Since the hosting provider pulled the spammer’s server offline, several of their fake sites and domains associated with the spam campaign no longer load.īut given the spread of domains and servers propping up the campaign, we suspect the sunken server is only a single casualty in an otherwise ongoing spam campaign. Only 45 percent of emails were already in Have I Been Pwned, ruling out the possibility that all of the passwords were stolen from credential stuffing. “This was a resold box and the customer already responded to the abuse forward saying it was supposed to have been terminated long ago,” said Awknet’s Justin Robertson in an email to TechCrunch.Īnd we still can’t figure out where the email addresses and passwords came from used to send the spam. Of the domains we found, all were registered with fake names and addresses.Īs for the server itself, the provider said it was possibly hacked. We found several other associated spamming domains using data collected by RiskIQ, a cyberthreat intelligence firm, which scours the web for information. The language settings in the Kibana instance suggested the spammer may be based in Belgium.
#Online spam bot how to#
What’s clear is that the spammer knows how to cover their tracks. “This shows us - again! - how important a proper cyber hygiene should be.” “This case reminds me on several other occasions I reported at some points in the past - when malicious actors create a sophisticated system of proxying and logging, leaving so much tracks to identify their patterns for authorities in the investigations to come,” Diachenko told TechCrunch. It’s not the first time we’ve seen a spam operation in action, but it’s rare to see how successful it is.
In all, some 5.1 million emails were sent during the 10-day campaign - between March 8 and March 18, with some 162,980 people clicking on the spam email, according to the data on the dashboard. That helps the spammer home in on the most valuable logins in the future, allowing them to send more spam for lower bandwidth and server costs. The dashboard also contained other information related to the spam campaign, such as how many emails were successfully sent and how many bounced. The greater number of clicks, the more likelihood of its spam going through - allowing the spammer to target specific email domains in the future. That can also indicate how an email provider’s spam filter acts. In bulk, that allows the spammer to figure out which email domain - like or users - is more likely to click on a spam email. (Screenshot: TechCrunch)Įach spam email includes a tracker in the link that fed information back to the spammer. The spammer’s Kibana dashboard, displaying the operation at a glance. Two replied - but only one still had a copy of the email. We reached out to dozens of people to ask about the email they received. The one thing we didn’t have was the spam email itself. Anyone can now check breach notification site Have I Been Pwned to see if their email was misused.īut the dormant server - while it was still active - offered a rare opportunity to understand how a spam operation works. TechCrunch provided a copy of the database to Troy Hunt. Within a few hours of making contact, the provider nullrouted the server, forcing all its network traffic into a sinkhole. With no contact information for the spammer - surprise, surprise - we asked the hosting provider, Awknet, to pull the server offline. Given there were more than three million unique exposed credentials sitting on this spammer’s server - hosted on, we wanted to secure the data as soon as possible. But the server was primed to start spamming again. It had done its job, and the spammer had likely moved onto another server - likely in an effort to avoid getting blacklisted by anti-spam providers.
At the time of the discovery, the spammer’s rig was no longer running. Security researcher Bob Diachenko found the leaking data and with help from TechCrunch analyzed the server. The spammer had forgotten to set a password. We know this because a security researcher found the server leaking the entire operation.
0 kommentar(er)
