Category Archives: Knowledge

spotting a scam

How to spot a scam

Recognise the signs someone is trying to scam you, and learn how to check if a message you have received is genuine.

Recognising online scams

Cyber criminals may contact you via email, text, phone call or via social media. They will often pretend to be someone (or an organisation) you trust.

It used to be easier to spot scams. They might contain bad spelling or grammar, come from an unusual email address, or feature imagery or design that feels ‘off’. But scams are getting smarter and some even fool the experts.

How to spot scam messages or calls

Scammers try to quickly gain your trust. They aim to pressure you into acting without thinking.

If a message or call makes you suspicious, stop, break the contact, and consider the language it uses. Scams often feature one or more of these tell-tale signs.


Is the message claiming to be from someone official? For example, your bank, doctor, a solicitor, or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.


Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Criminals often threaten you with fines or other negative consequences.


Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.


Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.

Current events

Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

How to check if a message is genuine

If you have any doubts about a message, contact the organisation directly. Don’t use the numbers or address in the message – use the details from their official website.

Remember, your bank (or any other official source) will never ask you to supply personal information via email, or call and ask you to confirm your bank account details. If you suspect someone is not who they claim to be, hang up and contact the organisation directly. If you have paper statements or a credit card from the organisation, official contact details are often written on them.

Make yourself a hard target

Criminals use information about you that’s available online (including on social media sites) to make their phishing messages more convincing.

You can reduce the likelihood of being phished by thinking about what personal information you (and others) post about you, and by reviewing your privacy settings within your social media accounts.

How to report suspicious communications

If you have received a suspicious message or call, or visited a suspicious website you should report it.

Report a scam email; text message; website; phone call; advert


Crucial Facilities Companies Targeted Through Ransomware Gangs

Year of 2019 was actually an especially poor year for ransomware assaults, as well as while certainly there certainly was actually a decrease in using ransomware in 2020, assaults enhanced dramatically in 2021, along with the education and learning industry as well as federal authorities companies one of the absolute most assaulted industries, although no market industry is actually unsusceptible to assaults.

There’s expanding issue around the enhance in assaults on crucial facilities companies, which are actually an appealing aim at for ransomware gangs. Inning accordance with the information coming from the Government Bureau of Examination (FBI), the Cybersecurity as well as Facilities Safety and safety Company (CISA), as well as the Nationwide Safety and safety Company (NSA), 14 of the 16 crucial facilities industries in the Unified Conditions stated ransomware assaults in 2021, consisting of the protection commercial foundation, emergency situation solutions, health care, meals as well as farming, infotech, as well as federal authorities centers. Cybersecurity companies in the Unified Empire as well as Australia have actually likewise stated crucial facilities has actually been actually targeted.

Crucial Facilities Companies Cautioned Around AvosLocker Ransomware Assaults

Today, a cautioning has actually been actually provided due to the Government Bureau of Examination (FBI), the U.S. Division of the Treasury, as well as the U.S. Treasury Monetary Criminal offenses Administration System (FinCEN) around ransomware assaults utilizing AvosLocker ransomware.

AvosLocker wased initially determined as a risk in behind time June 2021 as well as in spite of being actually a fairly brand-brand new risk, positions a considerable danger. Assaults utilizing the ransomware enhanced in the last fifty percent of 2021, along with spikes in assaults happening in Nov as well as December. Variations of AvosLocker ransomware have actually currently been actually industrialized towards assault Linux in addition to Home windows bodies.

As is actually currently typical, the assailants participate in dual extortion as well as need resettlement for the secrets towards decrypt data as well as to avoid the launch of taken information. The gang runs an information leakage webinternet web site where an example of taken information is actually submitted as well as created available towards the general public. The gang states it after that offers the taken information towards cybercriminals if resettlement isn’t created. AvosLocker is among a handful of ransomware procedures that likewise creates exposure to sufferers through telephone towards motivate all of them towards pay out the ransom money. The gang is actually understood towards problem risks of Dispersed Rejection of Solution (DDoS) towards additional stress sufferers right in to paying out the ransom money.

AvosLocker is actually a ransomware-as-a-service procedure where affiliates are actually hired towards carry out assaults for a portion of any type of ransom money resettlements they produce. As a result, the assault vectors utilized in assaults depend upon the skillsets of the affiliates. Typical susceptabilities are actually understood to become made use of towards increase preliminary accessibility towards systems, consisting of susceptabilities connected with Proxy Covering as well as unpatched susceptabilities in on-premises Microsoft Trade Web hosting servers. Nevertheless, over recent year, spam e-mail projects have actually been actually a main assault vector.

E-mail Filtering System Important for Protecting Versus Ransomware Assaults

Spam e-mail is actually a typical assault vector utilized through ransomware gangs. Spam e-mail projects work as well as offer inexpensive accessibility towards sufferer systems. Phishing as well as spam projects either utilize harmful accessories or even installed hyperlinks in e-mails, together with social design methods towards persuade point individuals towards available the accessories or even click on the web links.

The main protection versus these assaults is actually e-mail filterings system. E-mail filterings system check all of incoming e-mails as well as accessories as well as avoid harmful notifications coming from being actually provided towards inboxes. Because cyber stars are actually continuously altering their lures, social design techniques, as well as techniques towards bypass e-mail safety and safety services, it is actually important towards have actually an e-mail safety and safety service in position that can easily react to altering strategies.

