There’s a lot more to spam than meets the eye.
If you were to invite a bunch of random people to a party that you were hosting, you’d probably expect that the vast majority of them wouldn’t show up. However, you may get a few curious party-goers who are always down for a good rager, and a few more who may be unaware—or simply don’t care—that showing up to a stranger’s house is weird. Of course, the probability of more people showing up increases the more invitations you send out, especially if you happen to be famous or include an enticing hook in your invite (FREE BEER!).
It’s a silly analogy, but it’s the premise on which most spam email campaigns capitalize: Big numbers and popular brand names. Often, spam is a sheer numbers game. In 2013 it was estimated that there were nearly 100 billion spam emails sent every day. Even if only .0001% of those were opened and clicked, you’re still talking about 100,000 people showing up to the party.
According to Spamhaus, up to 80% of spam targeted at internet users around the world is generated by an extremely active and extremely savvy group of around 100 known persistent spam gangs. Many of these gangs execute their campaigns with botnet zombies, which may use spam payloads hosted offshore. Some of these gangs even hijack IP address space from companies, giving them more firepower with which to spam.
Spam comes with a $20 billion price tag for society at large, and spam management costs U.S. businesses more than $71 billion annually in lost productivity — around $712 per employee. I based the following post on some actual spam I received in my personal junk folder. It’s worth noting that the examples you’re about to see employ a very common—and particularly lucrative—way cyber threat actors can turn a profit.
Below, I’ll cover some giant red flags that will identify spam, as well as how to use these red flags to uncover the true extent of a spam gang’s infrastructure. Let’s dive in!
Friendly names, malicious emails
The first email I’ll investigate is from CVS, one of the businesses that I frequent on a pretty regular basis. Overall, the spam messages I’m showing come from stores that I, and probably a majority of you, often visit. This is no surprise—the brands this spam gang is abusing are ubiquitous.
Red flag alert: The first thing anyone should notice about this spam email is the sender’s email address, located in the “Reply-To” section. It uses a known abusive gTLD (others include .top, .xyz, .win, .gdn).
Fig-1 A trustworthy brand; a suspicious TLD
The second thing that jumps out is the type of brands the sender is targeting. The spammers are leveraging well-known and trusted brands to trick recipients into reading their emails (because Walgreens, Kohls, or Walmart would never send spam, right?). In other words, this type of spam has a clear purpose: getting the recipient’s brain to say something like “I’m a loyal shopper at this store, so maybe they’re being nice and gave me a gift to reward that loyalty.”
But not your brain. Not today.
I took a peek inside RiskIQ’s cyber threat research tool, PassiveTotal, to get some more information by pivoting off key internet datasets. I started with the email domain that was used for Reply-To in the email message (@pop404line[.]top).
Fig-2 In PassiveTotal, we can see the registrant info
Now that we have the domain, let’s pivot on the WHOIS dataset to get the IP.
Fig-3 The IP address of “BCNCPA@Outlook.com” inside PassiveTotal
The domain points to a Russian IP address, which, in InfoSec, usually means that the domain we’re examining won’t be the only one that’s spamming. If you click on the email address inside of PassiveTotal, the spammer’s infrastructure will start to reveal itself in the form of an extensive list of associated domains—almost 30,000 in all!
Fig-4 A list of spammy domains associated with the domain
The results here have already been tagged as spam by SURBL, and were added to the RiskIQ blacklist as well.
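As an added example (not code from the original post or from RiskIQ’s tooling), the following Python applies the two red flags above to a constructed message modelled on the CVS spam, then mimics the registrant-email pivot over a small constructed WHOIS table; the Reply-To domain and registrant address are the ones shown in the figures, while the local-part, IPs and the other domains are placeholders:

```python
import email
from email.utils import parseaddr

# Abusive gTLDs named in the post; extend from your own blacklist feeds.
ABUSIVE_TLDS = {"top", "xyz", "win", "gdn"}
# Retail brands the post saw impersonated.
ABUSED_BRANDS = {"cvs", "walgreens", "kohls", "walmart"}

# Constructed sample message; the local-part of the addresses is a placeholder.
SAMPLE_MSG = """From: CVS Pharmacy <rewards@pop404line.top>
Reply-To: CVS Rewards <offer@pop404line.top>
Subject: Your $100 CVS reward is waiting

Claim your loyalty gift today!
"""

def domain_of(addr):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, mail = parseaddr(addr or "")
    return mail.rsplit("@", 1)[-1].lower() if "@" in mail else ""

def red_flags(raw):
    """Apply the post's red flags to one raw message; returns a list of findings."""
    msg = email.message_from_string(raw)
    flags = []
    # Red flag 1: Reply-To (falling back to From) lands in an abusive gTLD.
    reply_dom = domain_of(msg["Reply-To"]) or domain_of(msg["From"])
    if reply_dom.rsplit(".", 1)[-1] in ABUSIVE_TLDS:
        flags.append(f"reply-to domain {reply_dom} uses abusive TLD")
    # Red flag 2: a trusted brand in the display name/subject that the domain lacks.
    display, _ = parseaddr(msg["From"] or "")
    text = (display + " " + (msg["Subject"] or "")).lower()
    for brand in sorted(ABUSED_BRANDS):
        if brand in text and brand not in reply_dom:
            flags.append(f"brand '{brand}' in From/Subject but not in {reply_dom}")
    return flags

# Constructed WHOIS-style records standing in for the PassiveTotal pivot;
# IPs are documentation-range placeholders.
WHOIS = [
    {"domain": "pop404line.top", "registrant": "bcncpa@outlook.com", "ip": "203.0.113.10"},
    {"domain": "deal9x.top", "registrant": "bcncpa@outlook.com", "ip": "203.0.113.10"},
    {"domain": "gift-now.xyz", "registrant": "bcncpa@outlook.com", "ip": "203.0.113.11"},
    {"domain": "example.com", "registrant": "hostmaster@example.com", "ip": "192.0.2.1"},
]

def pivot_registrant(records, seed_domain):
    """Look up seed_domain's registrant, then return every domain sharing that registrant."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        return []
    return sorted(r["domain"] for r in records if r["registrant"] == seed["registrant"])
```

Against a real WHOIS or passive-DNS feed the same pivot returns the thousands of sibling domains the post describes, which is the list you would push to a blocklist.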
Here are some other spam messages I received that you can tell are from the same spam gang:
Fig-5 Maybe your pharmacy of choice is Walgreens
Fig-6 Even their spam emails come in bulk!
Stay safe out there
If you want more detailed, proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—you will also want to query RiskIQ’s global blacklist (zlist) APIs for threat intel enrichment data.
Questions? Feedback? Email email@example.com to contact our research team.