Blog
Spammer Multi-vector: Email, Web, and Web 2.0 Blended Attacks
09.08.2008 - 7:00 AM

For spammers, the entire attack strategy always includes more than registering email accounts using Anti-CAPTCHA operations, sending mass emails over the Internet, infecting thousands of user machines, and stealing information. It also involves switching the attack strategy to target both Email and Web space, using a combination of different tactics, manual as well as automated, to carry out various attacks.
Websense predictions about spammers switching their strategies to carry out different attacks, made originally at the time of the Anti-CAPTCHA operations, have proved to be accurate. The spammers are now using such operations for a variety of social-engineering attacks, a trend that has been increasingly common with various popular Web 2.0 sites.
Our HoneyJax system has received reports in which spammers are observed using Google’s well-known blog publishing system, Blogger, and posting random comments to blogs, wikis, guestbooks, and other publicly accessible online discussion boards to promote their products and services, adware installations, and information-stealing malware infections.
From a spammer's perspective there are five main advantages to this strategy:
1. Adding or posting links that point to the spammer's weblog site artificially increases the site's search engine ranking. Also, Google’s Blogger is one of the most visited blog sites.
2. An increased ranking often results in the spammer's site being listed ahead of other sites for certain searches, increasing the number of potential visitors and paying customers. Hence spammers have an increased success rate with promotion of advertising, clickthroughs, adware installations, and malware infections for stealing information.
3. Spammers can use their weblog accounts or the corresponding links to launch a range of attacks using mass-mailing campaigns (email-based attacks) as well as posting them to blogs, wikis, guestbooks, or other publicly accessible online discussion boards (Web-based attacks).
4. Using Google’s Blogger service to advertise their products and services helps spammers to defeat a range of antispam and Web filtering services that rely heavily on reputation.
5. It may be hard to keep track of spammer accounts and their weblogs as millions of users worldwide are using Google’s Blogger services on a regular basis.
Here is the output from one of the Websense HoneyJax logs:

When users visit the link above, they are led to the spammers' blog. Here is the screenshot of the spam blog, or 'splog', hosted on Blogger:

Spammers create such splogs using machine-generated or hijacked content with the aim of targeting unsuspecting users. Observe that the spammers also include links in their splogs that refer to legitimate sites, in order to trick users. These tactics are used to increase the chances of success with their attacks.
Screenshot showing legitimate sites referenced in a splog:

It is also interesting to note the different 'labels' used by spammers in their splogs. All of the labels link to pages within the splog site, and those pages carry essentially the same information and code. The pages are designed to appear legitimate, and their content appears to be credit card-related text. Most of the code is standard HTML (following Blogger styles), with stylesheet information for formatting the page and links to other similar pages that carry different labels but the same content, which again helps spammers increase the chances of success with their attacks.
Screenshot showing the different 'label' pages within the splog that have the same content:

It is also interesting to observe how spammers create such splogs using hijacked content, especially when it comes to the images used in the splog. The spammers collect the images from legitimate sites and store them on their own sites that are dedicated to the storage of hijacked images. Images in the splogs are then served from this location. The spammers adopt such tactics so that the stolen resources can be reused across splogs.
Screenshot showing images hijacked from other sites being stored on and served from a spammer storage site:

Observe that this Blogger site also includes malicious links. The spammers have used images hijacked from legitimate sites and embedded malicious links in them. Some of these images act as doorways to a malicious Web site that attempts to install a rogue application on visitors’ machines, and some act as doorways to spammer Web sites that promote their products and services. These tactics clearly represent the combined efforts of spammers and malware authors to push their products and services onto prospective victims.
Screenshot showing the images in the splog acting as malicious and spam doorway links:
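Two of the splog traits described above can be checked for automatically: label pages that carry identical body text, and linked images hosted off-blog whose link leads to yet another host (the doorway pattern). The following is an added example written for this post, not Websense or Blogger code; the `_Page` parser, the function names and every host name (`splog.blogspot.example`, `img-store.example`, `rogue-app.example`) are constructed placeholders.

```python
# Added example, not from the Websense post; hosts below are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse
class _Page(HTMLParser):
    """Collect body text (outside the label <nav>) and <a><img> pairs."""
    def __init__(self):
        super().__init__()
        self.text, self.img_links, self._href, self._in_nav = [], [], None, 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "nav":
            self._in_nav += 1
        elif tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:       # image wrapped in a link
            self.img_links.append((a.get("src", ""), self._href))
    def handle_endtag(self, tag):
        if tag == "nav":
            self._in_nav -= 1
        elif tag == "a":
            self._href = None
    def handle_data(self, data):
        if not self._in_nav and data.strip():
            self.text.append(" ".join(data.split()))
def doorway_images(page_url, html):
    """Linked images hosted off-blog whose link goes to yet another host."""
    p = _Page(); p.feed(html)
    blog = urlparse(page_url).hostname
    out = []
    for src, href in p.img_links:
        img_host = urlparse(src).hostname or blog     # relative URL: same host
        link_host = urlparse(href).hostname or blog
        if img_host != blog and link_host not in (blog, img_host):
            out.append((src, href))
    return out
def duplicate_label_pages(pages):
    """Groups of label pages whose text is identical once the label nav is ignored."""
    groups = {}
    for url, html in pages.items():
        p = _Page(); p.feed(html)
        groups.setdefault(" ".join(p.text), []).append(url)
    return [sorted(u) for u in groups.values() if len(u) > 1]
# Constructed splog: three label pages, same body, one image is a doorway.
BODY = ('<nav><a href="/search/label/{l}">{l}</a></nav>'
        '<p>Apply now for a low rate credit card.</p>'
        '<a href="http://rogue-app.example/install">'
        '<img src="http://img-store.example/visa.gif"></a>'
        '<a href="/about"><img src="http://img-store.example/logo.gif"></a>')
PAGES = {"http://splog.blogspot.example/search/label/" + l: BODY.format(l=l)
         for l in ("credit", "cards", "rates")}
```

Run over a real crawl, `duplicate_label_pages` groups the label URLs that share a body, and `doorway_images` lists the off-site image and link pairs to feed into reputation checks.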

Google’s Blogger services also enable users to subscribe to blog posts. The latest changes or updates to a blog are reported to subscribed users by means of Web feeds and emails. Spammers could also use this feature to carry out a range of attacks, in addition to promoting their products and services.
Screenshot showing the splog through Web feeds:

Many popular blogging and Web 2.0 sites also enable blog readers and visitors to post comments on different blogs or posts (depending on the options set by the blog owner). A comment might be a written remark, an added piece of information, an observation or statement, or feedback. Spammers could also use this feature to target blog owners. From a spammer's perspective it is promotion of products and services via spam delivered in the form of comments, known as comment spamming. If the posted comments are visible (depending on the options set by the blog owner), then spammers gain an additional advantage, as it increases their chances of reaching all potential visitors of the blog.
Our HoneyJax system has received reports which demonstrate how blog owners can be targeted using comment spamming as a scam lure. It is interesting to observe how blog owners are targeted using various tactics. While some of the spammers are busy harvesting email addresses for spamming, others come up with ideas and elements to build the content required for spamming, aiming to increase the chances of success with their attacks and possibly to extend them over both Web and email space.
From a spammer’s perspective, posting comments with a view to establishing a relationship with the target (the blog owner) is the initial success in their strategy. Observe the spammers' efforts to reach blog owners with the aim of obtaining the blog owner’s email address.
Screenshot showing the comment spam targeting a blog owner:

Once blog owners are victimized by such tactics, the spammers' next phase is to target the blog owner’s email address with mass emails to carry out different attacks. Here are the reports received by our HoneyJax system showing the blog owner targeted by spammers with mass Nigerian or 419 scam emails.
Screenshot showing the blog owner being targeted by mass-emails:

When users are given privileges such as content creation, directly editing HTML or uploading files, and content distribution, security issues are bound to arise. This power is being abused by spammers and malware authors to carry out various attacks which pose a direct threat to Web 2.0 functionality. While Web 2.0 service providers make continuous efforts to combat the abuse of their services, spammers, phishers and malware authors keep carrying out attacks over them, proving their adaptability; this can be clearly seen as an iterative cycle in the Email, Web and Web 2.0 security arena.
Security Researcher: Sumeet Prasad