E-mail safety and safety services that utilize expert system as well as artificial intelligence towards determine as well as obstruct risks outperform services that depend on anti-virus motors as well as blacklists of understood harmful IP addresses.

Do Not Overlook Safety and Safety Understanding Educating for The Labor Force

It is actually likewise essential towards offer safety and safety understanding educating towards all of participants of the labor force coming from the CEO down. The FBI as well as the U.S. Treasury Division suggested in the most recent notify towards “Concentrate on cyber safety and safety understanding as well as educating,” as well as “Routinely offer individuals along with educating on info safety and safety concepts as well as methods in addition to general arising cybersecurity dangers as well as susceptabilities (i.e., ransomware as well as phishing frauds).”

Here are the new Emotet spam campaigns hitting mailboxes worldwide

The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide.

Emotet is a malware infection that is distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or JavaScript will download the Emotet DLL and load it into memory using PowerShell.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as TrickBot or Qbot that commonly lead to ransomware infections.

Emotet spamming begins again

Last night, cybersecurity researcher Brad Duncan published a SANS Handler Diary on how the Emotet botnet had begun spamming multiple email campaigns to infect devices with the Emotet malware.

According to Duncan, the spam campaigns use replay-chain emails to lure the recipient into opening attached malicious Word, Excel, and password-protected ZIP files.

Reply-chain phishing emails are when previously stolen email threads are used with spoofed replies to distribute malware to other users.

In the samples shared by Duncan, we can see Emotet using reply-chains related to a “missing wallet,” a CyberMonday sale, canceled meetings, political donation drives, and the termination of dental insurance.

Attached to these emails are Excel or Word documents with malicious macros or a password-protected ZIP file attachment containing a malicious Word document, with examples shown below.

Excel Email

Emotet email with Excel attachment Source: Brad Duncan

Missing Wallet

There are currently two different malicious documents being distributed in the new Emotet spam campaigns.

The first is an Excel document template that states that the document will only work on desktops or laptops and that the user needs to click on ‘Enable Content’ to view the contents properly.

Excel Attachment

The malicious Word attachment is using the ‘Red Dawn’ template and says that as the document is in “Protected” mode, users must enable content and editing to view it properly.

How Emotet attachments infect devices

When you open Emotet attachments, the document template will state that previewing is not available and that you need to click on ‘Enable Editing’ and ‘Enable Content’ to view the content properly.

However, once you click on these buttons, malicious macros will be enabled that launch a PowerShell command to download the Emotet loader DLL from a compromised WordPress site and save it to the C:\ProgramData folder.

Powershell command

Once downloaded, the DLL will be launched using C:\Windows\SysWo64\rundll32.exe, which will copy the DLL to a random folder under %LocalAppData% and then reruns the DLL from that folder.

DLL folder

After some time, Emotet will configure a startup value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch the malware when Windows starts.

Registry Editor

The Emotet malware will now silently remain running in the background while waiting for commands to execute from its command and control server.

These commands could be to search for email to steal, spread to other computers, or install additional payloads, such as the TrickBot or Qbot trojans.

Emotet attack flow

At this time, BleepingComputer has not seen any additional payloads dropped by Emotet, which has also been confirmed by Duncan’s tests.

“I have only seen spambot activity from my recent Emotet-infected hosts,” Duncan told BleepingComputer. “I think Emotet is just getting re-established this week.”

“Maybe we’ll see some additional malware payloads in the coming weeks,” the researcher added.

Defending against Emotet

Malware and botnet monitoring org has released a list of 245 command and control servers that perimeter firewalls can block to prevent communication with command and control servers.

Blocking communication to C2s will also prevent Emotet from dropping further payloads on compromised devices.

An international law enforcement operation took down the Emotet botnet in January 2021, and for ten months, the malware has not been active.

However, starting Sunday night, active TrickBot infections began dropping the Emotet loader on already infected devices, rebuilding the botnet for spamming activity.

The return of Emotet is a significant event that all network admins, security professionals, and Windows admins must monitor for new developments.

In the past, Emotet was considered the most widely distributed malware and has a good chance of regaining its previous ranking.

Why phone scams are so difficult to tackle

Many of us now refuse to answer telephone calls from an unknown number, for fear that it could be a scam.

And we dread receiving a text message, purportedly from our bank or a delivery firm, again due to concerns that it might be from fraudsters.

A recent report suggests that we are right to be cautious. In the 12 months to March 2021, phone call and text message fraud across England, Wales and Northern Ireland was up 83% from the previous year, according to consumer group Which?.

Which? analysed data from Action Fraud, the UK’s national reporting centre for fraud and cyber crime, and says this was the biggest rise across all types of fraudulent attacks.

It adds that the jump was fuelled by more people getting things delivered during the pandemic, which led to a corresponding huge rise in fake parcel delivery text notifications.

In these “smishing” attacks, fraudsters send a person a message, seemingly from a legitimate number, to claim that a small payment is needed before a package can be delivered. Then when you click on the link they try to steal your banking details.

Telecom firms and authorities faces difficulties

But how exactly are the fraudsters able to do this, and why is it so difficult for telecoms firms and authorities to tackle the problem?

