GFI Malware Minute weekly video feature
The GFI Malware Minute video is available for your viewing pleasure on the GFI Sunbelt Software YouTube channel (and below).
Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we find that might be of interest.
This holiday season the operators who distribute rogue security products were busy. We found ProtectShield2010, SpywareProtection, Personal Internet Security 2011, HDDLow, Scanner and DiskRepair. Those are in the FakeSmoke, FakeRean, FakeVimes and FakeSysDef families.
Alex Eckelberry blogged about a spam email that appeared to be phishing for iTunes store passwords, but actually downloaded malicious scripts. Chris Boyd, our man in the UK, wrapped up the year with a review of the high, or low, spots of malicious gaming schemes in 2010.
Tom Kelchner
A year in security: the 2010 edition
Hey look, it’s a “this is what happened this year” post. Don’t worry, I won’t be making any security predictions (because unless I’m Nostradamus I can’t tell you what’s going to happen next week, never mind in six months time) and there won’t be any flying car jokes either.
With that out of the way, let’s see some of the antics that took place and caught my eye in 2010…
January: Getting the year off to a flying start, the ukfi.gov.uk website was defaced by an Albanian hacking crew who rather enjoyed making your browser fly across the desktop while pumping out bad rap music from your speakers. .gov websites are always a prime target for individuals looking to make a statement about something, even if said statement is just usually “lol haxed”.
It’s quite a stylish defacement, I suppose.
February: The Register explored the weird and wonderful world of XBox hacking, something I’ve spent a fair amount of time poking with a stick (don’t worry, I have three lives and a continue left). We also had scareware scammers taking advantage of killer whale attacks and the trusted name of VirusTotal with various fake websites and dodgy forum posts galore. There was also a fake FBI fingerprint scanner which was designed to infect the curious. As I said at the time, question the legitimacy of any fingerprint scanner that accepts pictures of dancing bananas.
Elsewhere, the UK Conservative Party suffered a number of defacements encouraging people to vote for the Labour Party. World of Warcraft authenticators also came under attack, placing budding Leeroy Jenkins fans everywhere at risk.
At least he has chicken.
March: Continuing the whole “gamers in peril” theme, phony Playstation emulators popped up on a couple of websites that infected your computer with Trojans.
Some infected users reported Fake AV popping up after install, which doesn’t surprise me too much. I also rang the bell and yelled “Unclean! Unclean!” in an SC Magazine interview dealing with celebrity deaths and Internet shenanigans.
We also had Toolbars doing their best impression of the Elvis 68 comeback special and reminding us they can still give us a run for their money with built in phish pages.
Mock toolbars at your peril, or something. Phishers also compromised the website of The Big Issue, directing users to fake Paypal pages. There’s low, and then there’s “more low”.
April: Oh look, iPad spam on Twitter. We’d see sporadic outbreaks of “pimping stuff” on Twitter throughout the year, and the iPad was always going to be an attractive target for both scammers and victims alike. We also had Zango installers lurking on Download.com, a website belonging to a Matrix actor hacked (he was one of the shouty guys, in case you were wondering) and a big defacement on The Telegraph website which was caused by comments made on the popular TV show Top Gear. There was also a phishing education test which was, er, blocked for phishing. As good a way as any to wrap up April, methinks.
May: Everything went a little crazy in May when I uncovered a simple (yet effective) DIY Botnet creation kit for Twitter.
Told you it was simple. As with any Twitter based Botnet, the commands have to come from a public account which means it’s relatively easy to detect accounts sending commands to Bots. As a sidenote, I did find it rather humorous when a random PR firm working for a security company I’d never heard of sent me a press release proclaiming that “A DIY Twitter Botnet creation kit has been discovered”.
Thanks for the heads up! I guess…
We also saw that Facebook users will happily cut and paste JavaScript code into their browsers (no really) if asked to do so by dodgy looking websites. The old “cut and paste” method remains a constant thorn in the side of Facebook, and I doubt it’ll be going away anytime soon. Scribd put in an appearance due to over 4,500 logins being posted to a document on the site.
June: Doctor Who became a target not once but twice in the month of June, due to a combination of the series ending and the new Doctor Who game being launched. TV shows in general are great low hanging fruit for scammers, who throw together websites promising online episodes before dumping you on surveys, more surveys and…er…surveys.
The game thing was interesting – people in the UK pay a licence fee to get some BBC related action, but with the game being a Worldwide release anyone outside of the UK had to pay a small fee to obtain the game. Of course, people weren’t too happy about this and before long cracked versions started popping up online. Some of them contained nasty surprises.
There was even a version of the game uploaded to a site that required users in the UK to pay £10 plus network rates to download what would have been free for those users anyway.
Whoops.
Videogamers became targets yet again, as Fake AV peddlers poisoned search results related to treasure maps in Red Dead Redemption.
Taking a peek into Facebook land, we had fake “your account has been deactivated” emails doing the rounds which took users to phish pages and denied them access to games about cows. Bit of an odd month, really.
July: Special Zynga gifts ahoy! Also: here comes a phish. Elsewhere, we had some Justin Bieber chaos with YouTube being affected by an XSS flaw leading to overlays, scrolling text, porn redirects and – of course – a bunch of stupid surveys.
Everyone hates surveys, right? They were particularly popular when Toy Story 3 launched, with scammers setting up – what else? – fake “watch the movie” websites that pop surveys asking for personal info galore.
Selecting a kids movie then plastering it with popups asking for info that someone aged 18+ would normally be required to fill in seems all kinds of wrong, but there you go.
September: I love an oddball story, and this one was right up at the top of the oddball pile. A Greasemonkey script claiming to let users “bypass surveys” sounded fine and dandy, until you tried to download it. In order to grab it, you had to fill in a survey which is a vaguely spectacular way to go about things.
There were also websites claiming to offer a “Skype upgrade”, which of course would cost the user money to obtain. As someone in the comments notes, there are a lot of similar sites offering “updates” for Adobe products too. Steer clear of the lot of them. Games testers were promised all sorts of money, and shady websites popped up asking for lots of personal information for fake “tax rebates”. We also came across a haul of around 2,500+ logins dumped on a public facing website which appeared to be for Facebook.
Back in videogame land, the launch of Halo Reach brought a collection of horrible scams along for the ride. Flaming helmet codes, fake programs and surveys were the order of the day.
October: things seemed to be a little quiet in October, although there was a fake Twitter login page promising “new features” and pictures of semi-naked ladies all over the place. It was actually a kit designed to convince end-users to run fake Java updates and install some malware on their PCs.
Yeah, don’t go installing those things. We also had a truly awesome example of domain name confusion.
Oh, I also gave a bunch of talks (some planned, some along the lines of “Oi, get in here and join in”) at the truly excellent HacKid conference in Boston. Designed to teach kids about the joys of computers, technology and security stuff it was a rip-roaring success and I hope to see more of these next year.
Look! A flying drone thing!
November: The Bayrob Trojan rose from the grave to try and infect people with fake Kodak galleries. Bayrob is a clever EBay scam, which directs infected users to fake auctions in an attempt to take their money and run. Nasty stuff.
We also had fake Trojan removal kits that – oh no! – installed Trojans, Facebook death videos and the excellent IRISSCON, which I was lucky enough to take part in. No, I didn’t buy an Alan Wake coat. It just looks like one.
December: things tend to go a little quiet in December, because all the scammers are too busy having parties in castles and building gold plated yachts to spend time ripping us all off but a couple of interesting bits and pieces popped up regardless.
First off, some SEO poisoning courtesy of the findings at Mono Lake. There were also some of those Adobe scam sites, iTunes emails serving up exploits and a fake Amazon receipt generator designed to fool unwary sellers into sending out items to scammers.
The gag here was in trying to convince a seller to take their “refunds” outside of the safety net that is the Amazon payment system, or just simply get them to send the scammer lots of free stuff. While I’d like to think people wouldn’t fall for this, there are plenty of horror stories in search engines related to sellers going outside the system and being burnt horribly.
Buyer beware! Uh, I mean seller.
Anyway, that just about wraps up this gigantic slab of War and Peace. Assuming anyone out there is still conscious I’d like to thank you for listening to me ramble on (and on) and for reading all of the blog posts / research put together by everybody on a daily basis.
Have a great (and safe) 2011, and I shall see you on the other side…
Christopher Boyd
Fake iTunes email isn’t a phish, it’s a ‘sploit
An email making the rounds makes the innocent claim that “it is possible that your account password has been stolen”.
Expecting a phish?
Actually, no. The site serves a malicious script. Nevertheless, the exploits served are six to eight months old — CVE-2010-0886 (a Java exploit) and CVE-2010-1885 (a cross-site scripting method that exploits a vulnerability in Windows Help). Downloading the latest version of Java and ensuring you’re up-to-date on Windows patches will protect against any attack.
Alex Eckelberry
Creeper Tracker Pro creeps around on Facebook
Is it time to examine another Facebook scam?
Why yes, it is.
Located at…deep breath…99percentofgirlswouldkilltheirboyfriends(dot)info, this website takes the form of the familiar “find out who is watching you” wheeze so beloved by scammers everywhere.
Something to note: although it claims “1,601,636 people like this”, that’s just part of the background graphic (in other words, it’s completely fake). Checking out the application page tied to this one tells us they have “15,034 monthly users” which doesn’t really tally with over a million Likes, does it?
Anyway, hitting the Login button and filling in your details will prompt you to give the “application” access to your profile:
It’ll also pop one of these, which is the main reason for the elaborate trip into Shenanigan City:
Yep, it’s survey time.
Do yourself a favour, and steer clear of this one – there are quite a few comments posted to the “VIP Access” page stating that it doesn’t work.
Can’t say I’m surprised…
Christopher Boyd
U.S. outlaws “negative option” deceptive online selling
The U.S. Federal Trade Commission has issued a press release detailing the consumer protections in the Restore Online Shoppers Confidence Act just passed by Congress.
“Congress has passed the ‘Restore Online Shoppers’ Confidence Act’ to combat deceptive online sales tactics that keep charging consumers for goods and services until they cancel their membership. In so-called “negative option” plans, the seller interprets the consumer’s silence or failure to reject goods or services, or to cancel the sales agreement, as acceptance of the offer,” the release said.
The act, which was originally the Senate bill S 3386, spells out three protections for online consumers. It makes it illegal:
— for post-transaction third-party sellers to charge customers unless they spell out the terms of the transaction and get consent to charge their credit cards or bank accounts.
— for online sellers to transfer a consumer’s financial account number to a third party seller.
— for a seller to charge a consumer for goods or services using a negative option feature in an online transaction without disclosure, without consent from him and without providing a simple way to stop the charges.
This will give the FTC a law to use to stop the sleazy operators behind those mysterious charges that appear like magic on your credit card statement in the wake of some online purchases.
Tom Kelchner
What’s really in the drugs you buy over the Internet?
The “alarming variety” of chemicals includes rat poison (the blood thinner warfarin)
The U.S. Food and Drug Administration has sent a letter to manufacturers and trade groups seeking their help in preventing distribution of tainted drugs in the U.S.
Although the letter does not mention Internet sources, it’s clear that the concerns in the letter can be extended to penis pill, diet pill and Canadian pharmacy (which are really not in Canada) web sites.
The letter lists adulterants that should be enough to scare any sensible human from EVER considering buying the stuff advertised in that flood of spam email that seems to wash over all of us:
“FDA laboratory tests have revealed an alarming variety of undeclared active ingredients in products marketed as dietary supplements, including anticoagulants (e.g., warfarin), anticonvulsants (e.g., phenytoin), HMG-CoA reductase inhibitors (e.g., lovastatin), phosphodiesterase type 5 inhibitors (e.g., sildenafil), nonsteroidal anti-inflammatory drugs (NSAIDs) (e.g., indomethacin), and beta blockers (e.g., propranolol). FDA has also identified products marketed as dietary supplements that contain active pharmaceutical ingredients removed from the market for safety reasons (e.g., fenfluramine), as well as new chemical ingredients of unknown safety. Some products marketed as dietary supplements have been found to contain controlled substances (e.g., benzodiazepines and anabolic steroids).”
According to the letter, the FDA investigations have also resulted in criminal prosecutions and nearly 200 recalls:
“Where FDA investigations have discovered products marketed as dietary supplements that contain the same active ingredients as in FDA-approved drug products, analogs of such drug ingredients, or other compounds of concern, such as novel synthetic steroids, FDA has issued warning letters and conducted seizures and criminal prosecutions. FDA has also worked with industry on the recall of numerous products with such potentially harmful ingredients, including more than 70 products marketed for sexual enhancement, more than 40 products marketed for weight loss, and more than 80 products marketed for body building. The Agency has also issued consumer alerts and press announcements to warn consumers about such products.”
Tom Kelchner
GFI Malware Minute weekly video feature
The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).
Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI-Rogue Blog and anything else we think might be of interest.
This week we found a new look in rogue security products — they’re now impersonating hard drive utilities rather than anti-virus products, the new look on the GFI Labs Blog and a warning about giving permissions for scammers to access your Facebook account.
Tom Kelchner
Rogues now imitate utilities rather than anti-malcode apps
New trend in rogue security products
Since last week the rogue security products (also called scareware) that we’ve posted on the GFI-Sunbelt Rogue Blog have had a new look. Instead of impersonating anti-virus products, these new ones are claiming to be applications that fix disk errors on a victim’s machine: HDDDiagnostic, HDDRepair, HDDRescue and HDDPlus. They’re basically clones and together they are members of a new family of rogues: FakeAV-Defrag.
Of course, they actually do nothing except throw up phony warnings and demand that the victim purchase them before they “fix” the fictional problems they warn about.
FakeAV-Defrag rogues:
Since rogues began to circulate seven or so years ago, they’ve always pretended to be anti-spyware or anti-virus products, imitating the look of many legitimate anti-virus products and even the structure of their product names. In the last two months, however, it has become clear that the rogue writers are trying something new to confuse potential victims.
Earlier in December we had: PCoptomizer, PCprotection Center and Privacy Corrector. These were intended to look like some kind of generic security product – not anti-virus lookalikes.
Rogues that imitate generic security utilities
First of the “defraggers”
Last month we started seeing “defragger” clones that claimed to be disk utilities: UltraDefragger, ScanDisk and WinHDD. These pretended to find “HDD read/write errors.”
Defrag is a Windows utility that, at one time, substantially speeded up a PC’s performance by putting scattered portions of files in continuous sections of a hard drive. Pieces of files were scattered because applications opened and added to them over time and the operating system put them where there was space on the drive. The defrag utility “defragmented” the entire disk, assembling the pieces of files into continuous sections so the operating system wasn’t slowed by the reassembly process when accessing the files.
Defragmenting hasn’t been as much of an issue since PCs got faster, hard drives with much larger capacities became common and newer versions of Windows (with better file handling capabilities) replaced older versions. However, many home PC users have become aware of the defrag utility.
Rogues that impersonate defrag or disk utilities
FakeAV-Defrag family history:
11/15/2010 Ultra Defragger
11/16/2010 ScanDisk-Defragger
11/30/2010 WinHDD
12/9/2010 HDDPlus
12/12/2010 HDDRescue
12/12/2010 HDDRepair
12/13/2010 HDDDiagnostic
The Internet criminals who make money distributing these fakes are always changing their creations to evade antivirus scanners (at least for a few hours or days) and confuse their potential victims.
Unfortunately, since they’ve made the change from impersonating anti-malcode products to imitating disk utilities, they’ve taken away one source of help that Internet users could rely on: sites that list LEGITIMATE anti-malware products such as:
— VirusTotal (click on the “credit” tab)
— ICSA Labs
Most legitimate anti-malcode products should show up on one of those lists.
To avoid being scammed by rogues with the “new look” Internet users should be suspicious of any application that:
— is advertised by spam email
— pops up dire warnings that your machine is affected by numerous problems (especially immediately after you click on a web page video to view it)
— tells you that you need to update your browser (often listing a version earlier than the one you’re running.)
— demands that you make a purchase before it will clean or fix problems in your machine
Like many things, if you investigate with a web search engine you will probably find some kind of discussion of the merits (or maliciousness) of the application in front of you.
Your anti-virus application should prevent rogues from downloading and installing, however, the rogue writers change their creations frequently to avoid detection for at least a few hours or days before the AV companies get them into their signature updates. Of course they also snag Internet users who don’t use on-access protection or who do not update their scanners.
You also can search for information on rogues by typing the application name in the search box on the upper left corner of the GFI-Sunbelt Rogue Blog.
(Big thanks to Patrick Jordan)
Tom Kelchner
GFI Labs Blog changes its look
We’ve begun to change the look of the GFI Labs (formerly Sunbelt) blog and we thought we’d give our alert readers some idea of what to expect.
Last June Sunbelt Software was purchased by GFI Software and today we changed the logo on top of the blog to reflect that:
Over the next few months there will be more changes too.
Dr. Newton here will be part of the new “labs” look. He was brought to life by the creative team in the GFI marketing group in our sunny Mediterranean island headquarters on Malta.
Stephen Chetcuti Bonavita, GFI director of marketing said: “Apart from the current tweaks to this site, we are planning new GFI LABS designs, sections and features in the months to come, focusing on continually improving our offering – so watch this space!”
Tom Kelchner
Patch Tuesday coming next week
Microsoft has given advance notification that Patch Tuesday this month will bring 17 security bulletins. The company said there will be fixes for Windows (12), Internet Explorer and Windows (1), Office (2), Sharepoint (1) and Exchange (1).
Two of the bulletins are considered “critical”, 14 are “important” and one is “moderate.”
Update:
Holly Stewart wrote on the Microsoft Malware Protection Center blog that the vulnerability in Internet Explorer that was publicized in November (CVE-2010-3962) will be patched on Tuesday.
Public exploit code became available and attacks, largely on weekends, have been reported worldwide, though mostly in China and Korea.
Tom Kelchner
GFI donates software tool to Quebec’s Concordia University
GFI Sandbox will help train future security professionals
Chad Loeven, vice president of GFI’s Advanced Technology Group, this week presented an installation of the GFI Sandbox tool to the Department of Electrical and Computer Engineering at Concordia University in Quebec, Canada.
Concordia University slide show of the event
The $56,000 gift will help support graduate students conducting research in the security cluster. It will allow students to reverse engineer and safely test malware in a secure environment so they can see malicious software in action while having the reassurance that it is contained.
Loeven, who helps manage global business development and strategic direction for GFI’s partner alliances, is an alumnus of the university.
Concordia’s news release about the event: “GFI Advanced Technology Group makes major software donation to Concordia”
Tom Kelchner
Facebook: be wary of those “requests for permission”
Auto insurance site affiliate scam targets your Facebook friends
In Facebook, it is important to think about who you give access to. If you give permission to scammers, your account then becomes their spam tool. To illustrate, we followed one of those tiresome posts:
Following the link required you to give an account named “world-news” permission to:
— post messages to your Facebook wall
— access all Facebook account data
— log in AS the Facebook account owner.
Had you followed this (see below), here’s what would have appeared on your Facebook wall and on friends’ walls overnight: a post that appeared to be from your account “The earth is a spaceship” with a shortened link.
And when friends wonder why you think the “earth is a spaceship” they see the following:
And clicking on them leads to auto insurance quote sites:
But, alas, you get no information about the girl who “took her life” and your friends never find out why the Earth is a spaceship. But then the initial verification page was named “prank of the week.”
Although this is just a tired scam by somebody hoping that you’ll do business with an auto insurance site and they’ll get some commission as an affiliate, the same mechanism is available for much worse — posts containing links to sites that download some serious malcode to name one.
Thanks Matthew.
Tom Kelchner
GFI Malware Minute weekly video feature
The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).
Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Sunbelt Software Blog, the GFI-Sunbelt Rogue Blog and anything else we think might be of interest.
This week we found a fraudulent receipt generator for Amazon purchases, a Facebook phishing scheme that uses a video as a lure and a “membership” site scam that uses Adobe updates as a lure.
Tom Kelchner
Taking a look at fake Amazon receipt generators
Above, you can see a vaguely optimistic VirusTotal user summary in relation to a file that’s been doing the rounds for about a month or two. Here is the file in question:
A “receipt generator”, I hear you ask – what do people want with one of those?
The answer, of course, is rather straightforward:
This is a particularly interesting scam, as it doesn’t target regular PC users – it targets the people who sell you things, such as the merchants on the Amazon marketplace. This is what the would-be social engineer sees when they fire up the program:
They can fill in a variety of information, including Item name, Price and the date the order was taken. Additionally, it allows them to choose between the .com, .co.uk, .fr and .ca Amazon portals. When they hit “Generate”, a html file is created in the program folder which looks like this:
It’s a pretty good facsimile of a genuine Amazon receipt – I just logged into my Amazon account, hit the “Printable Order Summary” button on an old order and it’s identical to the above. Note the small details, such as “Total before tax”, “Sales tax” and other touches that make it as convincing as possible.
What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here is that the scammer is relying on the seller not checking the details and accepting the printout at face value. After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?
Some things to note for the wary seller: not only will you not have a record of these people buying your products, you should be able to confirm with Amazon that no purchase was ever made. Check the orange order number at the top, because those are randomly selected from a set of looping numbers every time the scammer clicks on the “Order Number” button – again, something either the seller or Amazon should be able to check. Finally, the program seems to add some random digits on the “Visa: payment method” section in payment information.
As you can see, the careful seller has little to worry about – many of the items in the fake printout are convincing as a whole, but once you start digging into the details a little bit it quickly falls apart. However, it seems this program has started a little wave of imitations, as evidenced by this screenshot lifted from a (now defunct) downloads portal:
Oh dear.
Anyway, it’s clear that sellers will need to keep their wits about them over the coming festive season as I can see this being a particularly popular scam for the time being. If a “customer” seems a little peculiar, ensure you take a good look at their receipt – you probably don’t want to have a Homer Simpson moment after you’ve sent three Playstations to their dropoff address.
We’ve passed the files onto Amazon, and the VirusTotal detection rate is currently 1/42 – we detect this as Hacktool.Win32.Amagen.A.
Christopher Boyd (Thanks to Adam Thomas for additional research).
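The checks the fake-receipt post above recommends for sellers (does the order number exist in your own records, do the totals and payment digits match, is the order number even well formed) as an added, runnable example; this is not code from the post or from GFI. The receipt HTML, the seller ledger and the 3-7-7 digit order-number pattern are all assumptions constructed for the example, not details taken from the post.

```python
import re
from dataclasses import dataclass, field

# Assumed order-number shape for this example (three digit groups, 3-7-7);
# the post itself only says the generator picks numbers from a looping set.
ORDER_NUMBER_RE = re.compile(r"^\d{3}-\d{7}-\d{7}$")

# Constructed sample of the kind of HTML a receipt generator writes. The
# layout is invented for this example; no real receipt is reproduced here.
SAMPLE_RECEIPT_HTML = """
<html><body>
<b>Amazon.com order number:</b> 103-8471562-2938471<br>
<b>Item:</b> Widget Deluxe<br>
<b>Order placed:</b> December 3, 2010<br>
<b>Total before tax:</b> $199.99<br>
<b>Sales tax:</b> $0.00<br>
<b>Grand total:</b> $199.99<br>
<b>Payment method:</b> Visa: 1234<br>
</body></html>
"""

# Constructed seller ledger: what this seller actually shipped. The order the
# "customer" claims to have placed is deliberately absent.
SELLER_ORDERS = {
    "104-1111111-2222222": {
        "item": "Widget Deluxe",
        "total": "$199.99",
        "order_date": "November 28, 2010",
        "card_last4": "9876",
    },
}

# Label -> value extraction patterns for the constructed receipt layout above.
FIELD_PATTERNS = {
    "order_number": r"order number:</b>\s*([^<]+)",
    "item": r"Item:</b>\s*([^<]+)",
    "order_date": r"Order placed:</b>\s*([^<]+)",
    "total": r"Grand total:</b>\s*([^<]+)",
    "card_last4": r"Payment method:</b>\s*Visa:\s*(\d+)",
}


@dataclass
class Receipt:
    order_number: str
    item: str
    total: str        # as printed, e.g. "$199.99"
    order_date: str   # as printed, e.g. "December 3, 2010"
    card_last4: str   # digits shown beside the payment method


@dataclass
class Verdict:
    ok: bool
    problems: list = field(default_factory=list)


def parse_receipt(html):
    """Pull the fields a seller would compare out of a receipt printout."""
    values = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, html, re.IGNORECASE)
        values[name] = match.group(1).strip() if match else ""
    return Receipt(**values)


def check_receipt(receipt, own_orders):
    """Compare a customer-supplied receipt against the seller's own records.

    own_orders maps order number -> the item, total, date and card digits the
    seller actually recorded. A receipt that passes here still deserves a
    confirmation with Amazon; a receipt that fails should not be acted on.
    """
    problems = []
    if not ORDER_NUMBER_RE.match(receipt.order_number):
        problems.append("order number is not in the 3-7-7 digit format")
    record = own_orders.get(receipt.order_number)
    if record is None:
        problems.append("no such order in seller records: confirm with Amazon")
    else:
        for name in ("item", "total", "order_date"):
            if getattr(receipt, name) != record[name]:
                problems.append(f"{name} differs from seller record")
        if receipt.card_last4 != record["card_last4"]:
            problems.append("payment digits differ from seller record")
    return Verdict(ok=not problems, problems=problems)


if __name__ == "__main__":
    verdict = check_receipt(parse_receipt(SAMPLE_RECEIPT_HTML), SELLER_ORDERS)
    print("accept" if verdict.ok else "reject", verdict.problems)
```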
SEO poisoning in searches for “Mono Lake”
Search engine results have been poisoned for those looking for information about Mono Lake, the California lake where NASA researchers have found a form of bacteria that uses arsenic in its DNA in place of phosphorus when it is in the arsenic-rich environment of the lake bottom.
After a few seconds, this page redirects to this:
Which tries to download 2Gcash. Another link presented by the SEO poisoning, however, leads to a site that tries to download the SecurityTool rogue.
Thanks Adam.
Tom Kelchner
This isn’t a video, it’s a phish
You might be seeing something on your Facebook wall today:
Sadly, it’s not a fun video. It’s just a phish.
The link goes to apps. facebook.com/ lookatuhah, which then redirects to a phishing site:
In other words, if you’re absent-minded enough to enter your credentials again, they will be used to then send more of these stupid fake videos posts to others — or do any of a number of other rather nefarious things.
Alex Eckelberry
Russian spam king facing charges in U.S. Federal Court
Operator of (former) 10-billion spam per day MegaD botnet charged with CAN-SPAM violation
Oleg Nikolaenko, 23, of Moscow, Russia, was due to face arraignment in U.S. Federal Court in Milwaukee today in the wake of his Nov. 16 indictment for violating the CAN-SPAM Act.
According to the complaint in the case filed by the FBI, Nikolaenko made hundreds of thousands of dollars by sending billions of spam emails advertising counterfeit Rolex watches, herbal remedies and counterfeit prescription medications.
The FBI said in the affidavit filed with the criminal complaint that they and investigators from the FTC were led to Nikolaenko as a result of investigations and arrests of U.S. resident Jody M. Smith and Australian resident Lance Atkinson for trafficking in the counterfeit watches and prescription medications. The investigation, in the U.S., Australia and New Zealand led to the MegaD botnet and Nikolaenko.
The botnet was taken down in November, 2009.
The Milwaukee Journal Sentinel carried a good story about the investigation and court action to date.
The details in the criminal complaint of the international investigation behind the charges are, oddly, a good read. They show the international nature of big Internet crime and what it’s going to take to bring down the organized groups and powerful individuals that have been evading the law and clogging our spam buckets for so long.
It’s taken law enforcement a long time to develop the investigative capability to handle such borderless high-tech crimes, but it looks like they’ve hit their stride.
Thanks to Brian Krebs of the Krebs on Security blog for posting the criminal complaint.
Tom Kelchner