More Than 100,000 Were Trapped by a New Spam Campaign

According to Statista, on average, we send and receive more than 280 billion emails every day. Any sort of analysis of such an astronomical amount of information would be difficult, but despite this, researchers have estimated that about half of those emails can be classified as spam.

Most of us like to believe that we have no problems distinguishing a spam email from a real one, and indeed, it's safe to say that the more experienced users have learned to ignore the messages coming from the Nigerian Prince as well as the ones promoting products and services that can reportedly improve your love life.

That being said, some spam emails are cleverer. Security researcher Bob Diachenko and TechCrunch's Zack Whittaker, for example, recently examined a spam campaign that was aimed at UK users. They found out that between March 8 and March 18, the spammers managed to fool more than 100,000 people into taking the bait and clicking through.

How do you trick 100,000 people into clicking a link in a spam email?

The really clever bit about the campaign is that it was relatively simple both from a social engineering perspective and from a technical one. Here's how it worked.

First, the spammers would use stolen login credentials to log into innocent victims' email accounts. They would then scrape some of the recently sent messages and would feed them into their own servers. An automated script would take the recipient email and the subject line and would compose a new message that looked like it was coming from the owner of the compromised account. Routing the connection through a proxy server consisting of several mobile phones connected to the internet, the spammers would once again use the stolen usernames and passwords to log into the sender's email server and would send the auto-generated message to the recipient.

A total of 3 million email accounts were compromised, and although Diachenko and Whittaker were unable to estimate the exact number of sent messages, they said that the operation outlined above was repeated "hundreds of times a second".

Diachenko and Whittaker managed to get their hands on one of the emails, and they immediately saw why so many people fell for the scam. The email was seemingly coming from a person the recipient knew, it contained their name, and the subject line suggested that this was a continuation of a previous communication. There was nothing immediately obvious to indicate that clicking the link is risky.

Thankfully, there was no nasty payload, either. A link would redirect users through several websites and would determine their geolocation. US citizens would land on a page promoting a bogus health remedy, and people from the UK would be sent to a fake BBC page that would eventually lead them to a bitcoin scam. As we mentioned already, most of the recipients were from the UK.

While it was definitely successful, we're not talking about the largest or most impactful campaign in the world. Nevertheless, the examination Bob Diachenko and Zack Whittaker did gives us a pretty good insight into what a real spam operation looks like. But how did they manage to get access to all that information?

Spammers fail to protect their own data

Regular readers of our news articles probably know who Bob Diachenko is. In September 2018, he found out that data management solutions provider Veeam had left some of its customers' data in a database accessible from anywhere in the world. In January, he found another unprotected database, this time containing the CVs of over 200 million Chinese job seekers. Several days later, Diachenko teamed up with Zack Whittaker to analyze yet another server that was facing the internet and was not locked by a password. The exposed server contained "a gold mine" of names, addresses, Social Security numbers, and credit information belonging to an unknown number of individuals.

As you can see, Bob Diachenko is something of an expert at finding database installations and servers that are put on the internet and are not protected in any way. This is how he found the spam campaign described above as well.

The spammers used an Elasticsearch database to keep track of their data, and the mechanisms were well-documented which gave Diachenko and Whittaker the chance to see how it all unfolded. There was even a dashboard that told them how many of the spam emails were delivered successfully, how many bounced back, and how many users clicked the links. In addition to this, the unprotected server held the stolen usernames and passwords that allowed the spammers to compromise more than 3 million email accounts. All that data was available to anyone who knew where to look.

The compromised credentials were given to Troy Hunt who loaded them into Have I Been Pwned. Although the breach notification service has close to 8 billion accounts, a whopping 55% of the email addresses were completely new to it. For now, at least, nobody can say how the usernames and passwords were stolen.

Sadly, when Diachenko first stumbled upon the spammers' server, the campaign had already ended. Nevertheless, the hosting provider was informed, and the server was taken offline.

Misconfigured servers and databases are a real problem for legitimate organizations tasked with handling people's data. A recent 4iQ research revealed that close to two-thirds of the exposed personal information that is traded online was pilfered from devices that were accessible to anyone with an internet connection, and Bob Diachenko's latest finding goes to show that even the crooks aren't immune from making silly mistakes.