The Last Watchdog

on Internet security by Byron Acohido

Spammers exploit free email, online storage as Black Hat Vegas 2009 kicks off

Posted on July 26, 2009 | 6 comments

Caesar’s Palace will be crawling this week with CSOs, CIOs, CTOs, CPOs and system admins seeking guidance on how to quell the rising tide of cyber intrusions at the Black Hat Vegas 2009 security conference.

Meanwhile, spammers late last week began inundating home and corporate email systems with a tidal wave of spam that’s particularly difficult to filter, according to this blog posting by messaging security company AppRiver.

This very distinctive — and effective — spam attack required several steps to set in motion, says AppRiver security analyst Troy Gill.

Free accounts make robust attack tools

First, these enterprising bad guys came up with an automated way to create a large cache of new Hotmail, YahooMail and Gmail accounts. Gill estimates they created several thousand free email accounts, each using a random string of characters as the user name.

Gill agrees with LastWatchdog that the attackers then most likely routed log-ons to these new email accounts, along with lists of email addresses to spam, to the command and control server of a large botnet. The botmaster then must have used a customized attack program to commence a high-rate spam campaign with messages sent from the fresh Hotmail, YahooMail and Gmail accounts.

In parallel, the attackers also used some sort of automated process to create several thousand free user-group accounts that enabled them to access free file storage services supplied at groups.yahoo.com, groups.google.com, and livejournal.com.

To open these free email and online storage accounts at the required scale, the criminals had to have an efficient way to solve captchas, those word puzzles designed to deter automated account creation. No problem there. They probably tapped into “captcha resolving” services like the ones described in this USA TODAY front page story, says Gill.

So the spam messages ultimately get pushed out by a large botnet. Here is a sample:

Each botted PC appears to be carrying out instructions to log into one of the freshly-created email accounts and use it to spam out messages directing recipients to web links residing on the free user-group accounts.

Those links, in turn, redirect the user to another web site selling fake Viagra, replica watches and herbal weight-loss remedies. Here’s a screen shot of a link in YahooGroups redirecting the user to a spurious shopping page:

The criminal masterstroke is in the obfuscation. Spam filters won’t be able to easily see the IP addresses of the botted PCs that serve as proxy mail servers to push out the spam; nor will any filtering system be able to summarily block the user-group domains where the slick-looking product pitch pages are hosted, says Gill.

“The attackers don’t have to expose their botnet IP address, which if it isn’t already on a blacklist, would soon be on one,” says Gill. “And you can’t block YahooGroups or you’re going to block all of the legitimate traffic.”
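As an added illustration (not code from the article or from AppRiver), the small Python scorer below takes the defender's side of Gill's dilemma: instead of blocking the user-group domains outright, it looks for the three traits of this campaign together, a free-webmail sender, a random-string user name, and a link to a free user-group host. The host lists and the two sample messages are constructed for the demo.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Free webmail and free user-group hosts named in the article (constructed lists for the demo).
FREE_WEBMAIL = {"hotmail.com", "yahoo.com", "gmail.com"}
FREE_GROUP_HOSTS = {"groups.yahoo.com", "groups.google.com", "livejournal.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"([\w.+-]+)@([\w.-]+)")

def looks_random(local):
    """Heuristic for machine-generated user names: 8+ chars that mix in digits or have few vowels."""
    letters = [c for c in local.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    digits = sum(c.isdigit() for c in local)
    vowel_ratio = vowels / len(letters) if letters else 0.0
    return len(local) >= 8 and (digits >= 2 or vowel_ratio < 0.2)

def score_message(raw):
    """Score one plain-text message; the group-host link weighs most but never reaches the threshold alone."""
    msg = message_from_string(raw)
    m = ADDR_RE.search(msg.get("From", ""))
    local, domain = (m.group(1), m.group(2).lower()) if m else ("", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    score, reasons = 0, []
    if domain in FREE_WEBMAIL:
        score += 1
        reasons.append("free webmail sender")
    if looks_random(local):
        score += 1
        reasons.append("random-looking user name")
    if hosts & FREE_GROUP_HOSTS:
        score += 2
        reasons.append("link to free user-group host")
    return score, reasons

def is_suspect(raw, threshold=4):
    """Flag only when all three campaign traits line up, so ordinary group links keep flowing."""
    return score_message(raw)[0] >= threshold

# Constructed sample messages, not real captures.
SPAM = """From: kz8q2wfm7x@hotmail.com

Best prices this week: http://groups.yahoo.com/group/shop4u2day/
"""
LEGIT = """From: jane.doe@yahoo.com

Notes are posted at http://groups.yahoo.com/group/neighborhood-watch/
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, score_message(raw), is_suspect(raw))
```

The legitimate Yahoo user sharing a group link scores 3 and passes, while the random-named Hotmail sender with the same kind of link scores 4 and is flagged.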

Here is a screen shot of one of the spurious product-pitch landing pages:

Gill notes that most of these techniques have been seen before — bad guys, for instance, have spread spam directing recipients to web links stored on Blogspot blogs, in Google Docs, and on free online photo storage sites to get past domain filtering systems. But the efficiency and scale of this attack is unprecedented.

It is so finely tuned that at its peak late last week the bad guys were able to send out spam messages at the rate of 950,000 to 1 million per hour, or about 5 percent of all spam traffic. Early Sunday evening, the rate slowed a bit to 500,000 to 600,000 per hour — still a massive attack.

There’s no way to tell for sure, but Gill agrees with LastWatchdog that there is a good probability, given the sophistication and effectiveness of the attack, that it is being run by controllers from one of the top spamming botnets: Pushdo, Srizbi, Rustock or Waledac.

Gill says there is no attempt being made to booby-trap the product-pitch landing pages to try to corrupt the visitor’s PC and turn it into a bot. So this appears to be a classic example of a botmaster making his inventory of bots available for hire as a hosted service to complete a specific criminal task: drive sales traffic to Web sites selling shady products.

“As people continue to embrace the Internet cloud and more and more free space is offered, the spammers and miscreants are also moving towards this landscape as a fresh new vector,” says Gill.

He notes that AppRiver predicted as much in this recent report.


6 Comments

  1. Byron, the last sentence is missing its link, but the marker is there. ;-)

    Aside from that good stuff.

    -Steve

  2. Thanks for the copy-editing help, Steve. Always welcomed. See you in Vegas at the press room?

  3. Byron, great post. Looking forward to a full report from Black Hat Vegas 2009!

    B/r,
    JDL

  4. Well Done! I Like it!

  5. Are Google calendar public entries worth anything in terms of link-juice? This black hat versus white hat debate is all a bit strange. I argue that black hatters have improved the quality of search just as modern wars have improved the technology of bullet proof vests.

  6. I find myself coming to your blog more and more often to the point where my visits are almost daily now!
