Starting in late May, Cloudmark detected a spam attack delivering a ransomware loader disguised as a resume. We have received reports of this type of spam from fourteen countries on five continents, but the bulk of it appears to be directed at small businesses based in the US.
Ransomware is a type of malware that encrypts the files on the victim's computer and holds them hostage until a ransom, usually $500 or more in Bitcoin, is paid to the criminal. Small businesses are particularly vulnerable to this sort of attack because they often keep important business data on a single computer without adequate backups.
Small businesses are the engines of job creation. Companies with fewer than 500 employees have created 74% of all new jobs since the end of the last recession.1 A small business owner who is looking to hire new employees is far more likely to open an unsolicited resume than a randomly selected spam victim.
The emails themselves are simple.
They almost always use a female first name as the sender and have a zip file attached. The zip contains an HTML file that uses an IFRAME tag to download a second zip file, which in turn contains a Windows executable with a .scr suffix. The .scr suffix denotes a Windows screen saver, but a screen saver is simply a renamed executable, and criminals frequently use this format to deliver malware because it arouses less suspicion than a .exe file.
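The attachment chain described above (zip, HTML with an IFRAME fetching a zip, executable with a .scr suffix) is something a mail gateway can check for statically, without executing anything. The following is an added example, not Cloudmark's detection code: it parses an RFC 822 message, walks every zip attachment (recursing into nested zips), and records iframes that fetch a remote zip and executables hiding behind screen-saver or other executable suffixes. The sample message, hostnames and file names are constructed for the example; the "executable" is four inert bytes.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Hypothetical helper names; the sample message below is constructed and inert.
IFRAME_SRC = re.compile(r'<iframe[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)
EXEC_SUFFIXES = ('.scr', '.exe', '.pif', '.com', '.bat', '.cmd', '.js', '.vbs')


def inspect_zip(data, depth=0, findings=None):
    """Walk a zip payload (recursing into nested zips) and record the
    resume-lure chain: HTML with an iframe pulling a remote zip, or an
    executable disguised as a screen saver. Returns (kind, depth, detail)."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(("not-a-zip", depth, None))
        return findings
    for info in zf.infolist():
        name = info.filename
        lower = name.lower()
        if lower.endswith(EXEC_SUFFIXES):
            findings.append(("executable-in-zip", depth, name))
        elif lower.endswith(".zip"):
            inspect_zip(zf.read(info), depth + 1, findings)
        elif lower.endswith((".htm", ".html")):
            html = zf.read(info).decode("utf-8", "replace")
            for src in IFRAME_SRC.findall(html):
                if src.lower().split("?")[0].endswith(".zip"):
                    findings.append(("iframe-fetches-zip", depth, src))
                else:
                    findings.append(("iframe", depth, src))
    return findings


def scan_message(raw):
    """Return findings for every zip attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".zip") or part.get_content_type() == "application/zip":
            findings.extend(inspect_zip(part.get_payload(decode=True)))
    return findings


def build_sample():
    """Constructed sample: a 'resume' zip holding an HTML file whose iframe
    points at a remote zip, plus a nested zip holding a .scr, so both code
    paths are exercised. Nothing here is real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("resume.pdf.scr", b"MZ\x00\x00")  # fake PE header only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("resume.html",
                   '<html><body>Loading...<iframe src="http://example.invalid/r/resume.zip" '
                   'width="1" height="1"></iframe></body></html>')
        z.writestr("resume_docs.zip", inner.getvalue())
    m = EmailMessage()
    m["From"] = "Jennifer <jennifer@example.invalid>"
    m["To"] = "hr@smallbiz.invalid"
    m["Subject"] = "My resume"
    m.set_content("Please find my resume attached.")
    m.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                     filename="resume.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A real gateway would combine these findings with the sender-name pattern and quarantine rather than deliver; the point here is that the whole lure is visible from the attachment structure alone, before any download happens.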
When Cloudmark examined this attack in late June, 84% of the samples detected were from the United States. We also detected spam hitting the Netherlands, Australia, Canada, the UK, Italy, Hong Kong, Switzerland, Germany, Sweden, Denmark, Belgium, the Czech Republic, and Brazil. 60% of the spam was directed at email accounts associated with websites hosted in the US, and a further 17% at business ISP customers in the US. The remaining 23% went to various domestic and commercial ISP services worldwide.
Small businesses cannot afford to lose time and money to ransomware or other malware. Here are some simple rules to minimize the risks for anyone who has important data on their computer:
An analysis of 2 terabytes (TB) of DNS traffic from a prominent ISP reveals potentially dangerous gaps in its customers' security. In a single day of traffic, hundreds of hosts were found to be infected with old, well-known malware that anti-malware products have long detected and blocked.
For example, we found evidence of infection by the Bedep malware. We observed DNS traffic to these domains:
These names are produced by a Domain Generation Algorithm (DGA) for use with command-and-control (C&C) servers, and are known to point to Bedep C&C servers. There is also evidence that the same servers were hosting Reveton ransom pages.3 Communication with these endpoints persisted throughout the entire measurement period, meaning that no remediation action was taken for any of the infected devices.
More alarming is evidence of an infection by a virus that security experts have been aware of for years. These domains were observed in DNS traffic capture:
The Expiro virus was thoroughly investigated by researchers at Symantec4 and McAfee5 after an outbreak during the summer of 2013. Expiro attempts to connect to malicious domains to exfiltrate data and download additional malware.
The most troubling aspect of these infections is the age of the malware. Anti-virus products have detected and blocked both families for months or years; finding them still active shows that some individuals and enterprises lack even the most basic malware protection. Since individual hosts will evidently remain vulnerable, network operators need to strengthen the security measures in their DNS infrastructure, such as blocking or sinkholing resolution of known C&C and DGA domains at the resolver, to protect their customers and themselves.
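The DGA-generated C&C names mentioned in the Bedep discussion above are exactly what a resolver operator can look for in query logs. The following is an added example, not part of the report's analysis and not Cloudmark's code: a crude DGA heuristic (long registrable label, high character entropy, few vowels, digits mixed with letters) applied to constructed DNS log lines, flagging any client that repeatedly resolves generated-looking names. The domain names in the sample log are invented and are not the Bedep or Expiro domains observed in the ISP capture; the single-label public-suffix handling is a simplification of what a real deployment would do with the Public Suffix List.

```python
import math
import re
from collections import defaultdict

# Constructed DNS log lines: "client-ip query-name". Invented for the example.
SAMPLE_LOG = """\
10.0.0.7 www.example.com
10.0.0.7 mail.example.com
10.0.0.7 xk3qzt9w2pvhd7cm.com
10.0.0.7 q8nwlm4rsz1vbg6t.net
10.0.0.7 j2vdpx7hk9ymq4rs.com
10.0.0.7 b6tz3w8nqv1lxk5m.org
10.0.0.7 cdn.example.org
10.0.0.12 www.example.com
10.0.0.12 updates.example.net
10.0.0.12 static.example.com
"""

# Simplified public suffixes (assumption); use the Public Suffix List in practice.
PUBLIC_SUFFIXES = ("com", "net", "org", "info", "biz")


def registrable_label(qname):
    """Label just left of the public suffix, e.g. 'xk3qzt9w2pvhd7cm' for
    'xk3qzt9w2pvhd7cm.com'; None if the suffix is not one we model."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] not in PUBLIC_SUFFIXES:
        return None
    return parts[-2]


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label):
    """Crude DGA heuristic: long label, high entropy, few vowels, digits and
    letters mixed. Thresholds are illustrative, not tuned on real data."""
    if label is None or len(label) < 10:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    has_digits = bool(re.search(r"\d", label))
    has_letters = bool(re.search(r"[a-z]", label))
    return (shannon_entropy(label) >= 3.5
            and vowels / len(label) < 0.25
            and has_digits and has_letters)


def suspicious_clients(log_text, min_hits=3):
    """Group queries by client; return clients that resolved at least
    `min_hits` generated-looking names (a beaconing pattern), with the names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        client, qname = line.split()
        if looks_generated(registrable_label(qname)):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

A heuristic like this produces false positives on CDN hostnames and some legitimate randomised labels, so in practice it is used to prioritise hosts for investigation or correlated with a known-DGA feed, not as a blocking rule on its own.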
Cloudmark has detected a 79% reduction in diet pill spam since April 27th when the Federal Trade Commission obtained a temporary restraining order (TRO) to shut down Sale Slash, LLC, a California corporation. According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “Sale Slash is a fraud trifecta. The company made outlandish weight-loss claims for its diet pills using fake news sites, phony celebrity endorsements, and millions of unwanted spam emails.”6
In late 2013 Cloudmark reported the activity of a large-scale diet pill spam operation to the FTC. We believed this to be an affiliate organization, but it was likely that enough of the operation was based in the US to be worth further investigation by US law enforcement. Cloudmark was one of several organizations that requested that the FTC investigate this spam attack. We named this operation the “Com Spammers” because they often use disposable domain names of the form com-XXX.net, where XXX are three or four random characters.
FTC investigator Douglas McKenney collected several samples of the spam and followed the links. He discovered that the spammers were using a legitimate commercial click tracking service, Cake Marketing, to monitor the activities of the various affiliates who were actually sending the spam. By obtaining financial records and logs from Cake Marketing he was able to identify the individuals and corporations alleged to be running this spam campaign, as well as the amounts paid to the various affiliates. According to Cake Marketing’s records, the most successful affiliate, known only as “Winner Master” generated more than 7,000,000 clicks to diet pill landing pages, caused 140,000 sales, and earned $10,200,000 in commission. The bank statements for Sale Slash, also obtained by McKenney, include a series of wire transfers totaling over $10M to a bank account in Curacao owned by “Performance Marketing, Ltd.”7
The FTC’s investigation of the Com Spammers did not stop with tracking down the alleged organizers. They also obtained a statement from a leading nutrition and diet expert, Dr. David Levitsky, that the claims of radical weight loss made in the spam landing pages were unrealistic, and confirmed with Oprah Winfrey’s organization that she had not endorsed any diet pills in spite of the frequent use of her name and image by the spammers. 8
While technical measures can have a significant impact on keeping spam under control, this case shows that effective law enforcement action also plays a vital role in managing this problem.
In 2014, the Internet Corporation for Assigned Names and Numbers (ICANN) introduced new Top Level Domains, allowing entrepreneurs and organizations to pay for websites ending with words appropriate to their business. Originally, one was stuck with the generic .com, which stands for “commercial”, but now nearly every industry is represented with TLDs like .club, .science, .media, .marketing, even .plumbing.
The availability of these new domains also opens a new avenue for abuse. In most cases there is no qualification required to buy a domain in one of the new TLDs; spammers can simply purchase them en masse.
The Cloudmark Global Threat Network tracks the reputation of tens of millions of domains. We took a look to see what percentage of the domains in particular TLDs were associated with spam.
Among generic top level domains (gTLDs) that are open to the public, we can clearly see an inverse relationship between the cost of registering a domain and the amount of abuse. Cheap domains (under $20) are heavily abused by spammers. Above that price there is a steep drop-off in abuse, and one of the most expensive, .jobs, sees almost none.9
An exponential regression line shows the relationship between cost and abuse. The two outliers are .science, likely abused because it sounds reputable, and .xxx, likely abused (despite its significant cost) because it does not. Given the rate of abuse, consideration should be given to blocking cheap new TLDs entirely, accepting that the small number of legitimate senders in those TLDs would be blocked along with the spammers.
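The cost-versus-abuse analysis above reduces to a few steps: compute an abuse rate per TLD from domain reputation data, fit abuse = A * exp(B * cost) by a least-squares line through ln(abuse), and look for TLDs that sit far off the line. The following is an added example of that computation, not Cloudmark's analysis code. The per-TLD figures are constructed (invented TLD names, costs and counts) purely to show the mechanics; the thresholds in block_recommendation are assumptions.

```python
import math

# Constructed per-TLD data: registration cost (USD), spam-associated domains,
# total domains observed. Not Cloudmark's measurements.
SAMPLE_TLDS = {
    ".cheap1": (5.0, 620, 1000),
    ".cheap2": (9.0, 480, 1000),
    ".mid": (25.0, 60, 1000),
    ".pricey": (60.0, 12, 1000),
    ".jobs": (150.0, 1, 1000),
}


def abuse_rates(tlds):
    """Fraction of observed domains in each TLD that are spam-associated."""
    return {t: spam / total for t, (cost, spam, total) in tlds.items()}


def fit_exponential(points):
    """Least-squares fit of abuse = A * exp(B * cost), done as a linear fit of
    ln(abuse) on cost. Returns (A, B). Every abuse value must be > 0."""
    xs = [x for x, _ in points]
    ys = [math.log(y) for _, y in points]
    n = len(points)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = math.exp(my - b * mx)
    return a, b


def model(tlds):
    """Fit the curve; rates are floored at 1/total so a zero-abuse TLD
    still has a finite logarithm."""
    rates = abuse_rates(tlds)
    points = [(cost, max(rates[t], 1.0 / total))
              for t, (cost, spam, total) in tlds.items()]
    return fit_exponential(points)


def predicted_rate(a, b, cost):
    return a * math.exp(b * cost)


def outliers(tlds, factor=3.0):
    """TLDs whose observed abuse differs from the fitted curve by more than
    `factor` times in either direction (the .science / .xxx situation)."""
    a, b = model(tlds)
    rates = abuse_rates(tlds)
    out = []
    for t, (cost, spam, total) in tlds.items():
        pred = predicted_rate(a, b, cost)
        obs = max(rates[t], 1.0 / total)
        ratio = obs / pred
        if ratio > factor or ratio < 1 / factor:
            out.append(t)
    return out


def block_recommendation(tlds, max_cost=20.0, min_rate=0.25):
    """Cheap TLDs with high observed abuse: candidates for blocking outright.
    Thresholds are assumptions for the example."""
    rates = abuse_rates(tlds)
    return sorted(t for t, (cost, _, _) in tlds.items()
                  if cost < max_cost and rates[t] >= min_rate)


if __name__ == "__main__":
    a, b = model(SAMPLE_TLDS)
    print("abuse = %.3f * exp(%.4f * cost)" % (a, b))
    print("block candidates:", block_recommendation(SAMPLE_TLDS))
    print("outliers:", outliers(SAMPLE_TLDS))
```

The sign of B is the whole finding: a negative B says abuse falls off exponentially with price. Outlier detection on the residuals is how a TLD such as .xxx shows up as abused out of proportion to its cost.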
Other gTLDs possibly of note are .diet, .healthcare, .pharmacy, and .clinic, which are not yet publicly available, although they can be pre-registered. If they are offered cheaply, we could expect them to be heavily abused by spammers, especially considering the popularity of diet pill and bootleg pharmaceutical spam.
Contrasted with generic TLDs, sponsored top level domains (sTLDs), which have existed for some time, add an extra layer of security by imposing additional requirements on the registrant. These requirements vary in rigor. For example, .pro requires the registrant to show proof that they offer a professional service of some kind, but not much else. .mobi requires that a site be mobile friendly, which is a significant restriction. .travel, .coop, .museum, and .edu require institutional credentials proving eligibility, whereas .gov and .mil are closely restricted by the US government and US military respectively. These increasingly rigid requirements greatly reduce the amount of abuse seen among sponsored TLDs.
Finally, an important thing to consider: despite the rate of abuse of the new TLDs, .com still outstrips everything else in terms of sheer volume.
If spammers always used the same call to action URL in all their emails, it would be easy to filter spam. So to evade detection, spammers are constantly seeking ways to generate large numbers of cheap or free call-to-action URLs which will redirect to a smaller number of landing pages, which are typically more expensive to create. Two common sources of these cheap URLs are URL shortener services and, more recently, tracking redirectors services provided by email service providers (ESPs). In both cases as soon as a provider detects the abuse of their service and implements measures to prevent it, the spammers will switch to another service with less stringent security.
While spammers can create their own shorteners, it’s preferable to exploit an existing shortener or tracking redirector service because the source domain has an established good reputation. They then use a bot to create thousands of URL shortener links that all redirect to the same malicious webpage. Because each link is used in only a fraction of the total spam, it is harder to filter.
In August 2014, we reported in the Cloudmark blog that spammers were primarily abusing Twitter’s t.co, and we documented the methods they were using. We’re happy to report that since then, Twitter appears to have made significant progress in preventing abuse, however, most of the spammers have now switched over to using bit.ly.
Most senders of legitimate bulk email use an ESP to send their messages. One service that ESPs provide is tracking links that can be embedded in an email and redirect to the sender's landing page. These links count clicks and record exactly which message generated the click. Unfortunately, for some months now we have seen these being abused by spammers, who set up free or cheap accounts with the ESP, create redirector links by sending one email to themselves, and then re-use the redirection URLs in email messages that are not sent from the ESP's infrastructure. Once again, we see the spammers switch from one vendor to another as new security measures are put in place.
In the chart above, each color indicates a different ESP domain being abused by spammers. Some ESPs are slow to implement security measures following abuse and remain targets for a longer period while others respond quickly and the attacks using that domain are of limited duration.
Since the spammers are using botnets or snowshoe attacks to send their malicious emails, ESPs may not even be aware that their redirector services are being abused. Cloudmark has been extremely proactive in reaching out to ESPs over this issue, both directly and through the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
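Two checks follow directly from the shortener and ESP-redirector abuse described above: collapse the many cheap call-to-action URLs onto the few landing pages they redirect to, so the landing page rather than the shortened link becomes the filtering key; and flag a message that carries an ESP's tracking link while having been relayed from outside that ESP's network. The following is an added example of both, not Cloudmark's filtering code. The redirect table stands in for live HEAD requests (which would not auto-follow and would read the Location header), the hostnames and the ESP-to-network mapping are invented, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP lookups.
REDIRECTS = {
    "https://short.invalid/a1": "https://track.esp-one.invalid/c/9f1",
    "https://short.invalid/b2": "https://track.esp-one.invalid/c/9f2",
    "https://short.invalid/c3": "https://track.esp-one.invalid/c/9f3",
    "https://track.esp-one.invalid/c/9f1": "https://pills.invalid/landing",
    "https://track.esp-one.invalid/c/9f2": "https://pills.invalid/landing",
    "https://track.esp-one.invalid/c/9f3": "https://pills.invalid/landing",
    "https://short.invalid/z9": "https://news.invalid/story",
}

# Tracking host -> domain suffix of the ESP's own sending infrastructure.
# Assumption for the example; a real list is built from the ESP's SPF/PTR data.
ESP_TRACKING_HOSTS = {"track.esp-one.invalid": "esp-one.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def resolve(url, table=REDIRECTS, max_hops=10):
    """Follow the redirect chain; stop on a loop or at max_hops."""
    chain = [url]
    while url in table and len(chain) <= max_hops:
        url = table[url]
        if url in chain:
            break
        chain.append(url)
    return chain


def cluster_by_landing(urls, table=REDIRECTS):
    """Map each final landing page to the set of call-to-action URLs reaching it."""
    clusters = {}
    for u in urls:
        final = resolve(u, table)[-1]
        clusters.setdefault(final, set()).add(u)
    return clusters


def sending_domain(msg):
    """Host named in the topmost Received header (the last relay before us).
    Simplified: a production filter uses authenticated results instead."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"from\s+(\S+)", str(received[0]))
    return m.group(1).lower() if m else None


def esp_link_mismatch(raw):
    """URLs in the body that are ESP tracking links, where the message was
    relayed by a host outside that ESP's network (the re-use pattern)."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = sending_domain(msg) or ""
    flagged = []
    for u in URL_RE.findall(body):
        esp = ESP_TRACKING_HOSTS.get(urlparse(u).hostname)
        if esp and not sender.endswith(esp):
            flagged.append(u)
    return flagged


# Constructed message: an ESP tracking link, but relayed from an unrelated host.
SAMPLE_MSG = """\
Received: from mail.residential-cable.invalid (203.0.113.9) by mx.example.invalid
From: deals@example.invalid
To: victim@example.invalid
Subject: special offer
Content-Type: text/plain

Click here https://track.esp-one.invalid/c/9f2 for your discount.
"""

if __name__ == "__main__":
    for landing, cta in cluster_by_landing(list(REDIRECTS)).items():
        print(landing, "<-", len(cta), "call-to-action URLs")
    print("mismatched ESP links:", esp_link_mismatch(SAMPLE_MSG))
```

Clustering by landing page is what lets one reputation decision cover thousands of throwaway links; the relay check is the signal an ESP itself cannot see, since the abusive mail never touches its servers.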
Many mobile carriers offer free Email-to-SMS gateways: you address an email to the recipient's phone number as the local part at the carrier's gateway domain, and it is delivered as a text message. From there it is easy to write a program that walks through phone numbers sequentially. Of course, to be effective you need to know which numbers belong to which carrier, which numbers are active, and other secrets of the spamming trade. Ever since Cloudmark started tracking and blocking Email-to-SMS spam, we've noticed certain types targeting our customers. The goal of these attacks is to harvest personal information to support identity theft.
One ongoing Email-to-SMS phishing scam seen over the past year deals with online classifieds, primarily Craigslist, usually abbreviated to "CL":
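The sequential walk through phone numbers described above leaves an obvious fingerprint in a gateway's logs: one sender, many all-numeric recipients, sorted numbers a few apart. The following is an added example of detecting that, not Cloudmark's or any carrier's code. The log lines, the sender addresses and the gateway domain sms.carrier.invalid are constructed for the example, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed gateway log lines: "sender recipient". Invented for the example.
SAMPLE_LOG = """\
promo@bulk.invalid 4155550100@sms.carrier.invalid
promo@bulk.invalid 4155550101@sms.carrier.invalid
promo@bulk.invalid 4155550102@sms.carrier.invalid
promo@bulk.invalid 4155550103@sms.carrier.invalid
promo@bulk.invalid 4155550104@sms.carrier.invalid
promo@bulk.invalid 4155550107@sms.carrier.invalid
alice@example.invalid 4155559876@sms.carrier.invalid
alice@example.invalid 4155559876@sms.carrier.invalid
bob@example.invalid 4155550100@sms.carrier.invalid
"""

# Local parts that are a bare phone number (10 to 15 digits).
NUMERIC_LOCAL = re.compile(r"^(\d{10,15})@")


def parse(log_text):
    """Distinct numeric recipients per sender."""
    per_sender = defaultdict(set)
    for line in log_text.splitlines():
        sender, rcpt = line.split()
        m = NUMERIC_LOCAL.match(rcpt)
        if m:
            per_sender[sender].add(int(m.group(1)))
    return per_sender


def enumeration_score(numbers, max_gap=3):
    """Fraction of consecutive sorted numbers that lie within `max_gap` of
    each other: about 1.0 for a sequential sweep, near 0 for organic traffic."""
    nums = sorted(numbers)
    if len(nums) < 2:
        return 0.0
    close = sum(1 for a, b in zip(nums, nums[1:]) if b - a <= max_gap)
    return close / (len(nums) - 1)


def enumerating_senders(log_text, min_numbers=5, threshold=0.8):
    """Senders that hit at least `min_numbers` distinct numbers with a
    sweep-like score; these are candidates for rate limiting or blocking."""
    per_sender = parse(log_text)
    return sorted(s for s, nums in per_sender.items()
                  if len(nums) >= min_numbers
                  and enumeration_score(nums) >= threshold)


if __name__ == "__main__":
    for sender, nums in parse(SAMPLE_LOG).items():
        print(sender, len(nums), "numbers, score %.2f" % enumeration_score(nums))
    print("enumerating:", enumerating_senders(SAMPLE_LOG))
```

Gaps of a few numbers (the 104 to 107 step in the sample) still count as a sweep, because spammers skip inactive numbers; what separates a sweep from a legitimate business sending to its own customers is the density of the recipient set, not strict contiguity.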
The spammers either reference a specific item (vehicle, furniture, boat, motorcycle, etc.) or just “the item”, and include an email address (usually gmail or other free email provider) to reply back to. These are typically sent directly from Gmail accounts.
If you reply, you get the following response:
You may also get a response like this:
If you provide your information, you'll receive no response; the goal seems to be simply to harvest your information.
The next type of Email-to-SMS phishing scam claims that you’ve received a rebate from your mobile provider:
If you click on the link provided, you are presented with what looks like a logon screen for your mobile provider:
If you provide your credentials, you are presented with a page that thanks you for the information and says you will be contacted within 24 hours. You aren’t, and the last 4 digits of your SSN, an important identifier for credit card companies, are in the hands of spammers.
The last type of Email-to-SMS spam entices the recipient to contact the sender for sexual offerings:
Going to one of the URLs takes the user to an adult dating site, luring the recipient to sign up. Again, the advertisement isn’t real, and any information you provide is stolen.
This is just a small sample of the larger Email-to-SMS spam picture. As cellphone and smartphone usage has grown, and email and mobile messaging have converged, messaging abuse has grown as well — a trend we can expect to continue.
Generally the spam situation in the UK is typical for a developed country with anti-spam laws and legal sanctions against professional spammers. Neither outbound nor inbound spam are serious problems. However, there is significant room for improvement as a few hosting companies with inadequate spam filtering are making things worse for everyone.
The UK sends far more legitimate email than spam, the bulk of which goes to the UK and the US. Much of the spam from the UK goes to the US as this is the most popular target for many kinds of spam.
If we look at the sources of spam in more detail, a single source stands out as sending several times as much as any other. The Iomart Group, a Scottish hosting company, is responsible for 14% of all the spam originating in the UK. For comparison, Rackspace UK, another large cloud and hosting company, originates more than twice as much legitimate email as Iomart, and less than a quarter of the spam. The spam from Iomart comes from several affiliate marketers and is directed internationally. We have seen reports from the US, Ireland, Hong Kong, Canada, and Brazil, among others. Iomart is a company with a fine social and environmental record, and we hope their social responsibility will soon extend to more aggressive measures against spammers.
When we look at spam delivered to the UK, the US is a major source. However, the UK sees almost as much spam from Germany as from the US, and far less legitimate email. In fact, in April 2015, 56% of all the email from Germany to Cloudmark clients in the UK was spam.
Once again, just a few organizations are making a disproportionate contribution to the statistics. Of the top six ASNs (autonomous systems, each a network operated by a single organization) sending spam to the UK, three are based in Germany:
All three networks are sending similar "free gift card" spam snowshoe style (i.e. spread across a range of IP addresses to circumvent the blocking of individual addresses). The UK is not the only country to receive spam from these networks; we are also seeing reports from other European countries.
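The ASN-level view used above is the natural counter to snowshoe sending: individual addresses never accumulate enough volume to be blocked, but aggregated by autonomous system the pattern (many distinct source IPs, each sending only a little, almost all of it spam) is hard to miss. The following is an added example of that aggregation, not Cloudmark's reputation code. The AS numbers are from the private range, the prefixes are documentation ranges, the message log is constructed, and the thresholds are assumptions; a real system maps IPs to ASNs with a routing table or an IP-to-ASN lookup service.

```python
import ipaddress
from collections import defaultdict

# Constructed ASN table (private AS numbers, documentation prefixes).
ASN_PREFIXES = {
    "AS64500": [ipaddress.ip_network("198.51.100.0/24")],
    "AS64501": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed message log: (source IP, verdict). AS64500 sends one or two
# messages from each of 60 addresses; AS64501 sends a normal mix from two.
SAMPLE_LOG = (
    [("198.51.100.%d" % i, "spam") for i in range(10, 70)]
    + [("198.51.100.10", "spam")] * 2
    + [("203.0.113.5", "ham")] * 40
    + [("203.0.113.5", "spam")] * 3
    + [("203.0.113.6", "ham")] * 20
)


def asn_for(ip):
    """Longest-prefix lookup is unnecessary here: one prefix per AS."""
    addr = ipaddress.ip_address(ip)
    for asn, nets in ASN_PREFIXES.items():
        if any(addr in n for n in nets):
            return asn
    return None


def per_asn_stats(log):
    stats = defaultdict(lambda: {"spam": 0, "ham": 0, "ips": set(), "spam_ips": set()})
    for ip, verdict in log:
        asn = asn_for(ip)
        if asn is None:
            continue
        s = stats[asn]
        s[verdict] += 1
        s["ips"].add(ip)
        if verdict == "spam":
            s["spam_ips"].add(ip)
    return stats


def spam_ratio(s):
    total = s["spam"] + s["ham"]
    return s["spam"] / total if total else 0.0


def snowshoe_asns(log, min_spam_ips=20, max_per_ip=5.0, min_ratio=0.5):
    """Snowshoe signature: spam spread thinly over many distinct IPs of one
    AS, so no single address builds enough volume to be blocked on its own."""
    out = []
    for asn, s in per_asn_stats(log).items():
        if not s["spam_ips"]:
            continue
        per_ip = s["spam"] / len(s["spam_ips"])
        if (len(s["spam_ips"]) >= min_spam_ips and per_ip <= max_per_ip
                and spam_ratio(s) >= min_ratio):
            out.append(asn)
    return sorted(out)


if __name__ == "__main__":
    for asn, s in per_asn_stats(SAMPLE_LOG).items():
        print(asn, "spam=%d ham=%d ips=%d ratio=%.2f"
              % (s["spam"], s["ham"], len(s["ips"]), spam_ratio(s)))
    print("snowshoe candidates:", snowshoe_asns(SAMPLE_LOG))
```

A flagged AS is a reason to score or rate-limit the whole prefix and to contact the operator, not necessarily to block it outright: the same hosting company may also carry legitimate customers, which is exactly why the report compares spam against legitimate volume per network.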
The affiliate marketers using Iomart’s services are not necessarily UK based, and the scammers exploiting these German hosting companies may not be based in Germany. Spam is an international business, and spammers will use services wherever they can get them cheaply and with the fewest questions asked. An ISP or hosting company with lax standards in one country can create problems across the world. We can only deal with spam by collaborating across international borders and adopting best practices everywhere. M3AAWG recently published a best practices document for hosting companies that is an excellent starting point.
Cloudmark has more than ten years of experience protecting the world's largest messaging environments. Building on that experience, Cloudmark alone combines global threat intelligence from one billion subscribers with tracking of local activity to provide immediate and predictive protection against data theft and security breaches that lead to brand and reputation damage as well as financial loss.