Let’s take a look at the way malicious emails are distributed.
Let’s step behind the curtain now, away from the types of emails or the payloads, and take a look at the way malicious emails are distributed. There are two primary methods that scammers use to launch spam campaigns: botnets and bulk email toolkits.
Spam botnets are by far the main culprits behind the majority of spam sent today. The following are some of the key players in the spam botnet landscape.
The Necurs botnet first emerged in 2012 and has spread a variety of threats, ranging from Zeus to ransomware. While its activity has received far more attention in the past, Necurs appears to have faded into the background, at least in terms of press coverage. However, this botnet is still very much active. In fact, the Necurs botnet is the primary distribution vehicle for a variety of scams, including digital extortion.
For more on Necurs, check out the analysis, The Many Tentacles of the Necurs Botnet, carried out by Cisco Talos.
Much of the spam sent by Emotet falls into the packaging and invoice category. Emotet is modular malware and includes a spambot plugin. Given how the actors behind Emotet make money by using it as a distribution channel for other threats, the goal of most spam sent by the spambot module is to infect more systems with Emotet, further extending the reach of the malicious distribution channel.
Because Emotet steals content from victims’ mailboxes, it is often able to craft malicious, yet realistic-looking threaded messages that appear to recipients to be part of established conversations. Emotet is also known to steal SMTP credentials, commandeering victims’ own outbound email servers as a vehicle for outbound spam.
For more on Emotet, read our previous threat report in the Cybersecurity Report Series, Defending against today’s critical threats.
The Gamut botnet has been busy sending out dating and intimate relations spam, primarily around the premise of meeting people in your area. In other campaigns, the actors behind the botnet send out messages hawking pharmaceuticals or job opportunities (see Figure 10).
The actors behind Gamut have registered a variety of domains, though the infrastructure itself seems fairly simple, with multiple subdomains under one domain, often pointing to a single IP address. While Cisco has not confirmed whether the services offered are legitimate, the registration process does appear to be an attempt to phish personal information.
An alternative approach that many spammers take is purchasing toolkits to send out a large number of emails. Many of these tools are semi-legitimate, meaning that if you were selling your own handmade, bespoke shower curtains, you could technically use one of these toolkits to raise brand awareness via bulk email to your own opt-in mailing list. However, some of the features included in such toolkits, such as those that allow the rotation of sending IP addresses and the customized rebuilding of attachments in order to generate unique hash values, are far less likely to be used in such scenarios.
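The defensive consequence of those two toolkit features is that blocking on an attachment's exact hash, or on a single sending IP, is brittle. The following added example (not code from the Cisco report) clusters incoming messages by a normalized fingerprint instead, so that many distinct exact hashes arriving from several source IPs collapse into one campaign; it assumes the per-message rebuild is cosmetic (junk comments and whitespace in an HTML lure), and all sample data is constructed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: one HTML lure "rebuilt" per message with junk comments and
# whitespace so that every copy has a different SHA-256, sent from rotating
# source IPs. Every value below is invented for illustration.
LURE = b"<html><body><a href='http://example.invalid/login'>Review your invoice</a></body></html>"
MESSAGES = [
    {"src_ip": "198.51.100.10", "attachment": LURE},
    {"src_ip": "198.51.100.23", "attachment": b"<!-- 8f1c -->" + LURE},
    {"src_ip": "203.0.113.5",   "attachment": LURE.replace(b"><", b">\n  <") + b"<!-- 0a9b -->"},
    {"src_ip": "198.51.100.10", "attachment": b"<!--x-->\n" + LURE + b"\n\n"},
]

COMMENT_RE = re.compile(rb"<!--.*?-->", re.DOTALL)
WS_RE = re.compile(rb"\s+")


def exact_hash(data: bytes) -> str:
    """Plain SHA-256 of the attachment: the value a per-message rebuild is designed to change."""
    return hashlib.sha256(data).hexdigest()


def normalized_fingerprint(data: bytes) -> str:
    """SHA-256 over the attachment with HTML comments and whitespace removed.
    Cosmetic rebuilds leave this value unchanged; a genuinely different lure does not."""
    stripped = WS_RE.sub(b"", COMMENT_RE.sub(b"", data))
    return hashlib.sha256(stripped).hexdigest()


def cluster_campaign(messages, min_variants=3):
    """Group messages by normalized fingerprint and keep clusters that show toolkit
    behaviour: at least `min_variants` distinct exact hashes for what is really one
    attachment, together with the set of source IPs that delivered it."""
    clusters = defaultdict(lambda: {"hashes": set(), "ips": set(), "count": 0})
    for msg in messages:
        cluster = clusters[normalized_fingerprint(msg["attachment"])]
        cluster["hashes"].add(exact_hash(msg["attachment"]))
        cluster["ips"].add(msg["src_ip"])
        cluster["count"] += 1
    return {fp: c for fp, c in clusters.items() if len(c["hashes"]) >= min_variants}


if __name__ == "__main__":
    for fp, c in cluster_campaign(MESSAGES).items():
        print(f"{fp[:16]}... {c['count']} msgs, {len(c['hashes'])} exact hashes, {len(c['ips'])} source IPs")
```

On the sample above, four different exact hashes from three source IPs collapse into a single cluster; the same grouping applied to a mail gateway's attachment log gives a campaign-level signal that per-message hash rotation cannot defeat.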
Recently, Cisco Talos engineers uncovered Facebook groups where malicious actors were selling bulk email tools along with extensive email address lists, likely taken from data breaches. In these cases, the purchasers of such tools were clearly using them for nefarious purposes.