Just in time for Valentine’s Day, the Necurs botnet has mounted a massive spam campaign focused on dating lures.
The uptick started in mid-January 2018 and continues as time draws near for Valentine’s Day on February 14, according to IBM X-Force.
The campaign delivers short email blurbs from supposed Russian women living in the US. While typical spam email is notorious for bad spelling and grammar, these samples are rather well worded, IBM X-Force found. Many of the messages indicated that the recipient had a profile on Facebook or on Badoo, which is a Russian dating-focused social network. Badoo is the third-most popular dating app in Russia but is available internationally.
The Necurs botnet is notorious for its massive spam campaigns, believed to control more than 6 million zombie bots. This latest romance-themed effort has been responsible for more than 230 million spam messages in the last two weeks, with average volumes in excess of 30 million emails per day. The spammers are constantly shuffling the resources they leverage in campaigns, and the originating IPs logged in one campaign are not likely to be used in the next one to avoid blacklists and blocking.
Each spam email comes from a disposable email address carrying the alleged writer’s name; it then asks the recipient to contact the writer using another email address with another person’s name on it.
“Romance scams and spam featuring messages from supposed interested women is an old ploy. Such emails usually feature nothing more than some basic text and are not very likely to lure many people in,” X-Force researchers said. “However, when it comes to spam, mass volume makes for a numbers game, and fraudsters only need a small percentage of recipients to reply. Those behind this campaign will likely lure their victims to share revealing photos and extort them, ask for money to come visit, or end up infecting them with malware.”
Necurs is most known for its ties to malware gangs that spread banking Trojans, like Dridex and TrickBot, as well as ransomware, like Locky, Scarab and Jaff. But IBM X-Force said that its operators dabble in distributing spam for other fraud endeavors as well. In 2017 for instance, Necurs was sending mass amounts of “pump and dump” stock scams designed to make recipients believe a penny stock was about to rise in value. Once enough people buy the stock and it actually rises in value, the scammers sell off their shares, at which point they make a profit. The penny stock then drops back to its real market value, and those who bought it can easily be left with nothing but losses.
“Preying on seasonal trends is probably the top characteristic of email spam. The first quarter of the year typically plagues email recipients with tax season spam and romance scams that start arriving in January, leading up to Valentine’s Day,” researchers said, adding that users can protect themselves by remaining wary of unsolicited email.