bogey man of US foreign policy in the Middle East, but compared to Washington's Saudi friends, the theocrats in Tehran are a bunch of bleeding heart liberals. In Iran, women are still discriminated against, but at least they are allowed to vote. In Saudi Arabia, there's not even a parliament to vote for. It's a medieval kingdom, after all. Women may not drive a car. Foreign female visitors arriving by plane may not leave the airport unless accompanied by a male relative. Women may not go to a restaurant without a male relative.
For too long America has turned a blind eye to one of the most un-American regimes that supported US geopolitical strategies while nurturing extremist ideologies. It was no coincidence that 15 of the 19 alleged hijackers were Saudi subjects.
2004-04-01: 16,836 spams and 1099 viruses in March
I received more viruses and virus warning spam in March than in December, January and February combined. Virus warning spam, i.e. messages sent by virus filters to addresses unrelated to sending the virus, is a still small but increasing fraction of all virus-related traffic. The virus figure doubled from February to March and is triple what it was in January. On average I was sent 35 viruses and warning spams a day.
Spam mail counts increased for every one of my mailboxes. The two busiest averaged around 150 a day. The counts for the three least busy mailboxes increased by between 25 and 30 percent, with even the least busy mailbox now attracting more than 40 spams a day.
2004-03-24: I received 542 virus emails in February
In January it was only 369, compared to 176 in December. Between March 1 and March 24 my spam filter already caught 810 virus mails. At the current rate I will exceed 1000 virus mails by the end of March, a sixfold increase over three months.
Welcome to cyberwar. Virus authors have realized they can make money, lots of money, by renting out trojaned broadband PCs to spammers who then use them to spread junk mail without an obvious trace back to the culprit. Spammers are taking over hundreds of thousands of PCs. With these remote controlled zombie armies they can not only send out spam with impunity, they can also use them to shut down any website or other server they choose. Currently there is no viable defense against Denial-of-Service attacks, i.e. a constant flood of requests from thousands of machines, such as those attacks that put four major DNS-blacklist servers permanently out of business last summer. The more machines get infected, the bigger the threat.
What is to be done? Certainly, computer users need to be made aware of the problem, for example getting them to install virus filtering software and the latest Windows patches or at least teaching them not to click on any file from an unknown or unusual source. But that is not enough. ISPs will have to do their part and put in place technical safeguards to prevent broadband connections from being hijacked. Any dial-up or broadband user that establishes an unusually high number of outgoing SMTP connections (typical for but not limited to spamming and virus-spewing activity) should automatically be blocked from making such connections and investigated. Filtering on incoming mail at the ISP level also makes sense and can help the ISP conserve a lot of traffic, if obvious viruses are rejected at an early stage.
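The ISP-side safeguard suggested above, as an added example that is not code from this page or from any ISP: it walks a chronological flow log and flags any customer IP whose outgoing port 25 connections exceed a threshold within a sliding window. The log format, the threshold and the window are assumptions, and the log lines are constructed.

```python
"""
Added example: sliding-window count of outbound SMTP connections per source
address, the kind of check an ISP could run on flow records before blocking
and investigating a customer line.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable

# Assumed flow-record format: "<ISO timestamp> <src ip> -> <dst ip>:<dst port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def detect_smtp_bursts(lines: Iterable[str], threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, str]:
    """Return {src_ip: timestamp of the connection that crossed the threshold}.

    Lines must be in chronological order.  Records for ports other than 25 and
    lines that do not match the format are ignored rather than counted.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_text, src, _dst, port = m.groups()
        if port != "25":
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[src]
        q.append(ts)
        # Drop connections that fell out of the window before comparing.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts_text
    return flagged


# Constructed log: 10.1.2.3 opens five SMTP connections in 16 seconds (plus one
# web request that must not count), 10.1.2.4 sends normal mail, and 10.1.2.5
# makes four connections, then one more two minutes later, outside the window.
SAMPLE_LOG = """2004-03-24T10:00:01 10.1.2.3 -> 192.0.2.10:25
2004-03-24T10:00:03 10.1.2.4 -> 192.0.2.20:25
2004-03-24T10:00:05 10.1.2.3 -> 192.0.2.11:25
2004-03-24T10:00:06 10.1.2.3 -> 198.51.100.9:80
2004-03-24T10:00:09 10.1.2.3 -> 192.0.2.12:25
2004-03-24T10:00:10 10.1.2.5 -> 192.0.2.30:25
2004-03-24T10:00:11 10.1.2.5 -> 192.0.2.31:25
2004-03-24T10:00:12 10.1.2.5 -> 192.0.2.32:25
2004-03-24T10:00:13 10.1.2.3 -> 192.0.2.13:25
2004-03-24T10:00:14 10.1.2.5 -> 192.0.2.33:25
2004-03-24T10:00:17 10.1.2.3 -> 192.0.2.14:25
2004-03-24T10:00:30 10.1.2.4 -> 192.0.2.21:25
this line is not a flow record
2004-03-24T10:02:00 10.1.2.5 -> 192.0.2.34:25"""


if __name__ == "__main__":
    for ip, when in detect_smtp_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"block and investigate {ip}: threshold crossed at {when}")
```

With the defaults only 10.1.2.3 is flagged; lowering the threshold to 2 would also catch the two legitimate-looking senders, which is the trade-off any such rule has to be tuned for.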
Even though I advocate virus filtering at the mail server level, much of the software available for that job today is either badly written or misconfigured. Every major virus written over the last three years has used fake sender addresses. If you receive a virus today, you can be almost certain that the computer of the person whose address is listed in the From: statement of the mail header is not infected with a virus, because it's simply an address found in an address book or the browser cache on the machine that really sent the virus. So if someone visits website X or receives an order confirmation by company Y and then – possibly months later – opens a virus infected email attachment, chances are some of the new virus mails that result will list company X or Y as the sender, even though they are totally innocent. Not only will these innocent parties receive bounce notifications for all virus mails that turn out to be undeliverable (for example, because the sender address has become invalid or a mailbox is full). Badly written virus filter software will also send them emails complaining that their machines are infected with Netsky, MyDoom, Swen or some other virus, even though these viruses are known to fake every sender address. It would be pure coincidence if the machine listed as the sender by the virus was really infected.
You would have thought that any software smart enough to recognize the Netsky virus should be smart enough to know that Netsky fakes the From-address. Apparently not. Until that changes, virus warnings will have to be treated the same way as other spam and viruses: by filtering them.
2004-02-24: Is Ryze.com recruiting members via spam?
Today I received an invitation from a person I had never heard of to join Ryze.com, a service I had never heard of either. Apparently it is a business networking tool created by engineers who wrote Napster, the file sharing tool. A quick search for phrases used in the invitation mail showed that someone had tried to invite mailing lists to join this service, including the "debian-devel" mailing list. This typically happens when someone uses address harvesting software to scan websites for any and all email addresses mentioned in them and then uses software to send bulk email to all those addresses. In this case however, it appears the invitation comes from the Ryze.com server. Does that mean that Ryze itself is spamming to get lots of subscribers quickly? I sure would like to know.
2004-02-03: Spam generated by Anti-Virus software
Most viruses circulating for the last three years send themselves using fake sender addresses. Nevertheless, numerous anti-virus products on the market insist on "warning" the innocent victims whose addresses are abused in this way – in some cases even mailing a copy of the virus for good measure. They do this even after they have identified the type of virus, i.e. when they know they are dealing with a virus that arrives with fake sender addresses. Here is a good writeup about this problem:
http://www.attrition.org/security/rant/av-spammers.html
2004-01-06: I received over 11,000 spams in December
My four main mailboxes would have been clogged with over 11,000 spams last month, had it not been for my spam filter. That's over 350 junk mails a day. On top of that I received about 180 virus-infected mails, including SOBER.C which has been making its rounds since just before Xmas. Since jwSpamSpy (my spam filter) investigates all domains advertised in spams sent to me and lets me add those to a blocklist, I have decided to make the daily additions to that blocklist available for free.
One email per day will contain all domains added to the list (or, much more rarely, removed from the list), as well as the senders of "419" aka "Nigerian Scam" emails, of which I received about 350 last month alone. See my domain blacklist for info on how to subscribe to automatically receive a daily update.
2003-12-30: Plextor DVD+/-RW drive
I am not usually an early adopter of new hardware. Leading edge is bleeding edge, as they say. Also, always being the first kid on the block with new toys is an expensive habit. I prefer others to stumble across nasty bugs first, while I carry on with my work using proven technology. But every now and then I have no choice but to spend on new hardware in order to maintain a productive environment.
For a few years I've been backing up data and burning CD-Audio using an external SCSI 4X CD-R drive, a Plextor PlexWriter PX-R412X, which has been extremely reliable. Whilst I have not yet purchased or rented any DVDs, we already had three DVD-capable computers in the household. One is a DVD-ROM/CD-RW combo drive in Shigeko's notebook, the others were plain DVD-ROM drives.
Recently a machine failure alerted me to just how important it is to have proper data backup. I had to admit to myself that my old CD-R drive and its software (which supports only 650 MB per disk) was no longer up to the job of backing up the 40, 60 and 120 GB disk drives I use these days. Hence my latest gadget: The Plextor PX-708UF, an external DVD burner that supports all DVD formats except DVD-RAM. It attaches via either USB-2 or IEEE-1394 (FireWire). Initially I considered cheaper ATAPI drives but finally chose the external version because I can also use it with the three notebooks we own. I picked the Plextor over the Sony, which was also in the race, because of Plextor's first class reputation and my own positive experiences with the earlier drive by this maker from Belgium.
The drive came bundled with Nero 5.5. Just like Plextor's products, Ahead Software's Nero has a very solid reputation and so far my impressions of it have been very positive. I've burnt a CD-Audio disk and a data DVD+RW with 4.2 GB on it. The software was easy to use and performed as expected. The drive is very fast. The DVD+RW is readable in my wife's DVD-ROM/CD-RW combo drive (Matsushita UJDA720 DVD/CDRW). Sadly, my two older DVD-ROM drives (a Samsung DVD-ROM SD-604 and an LG DRD 8080B) don't seem to recognize DVD+RW media. Next I'll try some DVD+R media, which is about 30% cheaper than the rewritable version and said to be more compatible with older DVD-ROM drives.
2003-12-19: Joe Job against joewein.de
On 16 December someone sent spam to thousands of recipients that was made to look like it came from my personal domain, joewein.de, except that its sender addresses were bogus and the mails were sent from Argentina and Hong Kong instead of Japan, where I live. Three days later, an even nastier job was launched, this time designed to get my web hoster to pull my site. The spammer sent this spam using abuse@schlund.de as the sender address, i.e. the abuse reporting mailbox of the company that hosts my website. Based on the contents of that latter spam, it seems obvious that the motivation for the joe job was the fact that on my site I regularly publish domain names advertised in spam caught by my spam filter.
More about the "Joe jobs" against joewein.de here...