Tag Archives: phishing

Canada’s Hospital for Sick Kids stopped spamming

Canada Canada’s The Hospital for Sick Children The Hospital for Sick Children AS 46626 SICKKIDS-AS-01 dropped out of the May 2013 SpamRankings.net for world medical organizations from CBL data. In April they ranked #1 with 21,912 spam messages, April 2013 World Medical SpamRankings.net from CBL Volume and in May they dropped to #27 with only 28 messages. In April they really only spammed for one week, as you can see in the big spike in the graph. Of course, the hospital itself probably didn’t knowingly send the spam; usually they’ve been compromised by botnets or phishing or some other breach, but hospital patients and other customers won’t necessarily know that if they receive some of it. And if their security is lax enough to let in things that emit spam, what else has been compromised? This is why hospitals are quick to squelch outgoing spam and fix the underlying security problems.

-jsq

Is January’s medical spam caused by botnets?

Remember those three spamming medical organizations PSBL saw and the spike from CSHS that SpamRankings.net found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:

Even though the three three-digit-spamming medicos spam oddly coherently, we don’t find any botnets for them. This may be because most of that spam was seen by PSBL, and our botnet assignments come from CBL. CBL didn’t see any spam from those ASNs, so it didn’t have anything to assign for botnets. Maybe they’re infested by the same botnet; maybe not; can’t tell.

But it was CBL that saw that big spam spike for AS 22328 CSHS. And CBL did assign a botnet to that: Lethic. For all but two days of CSHS spam shown, CBL assigned Lethic to the total amount of spam from CSHS for that day. That may be because all that CSHS spam is coming from a single computer.

Of course, CBL’s botnet assignments are not perfect, but infosec professionals tell me CBL is about as good as it gets for that, so there’s a good chance this botnet assignment is correct.

The good news is that all of the trio of three-digit spamming medicos decreased their spam and even went to zero during the period shown.

And CSHS spam peaked at the end of January and started back down in February.

Pretty soon there may be once again little or no spam from medical organizations to rank.

-jsq

CSHS is back in January 2012 SpamRankings.net

In SpamRankings.net, January PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.

The three with more than 100 spam messages for the month were

each accounting for about a third of the total spam volume seen from medical organizations by CBL in January 2012.

Cedars-Sinai Health Systems‘ AS 22328 CSHS came in only seventh in PSBL data, with only 10 spam messages. But in CBL data, CSHS came in first, with 2,873 messages. That’s not a lot, compared to, for example, Comcast, which CBL saw spamming more than two million messages during the same month. But what patients would prefer to see from medical organizations is zero spam messages, since spam is a sneeze for infosec disease, and who wants to think their hospital’s information security or radiology computers might be infected?

Chances are CSHS will notice and clean it up pretty quick. Those other three medical orgs may have some sort of more chronic problem….

-jsq

Teachable Moment: APWG/CMU Phishing Education Landing Page program

Phishing? Fail!

When you take down a phishing domain or server, don’t just take it off the net: redirect it to this education page so victims of phishing can learn in the act of being suckered by a phisher that they should be more careful what they click on.

As someone in the audience pointed out, whatever you do don’t redirect phishing pages back to the actual sites being phished, i.e., if the phisher was pretending to be a bank, don’t take down the phisher’s redirect and replace it with a redirect to the bank itself. THat just teaches people the wrong thing, to follow a bad link.

Instead, link to the APWG/CMU landing page. Which could use a catchier name (how about Phishing: Fail!), but it’s already a really good service.

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.

APWG Atlanta Buckhead

apwgfall08.jpg Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the si ze of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with th e miscreants.

Debunking the Tragedy of the Commons

x7579e05.gif Interesting article here making a point that should have been obvious for forty years. When Garrett Hardin published his famous article about the “tragedy of the commons” in Science in December 1968, he cited no evidence whatsoever for his assertion that a commons would always be overgrazed; that community-owned resources would always be mismanaged. Quite a bit of evidence was already available, but he ignored it, because it said quite the opposite: villagers would band together to manage their commons, including setting limits (stints) on how many animals any villager could graze, and they would enforce those limits.

Finding evidence for Hardin’s thesis is much harder:

The only significant cases of overstocking found by the leading modern expert on the English commons involved wealthy landowners who deliberately put too many animals onto the pasture in order to weaken their much poorer neighbours’ position in disputes over the enclosure (privatisation) of common lands (Neeson 1993: 156).

Hardin assumed that peasant farmers are unable to change their behaviour in the face of certain disaster. But in the real world, small farmers, fishers and others have created their own institutions and rules for preserving resources and ensuring that the commons community survived through good years and bad.

Debunking the `Tragedy of the Commons’, By Ian Angus, Links, International Journal of Socialist Renewal, August 24, 2008

So privatization is not, as so many disciples of Hardin have argued, the cure for the non-existant tragedy of the commons. Rather, privatization can be the enemy of the common management of common resources.

What does this have to do with risk management? Well, insurance is the creation of a managed commons by pooling resources. Catastrophe bonds are another form of pooled resources, that is, a form of a commons.

On the Internet, the big problem with fighting risks like phishing, pharming, spam, and DDoS attacks is that the victims will fail if they go it alone. The Internet is a commons, and pretending that it isn’t is the problem. Most people and companies don’t abuse the Internet. But a few, such as spam herders and some extremist copyright holders (MPAA, RIAA), do. They need to be given stints by the village.

-jsq

Fast Flux Mapped

ffcrop.png Australian HoneyNet tracks Fast Flux nodes and maps them:
Below is the current locations of the storm Fast Flux hosts. This is updated every 15 minutes from our database.

I Had to change it to only show the last 6 hours of new nodes since GoogleMaps doesn't scale very well when your reaching past a few thousand markers on a map 🙂

—Fast Flux Tracking, Australian HoneyNet Project, accessed 7 Aug 2008

Fast Flux, in case you're not familiar with it, refers to various techniques used by bot herders, spammers, phishers, and the like to evade blocking by rapidly changing which IP addresses are mapped to which domain names.

-jsq