Belarus New Spam Champ, Summer Spam Scams Take Off: Cloudmark

Summer is in full swing here in the northern hemisphere, and that means cold drinks, hot sun, barbecues, and depending on your proclivity for dangerous aesthetics, sunbathing. But it also means that the spammers, those mavens of all things ridiculous and moronic, are in full swing, hitting your email addies with arguably ingenious campaigns designed to make you lower your guard and open up your wallet.

Not ones to miss an opportunity, the spammers and scam artists haven’t missed a beat, according to security firm Cloudmark, which recently released its Global Messaging Threat Report for the second quarter of 2013. The report homes in on some of the more prominent campaigns that spammers are using to get our attention, and not surprisingly, summer themes are in full swing. Cruises and dieting top the list, and at their peak during the quarter constituted more than 20% of all the SMS spam messages being delivered to mobile devices. While the numbers reported were for SMS, it’s reasonable to infer that email spam followed the same trends.

Non-summer themes were represented by the usual cadre, with the ever-dangerous bank phishing attack coming in at just over 20%, and adult-themed spam a close second at just under 20%. Most notable, however, was that gift card spam virtually dropped off the map, and Cloudmark notes that the FTC’s action in March to target gift card spammers is the likely reason.

Diet and hacked domains

Those getting ready for that speedo or string bikini are a prime target for spammers. June saw a massive spike in diet schemes using hacked domains, Cloudmark’s research uncovered. Drawing from a large number of compromised domains allowed spammers to keep the emails fresh and thus avoid detection. Cloudmark also noticed that phishing attacks rose sharply in the second half of the quarter, but a new twist was the way phishers “diversified their attacks with efforts to steal email, mobile, and social media accounts,” which could then be used to steal sensitive personal information.

Web hosting a target

Interestingly, Cloudmark also saw a dramatic increase in the number of compromised Web hosting accounts, and the firm noted that 60% of those domains were still under the control of the spammers a month after being compromised. “The same accounts are being used by different spammers, so we believe that one or more criminals is specializing in compromising these accounts, and is renting them out as a service to a collection of miscreants.” Cloudmark notes that these hosting sites are a choice target due in no small part to the “outdated software with known vulnerabilities that are trivial to exploit.”

Cloudmark uncovers the technology behind these attacks, and it’s surprisingly easy. “Spammers do not need root access to the account in order to take advantage of it. All they need is a PHP shell, and they exploit a number of different vulnerabilities in order to obtain this access. By far the most common technique at the moment, accounting for 60% of all compromised accounts, is an SQL injection attack in Joomla 1.5, which allows a reset of the admin password. This bug was patched in 2008, but many web sites have not updated their Joomla version since then.”

My country ‘tis of spam

Perhaps the most interesting facet of Cloudmark’s report is IP blocking that Cloudmark recorded during the second quarter. Unsurprisingly, Romania and the United States remain at the top of the heap in terms of volume, with both nations hovering around three million blocked IPs during the period. But what was remarkable was the growth of blocked addresses coming out of Belarus. Although the country’s overall number is relatively low, its percentage of blocked IP addresses has shot up to more than a quarter of its total IP address space, at 27.4%. This is in contrast to January of this year, when approximately five percent of the Belarus address space was being blocked.

Speaking to PC Magazine, Cloudmark researcher Andrew Conway pointed out that Cloudmark was “blocking so much of Romania that spammers started moving to Belarus and Russia,” and that “spammers will follow the path of least resistance.” Cloudmark did notice a reversal in the trend near the end of the quarter, with Romania’s numbers increasing, while Belarus and Russia declined slightly. “It is possible that hosting companies in Russia and Belarus realized spammers were exploiting them and tightened up their security, forcing the spammers back to less selective hosting companies in Romania.”
