Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
September 6, 2016, William MacArthur
There’s a lot more to spam than meets the eye.
If you were to invite a bunch of random people to a party that you were hosting, you’d probably expect that the vast majority of them wouldn’t show up. However, you may get a few curious party-goers who are always down for a good rager, and a few more who may be unaware—or simply don’t care—that showing up to a stranger’s house is weird. Of course, the probability of more people showing up increases the more invitations you send out, especially if you happen to be famous or include an enticing hook in your invite (FREE BEER!).
It’s a silly analogy, but it’s the premise on which most spam email campaigns capitalize: Big numbers and popular brand names. Often, spam is a sheer numbers game. In 2013 it was estimated that there were nearly 100 billion spam emails sent every day. Even if only .0001% of those were opened and clicked, you’re still talking about 100,000 people showing up to the party.
According to Spamhaus, up to 80% of spam targeted at internet users around the world is generated by an extremely active and extremely savvy group of around 100 known persistent spam gangs. Many of these gangs execute their campaigns with botnet zombies, which may use spam payloads hosted offshore. Some of these gangs even hijack IP address space from companies, giving them more firepower with which to spam.
Spam comes with a $20 billion price tag for society at large, and spam management costs U.S. businesses more than $71 billion annually in lost productivity — around $712 per employee. I based the following post on some actual spam I received in my personal junk folder. It’s worth noting that the examples you’re about to see employ a very common—and particularly lucrative—way threat actors can turn a profit.
Below, I’ll cover some giant red flags that will identify spam, as well as how to use these red flags to uncover the true extent of a spam gang’s infrastructure. Let’s dive in!
Friendly names, malicious emails
The first email I’ll investigate is from CVS, one of the businesses that I frequent on a pretty regular basis. Overall, the spam messages I’m showing come from stores that I, and probably a majority of you, often visit. This is no surprise—the brands this spam gang is abusing are ubiquitous.
Red flag alert: The first thing anyone should notice about this spam email is the email addresses of the sender, located in the “Reply-To” section. It’s utilizing a known abusive gTLD (others include .top, .xyz, .win, .gdn).
Fig-1 A trustworthy brand; a suspicious TLD
The second thing that jumps out is the type of brands the sender is targeting. The spammers are leveraging well-known and trusted brands to trick recipients into reading their emails (because Walgreens, Kohls, or Walmart would never send spam, right?). In other words, this type of spam has a clear purpose: getting the recipient’s brain to say something like “I’m a loyal shopper at this store, so maybe they’re being nice and gave me a gift to reward that loyalty.”
But not your brain. Not today.
I took a peek inside RiskIQ’s threat research tool, PassiveTotal, to get some more information by pivoting off key internet datasets. I started with the email domain that was used for Reply-To in the email message (@pop404line[.]top).
Fig-2 In PassiveTotal, we can see the registrant info
Now that we have the domain let’s pivot on the WHOIS dataset to get the IP.
Fig-3 The IP address of “BCNCPA@Outlook.com” inside PassiveTotal
The domain points to a Russian IP address, which, in InfoSec, usually means that the domain we’re examining won’t be the only one that’s spamming. If you click on the email address inside of PassiveTotal, the spammer’s infrastructure will start to reveal itself in the form of an extensive list of associated domains—almost 30,000 in all!
Fig-4 A list of spammy domains associated with the domain
The results here have already been tagged as spam by SURBL, and were added to the RiskIQ blacklist as well.
Here are some other spam messages I received that you can tell are from the same spam gang:
Fig-5 Maybe your pharmacy of choice is Walgreens
Fig-6 Even their spam emails come in bulk!
Stay safe out there
If you wanted more detailed, proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—you will still want to query RiskIQ’s global blacklist, or zlist, APIs, for threat intel enrichment data.
Questions? Feedback? Email email@example.com to contact our research team..