Spam hasn’t just been an IT security topic of late, it’s been the topic.

Why? Although most spam messages are harmless as long as the end-user knows how to use his or her delete button, spammers are showing quite a bit of innovation in crafting the junk email messages – more so that many virus-writers.

Lately, the most prominent trend has been spammers’ use of attachments to spread messages – mostly, in the past month, PDF attachments.

But those may now be giving way to another type: FDF files.

PDF spam, we hardly knew ye’…

Pedro Bueno, researcher at McAfee Avert Labs, has a rundown posted on the lab’s blog.

“Yes, say goodbye to the PDF spam wave and welcome the FDF stock spam wave! And yes, you will be able to open it with the regular Acrobat reader! Maybe to bypass filters based on file extension, the spam now is using the file extension .FDF, which is the format used by the data exported from a PDF form fields. The new spam will usually follow the format: -UserEmail.FDF, like GlobalTrading-pbueno.fdf.”

- Pedro Bueno, McAfee Avert Labs Blog, Aug. 10, “Goodbye PDF spam…welcome FDF!”

Eight is the magic number.

That’s how many PDF spam emails were waiting for me when I arrived at the office this morning.

So if you don’t believe the security vendors, believe me. PDF spam is spiking.

Unless, of course, those were legitimate proposals that I mistakenly deleted. In that case, I’d like to apologize to my friends Tobias C. Steele, Maximillian L. Reilly, Hugh O. Salas, Violet Clayton. Majory V. Gentry, Maude and Squad for trashing their emails.

Here’s what others had to say about recent jumps in PDF spam:

“We have received a number of reports from our readers indicating that they are receiving a large amount of pump-and-dump spam that contains no subject or body text. The emails do however contain attachments that have a .dat extension. Upon further review of the attachments, it appears that they are failed attempts at creating and sending a PDF file.

The attachments are the typical pharmacy scam spam. It is recommended that you just delete the emails. You may want to think about adding the .dat to your banned file extensions in your anti-virus programs at least until this round of spam has ended.”
- Deborah Hale, SANS Internet Storm Center, July 13, “Strange round of emails”

“Yes, PDF spams are now quite a common thing.

The easy way to recognize it is a big yellow square before the actual spam message…and the ‘Please Register this Version of PDFcrypt’ message…”
- Pedro Bueno, McAfee Avert Labs Blog, July 13, “New trend on PDF spam”

Recently we brought you stories about phishing scams claiming to be from the IRS or the Better Business Bureau.

With the phony IRS email, recipients were warned that they were under investigation for a false tax return sent to the California Franchise Tax Board.

The Better Business Bureau scam claimed that victims were on the receiving end of a complaint about their business services.

These emails are examples of spear phishing – a technique of putting off mass-spamming phishing emails in favor of targeting small groups of people with the scam messages, in this case corporate execs.

What the scammers are after is obvious. Want corporate data? Who better to target than the execs using it every day?

Joe Stewart of SecureWorks has found a Chinese connection to the two scams. The attacker behind the BBB and IRS operations has set up a new domain and server to host his or her latest scam in the People’s Republic.

Here’s Stewart’s take:
“Typically when we see malware from China, it has one of two purposes – to either steam documents related to trade secrets of companies and military/government institutions, or to steal accounts from online role-playing games. This new scam doesn’t seem to fit into either category, so it may represent the emergence of a new kind of Chinese-based cybercrime. The question is then, just what do Chinese malware authors intend to do with the vast amount of data they’ve stolen from over a thousand U.S. corporate executives?”

Security researchers may have to go another round over whether a .bank domain would cut down on the number of successful phishing attempts targeting financial organizations and their customers.

Mikko Hypponen, F-Secure’s research chief, sparked the debate earlier this month when he posted on the F-Secure blog that a .bank domain would greatly benefit the financial industry, partially because, he contended, cybercrooks wouldn’t be able to afford the large fees to register a site on it.

A number of other security bloggers took the other side of the argument, naming myriad ways fraudsters would get around the new domain name.

Mikko shot back this week. And we’ll bring you more when the debate is joined…again.

On the argument that home users would not catch on to the new domain name:

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users’ software to work better. Security software and browser toolbars would essentially have a “white list” to work with.

That cybercriminals could afford the high prices for a domain name:

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shit down quickly. The possibility of losing their investment in registering such a domain wouldn’t be worth the risk for criminals.

You can read all of Hypponnen’s arguments at the F-Secure weblog.

Mikko Hypponen, chief research officer at F-Secure, had an idea for taking the fight to financial phishers: change banks’ domain names from the common .com (in the U.S.) to a new ending, created specifically for legitimate financial institutions, such as .bank.

The price for registering on this domain would be pricey, to say the least - $50,000 was Hypponen’s suggestion – making it impossible for copycat URL-buyers to snatch up the sites at the cheap rates they do now.

“Banks would love this. They would move their existing online banks under a more secure domain in no time,” says Hypponen, citing museums as an example, on the F-Secure weblog.

Other security bloggers disagreed.

Adam at Emergent Chaos argued that money is the problem – for the legitimate bankers, not the crooks – as scammers are already investing in phishing websites. And it won’t help the people who fall for phishng scams anyway, he said.

Jeremiah Grossman was using the same logic. “The users who are getting phished are the same ones who would ignore a big red banner on the page that says, ‘THIS IS A PHISHING WEBSITE!’”

Dave G. at Matasano’s blog said the new domain won’t help phishers see the light, but will help vendors catch more phishing sites. The domain would also bring up the philosophical question of what is and is not a financial institution.

Technology news is sort of like food; if you leave it out too long, it’s only a matter of time until it goes bad.

If breaking news isn’t covered within a few days, it’s going to be passed over for the next juicy steak of a story to come along. And with ever-changing technology, and bad guys who never seem to sleep, nowhere in the media is this as clear as than with tech news.

So with that in mind, here are a few blog items to much on over the weekend.

As if they don’t have enough to worry about…
When doing business overseas, a road warrior is likely to check his or her bank account information via the web instead of running up an expensive phone bill or strolling the streets of Tokyo or London looking for a Chase Bank ATM.

So imagine being stationed in a foreign country for months on end, with few urban centers nearby to check account balances.

That’s the rationale behind a new man-in-the-middle phishing scheme that traps members of the U.S. Armed Forces into visiting a website that logs their keystrokes. F-Secure’s research team has a good description on its blog.

Warning: The scam websites, which pretend to be official Bank of America pages and require check card numbers, expiration dates and PIN numbers, look quite real.

Keep it classified
Here’s an another scary item.
Privacy blog PogoWasRight.org, named after a cartoon character famous for saying, “We have met the enemy and he is us,” (must’ve been before my time) has picked up an Associated Press story on Los Alamos workers being warned about identity theft.

Moving towards disclosure
Finally, patch distribution is a tricky business. Most months, Microsoft can’t seem to make anyone happy, no matter what it fixes or how many patches it releases.

With Oracle’s latest patch release just in the rearview mirror, Eric Maurice, the company’s manager for security in the Business Technology Unit, blogged about the latest distribution.

It’s worth reading because public disclosure about patch distributions is an even trickier business than releasing the fixes. It’s a tightrope walk above malicious users and IT pros, and both groups want as much information as possible.

It’s also worth noting that Oracle has made strides in recent months to release patches on a more selective basis and rank vulnerabilities on a clearer scale.