In an effort to get past anti-spam and anti-malware systems and put their garbage in front of potential victims, some spammers are avoiding the traditional strategy of sending huge volumes of mail for long periods of time in favor of sending large bursts of spam in a very short timeframe.
This technique, known as hailstorm spam, uses a large number of IP addresses to send spam, much of which is used to push diet pills, flashlights, and other junk products. Researchers at Cisco have been tracking some recent hailstorm campaigns and found that they often use sending addresses from multiple countries and many different top-level domains.
“Hailstorm spam is being sent from IP addresses located all around the globe. Looking at the geo-ip distribution from recent hailstorm spam campaigns, the US, Germany, Netherlands, Great Britain and Russia lead the pack in terms of volume of hailstorm spam sent by country. Hailstorm spam also involves domains registered at a wide array of Top Level Domains (TLDs). In a recent sample of ~500 hailstorm-related domains, the most common TLDs were .top, .bid, .us, .win and .stream,” Jaeson Schultz of Cisco’s Talos research team said in a post.
Like many other spam campaigns, hailstorm runs are often used not just to sell cheap products and generate traffic for sponsored links, but also to deliver malware. Schultz said some of the hailstorm campaigns are being used to push banking Trojans such as Dyre. One such campaign has been sending emails purporting to come from a U.K. government agency and carrying a malicious Word document.
“The message claims to be generated in response to a complaint filed with the United Kingdom’s Companies House and tries to lure the recipient into opening an attached word document. The From address of the message is [email protected] while the legitimate government agency has their web presence at companieshouse.gov.uk. The attached Complaint.doc contains a macro that downloads and executes a Dyre/TheTrick Banking Trojan,” Schultz said.
These hailstorm campaigns will generate large volumes of DNS queries as the spam messages hit mail servers around the world. That’s one of the methods that researchers are using to track the operations, and Schultz said Cisco’s data shows that some campaigns will generate more than 100,000 DNS queries per hour and hit as much as four percent of mail servers.
“Hailstorm campaigns are correlated with bursts in DNS queries with an intensity of 9,000+ queries per hour at their peak(s). The initial spike in a hailstorm campaign stems from mail server activity caused by an influx of emails,” Schultz said.
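The two signals described above, a sudden per-domain spike in DNS query volume and a spread of sending domains across unusual TLDs, can both be checked from a resolver's query log. The following is an added example written for this article, not Talos code and not the method Cisco used; it constructs its own synthetic log (three made-up domains under `.top` and the reserved `.example`), buckets queries per domain per hour, and flags an hour only when it both exceeds the 9,000 queries/hour figure quoted above and dwarfs that domain's median hour. The second, relative test is an assumption added here so that a legitimately busy but flat sender is not reported as a burst.

```python
"""Hourly DNS-query burst detection plus TLD spread, on a constructed log.

Added example for the hailstorm-spam article; not Cisco/Talos code.
Log format assumed here: '<ISO8601 UTC timestamp>Z <queried-domain>' per line.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Absolute threshold taken from the Talos figure quoted in the article.
BURST_QUERIES_PER_HOUR = 9000
# Relative threshold (assumption, not from the article): the peak hour must also
# be at least this many times the domain's median hourly volume, so a large
# mail provider with a flat 10,000/hour profile is not flagged as a burst.
BURST_RATIO = 10.0


def parse_line(line):
    """Parse one log line into (timestamp, normalised domain)."""
    ts, domain = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), domain.lower().rstrip(".")


def hourly_counts(lines):
    """Return {domain: Counter({hour_start: queries})} for all non-empty lines."""
    counts = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, domain = parse_line(line)
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[domain][bucket] += 1
    return counts


def find_bursts(counts, abs_threshold=BURST_QUERIES_PER_HOUR, ratio=BURST_RATIO):
    """Return [(domain, hour_start, queries)] for hours passing both thresholds."""
    bursts = []
    for domain, per_hour in counts.items():
        baseline = median(per_hour.values())  # typical hour for this domain
        for hour, n in sorted(per_hour.items()):
            if n >= abs_threshold and n >= ratio * baseline:
                bursts.append((domain, hour, n))
    return bursts


def tld_distribution(domains):
    """Count the last label of each domain, the TLD spread the article describes."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def build_sample_log():
    """Construct a synthetic six-hour query log (not real data)."""
    base = datetime(2016, 12, 1, 0, 0, 0)
    lines = []

    def emit(domain, hour, n):
        # Spread n queries evenly across the given hour.
        for i in range(n):
            ts = base + timedelta(hours=hour, seconds=(i * 3600) // n)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {domain}")

    for hour in range(6):
        emit("deal-pills.top", hour, 9500 if hour == 3 else 5)  # hailstorm-like spike
        emit("corp-mail.example", hour, 50)                      # quiet and steady
        emit("bigmailer.example", hour, 10000)                   # busy but flat
    return lines


if __name__ == "__main__":
    counts = hourly_counts(build_sample_log())
    for domain, hour, n in find_bursts(counts):
        print(f"burst: {domain} at {hour:%Y-%m-%d %H:00}Z with {n} queries")
    print("TLD spread:", dict(tld_distribution(counts)))
```

Run against the constructed log, only `deal-pills.top` is reported (9,500 queries in its third hour against a median of 5), while `bigmailer.example` stays silent despite clearing 9,000 every hour; on a real resolver log the same two functions apply unchanged, and the TLD counter is what you would feed a watchlist of the `.top`/`.bid`/`.win`-style suffixes named above.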
Image: Dirk Haun, CC BY license.