Today, I'm seeing a lot of phishing and malware-infected emails in my personal spam traps spoofing Facebook's login system. There are at least three variations on this (probably many more) that I've spotted. All of them have "from" lines using "facebookmail.com" as the domain. (Note that Proofpoint's anti-spam and anti-virus features block all of these messages.)

First up, there's a message with subject line "Facebook updated account agreement" that also features a zip attachment that is surely some sort of malware. As is usual for phishing/malware email attacks, this message encourages the user to urgently "submit a new, updated account agreement", otherwise, your account will be "restricted." (Click the thumbnail at left for a full-size jpeg sample of this email. Need I stress that you should not download, unzip and run that attachment?

Similarly, I'm seeing phishing emails that have malicious links as their destination. Two different variations depicted in the thumbnails at left (again, you can click to show a full-size jpeg sample). One uses the subject line "Facebook Update Tool", the other is "new login system."

 Both emails use similar body copy that includes the following text:

Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.

Please click on the link below to update your account online now:

[malicious URL deleted]

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team 

The URLs in these messages link to fraudulent sites, of course, Recipients are advised never to click on links in email.

I sat down recently with Dave Champine, Proofpoint's product manager for our SaaS email security solutions for an extensive interview about the security of cloud computing-based solutions and the issues enterprises should consider when moving security functions "to the cloud." I'll be posting excerpts from that discussion over the next few days.

First up, Dave had some really interesting things to say about specific features that enterprises need to look for when buying "in the cloud" security solutions (or any other type of SaaS solution, for that matter). As Dave notes in this video, large enterprises have different concerns that, say, small businesses or consumers when they are looking at deploying a cloud computing-based (or SaaS) solution.

To summarize the main points that Dave discusses in the video, there are four interrelated characteristics of an enterprise-quality cloud. He describes them as:

Isolation: Look for solutions that offer both physical and logical separation of your data and the application itself from other customers. This helps to ensure that your enterprise's capacity and performance needs being met, regardless of what's going on with other customers of the same solution.

Flexibility: Look for solutions that can support the high level of complexity found in the large enterprise. For example, in the email world, large enterprises can have very complex policy environments due to regulatory requirements, best practices for data protection and corporate governance concerns. So that means being able to do things like set and enforce different email disposition policies for different business units, support secure transmission to business partners, support policy-based encryption, etc. Flexibility also means having flexibility in terms of how things are deployed (e.g., could I deploy some things "in the cloud" but leave other features on-premises).

Control:Large enterprises need SaaS solutions that let them maintain the same level of control as they would get with an on-premises solution. That includes having what Dave calls "transparency of operations," including visibility into logging, auditing and alerts so administrators can ensure that systems are operating as expected.

Distribution:Enterprises should look for cloud-based solutions that use distributed components. For example, make sure that the architecture includes geographically distributed datacenters, redundant components, etc. The goal is to go beyond the usual "five nines" availability goal and ensure 100% availability if possible. Dave suggests that enterprises should think not just about disaster recovery, but about disaster avoidance as well.

If you're interested in this topic, you'll also be interested in the next Proofpoint live web seminar, happening on Wednesday, November 18th. We'll be discussing the pros and cons of Security-as-a-Service and how next-generation SaaS solutions can actually deliver superior security, better performance and lower costs compared to on-premises approaches. To register, please visit the link below:

Like so many enterprises today, when it came time to re-evaluate its email security solution, Dakota Growers opted for a SaaS (Software-as-a-Service) solution for stopping email spam and malware. Using Proofpoint PROTECT, one of our SaaS email security solutions, provided a more better performing, more cost-efficient way for the company to deal with email secuirty issues. Dakota Growers's director of IT, Jeffrey Strang, says:

"We wanted a solution that resided outside of our own network, as we've had issues in the past with email security software impacting our hardware assets. Proofpoint PROTECT was our first experience with a SaaS solution of any kind, but given the positive results we've achieved with Proofpoint, we're actually moving to hosted solutions in other areas of our business."

As I've noted before, moving inbound email security features to the cloudis pretty much a "no-brainer" for companies of any size. By deploying Proofpoint PROTECT, Dakota Growers has radically reduced the volume of spam and virus-infected email entering its network, making employees more productive and reducing the time that IT staff spends on email security-related administration and helpdesk tasks to near zero.

