Hotmail Adds More Spam Blocking and Management Features

October 16, 2011

Microsoft has announced plans to introduce better spam blocking functionality by the end of the year. Building on the series of spam-fighting technologies the Hotmail team has already rolled out this year, Microsoft says the upcoming tools will target “gray mail”, defined as email that isn’t necessarily spam but that you personally don’t want to receive.

New features include:

Changes to the Sweep feature. Sweep gave users the ability to move messages in bulk from one mailbox to another based on preset criteria. Now, you can schedule clean-ups and mass delete messages.

Better newsletter filtering. A new filtering feature will automatically identify inbound newsletters and put them into a folder which can be deleted. Users can also use this feature to get removed from mailing lists and block additional newsletters by selecting Unsubscribe, which triggers a Hotmail notification to the company asking them to remove you from their email list.

Enhanced folder management. This feature will allow users to create and apply their own categories to individual email messages inline, as opposed to the current two-step process. Users will be able to right-click on a message to rename, delete, empty or mark as “unread.”

Better Housekeeping. Users will be able to set auto-delete parameters on old emails (for example after 10, 20 or 30 days), and they will be able to choose whether to keep a whole thread of emails or just the last message from the sender.

Keep high priority emails on top.  You will be able to flag messages and have them stay at the top of your inbox no matter how many new emails come in.

Make real-time choices. You will also be able to see buttons for common email tasks when you hover over a message. This allows you to delete, flag, sort, etc. in one step rather than two. You will also be able to customize the buttons you see, or turn off the ‘Instant Action’ feature.

“Back in the day, Hotmail was the number one. But we lost our way a little bit. Gmail came on board, and suddenly we were getting things like storage all wrong, and not really focusing on users as much as we should, piping quite a few advertisements into Hotmail and not putting good enough controls around spam. We really are [now] focusing heavily on making the fundamentals — the non-glamorous stuff like spam protection, privacy, security and performance — are all best in class,” Mark West, Microsoft product marketing manager for Windows Live, told ZDNet UK.

There’s something to look forward to.



Commtouch’s Internet Threats Q2 Trend Report Another Sobering Read

July 22, 2011

Bad news always outweighs the good when talking about online security, and a new report from Commtouch just underscores this point.

The good news is that spam volumes are down nearly 30%, to a measly 113 billion a day, thanks to the takedown of the Rustock botnet.

That includes a downturn in pharmacy spam, though this category still represents 24% of all spam.

The bad news on the spam front is that spammers are now using compromised email accounts – so expect more spam coming from friends and family’s accounts.

Additionally, the report found that zombie activity skyrocketed, with an average turnover of 377,000 new zombies per day targeted at sending malware and spam. This represents a 68% increase over zombie volumes in the first quarter of the year. India remains the top zombie-producing country, now hosting 17% of the global zombie population, followed by Brazil and Vietnam.

Whether or not you think of pornography as ‘dirty’, the websites hosting porn really are dirty. Pornography and sexually explicit content sites rank highest in the most-likely-to-contain-malware contest, followed by parked domains and portals.

Education websites, interestingly enough, come in fourth place for categories infected with malware, ahead of entertainment and business. This may be because scammers are smart enough to suspect users will be less cautious on educational sites, or the reason may be that educational sites aren’t very well protected and make easy targets.

The bottom line

Criminals continue to increase the number and creativity of their exploits; letting your guard down for even a moment increases the likelihood that you’ll be their next target.


Responding to Spam Volumes, Hotmail Adds “My Friend’s been Hacked” Feature

July 21, 2011

Sending spam from legitimate users’ email accounts has become rampant as spammers switch from using botnets. This week alone, I’ve received spam sent via my mother’s and two friends’ email accounts – and received frantic calls asking how to fix the problem. Read more on fixing the problem later in this blog.

To address the nearly 30% of Hotmail spam generated through compromised accounts, Microsoft has launched a new feature in Hotmail. Called “my friend’s been hacked” and found under the “Mark as” dropdown, it lets friends report compromised accounts directly to Hotmail with a simple click.

Microsoft’s Dick Craddock explains that “when you report that your friend’s account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked. It turns out that the report that comes from you can be one of the strongest “signals” to the detection engine, since you may be the first to notice the compromise.”

Once Hotmail has marked the account as compromised, two steps are taken:

  • The account can no longer be used by the spammer
  • You (or your compromised friend) are put through an account recovery flow that helps them take back control of their account.

What’s really cool about the work the Hotmail team has done is that it can be used to report problems with accounts hosted by other email providers as well. So for example, Yahoo! or Gmail receives a notice from Hotmail if one of their users’ accounts has been compromised and can take action.

Additionally, the Hotmail team has recognized that weak passwords are a large part of the problem – it’s just too easy for spammers to hack flimsy passwords. To address this, the service will soon roll out a new feature requiring stronger passwords. If you’re currently using a common password, you may be asked to strengthen it in the future.

Changing spam tactics

The takedown of the Rustock botnet dealt a telling blow to spammers and dropped spam volumes by almost 30% overnight (see Kudos to MSFT for Strangling the Rustock Spambot), and it highlighted a vulnerability in the botnet approach. Not only did spammers have to pay to rent the botnets, their distribution method could be shut off in one well-researched swoop.

A report out this month by Commtouch explains this shift in tactics, saying: “The move away from botnet spam can be attributed to the use of IP reputation mechanisms that have been increasingly successful in blacklisting zombie IP addresses and therefore blocking botnet spam.

The blocking of spam from compromised accounts based on IP address is more difficult for many anti-spam technologies, since these accounts exist within whitelisted IP address ranges (such as Hotmail or Gmail).

One of the primary aims of the larger malware outbreaks and phishing attacks of this quarter is therefore to acquire enough compromised accounts to make spamming viable. The catch for spammers: While spam from compromised accounts is less likely to get blocked by IP reputation systems, the volumes that can be sent are lower due to the thresholds imposed on these accounts. This at least partially accounts for the lower spam volumes seen this quarter.”
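The trade-off the Commtouch report describes, as an added example (not code from the report, from Hotmail or from any mail provider): an IP-reputation check passes mail from a compromised webmail account because its source address sits in a trusted range, while a per-account sending threshold still catches the burst. The addresses, account names, one-hour window and 100-recipient limit are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# All addresses, accounts and limits below are constructed for illustration.
BLOCKLISTED = {ipaddress.ip_address("203.0.113.45")}        # known zombie IP
TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # webmail outbound pool

# (seconds since start, sending account, source IP, recipient count)
EVENTS = [
    (0, "bot@zombie.example", "203.0.113.45", 50),
    (10, "alice@webmail.example", "198.51.100.7", 2),
    (20, "mom@webmail.example", "198.51.100.9", 40),
    (50, "mom@webmail.example", "198.51.100.9", 40),
    (80, "mom@webmail.example", "198.51.100.12", 40),
    (4000, "alice@webmail.example", "198.51.100.7", 3),
]


def ip_verdict(ip_text):
    """IP-reputation decision: block listed zombies, allow trusted ranges."""
    ip = ipaddress.ip_address(ip_text)
    if ip in BLOCKLISTED:
        return "block"
    if any(ip in net for net in TRUSTED_RANGES):
        return "allow"
    return "unknown"


def accounts_over_threshold(events, window=3600, max_recipients=100):
    """Return accounts whose recipient total inside a sliding window exceeds the limit."""
    recent = defaultdict(deque)  # account -> (time, recipients) still inside the window
    totals = defaultdict(int)    # account -> recipients inside the window
    flagged = set()
    for ts, account, _ip, rcpts in sorted(events):
        queue = recent[account]
        queue.append((ts, rcpts))
        totals[account] += rcpts
        # Drop sends that have aged out of the window.
        while queue and queue[0][0] <= ts - window:
            totals[account] -= queue.popleft()[1]
        if totals[account] > max_recipients:
            flagged.add(account)
    return flagged


def classify(events):
    """Apply IP reputation first, then the per-account volume threshold."""
    passed_ip = [e for e in events if ip_verdict(e[2]) != "block"]
    flagged = accounts_over_threshold(passed_ip)
    result = {}
    for _ts, account, ip, _rcpts in events:
        if ip_verdict(ip) == "block":
            result[account] = "blocked by IP reputation"
        elif account in flagged:
            result[account] = "passed IP check, flagged by account threshold"
        else:
            result.setdefault(account, "delivered")
    return result


if __name__ == "__main__":
    for account, outcome in classify(EVENTS).items():
        print(f"{account}: {outcome}")
```
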

What to do if your email account is hacked

  1. Check your security. Most hackers collect passwords using malware that has been installed on your computer or mobile phone. Be sure your anti-virus and anti-malware programs are up to date. Also be sure that any operating system updates are installed. See my blog Are You a Malware Magnet? 4 simple steps can make all the difference.
  2. Change your password and make it stronger after your anti-virus and anti-malware programs are updated. Learn how to create stronger passwords in my blog Safe passwords don’t have to be hard to create; just hard to guess.
  3. Practice greater safety online.
    1. Learn to spot spam and scams.
    2. Secure your home’s wireless network.
    3. Avoid logging into accounts when using public wireless networks – you don’t know if these are safe or compromised. See my blog Like Lambs to the Slaughter? Firesheep Lets Anyone be a Hacker.
    4. Validate the legitimacy of any program/game/app before downloading it. See my blog Windows Getting Safer, but Study Finds that 1 of Every 14 Programs Downloaded is Later Confirmed as Malware.


Will Spam Volumes Drop as Cybercrooks move to Targeted Attacks?

July 18, 2011

A new Cisco report highlights shifting patterns in cybercriminal exploits as crooks hone their tools and hone in on you.

The good news? Unsophisticated mass spam exploits are receding. According to the report, daily mass spam volumes dropped by 80%, from 300 billion messages in June 2010 to 40 billion last month. Unfortunately, this is not due to prophecies of eradication through technical solutions being fulfilled; it’s because the financial returns from mass spam/e-mail attacks declined by over 50 percent, from $1.1 billion in June 2010 to $500 million in June 2011.

In other words, mass spam is an outdated business model, and state-of-the-art criminal businesses have adapted to focus on greater returns for their investments.

Today, the real money is in targeted, personalized attacks.  The report found that in the last 12 months, spear phishing attacks have increased threefold; personalized scams, malicious and targeted attacks have all risen fourfold, and a good phishing campaign can net at least 10 times the profit of a mass spam attack.

This spam vs. spear phishing table makes it easy to see why targeted attacks carry a much higher return on investment, particularly as law enforcement agencies and large email carriers are coordinating their focus on mass spammers.

Though the costs of spear phishing are estimated to be five times greater per targeted user than a mass attack, cybercriminals are balancing priorities – is it better to infect more users or to keep attacks small enough to avoid notice by security vendors? By targeting high-income earners and business users with corporate bank accounts, cybercrooks are ensuring they see a stronger return on their lower infection rates. This is why, according to the report, the average value per victim can be 40x that of a mass attack. Balancing this against the greater acquisition cost, the profit from a single spear phishing attack can still be more than 10 times the profit of a mass attack.

Financial Impact to legitimate companies and individuals

Cisco estimates the cost of targeted attacks to organizations to be $1.29 billion annually. This cost is split into three key buckets – the actual financial loss, the cost of remediation, and the cost of repairing the company’s damaged reputation. Cisco calculates that for every $1 lost due to infected users, enterprises spend an additional $2.10 for remediation and $6.40 for reputation repair. To learn more see the Cisco Cybercrime Return on Investment Matrix.

The biggest risk of victimization comes through misplaced trust

Criminals have learned that they don’t need to break down the security barriers of a company (or home), they just need to fool one person into trusting them once. One mistake. One person who followed their natural inclination to trust, who was too rushed to take the time to check the facts, or who believed the fake evidence put before them.

“Miscreants are continuing to find new and creative ways to exploit network, system, and even human vulnerabilities to steal information or do damage,” says John N. Stewart, vice president and chief security officer for Cisco. “The challenge is that we need to block their exploits 100% of the time if we are to protect our networks and information. They can be right once; we have to be right all of the time. We need to be ever vigilant in our efforts to protect our assets, information, and ourselves online.”

What this means for protecting yourself and your company

To avoid falling victim to malicious targeted attacks, every computer and smart phone used must have strong, up-to-date security software in place. This should go without saying but unfortunately, the vast majority of personal computing devices remain unprotected or their protection is not up to date.

While this lack of security would seem to only threaten individuals, many employees use their personal computers/phones to perform work tasks at least some of the time, thereby exposing their companies through these devices as well. Additionally, it’s critical to understand that security software alone will not protect you, your devices, home network, or workplace from threats you introduce by falling for a criminal’s exploit.

Every user must be trained to identify malicious links, spear phishing scams, dangerous downloads, and suspect connection points. This training has to be so well instilled that family members or employees who are rushed, focused on something else, or in some way distracted, will still make the right choices and avoid the scams. Yet as Stewart pointed out, making the right choice 95% of the time isn’t enough – a 5% failure rate is more than enough wiggle room for a cybercrook.  The right choice needs to be made 100% of the time.

What are you doing to train yourself, your family, your employees, or your students?

Criminals’ biggest advantage is that most companies (large and small) aren’t providing much in the way of training – see my blog Small Businesses Don’t Think They are Cybercrime Targets – That Puts YOU at Risk. Very few families are providing (or receiving) this level of training, and educators aren’t training our next generation of users (see Educators Lack Training; Don’t Teach Online Safety).

We can either continue our present course – sticking our heads in the sand and leaving our rear ends exposed to whatever exploit comes along – or we can accept the fact that education and skills training are critical components of a secure online environment and fund these initiatives. To fund these initiatives will require more than lip-flapping. Companies who are cutting back on training expenses have to reinvest. Families and individuals have to stop playing pass the buck and take the time to teach themselves, and schools whose budgets have been decimated are going to have to figure out how to teach online safety, security and privacy in a holistic, skills-driven manner.

It’s a lot to swallow and requires a unified effort, but the options are even less attractive.


For more on the internet’s criminal landscape see:

  1. A good decade for cybercrime (McAfee)
  2. Identity Theft Statistics 2010
  3. How Much Does Identity Theft Cost? [INFOGRAPHIC]
  4. Cyber crime: a clear and present danger
  5. Internet security threat report (Symantec)
  6. Social Engineering Bigger Risk to Your Online Safety than Malware
  7. Windows Getting Safer, but Study Finds that 1 of Every 14 Programs Downloaded is Later Confirmed as Malware
  8. Symantec Delivers Threat Report and Excellent Tools that Explain Risks to Consumers
  9. Every 3 Seconds an Identity is Stolen – Don’t Be Next
  10. Are You Sure Your PC is Malware Free??
  11. Are You a Malware Magnet? 4 simple steps can make all the difference

Why Criminals Love Short URL’s

April 11, 2011

A newly released Symantec Internet Security Threat Report shows why the (mis)use of short URL codes has become one of criminals’ favored methods for distributing malicious code to unsuspecting consumers.

Using a compromised profile, criminals post links to malicious websites so the links will appear in their friends’ news feeds – and because these links have been shortened, it is even harder for recipients to identify the actual destination of the URL. During a three-month period in 2010, nearly two-thirds of malicious links included in news feeds observed by Symantec used shortened URLs, and 73% of these URLs were clicked on at least 11 times each. Thirty-three percent received between 11 and 50 clicks. And only 12 percent of the links were never clicked.

Learn how to avoid short URL scams by reading my blog Short URL Scams – Avoid the Traps, Report the Spammers, and consider using the New Secure Short URL Service from McAfee.


McAfee Sets Spam to Music

April 2, 2011

In a new twist on teaching consumers how to identify spam, McAfee has just released 5 Spam-Cappella videos featuring singers using the text found in various spam as their lyrics. If it helps teach spam awareness, I’m for it – though you won’t find me singing anytime soon.

For more information on how to spot and avoid spam and scams, as well as test your skills on real examples, check out the Spot the Spam section of my website.


Kudos to MSFT for Strangling the Rustock Spambot

March 27, 2011

Microsoft’s Digital Crime Unit announced the takedown of one of the world’s largest bot networks that leveraged “approximately a million infected computers” and was capable of sending up to 30 billion spam emails per day.  Researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes – a rate of 240,000 spam mails per day.

These scams included fake Microsoft lottery scams, but it appears that the bulk of the spam sent via this botnet focused on advertising counterfeit or unapproved knock-off versions of pharmaceuticals.

The Rustock spambot was officially taken offline yesterday after a federal investigation into the criminal operators behind the bot ended. The investigation began as a result of Microsoft suing the spammers. (Don’t know what a bot is? Read my post What are Bots, Zombies, and Botnets?)

Here is an excerpt from Microsoft’s blog post:

Botnets are known to be the tool of choice for cybercriminals to conduct a variety of online attacks, using the power of thousands of malware-infected computers around the world to send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising and much more. This particular botnet is no exception.

….Spam is annoying and it can advertise potentially dangerous or illegal products. It is also significant as a symptom of greater threats to Internet health. Although Rustock’s primary use appears to have been to send spam, it’s important to note that a large botnet can be used for almost any cybercrime a bot-herder can dream up. Botnets are powerful and, with a simple command, can be switched from a spambot to a password thief or DDOS attacker.

Again, DCU’s research shows there may be close to 1 million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer’s owner even aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a website booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discreetly that owners often never suspect their PC is living a double life.

It’s like a gang setting up a drug den in someone’s home while they’re on vacation and coming back to do so every time the owner leaves the house, without the owner ever knowing anything is happening. Home owners can better protect themselves with good locks on their doors and security systems for their homes. Similarly, computer owners can be better protected from malware if they run up-to-date software – including up-to-date antivirus and antimalware software – on their computers.

Finally, we encourage every computer owner to make sure their machine isn’t doing a criminal’s dirty work. If you believe your computer may be infected by Rustock or other type of malware, we encourage you to visit for free information and resources to clean your computer.

What this means to you

You must protect your internet connected devices. Unlike your toaster, the internet is not a plug-it-in-and-go experience.

  • It requires installing or turning on security software on your devices – and then setting the software to auto-update so it keeps your safety level current.
  • It requires creating strong passwords to log in to the computer.
  • It requires ensuring any WiFi connection is password protected.
  • It requires changing passwords periodically.
  • It requires getting educated on how to avoid scams, spam, and protect your privacy.

It also requires that you step up to your civic duty of protecting others. An infected device is the digital equivalent of Typhoid Mary – you may not intend to send infected documents, or be part of a botnet spewing spam and scams, contributing to denial of service attacks, or spreading viruses, but if you haven’t taken security precautions to keep your devices clean, you are part of the problem.