Matthew Gribben, a cyber security expert, says that criminals are able to make it look like their phone call or text is coming from the real telephone number of a bank or delivery firm, due to continuing vulnerabilities in the UK (and other countries’) telephone network systems.

“There’s no way for the current UK phone network to guarantee 100% that the presentation number it is being told is the actual originating number – it has to take your word for it,” says Mr Gribben, who is a former consultant to GCHQ, the UK government intelligence agency.

Protocol’s problem

The core of the problem is a telephone identification protocol called SS7, which dates back to 1975. It is a little complicated, but bear with us.

SS7 tells the telephone network what number a user is calling or texting from, known as the “presentation number”. This is crucial so that calls can be connected from one to another. The problem is that fraudsters can steal a presentation number, and then link it to their own number.

The issue affects both landlines and mobile phones, with SS7 still central to the 2G and 3G parts of mobile phone networks that continue to carry our voice calls and text messages – even if you have a 5G-enabled handset.

One theory is that the vulnerabilities of SS7 cannot be fixed because the telecoms firms need to give national security agencies access to their networks, but Mr Gribben says GCHQ (Britain’s intelligence agency) can monitor communications without using SS7 loopholes.

The problem, he says, is that SS7 is still used in telecoms networks globally. And it needs to be replaced rather than patched up.

“SS7 was developed assuming there would always be legitimate activity [and] goodwill around the use of it,” explains Katia Gonzalez, head of fraud prevention and security at BICS, a Brussels-based telecoms firm that connects and protects mobile phone networks.

personal information stolen

“There’s too much legacy technology [reliant upon it] that we can’t move away from – we’re going to have these SS7 2G/3G networks for at least another 10 years.”

Jon France, head of industry security at the GSMA, the trade organisation that represents mobile network providers around the world, says that “a lot of these problems will disappear” after 5G networks have been fully rolled out. This will mean that SS7 – and 2G and 3G – can be totally replaced.

Ms Gonzalez agrees: “It took some time to understand these flaws, and how they were exploited. Now with 5G there will be security from [the centre] of it.”

However, Mr Gribben cautions that even when SS7 is replaced by something “entirely brand new and sparkling, there will still be other vulnerabilities [that fraudsters can exploit]”.

The GSMA says that telecoms firms are putting “a large amount of effort and investment” into tackling scams.

For its part, BICS is using artificial intelligence systems to try to detect and block incoming fraudulent calls and texts.

Ms Gonzalez adds the only way to prevent text message scams is to enable telecoms firms to use AI to scan texts for links to fake websites before they are sent. Yet privacy regulators are unlikely to ever agree to that.

So instead BICS is calling for “greater collaboration between telecoms firms and governments, better relations between countries, and more effort from the companies on sharing information on the latest vulnerabilities”.

When it comes to fraudulent telephone calls, there has been a big increase in so-called “robo-calling” – automated voice calls in recent years.

Call authentication systems do exist that can help stop them, and the UK’s telecommunications regulator Ofcom says it is consulting with the telecoms industry to see what can be implemented, and how soon.

“These criminal scams are becoming more sophisticated and tackling them requires efforts from a range of bodies,” says an Ofcom spokesman.

“We’re working closely with the police, industry and organisations such as NCSC [the National Cyber Security Centre] – which is responsible for cyber-security standards in the UK – to help tackle the problem.”

New protocols developed

An international standards body, the US-based Internet Engineering Task Force (IETF) has also developed new protocols to prevent robo-calling.

In a nod to James Bond, the system is called “Stir and Shaken”. US authorities have ordered mobile operators to implement the protocols by the end of 2021, but Ofcom says UK providers can’t do so until networks are sufficiently upgraded, by 2025.

As phone and text scams are not going away anytime soon, Amanda Finch, chief executive of professional body, Chartered Institute of Information Security, says: “There’s always more that telecoms firms could do”.

“But, security is a continually moving target… basically everyone has to be vigilant,” she adds.

Meanwhile, Robert Blumofe, chief technology officer of cloud security firm Akamai, says: “I don’t think there’s a world anytime soon where we can train people not to be fooled, so the solution has to include a way to block the response the text messages are trying to elicit.”

How to report online scams

How to report online attempts to steal your money

With scams spiking during lockdown, here are some of the ones to know about – and how to get support

Fresh warnings have been issued over a new scam that claims payment is required for a package to be delivered.

The latest con involves the victim receiving a text message from “Royal Mail”, claiming that a parcel is ready for delivery, but that an additional fee of £1.99 or £2.99 is required.

A link is shared for the recipient to click through and pay the alleged fee, only to be directed to a copycat website operated by fraudsters.

One victim revealed on social media in a tweet that went viral that such a con had left her “scammed out of every penny I had” after fraudsters telephoned her pretending to be her bank and asking her to move money around.

The Chartered Trading Standards Institute (CTSI) and Royal Mail have both warned that such messages are fraudulent, with the CTSI adding that such scams have surged over the past year.

“This delivery scam is yet another example of fraudsters attempting to make money out of the unsuspecting public,” said Katherine Hart from the CTSI.

“Due to the lockdowns, many millions of people rely on product deliveries, so scammers have focused their efforts on this theme.

“If you have any suspicions, contact Royal Mail to verify before you click any links or share details,” she added.

A spokesperson for Royal Mail said the service would only ever ask for payment by email or text message if a parcel had been sent to them from overseas and a customs payment was due.

