Malware and Spam: Why Do They Exist?
Philosophers have pondered the nature of evil for ages. Perhaps you also have wondered how a medium meant for information sharing has become a minefield of privacy and security risks. Spam, viruses, ransomware, identity theft, data breaches, phishing, malicious links and other cybercrimes have become commonplace. Who does this stuff, and what the heck is wrong with them? Let's take a look at what motivates the miscreants who menace millions on the Internet...
Hackers, Spammers and Cybercriminals
Not long ago, I got a letter in the mail advising me of a “data security incident” at a website where I made an online purchase. I was advised that the person(s) responsible for this data breach likely gained access to my name, address, phone number, email address, credit card number, CVV code, and expiration date. The company recommended that I “remain vigilant to protect against potential fraud” by carefully reviewing my account statements and credit reports.
I sighed and tossed the letter in the trash. I knew already that all of that information, along with my social security number, shoe size, and my dog’s name was for sale on the dark web. And yours is too.
TechRadar published a list of the top data breaches and cyber attacks of 2022. Among them are the theft of software source code from Microsoft, a cyberattack on the Red Cross, and a breach at Cash App, which compromised the accounts of 8 million users of the popular mobile payment tool. In addition, 2022 data breaches involving hotels, health insurance companies, and cryptocurrency exchanges have exposed the personal information of millions of customers, and resulted in losses totaling hundreds of millions of dollars.
Have you ever wondered why there's so much spam, so many computer viruses, rampant identity theft, and other perils of using the Internet? Perhaps it boils down to the ancient philosophical question, “Why is there evil in the world?”
Greed is the most common motivation for cybercrimes, as it is in the real world. There are big bucks to be made in malware that steals credit card, bank account, and identity details, corporate secrets, and other valuable data. The gullible will readily give money in exchange for counterfeit goods or just the false promise of goods. Some people will pay good money to damage the reputation of business competitors. Ransomware affects the entire spectrum of the online world, from large companies to home users. Most of the online damage is done for money.
Hatred is another ugly motivator. Often, it is disguised as heroism, a noble fight against a perceived evil enemy, which may be an individual, organization, corporation or government. But it’s hatred, nonetheless. Examples of this include those who spread disinformation or maliciously deface the websites of organizations with whom they disagree. Or it could be a "hacktivist" group that perpetrates denial of service attacks against their philosophical enemies.
Egotism is a third motivation. The desire to show the world how good your skills are, to do what others have failed to do, to make yourself look smart by making others look stupid, are all very satisfying to insecure egos. Some hacking groups have done this by breaking into websites, stealing embarrassing or confidential information, and publishing it online.
Grab That Cash With Both Hands and Make a Stash...
How do cybercrooks make money? The answer has changed over time. But mostly, it’s All About the Money. (Hat tips to Pink Floyd and Travis Tritt.)
Sanford Wallace was the original self-styled “Spam King.” In the 1990s, he had an ostensibly legitimate advertising business, sending out millions of unsolicited emails that advertised products or services for sale. He got paid a pittance for each email he sent, and a commission for each sale consummated in response to an email. According to “Spamford,” he made millions of dollars providing a perfectly legal service to merchants and consumers.
But eventually, spam stopped paying so well. Spam filters improved, and consumers became more wary of unsolicited offers. Spammers increasingly switched from selling things in annoying but legitimate ways to deliberately trying to defraud people. (More on the fate of Spamford below.)
That accounts for the rapid rise of ransomware and high-profile data breaches. By exploiting human error and security vulnerabilities, even low-skilled hackers can lock up the files of a single user or an entire company, and demand that a ransom be paid to restore access. Massive data breaches make the news regularly, compromising millions of usernames, passwords, credit cards, social security numbers, and other private information. These valuable troves of data are sold in the dark corners of the Internet, and the information is used to perpetrate fraud and identity theft.
Then there are the low-volume, high-value cybercrooks. They include so-called Nigerian "419 scammers" who find affluent and gullible victims to milk for thousands of dollars. I wrote about the 419 Scam back in 2006, and it's still going strong today. Similarly, so-called spear phishing attacks target wealthy or influential people via social engineering.
Cybercrime and (occasionally) Punishment
Relatively few online crooks are caught and punished. It’s very difficult to investigate and prove such crimes because the criminal activity is hard to trace and often spans international borders. The double-edged sword of encryption protects both the innocent and the guilty. The few successful prosecutions we read about tend to be very large cases that are worth the trouble and expense to prosecutors.
"Spamford" Wallace continued with a string of fraudulent enterprises for a dozen years, was eventually fined several hundred thousand dollars, and sentenced to 20 months in prison. He was released in May 2018. Oleg Nikolaenko was a Russian “spam king” who allegedly ran a botnet that churned out over 10 billion spam emails every day, an estimated one-third of all spam in the late 2000s. He served three years in prison on charges of violating the U.S. CAN-SPAM Act. The FBI is still busy putting online crooks in custody. See the FBI Cyber Crime news and press releases.
There is no end in sight to the war on cybercrime. It’s an arms race in which the players on both sides are necessarily becoming more and more sophisticated. The anonymous nature of digital currencies like Bitcoin makes it difficult to "follow the money". The best that YOU can do is try to avoid becoming a victim. Keep your malware and anti-spam defenses up. Be wary of email phishing attempts. And monitor your credit reports and bank accounts for unauthorized transactions.
This article was posted by Bob Rankin on 21 Oct 2022
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Malware and Spam: Why Do They Exist? (Posted: 21 Oct 2022)
Most recent comments on "Malware and Spam: Why Do They Exist?"
21 Oct 2022
I also fell for a PC scam 2 years ago. Cost me $500.00 but the lesson was learned. I have RoboBlock on my phone and have 379 numbers blocked in just the last 6 months. Thanks Bob for the info and caution.
