WhaleTech: Spam Storm brewing

Unsolicited emails, or SPAM, have been flowing past the usually clever anti-SPAM measures of many email systems, including those of Google.

The scary part is that they appear to be accessing the address book.

As incredible as that sounds, similar stories are being reported from other corners of the Internet:

Kiwi internet users are complaining of hundreds of spam emails being sent out from servers overnight.

The issue appears to affect yahoo and xtra accounts.

Emails containing spam links have been sent to people on users’ address lists.

ONE News has received dozens of the emails, and people have reported similar problems on message boards and Twitter.

This is a massive push using some very clever email address matching. Early analysis suggests the senders are able to match addresses that are likely to be known to each other. They then send you a spam email with about half a dozen addresses in the To field, and with some luck one of them matches someone you know.

This has organised crime written all over it.

The next step is that the links in the spam emails point to compromised web servers, which then redirect you to yet another compromised web server.

As I said, this is a massive push with quite a significant amount of effort behind it.

At the moment, the next destination for the emails analysed points here:

[screenshot]

As you can see, it’s dynamically personalised using your IP to look up your likely location.

This example uses a stolen CNBC page, with all the links pointing back to itself, except for this one:

[screenshot]

From that page, it appears stolen web pages from other major news organisations are also in play. These are obviously used to give the offer an air of legitimacy.

You finally arrive at the bit that they want:

[screenshot]

Once you submit that form you get to sign up for real.

For what exactly?

Here’s the two-pronged attack:

  1. They take your credit card details
  2. They recruit you to start posting spam links on their behalf (genius!)

We finally arrive at the money shot:

[screenshot]

Only USD$99 to join, and look at all that free “Value” you are getting.

For obvious reasons, I didn’t get past that part of the process – not going to throw money away and then have to cancel my credit card.

But this is kind of funny: if you try to close the page, up to two times it will offer you discounts for not leaving yet.

[screenshot]

[screenshot]

Anyway, it’s annoying. Nothing new there.

The appearance that they managed to access your address book is initially disconcerting, but the idea that they hacked GMail as well as several local ISPs is pretty unlikely.

Where they have stepped things up is the technique of matching likely email addresses against each other, hoping to hit one that really is in your address book, thereby dropping the guard on any spam protection measures you may be using.

Next, they have a number of compromised web servers, so as soon as the current one is shut down, the next wave of emails pointing at the next server is deployed, keeping it all going.

They’re harvesting names, email addresses and contact phone numbers before you even get to the credit card page, and if you’re dumb enough to fill that in, you also give up your full address, more phone numbers and your credit card details, including the security verification value.
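The point above is that a filter which trusts mail simply because the sender is in your contacts will wave this campaign through. Here, as an added example that is not part of the original post, is a small heuristic that scores the campaign's visible traits instead (several related-looking recipients in the To field, a link host unrelated to the sender's domain). The message, the contact list and the hostnames are constructed.

```python
"""Added example: flag the address-matching spam pattern without relying on
sender-in-contacts trust. All sample data below is constructed."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message shaped like the campaign described in the post.
SAMPLE = """\
From: friend@example.co.nz
To: you@example.co.nz, a.smith@example.co.nz, b.smith@example.co.nz, c.jones@example.co.nz, d.jones@example.co.nz, e.brown@example.co.nz
Subject: hey

check this out http://compromised-host.invalid/news/cnbc.html
"""

# Constructed benign message from the same contact, for comparison.
BENIGN = """\
From: friend@example.co.nz
To: you@example.co.nz
Subject: lunch

see http://www.example.co.nz/menu
"""

CONTACTS = {"friend@example.co.nz"}  # constructed address book
URL_RE = re.compile(r"https?://([^/\s]+)")

def _sender(msg):
    return getaddresses([msg.get("From", "")])[0][1].lower()

def allowlist_filter(raw):
    """What the post says many filters effectively do: trust known contacts."""
    return "allow" if _sender(message_from_string(raw)) in CONTACTS else "scan"

def campaign_score(raw, min_recipients=4):
    """Return (score, reasons) for the campaign pattern, ignoring contact trust."""
    msg = message_from_string(raw)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    reasons = []
    if len(rcpts) >= min_recipients:
        reasons.append("many visible recipients")
    # "likely to be known to each other": one shared domain or repeated surname tokens
    domains = {r.split("@")[-1] for r in rcpts}
    surnames = [r.split("@")[0].split(".")[-1] for r in rcpts]
    if len(rcpts) >= 2 and (len(domains) == 1 or len(set(surnames)) < len(surnames)):
        reasons.append("recipients look related")
    hosts = {h.lower() for h in URL_RE.findall(msg.get_payload())}
    sender_dom = _sender(msg).split("@")[-1]
    if hosts and not any(h.endswith(sender_dom) for h in hosts):
        reasons.append("link host unrelated to sender domain")
    return len(reasons), reasons
```

The allowlist passes both messages unchanged, while the heuristic gives the campaign sample a score of 3 and the benign one 0.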

The trick will be to shut down workinghomedigit.com and its associated domains.

[screenshot]

Good luck with that.


  • Richard McGrath

    Thanks, Cam. I received one of these spam mails yesterday.

    • Jester

      $9000 a week and getting to stay at home?

      This has the Labour Party’s fingerprints all over it!

  • GregM

    I will try not to use my xtra account, they can’t seem to be able to apply patches without fucking it up so this one could be a problem.

  • unitedtribes

    Getting the same scam on both xtra and gmail. Will resist the $9000 per week.

  • SJ00

    It’s malware on the user’s computer. It’s sending emails to people in your contact list. I’ve received emails from friends and customers. It’s got nothing to do with mail servers being hacked. And typically the pages are located on web servers and redirecting to the ones above (and that’s most likely because of a hole in the web server’s software; I used to get these sites put on my website quite often until I ended up changing companies to a site that regularly updated their software).
    The reason they are getting through spam filters is because they are coming from a trusted source, someone in your contact list (or you are in their contact list).
    Nothing new here, although there is a rash of it coming in today and yesterday. So most likely some new malware is doing the rounds.

    • WiredEarp

      No, actually it’s not, although that was my first guess when a friend asked me for help with the issue.

      It’s nothing to do with the local PC. I know 3 people affected, none of whom use client-based email, just web-based xtra email, and the emails spammed from their account are all harvested from their old emails, NOT the Yahoo contacts list. It appears to go through your emails, looking for email addresses to send to.
      All of the people I know who have had the issue have said they did not click on the link. If it was one, and if they were idiots, I wouldn’t believe them, but it appears they have done nothing ‘wrong’ in this case.
      On a side note, I had my own yahoo account (a 10yo throwaway I used very rarely) hacked (password changed etc.) last month; thought it was brute forced until I started reading up on Yahoo’s recent security issues.

  • Terri Jagermeister

    Having received numerous examples of this spam over the weekend, I’m pretty sure there is not much ‘address matching’ going on here. Our Xtra accounts have only been used in testing capacities to/from our internal domains; given the spam we’ve received, sent from ‘ourselves’, it’s sent to every recipient address in Xtramail, cut into alphabetical groups. Looking a lot like a large scale compromise of Xtramail accounts.

    • Thom H

      I agree. I haven’t used my xtra.co.nz account for about 5 years and we’ve received emails to internal only accounts dating from that era (those accounts are no longer in use).

      The worrying part is that these addresses are not in my xtra/yahoo account mailbox. The only place these addresses could be would be old Xtra/yahoo MTA logs. Serious security breach anyone or are the xtra/yahoo admins complicit (or just incompetent?)

      • Martin

        “The worrying part is that these addresses are not in my xtra/yahoo account mailbox.” Are you talking about those on your computer or those online when you sign in there?

        • Thom H

          I was referring to my contacts in my xtra/yahoo account, i.e. online. My contacts list is empty so they couldn’t possibly have harvested it out of some online repository. I have previously emailed those addresses (back in 2008 when we were testing) but not for a long time and they *don’t* appear in any contacts list etc. Hence my comment that they could only have pulled those addresses out of (old) log files.

          • Martin

            So your sent folder was empty too?

            When mine was used, it seems to have only used email addresses in my contacts list online, as it was sent to my other email address, so when reading the cc list it showed that it was limited only to my address book online and not any older log file.

          • Thom H

            OK, so I checked my “Sent” folder on my Yahoo!Xtra mailbox and yep there are 2 emails in there from 2008 when we were testing. The sammers/spammers have definitely harvested those 2 addresses and sent spam to them.

            So that explains where they got the addresses from.

            But the XSS explanation doesn’t meld with my experience. I haven’t logged into this mailbox for about 5 years and yet they were able to get my password somehow? I find this extremely unlikely and it looks like (based on other reports out there) that it’s relatively trivial for crackers to exploit a known bug in Yahoo!’s (mobile?) API.

            This would theoretically allow a cracker to then “login” and send email as the victim, without actually guessing the user’s password.

            So, come on Yahoo! and Telecom, time to fix your gaping security holes before you lose (what’s left of) your credibility!

          • WiredEarp

            Do a search in your yahoo box for one of the emails; you’ll probably find it in a header etc. on an old item in inbox or sent items. That’s where it is getting them from IMHO. I did a search on an infected mailbox and found ALL the emails sent out were pulled out of the emails available in the online folders (inbox, sent items, etc.).

  • Martin

    This talk of a phishing spam by xtra is only 1% of the story. Somehow there has been an intrusion into people’s xtra email account address books online and it’s also allowed access to use these people’s emails with the user doing nothing like clicking on a malware link. So it is a lie for them to call it a phishing scam; they were busted wide open without us idiot customers doing anything wrong.

  • Mark D

    Having tracked one of these messages back, it originated from a US based IP address and a webmail connection to a Yahoo mail server. So either Yahoo’s mail was broken in that it allowed someone to send an email with a different user’s From address (which would normally be blocked), or they actually logged in with the user’s email credentials (they managed to hack large numbers of email accounts). I guess it’s possible an initial phishing attack was used to obtain the email address and password, which were then used in the subsequent spam attack. But I’m not convinced this is malware on a user’s PC.

    • Martin

      I think they hacked into the system without using passwords, which is what’s concerning me a lot.

  • TeacherUnionsRscum

    Stuff referenced your blog post:

    Apparently there are more than one Whale Oil blogs:

    http://www.stuff.co.nz/technology/digital-living/8287236/Spam-attack-on-Kiwi-email

  • betternews

    Both my UK based yahoo addresses have no issues. It’s purely a NZ thing, so if your email ends in a “.co.nz” then you’re in trouble. My mum clicked on one of the links (I call her the random clicker, she always clicks on links without reading them) and I’ve scanned her PC with antivirus and Malwarebytes with nothing found.