“In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item.”

But what other scams exist and what should you look out for? Here’s everything you need to know.

National Insurance

Action Fraud, the UK’s national reporting centre for fraud and cybercrime, is warning the public about a National Insurance scam after it received over 34,000 more calls last month compared with February 2020.

Victims have reported receiving an automated telephone call telling them their “National Insurance number has been compromised” and that they must “press one on their handset to be connected to the caller” in order to resolve the issue.

Once connected to the “caller”, victims are pressured into giving over their personal details in order to receive a new National Insurance number. In reality, they’ve been connected to a criminal who can now use their personal details to commit fraud.

Pauline Smith, head of Action Fraud, said: “We are asking the public to remain vigilant and be cautious of any automated calls they receive mentioning their National Insurance number becoming compromised.

“It’s important to remember if you’re contacted out the blue by someone asking for your personal or financial details, this could be a scam.

“Even confirming personal details, such as your email address, date of birth or mother’s maiden name, can be used by criminals to commit fraud. If you have any doubts about what is being asked of you, hang up the phone. No legitimate organisation will rush or pressure you.”

HMRC (tax scams)

With the end of the tax year approaching, scams relating to tax payments, bills and rebates are on the rise. Her Majesty’s Revenue & Customs (HMRC) received over 900,000 reports of HMRC scams in 2020, with more than half of these offering fake tax rebates.

Common scams include messages claiming you are owed a tax rebate, that you’ve missed an important deadline, or warning that you have an outstanding fee to pay. Scams exploiting the Covid-19 pandemic have also been reported, with people receiving texts stating that they are owed a “goodwill payment” due to the coronavirus. Others demand a £250 payment after individuals are accused of “breaching lockdown restrictions”.

HMRC has said that it will never send notifications by email about tax rebates or refunds and advise recipients not to open any attachments, click any links or share any personal or payment information. It adds that if you are unsure about the legitimacy of a message you receive by email, text message, WhatsApp, social media or telephone, you can forward the details to the National Cyber Security Council at

Genuine emails from HMRC should all end in ‘’ only. Any additional words, letters or numbers following this are likely to be fraudulent. Don’t click links contained in emails or messages claiming to be from HMRC – log in to your account, email or telephone them directly to be certain it’s safe.

You can also see examples of HMRC scams by following this government link.

Investment fraud


Investment fraud occurs when you receive a cold call from someone claiming to offer you an opportunity to invest in a scheme, service or product that is actually worthless or doesn’t even exist. It’s also known as share sale fraud, hedge fund fraud, land banking fraud or bond fraud. The majority of investment frauds are run out of offices known as boiler rooms. Victims may also be offered “special discounts”, “insider info” or “exclusive” stock tips.

Boiler room operations often contact victims out of the blue and pressure them into making rushed decisions with no time to consider the nature of the investment. Callers often sound extremely knowledgeable and professional, and may produce polished-looking websites, certificates or brochures to “prove” their authenticity.

As well as never providing bank account details or sensitive information, never accept investment offers on the spot from cold callers. Instead, look at the Financial Conduct Authority’s ScamSmart warning list which acts as a barrier between unscrupulous scammers and you.

Sadly, boiler room operations tend to target people aged 65 and older, so it’s important to talk to older family members and vulnerable people to help them spot bogus callers.


Action Fraud received over 400 reports in just one week from people reporting fake emails purporting to be from Netflix. The emails state that the recipient needs to “finish signing up” by clicking the link provided before they can use the online streaming service. Doing so, however, takes victims to phishing websites that steal your Netflix login, personal and financial information.

Netflix says that it will never ask you to enter personal information in a text or email. This includes credit or debit card numbers, bank account details and Netflix passwords. If you think your account has been compromised, Netflix advises you to contact it directly using the details on this page.

Romance fraud

Romance fraud occurs when a person you’ve met through an online dating website or app uses a fake profile to build a relationship and gain your trust before asking you for money or information to steal your identity.

Tell-tale signs include asking you lots of personal questions but disclosing very little about themselves; and exploiting your trust by inventing a reason to ask for your financial assistance, such as money to pay for a flight to visit you, or money for medical treatment for them or a family member. “Perfect” profile pictures can also be a giveaway and may have been stolen from a model or actor. Using the reverse image search tool on Google can help you find the original source of photos.

To avoid getting caught out by romance fraud, avoid revealing too many personal details when dating online, such as your date of birth or home address, which may result in your identity being stolen. Never send or receive money or share your bank details to someone you’ve met online, no matter how convincing their story is. And, if you’re online dating, choose a reputable site or app and use their messaging service, rather than switching to social media or texting, where messages can be deleted more easily.

According to Action Fraud, women are twice as likely to fall victim to romance fraud and investment fraud twice as men.

Paul Davis, retail fraud prevention director at Lloyds Bank, said: “Scammers do this for a living – they’re in it for the long game and will often spend a lot of time building up a ‘relationship’ and trust – they can invent convincing stories, waiting for the right moment to start tricking people into sending them money.

“If you’ve struck up a conversation or begun a relationship solely online and the discussion moves on to sending money, that’s the time to stop.”