21 Oct 2022
So, Bob, since you say the dark web already has all our information for sale, what do we do to protect ourselves from the stealing from any of our banking and investing accounts? A lot of two factor authentication options I have seen don't seem that failsafe from being discovered/figured out.
Ernest N. Wilcox Jr.
21 Oct 2022
I agree with Bob, malware is essentially the result of greed and ego. One part of the answer to the rise of malware is cyber-forensics technology. In other words, malware will flourish until law enforcement decides that finding and prosecuting everyone involved in the development/use of these tools is worth the effort, as monumental a task as that may be.
At the same time, we, the common users have a role to play too. It starts with a very skeptical attitude about everything we see/hear/read. I'm sure we have all heard of the Zero Trust paradigm, but most of us do not understand what it is. Essentially, it is the adoption of a very skeptical attitude regarding everything. We must take nothing at face value (not even what I write here). Instead, we must evaluate each and every tidbit we see/hear/read, especially if it confirms/advances/amplifies our existing beliefs. When accessing the Internet, be very skeptical about any hyperlink, not only on webpages, but in emails too. You can hover your mouse over a hyperlink to see the URL it will take you to. If the URL doesn't match the label displayed on the link, DON'T click! If in doubt - DON'T click! Instead, use your web browser to perform an Internet search for the purported destination website. If you see a message telling you that your computer has become infected with malware, don't click anything on the notice. Instead, use your installed antimalware software to scan for any infections. I use Microsoft Defender here, so I also run an off-line scan. If your antimalware includes such a feature, use it too. Additionally, we should all use that same skeptical attitude about anything we get in the mail or on the phone. If you did not request the contact, don't trust it.
Another, equally important part of our role is to take care to keep all of our connected devices (and all the software installed on them) as up to date as possible. I use Windows 11 version 2022 here, and I have retained the default setting to enable all updates. I have gone through all the security features in the Windows Security dashboard (accessible from the shield icon in the notification area) to make sure everything available is enabled. Further, I have installed a software update monitor. I was using SUMo, but it does not pop-up notifications when an update is available (or I could not find the setting to enable that feature). Today I switched to Patch my PC. The user interface looks like it came from Windows XP, but it seems to work very well (I found it with an Internet search that took me to a LifeWire post 'https://www.lifewire.com/free-software-updater-programs-2625200' and my past experiences tell me I can trust LifeWire - YMMV). There are several good ones available, and many are free for personal use. Do your research, then decide which one will work best for you.
Note: I have absolutely no affiliation with KC Software's SUMo or with the developers of Patch My PC, and I get no compensation for mentioning them. Any information I have provided here comes from my own experience/research.
The bottom line of all this is:
1. Be very skeptical about everything.
2. Question everything you see/hear/read on the Internet/social media/email.
3. Keep all your devices and all installed software up to date.
4. If it doesn't come from a trusted source, or if it doesn't make sense, DON'T trust/click it.
I hope this helps someone,
Ernest N. Wilcox Jr.
21 Oct 2022
The great thing about 2FA is that you install an app on your phone (Google, Microsoft, and LastPass all offer one, you can decide which you trust the most, or search the Internet) so you use your password (something you know) and your phone (something you have) to validate that you are who you are. If you prefer to avoid any authenticator apps, get a YubiKey. It can be used for 2FA too.
If you are notified that some account you own has been compromised, reset your password, ASAP!
I hope this helps,
Marc de Piolenc
22 Oct 2022
The real question is "how CAN they exist?" The sad truth is that hardware builders and software publishers, particularly operating system publishers, deliberately place vulnerabilities in their products to allow them to intrude on users. Naturally, other criminals also take advantage...
EDITOR'S NOTE: Please post an authoritative source for a claim such as this. Clearly, it could not apply to an open source OS like Linux. Which hardware and software vendors do you think would do this?
22 Oct 2022
There are two vectors that Identity theft can ruin your whole day, or even longer. The first is by the individual user of the computer at home, the majority of us, being sloppy with AV protection/updates or even by being conned, and the second is by some corporation or business, to whom we have been required to hand over our personal data/information, does not take adequate steps to safeguard that information. It is the second vector that is the disturbing one. No matter how vigilant you are with your home PC's protection, it seems to be a weekly event that some organisation has been hacked and millions of people's data has been sold on the dark web. For myself, I am as protected as I possibly can be. I have found 2 real time anti virus programs that play nicely with each other, and I have a disk imaging program that runs a full image backup once a week and incremental backups each night. That means, I am fully protected against ransomware, and my protection against malware is probably as good as it can be. The only thing I am a bit wary of is my password manager. I have mostly 16 random digit passwords, which I am reliably told, would take a century or so to be cracked by the best of computers. BUT, what are the chances of hackers getting into the online storage that these companies use, and steal in bulk. Surely, this must be the holy grail to hackers wanting a list of passwords. I have yet to be convinced that keeping a physical list of my passwords somewhere safe, or as safe as can be found, would provide more security than some of these businesses who are falling to hackers almost daily.
In the last fortnight, I've had my medical insurance company, and my Telco hacked with thousands of people's data stolen, including full credit card details. It really is about time governments and law enforcement agencies got on top of this. I refuse to believe they haven't got the ability or tools to do it.
22 Oct 2022
I almost fell for a legitimate looking email from an acquaintance which turned out to be a request for an expensive gift card. By the 3rd email, I was highly suspicious and called the acquaintance. Her email was hacked.
Brian Krebs said to not use 2FA that uses your cell phone number. Once they have your cell phone number, they have access to everything.
22 Oct 2022
I don't think we have reached "the late 2000s" yet. We are still above water and below 125F.