Weight loss spam? Seen it. Spam from hacked email accounts? Seen it. Redirects hosted on legitimate web sites? Seen it. Nothing new here then, move along.
If all this is such old hat why have we seen such a flurry of activity from these spam campaigns in recent weeks?
Just yesterday, I received a couple of spam messages sent to my personal email address from a friend. The messages were somewhat sparse, with no subject line and only a single URL within the message body.
Immediately I knew there would be plenty more. I happen to be on several mailing lists with the same individual. Sure enough, spam messages started coming through that list.
The link in the message body points to a page hosted on a legitimate website that has been compromised. This page displays a "You are here because one of your friends..." message to the user. This message is becoming rather familiar now, having been used in these campaigns for several months.
Behind this message is a meta redirect that bounces the user along to the target spam site.
The spam website has most likely changed during the course of this campaign, but recently it has been pushing weight loss meds.
Sophos products block the redirect page as Troj/Redir-O. This allows us to get visibility into how widespread these campaigns are. Clearly there are many people receiving the spam messages - over the past week, Troj/Redir-O is:
- the 4th most prevalent web threat blocked on computers running Sophos Anti-Virus
- the 2nd most prevalent web threat blocked by Sophos web appliances
Given the lack of effort that has been put into the social engineering in this campaign, this success may be surprising. Perhaps it simply reflects how people generally trust messages they receive from friends and colleagues?
They shouldn't. Maybe getting redirected to a meds site is considered harmless, but historically these same campaigns have been used to redirect users to exploit sites as well.
Hordes of different legitimate sites have been hacked and used to host the redirects in these campaigns. The sites are hosted globally, at a variety of providers.
There are some important lessons we should learn from this type of campaign:
- hacked email accounts are gold dust to attackers
- hacked web sites are gold dust to attackers
- there are many people who blindly click on links they receive in email (even without social engineering tricks!)
For individuals whose email accounts have been hacked:
- change your password, ensuring you choose a suitable one (see here for additional advice for GMail users)
- take care where you log into your personal email account. Do not sign in on untrusted, public computers.
- check out the settings available to you to lock down and monitor the account (for example 2-factor sign-in, displaying the last login IP etc)
For site owners whose web sites have been compromised:
- change passwords (FTP, admin)
- clean up (remove) added redirect pages
- review options available to lock down the site (disable FTP, only enable SFTP when required etc)
- additional advice regarding securing websites can be found in our technical paper on the subject.
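As an added example (not Sophos code or anything from the original post), here is a small Python scanner a site owner could run over a web root during the clean-up step to find planted pages like the one described above: HTML files whose meta refresh bounces visitors to a host other than the site's own. The sample pages, file extensions and hostnames are constructed for the example.

```python
import html
import os
import re
from urllib.parse import urlparse

# Matches a <meta http-equiv="refresh" ...> tag in raw HTML, case-insensitively.
META_REFRESH_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.IGNORECASE)
CONTENT_RE = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)

def find_meta_redirects(page_html):
    """Return the URLs that a page's meta refresh tags send the visitor to."""
    targets = []
    for tag in META_REFRESH_RE.findall(page_html):
        m = CONTENT_RE.search(tag)
        if not m:
            continue
        # content looks like "0; url=http://host/path" (the url= prefix is optional)
        parts = html.unescape(m.group(1)).split(";", 1)
        if len(parts) < 2:
            continue
        url = parts[1].strip()
        if url.lower().startswith("url="):
            url = url[4:].strip().strip("'\"")
        if url:
            targets.append(url)
    return targets

def is_external(url, site_host):
    """True when the redirect leaves the site owner's own host (relative URLs are not external)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()

def suspicious_redirects(page_html, site_host):
    """Redirect targets on this page that point away from site_host."""
    return [u for u in find_meta_redirects(page_html) if is_external(u, site_host)]

def scan_site(root, site_host, exts=(".html", ".htm", ".php")):
    """Walk a web root and map each file with a foreign meta redirect to its targets."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    found = suspicious_redirects(f.read(), site_host)
                if found:
                    hits[path] = found
    return hits

# Constructed sample: a planted page (friendly message, instant redirect off-site)
# and a legitimate page that refreshes onto the site's own host.
PLANTED_PAGE = ('<html><head><meta http-equiv="refresh" content="0;url=http://spam-site.example/meds">'
                '</head><body>You are here because one of your friends...</body></html>')
LEGIT_PAGE = '<html><head><META HTTP-EQUIV="Refresh" CONTENT="5; URL=http://www.example.org/news"></head></html>'
```

Run `scan_site("/var/www/html", "www.example.org")` (paths assumed) to list every file that sends visitors to another host; each hit is a candidate for removal and a pointer to how the attacker got write access.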