Fraud recovery

As if being scammed once isn’t bad enough, data from the National Fraud Intelligence Bureau (NFIB) found that over £373 million was lost by repeat victims of fraud in the 2019/20 financial year, with the average victim losing £21,121. However, when someone reported at least one investment fraud, this figure jumped a staggering 300 per cent to £84,604.

A fraud recovery scam is when criminals contact victims pretending to be from their bank, a law enforcement agency, solicitors or “specialist recovery firm” claiming to be able to help them get their money back or compensation. Incredibly, this is often the same criminal targeting the victim again, or the victim’s personal details may have been sold on the dark web to other fraudsters. Scammers will usually ask for a fee for this “service” and may ask victims for their bank account details so they can “deposit” the recovered funds.

Mark Steward, executive director of enforcement and market oversight at the Financial Conduct Authority said: “Consumers should always be wary of cold calls and promises to recover funds lost to a scam, as these are often signs of an attempted recovery fraud taking place. If you’re under pressure to make a quick decision or a payment, there’s a very good chance you’re talking to a scammer.

“Be ScamSmart and check the FCA Register to make sure that the firm you are dealing with is authorised to perform the service they are providing for you, and use the contact details on the FCA Register.”

TV Licensing

While this particular scam was first identified by the NFIB in September 2018, scam emails purporting to be from TV Licensing resurfaced again in October 2020. Victims receive an email which states that there is a problem with their Direct Debit that needs addressing in order for them to continue watching TV legally at home.

Victims are then urged to click a link, which directs them to an authentic-looking website that prompts them to enter their home address and bank details, which are duly stolen by scammers.

TV Licensing say that in emails, it will include your name and part of your postcode, compared with scam emails which often just use your email address or “Dear customer”. All legitimate emails from TV Licensing come from (or If you think you’ve been a victim of a TV license scam, contact Action Fraud or email the government’s fraud service at

What can I do if I think I’ve been a victim of fraud?

If you think you’ve been a victim of fraud, you can contact Action Fraud for help and advice. You can also forward details of suspect scammer to the National Cyber Security Centre.

Oren Etzioni: Fighting Spam with Spam

Oren Etzioni: Fighting Spam with Spam

Even though I’m a Professor of computer science, I have failed to protect myself from the daily nuisance of unsolicited and unwanted commercial e-mail known as “spam”. It’s time to fight back. Last week, a consumer association called for new legislation to combat spam, but the legal process is cumbersome and ineffectual in this case.

Although more than ten states have enacted anti-spam laws, courts in at least two states have ruled that the laws are unconstitutional. Furthermore, spam is a global phenomenon, and much of the spam we receive originates outside the United States.

I say let’s fight spam with spam!

Spammers rely on most of us to quietly delete their unwanted e-mail and go about our daily business. They hope to lure the few who are potentially interested in their dubious propositions (“URGENT AND CONFIDENTIAL BUSINESS PROPOSAL”…”Watch Monika live”). What would happen if many of us responded to each spammed message? Unlike viruses, whose authors can hide in the shadows of the Internet, each piece of spam has to have a simple trail for recipients to follow so that the spammer can ultimately make money. Faced with hundreds of thousands of responses, the spammer would have to employ substantial resources to find genuinely responsive individuals — the cost of successful spamming would shoot up and its frequency would naturally drop. Of course, responding to spam requires more effort than merely deleting it, but fighting back is also more satisfying. More important, if doing so will result in a chilling effect on spam, the effort will pay off over time.

Spammers will inevitably cower behind walls of automation. However, anti-spammers could find a receptive ear at their payment processor be it Visa or Paypal. Also, we could contact a spammer’s ISP. Web sites could spring up that would direct anti-spammers to the appropriate contact points. In the rare cases where there is no person to contact, anti-spam activists could mount a legitimate grass roots “denial of spam” attack on spammer web sites, flooding them with requests which would grind them to a halt.

One might question whether anti-spam forces could muster large enough numbers of volunteers. But remember that the Internet community is huge, and none of us get a free pass from spam. To bolster the effort, we could build anti-spam amplifiers that take each bona-fide individual request and turn it into ten or even one hundred requests directed at the spammer. We would need safe guards to prevent the abuse of such amplifiers, but the small “volume” of the amplifier ensures that only a large group of individuals could have any real impact. This sort of approach may need further refinement, but it has a satisfying symmetry to it — any spammer can count on a powerful torrent of counter-spam directed right back.

The effort to fight spam is also justified by its growing cost.

The most immediate cost of spam is the momentary irritation of identifying and deleting it; multiplied by literally billions of e-mail readers, this cost is substantial. Spam also results in a financial burden to the companies that operate the Internet infrastructure.

Hotmail estimates that it receives over a billion spam messages per day, and that number is growing rapidly. Finally, spam has an intangible cost that arises from its negative impact on electronic discourse. For instance, people obscure their e-mail addresses, or refrain from posting their address in public forums to try and avoid spiders that collect e-mail addresses as grist for spam-spewing mills.

There are some measures already in place to fight spam. America Online, for example, enables users to elect to only receive e-mail from designated, pre-approved e-mail addresses. If you’ve tried sending a legitimate message to such a user, then you’re aware of how annoying this measure can be. Moreover, users are forced to continually update such lists and inevitably fail to receive important messages. A cottage industry has sprung up of companies attempting to filter e-mail and prevent spam from reaching its target. However, filters run the risk of inadvertently blocking desirable e-mail. As a result, the filters are conservative in blocking messages and often let spam through. Spammers have also become increasingly adept at creating spam that masquerades as ordinary e-mail.

