[Olpc-sysadmin] Spam targeting of Robert Fadel?

Chris Leonard cjlhomeaddress at gmail.com
Mon Sep 15 11:30:44 EDT 2008


I noticed a new sysadmin queue ticket opened by Robert Fadel.
http://rt.laptop.org/Ticket/Display.html?id=20714

I didn't want to reply on the ticket directly, but it may be important that
he be cautioned about handling these messages.

What he is seeing seems to be an example of "backscatter spam".
http://spamlinks.net/prevent-secure-backscatter.htm

Essentially, the spammer forges the mail headers and sends a spam message
(sometimes even to an invalid address) so that a bounce message is generated
by a system other than the spammer's.  This ricochets the spam message off
of one server and then sends it back (in the form of a bounce message) to
the real target (the forged address).  This is an attempt to defeat
trust-based filtering mechanisms.

Robert should be very careful with these messages.  Increasingly these
days the point of spam messages is as a malware infection attempt.  An
attempt is made to trick the user into taking an action (clicking on an
embedded link or opening an attached file) that will lead to a malware
infection by exploiting one of many common vulnerabilities.  Backscatter
spam is a somewhat more advanced form of "social engineering" because even
users that are savvy enough not to take such actions when a message comes
from an unknown address can be confused by the familiar or trusted names of
the servers generating the bounce messages.

Robert in particular needs to exercise caution because, as someone publicly
associated with the finance function, he is a prime target for a
"spear-phishing" attack.  There is even a special term for a spear-phishing
attack targeting executives: they are called "whaling attacks".  These
attacks tend to be even more sophisticated than the usual malware efforts
and often deliver keylogging trojans in hopes of getting
identity-theft-enabling information from a high-net-worth individual.
Furthermore, the malware writers seem to be saving their best efforts for
this sort of attack, sometimes using new malware programs for the first time
ever in such attacks.

http://www.theregister.co.uk/2008/04/16/whaling_expedition_continues/

I have personal experience with exactly this sort of whaling attack: the
CFO of my NASDAQ-listed company was targeted (what appeared to be an IRS or
tax-related message with an attachment) and tricked into infecting his
laptop with malware that was so new that TrendMicro did not yet have a
profile to scan for it.  Fortunately, he quickly realized something was
amiss and we isolated his laptop from the network, isolated the malware
itself (which was not detected by his antivirus software!) and by the end of
the day we had a brand-new profile from our antivirus vendor.

The issue of spam is rapidly moving from inconvenience to major security
threat, and educating users is an important element of the defensive network;
please feel free to pass this message along to Robert Fadel.  It may be that
the MIT Media Lab (OLPC's "ISP") should review the anti-spam situation; it's
been commented on with regards to the RT queue (in various other tickets).
I made a switch several years ago to a significantly improved anti-spam
solution that I am very happy with, and I'd be happy to share my experience with
OLPC.

Chris Leonard (cjl)
OLPC Support Volunteer and veteran of the Spam Wars.
cjlhomeaddress at gmail.com


aka

Chris Leonard, Ph.D.
Chris.Leonard at memorypharma.com
Director, Translational Research & Technology
Memory Pharmaceuticals Corp.
100 Philips Parkway
Montvale, New Jersey 07645
Phone (201) 802-7263
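Added example, not part of the original post or of OLPC's mail setup: a small Python check of the kind an incoming-mail filter could run to tell a genuine bounce from backscatter of the sort described above. It parses a delivery status notification (the multipart/report format bounces use), pulls out the embedded original message, and accepts the bounce only if either the address it came back to carries a signature we put on our own outbound envelope sender (a simplified version of the BATV idea, not the exact `prvs` tag layout) or the original's Message-ID appears in our outbound log. The secret key, the Message-IDs, the addresses and the bounce text are all constructed for the example.

```python
import email
import hashlib
import hmac
from email import policy
from email.utils import parseaddr

# Constructed sample data: Message-IDs our own outbound MTA logged recently.
SENT_MESSAGE_IDS = {"<20080915101500.abc123@example.org>"}

# Hypothetical MTA secret; in production it lives on the mail server only.
SECRET = b"constructed-demo-secret"


def _tag(day: int, localpart: str) -> str:
    """8 hex chars of an HMAC over (day, localpart): a simplified BATV-style signature."""
    return hmac.new(SECRET, f"{day}:{localpart}".encode(), hashlib.sha256).hexdigest()[:8]


def tag_return_path(localpart: str, domain: str, day: int) -> str:
    """Sign the envelope sender used on outbound mail.

    Layout assumed here: prvs=DDDHHHHHHHH=user@domain, where DDD is the day of
    year the mail went out (a simplification of BATV, not its exact format).
    """
    return f"prvs={day:03d}{_tag(day, localpart)}={localpart}@{domain}"


def verify_return_path(addr: str, today: int, window: int = 7) -> bool:
    """True only if addr carries a tag we signed within the last `window` days."""
    local, _, _domain = addr.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs":
        return False
    tag, orig_local = parts[1], parts[2]
    if len(tag) != 11 or not tag[:3].isdigit():
        return False
    day = int(tag[:3])
    if not 0 <= today - day <= window:  # expired or future tag (year wrap ignored)
        return False
    return hmac.compare_digest(tag[3:], _tag(day, orig_local))


def original_message(dsn):
    """Return the bounced original embedded as message/rfc822, or None."""
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_bounce(raw: bytes, sent_ids, today: int) -> str:
    """'legitimate' if we can prove we sent the bounced mail, else 'backscatter'."""
    dsn = email.message_from_bytes(raw, policy=policy.default)
    if dsn.get_content_type() != "multipart/report":
        return "not-a-dsn"
    # The bounce is addressed to whatever envelope sender the original carried;
    # for backscatter that is the forged address of the real target.
    bounced_to = parseaddr(str(dsn["To"]))[1]
    if verify_return_path(bounced_to, today):
        return "legitimate"
    orig = original_message(dsn)
    if orig is not None and (orig["Message-ID"] or "").strip() in sent_ids:
        return "legitimate"
    return "backscatter"


def build_bounce(bounced_to: str, orig_message_id: str) -> bytes:
    """Construct a minimal delivery status notification (sample data, not a real bounce)."""
    return (
        "From: MAILER-DAEMON@relay.example.net\n"
        f"To: {bounced_to}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\n"
        "This is the mail system at relay.example.net. Delivery failed.\n"
        "--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; relay.example.net\n\n"
        "Final-Recipient: rfc822; nosuchuser@relay.example.net\n"
        "Action: failed\nStatus: 5.1.1\n"
        "--B1\nContent-Type: message/rfc822\n\n"
        "From: finance@example.org\nTo: nosuchuser@relay.example.net\n"
        f"Subject: (original subject)\nMessage-ID: {orig_message_id}\n\n"
        "original body\n--B1--\n"
    ).encode()


# Constructed cases: today is day 259 of the year; a forged bounce, a tagged one,
# and an untagged one whose Message-ID our log shows we really sent.
TODAY = 259
FORGED_BOUNCE = build_bounce("finance@example.org", "<forged-0001@spammer.invalid>")
TAGGED_BOUNCE = build_bounce(tag_return_path("finance", "example.org", 258),
                             "<20080915101500.abc123@example.org>")
LOGGED_BOUNCE = build_bounce("finance@example.org", "<20080915101500.abc123@example.org>")

if __name__ == "__main__":
    for name, raw in [("forged", FORGED_BOUNCE), ("tagged", TAGGED_BOUNCE), ("logged", LOGGED_BOUNCE)]:
        print(name, classify_bounce(raw, SENT_MESSAGE_IDS, TODAY))
```

The point of the tag is that a spammer can copy anyone's address into a forged header but cannot produce the HMAC, so a bounce arriving at an untagged or wrongly tagged address was provably not triggered by our outbound mail. In practice this check belongs in the MTA at SMTP time (reject, rather than accept and later quarantine), so the bounce never reaches the user's mailbox and never gets a chance to look like a trusted server's message; the Message-ID fallback covers mail sent before tagging was rolled out.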

