It's a Spam Party and You're Invited!

It’s a Spam Party

September 6, 2016, William MacArthur

mm

There’s a lot more to spam than meets the eye.

If you were to invite a bunch of random people to a party that you were hosting, you’d probably expect that the vast majority of them wouldn’t show up. However, you may get a few curious party-goers who are always down for a good rager, and a few more who may be unaware—or simply don’t care—that showing up to a stranger’s house is weird. Of course, the probability of more people showing up increases the more invitations you send out, especially if you happen to be famous or include an enticing hook in your invite (FREE BEER!).

It’s a silly analogy, but it’s the premise on which most spam email campaigns capitalize: Big numbers and popular brand names. Often, spam is a sheer numbers game. In 2013 it was estimated that there were nearly 100 billion spam emails sent every day. Even if only .0001% of those were opened and clicked, you’re still talking about 100,000 people showing up to the party.

According to Spamhaus, up to 80% of spam targeted at internet users around the world is generated by an extremely active and extremely savvy group of around 100 known persistent spam gangs. Many of these gangs execute their campaigns with botnet zombies, which may use spam payloads hosted offshore. Some of these gangs even hijack IP address space from companies, giving them more firepower with which to spam.

Spam comes with a $20 billion price tag for society at large, and spam management costs U.S. businesses more than $71 billion annually in lost productivity — around $712 per employee. I based the following post on some actual spam I received in my personal junk folder. It’s worth noting that the examples you’re about to see employ a very common—and particularly lucrative—way threat actors can turn a profit.

Below, I’ll cover some giant red flags that will identify spam, as well as how to use these red flags to uncover the true extent of a spam gang’s infrastructure. Let’s dive in!

Friendly names, malicious emails

The first email I’ll investigate is from CVS, one of the businesses that I frequent on a pretty regular basis. Overall, the spam messages I’m showing come from stores that I, and probably a majority of you, often visit. This is no surprise—the brands this spam gang is abusing are ubiquitous.

Red flag alert: The first thing anyone should notice about this spam email is the email addresses of the sender, located in the “Reply-To” section. It’s utilizing a known abusive gTLD (others include .top, .xyz, .win, .gdn).

rsz_cvs

Fig-1 A trustworthy brand; a suspicious TLD

The second thing that jumps out is the type of brands the sender is targeting. The spammers are leveraging well-known and trusted brands to trick recipients into reading their emails (because Walgreens, Kohls, or Walmart would never send spam, right?).  In other words, this type of spam has a clear purpose: getting the recipient’s brain to say something like “I’m a loyal shopper at this store, so maybe they’re being nice and gave me a gift to reward that loyalty.”

But not your brain. Not today.

I took a peek inside RiskIQ’s threat research tool, PassiveTotal, to get some more information by pivoting off key internet datasets. I started with the email domain that was used for Reply-To in the email message (@pop404line[.]top).

Screen-Shot-2016-08-31-at-10.39.56-PM

Fig-2 In PassiveTotal, we can see the registrant info

Now that we have the domain let’s pivot on the WHOIS dataset to get the IP.

Screen-Shot-2016-08-31-at-10.40.38-PM

Fig-3 The IP address of “BCNCPA@Outlook.com” inside PassiveTotal

The domain points to a Russian IP address, which, in InfoSec, usually means that the domain we’re examining won’t be the only one that’s spamming. If you click on the email address inside of PassiveTotal, the spammer’s infrastructure will start to reveal itself in the form of an extensive list of associated domains—almost 30,000 in all!

Screen-Shot-2016-08-31-at-8.26.43-PM

Fig-4 A list of spammy domains associated with the domain

The results here have already been tagged as spam by SURBL, and were added to the RiskIQ blacklist as well.

Here are some other spam messages I received that you can tell are from the same spam gang:

Walgreens

Fig-5 Maybe your pharmacy of choice is Walgreens

Costco

Fig-6 Even their spam emails come in bulk!

Stay safe out there

If you wanted more detailed, proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—you will still want to query RiskIQ’s global blacklist, or zlist, APIs, for threat intel enrichment data.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team..

Share: