Posts Tagged ‘Spam’

Spam and the Changing Business Model of Cyber Crime

Wednesday, February 10th, 2010

In the past couple of months, the Freakonomics blog asked why there has been such a downturn in the familiar Viagra and Nigerian prince spam. The author attributed this to the cost of spamming no longer being worth the rates of return. Most commentators pointed to better spam filtering software.

While it does seem that anti-spam filtering has improved, there might be more to the observed downturn than that. Temporary declines are noted whenever some of the bad guys’ ISPs get taken down, but the general trend is toward continued spamming. Interestingly, though, anecdotal evidence (my spam filter) doesn’t suggest that the spammers are spending much time coming up with new tricks to avoid detection.

So back to the Freakonomics theory: a change in business models. From what we’ve been seeing, cyber criminals seem to be spending more time focusing on different types of attacks on your inbox. In the last year or so, we in the Information Security business have seen a dramatic rise in phishing attacks, particularly more targeted phishing attacks.

Phishing attacks in which a criminal targets smaller regional areas have been quite popular. Criminals will try to find an area where there are only a few financial institutions and then send emails, text messages and leave voice mails for victims they believe are in that area. These messages will either be of the traditional kind, asking for sensitive information over the Internet, or they will instruct the recipient to call a 1-800 number to divulge information. The criminals then charge money on credit cards and withdraw from ATMs.

In addition, criminals are targeting businesses more frequently. Legitimate-looking emails impersonating organizations like the IRS, UPS and the Better Business Bureau are common in these attacks. The goal here is less about sensitive information and more about installing malicious software to infiltrate a company. Usually the end goal is to get access to a corporate bank account and transfer money electronically.

So it seems that the Freakonomics guys were right: it does come down to simple economics and opportunity costs. Spam is cheaper and easier per email, but phishing brings in far more money. Enough money, in fact, that organized crime groups can set up processing centers to do all the work while the cyber kingpins drive around in their Maseratis in Marseilles. That beats Nigeria any day.


SecureWorks Reports Increase in Email Scams and Advises Extra Caution While Shopping Online this Holiday Season

Wednesday, December 2nd, 2009

In the last month, SecureWorks’ Counter Threat Unit (CTU) has seen a general increase in malicious email campaigns trying to infect online users with the Zeus Trojan (one of the most pervasive financial-credential-stealing Trojans on the market). In the last three weeks, the CTU has also monitored a large increase in the number of email lists being sold on underground hacker forums, coinciding with the start of the holiday shopping season.

Online shopping always increases during the holidays, and with it comes more criminal activity, so consumers need to take precautions whenever they make online purchases. The CTU expects to see an array of scams, including those involving fake holiday gift cards, coupons, electronic greeting cards, etc. Shoppers need to be on the lookout for any type of suspicious email or online offer.

Security Tips from the Counter Threat Unit for Online Shoppers

  1. Be wary of holiday gift cards and holiday coupon offers sent via e-mail; these often contain malicious links within the offer which lead to downloads of info-stealing Trojans, or the hackers try to scam you out of your bank account information.
  2. When visiting your favorite online retailer to purchase gifts, be sure to type the actual Web site address of the retailer into your browser. Do not follow links provided by e-mail offers or pop up ads. Many times these are fraudulent sites made to look like the legitimate retail sites.
  3. When making online purchases, always use a credit card that limits your fraud liability. Avoid using debit cards to do online purchases when possible so as to limit your personal exposure to any possible fraudulent transactions.
  4. When making online purchases, always look in your Web browser for the https (as opposed to http) protocol that precedes a Web address. The “s” lets you know that the Web site is providing a layer of security for transmitting your personal information over the Internet.
  5. Be wary of unsolicited e-mails, even from senders that you know, that include links or attachments. Before clicking on links or attachments, ALWAYS verify that the correspondent sent you the e-mail and enclosed link or attachment.
  6. Be wary of e-mails notifying you that your banking certificate or token is out of date and to download a new certificate or token. Before taking any action, verify with your financial institution by calling them on a number that is not provided in the email.
  7. Online computer users should avoid using weak or default passwords for any online site.
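As an added example that is not part of the CTU’s advisory, the Python script below applies tips 2 and 4 mechanically to the links in an e-mail body: it flags links that are not https, links whose visible text names a different host than the one the href actually points to, and hosts that merely embed a trusted retailer or bank name as a look-alike. The sample message and the `example.*` hostnames are constructed for the demonstration, and the trusted-host list is an assumed input the reader would supply.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not a real message); example.* hosts only.
SAMPLE_EMAIL = """
<p>Claim your $100 holiday gift card:
<a href="http://retailer-secure-login.example.net/gift">www.retailer.example.com</a></p>
<p><a href="https://www.shipper.example.com/track">Track your package</a></p>
<p>Your banking token expired, renew
<a href="http://bank.example.com.token-update.example.org/cert">here</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_or_under(host, trusted):
    """True if host is exactly trusted or a genuine subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

def check_links(html, trusted_hosts):
    """Return [(href, [reasons])] for links a shopper should not follow."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.scheme != "https":            # tip 4: no https, no transport security
            reasons.append("not https")
        shown = text.lower()
        shown = shown[4:] if shown.startswith("www.") else shown
        if "." in shown and " " not in shown and not _is_or_under(host, shown):
            reasons.append("link text names a different host")   # tip 2
        for t in trusted_hosts:              # tip 2: retailer/bank name used as bait
            if t in host and not _is_or_under(host, t):
                reasons.append("lookalike of " + t)
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL, [...])` with the three example.* retailer, shipper and bank hosts as the trusted list flags the gift-card and token links and passes the genuine tracking link.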

First Atrivo, Now McColo

Tuesday, November 18th, 2008

Security researchers have had a number of victories to celebrate recently. First Atrivo and now McColo have been disconnected from the Internet. This was done not by law enforcement or other governmental action, but rather by the concerted efforts of the Internet community. The Internet is made up of privately owned networks that are voluntarily connected. The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet.

Removing those two companies from the Internet has also removed large amounts of botnet and spam infrastructure. Several sources have reported seeing spam drop as much as 60-70% following McColo’s loss of connectivity. There was a similar, but smaller, drop when Atrivo was taken offline. Of course, one of the reasons that the McColo disconnect reduced spam more than Atrivo’s is that some of the spammers simply moved from Atrivo to McColo.

Back in October, my colleague Joe Stewart documented the Warezov botnet moving to McColo and also predicted (quite correctly, as it turned out) that disconnecting McColo would reduce spam by one-half worldwide. A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok, had infrastructure hosted at McColo.

It’s clear that this infrastructure remains in place. Over the weekend McColo was able to temporarily find a new upstream provider. Thankfully, they were quickly shut down again. However, this did allow botnet C&C platforms in McColo to connect to their bots, updating software and rerouting the bots to new C&C servers located elsewhere. This has been seen to be happening with Srizbi, where researchers were able to register domains used as a fallback C&C mechanism.

Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?
