Spam sucks. But as Information Age stated, scammers love it — mostly because it works. Despite increasing awareness of spam email, campaigns attackers still find success, especially during popular holidays or in the wake of news-making headlines about data compromise or security failures.
But thanks to some bad data backup techniques, one prolific spammer group known as River City Media (RCM) compromised their own servers and let security researchers grab an inside look at day-to-day scam operations.
‘Legitimate’ Operations
CSO Online explained that security pros are familiar with RCM — the company bills itself as a legitimate marketing agency, but at one point was sending out more than 1 billion emails per day in an effort to grab and leverage consumer email addresses and personal data. The company uses a number of methods to obtain this information, including CoReg, which sees users signing up for a notification service or email newsletter and then having their address shared — without permission — among spam producers.
RCM also leveraged warm-up accounts, which are email addresses owned by the company that won’t report its chain of spam emails. Once they’ve sent enough messages, legitimate email service providers or affiliate programs mark them as “not spam” and provide access to the internet at large.
Another tactic? Aged domains. These older senders are naturally more trustworthy than newly created email addresses, making it easier to slip spam past filters.
To achieve their billions of emails per day mark, RCM also used a type of Slowloris attack. They opened multiple connections with a Gmail server and then sent fragmented response packets very slowly, all while requesting new connections. This stressed the server without disabling it, making it seem like the action isn’t really a spam attack.
Just Desserts for Poor Data Backup
As Computerworld noted, somebody at RCM forgot to properly lock down their data backup, in turn allowing MacKeeper security researcher Chris Vickery to infiltrate their servers and see exactly how they do business. The result was evidence of nearly 1.4 billion compromised email accounts tied to real names, IPs and even physical addresses.
Vickery discovered that despite the company only employing around a dozen people, it managed to leverage a combination of “automation, years of research and a fair bit of illegal hacking techniques” to blast out billions of emails, Computerworld reported.
In a bit of poetic justice, RCM frontman Alvin Slocombe sent out an internal email in February asking staff to change their Skype and HipChat passwords for fear that the company had been hacked. Instead, someone improperly configured their Rsync server and made it possible for Vickery to walk right in and look around.
It’s a rare case of things good right for the good guys, but it’s also a wake-up call: With less than 20 people, RCM managed to rank in the top 10 on the Register of Known Spam Operations (ROSKO) database maintained by Spamhaus. The company also used a variety of techniques to keep consumers on the hook and generate new leads.
The takeaway for companies and consumers? Don’t underestimate the power of spam. While scam operators are prone to mistakes just like everyday users, they’ve got the advantage with easy access to share, compromise and continually blast email addresses worldwide. A look behind the curtain reveals both sound and fury and it makes it patently obvious: Email remains the key battleground for solid network security.