This week has seen some truly amazing spring weather around the MadLab including everything from tornado threats and sustained high winds to flash flooding and dense fog.

April showers, as the saying goes, bring May flowers – so we don’t mind too much as long as the power stays on and the trees don’t fall on the roof!

In cyberspace things also seem to be picking up. For about the last three weeks we had seen declining severity and frequency of spam storms. This week has been different.

Beginning about three days ago we have seen a surge in new spam storms, and in particular a dramatic increase in the use of hacked web sites and in the abuse of URL shorteners.

Previous 30 days of spam storms.

After 3 weeks of declining spam storms, a new surge starts this week...

There is also another notable change in the data. For several years now there has been a pretty solid 24-hour cyclical pattern to spam storms. This week we’re seeing a much more chaotic pattern. This and other anecdotal evidence suggest that the new spams are being generated more automatically and at lower levels across wider botnets.

We used to see distinct waves of modifications in response to new filtering patterns. Now we are seeing a much more chaotic and continuous flow of new spam storms, as current campaigns are continuously modified to defeat filtering systems.
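One way to put a number on that "solid 24-hour pattern" observation, as an added example that is not the MadLab's own tooling: bin storm arrivals into hourly counts and compute the lag-24 autocorrelation of the series. A strong daily cycle gives a value near 1.0; a series where day N looks nothing like day N+1 at the same hour gives a value near or below zero. The two hourly series below are constructed for the illustration, not measured data.

```python
# Added example for this post: it is not the MadLab's own tooling and the
# hourly count series below are constructed, not measured. It measures how
# strongly a run of hourly spam-storm counts repeats with a 24-hour period,
# using the lag-24 autocorrelation: close to 1.0 for a solid daily cycle,
# near (or below) 0 when day N looks nothing like day N+1 at the same hour.
import math

HOURS_PER_DAY = 24


def hourly_counts(arrivals_epoch, start_epoch, hours):
    """Bin storm arrival times (Unix seconds) into consecutive hourly counts."""
    counts = [0] * hours
    for ts in arrivals_epoch:
        idx = int((ts - start_epoch) // 3600)
        if 0 <= idx < hours:
            counts[idx] += 1
    return counts


def autocorrelation(series, lag):
    """Pearson correlation between the series and itself shifted by `lag`."""
    if lag <= 0 or lag >= len(series):
        raise ValueError("lag must be between 1 and len(series) - 1")
    a, b = series[:-lag], series[lag:]
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    norm_a = math.sqrt(sum((x - mean_a) ** 2 for x in a))
    norm_b = math.sqrt(sum((y - mean_b) ** 2 for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0  # a flat series has no cycle to speak of
    return cov / (norm_a * norm_b)


def diurnal_strength(counts):
    """Lag-24 autocorrelation of hourly counts; needs at least two days of data."""
    return autocorrelation(counts, HOURS_PER_DAY)


# Constructed series, one week of hourly counts each.
# A clean daily cycle: the same peak and trough every day.
CYCLICAL = [round(10 + 8 * math.sin(2 * math.pi * h / 24)) for h in range(7 * 24)]
# A series with a 5-hour rhythm and no 24-hour one: each day's hourly
# profile is shifted relative to the previous day's.
NO_DAILY_CYCLE = [[3, 9, 4, 8, 6][h % 5] for h in range(7 * 24)]

if __name__ == "__main__":
    for name, series in [("cyclical", CYCLICAL), ("no daily cycle", NO_DAILY_CYCLE)]:
        print(f"{name:15s} lag-24 autocorrelation = {diurnal_strength(series):+.2f}")
```

Run against a real arrival log, the interesting thing to watch is the trend of this value week over week: a drift from near 1.0 toward zero is exactly the "much more chaotic pattern" described above, expressed as a single number you can plot alongside the storm counts.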

Chaotic spam storm arrival rates over the past 48 hours

There’s no telling if these trends will continue, nor for how long, but they do seem to suggest that new strategies and technologies are coming into use in the blackhatzes’ camps. No doubt this is part of the response to the recent events in the anti-spam world.

Microsoft takes down Rustock spam botnet

DOJ gets court permission to attack botnet

In response to the blackhatzes’ changes my anti-spam team and I have developed several new protocols and modified several of our automated friends (rule-bots) to take advantage of new artifacts in the data. The result has been a dramatic increase in the creation rate of new heuristics, reduced response times, and improved preemptive captures.

Rule Activity Display shows higher rule rates and smoother hit densities

With these changes, the shift in blackhatz tactics, and new sniffer engine updates coming along, I’m going to be very busy watching the blinking lights to keep track of the weather outside the MadLab and in cyberspace.


Those trixy blackhatzes are making a real mess of things these days. The last day or so in particular has been a festival of hacked servers and exploited free-hosting sites. Just look at this graph from our soon-to-be-launched Spam-Weather site:


While spammers have always enjoyed exploiting free services, they have been particularly busy at it the last few days. The favorites this time around have been webstarts and doodlekits. What makes sites like these so attractive to the blackhats is that there is virtually no security around sign-up: anybody can create a new account in minutes without any significant challenge. That means the entire process can be scripted and automated by the blackhats.

After they’ve used one URL for a while (and it begins to get filtered) they simply light up another one, and so on, and so on.

Some email administrators are tempted to block all messages containing links to free hosting sites — and for some that might be an option — but for PROs like us it’s not. There are usually plenty of legitimate messages floating around with links to free-hosted web sites so blocking all such links would definitely lead to false positives (unacceptable).

At ARM we have a wide range of defenses against these messages so we’re able to block not only on specific links but also on message structures, obfuscation techniques, and other artifacts that are always part of these messages. In addition to that our tools also allow us to predict what the next round of messages might look like so that even when they do change things up we’re often ahead of them.
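The approach described in the last few paragraphs, as an added example that is not ARM's code and not a description of how the sniffer engine's rules actually work: a link to a free-hosting service or a URL shortener counts as a weak signal, and the message is only blocked when structural artifacts of the bulk template are present as well, so that a legitimate message pointing at a free-hosted site passes while the same spam template survives a rotation to a fresh account. The domain lists, weights, threshold and sample messages are all constructed for the illustration.

```python
# Added example for this post (not ARM's code, and not how the sniffer
# engine's rules actually work): a layered spam score that treats a link to
# a free-hosting service or URL shortener as a weak signal and only blocks
# when structural artifacts of the bulk template are present too. Domain
# lists, weights, the threshold and the sample messages are all constructed
# for illustration.
import re
from dataclasses import dataclass, field

FREE_HOSTING = {"webstarts.com", "doodlekit.com"}     # the two services named above
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}  # assumed list

URL_RE = re.compile(r"https?://([^/\s]+)(?:/\S*)?", re.IGNORECASE)
# A letter, then a digit or symbol standing in for a letter, then a letter:
# matches "V1agra"-style obfuscation inside a word.
OBFUSCATED_WORD_RE = re.compile(r"[A-Za-z][0-9@$][A-Za-z]")

SPAM_THRESHOLD = 4  # assumed tuning; raise it if false positives show up


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(f"+{points} {why}")


def _on_service(host, services):
    return any(host == s or host.endswith("." + s) for s in services)


def _looks_generated(label):
    """Account names minted by a script tend to be long, digit-heavy or vowel-free."""
    return len(label) >= 8 and (
        re.search(r"\d{2,}", label) is not None
        or re.search(r"[aeiou]", label) is None
    )


def score_message(body):
    v = Verdict()
    hosts = [m.group(1).lower() for m in URL_RE.finditer(body)]
    text_only = URL_RE.sub(" ", body)
    words = re.findall(r"[A-Za-z]{2,}", text_only)

    # Link-based signals are deliberately weak: legitimate mail carries these
    # links too, so on their own they stay below the threshold.
    free_hosts = [h for h in hosts if _on_service(h, FREE_HOSTING)]
    if free_hosts:
        v.add(1, "link to free-hosting service")
    if any(_on_service(h, URL_SHORTENERS) for h in hosts):
        v.add(1, "link through URL shortener")

    # Structural artifacts of the template. These survive the spammer
    # rotating to a fresh account or a fresh short URL, which is why they
    # carry more weight than the link itself.
    if hosts and len(words) < 8:
        v.add(2, "body is little more than a link")
    if OBFUSCATED_WORD_RE.search(text_only):
        v.add(2, "digit-for-letter obfuscation")
    if any(_looks_generated(h.split(".")[0]) for h in free_hosts if h not in FREE_HOSTING):
        v.add(2, "auto-generated-looking account name on free host")
    return v


def is_spam(body):
    return score_message(body).score >= SPAM_THRESHOLD


# Constructed sample messages, not real captures.
LEGIT = ("Hi Bob, the community garden schedule is posted at "
         "http://springfieldgarden.webstarts.com/schedule - see you Saturday morning.")
SPAM = "http://xk92jq71a.doodlekit.com/ V1agra ch3ap - order now"
# Same template after the spammer "lights up" a new account on another service.
SPAM_ROTATED = "http://qq71zk93b.webstarts.com/ V1agra ch3ap - order now"

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spam", SPAM), ("spam, rotated URL", SPAM_ROTATED)]:
        v = score_message(msg)
        print(f"{name:18s} score={v.score} spam={is_spam(msg)} {v.reasons}")
```

The legitimate message scores 1 and passes; both spam variants score 7 on exactly the same reasons, because nothing the spammer changed between them (the hostname) is what the heavier rules look at. The threshold is the false-positive trade-off: a bare "check this out" plus a shortened link lands at 3 and is let through, so a real deployment would add more artifacts (for instance, what the shortener resolves to) rather than lower the bar.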

No mistake about it though… it’s hard work!

It would be _MUCH_ better for everyone if folks who offer free hosting and other commonly exploited services (like URL shortening, blog hosting, and free email accounts) would do a better job keeping things secure.

© 2012 Life At Warp 9