One of the more promising technical proposals for blocking spam is the use of mini Turing tests. Turing tests are puzzles that are intended to discriminate people from programs. Such schemes work as follows. Whenever I receive an e-mail message from an unknown recipient, my mailer automatically sends a message back politely requesting that the sender solve a simple puzzle to demonstrate that they are a person and not a spam machine. The original e-mail is transmitted to me only if the sender does indeed reply with a solution to the puzzle. In that case, the sender’s e-mail is placed on a list of approved senders so that the sender does not have to solve a puzzle every time they send a message. Nevertheless, this process is awkward, potentially insulting to the sender, and far from fool proof.

The limitations of blocking and filtering approaches have led experts to consider a range of economic remedies. Such remedies focus on the fact that the cost of sending e-mail is close to zero. Increasing that cost, by paying the recipient of a message or by introducing a post office of some sort into the Internet, would clearly “can” much of the spam we receive. The downside of such remedies is that they take a free service and attempt to charge for it. History shows that such attempts meet overwhelming resistance from people. My colleague Fernando Pereira has suggested that each Internet Service Provider (ISP) ought to compensate other ISPs for the spam that they send. Thus, if a Korean ISP sends Hotmail more spam than it receives from Hotmail (a spam surplus) then it would have to pay Hotmail, or Hotmail would refuse to receive e-mail from that ISP. This innovative proposal would incent ISPs to better police their accounts and cut down on spam, but would require multi-lateral agreements that may be difficult to achieve and enforce.

Yesterday, I created a new e-mail account, and within twenty four hours I received over twenty five pieces of spam. The Internet is drowning in spam, and it stinks! Virtually all of us simply hit the delete button on our key board. Let’s distribute software that automatically converts that single key stroke to a clear response to the spammers — stop spamming or taste your own medicine.

By Oren Etzioni

Beware of Bitcoin Investment Emails Pushing Clipboard Hijackers

A new malspam campaign is under that contains an attachment that when executed will install a Windows clipboard hijacker that attempts to steal Bitcoins from its victims.

This new campaign was discovered by security site My Online Security who received a series of Bitcoin investment related emails. These emails had subject line that included “FW: Review BTC” or “FW: Review Your New Bitcoin International Investment Update 2019” and contained a archive attachment.

Spam Email

This archive includes a JSE file, which is a JavaScript file, that contains a Base64 encoded executable stored in the file as shown below. When the JSE file is executed, it will decode the Base64 encoded file, save it to %Temp%\rewjavaef.exe, and then execute it.


Once executed, a file called Task.exe will be saved to the %AppData%\svchost.exe\ folder as shown below. This file will then be executed as well.


To make sure that the Task.exe is started every time a victim logs into Windows, a startup file called svchost.exe.vbs will be created in the user’s Startup folder.

Startup folder script

The Task.exe program is actually a clipboard hijacker malware that is based off the open source BitPing program created by a security researcher named A Shadow.

A cryptocurrency clipboard hijacker is malware that monitors the Windows Clipboard for certain data, and when detected, swaps it with different data that the attacker wants. In this particular case, Task.exe will monitor the Clipboard for bitcoin addresses, and if one is detected, will swap it for the 3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W address, which is owned by the attacker.

Source Code

As cryptocurrency addresses are typically long and hard to remember, attackers understand that when sending bitcoins, most people will copy an address from another page, site, or program. This malware will detect the copied address in the clipboard and replace it with their own in the hopes the victim won’t notice the swap. Then when the bitcoins are sent, they would be sent to the address under the attacker’s control rather than the intended recipient.

The best way to avoid malware like this is to not open attachments that you receive from strangers or that you are not expecting. Furthermore, you should never run attachments that could execute commands on the computer. This includes JSE, JS, VBS, CMD, PS1, .EXE, or BAT file extensions.

If Windows is not configured to display file extensions, it is strongly suggested that you enable the display of extensions so you do not open malicious documents or executables by mistake.

online phishing scam

Five smart things you should know about phishing

1. Phishing refers to the practice of sending e-mails posing as a genuine service provider and seeking to access confidential information about credit cards and bank accounts.

2. Such e-mails are designed to mislead the investor. Misaligned logos, expanded or contracted photos, or signatures with dubious designations are a giveaway.

3. Look for spelling and punctuation errors and unnecessary use of technical language. The drafts of these mails are not subject to quality checks of the original bank or institution.

4. No bank or service provider will ask you to open an attachment or click a link on a mail. Always access websites using the URL of the bank.

5. The messages that call for urgent action or dire consequences are usually spam. Banks do not send such communication through e-mails.

Spam SEO

Is SEO considered as a kind of spam activity?

Lately, we’ve been seeing a lot of SEO poisoning cases and felt it necessary to spend a little more time explaining them.

