Old nemesis spam becoming significant way for attackers to subvert data

IBM’s X-Force Threat Intelligence group warns of increasing spam threats

IBM-Cisco-old-nemesis-spam-becoming-significant-way-for-attackers-to-subvert-data
Credit: Cisco Security Research

Spam is once again raising its ugly head as a chief way for attackers to grab protected data.

IBM’s X-Force Threat Intelligence group said today that one of the key findings from its forthcoming Threat Intelligence Index for 2017 is that spam volume grew dramatically throughout 2016, bringing with its host of new malicious attachments harboring banking Trojans and ransomware.

+More on Network World: IBM technology moves even closer to human speech recognition parity+

“Attackers are not limited to a single set of tools, however. The ongoing expansion of domain name choices has added another instrument to the spammer’s toolbox: enticing recipients to click through to malicious sites, ultimately allowing attackers to infiltrate their networks,” wrote Ralf Iffert, Manager, X-Force Content Security in a blog about the spam findings. “More than 35% of the URLs found in spam sent in 2016 used traditional, generic top-level domains (gTLD) .com and .info. Surprisingly, over 20% of the URLs used the .ru country code top-level domain (ccTLD), helped mainly by the large number of spam emails containing the .ru ccTLD.”

Iffert continued: Even the lesser known domains are already well-established in spammers’ business model. Of the top 20 TLDs used in spam emails, X-Force observed seven new gTLDs in the top 10 ranks of the overall list: .click, .top, .xyz, .link, .club, .space and .site.

+More on Network World: Cisco’s Jasper deal – one year, 18 million new IoT devices later, challenges remain+

The new, generic top-level domains let spammers vary their domain URLs and thus bypass spam filters and some new gTLDs can cost as little as $1 to register, making them more lucrative to spammers who can automate the registration of hundreds of domains a day, Iffert wrote.

“We have some predictions about the use of specific gTLDs in 2017 and expect the previous gTLD usage trend to continue this year. For 2017, the use of the .xyz gTLD in spam emails appears set to continue on the same track. Over 6 million domains have already been registered using this gTLD, almost half of which provide only private/proxy WhoIs information on their registrants, an indicator of potentially dubious use of the domain,” Iffert wrote.

Cisco’s 2017 Annual Cybersecurity Report also recently said spam is making a resurgent threat to corporate security and becoming a more significant carrier of attacks as varied as spear phishing, ransomware and bots.

The problem is that 8% of that spam is malicious, but with the total volume roughly tripling over the course of 2016, that 8% represents a significant increase in total attempts. That’s something that might fly under the radar of CISOs unless they look for it or CIOs point it out, Cisco stated.

When end users fall for these attempts and click on a malicious link or attachment, “It almost always works on the workstation because the end user is executing the binary,” said says Franc Artes, an architect for Cisco’s security business group in a Network World report. Clicking on attachments or links can turn those endpoints into bots nearly instantaneously, he says, or could lead to ransomware infections.

Last September Cisco Talos wrote that spam was back in a big way – levels that have not been seen since 2010 in fact. Cisco Talos stated the main culprit of the increase is largely the handiwork of the Necurs botnet, stated the blog’s author Jaeson Schultz.

“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks. This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again. At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs,” he wrote.

Talos noted that Necurs recently switched from sending largely “Russian dating and stock pump-n-dump spam, to sending malicious attachment-based spam. This was the first time we'd seen Necurs send attachments. The malicious attachments were propagating either Dridex, a well-known strain of banking malware, or Locky, a prolific ransomware variant.”

Last June security researchers at Proofpoint stated they “detected a large Locky campaign with zip attachments containing JavaScript code. If opened, these attachments would download and install Locky with an Affiliate ID of "1" and DGA seed of 7743. The messages in this campaign had the subjects "Re:” with the attachment "services_[name]_[6 random digits].zip", “[name]_addition_[6 random digits].zip”  or "[name]_invoice_[6 random digits].zip". The zip files contained JavaScript files named "addition-[random digits].js."

“Unfortunately, there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be critical to an organization's survival. Restoration plans need to be regularly reviewed and tested to ensure no mistakes have been made and that items have not been overlooked,” Talos wrote.

Check out these other hot stories:

Cisco issues critical warning around Apache Struts2 vulnerability

IBM technology moves even closer to human speech recognition parity

Juniper product development chief resigns, company resets engineering makeup

Cisco Talos warns of new Cryptolocker ransomware campaigns

Extreme grabs Avaya’s networking business for $100M

Cisco reinforces HyperFlex hyperconvergence system with power, management features

U.S. Marshals warn against dual phone scams

Avaya wants out of S.F. stadium suite, not too impressed with 49ers either

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10