In the third quarter of 2015, the network generating the largest amount of spam detected by Cloudmark Global Threat Network was SoftLayer Technologies Inc. SoftLayer is a Dallas-based hosting and cloud computing company that is wholly owned by IBM. Spam levels from SoftLayer are seven times higher than they were one year ago, and 42% of all outbound email from SoftLayer in Q3 was spam.
The increase is largely due to malicious emails sent to Brazil. This is a typical example, a fake summons to attend a meeting related to a lawsuit.
The recipient is asked to open the documents for more information. They are not attachments, but links to malware hosted on the web. The attackers’ likely target is getting access to the victims’ credentials on the widely used Boleto bank payment system, either by direct phishing or by installing a Trojan. Since there are no anti-spam laws in Brazil, many of the spam emails sent there are simply unsolicited marketing, but the spam originating from SoftLayer appears to be more malicious.
SoftLayer’s outbound spam problems appear to have escalated rapidly in the past six months.
SoftLayer was one of the main pioneers of cloud computing. By automating the provisioning of virtual hardware resources, it enabled the exponential growth of other successful Internet companies. At one point it was consistently adding fifty new servers a day just to support a single client, Tumblr. However, automation in the rapid provisioning of new resources is just as valuable to criminal spammers as it is to growing social networks. SoftLayer has responded to complaints by closing down accounts used by particular spammers, but the spammers are simply coming back with new accounts.
Cloudmark will automatically blacklist any IP address that generates a large volume of spam with no legitimate email. We are currently blacklisting almost 30,000 IP addresses from SoftLayer, up from 11,000 in April. This is 1.4% of all the IP addresses that they own. When a spammer’s account is shut down, the blacklisted IP addresses they are using are returned to a common pool, and may well be reissued to a legitimate user, so the damage that spammers are doing to SoftLayer’s reputation may well impact their other customers.
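The listing rule described above can be sketched as follows. This is an added example, not Cloudmark's code: the thresholds, the log format and the seven-day evidence window (one way to keep a reissued address from inheriting its previous user's listing) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration; the page does not give Cloudmark's thresholds.
MIN_SPAM = 5                 # "large volume of spam"
MAX_HAM = 0                  # "no legitimate email"
WINDOW = timedelta(days=7)   # evidence older than this no longer counts

def _lines(ip, verdict, day, n):
    # Build n constructed log lines: "timestamp source_ip verdict"
    return [f"2015-09-{day:02d}T12:{i:02d}:00 {ip} {verdict}" for i in range(n)]

# Constructed sample log (addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = "\n".join(
    _lines("192.0.2.10", "spam", 28, 6)        # pure spam source
    + _lines("192.0.2.20", "spam", 28, 6)      # shared host: spam ...
    + _lines("192.0.2.20", "ham", 29, 3)       # ... mixed with legitimate mail
    + _lines("198.51.100.5", "spam", 1, 6)     # spammer account, later closed
    + _lines("198.51.100.5", "ham", 29, 1)     # same IP reissued to a new customer
    + _lines("203.0.113.7", "spam", 28, 2)     # too little volume to judge
)

def blacklist(log, now):
    """Return IPs with >= MIN_SPAM spam and <= MAX_HAM legitimate messages in WINDOW."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in log.splitlines():
        ts, ip, verdict = line.split()
        age = now - datetime.fromisoformat(ts)
        # Ignore stale evidence and anything timestamped after "now".
        if timedelta(0) <= age <= WINDOW and verdict in ("spam", "ham"):
            counts[ip][verdict] += 1
    return {ip for ip, c in counts.items()
            if c["spam"] >= MIN_SPAM and c["ham"] <= MAX_HAM}

if __name__ == "__main__":
    print(sorted(blacklist(SAMPLE_LOG, datetime(2015, 9, 30))))
```

Evaluated at the start of September the closed account's address is listed; by the end of the month its spam has aged out and only the still-active pure spam source remains.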
Lance Crosby and a group of other former employees of hosting company The Planet founded SoftLayer in 2005. As any successful hosting company does, they learned the importance of keeping spammers and other abusers off their system. In 2013 SoftLayer was purchased by IBM for a reported $2.1 billion, and Crosby took a senior management position there. However, in January of this year Crosby resigned from IBM, and it seems that the concern for preventing abuse went with him.
It’s clear that SoftLayer needs to do a better job of screening customers to prevent repeated abuse from malicious spammers. However, they could go further than that. IBM is one of the largest high tech companies in the world and among their many assets is a legal department that famously won a thirteen-year-long anti-trust suit. If IBM really wants to make amends to all the Brazilians who have been spammed from their servers, their legal department should work with Brazilian law enforcement to identify these criminals and bring them to justice.
For more discussion of SoftLayer’s spam problem, see this post by security blogger Brian Krebs: https://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/
Like many developed countries, Australia receives far more spam than it sends. Spam originating in Australia is mostly directed to Brazil, the US, and Australia itself.
Brazil has no anti-spam laws, so it is a perennial target for commercial spammers. Most of this spam is simply unsolicited marketing messages. The spammers are in most cases not Australians, but Brazilian companies who are renting servers wherever in the world they can find them most cheaply, often from large hosting companies such as SoftLayer who can provide services in many countries, including Australia.
Spam traffic from Australia to the US is mostly typical botnet output such as bootleg pharmaceuticals, diet pills, adult services, phishing etc. The spam that is internal to Australia is largely graymail, that is, marketers who may be tricking people into subscribing to mailings when they complete a survey, or using the fine print in one subscription to justify sending unrelated mail.
Cloudmark blacklists IP addresses that are significant sources of spam email with little or no legitimate email originating from them. The three Australian networks that have the most blacklisted IP addresses have three different patterns. The one with the most is sending mostly botnet spam to the US. The second appears to be providing hosting services to a number of bulk mailers with poor mailing practices. Spam originating there is mostly sent to other Australian users. The third is a hosting company which is providing service to spammers sending marketing messages to Brazil.
The largest source of spam sent to Australia is the US. With a third of the world’s IPv4 addresses and inexpensive hosting with good connections to the Internet’s backbone, the US is a magnet to spammers.
Spam sent to Australia includes both marketing graymail from US-based email service providers and a variety of more malicious spam from botnets and snowshoe spammers worldwide.
There are a number of venues for sharing threat information within the information security community, from informal mailing lists and forums to private arrangements between companies and formal information exchanges. Cloudmark has recently started sharing information from the Cloudmark Global Threat Network on Facebook’s ThreatExchange, which is currently in beta testing.
We feel that ThreatExchange offers significant advantages over other information exchanges. Facebook is a major corporation that has a strong interest in information security but is not selling products in that space, so security companies need not feel they are providing information to a competitor. The contract gives companies a high degree of control over what happens to the information they share. It can be flagged using the US-CERT traffic light protocol 1, or even restricted so that only a specific whitelist of other ThreatExchange members has access to it.
ThreatExchange is an extension of the Facebook API, so it shares some characteristics of a social network. In particular, there is the capability to add links between threats, to build up a picture of an attack by studying the graph generated by the links.
In our initial trials, Cloudmark is sharing two types of information via ThreatExchange: compromised domains 2 and malicious URL shortener links 3. These are both cases where legitimate resources are being abused by spammers, and our goal is to reduce the time required to remediate the problem, by notifying the appropriate service providers.
We are already working with one of the major URL shortener companies to provide them with a real time feed of malicious links via ThreatExchange. Within a few minutes of a link first being used by a spammer, anyone who receives it in an email and clicks on it 4 will be taken to a warning page rather than to the spammer’s landing page.
A feed of compromised domains will allow hosting companies to notify their clients that their web site has been hacked, and help them take remedial action. The M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers 5 has advice on the best way for hosting companies to respond to compromise notifications. However, this may take some time, as there is a long waiting list to join ThreatExchange. Currently there are fewer than one hundred companies participating in the beta test, and around eleven thousand have expressed interest in joining.
Why is phishing growing so rapidly today? People and organizations continue to rely on email for communications, the purchase of goods and services, and other transactions that take place online. As people increase their comfort with using email for personal and business transactions, they can become complacent and fail to double check that the real sender of an email message is who they think it is. Cloudmark predicts that phishing attacks will continue their rapid growth rates. This report discusses the prevalence of tools to support bad actors in setting up phishing campaigns.
Phishing is an email scam in which attackers pose as a legitimate company or even a friend or colleague, and trick an unsuspecting recipient into doing something unsafe. The attacker may try to get the recipient to install malware, either by opening a malicious attachment, or clicking a link that takes them to a malicious web site that exploits a browser vulnerability. Alternatively, they may trick them into entering personal data including credit card details, or login credentials for bank accounts, email accounts, or other company resources. Another common attack is to trick an employee into replying to what is apparently an internal email, and starting a conversation which asks for money to be urgently wired at the request of that employee’s CEO.
Phishing combines technical subterfuge and social engineering. According to the most recent data, phishing attacks have succeeded in getting into networks because large numbers of recipients respond to them. A recent report 6 found that:
The industry is also seeing an increase in state-sponsored use of phishing. Statistics gathered in 2013 reveal that phishing was associated with 95% of incidents that were attributed to state-sponsored actors. In 2013-2015, this pattern was reaffirmed with more than two-thirds of incidents that fit the cyber-espionage pattern using phishing. 7
It’s surprisingly easy to target an organization with an email phishing campaign, particularly one that targets the collection of login credentials for email accounts or other company resources. There are black hat phishing kits that can be purchased to aid in this process, and there are white hat versions of those kits that demonstrate the ease of the attack.
TrustedSec, LLC, a well-known penetration testing company, makes a product called the Social Engineering Toolkit (SET) available for anyone to download. Similar to phishing tools specifically designed for malicious purposes, it handles all steps of the attack, including reconnaissance, website forgery, phishing email composition, and credential collection, thus demonstrating how little knowledge is needed to launch a phishing campaign. These tools are used by security professionals to launch educational phishing campaigns with the goal of increasing an organization’s awareness and readiness. Like all offensive penetration testing tools, it can be used for illegal purposes as well. SET has been downloaded more than 2 million times.
The first step of any attack is reconnaissance — planning the attack.
For an email-based phishing campaign targeting an organization, attackers need email addresses of their potential victims. These email addresses can be found from public sources - such as social networking sites and through search engines - and online tools can automate this email harvesting, scraping Google using select criteria. There are also commercially available lists of corporate email addresses sold by companies catering to sales organizations.
Alternatively, the attackers may piggyback on the unforeseen publication of confidential information, such as the email addresses and credit card information in the Ashley Madison breach. 8
Once attackers have obtained potential victims’ names, email addresses, and other information, they then use the phishing tools to copy a legitimate website and create a fake version with a similar name, and to send phishing emails - emails that often include a call to action and an accompanying link to the forged website.
Those who click on the links and visit the forged copy of the website can be tricked into revealing login usernames and passwords, credit card information, and/or other personal data.
SET and other online phishing tools handle all the steps of collecting email addresses and launching an attack. The attackers can choose whether they’d like to send a single spear phishing email or template mass phishing emails from an address list.
Using SET, Cloudmark’s research team simulated an Amazon credential phishing attack. The phishing message we created was a simple email message that we sent to ourselves, telling the user that his or her Amazon account was being disabled. This fake message provided a link to the forged site.
We used SET to create the following email, and followed the link to the visually indistinguishable clone site the team had created earlier, also using the tools.
When a test user clicked on the link, it led to this forged site:
Once users submit their individual username and password, the submitted username and password are covertly harvested and stored for later malicious use. Then, the phishing software automatically forwards users from the forged site to the actual retailer website, so users don’t notice that anything untoward took place.
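On the receiving side, the link is the one part of such a message a mail filter can inspect before anyone clicks it. The following added example (not part of the original report and not Cloudmark's detection logic) flags links whose hostname imitates a protected brand; the protected list, the distance threshold and the sample message are assumptions.

```python
import re
from urllib.parse import urlsplit

PROTECTED = {"amazon.com"}   # brand from the simulation above; the list is an assumption
MAX_DISTANCE = 2             # assumed tolerance; tune against false positives

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url):
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in PROTECTED:
        return "legitimate"
    for brand in PROTECTED:
        name = brand.split(".")[0]
        if name in host.split("."):
            return "brand-in-subdomain"      # brand label under someone else's domain
        if edit_distance(reg.split(".")[0], name) <= MAX_DISTANCE:
            return "lookalike"               # near-miss spelling of the brand
    return "unrelated"

def suspicious_links(body):
    """Map each imitating URL in a message body to the reason it was flagged."""
    verdicts = {u: classify(u) for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    return {u: v for u, v in verdicts.items() if v not in ("legitimate", "unrelated")}

# Constructed sample message; the .example hostnames are reserved and not real sites.
SAMPLE_EMAIL = """Your account is being disabled. Verify at
http://www.amaz0n.example/signin or http://amazon.com.account-check.example/login
Order history: https://www.amazon.com/orders  Newsletter: https://news.example.org/"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL).items():
        print(reason, url)
```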
This report demonstrates how simple it is for attackers to send a credential harvesting attack and gain access to valuable, protected information - all with publicly available emails and a phishing automation tool downloaded by millions. By demonstrating the anatomy of a phishing attack, we hope to demonstrate why this popular threat is likely to grow in frequency and intensity over the near term.
Given the ease with which cyber-criminals can launch phishing attacks and users’ high open rates for phishing emails, phishing attacks present a growing threat to the security of consumers, governments, and enterprises.
As long as phishing emails continue to be delivered to the inbox, and people continue to open links and attachments in these emails, cybercriminals will continue to use this method of attack. The attackers will also improve their online tools, making them faster and easier to use. Success breeds success.
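Cloudmark has more than ten years of experience protecting the world's largest messaging environments. Drawing on that experience, only Cloudmark combines global threat intelligence from one billion subscribers with local behavioral tracking to provide immediate and predictive protection against data theft and security breaches that lead to financial loss as well as damage to brand and reputation.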