04:50 PM
Connect Directly

Spammers Work Up A Hailstorm

In their constant effort to evade anti-spam filters, spammers have devised a new way to deliver junk mail to your inbox.

With the best anti-spam systems being able to catch upwards of 99.9% of all spam email passing through them these days, spammers have been forced to constantly adapt and evolve their tactics. Researchers at Cisco Talos this week have an alert on the newest one.

The method is dubbed "hailstorm" and builds on an existing tactic favored by spammers called "snowshoe."

In snowshoe campaigns, spammers try to evade spam filters by sending bulk email from a very large number of IP addresses while ensuring that the volume of spam from each address itself is low. The goal with the approach is to try and stay under the radar of volume-based anti-spam systems by distributing the bulk email sending over a large network of computers.

Hailstorm spam also gets sent via a large network of sender IP addresses. The difference is that instead of sending a low volume of spam from each IP device, spammers send a very high volume in a short burst. "In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response," Cisco Talos researchers Jakob Dohrmann, David Rodriguez, and Jaeson Schultz wrote in the alert posted today.

The DNS query volumes associated with each method highlight the difference between a typical snowshoe campaign and a typical hailstorm attack, the researchers said.

For instance, the maximum query volume for a domain involved in a snowshoe campaign that the researchers analyzed was just 35 queries per hour. In contrast, when the researches looked at the DNS query volume for a domain caught up in a hailstorm campaign, they noticed practically no query volume for a period of time. Then they saw a sudden brief volume spike to over 75,000 queries per hour, and then back again to almost nothing. The initial spike in volume was caused by mail server activity associated with a sudden influx of emails, the researchers said.

“Hailstorm spammers are exploiting the tiny window of time from when the spam campaign begins and the anti-spam coverage is in place,” says Jaeson Schultz, technical leader, Cisco Talos. “During this window of time, they are able to land their mail into the inbox.”

Unlike snowshoe spammers who try to stay low, Hailstorm spammers do not appear interested in maintaining their cover for long. “The goal of hailstorm spam, rather, is to send as much email as possible as quickly as possible,” he says.

Analysis shows that spammers are using IP addresses around the world to propagate hailstorm spam. A bulk of the spam email however appears to be coming from IP addresses based in five countries—the US, Germany, Great Britain, Netherlands, and Russia.

As with most bulk email, hailstorm spam campaigns are more of a nuisance for end users rather than a threat. But the success that spammers appear to be having with hailstorm is prompting interest in the use of the technique for other, more dangerous, purposes as well. For instance, botnets such as Necurs have begun using hailstorm tactics to distribute malware, the Cisco Talos reearchers said.

Attacks from Necurs, for example, are largely distributing Dridex banking malware and Locky ransomware. “Evidently, this criminal activity is profitable enough to sustain these types of spam campaigns,” Schultz says.

From an adversary standpoint, the snowshoe method is better suited for spammers selling products because it gives them a way to remain hidden for longer from anti-spam systems.

Cybercrime activities such as distributing malware, meanwhile, tend to attract vastly more attention than spam, so for cybercriminals, hailstorm spam is a better choice, Schutz says. “Hailstorm campaigns will be caught rather quickly, but they will still manage to compromise enough victims to turn a profit.”

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.