30 Months in Prison for Spammer

And sometimes the news is good…

NEW YORK (Reuters) – A Brooklyn man was sentenced to 30 months in prison on Tuesday for sending spam e-mails to more than 1.2 million subscribers of America Online in a scheme that foiled the Internet company’s spam-filtering system.

Adam Vitale, 27, was sentenced in federal court in Manhattan after pleading guilty more than a year ago to breaking anti-spam laws. He was also ordered to pay $180,000 to AOL in restitution.

Vitale was caught making a deal with a government informant to send junk e-mails — known as spam — that advertised a computer security program in return for 50 percent of the product’s profits, prosecutors said.

“Spamming is serious criminal conduct; this is not a teenager engaging in child’s play,” U.S. District Judge Denny Chin told Vitale as he sentenced him. Vitale earlier apologized and said he had learned a lesson.

Prosecutors said Vitale had 22 prior convictions and had also helped run an online prostitution ring on the Web site www.craigslist.com, but he has not been criminally charged.

In the spam e-mail case, Vitale and another man, Todd Moeller, defeated AOL’s filter system by using several different computer servers to relay the e-mails and changed the e-mail header information to ensure the spam e-mails could not be traced back to them.

Moeller, of New Jersey, was sentenced last November to 27 months for his role in the scheme.

Court papers said that in less than a week in August 2005, Vitale and Moeller sent e-mails on behalf of the informant to more than 1,277,000 addresses of subscribers at AOL, the online division of Time Warner Inc.

Cory over at BoingBoing talks about another spammer bent on ruining Craigslist by bypassing the phone verification system. Cory refers to an article on Blackhatworld.

My feeling is that the only way to turn the tide is to aggressively turn the tables on spammers and make it very physically unpleasant for them.

Why My Friends and Relatives Get My Tirades About Putting Me In Long To: and cc: Lists


A few years ago I began telling relatives that I would not give them technical advice if they didn’t bother to have basic antivirus software or sent me chain mail, jokes or any “look at this” email that didn’t explain in a sentence where I’d be sent, with a link. Any story, no matter how tear-jerking, if it didn’t have a link to its source, would be ignored.

I would even change political parties if my most loathed candidate from the other party would grant me the license to deny Internet access to anyone who sent out 3 debunkable hoaxes that could be found in a 4-word Google search where “Snopes” is one of the words, as in “Snopes microsoft cash”

But what’s getting my goat is just how gullible most well-meaning folks are and how clueless they are about their habits. Bruce Schneier discusses social phishing, and how it is more who sends you an email than its contents that determines whether you’ll go where it directs you, no matter how dangerous.

Phishing Studies

Two studies. The first one looks at social phishing:

Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject’s social network. The message body was comprised of the phrase “hey, check this out!” along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.

The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).

Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that’s in part because those majors fell for the control phish half the time. Science majors had the largest disparity–there were no control victims, but the phish had an 80 percent success rate in the experimental group.

Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends.

And we all know that some men are suckers for what women tell them.

Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

“People think [the phrase] ‘starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.

Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in ten thousand times, but if you send enough e-mails that might be enough.
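As an added illustration of the two “authenticators” Jakobsson compares (this is my code, not part of Schneier’s post or the studies he quotes), the following Python builds a constructed pool of Luhn-valid card numbers that all share one issuer prefix and then measures how often a phisher’s claim would be true for a random cardholder. The prefix 4000 is a hypothetical placeholder, not a real issuer’s IIN, and the generated numbers are not real cards.

```python
import random


def luhn_check_digit(partial: str) -> str:
    """Compute the Luhn (ISO/IEC 7812) check digit for the digits in `partial`."""
    total = 0
    # Weighting runs from the right; the check digit will sit at position 0,
    # so the rightmost digit of `partial` is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def make_pans(iin: str, count: int, length: int = 16, seed: int = 1) -> list:
    """Constructed sample: `count` Luhn-valid card numbers that all share the
    issuer prefix `iin`. The prefix is a hypothetical placeholder and the
    numbers are generated for this simulation; none of them are real cards."""
    rng = random.Random(seed)
    body_len = length - len(iin) - 1  # leave room for the check digit
    pans = []
    for _ in range(count):
        partial = iin + "".join(rng.choice("0123456789") for _ in range(body_len))
        pans.append(partial + luhn_check_digit(partial))
    return pans


def hit_rate(pans, predicate) -> float:
    """Fraction of cardholders for whom the phisher's claim is actually true."""
    return sum(1 for p in pans if predicate(p)) / len(pans)


def starts_with_attack(pans, guess: str) -> float:
    """'Your card starting with <guess>': only the issuer prefix is needed."""
    return hit_rate(pans, lambda p: p.startswith(guess))


def ends_with_attack(pans, guess: str) -> float:
    """'Your card ending with <guess>': a blind 1-in-10,000 guess per message."""
    return hit_rate(pans, lambda p: p.endswith(guess))


if __name__ == "__main__":
    customers = make_pans("4000", 20_000)
    print("starting with 4000:", starts_with_attack(customers, "4000"))
    print("ending with 1234:  ", ends_with_attack(customers, "1234"))
```

Run against the generated pool, the “starting with” claim is true for every customer of the issuer, while the “ending with” guess lands on roughly one cardholder in ten thousand, which is exactly the volume game Schneier describes: the first four digits authenticate nothing, and the last four only hold up if the attacker cannot afford to send enough mail.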

A virus that compromises my friends’ email address book compromises me. I want to take all email I get from my family and friends seriously, but if they’re sloppy and lax and add me to their To: and cc: lines in their email headers to spread around jokes and stories I last thought were funny in 1998, not only do they put me at risk, but everyone they know now has my legit email address.

Don’t be sloppy with the email addresses of your friends, relatives and business contacts.

Discover and learn to love your email’s BCC.
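As an added example (my code, not the author’s), here is what BCC actually does at the wire level, using Python’s standard email library: blind-copied addresses go into the SMTP envelope so they still receive the mail, but the Bcc header is stripped before the message body is sent, so no recipient ever sees the other addresses. All addresses below are constructed placeholders.

```python
import email
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Compose a message; Bcc lives as a header only until we hand it to SMTP."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg) -> list:
    """SMTP RCPT TO list: everyone in To, Cc and Bcc gets a copy."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def wire_message(msg) -> bytes:
    """The bytes sent in DATA. The Bcc header is removed first (smtplib's
    send_message does this for you; the lower-level sendmail does not), so
    nobody on the To or Cc line learns who else was blind-copied."""
    outgoing = email.message_from_bytes(msg.as_bytes(), policy=default)
    del outgoing["Bcc"]
    return outgoing.as_bytes()


def visible_recipients(wire: bytes) -> list:
    """What a recipient can harvest from the delivered copy: To and Cc only."""
    received = email.message_from_bytes(wire, policy=default)
    fields = received.get_all("To", []) + received.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields)]
```

To send it by hand you would call `smtplib.SMTP(...).sendmail(sender, envelope_recipients(msg), wire_message(msg))`; if you use `send_message(msg)` instead, smtplib strips the Bcc header itself. Either way, an address that was only ever in Bcc never appears in the copy that lands in someone else’s (possibly virus-infested) address book.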

I really don’t want to have to say these words under oath… “And that’s when I started pummeling them with my cluebat, your honor…”

One Laptop Per Child Succumbs to the Law of Unintended Consequences


When Nigeria, the epicenter of spam, meets the charitable intentions of One Laptop Per Child and children’s natural urge to explore where they ought not, this is what comes of it:

Nigerian pupils browse porn on donated laptops

Thu 19 Jul 2007, 15:34 GMT

ABUJA, July 19 (Reuters Life!) – Nigerian schoolchildren who received laptops from a U.S. aid organisation have used them to explore pornographic sites on the Internet, the official News Agency of Nigeria (NAN) reported on Thursday.

NAN said its reporter had seen pornographic images stored on several of the children’s laptops.

“Efforts to promote learning with laptops in a primary school in Abuja have gone awry as the pupils freely browse adult sites with explicit sexual materials,” NAN said.

A representative of the One Laptop Per Child aid group was quoted as saying that the computers, part of a pilot scheme, would now be fitted with filters.

Maybe “one laptop per child” got translated into “one lapdance per child”?

We should also have OLPC consider the wisdom of giving the world’s spam capital more tools to perpetuate their scams.
