April 2008   
 
 

TECHNICAL INSIGHT: THE STATE OF SPAM


New Trends in Spam—Vishing, Entourage, and More

By Nick Kelly,
McAfee® Avert® Labs

McAfee's Global S.P.A.M. Experiment is just about over, and blog entries by participants offer some enlightening and entertaining banter about their experiences thus far. From winning the Chinese Lottery to amazing cures for snoring, their mailboxes have been filling up with thousands of empty promises and enticing come-ons. In the meantime, McAfee® Avert® Labs researchers have identified some interesting new trends in the world of spam, including scams that take advantage of people's unquestioning faith in the telephone.

A New Target: Microsoft Entourage
Traditionally, spam campaigns look like they originate from Microsoft Windows-based email applications or other mass-mailer applications. But lately, spammers are moving to Microsoft Entourage, the email program bundled with Office 2008 for the Apple Mac. Why should anyone care where the messages come from? It's an issue for anti-spam researchers because while we have a very good understanding of other email applications and mass-mailers, we're not yet too familiar with Entourage and how it behaves. This is important because we focus much of our efforts on identifying the ways in which spam differs from legitimate mail sent from legitimate sources.

Using McAfee's Name in Vain
A popular new scam promises income generation through YouTube. The message promotes a DVD that presumably has instructions about instant access to software that helps the customer generate extra income. To give the prospect a sense of security, there's a link in the email that will supposedly take the recipient to a "McAfee HACKER SAFE Secure page" where they enter their credit number and other personal information. In actuality, the link leads to a dangerous site that has been blacklisted by McAfee.

Here's an example of the content, bad grammar unchanged:

Get started in three simple steps:
Step 1. Click this link and you will be taken to a McAfee Hacker Safe Secure page to input your information. On page two you pay the $1.95 shipping for the DVD.

The "Click this link" text is a hyperlink that leads to the spammer's intended site.

Step 2. You instantly them have access to the software to see how easy the program is. ANYONE CAN DO IT!

Step 3. This is up to YOU. Once you see how effective the program is, you can work as little or as much as you wish. Get in on a revolution: get paid with YouTube!
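A mail filter can test the mismatch described above, where the message text names a trusted brand while the link goes elsewhere. The sketch below is an added example, not McAfee's detection logic or part of the original article; the brand-to-domain allowlist and the sample message (including the dvd-offer.example host) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: each brand maps to the domains it really serves pages from.
BRAND_DOMAINS = {"mcafee": {"mcafee.com"}}

# Constructed sample modelled on Step 1 of the message quoted above.
SAMPLE = ('<p>Step 1. <a href="http://dvd-offer.example/order">Click this link</a> '
          'and you will be taken to a McAfee Hacker Safe Secure page.</p>')

class _Collector(HTMLParser):
    """Gather all visible text plus (href, label) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host_matches(host, domains):
    """True only for the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_link_mismatches(html):
    """Return (brand, link label, host) for links that leave a claimed brand."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    body = " ".join(parser.text).lower()
    claimed = [b for b in BRAND_DOMAINS if b in body]
    findings = []
    for href, label in parser.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            continue  # malformed URL; left to other rules
        if parts.scheme not in ("http", "https"):
            continue
        host = parts.hostname or ""
        findings += [(b, label, host) for b in claimed
                     if not host_matches(host, BRAND_DOMAINS[b])]
    return findings
```

The suffix check compares whole domain labels, so a lookalike host that merely begins with the brand's domain is still reported.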

Vishing Makes It So
Because more users are becoming hip to the fact that emails containing a URL could be malicious in nature, Internet scammers are switching to "vishing" (short for "voice phishing") in order to steal user information. Vishing combines the use of Voice over IP (VoIP) phones with clever social engineering to gain access to personal and financial details of the victim by exploiting the perceived trust in traditional telephone services.

Potential victims receive a convincing email that may indicate that there is an issue with their account, but rather than being directed to a phony banking web site to resolve the pending issue, they are lured to something more credible—a phone number. When they call the "customer service" number, they are greeted with a pirated recording of an automated voice system for the targeted financial institution and are requested to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has captured enough information to commit identity theft.

Vishing Variations
Other variants of vishing use CallerID to spoof an incoming call, so that it appears to be a 1-800 number or SMS message from a bank. A text or prerecorded voice message is then played, tricking victims into believing that their accounts have been frozen due to suspicious activity. The incoming calls display a 1-800 number from a recognized institution, creating a false sense of security about the authenticity of the message.

It's likely that vishing will flourish with advancements in VoIP technology, which enables inexpensive and anonymous Internet calling. Given the ease with which CallerID displays can be tricked into providing erroneous information, it is becoming increasingly difficult to distinguish vishing attempts from genuine attempts to contact customers.

If you encounter a vishing attempt and have a question concerning your account or card, contact the financial institution by using a telephone number obtained from your account statement, the back of your card, a telephone book, or other verifiable, genuine correspondence.
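The same advice can be applied mechanically to inbound mail: pull every phone number out of a message and compare it with the numbers already known to be genuine. The sketch below is an added example, not part of the original article; the verified number, the lure terms and the sample messages are constructed assumptions, and the pattern only covers North American number formats.

```python
import re

# Assumption: numbers copied from a statement or the back of a card (constructed).
VERIFIED = {"18005550100"}

# Assumption: wording typical of the account-problem lure described above.
LURE_TERMS = ("account", "card", "suspended", "frozen", "verify",
              "suspicious activity")

PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

# Constructed sample messages.
LURE_MAIL = ("Dear customer, we detected suspicious activity and your account "
             "has been frozen. Call customer service at 1-888-555-0199 to "
             "verify your card.")
GENUINE_MAIL = "Questions about your account? Call 1 (800) 555-0100."

def normalize(number):
    """Reduce a number to digits with a leading country code 1."""
    digits = re.sub(r"\D", "", number)
    return digits if len(digits) == 11 else "1" + digits

def vishing_indicators(body, verified=VERIFIED):
    """Report unverified callback numbers and whether the lure is phone-only."""
    numbers = {normalize(m.group()) for m in PHONE_RE.finditer(body)}
    unverified = sorted(n for n in numbers if n not in verified)
    lures = [t for t in LURE_TERMS if t in body.lower()]
    has_url = bool(re.search(r"https?://", body, re.I))
    return {
        "unverified_numbers": unverified,
        "lure_terms": lures,
        # Account-problem wording, a callback number we cannot verify, no link.
        "phone_only_lure": bool(unverified and lures and not has_url),
    }

if __name__ == "__main__":
    print(vishing_indicators(LURE_MAIL))
    print(vishing_indicators(GENUINE_MAIL))
```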

The Fifth Third Bank Makes a Comeback
Our spam traps first caught the surge of Fifth Third Bank phishing campaigns between July 2006 and October 2006, and then again between January 2007 and March 2007. You would think that spammers would give it up now that nearly everyone knows about it, but no. This phishing campaign is back in full force.

Our traps snared an occurrence of the campaign again on February 26, 2008. Even though the phishers have changed the content and are using newly registered domains, we found that the same old spam tool is being used to generate the email, so our generic phish rules catch them straight away.

Here's an example of the campaign message:

Dear Fifth Third Bank customer,
Fifth Third Customer Service requests you to complete Commercial Banking Online Form. Completing the form is mandatory and must be done as soon as possible.

Click on the link below to start completing Commercial Banking Online Form: Commercial Banking Online Form

Please do not reply to this email.

Keep Fighting the Good Fight
As always, staying informed and aware of new spam scams and how they operate is half the battle. The other half is making sure your systems and networks have adequate web and email protection from the gateway to desktops that includes regularly updated anti-spam technology. Of course, we at McAfee Avert Labs are always looking out for you by keeping a constant watch on new trends in spam and other threats. Check our blog frequently for up-to-the-minute discoveries: http://www.avertlabs.com/research/blog/index.php.
Once the McAfee Global S.P.A.M. Experiment is completed and results have been gathered, the findings will undoubtedly shed more light on spamming techniques and topics. Stay tuned for more in coming issues of McAfee Security Insights.

 

 

 
