Slashdot Mirror


Spammers Prefer Compromised Accounts To Botnets

Orome1 writes "Spammers today favor compromised accounts for sending spam, gradually shifting distribution away from botnets, according to Commtouch. The changed tactic has emerged as spam levels dropped dramatically, following several high-profile botnet takedowns. Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks."

53 comments

  1. I believe it. by Krojack · · Score: 2

    Even with the small amount of email accounts on my mail server (~6000) I'm having to deal with 1-2 of these compromised accounts a week on average. Most of the time they use squirrelmail to send out the spam.

    1. Re:I believe it. by Anonymous Coward · · Score: 0

      Yep, following the Sony hack my email was compromised due to me using the same password for my contact email as was the password for the Sony account. Luckily I was able to get it back under my control quickly, but the spammer had already spammed all my contacts.

      Submitting as AC because I'm embarrassed that I did something that dumb.

    2. Re:I believe it. by tripleevenfall · · Score: 2

      It was funny to get an email from an ex girlfriend to whom I have not spoken in years advertising black market pharmaceutics, a subject with which she was intimately familiar...

    3. Re:I believe it. by Capt.DrumkenBum · · Score: 1

      I have seen this twice. The first was a friend of mine, smart and computer savvy enough to have a decent password, and the second was my sister, whose password was probably abc123, qwerty1, or password.
      This encouraged me to begin changing all my passwords.

      --
      If I were God, wouldn't I protect my churches from acts of me?
    4. Re:I believe it. by capnkr · · Score: 1

      I literally just had a call from a client of mine who's apparently become a victim of this. Their ISP is Time/Warner, email account password was fairly strong but guessable (initials bracketing client's DOB), and this person only uses the TW web-based interface to do their email - there is no email client or address book on the system itself at all. Yet a large block of the contacts in the account received spam originating apparently from this address. I am having one of the spams forwarded to me so I can take a look at headers and such...

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    5. Re:I believe it. by fifedrum · · Score: 1

      I work for an email service provider; we're catching many each day, most less than 500 emails at a time. I think about 1/2 of them are compromised PCs, as they're using the same IP addresses the customers use, different HELO hostname and all that, but they're still authenticating from the same place. That's the wild part. I watched a network sniff play out on screen: it showed the authentication stuff, same user ID and password, different HELO hostname and headers, right alongside another session where the user was sending legit email.

      The other portion are clearly phished accounts, customer in Boise, connection from China for example.

      The kicker is that we've had to turn off our internal reputation system based on the age of the email account. Used to be > 1 month old had higher limits than < 1 month old (for the love-em-then-leave-em accounts), but today, no one is trusted.

      The only good thing is they seem to come in phases, where a particular campaign of the exact same email comes from dozens of accounts, for hours at a time, then switches to a new campaign later. Makes filters easier to manage.

    6. Re:I believe it. by capnkr · · Score: 1

      Received an email from the client; I had recommended they call TW when on the phone with them, as it sounded like their account was breached, that it was not something actually on the system.
      TW said it was likely a password compromise, & changed the pw for the account.

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
  2. lower overhead? by BulletMagnet · · Score: 1

    Botnet rental is still an expense....

  3. gmail has a nice feature by Anonymous Coward · · Score: 0

    When I log in to my account from a different IP or a different machine, my phone receives an SMS with a number I need to enter so that I can access my email..
    It's free and I believe it will prevent this kind of spam or other hostile takeover of my account..

    1. Re:gmail has a nice feature by Krojack · · Score: 2

      That's all fine and dandy, and yes a lot of people have a cell phone these days, but there are still hundreds of millions without them and others that don't have this option on their email service.

    2. Re:gmail has a nice feature by Lennie · · Score: 1

      It is actually a lot more likely that people just have a cell phone and no computer.

      In Africa for example, many have a simple "smart" phone and no access to a computer.

      --
      New things are always on the horizon
    3. Re:gmail has a nice feature by Tx · · Score: 1

      That would drive me nuts.

      --
      Oh no... it's the future.
    4. Re:gmail has a nice feature by Anonymous Coward · · Score: 0

      You can check a box so that it remembers that machine as trusted for 30 days.

    5. Re:gmail has a nice feature by v1 · · Score: 1

      It's more of a cookie though, isn't it? Nothing to do with a setting on Gmail's servers.

      --
      I work for the Department of Redundancy Department.
    6. Re:gmail has a nice feature by danlock4 · · Score: 2

      If it were to drive you nuts, you would start the squirrelmail problem anew...

      --
      To .sig or not to .sig, that is the question.
    7. Re:gmail has a nice feature by jank1887 · · Score: 1

      not free to me and many others not paying the text message extortion... yet.

  4. Taking advantage of trust by damn_registrars · · Score: 2

    They realize that a compromised account started as an active account, and thus is less likely to be blacklisted at a border. That, and as a legitimate account the payload is more likely to go through mail servers that are commonly whitelisted (or at least, not blacklisted).

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Taking advantage of trust by MBCook · · Score: 1

      I wonder how much of this is DKIM/DomainKeys and Sender ID? Making it harder to forge things means it's easier to just use compromised accounts instead.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:Taking advantage of trust by gl4ss · · Score: 1

      With a compromised account you don't have to deal with AV or the person reinstalling or just plain leaving his computer off. However, I can't help but imagine that botnets would be the prime way to mine for those accounts.

      --
      world was created 5 seconds before this post as it is.
    3. Re:Taking advantage of trust by Anonymous Coward · · Score: 0

      We get spam from yahoo accounts all the time that is domain keys signed. Our policy now is mark it as spam if a mismatch, but ignore it if it is a good signing. Same policy for SPF.

      Doesn't really add much to our anti-spam efforts.

      But, trust does factor. Schools and such where these phished accounts come from are unlikely to be on RBLs, at least during the initial portion of a spam campaign. A botnet PC starts out on, at least, "dial up" RBLs.

    4. Re:Taking advantage of trust by hedwards · · Score: 1

      Hotmail used to be a serious problem because of the amount of spam coming from there, it was too big of a domain for most folks to block, but there was a significant amount of spam originating there. That seems to have changed in recent years though.

  5. Funny Link! by Anonymous Coward · · Score: 0

    Compromised accounts = compromised contacts. Click this funny link!

    1. Re:Funny Link! by DarenN · · Score: 1

      Where's the link?!!?!?!!one

      --
      Rational thought is the only true freedom
  6. "low-volume spam outbreaks" by mapkinase · · Score: 1

    That sounds like an oxymoron.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  7. Same issue on the web hosting side by Wrexs0ul · · Score: 1

    Since customers can create email accounts for other users it was a must that we run an outbound spam filter. It's picked-up on some servers, substantially. Luckily none of it sees the light of day, but the processing power required to send/receive email gets spiky.

    Funny enough it tends to be the smaller accounts causing the most problems. Larger hosting packages tend to come with in-house support on the client side, and they create smarter passwords and smarter users :)

    -Matt

    --
    --- Need web hosting?
  8. Woot! by earls · · Score: 1

    90,000 email addresses later, and now major.payne@usmc.mil is offering Viagra at a discount!

  9. That's because of reputation by jader3rd · · Score: 3, Insightful

    All of the major spam filters use reputation as a metric. And stealing reputation is easier than building it.

    1. Re:That's because of reputation by Anonymous Coward · · Score: 0

      Only the crappy ones.

      But for me to say more would be astroturfing :-/

  10. iam borrowing this account by Konster · · Score: 2

    Can I interest anyone in a set of steak knives and viagra? www.steaknivesandviagra.com for best price, leading customer support and free shipping to you.

    1. Re:iam borrowing this account by khr · · Score: 1

      Is that combination endorsed by John and Lorena Bobbitt?

    2. Re:iam borrowing this account by Anonymous Coward · · Score: 0

      Is that combination endorsed by John and Lorena Bobbitt?

      Mostly Lorena, I would think.

    3. Re:iam borrowing this account by Anonymous Coward · · Score: 0

      Your domain name sampling period has expired.

    4. Re:iam borrowing this account by dkleinsc · · Score: 1

      No, but it is endorsed by Anthony Weiner.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  11. Biggest source of spam is salesforce by Anonymous Coward · · Score: 0

    I find that salesforce, jigsaw, and similar systems are the biggest source of spam that I'm currently receiving.

    One of these scumbag marketers got a hold of my info & sold it to them.

    Fortunately, blacklisting salesforce & jigsaw is easy...

  12. Unblockable servers by gmuslera · · Score: 1

    You can use grey/blacklists/RBLs to get rid of most of the noise caused by botnets and similar, but you shouldn't block Gmail/Yahoo/Hotmail or other big mail servers.

    1. Re:Unblockable servers by Animats · · Score: 1

      shouldn't block Gmail/Yahoo/Hotmail or other big mail servers.

      It's useful to have a penalty in your spam filter for free email services. Google's inbound spam filtering is good. Outbound spam filtering, not so much.

      Related to this, the use of free hosting services as spam targets continues. Google spreadsheets, of all things, are widely used to support phishing scams. Here's a "Microsoft Webmail Activation Form" embedded in a Google spreadsheet. Because the related phishing emails contain a Google URL, they tend not to be tagged as spam by spam filters. The strange thing about that example (one of 124 such in PhishTank today) is that Google's spam blocking, as used by Firefox, knows that's a phishing page. The anti-phishing part of Google isn't talking to their own abuse department.

      We've been tracking this at SiteTruth for years. The Google spreadsheet scam is less than a year old, and is now the most popular attack we see. Some free hosting services (mostly "t35.com", "piczo.com", "webs.com") still get hit, but Google is now #1.

      Basic truth: if you offer free hosting or free URL redirection, you must have an automatic cross-check with phishing data sources like PhishTank and the APWG, or you will be pwned by phishers. Free hosting includes spreadsheets, forms, and polls. If the user can put HTML into it, it can be used for phishing.
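
Animats' post above argues that any service accepting user-supplied HTML or URLs needs an automatic cross-check against phishing feeds and a look at what the content actually does. The block below is an added example (not SiteTruth's code, not PhishTank's API, and not part of the thread): it normalises hosted URLs before matching them against a constructed feed snapshot, and scans user-submitted HTML for the two markers a credential-harvesting page almost always has, a password field and a form that posts somewhere other than the hosting site. The feed lines and the HTML are constructed for the example; a real deployment would load the feed from PhishTank or the APWG.

```python
"""Cross-check hosted content against a phishing feed and scan submitted HTML.

Added example; the feed lines and sample pages are constructed, and the
hosting hostname `docs.example.com` is an assumption for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urlunparse

# Constructed feed snapshot: one URL per line, as a blocklist export might look.
FEED_SNAPSHOT = """\
http://docs.example.com/spreadsheet/ccc?key=abc123
http://t35.example/~user/webmail-activation.html
"""


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop the fragment; keep path and query,
    because phishing URLs on shared hosts are usually told apart by them."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    if p.port and p.port not in (80, 443):
        host = f"{host}:{p.port}"
    return urlunparse((p.scheme.lower(), host, p.path or "/", p.params, p.query, ""))


def load_feed(text: str) -> set:
    return {normalize_url(line) for line in text.splitlines() if line.strip()}


def url_in_feed(url: str, feed: set) -> bool:
    """True when a hosted URL (as the user submitted it) is already reported."""
    return normalize_url(url) in feed


class FormScanner(HTMLParser):
    """Collects credential-form indicators from user-supplied HTML."""

    def __init__(self, hosting_host: str):
        super().__init__()
        self.hosting_host = hosting_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            target = urlparse(a.get("action", "")).hostname
            if target and target.lower() != self.hosting_host:
                self.findings.append(f"form posts off-site to {target}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password field in user-supplied HTML")


def scan_html(html: str, hosting_host: str = "docs.example.com") -> list:
    """Return the list of findings; an empty list means nothing suspicious."""
    scanner = FormScanner(hosting_host)
    scanner.feed(html)
    return scanner.findings


# Constructed samples: a phishing form and an innocuous page.
PHISH_HTML = ('<h1>Microsoft Webmail Activation Form</h1>'
              '<form action="http://collector.example/post.php" method="post">'
              '<input name="user"><input type="PASSWORD" name="pw"></form>')
BENIGN_HTML = '<p>Budget 2011</p><form action="/submit"><input name="note"></form>'

if __name__ == "__main__":
    feed = load_feed(FEED_SNAPSHOT)
    print(url_in_feed("HTTP://Docs.Example.com/spreadsheet/ccc?key=abc123#gid=0", feed))
    print(scan_html(PHISH_HTML))
    print(scan_html(BENIGN_HTML))
```

The URL check runs at submit time and on a schedule, because the feed usually learns about a page after it has been created; the HTML scan catches the case Animats describes, where the hosted page itself is the credential form and the feed has not caught up yet.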

  13. Surprised it took so long by Kelson · · Score: 1

    I predicted spammers would shift to using stolen login credentials way back in 2005.

  14. Thank you, LulzSec by arcctgx · · Score: 2

    Thanks for releasing stolen passwords for 62000 email accounts. Spammers must be very happy now.

  15. So, Private Botnets != Botnets???? by malakai · · Score: 1

    "Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks"

    So, they are making their own botnets, rather than leasing one from some Russian or Chinese hacking group.

    6 of one, 0.5 dozen of another....

    1. Re:So, Private Botnets != Botnets???? by Anonymous Coward · · Score: 1

      No, it's not a botnet, it's nothing like a botnet. RTFA

    2. Re:So, Private Botnets != Botnets???? by Anonymous Coward · · Score: 0

      Or even just the summary.

  16. This needs to be addressed by the mail hosts by im_thatoneguy · · Score: 1

    I already had my Hotmail account somehow compromised this year. It sent an email to everyone in my contact list alphabetically. I wish I could set a pin for emails with more than 5 recipients in less than 30 minutes. And that watched for unusual volumes of outgoing mail to alert another email address.

    Obviously these settings would be pin accessible to ensure the compromised account didn't go crazy.

    I wouldn't even mind a separate highly irregular password for IMAP or POP3 access.

    This *shouldn't* be a problem with some very basic options for account holders. Hell, I wouldn't mind changing my old Hotmail so that it's incapable of sending emails at all for instance.

  17. Figures by Trax3001BBS · · Score: 1

    Peerblock goes into action trying to read "The complete report" http://www.commtouch.com/download/2085.

  18. Why you need to report your spam by utkonos · · Score: 1

    This is why you need to scrub your email address from the spam and forward the scrubbed mail to the abuse@ address for the address that spammed you. I've gotten numerous accounts closed by ISPs this way. If you don't want to do it manually (which can be an endless tedium) you can use a free service such as spamcop.net which scrubs your identifying info from the spam, forwards it to abuse@, and proxies the replies back to the address you have registered with them.

    Also, when you "report" spam in Gmail you are _not_ doing the above. All you are doing is having Google use the contents of that spam to modify your spam filter slightly and make the filter more effective. It is not reporting the spam to abuse@.
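
utkonos describes the manual procedure: strip your own address from the spam, keep the headers intact so the abuse desk can see where it came from, and send it to abuse@ for the sending account's domain. The block below is an added example of that procedure (not spamcop's code and not part of the thread); the message is constructed, and the rule "abuse@ of the From domain" is the commenter's, so the example follows it rather than resolving the originating network's contact.

```python
"""Scrub a spam message of the recipient's address and prepare an abuse@ report.

Added example; RAW_SPAM is a constructed message with documentation addresses.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample spam sent from a compromised account (not a real message).
RAW_SPAM = b"""Received: from compromised.example.net (compromised.example.net [192.0.2.45])
\tby mx.victim.example (Postfix) with ESMTP id ABC123
\tfor <victim@victim.example>; Mon, 20 Jun 2011 09:10:00 +0000
From: "Alice" <alice@compromised.example.net>
To: victim@victim.example
Subject: cheap meds
Message-ID: <deadbeef@compromised.example.net>

Hi victim@victim.example, great prices at http://pills.example/
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def scrub(raw: bytes, my_address: str, placeholder: str = "x@x") -> str:
    """Replace every occurrence of the recipient's address, in headers and body,
    without touching anything else so the Received chain stays usable."""
    text = raw.decode("utf-8", errors="replace")
    return re.compile(re.escape(my_address), re.IGNORECASE).sub(placeholder, text)


def abuse_contact(raw: bytes) -> str:
    """abuse@ for the domain of the account that sent the mail (From header)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"] or "")
    if "@" not in addr:
        raise ValueError("no usable From address")
    return "abuse@" + addr.rsplit("@", 1)[1].lower()


def originating_ip(raw: bytes) -> str:
    """IP from the earliest Received header (the last one in header order);
    the abuse desk needs it to tie the mail to an authenticated session."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    for header in reversed(received):
        m = IPV4_IN_BRACKETS.search(str(header))
        if m:
            return m.group(1)
    raise ValueError("no Received header with an IP literal")


def build_report(raw: bytes, my_address: str) -> dict:
    """Everything needed to forward the complaint: target, evidence, scrubbed copy."""
    return {
        "to": abuse_contact(raw),
        "originating_ip": originating_ip(raw),
        "scrubbed": scrub(raw, my_address),
    }


if __name__ == "__main__":
    report = build_report(RAW_SPAM, "victim@victim.example")
    print(report["to"], report["originating_ip"])
    print(report["scrubbed"])
```

The scrub only removes the full address; if the local part also appears on its own (in a Subject line, for instance) add it to the replacement before forwarding.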

  19. Yup. by sootman · · Score: 2

    In the last year I've gotten spam from accounts belonging to nearly a dozen people I personally know--nearly a dozen hotmail, yahoo, and gmail accounts compromised. Including one of my own. Strong passwords, everyone! Letters, numbers, punctuation. Even something like "Help?1234" is infinitely* better than a dictionary word or common name. Grouping characters by type makes it easier to remember and makes it easier to work with on soft keyboards on mobile devices--letter letter letter letter, shift to "numbers and punctuation" mode, number number number number.

    My biggest problem now (not with spam, but with passwords in general) is financial institutions that restrict you to letters and numbers so you can punch them in on a phone keypad.

    * more or less

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Yup. by hedwards · · Score: 1

      What gets me is that the treasury has super strong protections in pretty much all areas of their account management, but then uses secret questions in order to remove locks and all that. Which kind of ruins the security features that they've been using.

      On top of that, it's very possible to get locked out of your account permanently due to them being unwilling to shoulder any responsibility when it comes to unlocking the account. So, if you don't have a statement on hand to show your financial institution, the institution won't issue the signature guarantee, and if you don't get the signature guarantee, the treasury won't remove the hard lock. Whereas, they could just shoulder some responsibility and accept a notarized form and spare folks the possibility of being locked out completely.

  20. Re:I believe it. - spam source by Anonymous Coward · · Score: 0

    The problem could very well be either the user clicked on an infection, and so the information is recorded (keylogged) or sent due to web virus (scripts identifying the site) or the password is known and being used to authenticate the message to TimeWarner for sending. This is happening more with yahoo and google ... and what seems stupid is that all they had to do was look at the message source ... an IP from the EU, when the user created the account in the US, and the account gets regular logging into, from a handful of US ip space, but then suddenly gets hits from non-US ip space? ... how could they not flag that for follow up? They are big enough that such an investment in infrastructure (log tracking) would pay off easily. Would allow them to see, tag, and review messages from uncommon log-on sources and then block that IP source accordingly. (also disabling the email account so that the real user has to come in and try to validate their use and a new password.)
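
Three comments in this thread describe the same detection problem from the provider's side: fifedrum sees spam runs authenticating with the real user's credentials but a different HELO hostname, im_thatoneguy wants a check for more than 5 recipients in under 30 minutes, and the anonymous comment above asks why a login from a country the account has never used is not flagged. The block below is an added example (not Time Warner's, Hotmail's or any commenter's code) that runs those three heuristics over a constructed submission log. The log format, the thresholds, and the assumption that the log already carries a geolocated country per client IP are all choices made for the example.

```python
"""Flag compromised-account indicators in SMTP submission logs.

Added example. Log lines are constructed: "time user client_ip country helo recipients",
with the country assumed to be resolved upstream by the log pipeline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RECIPIENT_LIMIT = 5              # im_thatoneguy: more than 5 recipients ...
WINDOW = timedelta(minutes=30)   # ... within 30 minutes

# Constructed history used to learn each account's normal countries and HELOs.
HISTORY_LOG = """\
2011-06-19T10:00:00 alice 198.51.100.7 US alice-laptop 1
2011-06-19T15:00:00 alice 198.51.100.7 US alice-laptop 3
2011-06-19T11:00:00 bob 203.0.113.9 US bob-pc 2
"""

# Constructed current day: alice's credentials reused from her own IP with a
# different HELO (fifedrum's case); bob's reused from abroad (phished account).
TODAY_LOG = """\
2011-06-20T08:00:00 alice 198.51.100.7 US alice-laptop 1
2011-06-20T08:30:00 alice 198.51.100.7 US alice-laptop 2
2011-06-20T09:00:00 bob 203.0.113.9 US bob-pc 1
2011-06-20T09:10:00 alice 198.51.100.7 US wkst-7f3a 40
2011-06-20T09:12:00 alice 198.51.100.7 US wkst-7f3a 35
2011-06-20T09:20:00 bob 192.0.2.200 CN mail.example 60
"""


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, helo, rcpts = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "helo": helo, "rcpts": int(rcpts)})
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events: list) -> dict:
    """Per user: the set of countries and HELO names seen in known-good history."""
    base = defaultdict(lambda: {"countries": set(), "helos": set()})
    for e in events:
        base[e["user"]]["countries"].add(e["country"])
        base[e["user"]]["helos"].add(e["helo"])
    return base


def detect(events: list, baseline: dict) -> dict:
    """Return {user: set of rule names} for accounts that tripped a heuristic."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)          # per-user sliding window of (time, recipients)
    for e in events:
        user = e["user"]
        q = recent[user]
        q.append((e["time"], e["rcpts"]))
        while q and e["time"] - q[0][0] > WINDOW:
            q.popleft()
        if sum(r for _, r in q) > RECIPIENT_LIMIT:
            alerts[user].add("burst")
        profile = baseline.get(user)
        if profile:
            if e["country"] not in profile["countries"]:
                alerts[user].add("new_country")
            if e["helo"] not in profile["helos"]:
                alerts[user].add("helo_change")
    return dict(alerts)


if __name__ == "__main__":
    baseline = build_baseline(parse_log(HISTORY_LOG))
    for user, rules in sorted(detect(parse_log(TODAY_LOG), baseline).items()):
        print(user, sorted(rules))
```

A single rule firing is a reason to look, not to lock: a user on a trip trips "new_country" alone. The combination fifedrum describes (same IP, new HELO, sudden burst) is the one worth acting on automatically, for example by rate-limiting submission for that account until the owner re-authenticates.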

  21. Happened to me by Anonymous Coward · · Score: 0

    Actually to my wife - but same thing, on Comcast. Their tech support told us to change the password and everything would be fixed. Only she was unable to change the password (her email is a secondary address on the account, don't know if that matters, she should be able to manage her password) we actually had to let the tech support change the email for us. Color me skeptical - is a password change really sufficient? We use MS security for virus protection and her laptop screened as malware free. Other than installing linux (not sure that would help, we only use the web interface for email - no clients on the machine itself) what does /. suggest as a fix?

  22. Re:I believe it. - spam source by Moryath · · Score: 1

    Actually, Hotmail tried this for a while.

    It failed horribly. A lot of legitimate users' accounts got lost in the shuffle. And since the only way to log in and get your account unblocked was either (a) go to a super secret forum that they didn't even list on the "get my account back" page or (b) give them your phone number to validate via SMS (nevermind that a good number of people still don't do SMS messages or want to give Microsoft their phone number), what they wound up instead was a "throwing out the baby with the bathwater" approach where a large number of users simply said fuck you, we're leaving.

  23. Hahaha: Best U got's an effete "mod down" by Anonymous Coward · · Score: 0

    Watch the Little Penguins RUN w/ feathers all "ruffled", & best they have's a mod-down "hit-N-run" w/ NO technical justifications whatsoever... lame, & WEAK!

    APK

    P.S.=> LMAO @ the "Pro-*NIX" noobz around here, as usual...

    ... apk