Spam in 2015: Botnets, Malicious Links on the Rise

2015It’s a new year, and that’s always a good time to review security policies and threat analyses. 2014 was a year filled with big news stories about hacks, and there’s no reason to believe that things are going to get any better. Leading the news were the Apple iCloud leak, the Sony hack fiascoes (there were more than one), and a number of prominent data breaches. If these stories aren’t enough to make you revisit your network hardening, then you must have a pretty secure infrastructure and I’d like to find out how you did it.

It’s 2015, and as we look forward to the new year, we can only guess what problems hackers and spammers have in store for us, but it’s a safe bet that whatever we do to be proactive, they’re going to find a way to break it. We can look back at 2014, though, to see what trends became apparent. By understanding what happened, we can make some educated guesses about this year’s threat landscape, and it all starts with botnets.

According to the Spamhaus Botnet Summary 2014, botnet use is on the rise. It’s no surprise that Spamhaus reports “the majority of detected botnets are targeted at obtaining and exploiting banking and financial information. Botnet controllers (C&Cs) are hosted disproportionately on ISPs with understaffed abuse departments, inadequate abuse policies, or inefficient abuse detection and shutdown processes. Botnet C&C domains are registered disproportionately with registrars in locations that have lax laws or inadequate enforcement against cybercrime.” According to, “in 2014, Spamhaus detected 7,182 distinct IP addresses that hosted a botnet controller, which is an increase of 525 — or approximately eight percent — over the number recorded in 2013. C&C centers were hosted on a total of 1,183 networks.”

Interestingly enough, IP addresses hosting C&C servers are not hosted in countries typically considered to be the usual suspects. Spamhaus reports that a network in France comes in at number one with 189 C&C servers; Germany at number two with 124; and the Netherlands comes in third at 120.

On the malware side, the report identified ZeuS as the runaway leader, being found on 2,246 C&C servers. Citadel comes in at number two, with 1,127. Asprox, a spambot, was a distant third, being found on 566 server. Both ZeuS and Citadel are e-banking Trojans, so it’s pretty clear what the primary focus of spammers is. It’s all about the Benjamins, baby.

On the spam side, we’re seeing sharp rises in malicious links as spammers drift away from attachments. This makes plenty of sense, because everyone emphasizes the danger of attachments, but many people are comfortable with clicking links and don’t seem to get that links can be spoofed. And it’s a no-brainer that spam filters are looking for attachments, whereas links are more benign. According to Help Net Security, spam emails containing malicious links rose from 7 percent in October to 41 percent in November, a whopping increase over a month. That number continued to climb in December. “While many malicious emails come with an attachment, organizations can block and filter these types of messages,” a security expert tells HNS. It’s suspected that “the Cutwail botnet (Trojan.Pandex) is behind some of the recent spam messages, along with other botnets, and that attackers have resorted to using links in a bid to avoid email security products that scan for malicious attachments.”

According to, “during last few weeks, cybercriminals have been relaying out social engineered messages like emails about voicemail and fax notifications. These emails may contain information usually included in genuine fax and voicemail messages like confirmation number or caller identification but the information itself is phony.” The payload here is to be found only after the user has clicked the dirty link. “The common thread in each email is links given in emails and these links use hijacked domains having URL path which leads to a PHP landing page. Users are led to a malicious file…when they click on the links.”

Botnets and dirty links seem to be the outlook for 2015, but of course we cannot assume that it will stop there. Spammers are nothing if not multitasking. Spamhaus doesn’t see a cessation in the use of botnets, but they do offer some sage advice. “Because techniques used by criminals online are always changing, it is best to use a multi-layered defense, which should include keeping users away from dangerous resources such as the ones [in the report]. Spamhaus will continue working to protect internet users worldwide and continue helping networks and registrars to keep their assets clean.”