If you'd like to learn more about using cloud computing to solve your organization's email security challenges, attend our next live web seminar, Wednesday, November 18th. To register, please visit the link below:

And here's a little bonus for reading this far: Apparently, the other type of spam (the canned meat product) makes a fine addition to any sort of pasta. Here's a recipe for angelhair pasta with spam cream sauce. Enjoy.

The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.

The subject line of the e-mail states: “check your Bank Deposit Insurance Coverage.” The e-mail tells recipients that, "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.”

The e-mail then asks recipients to “visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage” (a fraudulent link is provided). It then instructs recipients to “download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage.”

This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft.

The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and consumers should NOT follow the link in the fraudulent e-mail.

Good advice, of course! I took a quick look in Proofpoint's spam traps today and, indeed, these emails seem to be very widespread. (Note: Proofpoint's anti-spam solution accurately identifies all variations of these as spam.)

Subject lines I have observed for these emails include:

• FDIC has officially named your bank a failed bank
• you need to check your Bank Deposit Insurance Coverage
• FDIC alert: check your Bank Deposit Insurance Coverage

The body of these messages is all very similar and reads as follows:

You have received this message because you are a holder of a FDIC-insured bank account.

Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:

Visit FDIC website: [malicious URL removed]

Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

Federal Deposit Insurance Corporation

These emails are very similar to the "IRS Notice of Underreported Income" and "Critical Update for Microsoft Outlook" emails I've noted recently and I suspect they are an attempt to install similar malware.

In the past, this type of attack against other jobs sites (such as Monster.com) has been used to gather contact information from job seekers and then hit them with highly targeted phishing attacks (aka "spear phishing") including phony job offers and even job offers that ultimately ensnare the recipient in illicit activities including wire fraud. (See my recent post regarding the Washington Post's great expose on the operation of online job scams.)

I'd expect to see the same sort of thing in this case. All online job seekers—whatever sites they use—should be aware that having your resume posted online can put you at risk for being targeted by online job scams. But they can be fairly easily avoided by following common sense and simply being aware of how such scams work.

Proofpoint offers the following advice to consumers in order to avoid being victimized by online job, "secret shopper," wire fraud and similar scams—which are often initiated via an unsolicited email message:

• Remember, first of all, that any offer presented to you that sounds too good to be true usually is—whether it's presented via email, phone or direct mail.
  
• Simply do not respond to these sorts of solicitations. Especially do not click links presented in such emails (which may lead to fraudulent websites that attempt to install malicious software on your personal computer). Note that the latest job scam emails do not include links, asking job seekers to respond to a generic webmail account (like a gmail or Yahoo mail account).
  
• Keep in mind that anyone can place an online ad, send you an email, or post a "lure" in otherwise legitimate online forums.
  
• Never pay a company to hire you. If the employment process involves sending the employer money, it's almost definitely a scam.
  
• Do not wire money (which is the same as sending cash) to individuals unknown to you or to firms that have supposedly hired you.

We've omitted some of the super-high-profile events that you're probably well aware of by now (such as the loss of Sidekick mobile phone users' data and the subsequent efforts to restore that data, and widely-reported email delays at Google's Postini email security service) in favor of some of the stories that, while not as widely reported, provide a few "teachable moments" about email security.

In no particular order, Proofpoint highlights some of this year’s email mishaps below:

1.) Trojan Horse Empties Bank Accounts

In September, it was reported that a banking Trojan horse, dubbed URLZone, had thwarted fraud detection systems, to enable software to actually steal money while users are logged in to their accounts and display a fake balance. Victims’ computers were infected either by clicking on a malicious link in an email or visiting a Website that has been compromised with hidden malware. The Trojan also kept a log of the victim's bank account login credentials, took screenshots, and snooped on the user's other Web accounts, such as PayPal, Facebook, and Gmail.

Article here »

2.) FBI Forgery

The wife of FBI Director Robert Mueller banned him from online banking after he nearly fell for a phishing scam. Mueller received a seemingly legitimate email from what he thought was his bank, which prompted him to verify some information. He even went as far as filling out some of his personal information before realizing it might not be a great idea. He said he barely caught himself in time before falling victim to the scam. As a result, he changed his passwords and tried to pass the incident off to his wife as a “teachable moment.” However, that did not stop Mrs. Mueller from sanctioning Mr. Mueller’s online activities.

