Comments on: Top Spam Botnet, “Grum,” Unplugged

By: JohnAdams

JohnAdams — Wed, 08 Aug 2012 13:28:49 +0000

First of all , I’d like to thank the author of this website for doing such a great job. When I read it for the first time a few years ago, I couldn’t believe it. So I started doing my own research and I was amazed how incredibly easy available atm skimmers or their parts are on the internet. Then I thought: Obviously its possible to build a skimmer at home . But can someone actually come up with some sort of antiskimming device that would be simple , cheap to produce and would be EFFECTIVE at the same time ? I’ve read there are several good antiskimming technologies that work to some extend , but not always. Plastic antiskimmers that supposed to make it harder for crooks to install a skimming device , actually make it easier. Every time a new antiskimmer comes out , you can see skimmers that look identical to those antiskimmers. Moreover, they buy an antiskimmer and rebuild it making it a skimming device. Then of F2Fasic delta microchips and software that is made specifically to target interrupted swiping , thieves are still able to beat it. Another way is “scale” that is weighing fascia around a card reader on ATM . Supposively , if any foreign device is attached it should alarm the authorities. Well , usually crooks attach a nail or something heavy during the night hours and watch if the location is being checked up by the police. Plus with all those mini and nano skimmers that literally weigh 5-10 grams “scales” isn’t that effective. The best antiskimming technology IMO is a lazer scanner that looks like a camera and it scans the fascia around reader and other parts of ATM.if any foreign body is attached , the lazer that constantly scans the facia , alarms the authorities with a silent alarm .
To be honest this is a very interesting subject and since I read it for the first time , I’ve been on the mission to build an antiskimming device. I have a few good ideas. Maybe if Im successful , I’ll be able to share it with you in the near future .
Sincerely , John ADAMS

By: hhhobbit

hhhobbit — Mon, 30 Jul 2012 01:45:11 +0000

Thanks

I removed the blog entry.

By: voksalna

voksalna — Fri, 27 Jul 2012 09:44:10 +0000

It could be because you don’t understand how spam works (and to be fair, most people do not). This is/was hardly the only spam botnet, and comments like this will probably just rile people on (for the record, I am a security professional). Good luck to you.

By: Neo

Neo — Thu, 26 Jul 2012 21:17:37 +0000

Try now.

By: No Name

No Name — Thu, 26 Jul 2012 21:08:33 +0000

Krebs,
Do you know that the RSS feed to your website is not working. It hasn’t been for a couple of days. I assumed that maybe the feed link was changed but that doesn’t appear to be the case. clicking on https://krebsonsecurity.com/feed/
just sends the browser in to a constant connect, reconnect loop.

By: Henry Hertz Hobbit

Henry Hertz Hobbit — Wed, 25 Jul 2012 20:00:32 +0000

I forgot to add one thing. I stabilized on one file that indicates that the PeskySpammer.7z contents have changed. It is called SpamOfTheDay.txt. I take it this one lone negative vote against what I have written is from the people that are doing this that also tried to give me an anonymous phone call yesterday (2012-07-24) that I did not take. But if spammers don’t want me blocking their hosts the solution is simple – just grep out hhhobbit, henryhertzhobbit, and securemecca out of their spam sending lists.

By: Henry Hertz Hobbit

Henry Hertz Hobbit — Tue, 24 Jul 2012 19:27:24 +0000

I have proof that the people that are sending out this spam are making it look like some of it is coming from my SecureMecca.com domain. I know that they are doing it to another domain for certain and suspect they are doing it to many other domains as well. Here is my blog on it with links to the proof that is coming in with maybe a momentary lull but no end in sight:

http://securemecca.blogspot.com/2012/06/why-i-block-spam.html

They intend to keep it going forever. This is where the PeskySpammer link in the blog goes to:

http://securemecca.com/public/PeskySpammer/

This is not pointing to static data. It is ongoing and changes at least weekly. I just got a list of another 100+ hosts selling drugs that can potentially kill you or disable you for life from bounces in my email during the past 12 hours. Most of the hosts are in the Russian domain and for now are hosted in China. Do not rush to a judgement that the people doing it are in those countries. The criminals may live in the United States or Europe. I do add blocks of their hosts in my hosts file and rules in my PAC filter which feeds into some of the information stored in the PeskySpammer folder.

I would not be surprised to hear that the drugs these people are selling kill or disable people for life. When the people selling them hear that what they sold killed or disabled a person for life they would probably laugh. They are not just being nerds. They are evil criminals that don’t care who they harm.

By: nonegiven

nonegiven — Tue, 24 Jul 2012 13:44:02 +0000

I’m getting plenty of viagra spam, still.

By: Neej

Neej — Tue, 24 Jul 2012 08:24:57 +0000

>> But if not a clever marketing scheme, what’s the motive here?

I’m not speaking for the company in question but seeing as they’re a computer security firm they probably see it as their business to disrupt criminal operations which neatly dovetails with getting their name out there (ie. marketing).

I don’t really see the point of your question. Another way they could have made people aware of their brand is purchasing ad space so you have to look at it but it’s so much more legitimate when it’s done this way.

>> Do the spam bots have instructions that eventually expire

Once again an assumption on my part but I imagine all spam campaigns have expiry dates not least because the bot net may have been rented out to other spammers.

By: kurt wismer

kurt wismer — Mon, 23 Jul 2012 20:47:44 +0000

so, if i’m reading this right, russia’s CERT disavowed any knowledge of their own IP addresses? that kind of anomalous behaviour seems like something worth looking into.