Weight loss spam? Seen it. Spam from hacked email accounts? Seen it. Redirects hosted on legitimate web sites? Seen it. Nothing new here then, move along.
If all this is such old hat why have we seen such a flurry of activity from these spam campaigns in recent weeks?
Just yesterday, I received a couple of spam messages sent to my personal email address from a friend. The messages were somewhat sparse, with no subject line and only a single URL within the message body.
Immediately I knew there would be plenty more. I happen to be on several mailing lists with the same individual. Sure enough, spam messages started coming through that list.
The link in the message body points to a page hosted on a legitimate website that has been compromised. This page displays a “You are here because one of your friends…” message to the user. This message is becoming rather familiar now, having been used in these campaigns for several months.
Behind this message is a meta redirect that bounces the user along to the target spam site.
The spam website has most likely changed during the course of this campaign, but recently it has been pushing weight loss meds.
Sophos products block the redirect page as Troj/Redir-O. This allows us to get visibility into how widespread these campaigns are. Clearly there are many people receiving the spam messages – over the past week, Troj/Redir-O is:
- the 4th most prevalent web threat blocked on computers running Sophos Anti-Virus
- the 2nd most prevalent web threat blocked by Sophos web appliances
Given the lack of effort that has been put into the social engineering in this campaign, this success may be surprising. Perhaps it simply reflects how people generally trust messages they receive from friends and colleagues?
They shouldn’t. Maybe getting redirected to a meds site is considered harmless, but historically these same campaigns have been used to redirect users to exploit sites as well.
Hordes of different legitimate sites have been hacked and used to host the redirects in these campaigns. The sites are hosted globally, at a variety of providers.
There are some important lessons we should learn from these types of campaigns:
- hacked email accounts are gold dust to attackers
- hacked web sites are gold dust to attackers
- there are many people who blindly click on links they receive in email (even without social engineering tricks!)
For individuals whose email accounts have been hacked:
- change your password, ensuring you choose a suitable one (see here for additional advice for GMail users)
- take care with where you log into your personal email account. Do not sign in on untrusted, public computers.
- check out the settings available to you to lock down and monitor the account (for example 2-factor sign-in, displaying the last login IP, etc.)
For site owners whose web sites have been compromised:
- change passwords (FTP, admin)
- clean up (remove) added redirect pages
- review options available to lock down site (disable FTP, only enable sFTP when required etc)
- additional advice regarding securing websites can be found in our technical paper on the subject.
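As an added example (not code from the original article or from Sophos), here is a small audit script a site owner could run during the "clean up added redirect pages" step to locate pages of the kind described above. It assumes the planted pages use an HTML meta refresh to bounce visitors off-site, as the article describes; the site hostname `example.org`, the `pills.invalid` target and the sample pages are all constructed placeholders.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The content attribute of a meta refresh looks like "0;url=http://host/path";
# case, spacing and optional quotes around the URL vary between pages.
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


class _MetaRefreshParser(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lowercases tag and attribute names for us
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").lower() != "refresh":
            return
        match = _REFRESH_RE.match(attr.get("content", ""))
        if match:
            self.targets.append(match.group(1).strip())


def _is_offsite(url, site_host):
    """True when url points at a host other than site_host or one of its subdomains."""
    try:
        host = (urlparse(url).hostname or "").lower()
    except ValueError:
        return True  # malformed URL: flag it for manual review rather than ignore it
    if not host:
        return False  # relative URL, stays on this site
    site_host = site_host.lower()
    return not (host == site_host or host.endswith("." + site_host))


def offsite_redirects(html, site_host):
    """Return the meta-refresh targets in html that leave site_host."""
    parser = _MetaRefreshParser()
    parser.feed(html)
    return [url for url in parser.targets if _is_offsite(url, site_host)]


def scan_pages(pages, site_host):
    """pages maps a relative path to page source; returns sorted (path, target) findings."""
    findings = []
    for path, html in pages.items():
        for target in offsite_redirects(html, site_host):
            findings.append((path, target))
    return sorted(findings)


def scan_tree(root, site_host, exts=(".html", ".htm", ".php")):
    """Read every page under the document root from disk and scan it."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[os.path.relpath(full, root)] = fh.read()
    return scan_pages(pages, site_host)


# Constructed sample site: one planted redirect page of the style the article
# describes, one legitimate on-site refresh, one plain page, one redirect to a subdomain.
SAMPLE_PAGES = {
    "uploads/news.html": (
        "<html><head><meta http-equiv='Refresh' content=\"0; URL=http://pills.invalid/offer\">"
        "</head><body>You are here because one of your friends...</body></html>"
    ),
    "index.html": "<html><head><meta http-equiv=\"refresh\" content=\"5;url=/welcome.html\"></head></html>",
    "about.html": "<html><body><p>No redirect here.</p></body></html>",
    "old.html": "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://www.example.org/new\"></head></html>",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        results = scan_tree(sys.argv[1], sys.argv[2])  # e.g. /var/www/html example.org
    else:
        results = scan_pages(SAMPLE_PAGES, "example.org")
    for path, target in results:
        print(f"{path}: redirects off-site to {target}")
```

Run it as `python scan_redirects.py /path/to/docroot your-site.example` to get a list of pages that bounce visitors to another host; in the built-in sample only `uploads/news.html` is reported. The check only covers meta refreshes, so a page that redirects through JavaScript or a server-side header (as an injected PHP file might) needs a separate review, and a recently modified file anywhere under the document root is worth a look regardless of what this script reports.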
I had a similar incident where all my contacts were sent to a Canadian based company website selling viagra. No joke. When I went to log on to my Gmail account the password had been changed. This happened several times. What a pain in the rear end. I was already doing all the above suggestions and I was still hacked. Good luck to all.
Yup. They were using domains masquerading as Fox News, which may not be the smartest thing they ever did. Rupert has lawyers…
You know, my main email account may have been hacked. I wouldn't have noticed except that I've received similar Spam emails on occasion…sent from the same account! This one offers "fake Rolex's." LOL!
Guess I better go change my password…it needed doing anyway.
In addition to using a decent password (see previous tips) consider using an email service that lets you use two-factor authentication. Hardly any inconvenience, and means that even if your password gets compromised, attackers cannot log into your account.
Since Yahoo! Mail and AT&T merged email products, you can no longer change your password for Yahoo. The only thing you can do to limit spam is to remove everyone from your contact list.
I have annoying "bouncing" ads come up on FB, plus another one which appears when I try to click on a highlighted link, so I cannot click on it. I have run a "House call" scan, and my normal McAfee runs regularly, but nothing seems to be able to move these things.
I had one of these ads from an e-mail from my daughter, who was using a computer at work in the NHS in the UK. I was very impressed that Sophos anti-virus quickly identified it and neutralised the threat. I realised I shouldn't have clicked on it but my daughter does often send me links. I'll ask her to send me a believable message too from now on.
We were analyzing an issue where an email account (GMX) was sending a URL of a compromised WordPress website. That website redirected to a spam website.
The recipients of that mail were taken from the address book.
After several tests we had a simple question to the user: What is your password?
As the answer was 12345678 all further analysis was obsolete =)
Hi,
We observed the very same campaign here in Latin America almost a month ago (http://blog.segu-info.com.ar/2012/06/spam-desde-contactos-conocidos-traves.html).
We cannot understand the mechanism used to send the spam from the compromised accounts.
Did you figure out if spammers managed to get account passwords, or is it malware waiting for the user to open his/her webmail account?
Great article, Fraser. I had a similar situation to yours (a relative's e-mail account got hacked and started sending this spam to every contact in that person's address book). I happened to have started researching this hack/spam/fraud campaign on Tuesday night, and the next day I read your article when it was published.
I finally completed my research (or as much as I'm willing to do, anyway) and published my results in the following article on my security blog. I credited Fraser and Sophos for the great article and recommended that my readers come here to read it.
Among the highlights of my article are lists of 366 hacked sites, 76 file names, and 31 fake news/spam domains. This list was compiled by searching for only 11 of the 76 file names, so there are at least hundreds more sites out there that have been hacked.
The hacked domains I found range from churches to porn sites to government sites, and their servers are located all across the globe. Crazy stuff.
Here's my article, if anyone's interested: http://security.thejoshmeister.com/2012/07/hacked…
I hope this is not just a con to get us all to use sophos!