Series Of Convincing Spam Runs Part Of One Massive Advanced Attack Campaign

Trend Micro researchers connect multiple spam attacks as single, targeted operation aimed at stealing online financial credentials

Recent widespread spam runs posing as convincing-looking email messages from LinkedIn, Facebook, ADP, American Express, US Airways, the U.S. Postal Service, UPS, and several other high-profile organizations are all part of a single, orchestrated attack campaign using the Blackhole exploit kit and aimed at stealing victims' online financial credentials, Dark Reading has learned.

Researchers at Trend Micro say they found multiple common threads that tie the spam messages together as one effort by one cybercriminal group, or multiple groups working together. "It's one operation probably run by two to three individuals very focused on the theft of financial credentials," and likely out of Eastern Europe, says Tom Kellermann, vice president of cybersecurity at Trend Micro. The attackers are using mostly Zeus and Cridex malware variants in the attacks via the Blackhole Exploit Kit, he says.

But this is not your father's spam: The attackers blended phishing, spear-phishing, drive-by downloads, and traffic redirection all into one attack. "Spam is not the right word for this," Kellermann says. "I call this phenomenon 'blast phishing' or 'dynamite phishing.'" And the attackers have done their homework on victims, as well, he says, targeting groups that have trusted relationships with specific organizations, for example.

"They are correlating information [about you] before they target you, and they are trying to bypass security measures ... by redirecting traffic to legitimate sites that have been hosed, and then pushing you back into nefarious sites where they scan for vulnerabilities," Kellermann says. That ultimately leads them to grabbing the victim's financial credentials via the exploits, he says.

Other well-known brands they are spoofing are Microsoft, Bank of America, AT&T, Citibank, Wells Fargo, Intuit, PayPal, the Apple Store, FedEx, HP ScanJet, CareerBuilder, Verizon, NACHA, Delta Airlines, FedWire, and CenturyLink. Trend Micro closely tracked the spam runs between April and June and was able to determine some key links among the seemingly separate spam runs.

The attack works like this: A user receives the fraudulent but convincing-looking email, and if he or she visits an embedded link in the message, then the victim is directed to a known and legitimate website that the attackers have compromised. (Trend Micro would not reveal which sites were hacked). A page there redirects the user to a malicious website or the landing page. There the user's machine is scanned for potential vulnerabilities that, when found, can be exploited and infect the machine with the information-stealing malware.

Among the common characteristics in the various spam runs that led Trend to conclude the campaigns were all related was they used some of same botnets and, in many cases, the same IP address was used in the exploit kits on different days and compromised websites were reused in several attacks.

"Websites that hosted a malicious Blackhole Exploit Kit landing page rarely hosted only one such page. Websites usually hosted several landing pages used in distinct spam runs. Spam runs frequently went on until the security holes that allowed websites to be compromised were patched," according to a report on the campaign that Trend will release tomorrow.

[ Obfuscated and encoded code prevents easy customization and creation of new versions of the Blackhole Exploit Kit. See Freebie Black Hole Exploit Kit Limited By Encoding. ]

There are similar URL patterns in the spam runs and on the compromised websites, too, and the attackers used similar exploit methods -- mostly Zeus (66 percent of the attacks) and Cridex (29 percent of the attacks). "Taken together, the conclusions indicate that the series of spam runs make up a coherent campaign that is being carried out by attackers who are organized in some manner," the Trend researchers wrote in their report.

The attackers also scheduled organized runs on certain days and in various volumes. In June, for example, they executed 134 different spam runs posing as 40 different companies, while in May they ran 66 separate spam runs posing as 21 different companies. And meanwhile, the attacks are still under way.

"It's worrisome that this exploit kit and this campaign kill chain could be leveraged for something more nefarious than stealing financial credentials," Trend Micro's Kellermann says.

And still unclear is just how they targeted their victims: Did they compromise any of the organizations they spoofed, or did they hack a third party with those email addresses or customer names? Trend's Kellermann says his firm has no evidence of either scenario, but the bad guys had to have some source of intelligence for their targets. "That's the real question we have to ask ourselves," Kellermann says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights