
Raspberries! Botnet Spam Just Got a Whole Lot More Dangerous

Neil Schwartzman

Many have heard of botnets, but for those who aren't certain what they are: botnets are armies of hacked zombie computers that have malware on them, and send spam email at the command of operators anywhere in the world. They can also be told to deploy denial of service attacks, by all hitting the homepage of a given company, or attacking the DNS server or a service or country. There are a lot of ways to become infected: through malicious emails, on 'driveby infection' websites and even through search results. Once a machine is infected it continues to operate normally, but surreptitiously does malicious things behind the owner's back.

As messaging champions we are most concerned about their email activity, and that is actually pretty easy to deal with:

Blocklist services like Spamhaus' PBL (policy blocklist) allow ISPs and mailbox providers to determine what IP addresses should never-ever send email. So, for example, my ISP Comcast will announce to the world which of the IPs they own are dynamic, assigned to residential end users and should never send any email. My machine should never send email itself; rather, it should be using Comcast's outbound facing servers, or Gmail, or something of that sort. If email is seen coming directly from my IP address, receivers then know something is wrong and they can safely ignore the mail.

ISPs and other receiving domains then bring services like SURBL's domain blocklist into play, checking messages that make it past the first few layers of protection, looking at content within the message for bad domains.

So if I email from a legitimate source but include a link to criminalbank.com — SURBL will stop it from ever making it to someone's inbox. This offers recipients and mailbox providers several levels of security and methods of dealing with botnets. One is focused on identifying non-legitimate sources of mail traffic, and the other checks the content of a message for links to malicious domains.

The botnet operators have begun using an old trick, which is to hack into a website (usually running a badly configured version of WordPress software) and then, in the body of spam emails, use a URL to a page they create there, which redirects to their criminal domain; they purloin the good reputation of a small site to their own ends.

SURBL and the other domain blocklists like the DBL and URIBL have a heck of a time catching these spams, since the URLs appear to be legitimate, which means more spam in the inbox for you and me.
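The two layers described above (a policy blocklist check on the sending IP, then a domain blocklist check on links in the body) and the reason a hacked-site redirect URL passes both, as an added example that is not from the original post. The DNS zone contents, IP addresses, sample messages and the name smallblog.example are constructed; lookups are simulated with an in-memory set so the code runs offline.

```python
import re
from email import message_from_string

# Constructed stand-in for DNS so the example runs offline: a name "resolves"
# (is listed) if it is in this set. A real filter sends a DNS A query instead.
LISTED = {
    "23.113.0.203.pbl.spamhaus.org",     # constructed dynamic/residential IP 203.0.113.23
    "criminalbank.com.multi.surbl.org",  # the article's example criminal domain
}
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def ip_query(ip, zone="pbl.spamhaus.org"):
    """IP blocklists are queried with the octets reversed, followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def domain_candidates(host):
    """www.criminalbank.com -> itself and criminalbank.com (never the bare TLD)."""
    labels = host.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def body_hosts(raw_message):
    """Hostnames of every http(s) URL in a single-part message body."""
    body = message_from_string(raw_message).get_payload()
    return sorted({h.lower() for h in URL_HOST.findall(body)})

def verdict(client_ip, raw_message, zone="multi.surbl.org"):
    # Layer 1: should this address be sending mail directly at all?
    if ip_query(client_ip) in LISTED:
        return "reject: source IP on policy blocklist"
    # Layer 2: does the body link to a listed domain?
    for host in body_hosts(raw_message):
        for name in domain_candidates(host):
            if name + "." + zone in LISTED:
                return "reject: body links to " + name
    return "accept"

# Constructed sample messages. smallblog.example stands for a hacked site whose
# page redirects elsewhere; the redirect target never appears in the message.
DIRECT = "Subject: account\n\nVerify at http://www.criminalbank.com/login today\n"
REDIRECT = "Subject: diet\n\nSee http://smallblog.example/wp-content/r.html\n"

if __name__ == "__main__":
    print(verdict("203.0.113.23", DIRECT))    # botted home machine sending directly
    print(verdict("198.51.100.7", DIRECT))    # legitimate relay, listed link
    print(verdict("198.51.100.7", REDIRECT))  # legitimate relay, hacked-site link
```

The third message is accepted because the only domain the filter can see is the small site's own, which is not listed until a blocklist operator learns of the compromise.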

This past week or so, the botnet has been sending out hundreds of millions of spam with these compromised-redirect domains (they can be bought on the criminal black-market for pennies) and promoting a scam weight-loss program involving The Raspberry Ketone Diet, and using a stolen clip from the Dr. Oz Show to lend some legitimacy to their wares.

I've personally seen at least 250 different Raspberry-related domains registered recently, all of them related to this spam blast. This is the continuation of a multi-platform spam campaign that started in February — spammers, probably the same ones, were also abusing social media and skewing search results earlier this year. This is truly a second-hand spam attack.

Unfortunately there isn't much the normal user can do to protect themselves from becoming 'botted' apart from updating their software and operating system daily, and even then, with the proliferation of 'zero-day' exploits, it is always a game of catch-up. People who are running WordPress can lock down their software; that would help a lot. And, of course, never buy anything spam tries to sell you.

All of this talk of food makes me want to go eat some toast, with raspberry jam, of course!

Originally published at Message Bus – reposted with permission.

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE. More blog posts from Neil Schwartzman can also be read here.

Related topics: Cyberattack, Cybercrime, Malware, Spam

 
   