Article here »

3.) White House Adopts Spammer Tactics

In August, the White House emailed thousands of messages to Americans detailing its stance on the contentious issue of healthcare reform from an email account created to gather and dispel rumors, but some recipients claimed the messages were unsolicited. The White House acknowledged the unsolicited email and blamed third-party groups for the mass email.

Unfortunately, the damage was already done. Critics questioned whether the White House used address-gathering tactics similar to those employed by spammers.

Article here »

4.) Hotmail Phishing

Most recently, more than 10,000 Hotmail accounts were compromised in October and passwords were posted on several Websites where developers typically share programming code. News site Neowin reported it had seen part of the list, which has since been removed, and notified Microsoft of the issue. In this phishing scam, hackers sent out legitimate-looking emails under the letterhead of banks, eBay and other institutions, telling consumers they needed to reset online passwords to their Web sites for security purposes.

Article here »

It seems that many of the affected account holders could have used a password reset. Security researchers with copies of the exposed passwords reported that “123456” was the most commonly used among them.

Article here »

5.) Start-up Suicide

Back in September, social media advertising and applications start-up RockYou, sent out a mass email to their customers and associates announcing their new site redesign, but instead of using BCC:, they displayed the entire mailing list of over 200 email addresses in the CC: field. Not surprisingly, many of those addresses ended up on a spammer’s list.

Two months later, the start-up sent out another mass email using a mailing list. Unfortunately, the email asked contractors to provide information for their W9 tax forms. This resulted in people inadvertently sending personal information to the entire mailing list.

Email may not be as trendy as social networks, but companies still need to use both properly.

Article here »

6.) Judge Orders Gmail Account Deactivated

In August, Wyoming-based Rocky Mountain Bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address. When the bank realized the problem, it sent a message to that same address asking the recipient to contact the bank and destroy the file without opening it.

No one responded, so the bank contacted Google to ask for information about the account holder. U.S. District Court Judge James Ware in the northern district of California ordered Google to deactivate the email account and also disclose the Gmail account holder's identity and contact information. The Gmail user hasn't been accused of any wrongdoing, but someone at the Bank should be a little more careful when typing in the TO: field in an email.

Article here »

7.) Payroll Panic

Payroll processor PayChoice was the victim of a Website breach in which customers received targeted emails purporting to be from the company, but were designed to trick people into downloading malware. Workers received emails that directed them to download a browser plug-in or visit a Website to continue accessing the Onlineemployer.com PayChoice portal.

Clients were notified within hours and the site was shut down. It was later learned that the emails were sent from a Yahoo! email account and the links were hosted from servers in Poland.

Article here »

8.) UK Tax Terror

Britain’s tax authority, HM Revenue & Customs, issued a warning about a rash of scam emails that used convincing (but fake) government email address in an attempt to lure recipients into divulging their personal information to receive a tax refund. The scam messages claimed that recipients were entitled to a tax refund and asked for bank or credit card details, so that the fictitious refund could be paid out.

Like most legitimate businesses and government organizations, the HMRC stressed that it would not inform citizens of a tax rebate via email, nor would it invite them to complete an online form to receive a tax rebate.

Article here »

9.) Death, Taxes and Phish

In September, a fake email notice that purports to come from the Internal Revenue Service continued to make the rounds, widely ramping up attacks against businesses and individuals. The attacks were concealed in a bogus email containing a subject line of “Notice of Underreported Income,” according to US-CERT. The emails contained a link or an attachment that, if opened, will infect users with the Zbot/Zeus Trojan, a nasty credentials-stealing program that seeks to compromise banking login information.

Proofpoint reports that these phishing emails continued to be widely circulated as the October 15th deadline for filing extended tax returns approached.

Article here »

10.) UCSD Fake-Out

28,000 students were turned away from UC San Diego in one of the toughest college entrance seasons on record after a particularly cruel twist in the perils of instant communications. All 46,000 students in the entire freshman applicant pool received the same misfired message of acceptance, which could have led to the largest freshman class at any university globally.

The 18,000 students who were actually accepted breathed a sigh of relief. Unfortunately, the rest of the applicant pool had to march on in the grueling college application process.

Article here »

You can find Proofpoint's full press release here:

"Hallowee-mail Horrors": Proofpoint Identifies the Top 10 Terrifying Email Blunders of 2009