Friday, January 11, 2013

Preparations for a spam campaign

We have discussed a number of spam and malware campaigns on this blog. This time, I'll show what happens in the days and weeks before a campaign starts. I've found two examples that show the steps spammers take in preparation for their campaign.

First step: hijack websites

The spammers need to ensure that their spam e-mails or messages are not quickly flagged as spam. One technique to avoid spam filters is to use existing websites with a good reputation to redirect users. These domains are not on any blacklist and should already be known and categorized by security vendors. This is a better alternative, from the spammer's point of view, to free hosting and DNS providers such as .co.cc and .tk, which do not have a good reputation.

Unfortunately, hacking legitimate websites in large numbers is quite easy these days. Popular open-source platforms, like WordPress, Joomla and Drupal, contain a lot of security vulnerabilities (in the core software and the plugins), which attackers can take advantage of.

The first campaign I spotted was hijacking German Joomla! sites. All the hijacked sites seem to be running Joomla 1.7. I'm not sure if the attacker used the privilege escalation issue, the XSS vulnerability or one of the 23 other vulnerabilities found in 2013.

The other campaign targeted WordPress sites, an open-source platform loved by webmasters and attackers.

Step 2: hide the malicious page before the campaign

Rather than modifying existing pages, the attackers add new pages to the hijacked sites. They often put these files in hidden directories (names starting with a dot), temporary folders, or plugin folders.

On the Joomla sites, the malicious files were placed in /tmp/, for example:
  • hxxp://www.original-ettaler.de/tmp/gmmsxlibort.php
  • hxxp://www.neumann-arbeitsbuehnenvermietung.de/tmp/gmmsxlibort.php
  • hxxp://www.myatrium.de/tmp/gmmsxlibort.php
  • hxxp://www.optik-boysen.de/tmp/gmmsxlibort.php
  • hxxp://www.onepos.de/tmp/gmmsxlibort.php
  • etc.
For the WordPress sites, the attackers hid the malicious files in folders used by common WordPress plugins and themes:
  • hxxp://gv-global.com/components/com_ag_google_analytics2/gmmsx.html
  • hxxp://www.highontheheart.com/wp-content/themes/twentytwelve/gmmsx.html
  • hxxp://dreamzinfrabangalore.org/wp-content/themes/twentytwelve/gmmsx.html
  • hxxp://jivakafoundation.org/components/com_ag_google_analytics2/gmmsx.html
  • hxxp://agg-systems.eu/components/com_ag_google_analytics2/gmmsx.html
  • hxxp://vacationrentalbusiness.net/wp-content/themes/twentytwelve/gmmsx.html
  • etc.
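The placement pattern above (a web-executable file in /tmp/, a stray .html in a theme or component folder, anything under a dot-directory) is easy to audit for on a site you administer. The following script is an added example and not code from the original post: it walks a web root and reports files sitting in those drop zones. The sample tree it builds is constructed to mirror the paths listed above; the allowlist for Joomla's own index.html placeholder files is an assumption about a stock install and should be adjusted for your CMS.

```python
"""Flag files placed where the post says attackers hide redirect pages.

Added example (not the blog's code). Heuristics, in order:
  1. any file under a hidden directory (name starts with '.')
  2. a web-executable file (.php/.html/...) inside tmp/ or cache/
  3. a static .html/.htm dropped into a plugin, theme or component folder
"""
import os
import tempfile
from pathlib import Path

WEB_EXECUTABLE = {".php", ".phtml", ".php5", ".html", ".htm"}
TEMP_DIRS = {"tmp", "cache"}
EXTENSION_DIRS = {"components", "modules", "plugins", "themes"}
# Assumption: stock Joomla ships an empty index.html in most folders as a
# directory-listing guard, so that one name is not worth an alert.
PLACEHOLDER_NAMES = {"index.html"}


def classify(rel_path: str):
    """Return a reason string if the path looks like a dropped page, else None."""
    rel = Path(rel_path)
    dirs = rel.parts[:-1]
    suffix = rel.suffix.lower()
    if any(d.startswith(".") for d in dirs):
        return "file inside hidden directory"
    if suffix not in WEB_EXECUTABLE:
        return None
    if any(d in TEMP_DIRS for d in dirs) and rel.name not in PLACEHOLDER_NAMES:
        return "web-executable file in temporary folder"
    if suffix in {".html", ".htm"} and any(d in EXTENSION_DIRS for d in dirs):
        return "static .html dropped in plugin/theme/component folder"
    return None


def find_suspicious_files(root):
    """Walk `root` and return sorted (relative_path, reason) pairs."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            reason = classify(rel)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed web root (empty files) echoing the post's paths."""
    for rel in [
        "index.php",
        "tmp/index.html",                      # Joomla placeholder, benign
        "tmp/gmmsxlibort.php",                 # dropped redirect script
        "wp-content/themes/twentytwelve/style.css",
        "wp-content/themes/twentytwelve/index.php",
        "wp-content/themes/twentytwelve/gmmsx.html",
        "components/com_ag_google_analytics2/google_analytics.php",
        "components/com_ag_google_analytics2/gmmsx.html",
        ".files/door.php",
    ]:
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


def demo():
    """Build the sample tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_suspicious_files(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:55s} {rel}")
```

Run it against a real document root (`find_suspicious_files("/var/www/html")`) and compare the output with a known-good copy of the site or the package file list; a legitimate theme rarely needs a new .html file, and nothing legitimate needs to live in a dot-directory under tmp/.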

Step 3: keep out security scanners

Attackers don't want security tools to flag their redirection pages as malicious before the campaign. One common technique is to make the pages redirect all visitors to a harmless website, like http://www.google.com/, until the campaign is ready to start.

Once the campaign is running, the redirection pages still try to separate legitimate users from security scanners. They can check the visitor's IP address, perform the redirection with Flash or JavaScript rather than a plain HTTP redirect, and use cookies or IP addresses to track visitors so that each one is redirected only once.
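A scanner that only follows HTTP Location headers misses all of the tricks just described, so it helps to look at the page body itself for the redirect and for the gating logic around it. The analyzer below is an added example, not code from the original post: it extracts redirect targets from meta refresh tags and JavaScript location assignments, notes evasion indicators (cookie checks, user-agent or referrer checks, Flash embeds, delayed redirects), and labels the page as parked, live, or live and evasive. The two HTML pages are constructed samples, and the benign-host list and the `.invalid` domain are assumptions.

```python
"""Classify a redirection page by what its body does, not by its HTTP status.

Added example (not the blog's code). Regex-based extraction of redirect
targets plus a few evasion indicators, applied to constructed sample pages.
"""
import re
from urllib.parse import urlparse

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\">\s]+)", re.I)
JS_ASSIGN = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
JS_REPLACE = re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]", re.I)

# Evasion indicators: (label, pattern). Labels are this example's own names.
INDICATORS = [
    ("cookie-gated", re.compile(r"document\.cookie", re.I)),
    ("ua-or-referrer-check", re.compile(r"navigator\.userAgent|document\.referrer", re.I)),
    ("flash-embed", re.compile(r"<(?:object|embed)\b[^>]*\.swf", re.I)),
    ("delayed-redirect", re.compile(r"setTimeout\s*\(", re.I)),
]
# Assumption: hosts a parked page points at while the campaign is not live.
BENIGN_HOSTS = {"www.google.com", "google.com"}


def analyze_redirect_page(html: str) -> dict:
    """Return the redirect targets, their hosts and any evasion indicators."""
    targets = []
    for tag in META_TAG.findall(html):
        if re.search(r"http-equiv\s*=\s*['\"]?refresh", tag, re.I):
            m = META_URL.search(tag)
            if m:
                targets.append(m.group(1))
    targets += JS_ASSIGN.findall(html)
    targets += JS_REPLACE.findall(html)
    targets = list(dict.fromkeys(targets))          # dedupe, keep order
    hosts = [urlparse(t).hostname or "" for t in targets]
    indicators = [label for label, pat in INDICATORS if pat.search(html)]
    return {"targets": targets, "hosts": hosts, "indicators": indicators}


def stage(result: dict) -> str:
    """Map an analysis result to the campaign stage the post describes."""
    if not result["targets"]:
        return "no-redirect"
    if result["indicators"]:
        return "live-evasive"
    if all(h in BENIGN_HOSTS for h in result["hosts"]):
        return "parked"
    return "live"


# Constructed sample: the "curtains closed" page, everything goes to Google.
PARKED_PAGE = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=http://www.google.com/"></head><body></body></html>')

# Constructed sample: first visit goes to the spam site, repeat visits (and
# scanners re-fetching the page) are bounced to Google via a cookie check.
LIVE_PAGE = """<html><body><script>
if (document.cookie.indexOf("seen=1") === -1) {
  document.cookie = "seen=1; path=/";
  window.location = "http://news-example.invalid/?12/2";
} else {
  location.href = "http://www.google.com/";
}
</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("parked", PARKED_PAGE), ("live", LIVE_PAGE)):
        r = analyze_redirect_page(page)
        print(name, "->", stage(r), r["hosts"], r["indicators"])
```

The point of the `stage` label is operational: a page that is merely parked today is worth re-checking, and a page whose only non-benign target is reachable through a cookie or referrer branch is exactly the one a single headless fetch would miss.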

Step 4: open the curtains

Once the spammer has gathered enough legitimate sites and the e-mails or messages are being sent out, the redirection pages are switched to point users to the malicious site.

For the Joomla campaign, the final spam page is hxxp://www.dailynews.com.2012.fashion.italy.moda.trends.luxurynws.com/. As is often the case with these types of scams, the page looks like an official newspaper article extolling the merits of some product or work-from-home scheme. In this case, the products are replicas of luxury watches.

Fake news article about replica watches

The second spam campaign redirects to the usual Work from Home scam at hxxp://newsmarket3nextgenonline.com/?12/2. This site is currently down.

Example of Work From Home scam

Now you know what goes on before these spam e-mails hit your mailbox.