SEO (Search Engine Optimization) is all the rave these days. Anybody that owns a website and is trying to make an impact or working to improve their traffic has heard the term, and undoubtedly have become an SEO expert. If you’re not familiar with SEO, here is your quick definition:

“SEO stands for “search engine optimization.” In simple terms, SEO means the process of improving your website to increase its visibility in Google, Microsoft Bing, and other search engines…” Source: Search Engine Land

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process. Ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc. then you have the ability to generate a lot of traffic to your site. This in turn increasing the odds of visits. If you’re an ecommerce site, this equates to purchases. And if you’re a services company, this often equates to new clients. The idea is simple and highly effective. What is even better is that most search engines like Bing, Yahoo, and Google offer set criteria designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Unfortunately, you’re not the only one who knows this. Today, SEO spam is one of the top five attacks we’re seeing on the web, and it’s quickly pushing its way up to number one. SEO attacks becoming so prevalent, we felt the need to do some homework to better understand them.

In the process we found a useful video by Matt Cutts of Google in Youtube. In the video Cutts answered a interesting question about SEO in Google point of view:

Question: Does Google consider SEO to be spam?
Short answer: No

Long answer is below:

Google don’t consider SEO to be spam. Now a few really tech savvy people might get angry at that. So let me explain in a little more detail.

SEO stands for Search Engine Optimization

And essentially it just means trying to make sure that your pages are well represented within search engines. And there’s plenty of white-hat, great quality stuff that you can do as a search engine optimizer. You can do things like making sure that your pages are crawlable. So you want them to be accessible. You want people to be able to find them just by clicking on links. And in the same way, search engines can find them just by clicking on links. You want to make sure that people use the right key words. If you’re using industry jargon or lingo that not everybody else uses, then a good SEO can help you find out, oh, these are key words that you should have been thinking about. You can think about usability, and trying to make sure that the design of the site is good. That’s good for users and for search engines. You can think about how to make your site faster.

Not only does Google use site speed in our rankings as one of the many factors that we use in our search rankings. But if you can make your site run faster, that can also make it a much better experience. So there are an enormous number of things that SEOs do, everything from helping out with the initial site architecture and deciding what your site should look like, and the URL structure, and the templates, and all that sort of stuff, making sure that your site is crawlable, all the way down to helping optimize for your return on investment. So trying to figure out what are the ways that you are going to get the best bang for the buck, doing AB testing, trying to find out, OK, what is the copy that converts, all those kinds of things.

There is nothing at all wrong with all of those white hat methods

Now, are there some SEOs who go further than we would like? Sure. And are there some SEOs who actually try to employ black hat techniques, people that hack sites or that keyword stuff and just repeat things or that do sneaky things with redirects? Yeah, absolutely. But our goal is to make sure that we return the best possible search results we can. And a very wonderful way that search engine optimizers can help is by cooperating and trying to help search engines find pages better.

SEO is not spam. SEO can be enormously useful

SEO can also be abused. And it can be overdone. But it’s important to realize that we believe, in an ideal world, people wouldn’t have to worry about these issues. But search engines are not as smart as people yet. We’re working on it. We’re trying to figure out what people mean. We’re trying to figure out synonyms, and vocabulary, and stemming so that you don’t have to know exactly the right word to search for what you wanted to find. But until we get to that day, search engine optimization can be a valid way to help people find what they’re looking for via search engines.

We provide webmaster guidelines on There’s a free webmaster forum. There are free webmaster tools. There’s a ton of HTML documentation. So if you search for SEO starter guide, we’ve written a beginner guide where people can learn more about search engine optimization. But just to be very clear, there are many, many valid ways that people can make the world better with SEO. It’s not the case that, sometimes you’ll hear SEOs are criminals. SEOs are snake oil salesmen. If you find a good person, someone that you can trust, someone that will tell you exactly what they’re doing, the sort of person where you get good references, or you’ve seen their work and it’s very helpful, and they’ll explain exactly what they’re doing, they can absolutely help your website. So I just wanted to dispel that misconception. Some people think Google thinks all SEO is spam. And that’s definitely not the case. There are a lot of great SEOs out there. And I hope you find a good one to help with your website.

But.. SEO has evolved in many areas.

The challenge with that is how SEO has evolved. In our own experience, it is no longer this simple, and the majority of the SEO attacks revolve around pharmaceutical injections. A recent study actually discusses why the pharmaceutical affiliate marketing model has become so effective and highly coveted with blackhats today. If you’re wondering why, it’s because of how economically rewarding it is. That’s a post for another day though.

The good news is that principles of these SEO spams are still the same today. In 2010 Sophos described the following:

At the heart of the SEO attack is the ability to feed search engine crawlers content to index and redirect users to malicious sites.

Today that is still key, but their methods have evolved. We’re seeing highly complex malware injections that are intelligent by being able to adapt to incoming traffic. Many are targeting the search engine IPs like Bing and Google, while others are being wrapped into conditional logic that only presents itself when specific conditions are met, and yet others are being tied into Command and Control nodes that are dictating what the site should do on visit.

More and more of them however are integrating themselves into the Pharmaceutical affiliate model as described above. What is perhaps most interesting about this is that those sites are rarely distributing drive-by-download payloads. Instead they are being maintained in pristine condition with no other anomalies other than the improper redirection.

We are also seeing no real preference on the brand or traffic of the site. In fact it appears that they are more than content with low-hanging fruit than they are in penetrating a high-ranking site with a well-known brand. This we find exceptionally interesting.

Many have undoubtedly experienced the impact of these SEO attacks. They often lead to the inevitable warning by Google, “This site may be compromised!” or “Something’s not right here!” We wrote a post describing these warnings earlier this year.

