With the best anti-spam systems being able to catch upwards of 99.9% of all spam email passing through them these days, spammers have been forced to constantly adapt and evolve their tactics. Researchers at Cisco Talos this week have an alert on the newest one.
The method is dubbed "hailstorm" and builds on an existing tactic favored by spammers called "snowshoe."
In snowshoe campaigns, spammers try to evade spam filters by sending bulk email from a very large number of IP addresses while ensuring that the volume of spam from each address itself is low. The goal with the approach is to try and stay under the radar of volume-based anti-spam systems by distributing the bulk email sending over a large network of computers.
Hailstorm spam also gets sent via a large network of sender IP addresses. The difference is that instead of sending a low volume of spam from each IP device, spammers send a very high volume in a short burst. "In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response," Cisco Talos researchers Jakob Dohrmann, David Rodriguez, and Jaeson Schultz wrote in the alert posted today.
The DNS query volumes associated with each method highlight the difference between a typical snowshoe campaign and a typical hailstorm attack, the researchers said.
For instance, the maximum query volume for a domain involved in a snowshoe campaign that the researchers analyzed was just 35 queries per hour. In contrast, when the researches looked at the DNS query volume for a domain caught up in a hailstorm campaign, they noticed practically no query volume for a period of time. Then they saw a sudden brief volume spike to over 75,000 queries per hour, and then back again to almost nothing. The initial spike in volume was caused by mail server activity associated with a sudden influx of emails, the researchers said.
“Hailstorm spammers are exploiting the tiny window of time from when the spam campaign begins and the anti-spam coverage is in place,” says Jaeson Schultz, technical leader, Cisco Talos. “During this window of time, they are able to land their mail into the inbox.”
Unlike snowshoe spammers who try to stay low, Hailstorm spammers do not appear interested in maintaining their cover for long. “The goal of hailstorm spam, rather, is to send as much email as possible as quickly as possible,” he says.
Analysis shows that spammers are using IP addresses around the world to propagate hailstorm spam. A bulk of the spam email however appears to be coming from IP addresses based in five countries—the US, Germany, Great Britain, Netherlands, and Russia.
As with most bulk email, hailstorm spam campaigns are more of a nuisance for end users rather than a threat. But the success that spammers appear to be having with hailstorm is prompting interest in the use of the technique for other, more dangerous, purposes as well. For instance, botnets such as Necurs have begun using hailstorm tactics to distribute malware, the Cisco Talos reearchers said.
Attacks from Necurs, for example, are largely distributing Dridex banking malware and Locky ransomware. “Evidently, this criminal activity is profitable enough to sustain these types of spam campaigns,” Schultz says.
From an adversary standpoint, the snowshoe method is better suited for spammers selling products because it gives them a way to remain hidden for longer from anti-spam systems.
Cybercrime activities such as distributing malware, meanwhile, tend to attract vastly more attention than spam, so for cybercriminals, hailstorm spam is a better choice, Schutz says. “Hailstorm campaigns will be caught rather quickly, but they will still manage to compromise enough victims to turn a profit.”