Malware

The 2018 M3AAWG JD Falk Award was presented October 9 during the M3AAWG 44^th General Meeting in Brooklyn, NY, USA, to:

Ronnie Tokazowski, BEC List Founder and Administrator,
Reverse Engineer, Flashpoint, @iHeartMalware

and the BEC List Members

A partial listing of companies participating in the Business Email Compromise List as of October 2018:

• Agari
• AlienVault
• Apura Cybersecurity Intelligence
• Area 1 Security
• Booz Allen Managed Threat Services
• CrowdStrike
• Cofense, previously PhishMe
• Comp.romiser
• CyberNotify.org
• Dell SecureWorks
• Duke University
• FBI, with special thanks to Los Angeles,
• New York, NCFTA, HQ
• & several field offices
• Fishtech
• Flashpoint
• Gigamon
• Google
• Internal Revenue Service/Online Fraud Detection & Prevention
• Iridium Satellite
• Itochu Corp
• Oath
• One Medical
• Orange Cyberdefense
• Palo Alto Networks, Unit 42
• Proofpoint
• Salesforce
• Scam Haters United
• ShadowDragon
• Sophos Plc.
• SpyCloud, Inc.
• Sucuri/GoDaddy
• Symantec
• ThreatStop, Inc.
• Trend Micro, Inc.
• Trustwave
• United States Secret Service Global Investigative Operations Center
• Walmart

and many other individual researchers and organizations who wished to remain anonymous

New York, October 9, 2018 – A private, sequestered email group that you probably have never heard of – but that has helped prevent millions of dollars in fraud and assisted in taking down thousands of Nigerian scheme email accounts – was honored today with the 2018 JD Falk Award from the Messaging, Malware and Mobile Anti-Abuse Working Group.  The BEC List founder and administrator, Ronnie Tokazowski, and the private email group of more than 530 members received the annual award, which recognizes an innovative project that protects online users, at the M3AAWG 44th General Meeting in Brooklyn.

The Business Email Compromise List deals with a broad assortment of criminal activity and deceptive emails, often described as “Nigerian” schemes, that use phishing and fake social media activities to attract victims. By sharing information and expertise, they have blocked spoofed emails and malware; tracked real estate, romance, IRS, W2 and lottery schemes; and identified the money “mules” used to transfer illicit funds. BEC fraud accounts for more than $12 billion in losses globally and threatens users in 150 countries, according to the FBI’s IC3 (Internet Crime Complaint Center).

The private list is managed by Tokazowski, senior malware analyst at Flashpoint, and includes cybersecurity professionals from Fortune 500 companies, leading threat research organizations, anti-virus firms, and internet infrastructure companies, many of them competitors. Law enforcement participants include the U.S. Federal Bureau of Investigation, the U.S. Internal Revenue Service Online Fraud Detection and Prevention group, the U.S. Secret Service, and other entities. While many members chose to remain anonymous, a partial list of participating organizations is available at www.m3aawg.org/FalkAwardOrgs2018 . A video describing what the group has learned about compromised email and the list’s accomplishments is at https://youtu.be/Ues_oRsTBNc.

The award also recognizes the impact a single individual can have on fighting abuse. The private group was Tokazowski’s idea and he has served as the list administrator since its inception three years ago.  Since then, dozens of organizations have cooperated on the list to protect end-users and fight fraud.

“From the start, Ronnie has diligently managed the BEC List as a trusted environment, always emphasizing the need for confidentiality and respect for members’ opinions. As a result, it has become an important anti-abuse channel where actionable information is shared throughout the day between hundreds of people. This cooperative sharing has greatly benefited end-users, even though they are not aware of its existence, as the list’s behind-the-scenes involvement has contributed to over a hundred fraud-related arrests,” said Severin Walker, M3AAWG Chairman of the Board.

In 2015, Tokazowski initially reached out to a few cybersecurity researchers and law enforcement agents to discuss the compromised emails he was seeing in his work and the list was created that December with about a hundred participants. They originally focused on conventional BEC phishing emails that impersonate a targeted CEO requesting that the company’s financial staff wire funds to a fraudulent account. But as the group studied the problem, they realized it was much more extensive and often involved malware and various online and social media ruses.

Nigerian Rappers Praise Scams

Tokazowski said, “It takes a diverse set of perspectives and expertise to address business compromise email and it’s not something researchers, law enforcement, and especially the targeted users can tackle on their own. I like to describe it as, ‘it’s not my problem, it’s not your problem, it’s a problem for everyone in the industry.’  We have to come together to fix it and understand how it works.”

This effort includes learning how the perpetuators think, according to Tokazowski. “We’re also looking to identify the criminals’ motivation and how this affects the schemes. There is a different culture in many of the countries where these crimes originate, and the deception is often justified in these regions because it’s one of the few ways to earn money. You have popular rappers in Nigeria praising the scammers efforts and their methods to ‘wire wire’ stolen money from a BEC target, but without ever acknowledging the victim’s pain,” he said.

The M3AAWG JD Falk Award is presented annually to recognize a project that helps protect the internet and embodies a spirit of volunteerism and community building. The 2018 award was presented during the M3AAWG 44th General Meeting that opened October 8 in Brooklyn, New York. Over 500 security experts, ISPs, researchers, public policy representatives and vendors are participating in the four-day meeting that features more than 50 cybersecurity and information sharing sessions. M3AAWG holds three meetings each year, including one in Europe, to develop best practices and other work that will protect online users. The next M3AAWG meeting will be February 18-21, 2019 in San Francisco. 

