Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2006-05-08

Joe Job: bluesecurity.com and carmelventures.com

Not every spam that's sent is designed to sell something or defraud you. Another insidious form of spam is the "Joe Job", in which a disgruntled third party impersonates someone with the intention of generating backlash against that party. I've been on the receiving end of this myself.

At the moment, a company called "Blue Security" is on the receiving end of a lot of flak from an irate spammer, and the spammer is using all the sleazy tactics common to spammers -- including "Joe Jobs" -- to wreak his revenge. I found an instance of this "Joe Job" spam in my junk folder today. There's absolutely no evidence that it originates from Blue Security, and plenty of circumstantial evidence that it is the work of the spammer called "PharmaMaster" who is currently harassing them.

How do you identify a Joe Job like this? The most telling sign is the abundance of contact information. Spamming is old hat by now, and spammers have known for ten years or more that providing accurate contact information is a sure way to get bombarded with complaints. In this case, that's the intention: PharmaMaster wants Blue Security to get bombarded with those complaints, and preferably for their service providers to throw them off due to complaints.

Also note that although the message has a fairly straight-laced "press release" kind of feel to it, it advertises the use of a "botnet" to simulate "DDoS" attacks. One of the allegations PharmaMaster has been spreading is that Blue Security is using their "Blue Frog" download to create a "botnet". It's true that downloading and executing software like "Blue Frog" is a very trusting action (and I want to make it clear that I don't endorse or recommend "Blue Frog"), and Blue Security could in theory use Blue Frog downloads to create a "botnet", but the suggestion that they are doing so is rather incredible because it would be like committing a crime in broad daylight on a busy street. Thus, I conclude that this is PharmaMaster manufacturing evidence to bolster his self-serving and outlandish claims.

This particular spam was received from a host inside the netrange 24.80.0.0/13 (controlled by Shaw Communications, Canada) -- probably a compromised PC, and thus probably part of a botnet controlled by PharmaMaster himself. It was sent to a legacy address that's been on spammer lists for years. The text of the Joe Job follows.

Skybox Security Solutions

Simulated DDoS Network Attacks and Network Intrusions

Customer Challenge:
Large corporations often hire consultants to conduct quarterly penetration (DDoS)
testing on specific segments of their corporate network. This testing can cost over
hundreds of thousands of dollars, and also exposes the network to many potential
disruptions. These disruptions are the result of the intense DDoS attacks testers
can impose on live networks in order to isolate vulnerabilities and weaknesses.
Since the network is constantly changing, and DDoS attacks are rarely dispersed
from a centralized location, the penetration test results often become nullified and
end up being limited to a small portion of the total network.

The Skybox Solution:
Skybox Security performs accurate and non-intrusive DDoS attacks across a larger
portion of the corporate network. The tests are modeled and analyzed through an
automated process via our large botnet network rather than manually performed on a
live network. As a result, the tests are repeated rigorously on a scheduled basis
without any fear of network disruption. Through DDoS attack and access simulation,
vulnerability exposures as well as security control weaknesses are revealed instantly.

DDoS attack simulation discovers all possible attack scenarios and reveals the step
by step process that an attacker or worm may follow. It illustrates specific vulnerabilities
to be exploited and network access traversed for each exploitable path. Access simulation
calculates network access privileges determined by firewall and routing configuration.
Our botnet helps characterize the interconnectivity between any two given points, reporting
not just whether access is possible, but also the detailed path to reach a final destination.
Based on these combined results, security personnel are able to determine what additional
DDoS attacks are necessary and where to deploy our organizations penetration testers.

Awards:
Info Security - Info Security Hot Companies 2006

The Wall Street Journal - One of the most innovative companies in 2005
Information Security Magazine - Product of the year
Network Magazine - Most Visionary Security Product
Network Magazine - Best of the Best in all categories
Secure Enterprise Magazine - Editor's Choice
Gartner - " Cool Vendor " in the security & privacy space
SC Magazine Awards 2006 Winner - The Best Security Solution for Financial Services
IM2005 Award finalist - Information Security and Product of the Year

Company Profile:
Eran Reshef

Founder, Chairman & CEO of Blue Security ( www.bluesecurity.com )

A serial entrepreneur, Eran is currently the founder, chairman & CEO of Blue Security,
the do-not-disturb registry pioneer. Prior to Blue, Eran co-founded Skybox Security and
served as its Chairman. Prior to Skybox Eran founded and managed Sanctum (acquired
by WatchFire), the leader in web application security. Eran holds a variety of security-
related patents that are based on his inventions.

Rina Shainski
General Partner at Carmel Ventures ( www.carmelventures.com )

Following a successful career leading business development and R&D operations in
high-growth software companies, Rina has been investing in software companies ever since.
Before joining Carmel she served as the VP Business Development at Clal Industries and
Investments where she was responsible for software investments. From 1989 to 1996, Rina
held several managerial positions in Tecnomatix including VP Business Development and
R&D Director. Rina serves on the boards of Followap Communications, Skybox Security,
mFormation and Silicon Design Systems. Rina holds a B.Sc. degree in Physics from Tel
Aviv University and a Master of Science degree in Computer Science from Weizmann Institute.

Contact Information:
2077 Gateway Place, Suite 550
San Jose, California 95110 USA
Phone: 866-6SKYBOX
Phone: 408 441 8060
Fax: 408 441 8068

Regional Offices (Israel)
60 Medinat Hayehudim St.
P.O.Box 4109
Herzliya Pituach 46140 Israel
Phone: +972-9-9545922
Fax: +972-9-9545933
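The two signs discussed above (unusually complete contact details, and a hand-off from a netrange unrelated to the named company) can be checked mechanically on a suspect message. This is an added example, not part of the original post: the headers, the relay address inside 24.80.0.0/13, the threshold of four and the function names are all assumptions made for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Netrange named in the post; extend with other consumer ISP ranges as needed.
RESIDENTIAL_NETS = [ip_network("24.80.0.0/13")]

# Constructed sample: headers and relay IP are invented, body lines are
# excerpted from the spam text quoted in the post.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
\tby mail.example.org with ESMTP; Mon, 8 May 2006 09:00:02 -0400
Received: from unknown (HELO skybox) (24.80.10.20)
\tby mx.example.net with SMTP; Mon, 8 May 2006 09:00:01 -0400
From: info@example.com
Subject: Simulated DDoS Network Attacks

Founder, Chairman & CEO of Blue Security ( www.bluesecurity.com )
General Partner at Carmel Ventures ( www.carmelventures.com )
Phone: 408 441 8060
Fax: 408 441 8068
Phone: +972-9-9545922
"""

PHONE = re.compile(r"(?:Phone|Fax):\s*\+?\d[\d -]{6,}", re.I)
URL = re.compile(r"\bwww\.[\w-]+(?:\.[\w-]+)+", re.I)
BRACKETED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def handoff_ip(msg, trusted_hops=1):
    """IP recorded by our own border MTA. Received headers are prepended, so
    skip the `trusted_hops` internal ones; anything below this is forgeable."""
    received = msg.get_all("Received", [])
    if len(received) <= trusted_hops:
        return None
    m = BRACKETED_IP.search(received[trusted_hops])
    return ip_address(m.group(1)) if m else None

def joe_job_signals(raw, trusted_hops=1, contact_threshold=4):
    """Report both hints; neither is proof on its own."""
    msg = message_from_string(raw)
    ip = handoff_ip(msg, trusted_hops)
    body = msg.get_payload()
    contacts = PHONE.findall(body) + URL.findall(body)
    return {
        "handoff_ip": str(ip) if ip else None,
        "from_residential_net": ip is not None
        and any(ip in net for net in RESIDENTIAL_NETS),
        "contact_details": len(contacts),
        "contact_heavy": len(contacts) >= contact_threshold,  # assumed threshold
    }

if __name__ == "__main__":
    print(joe_job_signals(SAMPLE))
```

Set `trusted_hops` to the number of Received headers your own infrastructure adds above the border MTA's header, since only that header's view of the connecting address can be relied on.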
