DSG Security Newsletter Issue 2 September 1, 2009

Email security
Email is an indispensable business tool, but one that comes with associated security risks. The
already-issued documents “Electronic Media Policy,” “Incident response policy: Discovery of full,
unencrypted payment card (credit or debit) numbers,” and “Email policy: Sending or receipt of
payment card data or other sensitive information” addressed email security in the business
context of receiving or sending inappropriate, sensitive or business-confidential material.

Unfortunately, email is also an indispensable tool for those engaged in fraudulent activities. This
issue of the DSG Security Newsletter focuses on such activities, and the threat they represent to
both DSG and personal information.

Virtually all email fraud is carried out by means of spam; here's a good definition from The
Spamhaus Project:

“Spam is an issue about consent, not content. Whether the . . . message is an advert, a
scam, porn, a begging letter or an offer of a free lunch, the content is irrelevant - if the
message was sent unsolicited and in bulk then the message is spam.”

Frequently, spammers rely on current events to capture your attention, as this article
demonstrates:

Spam trends highlighting holiday, tragedy themes

http://www.scmagazineus.com/Spam-trends-highlighting-holiday-tragedy-themes/article/139872/

And although the overwhelming majority of spam emails are blocked or discarded, enough are
read and acted upon to make it worthwhile to the spammer, whose costs are minimal:

Booming Underground Economy Makes Spam A Hot Commodity

http://www.darkreading.com/security/antivirus/showArticle.jhtml;jsessionid=GTBIRCI1USYDWQSNDLOSKH0CJUNN2JVN?articleID=218101457

Advance-fee fraud
An advance-fee fraud is an email-initiated scam in which the recipient is persuaded to advance
money (a "fee," "tax" or "processing charge") in the hope of realizing a significantly larger gain
that never materializes. These are frequently referred to as "Nigerian 419" scams, since the
modern variant arose in Nigeria in the 1980s, as the country's economy declined, and 419 is the
section of the Nigerian Criminal Code that deals with fraud.

Here’s one I received:

“From: powerball lottery


Subject: Prize Ref No.: PBL/CN/6654/CP
OFFICIAL NOTIFICATION: 1st October 2008.

Your email won for you a prize in the on going POWERBALL LOTTERY GAMES
2008,You are therefore been approved to claim a total sum of 1,000,000.00GBP (One
Million Pounds Sterlings) in cash. To file for your claim, Please contact our FUDICIARY
AGENT with the above Coupon No. and Ref Number to enable him validate your
winning.Contact him via e-mail below . . .”

Confidential Donor Services Group Page 1 of 6

And in case you’re wondering how anyone with an IQ above room temperature could ever be
taken in by one of these scams, I recommend the following article:

The Perfect Mark - How a Massachusetts psychotherapist fell for a Nigerian e-mail
scam
http://www.newyorker.com/archive/2006/05/15/060515fa_fact

Malicious spam

Most malicious spam contains, or will lead you to, malicious software. It comes in different forms:

• A virus is a program that attaches itself to an executable file or exploits a vulnerable
application, spreads when the infected file or program is run, and delivers a payload that
can range from annoying to extremely destructive.

• A worm is a program that makes copies of itself and sends them over the network to other
computers, usually by exploiting a vulnerability and without any action by the user. Like a
virus it replicates, but it does not need to attach itself to a host file; the traffic it
generates can disrupt networks by overloading them.

• A Trojan Horse (or simply, Trojan) is a malicious program hidden inside an attractive or
innocent-looking piece of software, such as a game, a graphics program or a "security
update." Unlike a virus or worm, a Trojan does not spread on its own; the victim is tricked
into running it. Victims may receive a Trojan by e-mail or on a CD or other media (often
from another unknowing victim), or may be urged to download a file from a Web site, as
in this case:

Fake e-mails to patch Outlook lead to malware
http://windowssecrets.com/2009/07/02/04-Fake-e-mails-to-patch-Outlook-lead-to-malware

What may happen if your PC is compromised


In addition to stealing whatever they find on your PC (including your address book), and perhaps
opening you to credit card fraud or identity theft, malware operators frequently install software
that lets them control your PC remotely, usually as one machine in a "botnet." A botnet is a group
of compromised computers under a single operator's control, used to send spam, attack web sites,
etc. The recent denial-of-service attacks against social networks like Twitter were carried out
using botnets.

There are large and well-motivated criminal organizations behind botnets, like this one:

'Golden Cash' botnet-leasing network uncovered

http://news.cnet.com/8301-1009_3-10266977-83.html

And here’s how one botnet is being used:

A Day In the Life of A Spamming Bot

http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=218401330

What can you do?

• Make sure you have anti-virus and anti-malware software installed, active, and
automatically updated. Run only one real-time anti-virus program (two running at once
interfere with each other), but don't rely on a single product for malware detection: the
on-demand scanners listed below can be run alongside it. Here are some industry-recommended
tools that are free for personal use:

Anti-virus:

o AVG Free: http://free.avg.com/download

Anti-malware:

o Ad-Aware, from Lavasoft: http://www.lavasoft.com/index.php


o Malwarebytes’ Anti-Malware: http://www.malwarebytes.org/
o Spybot Search & Destroy, from Safer-Networking: http://www.safer-
networking.org/en/home/index.html

• Don't click on links in an email. The text you see in a message can differ from the
address the link actually points to, so either copy the visible address and paste it, or
retype it, into your browser's address field.

• Especially, don't click on the "unsubscribe" link in a spam email. Spammers use it
primarily to confirm that they have reached a live email address, and that will just
increase the volume of spam you receive. (A list you deliberately signed up for is a
different matter.)

• Don't open any email attachment unless you are certain about where it came from and
what it contains, and even then, make sure your antivirus software is set to scan any
email attachment before it can be opened. Be especially wary of attachments that are
programs (.exe, .scr and the like) or that carry two extensions, such as "Invoice.pdf.exe".

• If an offer in an email sounds too good to be true, it probably is, so just delete it.

• If you receive an email warning you about a security problem, or anything else that you’re
not sure about, copy the subject line and paste it into the search field at the Snopes site
(http://www.snopes.com/); they perform unbiased research on frauds, scams, and urban
legends (sorry - Bill Gates is not going to send you money for forwarding those Microsoft
emails).
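As an added illustration of two of the points above (links whose visible text does not match where they really go, and attachments with executable or double extensions), here is a small Python script that triages a raw email message. It is example code written for this newsletter, not a tool DSG uses; the message it parses is constructed for the example, the sender and link addresses in it are placeholders, and the list of "dangerous" extensions is an assumption, not an exhaustive one.

```python
"""Triage a raw email for deceptive links and risky attachments (example code)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real email.
# The sender domain, the link target and the attachment are placeholders.
SAMPLE_MESSAGE = b"""\
From: "Outlook Update Team" <update@example-mailer.test>
To: staff@example.org
Subject: Critical Outlook security patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Install the patch now: <a href="http://203.0.113.7/patch/outlook.exe">https://www.microsoft.com/downloads</a></p>
<p>Read the <a href="https://www.microsoft.com/outlook">release notes</a>.</p>
<p><a href="http://example-mailer.test/u?id=4471">unsubscribe</a></p>
</body></html>

--BOUNDARY
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

# Extensions treated as executable; an illustrative list, not a complete one.
DANGEROUS_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js",
                        "jar", "hta", "msi"}

# Visible link text that looks like a URL or host name (optional scheme, host, optional path).
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?].*)?$")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url: str) -> str:
    """Host name of a URL; a bare host or host/path is given a scheme so urlparse accepts it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def deceptive_links(html: str) -> list:
    """Return (visible text, real href) for links whose visible text names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if URL_LIKE.match(text) and link_host(text) != link_host(href):
            flagged.append((text, href))
    return flagged


def risky_attachments(msg: EmailMessage) -> list:
    """Return (filename, reason) for attachments with an executable or a double extension."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in DANGEROUS_EXTENSIONS:
            flagged.append((name, "executable extension ." + ext))
        elif len(pieces) > 2:
            flagged.append((name, "double extension"))
    return flagged


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and run both checks on it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"deceptive_links": deceptive_links(html),
            "risky_attachments": risky_attachments(msg)}


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGE)
    for text, href in report["deceptive_links"]:
        print(f"link shows {text!r} but goes to {href!r}")
    for name, reason in report["risky_attachments"]:
        print(f"attachment {name!r}: {reason}")
```

On the sample message the script flags the "patch" link, whose visible text names www.microsoft.com while the real destination is a bare IP address, and the Invoice.pdf.exe attachment. The "release notes" and "unsubscribe" links are not flagged because their visible text is plain words rather than an address, which is exactly why retyping the address you see is safer than clicking.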

Even though email is used as a vehicle for fraud and malicious activity, it is, and is likely to
remain, a necessary part of our business and private lives. And it has advantages over paper-
based mail:

Why email was invented

http://stevebass.posterous.com/why-e-mail-was-invented

Coming soon
The corporate security policy and formal security awareness training materials are in
development. The policy is expected to be distributed to all employees before the end of this
month, and training is tentatively scheduled for October. You will receive further communication
regarding both.

Have a question or comment?


Please send your feedback to Chris Geller at: chris.geller@donorservicesgroup.com
