Is Spam Increasing? A Look At Some New March Campaigns

Seeing more spam? You're not alone.

Global spam increased 64 percent last month, according to Cisco's IronPort Threat Operations Center. And the election of a new Pope hasn't quelled the unholy barrage of junk and malicious email. Barracuda Networks caught more than 400,000 emails purporting to be CNN news updates with salacious Pontiff-related headlines. One click, and the user is delivered to a domain that redirects straight to the Blackhole exploit kit.

Security Bistro recently caught up with Andrew Brandt, Threat Research Director at Solera Networks. He penned a blog post last week about a new spam campaign featuring URLs that direct individuals to — what appeared to be — compromised personal and small business web sites.

Since the spam business appears to be booming, we asked Brandt about the new spring spam campaigns and why March seems to be picking up right where February left off.

“It does appear that the volume of malicious spam, which we consider to be messages with either an attached malware executable (usually zipped) or with one or more embedded URLs that lead to sites which perform browser exploits as a method of infection, significantly increased over what we saw in February,” Brandt told Security Bistro. “There was a big spam push around the end of the year. During that period, Solera Networks saw a large amount of spam between the week before Christmas and New Year's. Since then, it slowed down in January and February, and is starting to pick back up again.”

The latest ploys all seem to share a certain common characteristic, utilizing a similar fake “stock” email template. Recent examples include LinkedIn “Join My Network” messages and “Payment confirmation” spam that claims to have come from AT&T and PayPal. They're counting on the fact that many users simply don't scrutinize these messages before clicking, he wrote.

Brandt told Security Bistro that the campaigns share more than a look: malware delivered by two different March spam emails communicated with the same command-and-control (CnC) servers.

“Take for example the case of two different malicious email campaigns, one on March 4, the other on March 18. In the instance at the beginning of the month, the infection method used an HTML file attachment; later in the month, the message had malicious links. Both delivered the victim's PC to the Redkit exploit kit and both delivered malware,” he said. “We infected a testbed PC in each instance, and permitted it to idle and 'phone home' over an extended period. During the time when both infected machines were engaged in CnC communications, they talked to the same servers: even when the CnC servers rotated to different IP addresses, which happened about every six to 18 hours, both infected machines switched to the new CnC server IP addresses simultaneously.”
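The synchronized rotation Brandt describes is something a defender can hunt for in their own telemetry. The script below is an added example, not Solera Networks' tooling and not code from the article: it takes outbound connection records from several sandboxed or suspect hosts, keeps only destinations contacted by more than one host, and reports transitions where those hosts moved from one destination to another within a short window. The log format, host names, IP addresses and timestamps are all constructed for the demonstration.

```python
"""Correlate outbound connection logs across hosts to spot shared CnC
infrastructure and synchronized IP rotation.

Added example; the flow format and every value in SAMPLE_FLOWS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, source host, destination IP, destination port.
# Two sandboxes beacon to one IP, then both move to a second IP about 13 hours later.
# 192.0.2.80 is contacted by a single host only and should not be treated as CnC.
SAMPLE_FLOWS = """\
# timestamp            host       dst_ip        dport
2013-03-18T12:00:00 sandbox-a 203.0.113.10 8080
2013-03-18T12:00:30 sandbox-b 203.0.113.10 8080
2013-03-18T12:30:00 sandbox-a 192.0.2.80   80
2013-03-18T13:00:00 sandbox-a 203.0.113.10 8080
2013-03-18T13:00:30 sandbox-b 203.0.113.10 8080
2013-03-19T01:00:00 sandbox-a 198.51.100.7 8080
2013-03-19T01:00:45 sandbox-b 198.51.100.7 8080
2013-03-19T02:00:00 sandbox-a 198.51.100.7 8080
2013-03-19T02:00:45 sandbox-b 198.51.100.7 8080
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format into dicts, sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, port = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dst": dst, "port": int(port)})
    return sorted(flows, key=lambda f: f["ts"])


def shared_destinations(flows, min_hosts=2):
    """Destinations contacted by at least min_hosts distinct hosts."""
    hosts_by_dst = defaultdict(set)
    for f in flows:
        hosts_by_dst[f["dst"]].add(f["host"])
    return {dst: hosts for dst, hosts in hosts_by_dst.items() if len(hosts) >= min_hosts}


def rotation_events(flows, candidates):
    """Per host, record each change of beacon target among candidate CnC IPs.

    Returns (timestamp, host, old_dst, new_dst) tuples in time order.
    """
    last_dst = {}
    events = []
    for f in flows:
        if f["dst"] not in candidates:
            continue
        prev = last_dst.get(f["host"])
        if prev is not None and prev != f["dst"]:
            events.append((f["ts"], f["host"], prev, f["dst"]))
        last_dst[f["host"]] = f["dst"]
    return events


def synchronized_rotations(flows, window=timedelta(minutes=10), min_hosts=2):
    """Find old->new transitions that at least min_hosts hosts made within `window`."""
    candidates = shared_destinations(flows, min_hosts)
    by_transition = defaultdict(list)
    for ts, host, old, new in rotation_events(flows, candidates):
        by_transition[(old, new)].append((ts, host))

    findings = []
    for (old, new), hits in by_transition.items():
        hits.sort()
        first_ts = hits[0][0]
        in_window = [(ts, h) for ts, h in hits if ts - first_ts <= window]
        hosts = {h for _, h in in_window}
        if len(hosts) >= min_hosts:
            findings.append({"old": old, "new": new, "hosts": sorted(hosts),
                             "spread": in_window[-1][0] - first_ts})
    return findings


if __name__ == "__main__":
    for finding in synchronized_rotations(parse_flows(SAMPLE_FLOWS)):
        print(f"{finding['hosts']} moved {finding['old']} -> {finding['new']} "
              f"within {finding['spread']}")
```

Run stand-alone it prints the one finding in the sample: both sandboxes leave 203.0.113.10 for 198.51.100.7 within 45 seconds. On real data, feed it NetFlow or proxy logs and widen the window to match your collection granularity; destinations seen from only one host, such as the 192.0.2.80 entry, are dropped before rotation is assessed, which keeps ordinary single-host traffic out of the result.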

Brandt said that enterprises must engage in an education-first strategy in order to prevent these omnipresent emails from wreaking havoc on their networks.

“Users are the weak points in these attacks. When infections do, inevitably, happen, it pays to be able to identify exactly how it happened so you can reinforce the good habits — like scrutinizing links in messages, or teaching employees not to open Zip attachments from unknown sources,” he said. “IT admins should also push a policy that changes the default Windows behavior of hiding file extensions for known file types. That way, people are less likely to be fooled by malware executables that use a PDF document icon, for example.”
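A mail gateway or endpoint check can enforce part of that advice mechanically, rather than relying on every user noticing a hidden extension. The following is an added example, not from the article and not Solera Networks' code: it inspects a zip attachment and flags members whose names carry an executable extension behind a document extension (the trick that hidden extensions and a borrowed PDF icon make invisible), plus members whose bytes begin with the PE "MZ" signature despite a harmless-looking name. The archive and its contents are constructed in memory; the extension lists are this example's assumption, not an exhaustive policy.

```python
"""Flag zip attachments that carry executables disguised as documents.

Added example; the archive built by build_sample_zip() is constructed and the
extension sets are an assumption for the demo, not a complete policy.
"""
import io
import zipfile

# Assumed lists: extensions Windows will execute, and document-like extensions
# that attackers place in front of them ("invoice.pdf.exe").
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name):
    """Return a reason string if the file name looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1].lower()      # ignore any folder inside the archive
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return f"double extension: looks like {parts[-2]} but is {ext}"
    return f"executable {ext}"


def scan_zip_attachment(data):
    """Scan raw zip bytes; return [(member_name, reason)] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            # A renamed PE still starts with the DOS "MZ" magic; read only two bytes.
            with zf.open(info) as member:
                head = member.read(2)
            if reason is None and head == b"MZ":
                reason = "PE header (MZ) under a non-executable name"
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed attachment: a double-extension PE, a renamed PE, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_confirmation.pdf.exe", b"MZ" + b"\x00" * 62)  # stand-in PE bytes
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)                   # PE renamed as a document
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

The name check alone catches the "Payment_confirmation.pdf.exe" pattern the spam relies on; the magic-byte check adds coverage for a payload renamed to end in ".pdf" that a later stage would rename back. Extend the extension sets to match your own allow and block policy before deploying anything like this at a gateway.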

In the case of the latest March spam campaigns (which were sending users to compromised personal and small business web sites), Brandt is offering some additional advice. While normally he'd suggest folks simply look before they click, he is taking a different tack with these latest threats, since the malicious URLs point to a distinctive folder path used by a WordPress plugin.

“If you run a site based on WordPress, Joomla, or any other popular CMS, please take a few moments to check that both the CMS code itself, and any third-party plugins you may have installed, are up-to-date with the latest versions,” he added.

Simple steps like these won't stop the spam freight train that's been inundating mailboxes, but they go a long way toward keeping it from derailing your enterprise.