On the trail of spammers


[17 Feb edit: updated the information and added in the link to the spreadsheet]

One of my weird(er) interests is to collect spam samples, not all spam though, the specific ones that were sent from friends’ email accounts. I’ve even asked for people to send me samples of such spam to me back in 2011 (the call for samples still stands though. More spam! More spam!).

What these spammers do with compromised email accounts is to send out spam using their email identities, in the hopes that someone would click through, and you know the rest.  What’s not very effective of such spam campaigns though, is that these spam would only contain a single URL in the body with no subject line at all.  Good for circumventing spam filters, not so good for getting even the careless to click through.  Lucky for us.

This type of spam has been sent since pre-2011
This type of spam has been sent since pre-2011 days

While the volume of such spam mails have been coming in at a trickle’s pace, they have always been coming in all these years.  The situation changed all of a sudden since yesterday:

influx of spam 14 feb 2013
Open the (spam) floodgates!

While there have been Yahoo! Webmail XSS vulnerabilities publicly known, and even sold in underground markets granting illegal access to Yahoo! Webmail accounts, this is still weird: Why would these accounts be used to send so much spam all of a sudden?  Did somebody accidentally dispatch a massive spam job through all the Yahoo accounts they had control over?

(If you have a Yahoo! Webmail account, it is highly recommended that you change your password (to a good one), and make sure that no one else has any way of regaining access to your webmail identity.)

After some digging around, the trail (all the redirected requests triggered AV alerts) becomes pretty obvious.  Looks like someone got greedy (or careless) here, because all the trails end at the same point…

Here’re some of the findings in spreadsheet form (last update 17 Feb 2013).  The links sent in the spam emails are all for .de (German) websites, which in turn redirect to what appears to be a site for work-from-home schemes.

An example trail: (URLs have been sanitized)

Sent 02/14/13
Sender IP
Sender Country ME, Montenegro
URL hxxp://www.miro-wilms.de/xpt/5rmosqw98fkz.u?quv3n9bmckdkey
Hostname IP
Hostname Country DE, Germany
Redirect hxxp://homeworkfreehere8.nl/?12/205
Hostname IP
Hostname Country LV, Latvia

For those who have networks to protect, the lists of details as follows:

Actual exploit-serving webhosts (DNS hostnames and IP addresses):

It would be a good idea to blacklist variants of the observed domains:

  1. homeworkfreehere[0-9]\.(com|net|nl)
  2. nextfreeworkhome[0-9]\.com
  3. workathomefreedigital[0-9]\.net

Observed domains so far:

  1. homeworkfreehere9.com
  2. homeworkfreehere3.net
  3. homeworkfreehere6.net
  4. homeworkfreehere7.net
  5. homeworkfreehere5.nl
  6. homeworkfreehere7.nl
  7. homeworkfreehere8.nl
  8. homeworkfreehere9.nl
  9. nextfreeworkhome1.com
  10. nextfreeworkhome9.com
  11. workathomefreedigital6.net

These domains generally have resolved to one IP address as of the time of analysis:

Hostname IP Hostname Country LV, Latvia US, United States

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s