Brian Krebs's "Spam Nation"

In Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door, Brian Krebs offers a fascinating look at the mass-scale cybercrime that underpins the spam in your inbox and provides an inside peek at a violent fight among its principle players. Cory Doctorow reviews.

Read the rest

Google Maps' enduring security holes put businesses at risk


It's been more than a year since a series of high-profile articles demonstrated that Google Maps' crowdsourcing function can be used create new listings, alter existing business listings, and even create fake Secret Service offices that real-life cops end up calling.

Read the rest

Russia's army of paid astroturfers message-bomb western coverage of Ukraine


A set of documents leaked by a group identifying itself as Russian hackers purports to be training materials for Russian psyops agents who were paid to make favorable comments about Russia's position in Ukraine on western media websites. The group of fake commenters, called the Internet Research Agency, is based in Saint Petersburg, and its operatives were ordered to maintain multiple commenter identities based on certain archetypes, and to post a minimum quota of pro-Russia messages every day. Included in the documents are per-site strategy notes for preventing moderators from erasing messages (for example, on Worldnetdaily, do not use "vulgar reactions to the political work of Barack Obama.")

These tactics are familiar ones. Rebecca MacKinnon's indispensable book Consent of the Networked describes the Chinese government's "Fifty Cent Army," each paid 0.5RMB per message pro-government postings. And of course, the 2011 HB Gary leak revealed the existence of a US Air Force RFP seeking "persona management" software that would let US psyops operatives maintain up to 20 fake identities from which to post pro-US messages on Arab-world websites.

Read the rest

Comment-spammers threaten to sabotage their victims through Google Disavow if the evidence of their vandalism isn't removed

Tim got an email from someone trying to get rid of comment spams -- ever since Google started punishing sites that left comment spam on blogs, this has been going on a lot. When Tim told the guy to buzz off, he threatened Tim with sabotage by means of Google's "Disavow" tool, growing progressively more abusive as Tim stood his ground.

Read the rest

Orange UK plumbs the depths of insulting, stupid marketing, finds a new low


I had the above-reproduced SMS exchange with a bot from my horrible mobile phone carrier, Orange UK (now called "EE" after the high-pitched noise my incipient aneurysm makes whenever I have to deal with them, and because vowels) today. They have "good news" -- I have been subscribed to "special offers" from "great brands" via SMS. And I can opt out. Except, surprise, it takes three weeks to process these opt-outs.

Not sure what I should do apropos of any "great brands" who pay Orange to spam me in the runup to Christmas: maybe just name-and-shame them here? Any other ideas?

Rise of predatory, parasitic spambooks


Charlie Stross considers the confluence of bookspam; Turing-complete, Javascript enabled ebooks, and auctorial disappointment and posits a hostile ecosystem of parasitic ebooks who go around devouring the competition.

Read the rest

The Internet Police: How Crime Went Online, and the Cops Followed


Nate Anderson is one of my favorite Ars Technica writers -- always thorough and always evenhanded, but never shrinking from venturing an opinion or trying to put individual incidents in the context of the wider Internet. His new book, The Internet Police: How Crime Went Online, and the Cops Followed, is a brisk, eminently readable, and important history of the relationship between law, law enforcement, and the net, and as you'd expect, it's excellent.

Read the rest

Where Twitter spam-accounts come from

A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).

Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."

Read the rest

Bestiary of unimportant envelopes that look important


The Evil Mad Scientist folks have compiled an annotated bestiary of junk-mail envelopes that are camouflaged to look like important correspondence. It's a fascinating study in meatspace spam.

Often times, these envelopes are quite well done. Above is an example that might cause a genuine double take— with its “FINAL NOTICE ENCLOSED“ — and bank-PIN style tear tabs on the sides...

And then, there’s the fine print, so that you really take it seriously. A $2,000 fine or 5 years imprisonment(!) are threatened under §1702 should you fail to deliver this fine specimen of junk mail letter to its intended victim. (This penalty is true but somewhat misleading; the law refers to obstruction of mail in general, not this “final notice” in particular.)

Envelopes That Claim to be Important

Corporations are people, so the city of Seattle can't have an opt-out policy for spammy phonebooks no one wants


Jeff sez,

Seattle will spend $500,000 to settle a lawsuit it lost with phonebook companies over its sensible opt-out program for residents.

Beginning in May 2011, Seattle began allowing residents to opt out of unwanted phonebook deliveries. The program was so popular, the city reports that more than 2 million pounds of paper are saved annually as a result. The phonebook companies sued the city and lost, but won on appeal. The city has chosen not to appeal to the Supreme Court.

The phonebook companies alleged in their complaint that the phonebook ordinance, 'denies [their] rights guaranteed by the First and Fourteenth Amendments to the United States Constitution.'(free speech and due process). If not for the legal concept of 'corporate personhood', the phonebook companies wouldn't be able to sue Seattle to assert Constitutional rights originally written only for people.

Rather than ask the question, 'are the phonebook companies people?'and 'do they have the right to free speech?'the courts have focused largely on whether the content in the phonebooks (advertisements and phone listings) represent free speech which can't be regulated or commercial speech, which can be.

The companies claim, 'The First Amendment to the United States Constitution prohibits government from -- enforcing the desire of citizens to avoid communications [and] from prying into citizens' preferences regarding communications they seek to avoid.'

Corporate Personhood to Cost Seattle $500,000 to Settle Phone Book Lawsuit (Thanks, Jeff!)

(Image: Seattle Phone Book Spam, a Creative Commons Attribution (2.0) image from edkohler's photostream)

Music industry hates anti-spam laws

Michael Geist sez,

The business opposition to Canada's anti-spam and spyware legislation has added an unlikely supporter: the Canadian Recording Industry Association, now known as Music Canada. The organization has launched an advocacy campaign against the law, claiming that it "will particularly hurt indie labels, start-ups, and bands struggling to build a base and a career." Music Canada is urging people to tweet at Canadian Heritage Minister James Moore to ask him to help bands who it says will suffer from anti-spam legislation.

Yet Music Canada's specific examples mislead its members about the impact of the legislation. It wrongly claims that bands and labels won't be able to contact venues or stay in contact with fans. To top it off, the industry that introduced lawsuits against individuals for file sharing (CRIA members first commenced such actions in 2004) and brought us the Sony Rootkit debacle is now concerned with lawsuits against its own members for failing to abide by an anti-spam and spyware law.

Is the Road to Music Success Paved with Spam? Canada's Music Lobby Apparently Thinks So spam,copyfight,corruption,canada,corporatism

YouTube confiscates 2 billion views from Universal and Sony

Universal and Sony Music have both had their YouTube view-counts and channels drastically cut by YouTube. A spokesman for YouTube was cryptic about the slashing, saying "This was not a bug or a security breach. This was an enforcement of our viewcount policy." The DailyDot repeats speculation from Black Hat World ("a forum where users trade tips about unethical search engine optimization tactics") where users have suggested that the entertainment giants got their ears pinned back after they were caught buying fake "likes" and "views" from a crooked botmaster.

Sony/BMG was the second largest sufferer, dropping more than 850 million views in one day, bringing its total number of views to a mere 2.3 million. RCA, which got off scot free by comparison, dipped 159 million views. Its tally now sits more modestly at 120 million views.

In addition, each label's YouTube archives are now surprisingly thin. UMG, which had long held a heavy hand in YouTube operations, now only boasts five videos on its YouTube channel, none of which are actual songs—and none of which last more than 1:23.

Sony's page, by comparison, is currently empty. The company did not respond to the Daily Dot's request for comment.

YouTube strips Universal and Sony of 2 billion fake views [Chase Hoffberger/Daily Dot] (via Reddit)

Spam kingpin chatter

Security researcher Brian Krebs picks out some choice exchanges out of a dump from an elite Russian spammer message-board, and suggests that this contains clues to the identities of the world's most prolific spammers.

“Everything is all right with John. We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks. He got squeezed [arrested/questioned] once very badly some time ago. Now he is all clean. His friend – SP – screwed him and also is not working with stocks now. Rin is in total shit. He is going to be in jail (or he is going to be hiding) for a long time. He calls me pretty often, so he is alive so far. I am helping his wife with money from time to time.”

The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:

“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”

Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.

A Closer Look at Two Bigtime Botmasters

Kill robocalls, get paid

If you hate robocalls and love money, the FTC wants to hear from you. They're offering a $50K bounty for practical robocall-killing technology. Details at robocall.challenge.gov. Cory

Spam of the day

In reply: