Category Archives: Spam and scams

CryptoLocker defanged at last

Security researchers have cracked the encryption used by the horrible CryptoLocker ransomware.

Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.

The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You must upload one encrypted file, after which you are sent the required key. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.

Brian Krebs has more.

Canada’s new anti-spam law

There’s a lot of confusion and panic about CASL, the new Canadian Anti-Spam Law, which went into effect on July 1. Like many of you, I’ve been receiving slightly panicky email from businesses, asking me to consent to receive bulk email from those businesses. In fact, asking to confirm consent is not necessary in most cases.

The rules

If you ever send email with multiple recipients in Canada, then the new law may apply to you. That said, there are numerous exceptions. For instance: personal, family, and other non-commercial email is excluded, as is most inter-business and intra-business email.

If you were already following the rules (PIPEDA), you are almost certainly fine to continue what you were doing before. The basic rules of CASL are the same, namely:

  • To send commercial email, you must have consent from all recipients;
  • email must include contact information for the sender;
  • email must include a method for unsubscribing; and
  • email must not be deceptive in any way.

Consent

Most of the confusion about CASL is related to the issue of consent. Two forms of consent come into play: explicit and implicit. The Canadian Government’s information about consent is helpful in understanding the difference. If you obtain recipient addresses by asking customers if they would like to receive business-related email from you, and only record addresses of those who agree, then you already have explicit consent; there is no need to re-obtain consent.

The deadline

Some of the panic about CASL stems from the apparent deadline of July 1, 2014. In fact, although the law came into effect on that date, you have until July 2017 to comply.

What about Twitter?

Another source of confusion is that the new law seems to cover any Internet-based service that sends messages to multiple recipients, including web forums and Twitter. While technically true, most web-based messaging services make it very easy for a recipient to identify the source of a message and to unsubscribe.

An example of what NOT to do

Microsoft recently informed recipients of its security-related emails that it would stop sending those emails. It turned out that this was an ill-informed overreaction to CASL. CASL does not apply to email containing safety or security information. Even if CASL did apply, it would only have applied to Canadian recipients.

Gameover botnet targeted in takedown effort

An international law enforcement project to disrupt the Gameover botnet is underway.

Gameover, aka Gameover Zeus or GOZ, is currently installed on up to a million computers worldwide. The botnet is rented out for malicious purposes, including harvesting private information, sending spam email, denial of service (DoS) attacks, extortion, and distribution of various kinds of malware, including the awful CryptoLocker [1,2] ransomware.

This effort to disrupt GOZ has already been very successful: the botnet’s owners are no longer able to control clients. As for CryptoLocker, newly-infected machines can no longer communicate with their controlling servers, which means they are safe, at least for now. Machines whose files are already encrypted are not helped by the takedown: their owners must still pay the decryption ransom or lose all encrypted information.

Brian Krebs provides additional details on his Krebs on Security blog.

Update 2014Jun09: Brian Krebs has a behind-the-scenes look at what went into this takeover. To this point, the takeover seems to have been 100% effective, but the botnet developers may have more moves left.

Cryptolocker malware is getting worse

A new variant of the nasty malware known as Cryptolocker is appearing on the Internet. Cryptolocker – once it infects your computer – encrypts all your files and then demands money to decrypt them. If you fail to pay within a specified time period, your files become permanently inaccessible.

The new version of Cryptolocker can apparently spread itself via portable media such as thumb drives. It is also often disguised as a software activation program for Photoshop and Microsoft Office on file sharing sites. The original Cryptolocker typically arrived in the form of a fake PDF file.

Disguising Cryptolocker as a software activation program is a particularly devious way to spread the malware. Every day, thousands of people who can’t afford the massively overpriced Office and Photoshop look for alternative ways to use that software, and now those people are going to be risking more than the ire of Microsoft and Adobe.

More holiday scam emails

SANS reports on a holiday-themed scam email showing up in inboxes recently. This one purports to be from a major retailer such as Costco or Walmart, and tries to trick the recipient into clicking a link related to a phony undelivered package.

If you receive such an email, just delete it. If you think the message may be legitimate, don’t click the link; contact the retailer by telephone or go to their official web site and contact them using information provided there.

Two posts on the SANS ISC blog dig into the technical details of this scam.

Canada’s new anti-spam law

Canada is late to the game when it comes to anti-spam laws, but with the recent passing of the “Canadian Anti-Spam Legislation” (CASL), it’s about to get a lot harder for spammers to do their work here (yes, I’m in Canada).

As with other anti-spam laws, the focus of CASL is consent. The following activities will become illegal with the new law: sending a commercial electronic message to a recipient without the recipient’s consent; installing software on a recipient’s computing device without their consent; and altering electronic messages during transmission without the recipient’s consent.

Other activities that will become illegal with the new law include: collection of personal information through access to computing devices; and harvesting electronic addresses from the Internet through automated methods for the purposes of building bulk email recipient lists.

There is no set timeline for enforcement of CASL to begin, but it should be within a few months, and certainly by the end of 2013. Once the law becomes official (comes into force), immediate compliance is expected. However, there will be a three-year transitional period during which consent may be assumed for existing relationships.

Several different agencies will be involved in enforcement of the new law: the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner.

Additional highlights:

  • Any commercial electronic message is assumed to be illegal, although there are exceptions.
  • Potential recipients of commercial electronic messages cannot be added to recipient lists automatically. Explicit consent to receive such messages must be given by the potential recipient. In other words, commercial email list subscription must be “opt-in” instead of “opt-out”.
  • Software must not be installed automatically on customer computers. This part of the law is meant to curtail the forced installation of unwanted software along with other (wanted) software.

The new law will present serious challenges to commercial organizations, so it would be wise for all such organizations to begin assessing its impact immediately. Penalties will typically take the form of very steep fines: up to ten million dollars.

An official FAQ for the new law is available.