
Spammers Prefer Compromised Accounts To Botnets

CmdrTaco posted about 3 years ago | from the i-prefer-pie-to-cake dept.

Botnet 53

Orome1 writes "Spammers today favor compromised accounts for sending spam, gradually shifting distribution away from botnets, according to Commtouch. The changed tactic has emerged as spam levels dropped dramatically, following several high-profile botnet takedowns. Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks."


53 comments

I believe it. (2)

Krojack (575051) | about 3 years ago | (#36735308)

Even with the small number of email accounts on my mail server (~6000), I'm having to deal with 1-2 of these compromised accounts a week on average. Most of the time they use squirrelmail to send out the spam.

Re:I believe it. (0)

Anonymous Coward | about 3 years ago | (#36735550)

Yep, following the Sony hack my email was compromised due to me using the same password for my contact email as was the password for the Sony account. Luckily I was able to get it back under my control quickly, but the spammer had already spammed all my contacts.

Submitting as AC because I'm embarrassed that I did something that dumb.

Same issue on the web hosting side (1)

Wrexs0ul (515885) | about 3 years ago | (#36735612)

Since customers can create email accounts for other users, it was a must that we run an outbound spam filter. It's picked up on some servers, substantially. Luckily none of it sees the light of day, but the processing power required to send/receive email gets spiky.

Funny enough it tends to be the smaller accounts causing the most problems. Larger hosting packages tend to come with in-house support on the client side, and they create smarter passwords and smarter users :)

-Matt

Re:I believe it. (2)

tripleevenfall (1990004) | about 3 years ago | (#36735990)

It was funny to get an email from an ex girlfriend to whom I have not spoken in years advertising black market pharmaceutics, a subject with which she was intimately familiar...

Re:I believe it. (1)

Capt.DrumkenBum (1173011) | about 3 years ago | (#36735992)

I have seen this twice. The first was a friend of mine, smart and computer savvy enough to have a decent password, and the second was my sister, whose password was probably abc123, qwerty1, or password.
This encouraged me to begin changing all my passwords.

Re:I believe it. (1)

capnkr (1153623) | about 3 years ago | (#36737014)

I literally just had a call from a client of mine who's apparently become a victim of this. Their ISP is Time/Warner, the email account password was fairly strong but guessable (initials bracketing the client's DOB), and this person only uses the TW web-based interface to do their email - there is no email client or address book on the system itself at all. Yet a large block of the contacts in the account received spam originating apparently from this address. I am having one of the spams forwarded to me so I can take a look at headers and such...

Re:I believe it. - spam source (0)

Anonymous Coward | about 3 years ago | (#36737582)

The problem could very well be either that the user clicked on an infection, and so the information is recorded (keylogged) or sent due to a web virus (scripts identifying the site), or that the password is known and being used to authenticate the message to TimeWarner for sending. This is happening more with Yahoo and Google ... and what seems stupid is that all they had to do was look at the message source ... an IP from the EU, when the user created the account in the US, and the account gets regular logins from a handful of US IP space, but then suddenly gets hits from non-US IP space? ... how could they not flag that for follow up? They are big enough that such an investment in infrastructure (log tracking) would pay off easily. It would allow them to see, tag, and review messages from uncommon log-on sources and then block that IP source accordingly (also disabling the email account so that the real user has to come in and try to validate their use and a new password).

Re:I believe it. - spam source (1)

Moryath (553296) | about 3 years ago | (#36738480)

Actually, Hotmail tried this for a while.

It failed horribly. A lot of legitimate users' accounts got lost in the shuffle. And since the only way to log in and get your account unblocked was either (a) go to a super secret forum that they didn't even list on the "get my account back" page or (b) give them your phone number to validate via SMS (nevermind that a good number of people still don't do SMS messages or want to give Microsoft their phone number), what they wound up instead was a "throwing out the baby with the bathwater" approach where a large number of users simply said fuck you, we're leaving.

Re:I believe it. (1)

capnkr (1153623) | about 3 years ago | (#36754382)

Received an email from the client; I had recommended they call TW when on the phone with them, as it sounded like their account was breached, that it was not something actually on the system.
TW said it was likely a password compromise, & changed the pw for the account.

Re:I believe it. (1)

fifedrum (611338) | about 3 years ago | (#36737756)

I work for an email service provider; we're catching many each day, most less than 500 emails at a time. I think about 1/2 of them are compromised PCs, as they're using the same IP addresses the customers use, different HELO hostname and all that, but they're still authenticating from the same place. That's the wild part. I watched a network sniff play out on screen, showed the authentication stuff, same user ID and password, different HELO hostname and headers, right alongside another session where the user was sending legit email.

The other portion are clearly phished accounts, customer in Boise, connection from China for example.

The kicker is that we've had to turn off our internal reputation system based on the age of the email account. Used to be > 1 month old had higher limits than < 1 month old (for the love-em-then-leave-em accounts), but today, no one is trusted.

The only good thing is they seem to come in phases, where a particular campaign of the exact same email comes from dozens of accounts, for hours at a time, then switches to a new campaign later. Makes filters easier to manage.
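The two detection ideas raised in the replies above (an account suddenly logging in from IP space it never used, and a second session from the customer's own IP that presents a different HELO name and much higher volume), as an added example that is not part of this thread. The log format, field names and sample lines are constructed for illustration only.

```python
import re
from collections import defaultdict

# Constructed SMTP AUTH log format (this example's own, not any real MTA's).
LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2}) "
    r"helo=(?P<helo>\S+) rcpts=(?P<rcpts>\d+)"
)

def parse(lines):
    """Turn log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def build_baseline(events):
    """Per user: the countries seen, and the HELO name first seen from each client IP."""
    countries = defaultdict(set)
    helos = defaultdict(dict)
    for e in events:
        countries[e["user"]].add(e["cc"])
        helos[e["user"]].setdefault(e["ip"], e["helo"])
    return countries, helos

def detect(baseline, events, rcpt_limit=50):
    """Return (user, reason, detail) alerts for the events after the baseline period."""
    countries, helos = baseline
    alerts = []
    for e in events:
        u = e["user"]
        # Login from a country this account has never authenticated from.
        if u in countries and e["cc"] not in countries[u]:
            alerts.append((u, "new_country", e["cc"]))
        # Same account and same client IP, but the HELO name changed:
        # a second machine (or malware) behind the customer's connection.
        known = helos[u].get(e["ip"])
        if known and known != e["helo"]:
            alerts.append((u, "helo_change", f"{known}->{e['helo']}"))
        # Recipient count per session far above what a person sends.
        if int(e["rcpts"]) > rcpt_limit:
            alerts.append((u, "volume", e["rcpts"]))
    return alerts

# Constructed sample: a week of normal traffic, then three later sessions.
BASELINE_LOG = [
    "2011-07-05T08:01:00Z user=alice ip=198.51.100.4 cc=US helo=alice-laptop rcpts=1",
    "2011-07-06T09:30:00Z user=alice ip=198.51.100.4 cc=US helo=alice-laptop rcpts=3",
    "2011-07-06T18:12:00Z user=bob ip=203.0.113.9 cc=US helo=bob-pc rcpts=2",
]
NEW_LOG = [
    "2011-07-12T03:14:02Z user=alice ip=192.0.2.77 cc=CN helo=alice-laptop rcpts=400",
    "2011-07-12T03:20:11Z user=bob ip=203.0.113.9 cc=US helo=localhost.localdomain rcpts=120",
    "2011-07-12T09:05:00Z user=alice ip=198.51.100.4 cc=US helo=alice-laptop rcpts=2",
]

def run_demo():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(NEW_LOG))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```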

wow slashdot comments are dead (-1)

Anonymous Coward | about 3 years ago | (#36735316)

first post!

lower overhead? (1)

BulletMagnet (600525) | about 3 years ago | (#36735322)

Botnet rental is still an expense....

gmail has a nice feature (0)

Anonymous Coward | about 3 years ago | (#36735370)

When I log in to my account from a different IP or a different machine, my phone receives an SMS with a number I need to enter so that I can access my email..
It's free and I believe it will prevent this kind of spam or other hostile takeover of my account..

Re:gmail has a nice feature (2)

Krojack (575051) | about 3 years ago | (#36735410)

That's all fine and dandy, and yes a lot of people have a cell phone these days, but there are still hundreds of millions without them and others that don't have this option on their email service.

Re:gmail has a nice feature (1)

Lennie (16154) | about 3 years ago | (#36735556)

It is actually a lot more likely that people just have a cell phone and no computer.

In Africa for example, many have a simple "smart" phone and no access to a computer.

Re:gmail has a nice feature (1)

Tx (96709) | about 3 years ago | (#36735566)

That would drive me nuts.

Re:gmail has a nice feature (0)

Anonymous Coward | about 3 years ago | (#36735690)

You can check a box so that it remembers for 30 days that machine as trusted.

Re:gmail has a nice feature (1)

v1 (525388) | about 3 years ago | (#36737262)

it's more of a cookie though isn't it? nothing to do with a setting on gmail's servers.

Re:gmail has a nice feature (2)

danlock4 (1026420) | about 3 years ago | (#36737456)

If it were to drive you nuts, you would start the squirrelmail problem anew...

Re:gmail has a nice feature (1)

jank1887 (815982) | about 3 years ago | (#36737858)

not free to me and many others not paying the text message extortion... yet.

Taking advantage of trust (2)

damn_registrars (1103043) | about 3 years ago | (#36735518)

They realize that a compromised account started as an active account, and thus is less likely to be blacklisted at a border. That, and as a legitimate account the payload is more likely to go through mail servers that are commonly whitelisted (or at least, not blacklisted).

Re:Taking advantage of trust (1)

MBCook (132727) | about 3 years ago | (#36735724)

I wonder how much of this is DKIM/DomainKeys and Sender ID? Making it harder to forge things means it's easier to just use compromised accounts instead.

Re:Taking advantage of trust (0)

Anonymous Coward | about 3 years ago | (#36736824)

We get spam from yahoo accounts all the time that is domain keys signed. Our policy now is mark it as spam if a mismatch, but ignore it if it is a good signing. Same policy for SPF.

Doesn't really add much to our anti-spam efforts.

But, trust does factor. Schools and such where these phished accounts come from are unlikely to be on RBLs, at least during the initial portion of a spam campaign. A botnet PC starts out on, at least, "dial up" RBLs.

Re:Taking advantage of trust (1)

hedwards (940851) | about 3 years ago | (#36737860)

Hotmail used to be a serious problem because of the amount of spam coming from there; it was too big of a domain for most folks to block, but there was a significant amount of spam originating there. That seems to have changed in recent years though.

Re:Taking advantage of trust (1)

gl4ss (559668) | about 3 years ago | (#36736588)

With a compromised account you don't have to deal with AV or the person reinstalling or just plain leaving his computer off. However, I can't help but imagine that botnets would be the prime way to mine for those accounts.

Funny Link! (0)

Anonymous Coward | about 3 years ago | (#36735560)

Compromised accounts = compromised contacts. Click this funny link!

Re:Funny Link! (1)

DarenN (411219) | about 3 years ago | (#36735694)

Where's the link?!!?!?!!one

"low-volume spam outbreaks" (1)

mapkinase (958129) | about 3 years ago | (#36735588)

That sounds like an oxymoron.

Woot! (1)

earls (1367951) | about 3 years ago | (#36735666)

90,000 email addresses later, and now major.payne@usmc.mil is offering Viagra at a discount!

That's because of reputation (3, Insightful)

jader3rd (2222716) | about 3 years ago | (#36735682)

All of the major spam filters use reputation as a metric. And stealing reputation is easier than building it.

Re:That's because of reputation (0)

Anonymous Coward | about 3 years ago | (#36736690)

Only the crappy ones.

But for me to say more would be astroturfing :-/

iam borrowing this account (2)

Konster (252488) | about 3 years ago | (#36735716)

Can I interest anyone in a set of steak knives and viagra? www.steaknivesandviagra.com for best price, leading customer support and free shipping to you.

Re:iam borrowing this account (1)

khr (708262) | about 3 years ago | (#36735840)

Is that combination endorsed by John and Lorena Bobbitt?

Re:iam borrowing this account (0)

Anonymous Coward | about 3 years ago | (#36736214)

Is that combination endorsed by John and Lorena Bobbitt?

Mostly Lorena, I would think.

Re:iam borrowing this account (1)

dkleinsc (563838) | about 3 years ago | (#36739830)

No, but it is endorsed by Anthony Wiener.

Re:iam borrowing this account (0)

Anonymous Coward | about 3 years ago | (#36737474)

your domain name sampling period has expired.

Biggest source of spam is salesforce (0)

Anonymous Coward | about 3 years ago | (#36735972)

I find that salesforce, jigsaw, and similar systems are the biggest source of spam that I'm currently receiving.

One of these scumbag marketers got a hold of my info & sold it to them.

Fortunately, blacklisting salesforce & jigsaw is easy...

Unblockable servers (1)

gmuslera (3436) | about 3 years ago | (#36736014)

You can use graylists/blacklists/RBLs to get rid of most of the noise caused by botnets and similar, but you shouldn't block gmail/yahoo/hotmail or other big mail servers.

Re:Unblockable servers (1)

Animats (122034) | about 3 years ago | (#36736556)

shouldn't block gmail/yahoo/hotmail or other big mail servers.

It's useful to have a penalty in your spam filter for free email services. Google's inbound spam filtering is good. Outbound spam filtering, not so much.

Related to this, the use of free hosting services as spam targets continues. Google spreadsheets, of all things, are widely used to support phishing scams. Here's a "Microsoft Webmail Activation Form" embedded in a Google spreadsheet. [phishtank.com] Because the related phishing emails contain a Google URL, they tend not to be tagged as spam by spam filters. The strange thing about that example (one of 124 such in PhishTank today) is that Google's spam blocking, as used by Firefox, knows that's a phishing page. The anti-phishing part of Google isn't talking to their own abuse department.

We've been tracking this [sitetruth.com] at SiteTruth for years. The Google spreadsheet scam is less than a year old, and is now the most popular attack we see. Some free hosting services (mostly "t35.com", "piczo.com", "webs.com") still get hit, but Google is now #1.

Basic truth: if you offer free hosting or free URL redirection, you must have an automatic cross-check with phishing data sources like PhishTank and the APWG, or you will be pwned by phishers. Free hosting includes spreadsheets, forms, and polls. If the user can put HTML into it, it can be used for phishing.

Surprised it took so long (1)

Kelson (129150) | about 3 years ago | (#36736144)

I predicted spammers would shift to using stolen login credentials way back in 2005 [hyperborea.org].

Thank you, LulzSec (2)

arcctgx (607542) | about 3 years ago | (#36736196)

Thanks for releasing stolen passwords for 62000 email accounts. Spammers must be very happy now.

So, Private Botnets != Botnets???? (1)

malakai (136531) | about 3 years ago | (#36736252)

"Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks"

So, they are making their own botnets, rather than leasing one from some Russian or Chinese hacking group.

6 of one, 0.5 dozen of another....

Re:So, Private Botnets != Botnets???? (1)

Anonymous Coward | about 3 years ago | (#36737994)

No, it's not a botnet, it's nothing like a botnet. RTFA

Re:So, Private Botnets != Botnets???? (0)

Anonymous Coward | about 3 years ago | (#36741694)

Or even just the summary.

This needs to be addressed by the mail hosts (1)

im_thatoneguy (819432) | about 3 years ago | (#36736488)

I already had my Hotmail account somehow compromised this year. It sent an email to everyone in my contact list alphabetically. I wish I could set a pin for emails with more than 5 recipients in less than 30 minutes. And that watched for unusual volumes of outgoing mail to alert another email address.

Obviously these settings would be pin accessible to ensure the compromised account didn't go crazy.

I wouldn't even mind a separate highly irregular password for IMAP or POP3 access.

This *shouldn't* be a problem with some very basic options for account holders. Hell, I wouldn't mind changing my old Hotmail so that it's incapable of sending emails at all for instance.
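The per-account controls described in the post above (a step-up check when a message goes to more than 5 recipients within 30 minutes, and an alert to a secondary address when outgoing volume is unusual), as an added example that is not part of this thread and not any webmail provider's code. The thresholds, the sliding-window design and the sample submissions are this example's own assumptions.

```python
from collections import defaultdict, deque

class OutboundGuard:
    """Sliding-window recipient counter per account with step-up and volume alerting."""

    def __init__(self, max_rcpts=5, window=30 * 60,
                 alert_rcpts=100, alert_window=24 * 3600):
        self.max_rcpts = max_rcpts        # recipients allowed per window without a PIN
        self.window = window              # seconds (30 minutes, as the poster asked for)
        self.alert_rcpts = alert_rcpts    # daily recipient total that triggers an alert
        self.alert_window = alert_window  # seconds kept for the volume check
        self.sent = defaultdict(deque)    # user -> deque of (timestamp, recipients)
        self.alerts = []                  # (user, timestamp, recipients in the last day)

    def submit(self, user, ts, rcpts, pin_ok=False):
        """Decide whether one outgoing message is accepted or needs a PIN first.

        ts is a Unix-style timestamp in seconds; rcpts is the recipient count of
        the message; pin_ok says the account holder already passed the step-up check.
        """
        q = self.sent[user]
        # Drop history older than the longest window we still need.
        while q and q[0][0] < ts - self.alert_window:
            q.popleft()
        # Recipients in the short window, including this message.
        recent = sum(n for t, n in q if t >= ts - self.window) + rcpts
        if recent > self.max_rcpts and not pin_ok:
            return "needs_pin"            # nothing is recorded until the PIN is given
        q.append((ts, rcpts))
        # Alert once, at the moment the daily total crosses the threshold.
        daily = sum(n for _, n in q)
        if daily - rcpts <= self.alert_rcpts < daily:
            self.alerts.append((user, ts, daily))
        return "accepted"

def run_demo():
    """Constructed sequence for one account; returns the decisions and the alerts."""
    guard = OutboundGuard()
    steps = [
        ("alice", 0, 3, False),      # 3 recipients: fine
        ("alice", 600, 3, False),    # 6 in 30 minutes: step-up required
        ("alice", 600, 3, True),     # same message after the PIN: accepted
        ("alice", 2000, 1, False),   # first message has left the 30-minute window
        ("alice", 4000, 200, True),  # hijacked-style burst: accepted with PIN, but alerted
    ]
    results = [guard.submit(*s) for s in steps]
    return results, guard.alerts

if __name__ == "__main__":
    print(run_demo())
```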

Why you need to report your spam (1)

utkonos (2104836) | about 3 years ago | (#36736922)

This is why you need to scrub your email address from the spam and forward the scrubbed mail to the abuse@ address for the address that spammed you. I've gotten numerous accounts closed by ISPs this way. If you don't want to do it manually (which can be an endless tedium) you can use a free service such as spamcop.net which scrubs your identifying info from the spam, forwards it to abuse@, and proxies the replies back to the address you have registered with them.

Also, when you "report" spam in gmail you are _not_ doing the above. All you are doing is having Google use the contents of that spam to modify your spam filter slightly and make the filter more effective. It is not reporting the spam to abuse@.
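The manual procedure the post above describes (scrub your own address out of the spam, then send it to abuse@ of the sending domain), as an added example that is not part of this thread and not how spamcop.net implements it. The raw message is constructed; the choice of headers used to pick the abuse contacts is this example's own.

```python
import email
import re
from email.utils import getaddresses

# Constructed spam sample with the victim's address in headers and body.
RAW_SPAM = """Return-Path: <promo@spam-example.test>
Received: from mail.spam-example.test (mail.spam-example.test [192.0.2.10])
\tby mx.example.org for <me@example.org>; Tue, 12 Jul 2011 09:14:02 +0000
From: "Deals" <promo@spam-example.test>
Reply-To: orders@other-example.test
To: Me <me@example.org>
Subject: discount pills

Buy now, ME@example.org! Reply to orders@other-example.test
"""

def abuse_contacts(raw):
    """abuse@ for every domain that originated or wants replies to the message."""
    msg = email.message_from_string(raw)
    domains = set()
    for hdr in ("From", "Return-Path", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            if "@" in addr:
                domains.add(addr.rsplit("@", 1)[1].lower())
    return sorted(f"abuse@{d}" for d in domains)

def scrub(raw, my_addresses, marker="x"):
    """Replace the victim's addresses everywhere (headers and body), case-insensitively."""
    for addr in my_addresses:
        raw = re.sub(re.escape(addr), marker, raw, flags=re.IGNORECASE)
    return raw

def build_report(raw, my_addresses):
    """Return the report: who to send it to, and the scrubbed copy to attach."""
    return {"to": abuse_contacts(raw), "scrubbed": scrub(raw, my_addresses)}

if __name__ == "__main__":
    report = build_report(RAW_SPAM, ["me@example.org"])
    print(report["to"])
    print(report["scrubbed"])
```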

Appears spammers & phishers prefer LAMP (-1)

Anonymous Coward | about 3 years ago | (#36736970)

LAMP is the favored attack for phishers:

---

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

* Well, well... will wonders NEVER cease!

APK

P.S.=> Please - don't even try the "std. 'spin-master' b.s." of saying phishing &/or spamming aren't the same - because they both utilize emails to do their "dirty work"... & The bottom-line here IS that a Linux, MySQL, Apache, & PHP system setup is their FAV. target to exploit, & for all these years I've been coming around here (since early 2003) All I ever heard around here was "how secure Linux is", lol - what a crock of CRAP!

... apk

Hahaha: Best U got's an effete "mod down" (0)

Anonymous Coward | about 3 years ago | (#36738484)

Watch the Little Penguins RUN w/ feathers all "ruffled", & best they have's a mod-down "hit-N-run" w/ NO technical justifications whatsoever... lame, & WEAK!

APK

P.S.=> LMAO @ the "Pro-*NIX" noobz around here, as usual...

... apk

Yup. (2)

sootman (158191) | about 3 years ago | (#36737022)

In the last year I've gotten spam from accounts belonging to nearly a dozen people I personally know--nearly a dozen hotmail, yahoo, and gmail accounts compromised. Including one of my own. Strong passwords, everyone! Letters, numbers, punctuation. Even something like "Help?1234" is infinitely* better than a dictionary word or common name. Grouping characters by type makes it easier to remember and makes it easier to work with on soft keyboards on mobile devices--letter letter letter letter, shift to "numbers and punctuation" mode, number number number number.

My biggest problem now (not with spam, but with passwords in general) is financial institutions that restrict you to letters and numbers so you can punch them in on a phone keypad.

* more or less

Re:Yup. (1)

hedwards (940851) | about 3 years ago | (#36737956)

What gets me is that the treasury has super strong protections in pretty much all areas of their account management, but then uses secret questions in order to remove locks and all that. Which kind of ruins the security features that they've been using.

On top of that, it's very possible to get locked out of your account permanently due to them being unwilling to shoulder any responsibility when it comes to unlocking the account. So, if you don't have a statement on hand to show your financial institution, the institution won't issue the signature guarantee, and if you don't get the signature guarantee, the treasury won't remove the hard lock. Whereas, they could just shoulder some responsibility and accept a notarized form and spare folks the possibility of being locked out completely.

Happened to me (0)

Anonymous Coward | about 3 years ago | (#36738112)

Actually to my wife - but same thing, on Comcast. Their tech support told us to change the password and everything would be fixed. Only she was unable to change the password (her email is a secondary address on the account, don't know if that matters, she should be able to manage her password); we actually had to let the tech support change the email for us. Color me skeptical - is a password change really sufficient? We use MS security for virus protection and her laptop screened as malware free. Other than installing linux (not sure that would help, we only use the web interface for email - no clients on the machine itself) what does /. suggest as a fix?
