We have discussed a number of spam and malware campaigns on this blog. This time, I'll show what happens in the days and weeks before a campaign starts. I've found two examples that show the steps spammers take in preparation for their campaign.
Step 1: hijack websites
The spammers need to ensure that their spam e-mails or messages are not quickly flagged as spam. One technique to avoid spam filters is to use existing websites with a good reputation to redirect users. These domains are not on any denylist and are already known and categorized by vendors. This is a better alternative to free hosting and DNS providers, such as .co.cc, which may not have a good reputation.
Unfortunately, hacking legitimate websites in large numbers is quite easy these days. Popular open-source platforms like WordPress, Joomla and Drupal contain a lot of security vulnerabilities (in the core software and in plugins), which attackers take advantage of.
The first campaign I spotted was hijacking German Joomla! sites. All the hijacked sites seem to be running Joomla 1.7. I'm not sure if the attacker used the privilege escalation issue, the XSS vulnerability or one of the 23 other vulnerabilities found in 2013.
The other campaign targeted WordPress sites, an open-source platform loved by webmasters and attackers alike.
Step 2: hide the malicious page before the campaign
Rather than modifying existing pages, the attackers add new pages to the hijacked sites. They often put these files in hidden directories (names starting with a dot), temporary folders, or plugin folders.
The Joomla sites had malicious files placed in /tmp/, such as:
For the WordPress sites, the attackers hid the malicious files in folders used by common WordPress plugins and themes:
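The placement pattern described in this step (new PHP files in dot-directories, the temporary folder, or plugin and theme folders that are not part of the deployed install) is something a site owner can check for. The following scanner is an added example written for this post, not code from the original article or from any of the sites it describes; the web root layout, the file names and the baseline manifest are all constructed fixtures.

```python
import tempfile
from pathlib import Path

# Constructed fixture: a WordPress-like web root with one legitimate plugin and
# three dropped files in the kinds of locations the post describes (a
# dot-directory, a theme folder and /tmp/). None of these names come from the post.
SAMPLE_FILES = {
    "index.php": "<?php echo 'home'; ?>",
    "wp-content/plugins/akismet/akismet.php": "<?php /* legitimate plugin */ ?>",
    "wp-content/plugins/akismet/.cache/red.php":
        "<?php header('Location: http://www.google.com/'); ?>",
    "wp-content/themes/twentyeleven/news.php":
        "<?php header('Location: http://spam-landing.example/'); ?>",
    "tmp/go.php": "<?php header('Location: http://www.google.com/'); ?>",
    "tmp/sess_1234": "",  # not PHP: ignored by the scanner
}

# Baseline: files known from a clean install or deployment manifest (constructed).
BASELINE = {"index.php", "wp-content/plugins/akismet/akismet.php"}


def build_sample_webroot() -> str:
    """Materialise the constructed fixture in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(root)


def classify(rel: Path):
    """Reason a non-baseline PHP file is suspicious, or None if its location is unremarkable."""
    rel_s = rel.as_posix()
    # Only directory components are checked for a leading dot.
    if any(part.startswith(".") for part in rel.parts[:-1]):
        return "PHP file inside a dot-directory"
    if rel.parts[0] == "tmp":
        return "PHP file in the temporary folder"
    if rel_s.startswith(("wp-content/plugins/", "wp-content/themes/")):
        return "PHP file added to a plugin/theme folder"
    return None


def scan_webroot(root: str, baseline: set):
    """Return sorted (relative path, reason) pairs for PHP files outside the
    baseline that sit where dropped redirect pages tend to be placed."""
    root_path = Path(root)
    findings = []
    for p in root_path.rglob("*.php"):  # rglob does not skip dot-directories
        rel = p.relative_to(root_path)
        if rel.as_posix() in baseline:
            continue
        reason = classify(rel)
        if reason:
            findings.append((rel.as_posix(), reason))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in scan_webroot(build_sample_webroot(), BASELINE):
        print(f"{path}: {reason}")
```

On a real install the baseline would come from the package manifest or a file-integrity snapshot taken at deployment, and the scan would run on a schedule; the three findings here are exactly the three dropped files, while the legitimate plugin file and the non-PHP session file are left alone.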
Step 3: keep out security scanners
Attackers don't want security tools to flag their redirection pages as malicious before the campaign. One common technique is to make the pages redirect all visitors to an unrelated, harmless website, such as http://www.google.com/, until the campaign is ready to start.
Step 4: open the curtains
Once the spammer has gathered enough legitimate sites and the e-mails or messages are being sent out, the redirection pages are switched to point users to the malicious site.
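Steps 3 and 4 together mean that a single check of a dropped page tells a scanner very little: the page looks harmless until the day it is switched. Re-fetching the page over time and alerting when its redirect target moves off a well-known placeholder host catches the switch itself. The code below is an added example for this post, not from the original article; the placeholder allowlist, the three fetched responses and the landing host spam-landing.example are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts a dormant redirect page is likely to point at before the campaign goes
# live (constructed allowlist; extend it with whatever your own monitoring sees).
PLACEHOLDER_HOSTS = {"www.google.com", "google.com"}

# <meta http-equiv="refresh" content="0; url=..."> (attribute order as written here)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
# window.location = "..." / location.href = '...' and similar JS assignments
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def extract_redirect_target(status, headers, body):
    """Return the URL a fetched page sends visitors to, or None if it does not redirect.
    Checks a 3xx Location header, then a meta refresh tag, then a JS location assignment."""
    if 300 <= status < 400:
        for name, value in headers.items():
            if name.lower() == "location":
                return value
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return m.group(1) if m else None


def target_host(url):
    """Lower-cased hostname of a redirect target, or None when there is no redirect."""
    return (urlparse(url).hostname or "").lower() if url else None


_UNSEEN = object()  # sentinel: no observation processed yet


def track_redirects(observations):
    """observations: (label, status, headers, body) tuples in time order for one
    hijacked URL. Returns alerts raised whenever the redirect host changes; a move
    from a placeholder host to anything else is the 'curtains open' moment."""
    alerts = []
    previous = _UNSEEN
    for label, status, headers, body in observations:
        host = target_host(extract_redirect_target(status, headers, body))
        if previous is not _UNSEEN and host != previous:
            if previous in PLACEHOLDER_HOSTS and host not in PLACEHOLDER_HOSTS:
                alerts.append((label, "campaign-live", previous, host))
            else:
                alerts.append((label, "target-changed", previous, host))
        previous = host
    return alerts


# Constructed observations for one dropped page, fetched on three days: an HTTP
# redirect, then a meta refresh (both to the placeholder), then the real switch.
OBSERVATIONS = [
    ("day1", 302, {"Location": "http://www.google.com/"}, ""),
    ("day2", 200, {},
     '<html><head><meta http-equiv="refresh" content="0; url=http://www.google.com/">'
     '</head></html>'),
    ("day3", 200, {},
     '<html><script>window.location = "http://spam-landing.example/?12/2";</script></html>'),
]

if __name__ == "__main__":
    for alert in track_redirects(OBSERVATIONS):
        print(alert)
```

The first two observations both resolve to the same placeholder host even though the redirect mechanism changed, so no alert fires; only the third, where the host leaves the allowlist, produces a campaign-live alert carrying the old and new hosts. Feeding the new host straight into a blocklist or a categorization request is the natural next step for a URL-filtering vendor.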
For the Joomla campaign, the final spam page is hxxp://www.dailynews.com.2012.fashion.italy.moda.trends.luxurynws.com/. As is often the case with these types of scams, the page looks like an official newspaper article extolling the merits of some product or work-from-home scheme. In this case, the products are replicas of luxury watches.
[Screenshot: Fake news article about replica watches]
The second spam campaign redirects to the usual Work from Home scam at hxxp://newsmarket3nextgenonline.com/?12/2. This site is currently down.
[Screenshot: Example of a Work From Home scam]
Now you know what goes on before these spam emails hit your mailbox.