Archived Blog

Spammer Anti-CAPTCHA operations and Mass-Mailing Strategy

05.15.2008 - 7:00 PM

Websense® Security Labs™ Threatseeker™ technology has been continually monitoring spammer strategy and related tactics following the streamlined Anti-CAPTCHA operations on Microsoft’s Live Mail, Google’s Gmail, Microsoft’s Live Hotmail, Google’s Blogger, and Yahoo Mail (as reported by InformationWeek). Websense has observed that these spammer accounts increasingly represent several execution stages of a sophisticated strategy adopted by spammers.

Websense predictions about this strategy, made originally at the time of the Anti-CAPTCHA operations, have proven to be accurate. The spammers are now using these accounts for additional, random attacks that include sophisticated new methods.

For the spammers, the entire attack strategy includes more than registering email accounts using Anti-CAPTCHA operations; sending mass emails over the Internet; infecting thousands of user machines; and stealing information. In addition, spammers want to increase the overall time a spam campaign survives online and make it increasingly difficult to trace the campaign back. To this end, they use randomized, complex networks, through which they advertise their products and services.

To achieve success, spammers have been using a combination of tactics at different levels in their attacks.

This combination of tactics can be conceptualized in three different stages.

Stage 1: Spammers using Anti-CAPTCHA registered accounts for mass-mailing purposes

Anti-CAPTCHA registrations of Microsoft Windows Live Mail, Microsoft Windows Live Hotmail, Google’s Gmail, and Yahoo Mail accounts have already brought spammers a certain level of success. To some extent, spammers can defeat anti-spam filters that rely heavily on reputation-based detection by sending their spam from these Anti-CAPTCHA accounts, so that the mail originates at the corresponding, well-reputed email service providers.

Stage 2: Spammers' tactics in advertising their products and services

Spammers' next tactic in this strategy is to advertise their content using sophisticated techniques. Spammers create visual social engineering attacks built on accounts registered at free Web space providers through the same CAPTCHA-breaking process, and then use these accounts as redirectors or doorway pages to advertise products and services (see Figure 3.2: Redirection or doorway page to actual spam domain). An illustration of this tactic was reported by Websense recently, where Google’s Blogger Anti-CAPTCHA operations were carried out for spam runs.


Stage 3: Spammers' tactics to protect their advertising infrastructure online

With a certain degree of success so far, spammers' next significant tactic in their three-stage strategy is to increase the overall time their spam domains and advertising networks remain online, and to make them increasingly hard to trace back through randomized, complex networks. This makes the infrastructure virtually impossible to shut down.

Websense has observed that, as part of this attack strategy, spammers have increased their use of multiple fast-flux networks to advertise their products. The fast-flux concept gives spammers a scalable, robust, and multi-layered network structure. The layered structure and the complex behavior of the network protect the spammers’ domains, making them difficult to trace back.

From the figure above, notice that there could be several Network 1s using a similar structure. In other words, random URLs are included in the spam, and these alone are enough to keep the spam domain alive on the Internet for a longer period. Additionally, it is difficult to keep track of the activity at the Network 2s and Network 3s behind every Network 1 found, which further extends their survival and lets them do more damage. Each additional network layer adds another level of proxying in front of the actual spam domain, so the spam domain survives longer.

Spammers can either use newly registered domains as a dedicated part of this service or include compromised, legitimate domains. When a compromised, legitimate system is part of the fast-flux network, it gives spammers a greater chance of success across the entire ecosystem and further frustrates security vendors.



Spammers have increasingly combined visual social engineering attacks with the fast-flux concept to make detection, or even trace-back, difficult and time-consuming. Serving the content from multiple locations per Web session is the current technique, and it will continue to be used by spammers and phishers. This prediction has been validated in recent mass spam campaigns following the Anti-CAPTCHA operations.

Let's examine a recent example of some spam campaigns related to this spammer strategy and employing the types of attacks discussed above. There are several spam campaigns to choose from, including those related to Pornography, Health and Medicine, Finance and Business, Products and Services, and more.

Consider the popular scam: Health and Medicine.

 


As discussed earlier, these Blogger accounts are used as redirectors or doorway pages to the actual spam domains. Notice the spam domain appearing in the browser, with the spammer's products and services being advertised.

These spam domains are part of a complex, fast-flux network designed by spammers and served from multiple locations per Web session.


Observe how these spam domains are served from different locations on each session (domain lookup) or request. This makes it harder to keep track of, or even identify, the locations from which the domains are served.

Observe that the locations serving these spam domains are also serving several other similar, randomized spam domains, so that the whole ecosystem forms a fast-flux infrastructure.

Notice that all the domains belonging to this fast-flux network have the same directory structure.

These random domain names, served from different locations (IP addresses), are used by spammers in multiple spam campaigns. The complex network structure makes it harder to keep track of, or identify, the active locations and domains, thereby frustrating a range of services offered by security vendors.
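The two observations above (each lookup of a spam domain returning a different set of IP addresses, and the same IP addresses serving many randomized domains) can be turned into a simple detection heuristic. The following is an added example, not Websense code: it runs over a constructed log of repeated DNS lookups, scores each domain on TTL and IP spread, and groups domains that share serving hosts into one "ecosystem". The domain names, addresses and thresholds are all assumptions for illustration.

```python
"""Fast-flux indicators from repeated DNS lookups (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed lookup log: (domain, TTL in seconds, A records returned).
# The spam domains rotate through many hosts in three different /24s;
# the ordinary vendor site always resolves to one host with a long TTL.
LOOKUPS = [
    ("pharma-example-1.invalid", 300, ["203.0.113.5", "198.51.100.7", "192.0.2.9"]),
    ("pharma-example-1.invalid", 300, ["198.51.100.7", "192.0.2.44", "203.0.113.77"]),
    ("pharma-example-1.invalid", 180, ["192.0.2.9", "203.0.113.77", "198.51.100.120"]),
    ("pharma-example-2.invalid", 300, ["192.0.2.44", "203.0.113.5", "198.51.100.120"]),
    ("pharma-example-2.invalid", 240, ["203.0.113.77", "192.0.2.9", "198.51.100.7"]),
    ("vendor-site.example", 86400, ["203.0.113.200"]),
    ("vendor-site.example", 86400, ["203.0.113.200"]),
]

def summarize(lookups):
    """Per domain: number of distinct IPs, distinct /24 prefixes, and lowest TTL seen."""
    ips = defaultdict(set)
    ttl = {}
    for domain, t, addrs in lookups:
        ips[domain].update(addrs)
        ttl[domain] = min(t, ttl.get(domain, t))
    stats = {}
    for domain, addrs in ips.items():
        prefixes = {str(ip_network(f"{a}/24", strict=False)) for a in addrs}
        stats[domain] = {"ips": len(addrs), "prefixes": len(prefixes), "min_ttl": ttl[domain]}
    return stats

def is_fast_flux(stat, max_ttl=600, min_ips=5, min_prefixes=3):
    """Heuristic: short TTL plus many IPs spread over several /24s (thresholds are assumptions)."""
    return stat["min_ttl"] <= max_ttl and stat["ips"] >= min_ips and stat["prefixes"] >= min_prefixes

def shared_ip_clusters(lookups):
    """Group domains that are served from at least one common IP address."""
    ip_to_domains = defaultdict(set)
    for domain, _, addrs in lookups:
        for a in addrs:
            ip_to_domains[a].add(domain)
    clusters = []
    for doms in ip_to_domains.values():  # merge every overlapping group
        merged, rest = set(doms), []
        for c in clusters:
            if c & merged:
                merged |= c
            else:
                rest.append(c)
        clusters = rest + [merged]
    return sorted(sorted(c) for c in clusters)
```

On the constructed log, both pharma domains score as fast-flux and fall into one cluster, while the vendor site does not; on real resolver logs the thresholds would need tuning against CDN-hosted domains, which also answer with many IPs but from stable, well-known prefixes.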

All of these tactics clearly represent the execution phases of many spammers' recent strategies. The entire ecosystem shows the spammer mindset of developing an efficient system that can be used for advertising campaigns (spamming) to reach prospective customers (targeted users) successfully.

Websense predicts that these Anti-CAPTCHA operations (both manual and automated) and Mass-mailing strategies (both manual and automated) could be carried out in large numbers by the spammers at any time for a variety of social-engineering attacks.

Websense AntiSpam technology is multi-dimensional and auto-adaptive. Therefore, it is able to continue to provide a high level of detection, even with spam of this nature, providing enhanced protection to Websense customers.

Security Researcher: Sumeet Prasad
