Single massive spam campaigns replace high volume spam runs

This conclusion came from an analysis that showed multiple overlapping similarities and characteristics in what appeared at first to be separate spam runs. The spam runs were all based on a standard infection methodology. An email provides a lure to persuade the recipient to click an included link. The link goes to a compromised, probably legitimate, web page; which then covertly redirects the user to the malware site. In this case the malware was the Blackhole exploit kit which checked the user for an exploitable vulnerability – and infected the PC. The infection was usually a variant of either the Zeus or Cridex banking trojans.

The sheer size of the campaign is impressive. Trend tracked 45 separate runs pretending to come from 17 separate organizations in April, 66 from 21 organizations in May, and 134 from 40 in June. The ultimate figure for July is anyone’s guess. Also impressive is the sophistication of the campaign. The emails all purport to come from major organizations with trusted relationships: from banks such American Express and Citibank, from telecomms companies such as AT&T and Verizon, and social networks including Facebook and LinkedIn. 

Its sophistication is also impressive. Filtering the spam in this campaign is difficult because it uses modified versions of legitimate emails. Tracking the source is difficult because the sending botnets are in constant flux, with nodes added and removed regularly. And blocking the compromised URLs is difficult because of the scale. “The attack on May 17, for instance,” notes Trend, “used at least 1,960 distinct URLs on 291 compromised legitimate domains.” But it was commonalities in the spam itself that led Trend to conclude that it was a single campaign rather than multiple spam runs. The email links, for example, all tended to have one of just three specific formats (such s http://<compromised domain>/<8 alphanumeric characters>/index.html), while the redirected landing pages had one of just two URL formats (for example, http://literalIP/page.php?p=<16-digit-hex-number>).

Trend believes that the operation is run by just two or three individuals, probably located in Eastern Europe, and entirely focused on spreading financial malware. Rik Ferguson, Trend’s EMEA director of security research & communications told Infosecurity that it is likely “in today's ‘cybercrime as a service’ economy that it was a botnet-for-hire, acting as a software distribution mechanism” for separate criminals. It indicates just how professional and organized modern cybercrime has become.

What’s Hot on Infosecurity Magazine?