We found a massive spam operation — and sunk its server – TechCrunch

For ten days in March, millions were caught in the same massive spam campaign.

Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into the victim’s email account, scraped their recently sent emails, and pushed out a personalized email to the recipient of each sent email, with a link to a fake site pushing a weight loss pill or a bitcoin scam.

The emails were so convincing that more than 100,000 people clicked through.

We know this because a security researcher found the server leaking the entire operation. The spammer had forgotten to set a password.

Security researcher Bob Diachenko found the leaking data and with help from TechCrunch analyzed the server. At the time of the discovery, the spammer’s rig was no longer running. It had done its job, and the spammer had likely moved onto another server — likely in an effort to avoid getting blacklisted by anti-spam providers. But the server was primed to start spamming again.

Given that there were more than three million unique exposed credentials sitting on this spammer’s server, hosted on intelimost.com, we wanted to secure the data as soon as possible. With no contact information for the spammer — surprise, surprise — we asked the hosting provider, Awknet, to pull the server offline. Within a few hours of making contact, the provider nullrouted the server, forcing all its network traffic into a sinkhole.

TechCrunch provided a copy of the database to Troy Hunt. Anyone can now check breach notification site Have I Been Pwned to see if their email was misused.

But the dormant server, while it was still online, offered a rare opportunity to understand how a spam operation works.

The one thing we didn’t have was the spam email itself. We reached out to dozens of people to ask about the email they received. Two replied — but only one still had a copy of the email.


The email sent by the spammer. (Image: supplied)

“The same mail appeared on three occasions,” said one of the recipients in an email to TechCrunch. “The subject was related to an email I had sent previously to that person so the attacker had clearly got access to his mailbox or the mail server,” the victim said.

The link in the email, when clicked, would direct the recipient through several websites in quick succession to determine where they were located, based on their IP address. If the recipient was in the U.S., they’d be pushed to a fake CNN site promoting a bogus health remedy. In this case, the spammer was targeting U.K. residents — and most were directed to a fake BBC page promoting a bitcoin scam.


One of the fake pages. (Screenshot: TechCrunch)

The spammer had other servers that we had no visibility into, but the exposed server revealed many of the cogs and machinery of the operation. The server, running an Elasticsearch database, was well-documented enough that we found one of the three spam emails sent to our recipient.

This entry alone tells us a lot about how the spam operation worked.


A database record of one email sent by the spammer. (Screenshot: TechCrunch)

Here’s how it works. The spammer logs into a victim’s @btinternet.com email account using the stolen email address and password, then pulls a recently sent email from the victim’s mail server. That email feeds into another server, such as inbox87.host or viewmsgcs.live, tasked with generating the personalized spam email. The spam email incorporates the subject line of the sent email and the original recipient’s email address, so that it looks like it is coming from the real person.

Once the message is ready to send, it’s pushed through a proxy connection, designed to mask where the email has come from. The proxy server is made up of several cell phones, each connecting to the internet over its own cellular connection.

Each spam message is routed through one of the phones, which occasionally rotates its IP address to prevent detection or being flagged as a spammer.

Here’s what that proxy server looks like.


The proxy server, made up of several cell phones with rotating IP addresses. (Screenshot: TechCrunch)

Once the spam message leaves the proxy server, it is pushed through the victim’s own email provider using their email address and password, making it look like a genuine email to both the email provider and the recipient.

Now imagine that hundreds of times a second.
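Seen from the mail provider’s side, the procedure above has two observable signatures: logins to one mailbox from a set of unrelated addresses in quick succession (the rotating phone proxies), followed by a burst of replies whose subjects replay the mailbox’s own recently sent mail to the original correspondents. The following Python is an added example, not code from the article or from any of the parties it describes. The audit-log format (timestamp, event, account, source IP, details) is hypothetical, every log line is constructed, and the thresholds are illustrative.

```python
"""Detection logic for the account-takeover spam pattern described above.

Added example: the audit-log format (timestamp, event, account, source IP,
details) is hypothetical, and every log line below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log. alice's mailbox is taken over on March 9: four logins
# from four different addresses within half a minute, each followed by a "Re:"
# to someone alice genuinely wrote to the day before. dave is a normal user.
SAMPLE_LOG = """\
2019-03-08T10:00:01 LOGIN alice@example.net 203.0.113.5 -
2019-03-08T10:02:10 SEND alice@example.net 203.0.113.5 to=bob@example.org subject=Quarterly figures
2019-03-08T10:05:00 SEND alice@example.net 203.0.113.5 to=carol@example.com subject=Lunch Thursday?
2019-03-09T03:14:07 LOGIN alice@example.net 198.51.100.20 -
2019-03-09T03:14:09 SEND alice@example.net 198.51.100.20 to=bob@example.org subject=Re: Quarterly figures
2019-03-09T03:14:12 LOGIN alice@example.net 198.51.100.77 -
2019-03-09T03:14:15 SEND alice@example.net 198.51.100.77 to=carol@example.com subject=Re: Lunch Thursday?
2019-03-09T03:14:20 LOGIN alice@example.net 192.0.2.33 -
2019-03-09T03:14:21 SEND alice@example.net 192.0.2.33 to=bob@example.org subject=Re: Quarterly figures
2019-03-09T03:14:30 LOGIN alice@example.net 192.0.2.91 -
2019-03-09T03:14:33 SEND alice@example.net 192.0.2.91 to=carol@example.com subject=Re: Lunch Thursday?
2019-03-09T09:00:00 LOGIN dave@example.net 203.0.113.9 -
2019-03-09T09:01:00 SEND dave@example.net 203.0.113.9 to=erin@example.org subject=Re: Invoice 1234
"""

WINDOW = timedelta(minutes=10)   # illustrative thresholds, tune per environment
MIN_DISTINCT_IPS = 3
MIN_REPLAYED_SENDS = 2


def parse_log(text):
    """Turn the constructed log format into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, ip, extra = line.split(" ", 4)
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind,
              "account": account, "ip": ip_address(ip)}
        if kind == "SEND":
            to_part, subject = extra.split(" subject=", 1)
            ev["to"] = to_part[len("to="):]
            ev["subject"] = subject
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def normalize_subject(subject):
    """Strip any number of leading Re:/Fw:/Fwd: prefixes and lower-case."""
    s = subject.strip()
    stripped = True
    while stripped:
        stripped = False
        for prefix in ("re:", "fw:", "fwd:"):
            if s.lower().startswith(prefix):
                s = s[len(prefix):].strip()
                stripped = True
    return s.lower()


def find_hijacked_accounts(events):
    """Flag accounts that, inside one WINDOW, log in from MIN_DISTINCT_IPS or
    more addresses and send MIN_REPLAYED_SENDS or more messages that re-use
    (recipient, subject) pairs from the account's own earlier sent mail."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    findings = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] <= start["ts"] + WINDOW]
            login_ips = {e["ip"] for e in window if e["kind"] == "LOGIN"}
            # What this account genuinely sent before the window opened.
            earlier = {(e["to"], normalize_subject(e["subject"]))
                       for e in evs[:i] if e["kind"] == "SEND"}
            replayed = [e for e in window if e["kind"] == "SEND"
                        and (e["to"], normalize_subject(e["subject"])) in earlier]
            if len(login_ips) >= MIN_DISTINCT_IPS and len(replayed) >= MIN_REPLAYED_SENDS:
                findings[account] = {
                    "window_start": start["ts"].isoformat(),
                    "login_ips": sorted(str(ip) for ip in login_ips),
                    "replayed_sends": len(replayed),
                }
                break   # one finding per account is enough for an alert
    return findings


if __name__ == "__main__":
    for account, detail in find_hijacked_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {detail['replayed_sends']} replayed sends from "
              f"{len(detail['login_ips'])} IPs starting {detail['window_start']}")
```

Both conditions are required on purpose: a traveller answering mail from a laptop and a phone will trip the IP check alone, and a busy correspondent replying in a thread will trip the subject check alone; it is the combination within a short window that matches the pattern the article describes.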

Not only was the spammer’s Elasticsearch database leaking, its Kibana user interface was also exposed. That gave the spammer a detailed at-a-glance look at the operation in action. It was so granular that you could see which spam-sending domains were the most efficient in tricking a recipient into clicking the link in the spam email.
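The leak itself came from an Elasticsearch node reachable from the network with no authentication, with Kibana in front of it. The following Python is an added example, not code from the article, showing the check an operator can run over their own elasticsearch.yml: a node bound beyond loopback via network.host without xpack.security.enabled set to true is open to anyone who can reach port 9200. Both configuration texts are constructed, and the parser deliberately handles only flat key: value lines, not full YAML.

```python
"""Audit an elasticsearch.yml for the exposure described above: a node that
listens beyond loopback without authentication enabled.

Added example, not code from the article. Only flat "key: value" lines are
parsed (real files may use nested YAML); both configurations are constructed.
"""
from ipaddress import ip_address

# Constructed: the weak setting the article's leak implies ...
WEAK_CONFIG = """\
cluster.name: spam-stats
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# ... and the corrected one: loopback only, security on. Remote access then
# goes through TLS plus credentials or a reverse proxy, never raw port 9200.
HARDENED_CONFIG = """\
cluster.name: spam-stats
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Elasticsearch special values for network.host that mean "loopback only".
LOOPBACK_ALIASES = {"_local_", "localhost"}


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' lines with '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def binds_beyond_loopback(host):
    """True if a network.host value would accept connections from other machines."""
    if host in LOOPBACK_ALIASES:
        return False
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        # _site_, _global_, interface names and hostnames: treat as exposed.
        return True


def audit_elasticsearch(config_text):
    """Return a list of findings; empty means the two checked settings are safe."""
    s = parse_flat_yaml(config_text)
    host = s.get("network.host", "_local_")          # unset binds to loopback
    security = s.get("xpack.security.enabled", "")   # unset: default depends on version
    findings = []
    if binds_beyond_loopback(host) and security.lower() != "true":
        findings.append(
            f"network.host={host} with xpack.security.enabled="
            f"{security or 'unset'}: anyone who can reach port "
            f"{s.get('http.port', '9200')} gets unauthenticated read/write access")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```

The check treats an unset xpack.security.enabled as not confirmed on, because the default has differed between Elasticsearch major versions; an explicit true is the only value it accepts. The same reasoning applies to the Kibana instance in front of the node, which inherits whatever authentication the cluster enforces.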


The spammer’s Kibana dashboard, displaying the operation at a glance. (Screenshot: TechCrunch)

Each spam email included a tracker in the link that fed information back to the spammer. In bulk, that let the spammer figure out which email domain’s users — outlook.com or yahoo.com, say — were more likely to click on a spam email. That can also indicate how an email provider’s spam filter behaves: the more clicks, the more likely its spam is getting through, which lets the spammer target specific email domains in the future.

The dashboard also contained other information related to the spam campaign, such as how many emails were successfully sent and how many bounced. That helps the spammer home in on the most valuable logins in the future, allowing them to send more spam for lower bandwidth and server costs.

In all, some 5.1 million emails were sent during the 10-day campaign — between March 8 and March 18, with some 162,980 people clicking on the spam email, according to the data on the dashboard.

It’s not the first time we’ve seen a spam operation in action, but it’s rare to see how successful it is.

“This case reminds me of several other occasions I reported at some points in the past — when malicious actors create a sophisticated system of proxying and logging, leaving so many tracks to identify their patterns for authorities in the investigations to come,” Diachenko told TechCrunch. “This shows us — again! — how important proper cyber hygiene should be.”

What’s clear is that the spammer knows how to cover their tracks.

The language settings in the Kibana instance suggested the spammer may be based in Belgium. We found several other associated spamming domains using data collected by RiskIQ, a cyberthreat intelligence firm, which scours the web for information. Of the domains we found, all were registered with fake names and addresses.

As for the server itself, the provider said it was possibly hacked.

“This was a resold box and the customer already responded to the abuse forward saying it was supposed to have been terminated long ago,” said Awknet’s Justin Robertson in an email to TechCrunch.

And we still can’t figure out where the email addresses and passwords used to send the spam came from. Only 45 percent of the emails were already in Have I Been Pwned, ruling out the possibility that all of the passwords were stolen through credential stuffing.

Since the hosting provider pulled the spammer’s server offline, several of their fake sites and domains associated with the spam campaign no longer load.

But given the spread of domains and servers propping up the campaign, we suspect the sunken server is only a single casualty in an otherwise ongoing spam campaign.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Source of this news: https://techcrunch.com/2019/04/02/inside-a-spam-operation/
