Cisco Talos: Spam at levels not seen since 2010

Blame largely falls at the cyber-doorstep of Necurs botnet


Spam is back in a big way, at levels that have not been seen since 2010. That’s according to a blog post today from Cisco Talos, whose author, Jaeson Schultz, wrote that the increase is largely the handiwork of the Necurs botnet.


“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks. This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again. At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs,” he wrote.
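The pattern Schultz describes, a host sending for a few days and then going quiet for weeks, argues for tracking sender IPs over time rather than closing an incident when the spam stops. The following is an added example, not code from Talos or Network World: it groups constructed (date, IP) sightings into bursts and reports IPs that resurfaced after a long gap. The gap thresholds and the sample data are assumptions.

```python
"""Spot spam-sending IPs that go quiet and later come back.

Added example, not from the Talos post. The sightings below are
constructed and stand in for an outbound-spam or MTA reject log.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: each tuple is (day spam was seen, sending IP).
SIGHTINGS = [
    (date(2016, 8, 1), "192.0.2.10"),
    (date(2016, 8, 2), "192.0.2.10"),
    (date(2016, 8, 3), "192.0.2.10"),
    (date(2016, 8, 24), "192.0.2.10"),   # back after a three-week gap
    (date(2016, 8, 25), "192.0.2.10"),
    (date(2016, 8, 1), "198.51.100.7"),
    (date(2016, 8, 2), "198.51.100.7"),  # one burst, never seen again
    (date(2016, 8, 5), "203.0.113.4"),
    (date(2016, 8, 6), "203.0.113.4"),
    (date(2016, 8, 7), "203.0.113.4"),
    (date(2016, 8, 8), "203.0.113.4"),   # continuous, no gap
]


def active_periods(days, max_gap=timedelta(days=3)):
    """Group sorted days into bursts; a new burst starts when the gap
    between consecutive sightings exceeds max_gap (assumed threshold)."""
    periods = []
    start = prev = None
    for d in sorted(days):
        if prev is None or d - prev > max_gap:
            if start is not None:
                periods.append((start, prev))
            start = d
        prev = d
    if start is not None:
        periods.append((start, prev))
    return periods


def recurring_senders(sightings, min_gap=timedelta(days=14)):
    """Return {ip: [(burst_start, burst_end), ...]} for IPs that
    resurfaced after at least min_gap of silence (assumed threshold)."""
    by_ip = defaultdict(set)
    for day, ip in sightings:
        by_ip[ip].add(day)
    result = {}
    for ip, days in by_ip.items():
        periods = active_periods(days)
        gaps = [periods[i + 1][0] - periods[i][1] for i in range(len(periods) - 1)]
        if any(g >= min_gap for g in gaps):
            result[ip] = periods
    return result


if __name__ == "__main__":
    for ip, periods in recurring_senders(SIGHTINGS).items():
        spans = ", ".join(f"{a}..{b}" for a, b in periods)
        print(f"{ip}: resurfaced after a long gap; active {spans}")
```

An IP that shows up in this report is a candidate for keeping its remediation ticket open and re-checking the host, rather than treating the earlier silence as proof it was cleaned.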

Talos noted that Necurs recently switched from sending largely “Russian dating and stock pump-n-dump spam, to sending malicious attachment-based spam. This was the first time we'd seen Necurs send attachments. The malicious attachments were propagating either Dridex, a well-known strain of banking malware, or Locky, a prolific ransomware variant.”

In June security researchers at Proofpoint stated they “detected a large Locky campaign with zip attachments containing JavaScript code. If opened, these attachments would download and install Locky with an Affiliate ID of "1" and DGA seed of 7743. The messages in this campaign had the subjects "Re:" with the attachment "services_[name]_[6 random digits].zip", "[name]_addition_[6 random digits].zip" or "[name]_invoice_[6 random digits].zip". The zip files contained JavaScript files named "addition-[random digits].js."”
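The attachment names and the script-in-zip structure quoted above are the kind of indicators a mail gateway rule can match on. The following is an added example, not Proofpoint's or Talos's code: it renders the quoted naming patterns as regular expressions, inspects a zip attachment's member list, and returns the reasons a message resembles the campaign. The sample messages and their zip contents are constructed; the `.js`-in-any-zip fallback generalises slightly beyond the quoted indicator and is my assumption.

```python
"""Flag mail whose attachment naming matches the campaign quoted above.

Added example, not from Proofpoint or Talos. Regexes are my rendering of
the quoted patterns; sample messages and zip contents are constructed.
"""
import io
import re
import zipfile

# Quoted names: services_[name]_[6 digits].zip,
# [name]_addition_[6 digits].zip, [name]_invoice_[6 digits].zip
ATTACHMENT_RE = re.compile(
    r"^(?:services_.+?_\d{6}|.+?_(?:addition|invoice)_\d{6})\.zip$",
    re.IGNORECASE,
)
# Quoted script name inside the zip: addition-[random digits].js
INNER_JS_RE = re.compile(r"^addition-\d+\.js$", re.IGNORECASE)


def zip_members(blob):
    """Return member names of a zip blob, or [] if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def score_message(subject, attachment_name, attachment_blob):
    """Return the reasons this message resembles the campaign; an empty
    list means nothing matched."""
    reasons = []
    if subject.strip().lower() == "re:":
        reasons.append("bare 'Re:' subject")
    if ATTACHMENT_RE.match(attachment_name):
        reasons.append(f"attachment name matches campaign pattern: {attachment_name}")
    members = zip_members(attachment_blob)
    if any(INNER_JS_RE.match(m) for m in members):
        reasons.append("zip contains addition-<digits>.js")
    elif any(m.lower().endswith(".js") for m in members):
        # Assumed generalisation: any script in a zip is worth a look.
        reasons.append("zip contains a JavaScript file")
    return reasons


def make_zip(inner_name, content=b"// constructed placeholder, not a payload\n"):
    """Build an in-memory zip holding one file; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


# Constructed samples: (subject, attachment name, attachment bytes).
SAMPLES = [
    ("Re:", "services_acme_483921.zip", make_zip("addition-77421.js")),
    ("Re:", "acme_invoice_102938.zip", make_zip("addition-5.js")),
    ("Q3 report", "report_2016.zip", make_zip("report.pdf")),
]

if __name__ == "__main__":
    for subject, name, blob in SAMPLES:
        print(name, "->", score_message(subject, name, blob) or "no match")
```

Each reason is independent, so a gateway can quarantine on the name pattern alone, on the script-in-zip alone, or require two of the three to reduce false positives on legitimate invoices.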

Proofpoint also noted an uptick in spam related to the upcoming presidential election:

“As we approach November in an especially sensational Presidential race, Proofpoint researchers have seen a variety of election-themed emails - everything from straightforward text-based spam with embedded links to credential phishing. In terms of our themes, our spam samples skew heavily towards lures featuring Donald Trump. The Republican nominee appears in nearly 169 times as many messages as those featuring his Democratic opponent, Hillary Clinton,” Proofpoint stated.

“Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be critical to an organization's survival. Restoration plans need to be regularly reviewed and tested to ensure no mistakes have been made and that items have not been overlooked,” Talos wrote.


Copyright © 2016 IDG Communications, Inc.