
About Save the Mail

We're a team of email protection enthusiasts dedicated to making email better, safer and easier to use.

Here, we cover all things email related.


Phishing
Beware Tax Time Spammers
Written by Save the Mail!   
Wednesday, 07 April 2010 00:26

With the 2010 tax deadline looming, IRS scam emails are on the rise. These emails typically claim to be coming from the IRS and offer any number of things: an unclaimed tax refund, an expedited refund, or a request for further information regarding an already filed return.

In one particular strain, reported by MX Logic at the end of last month, victims who click on any of the links within a given spam message will be infected with the Zeus Trojan. This dangerous piece of malware allows cyber criminals to turn normally safe websites into phishing sites while gathering personal data off of the infected computer.

Other variations of attack simply ask for personal information in order to steal your identity or obtain cash directly from you.

The IRS is reminding taxpayers that it does not communicate with people via email. A full guide to the IRS’ policy on email communications, scams and phishing attacks can be found here.

Check out sample IRS phishing messages here and here (courtesy of the IRS).

Last Updated on Wednesday, 07 April 2010 00:58
 


Beware iPad Scammers
Written by Save the Mail!   
Thursday, 01 April 2010 22:16

Immediately following the announcement of the iPad in late January, Apple-related spam shot up by more than 30%, but with the release now imminent and quantities limited, scams have taken on a life of their own over the last few days.

The BBB warns of a Facebook page 3,500 fans strong under the title “iPad Researchers Wanted—Get an iPad Early and Keep It” – selling a cell phone service that will charge users $10/month.

GeekSugar.com has warned consumers of spam emails that are pushing users to a site called TestitandKeepIt.com that promises a free iPad and requests your email address and password to “tell your friends.” RED FLAG. 

The caveat for all of these “offers” is that they require you to make a purchase prior to receiving your “free” iPad or they require credit card information/personal information of some sort – and at the end of the day you will NOT be getting a free iPad.

As always: if you don’t know the source, never supply personal information or money of any sort.

And of course, if it sounds too good to be true - it probably is. 
Last Updated on Thursday, 01 April 2010 22:57
 


First Haiti Relief Scam Emails Appear
Written by Save the Mail!   
Thursday, 14 January 2010 23:50

The first Haiti online relief scams have surfaced, according to a Symantec security report and an ABC News article published today.

The emails bear forged sources, including the British Red Cross and Haiti Disaster Response Agency, and ask recipients to donate to the Haiti relief effort via a Western Union money transfer.

These scams play on recipients’ emotions – someone who may not click on this message during their day-to-day activity might just fall prey to this attack due to the circumstances.

However, even these messages gave clues as to their true intent: spelling errors could be found in both, as well as the red flag “Western union money transfer” (a copy of the original scam message can be found below).

[Image: Haiti relief scam email]

As always, be wary of what reaches your inbox. A good guide to reputable ways to support the relief effort and safe places to donate online can be found here.

Last Updated on Friday, 15 January 2010 00:01
 


Joshua Perrymon Going to Name Names
Written by Save the Mail!   
Wednesday, 06 January 2010 17:23

…Joshua Perrymon being the CEO of PacketFocus who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from "Bill Gates" in October of ‘09 – and “names” exactly which email security products and services failed to stop it.

The situation, according to an article published by DarkReading yesterday, is:

“Perrymon sent his spoofed LinkedIn email -- which looked a lot like a real LinkedIn invite, except it spelled the social network "LinkedIN" in the "from" field of the message -- to a variety of users in different organizations who had agreed to participate in a test. The message read: "Bill Gates has indicated you are a fellow group member of Microsoft Security. I'd like to add you to my professional network on LinkedIn. - B. Gates."

He was able to get his spoofed message through to the recipients 100 percent of the time, and across a wide range of major email products and services in addition to the Microsoft and Cisco products, including users with GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's Email Security appliance, LinuxMail with greylisting, Opera Mail, and Mozilla Thunderbird, according to a report that he will post online this week.”

A full report will be published on Perrymon’s site later this week.

In our book, this is insanity!  In a world where 87% of all email is spam, how have we not figured out a way to address these kinds of messages?  Why are email users still at the mercy of guessing machines?

Or, perhaps the better question is, why have we not adopted the technologies that do address these attacks?? More to come as this develops.

Last Updated on Wednesday, 06 January 2010 17:31
 


It May Not be the Cover of Rolling Stone… but we’ll take it.
Written by Save the Mail!   
Thursday, 17 December 2009 17:31

Sender Validation has officially gone mainstream. We received a phone call about a week ago from a guy named Rich whose colleague had received the following message:

[Image: phishing message]

His friend forwarded the message on to him, and he googled the second sentence, “we have implemented Sender Address Verification.” Sendio popped up in the search results – a similar variation of this exists in the community invitation Sendio users send out. He picked up the phone, gave us a call, and agreed to send the message over so we could take a look.

Curious, we did a little bit of googling on our end and found that this phishing attack had been floating around all summer - targeting Verizon email users.

However, if you did happen to receive this message – hopefully you were able to pretty rapidly identify it as a phishing attempt.  HUGE red flags here included:

  • The numerous grammatical mistakes (The “Verizon Internet Team” most definitely DID NOT write this message)
  • The call to action: responding to an email with your username and password!? Never provide private contact information in the body of an email message.  In any situation where this is required, you will be taken to a secure login page.  Even in these situations, be wary of the URL: is it really a valid Verizon page?
  • The ultimatum: “Failure to do this will immediately render your email address deactivated from our database.”  Sounds pretty serious.  However, if you take a moment to really think this through – as a best business practice Verizon would NEVER do something like this.  (And if they did, the email community would surely be buzzing about it).

If any of these points snuck past you, there are a number of great articles out there that can get you up to speed quickly on the latest phishing tactics, how to spot them, and how to avoid them.

Or for a pretty fun, tactile way to digest these same points, check out SonicWALL’s phishing IQ quiz: http://www.sonicwall.com/phishing/index.html (less than 8% of test takers could spot a phish 100% of the time!)

In an ideal world, where we focused on whether the sender of a message can be trusted, these messages would never hit an email user’s inbox – but until then, we’ll be keeping our eyes and ears to the ground.

And while it may not be the cover of Rolling Stone, this shout-out to Sender Validation feels pretty good. Spammers thrive on the latest IT, culture and political trends (think “Obama” spam circa January ’08 or the Valentine’s Day attacks that hit every year in February).  And we’re just a little pleased they’re finally hopping on the Sender Validation bandwagon.

As one of our team members put it, imitation IS the sincerest form of flattery.

Last Updated on Thursday, 17 December 2009 17:48
 


Breaking news: 750,000 Wii Consoles Vanish into Thin Air
Written by Save the Mail!   
Saturday, 12 December 2009 01:09
For anybody wondering why malware and scareware attacks continue to plague PC and email users, check out this article published today by Computerworld.
 
According to the FBI, rogue antivirus scammers have collected funds to the tune of $150 million as a result of scareware sold to vulnerable PC users.  After an aggressive pop-up window attempts what looks like a virus scan and finds problems, users are encouraged to submit credit card information to download AV software.
 
* sigh *
 
These attacks are not just annoying; they are harmful and come from sources that absolutely can’t be trusted.  And the fact that they’re profitable means they won’t be going away anytime soon.
 
$150 million? We can think of any number of better uses for that money than sending it into the black hole that is these scammers.
 
150 million packs of gum!
 
15 million GI Joe dolls!
 
750,000 new Wii Consoles for the Save the Mail Team!
 
And these were truly some of our worst ideas.  For those interested, here’s a great, very short guide on how to recognize and avoid these attacks:
http://www.syschat.com/what-scareware-how-do-i-protect-5062.html
 
In the simplest terms: if you don’t know the source, don’t trust it. 
Last Updated on Saturday, 12 December 2009 01:13
 


Phishing, with a side of Swine Flu
Written by Save the Mail!   
Tuesday, 28 April 2009 21:53

I just read the following on the MSNBC web site:
(http://tinyurl.com/msnbc-phishing-swine-flu)

Phishing with Swine Flu as bait

Phishers and spammers have caught Swine Flu fever and are exploiting fears around the outbreak to try to sell pharmaceutical products or steal information, security experts said Tuesday.

The e-mail scams have a subject line related to the Swine Flu and typically contain either a link to a phishing Web site or an attachment that contains malicious code, the US-CERT said in an advisory. (Read More…)

Stuff like this reminds me how evil some people can be, and how ubiquitous email has become. Let’s be clear, these types of attacks always happen through email. Not through websites. Not through your fax machine. Not via instant messaging (IM), or SMS. These attacks don’t reach you via your cell phone, and these attacks don’t arrive via FedEx or UPS. It’s ALWAYS via email.

For the last decade companies like Microsoft, Cisco, Symantec, Google, McAfee, Trend Micro, Sonic Wall, Barracuda Networks, etc. have made (and spent) billions of dollars trying to convince us they know what they are doing when it comes to the security of our email. How much longer, and how many more exploits like this one, is it going to take before people realize that email, the original social networking application, deserves to be secured the same way Facebook, Twitter, LinkedIn, AIM, and Plaxo are secured?

Isn’t it time, once and for all, for authenticated email to take the main stage? What is everyone so afraid of? Threat free email is available, today, and is currently in use by millions of people and thousands of companies around the world.

It is time to stop the insanity. Continuing to do what you’ve always done (filtering your email) will always yield the mediocre results you are seeing today.

 


Fake Obama News
Written by Save the Mail!   
Tuesday, 20 January 2009 21:28

An article that caught my attention this morning by Brian Prince of eWeek (http://www.eweek.com/c/a/Security/Malicious-Sites-With-Fake-Obama-News-Trying-to-Build-Botnet/) details the latest in e-mail security attacks:

“Spammers are luring victims to a malicious site with false reports by President-elect Barack Obama. The spam is being sent out by the Waledac botnet, which security researchers say is a reincarnation of the infamous Storm botnet.”

These types of attacks are bound to increase until people realize, once and for all, that unauthenticated e-mail = unsafe e-mail. I feel badly for people who are falling victim to these sorts of attacks; however, the bad guys will continue to exploit the instant gratification mentality so prevalent today that causes people to open/read e-mails before they look to see from whom they are sent. Under no circumstances should anyone ever open an email from an unauthenticated sender. Until organizations and service providers, large and small, realize this fact and implement systems to enforce true person-to-person e-mail authentication, we should expect to read an ever-increasing number of stories much like this one.

 
