Wednesday, November 14, 2007

Popular Spammers Strategies and Tactics

It's been a while since I last contributed an article to WindowSecurity.com, so here it goes - Popular Spammers Strategies and Tactics:

"During 2007, spammers on a worldwide basis demonstrated their adaptability to the ongoing efforts anti-spam vendors put into ensuring their customers enjoy the benefits of having a spam-free inbox. What strategies do spammers use in order to achieve this? What tactics do they use in order to obtain email addresses, verify their validity, ensure they reach the highest number of receipts as possible in the shortest time span achievable, while making sure their spam campaigns remain virtually impossible to shut down?"

The article covers strategies and tactics such as: redirectors/doorway pages; rapid tactical warfare; verification/confirmation of delivery; consolidation; outsourcing; and affiliation-based models.

Electronic Jihad's Targets List

Despite the fact that the Electronic Jihad 3.0 campaign was a futile attempt right from the very beginning, given that the domains that were supposed to synchronize the targets to be attacked were down, it's interesting to try to find out whom they were targeting in the first place. In the first campaigns, the URLs of the targets (not victims, since the campaigns couldn't scale enough to cause even partial damage) were obtainable via the web, whereas in the third campaign they were about to be synchronized from those domains. And since the synchronization URLs were down before we could take a peek, here are the target URLs from the first two campaigns.

First campaign's targets list:
gov.il
keshmesh.net
meca-love4all.com
love4all.us

Second campaign's targets list:
love4all.us
islameyat.com
aldalil-walborhan.com
rapsaweyat.com
investigateislam.com
meca-me.org
ladeeni.net
meca-love4all.com

The attached table is the classification of the attacks: the site to be attacked, the reason for the attack, its importance, the results, and the site's status after the attack, namely whether it is up and running or shut down completely, and how shutting it down would please God.

There's a saying that a person is judged by the type of enemies he has. If we apply it to this situation, you would see a bunch of inspired wannabe cyber jihadists whose biggest enemy is their own idiocy in the first place. So, if these are the cyber jihadist enemies of yours - lucky you, and your critical infrastructure's integrity.

Scammy Ecosystem

In this example of a scammy ecosystem, you have a single IP (88.255.90.50) hosting the now-retro WebAttacker exploitation kit (inn2coming.com/income/index.php), a viagra scam (pctabletshop.hk) on a second parked domain, and investment banking scams on another two - progold-inv.biz; cfinancialservice.com. Now, all they're missing is a Rock Phish kit hosted on it, and that would have made it an even more interesting operation to monitor. Of course, putting more personal effort into everything pays off. The same netblock is also hosting popular downloaders' update locations and live exploit URLs such as stat1count.net; all1count.net; and the recently surfaced mediacount.net (88.255.90.253).
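The way such an ecosystem is spotted is by pivoting on shared hosting: resolve the domains you already know about, then group them by IP and by /24 netblock and look at the mix of roles that lands in one block. The following is an added example, not code from the original post; it works on constructed (domain, IP, role) records that mirror the domains named above. The 88.255.90.253 address for stat1count.net and all1count.net is an assumption (the post only gives that IP for mediacount.net and says the others sit in the same netblock), and the role labels and the unrelated example.test record are ours.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (domain, resolved IP, role as seen by the analyst).
# In practice these come from passive DNS or your own resolver logs.
SAMPLE_RECORDS = [
    ("inn2coming.com", "88.255.90.50", "exploit kit"),          # WebAttacker kit
    ("pctabletshop.hk", "88.255.90.50", "pharma scam"),
    ("progold-inv.biz", "88.255.90.50", "investment scam"),
    ("cfinancialservice.com", "88.255.90.50", "investment scam"),
    ("stat1count.net", "88.255.90.253", "downloader update"),   # IP assumed, same netblock
    ("all1count.net", "88.255.90.253", "downloader update"),    # IP assumed, same netblock
    ("mediacount.net", "88.255.90.253", "downloader update"),
    ("shop.example.test", "198.51.100.7", "unrelated"),         # control record, not on the page
]


def group_by_ip(records):
    """Map each IP to the (domain, role) pairs hosted on it."""
    groups = defaultdict(list)
    for domain, ip, role in records:
        groups[ip].append((domain, role))
    return dict(groups)


def group_by_netblock(records, prefixlen=24):
    """Map each /prefixlen netblock to the sorted set of domains hosted inside it."""
    groups = defaultdict(set)
    for domain, ip, _ in records:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].add(domain)
    return {net: sorted(domains) for net, domains in groups.items()}


def shared_hosting_clusters(records, min_domains=2, prefixlen=24):
    """Netblocks hosting at least min_domains distinct domains, largest first."""
    blocks = group_by_netblock(records, prefixlen)
    clusters = [(net, doms) for net, doms in blocks.items() if len(doms) >= min_domains]
    return sorted(clusters, key=lambda item: len(item[1]), reverse=True)


def role_mix(records, netblock):
    """Distinct roles seen inside one netblock; a mixed bag (kit + scams +
    malware update servers) is the 'ecosystem' signal worth a closer look."""
    net = ipaddress.ip_network(netblock)
    return sorted({role for _, ip, role in records if ipaddress.ip_address(ip) in net})


def blocklist_for_netblock(records, netblock):
    """Domains to feed a DNS/proxy blocklist once a netblock is judged hostile."""
    net = ipaddress.ip_network(netblock)
    return sorted({d for d, ip, _ in records if ipaddress.ip_address(ip) in net})


if __name__ == "__main__":
    for net, domains in shared_hosting_clusters(SAMPLE_RECORDS):
        print(f"{net}: {len(domains)} domains, roles={role_mix(SAMPLE_RECORDS, net)}")
        for domain in domains:
            print(f"    {domain}")
```

Run it as-is and the 88.255.90.0/24 block surfaces as a single cluster carrying the exploit kit, both scam flavours and the downloader update hosts, while the control record stays alone; swapping `SAMPLE_RECORDS` for live passive-DNS output is the only change needed to use it for real.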