Intense ‘spam bursts’ replenish botnets, target company online accounts
Posted on September 17, 2009 | 2 comments
Sudden, intense bursts of viral spam messages keying off headlines, like the Kanye West or Serena Williams outbursts, or using trickery such as IRS warnings or FedEx or UPS shipping notices, are inundating email systems across America.
If you use an email system with strong filtering, you may be spared from most of it. But the bad guys, nonetheless, are flooding the Internet with generically addressed spam to infect your PC, as I just reported in this USA Today news story.
“Spammers have moved away from longer, more drawn out attacks that sustain themselves with high volumes over several days or a couple of weeks,” says Sam Masiello, researcher at McAfee MXLogic. “They’ve moved to short, high volume burst attacks that die off quickly. The point of these is to hit hard and fast, infect as many machines as possible then move on, as the defense mechanisms catch up.”
Spiky attacks delivering diverse payloads
While botnet replenishing may be a prime directive, attackers are also sprinkling in the usual payloads, such as fake antivirus promotions and banking Trojans. And they are even mixing in highly-viral, highly-targeted spam attacks.
Richard Cox, CIO of the antispam consortium The Spamhaus Project, says that the “spiky pattern of botnet recruitment spam” has been a consistent part of the email environment for several years.
“Other spam, too, has very spiky delivery patterns,” says Cox. “We see it routinely as various botnets come and go, advance and recede and are rented out to various spam operations.”
Patrick Taylor, CEO of Oversight Systems, tells LastWatchdog that he received a particularly nasty variant of the generic faked-IRS spam last week: it was addressed specifically to him and accused one of his best employees of underreporting the company’s income. He suspects the spammer/botmaster got his and his employee’s names from LinkedIn.
“They used one of my employees who I know is a great guy,” says Taylor. “If it was an employee with lots of personal and financial problems it may have been more tempting.”
The message asked Taylor to click on a link to begin resolving the discrepancy. But since Oversight is in the fraud monitoring business, Taylor was suspicious; he quarantined the email and asked SecureWorks researcher Joe Stewart to reverse engineer it.
Stewart says the email Taylor received was trip-wired to install the ZeuS banking Trojan, which, along with the Clampi banking Trojan, is widely used by cyber gangs to access and wire funds out of small business banking accounts.
If your company must do online banking . . .
Taylor is taking Stewart’s advice and setting up a PC dedicated solely to conducting online banking transactions. This should greatly reduce the risk of clicking on any of the malicious links that infest the Web.
“Given the prevalence and seriousness of the various banking Trojans, it is a good idea for businesses that carry out online financial transactions to isolate workstations where these activities are carried out,” says Stewart.
The optimum setup: dedicate a PC for accessing financial accounts that is isolated from the rest of the local network — and the Internet — except for the specific financial sites required to do online banking. Also, disable USB ports, since worms like Conficker can spread through corrupted thumb drives.
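One way to put that setup into practice, as an added example that is not from the article or from the researchers quoted in it: assuming the dedicated banking workstation runs Linux, the script below generates a default-deny egress ruleset (iptables) that allows DNS only to one resolver and HTTPS only to an allowlisted set of banking hosts, plus a modprobe configuration that keeps the USB mass-storage driver from loading. The resolver address and host names (192.0.2.53, bank.example.net, treasury.example.net) are constructed placeholders; the rules are printed rather than applied so they can be reviewed before being loaded with root privileges.

```shell
#!/bin/sh
# Added example (not from the article): default-deny egress ruleset and USB
# storage lockdown for a PC used only for online banking.
# Resolver IP and banking host names are constructed placeholders.

# Print iptables commands for the allowlist instead of applying them, so the
# ruleset can be reviewed (or diffed) before it is loaded as root.
# Usage: gen_banking_egress_rules RESOLVER_IP BANKING_HOST...
gen_banking_egress_rules() {
    resolver="$1"; shift
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS only to the single resolver the workstation is configured to use
    echo "iptables -A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT"
    # HTTPS only to the allowlisted banking hosts (a hostname given to -d is
    # resolved once, when the rule is loaded)
    for host in "$@"; do
        echo "iptables -A OUTPUT -p tcp -d $host --dport 443 -j ACCEPT"
    done
    # Log whatever falls through the policy so stray traffic from the box is visible
    echo "iptables -A OUTPUT -j LOG --log-prefix 'banking-egress-drop: '"
}

# Print the modprobe configuration that keeps the USB mass-storage driver from
# loading, so a plugged-in thumb drive cannot be mounted on the workstation.
# Intended for a file such as /etc/modprobe.d/no-usb-storage.conf.
gen_usb_storage_blacklist() {
    echo "blacklist usb-storage"
    echo "install usb-storage /bin/false"
}

# Sanity check: count the ACCEPT rules in a generated ruleset. Expected value is
# lo + established + two DNS rules + one rule per banking host.
count_accept_rules() {
    gen_banking_egress_rules "$@" | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--demo" ]; then
    gen_banking_egress_rules 192.0.2.53 bank.example.net treasury.example.net
    gen_usb_storage_blacklist
fi
```

Run it with `--demo` to see the generated rules. Because iptables resolves a hostname only at load time, and banks commonly serve their sites from many changing addresses, a production version would allowlist the bank's published address ranges or route the browser through a proxy that enforces the hostname allowlist; the structure (default drop, explicit DNS and HTTPS exceptions, logged fallthrough) is the part that carries over.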
“The pattern of short-lived spam campaigns is a byproduct of both anti-spam technology’s effectiveness at blocking messages — and the media’s effectiveness at alerting the public to cyber threats,” opines Cisco security researcher Henry Stern. “There is little point to continuing a spam or virus campaign once the alarm bells have been rung.”
If recent history is any indication, upcoming spam bursts will key off major sporting events, swine flu, hurricane alerts, Middle East war news and celebrity deaths. And as McAfee MXLogic just reported, the recently deceased actor Patrick Swayze is no exception.
Comments
Great story, really ties it all together. Thanks!
Comment by Troy Gill — 9/17/2009 @ 3:17 pm
Nice… just keep up the good work and I’ll keep reading, thanks!
Comment by antivirus express — 10/20/2009 @ 8:20 am