04:50 PM
Connect Directly

Spammers Work Up A Hailstorm

In their constant effort to evade anti-spam filters, spammers have devised a new way to deliver junk mail to your inbox.

With the best anti-spam systems being able to catch upwards of 99.9% of all spam email passing through them these days, spammers have been forced to constantly adapt and evolve their tactics. Researchers at Cisco Talos this week have an alert on the newest one.

The method is dubbed "hailstorm" and builds on an existing tactic favored by spammers called "snowshoe."

In snowshoe campaigns, spammers try to evade spam filters by sending bulk email from a very large number of IP addresses while ensuring that the volume of spam from each address itself is low. The goal with the approach is to try and stay under the radar of volume-based anti-spam systems by distributing the bulk email sending over a large network of computers.

Hailstorm spam also gets sent via a large network of sender IP addresses. The difference is that instead of sending a low volume of spam from each IP device, spammers send a very high volume in a short burst. "In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response," Cisco Talos researchers Jakob Dohrmann, David Rodriguez, and Jaeson Schultz wrote in the alert posted today.

The DNS query volumes associated with each method highlight the difference between a typical snowshoe campaign and a typical hailstorm attack, the researchers said.

For instance, the maximum query volume for a domain involved in a snowshoe campaign that the researchers analyzed was just 35 queries per hour. In contrast, when the researches looked at the DNS query volume for a domain caught up in a hailstorm campaign, they noticed practically no query volume for a period of time. Then they saw a sudden brief volume spike to over 75,000 queries per hour, and then back again to almost nothing. The initial spike in volume was caused by mail server activity associated with a sudden influx of emails, the researchers said.

“Hailstorm spammers are exploiting the tiny window of time from when the spam campaign begins and the anti-spam coverage is in place,” says Jaeson Schultz, technical leader, Cisco Talos. “During this window of time, they are able to land their mail into the inbox.”

Unlike snowshoe spammers who try to stay low, Hailstorm spammers do not appear interested in maintaining their cover for long. “The goal of hailstorm spam, rather, is to send as much email as possible as quickly as possible,” he says.

Analysis shows that spammers are using IP addresses around the world to propagate hailstorm spam. A bulk of the spam email however appears to be coming from IP addresses based in five countries—the US, Germany, Great Britain, Netherlands, and Russia.

As with most bulk email, hailstorm spam campaigns are more of a nuisance for end users rather than a threat. But the success that spammers appear to be having with hailstorm is prompting interest in the use of the technique for other, more dangerous, purposes as well. For instance, botnets such as Necurs have begun using hailstorm tactics to distribute malware, the Cisco Talos reearchers said.

Attacks from Necurs, for example, are largely distributing Dridex banking malware and Locky ransomware. “Evidently, this criminal activity is profitable enough to sustain these types of spam campaigns,” Schultz says.

From an adversary standpoint, the snowshoe method is better suited for spammers selling products because it gives them a way to remain hidden for longer from anti-spam systems.

Cybercrime activities such as distributing malware, meanwhile, tend to attract vastly more attention than spam, so for cybercriminals, hailstorm spam is a better choice, Schutz says. “Hailstorm campaigns will be caught rather quickly, but they will still manage to compromise enough victims to turn a profit.”

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Microsegmentation: Strong Security in Small Packages
Avishai Wool, Co-Founder and CTO at AlgoSec,  4/12/2018
7 Non-Financial Data Types to Secure
Curtis Franklin Jr., Senior Editor at Dark Reading,  4/14/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.