Unfortunately, there is no real solution to this problem. The threat landscape in which most websites live is just too large and most website owners really don’t care about it. That’s probably today’s biggest issue.

So where does that leave things today?

If you have any questions or comments about this post please leave a your comment at our contact page.

PHP Spam Poison – Free Download


The PHP Spam Poison is a fake-page generator that simulates long lists of fake email addresses and links to more generated pages, to be harvested by spam-robots, effectively poisoning their databases with useless email addresses. This spam poisoner was inspired by the WPoison software from

Features of the PHP Spam Poison

  • It uses PHP, so no CGI access is needed.
  • Fast and lightweight.
  • Highly configurable.
  • Can be included by others PHP pages.
  • Require software available in most hosting services.
  • Doesn’t require a SQL database.
  • Works in Linux/Unix and Windows servers (with IIS or Apache).
  • GPL license (open-source).
  • Simple to install.


Required: PHP 4.1.x or higher. Your web server should be able to interpret the PHP language. It really doesn’t matter the platform (tested with GNU/Linux and Windows 2000).
Required: A web server. It should work with any web server running in your workstation or server (tested with Apache in GNU/Linux, with Apache in Windows 2000 and IIS in Windows 2000).

Download the PHP Spam Poison

The current version are available as a tar.gz package or as a zip file at

Also you can find ther the Readme (readme.txt), Changelog (version.txt), checksums (checksums.txt) and license (license.txt) files.

Installation of the PHP Spam Poison


1) Get the files
Get the files from (There are zip and tar.gz files available). Be sure to download also the wordlist.

2) Unpack

Extract the script files in a web server directory. That will create a “phpwpoison” directory with few filesinside. Then unpack the wordlist and save it in the same directory.

3) Change ownership

Change the ownership of those files and the directory “phpwpoison” to the user used by your web server (usually “nobody” in Unix/Linux). To change the ownership in Linux/Unix, you execute in a shell terminal.

chown -h -R nobody:nobody phpwpoison/

In Windows environments, using the Windows Explorer, check the Security tab of the Properties dialog of the directory, and set the permissions so that the user IUSR_servername has permissions to read and write on the “phpwpoison” directory.

If you cannot set the ownership, at least be sure to enable writting permissions in the directory.

4) Rename the directory

Rename the phpwpoison directory to a simple name. Avoid “poison”, “spam”, etc. The idea is to not give a clue to those email-harvester robots that this is a trap.

5) Rename the script

Rename the emailusers.php file to any simple name. Avoid “poison”, “spam”, etc. The idea is to not give a clue to those email-harvester robots that this is a trap.

6) Configure

Edit the renamed PHP file, changing at least the pwp_scriptname variable. If you renamed the script to “listusers.php” then set the pwp_scriptname variable to “listusers.php”. Also, check the pwp_html_postheader and pwp_html_footer variables, where you can
insert HTML so the generated pages match your website look.

7) Test

Try to open the renamed PHP file from your the browser thru the web server. (Please note that by default, the script will make a pause of up to 30 seconds before finishing rendering the page; to modify or eliminate that delay, edit the script and change the options pwp_minsleeptime and pwp_maxsleeptime).

8) You are done.

The following step is optional:

9) Create a spammer list (option available since version 1.1.0)

Maybe you already have a list of email addresses of known spammers. A list with real addresses (not fake addresses like those used by most spammers). Some spammers are just uninformed people thinking that spamming is a good business practice. Some of them will stop spamming when learn that spamming is not good for their business. But for those who don’t…

Let the phpwpoison script create fake email addresses mixed with spammers addresses. Let other spammers know what spamming is all about for the receiver.

Create a text file with each line containing an email address. Avoid using the default spammers.txt filename. Edit the phpwpoison script and change the variables pwp_use_spammer_list, pwp_spammer_file and pwp_spammer_ratio.


Always create a robots.txt file in your site, to let search engines know that they should not visit the spam trap. Email harvesters usually ignore the robots.txt file, so they will fall into the trap anyway.

For more information about the robots.txt file, visit The Web Robots pages or the Robots.txt Tutorial (from SearchEngineWorld).

For example, the robots.txt file in this website looks like this (meaning that search engines should not follow the spam trap located in the users.php webpage):

User-agent: *
Disallow: /users.php
Disallow: /users.php/

The pages generated by phpWPoison may take a few seconds to render, but it’s not because they are slow. It is because phpWPoison waits a random number of seconds before finishing sending the page. The goal is slow-down the spam-spider. You can adjust this waiting time editing the variables pwp_minsleeptime and pwp_maxsleeptime.

You can include the output of the phpWPoison script so it can be shown as part of a different webpage. Just build you hosting page (as PHP) as usual, but for the content use something like:

include_once (“thepoisondir/emailusers.php”);

Then edit the emailusers.php script and change the option pwp_scriptname to the name of the hosting script. Change the option pwp_standalone to false. Also, adjust the paths of the files set in the options pwp_word_file, pwp_cache_file and pwp_spammer_file (which are relatives to the hosting script).

NOTE: if you include the script into another, the pwp_html_preheader, pwp_html_postheader and pwp_html_footer variables are ignored. Then you should provide the meta tag ROBOTS in the head of the hosting webpage (or be sure to provide a robots.txt file in your site).