Dark Reading is part of the Informa Tech Division of Informa PLC

Unusual Spam Surge Under Way

Malware-laden spam jumps to 24 percent of all spam this week

Spam overall has remained relatively flat in the wake of major botnet takedowns during the past few months. But malicious spam suddenly began surging during the past two weeks, jumping from 13 percent of all spam to 24 percent yesterday.

The 13 percent hike was unusual, according to researchers at M86 Technologies, which spotted the trend. According to M86, this spike is the largest the firm has seen in two years.

"If you look at spam overall, it's still down from October of last year," says Ed Rowley, product manager for M86 Security. "In the last 12 months, we've seen takedowns of Spamit and others, and high-profile arrests ... It all had a real impact on spam."

Now it appears the spammers are trying to beef up their botnet armies, especially with many users on vacation and therefore more likely to open malicious attachments on their home machines and get infected, he says. Many of these newest scams are pushing fake antivirus, too.

"Spammers look like they are trying to recruit more bots for their armies, and the quickest way is to send out [lots of] emails with malicious attachments. They are also trying to make money at the same time," Rowley says.

M86 has spotted three main botnets that appear to be driving this malicious spam surge: Cutwail with the bulk of the attacks, followed by Festi and Asprox. Cutwail is using some old spam campaigns, such as FedEx, credit card, changelogs, and invoices. "The malware is attached within a compressed ZIP archive and is a Trojan that downloads additional malware including Fake AV, SpyEye and the Cutwail spambot itself," M86's Rodel Mendrez wrote in a blog post.

Festi is using UPS as its lure and sending with it the Chepvil Trojan downloader, which installs Fake AV, while Asprox is using hotel transaction spam messages that carry a password stealer and fake AV.
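The pattern common to all three campaigns above is a lure-themed subject line (FedEx, UPS, invoices, hotel transactions) with a ZIP attachment whose real payload is an executable. The following is an added example of a mail-gateway detection rule for that pattern; it is not code from the article or from M86, and the lure list, the extension list and the sample message are this example's own constructions.

```python
# Added example: flag mail that pairs a lure-themed subject with a ZIP attachment
# containing an executable, the delivery pattern described for Cutwail, Festi and Asprox.
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Lure themes named in the article; the regex and the extension list are assumptions of this example.
LURE_PATTERN = re.compile(r"\b(fedex|ups|invoice|changelog|credit card|hotel)\b", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")

def zip_has_executable(data: bytes) -> bool:
    """True if the ZIP contains a member whose name ends in an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(EXEC_EXT) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a parseable ZIP, so no executable member found

def score_message(raw: bytes) -> dict:
    """Return lure/attachment findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw)
    subject = msg.get("Subject", "")
    findings = {"lure": bool(LURE_PATTERN.search(subject)), "exec_in_zip": False}
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""  # base64-decoded attachment bytes
            if zip_has_executable(payload):
                findings["exec_in_zip"] = True
    findings["malicious"] = findings["lure"] and findings["exec_in_zip"]
    return findings

def build_sample(subject: str, zip_member: str) -> bytes:
    """Constructed sample: a message carrying one ZIP attachment that holds `zip_member`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zip_member, b"placeholder bytes, not a real binary")
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="tracking.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample("FedEx tracking number 123", "FedEx_Invoice.exe")))
```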

There are also signs that spammers are setting the stage for future campaigns in these initial attacks, Rowley says.

But the big news is the rapid uptick in these spam campaigns lately. "This is an epic amount of malicious spam," Mendrez said in his blog. "It seems spammers have returned from a holiday break and are enthusiastically back to work."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