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: pr@m3aawg.org

M3AAWG Board of Directors and Sponsors: Adobe Systems Inc.; AT&T; Comcast; Endurance International Group; Facebook; Google, Inc.; LinkedIn; Mailchimp; Marketo, Inc.; Microsoft Corp.; Oath (Yahoo/AOL); Orange; Proofpoint; Rackspace; Return Path, Inc.; SendGrid, Inc.; Vade Secure; and VeriSign, Inc.

M3AAWG Full Members: 1&1 Internet SE; Agora, Inc.; Akamai Technologies; Campaign Monitor; Cisco Systems, Inc.; CloudFlare, Inc.; Cyren; dotmailer; eDataSource Inc; ExactTarget, Inc.; IBM, iContact; Internet Initiative Japan (IIJ); Liberty Global; Listrak; Litmus; McAfee; Mimecast; Oracle Marketing Cloud; OVH; PayPal; Spamhaus; SparkPost; Splio; Symantec; USAA; and Valimail.

A complete member list is available at /about/roster.

McKinleyville, CA and San Francisco, April 5, 2018 – Recognizing that calendar spam is a growing exploitation channel, CalConnect and the global anti-abuse association M3AAWG have joined forces to develop new methods to protect end-users from unsolicited and malicious event notices.  The new liaison between the scheduling developers’ organization and the Messaging, Malware and Mobile Anti-Abuse Working Group will accelerate industry efforts to develop techniques that block invites to fake events and other malicious notices on popular calendaring platforms.

Calendar spam is a new form of abuse that takes advantage of the application layer across multiple technologies, including scheduling, calendaring and messaging systems. For example, users have received fraudulent emails impersonating well-known brands that include calendar invites to special “discount” events.  As is the case with email spam, calendar spam can be used for malicious purposes such as phishing or to deliver malware payloads.

CalConnect (The Calendaring and Scheduling Consortium) also has established a new technical committee, TC CALSPAM, to better protect users from calendar system abuse. The committee aims to understand the current and potential use of calendar systems as a vector for delivering undesired information and will provide current information and guidelines on the topic to CalConnect and M3AAWG participants.

"Calendaring is an intimate part of everyone’s lives. Calendar spam is particularly unsettling because the abuse directly pops up on a person’s calendar.  It’s personally disruptive and especially disturbing," said Thomas Schäfer, 1&1’s Head of Technical Site Management who chairs TC CALSPAM.

Differs from Other Abuse Schemes

CalConnect and M3AAWG will develop the measures and best practices for developers and system operators to ensure legitimate usage of their platforms.  The collaborative effort is important because calendar spam is unique as an abuse vector in a number of ways:

• Calendar spam, unlike email, can be placed chronologically anywhere in a calendar – in the past or the future, not just the present – making it difficult to detect at the time of delivery.
• Spam meeting invitations can be automatically added to calendars without the users’ consent with notifications sent to all their devices. These invitations are not only difficult to find but, in some cases, there is no way for the user to remove these events short of deleting the entire calendar.
• Calendar events and meeting invitations do not yet carry the rich provenance, i.e., the detailed header information that is included in email, making it difficult to ascertain where and when events originated and where they were delivered.
• Calendar events often contain notifications or alarms that are propagated across a user’s many desktop and mobile calendaring clients, exacerbating the problem.

M3AAWG Executive Director Jerry Upton said, “Calendar spam has shown itself to be a new but rapidly maturing vector for spammers.  As we’ve seen in addressing other abuse issues in M3AAWG, cross-domain problems like this require input from experts in multiple disciplines and collaborating with CalConnect and their subject matter is the most direct route to combatting this evolving threat."

Call for Industry Participation

The reciprocal membership agreement between the two organizations became effective in February and allows the calendaring and scheduling developers, vendors and service providers in CalConnect and the messaging and email authentication experts in M3AAWG to share information and work.  CalConnect members participated in the M3AAWG 42nd General Meeting in San Francisco in February, kicking off the joint work on applicable anti-abuse methodologies.  The 43rd M3AAWG General Meeting will be held June 4-7 in Munich, Germany.

CalConnect President Rutger Geelen said, “We recognize that calendar spam is a real threat and a growing problem. First and foremost, we endeavor to protect users against such abuse. Since event and meeting invitations are often delivered via email, it makes sense to collaborate with the messaging identity and authentication experts at M3AAWG in our effort to return full control of collaboration and communications to the end users themselves."

Organizations interested in joining the CalConnect calendar spam committee should contact CalConnect Executive Director Dave Thewlis at dave.thewlis@calconnect.org or CalConnect Director of External Relations Ronald Tse at ronald.tse@calconnect.org. 

About The Calendaring and Scheduling Consortium (CalConnect)

CalConnect, The Calendaring and Scheduling Consortium, CalConnect, is a not-for-profit organization advancing the state of interoperable calendaring, scheduling and digital contacts. Founded in 2004 as a partnership between vendors and users of calendaring and scheduling tools and technologies, its membership includes some of the world’s largest software companies as well as small startups. Virtually every important calendaring-related standard since 2004 has been authored, edited, and/or co-edited by members of a CalConnect Technical Committee. http://www.calconnect.org.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy, and works to educate global policy makers on the technical and operational issues related to online abuse and messaging.

#  #  #

Media Contacts:

Ronald Tse, Director, External Relations, ronald.tse@calconnect.org, CalConnect (The Calendaring and Scheduling Consortium), https://www.calconnect.org

PR@m3aawg.org, M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group), https://www.m3aawg.org