
Raspberries! Botnet Spam Just Got a Whole Lot More Dangerous

Neil Schwartzman

Many have heard of botnets, but for those who aren't certain what they are: botnets are armies of hacked 'zombie' computers that have malware on them and send spam email at the command of operators anywhere in the world. They can also be told to mount denial of service attacks, with every infected machine hitting the homepage of a given company, or the DNS servers of a service or even a country. There are a lot of ways to become infected: through malicious emails, on 'drive-by infection' websites and even through search results. Once a machine is infected it continues to operate normally, but surreptitiously does malicious things behind the owner's back.

As messaging champions we are most concerned about their email activity, and that is actually pretty easy to deal with:

Blocklist services like Spamhaus' PBL (Policy Block List) allow ISPs and mailbox providers to determine which IP addresses should never send email. So, for example, my ISP Comcast will announce to the world which IPs they own are dynamic, assigned to residential end users, and should never send any email. My machine should never send email itself; rather, it should use Comcast's outbound-facing servers, or Gmail, or something of that sort. If email is seen coming directly from my IP address, receivers then know something is wrong and can safely ignore the mail.

ISPs and other receiving domains then bring services like SURBL's domain blocklist into play, checking messages that make it past the first few layers of protection and looking at the content within the message for bad domains.

So if I email from a legitimate source but include a link to criminalbank.com, SURBL will stop it from ever making it to someone's inbox. This offers recipients and mailbox providers several levels of security and methods of dealing with botnets: one is focused on identifying non-legitimate sources of mail traffic, and the other checks the content of a message for links to malicious domains.

The botnet operators have begun using an old trick: hack into a website (usually one running a badly configured version of WordPress), create a page on it that redirects to their criminal domain, and then put the URL of that page in the body of spam emails; they purloin the good reputation of a small site to their own ends.

SURBL and the other domain blocklists, like the DBL and URIBL, have a heck of a time catching these spams, since the URLs appear to be legitimate, which means more spam in the inbox for you and me.
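The two layers described above (sender-IP policy lookup, then URL-domain lookup) and the redirect trick that defeats the second one, as an added example that is not part of the original post. The blocklist zones, domains and the hacked-page redirect are all constructed stand-ins kept in memory; a real filter would issue DNS queries against zones such as pbl.spamhaus.org or multi.surbl.org using the same reversed-octet and domain query names.

```python
"""Two-layer botnet spam check (added example): sender-IP policy lookup, URL-domain lookup, redirect resolution."""
import re
from urllib.parse import urlparse

# Constructed stand-ins for DNSBL zones: an in-memory set keyed by the same query
# names a DNS lookup against a real zone would use.
PBL_ZONE = "pbl.example"
DBL_ZONE = "dbl.example"
PBL_LISTED = {"10.2.0.192." + PBL_ZONE}                 # 192.0.2.10: residential, must not send
DOMAIN_LISTED = {"criminalbank.example." + DBL_ZONE}    # the spammer's own domain
# Constructed: a hacked blog page that redirects to the listed domain.
REDIRECTS = {"http://smallblog.example/wp-content/r.php": "http://criminalbank.example/"}

URL_RE = re.compile(r"https?://[^\s<>]+", re.I)

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets as DNSBLs expect: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted-quad expected")
    return ".".join(reversed(octets)) + "." + zone

def sender_ip_listed(ip: str) -> bool:
    return dnsbl_query_name(ip, PBL_ZONE) in PBL_LISTED

def registrable_domain(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    # Toy approximation: keep the last two labels (real filters use the Public Suffix List).
    return ".".join(host.split(".")[-2:])

def domain_listed(domain: str) -> bool:
    return domain + "." + DBL_ZONE in DOMAIN_LISTED

def follow_redirect(url: str):
    """Stand-in for an HTTP request that returns the final Location, or None."""
    return REDIRECTS.get(url)

def classify(sender_ip: str, body: str, resolve=lambda url: None) -> str:
    """Layer 1: reject mail sent directly from a policy-listed IP.
    Layer 2: reject mail whose links point to, or redirect to, a listed domain."""
    if sender_ip_listed(sender_ip):
        return "reject: sender IP is in PBL"
    for url in URL_RE.findall(body):
        dom = registrable_domain(url)
        if domain_listed(dom):
            return f"reject: {dom} listed"
        final = resolve(url)          # without this step the redirector slips through
        if final and domain_listed(registrable_domain(final)):
            return f"reject: {dom} redirects to listed {registrable_domain(final)}"
    return "accept"
```

Calling `classify` with the default `resolve` reproduces the gap the post describes: the hacked-site link is accepted because only its own domain is checked; passing `follow_redirect` catches it.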

This past week or so, the botnet has been sending out hundreds of millions of spam messages with these compromised-redirect domains (they can be bought on the criminal black market for pennies), promoting a scam weight-loss program involving the Raspberry Ketone Diet and using a stolen clip from the Dr. Oz Show to lend some legitimacy to their wares.

I've personally seen at least 250 different Raspberry-related domains registered recently, all of them related to this spam blast. This is the continuation of a multi-platform spam campaign that started in February — spammers, probably the same ones, were also abusing social media and skewing search results earlier this year. This is truly a second-hand spam attack.

Unfortunately there isn't much the normal user can do to protect themselves from becoming 'botted' apart from updating their software and operating system daily, and even then, with the proliferation of 'zero-day' exploits, it is always a game of catch-up. People who are running WordPress can lock down their software; that would help a lot. And, of course, never buy anything spam tries to sell you.

All of this talk of food makes me want to go eat some toast, with raspberry jam, of course!

Originally published at Message Bus – reposted with permission.

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email (CAUCE).

Related topics: Cyberattack, Cybercrime, Malware, Spam
