Starting Apr 5, about _HALF_ of our spam volume is a new pump and dump campaign for stock symbol "RCHA".
As well as the high volume, there are several noteworthy characteristics:

- victim account name is used as the sender/From account name
- very clean HTML
- very few hits on non-DNS/RBL SpamAssassin tests
- separate HTML-only and image-payload variants (images are very low volume, so far)
- all HTML variants include well formed unsubscribe headers
- for the first half day the symbol was unobfuscated, then it changed to common gappy forms (e.g. "R_C_H_A", "R*C*H*A")
- botnet seems VERY well synchronized with its C&C
- hit some Tagged accounts that were part of major data breaches (including both LinkedIn and WellsFargo)

That last point REALLY jumped out. Previously, almost all of my LI and WF breach spam has been "boy parts" related. That's how I first noticed this campaign, via a trigger that flags all "breach" spam, even before my new-symbol-hunter runs.

Full sample (with obviously redacted email addresses):
http://puffin.net/software/spam/samples/0013_pump_and_dump.txt

I left the Message-ID and other coded headers NON redacted, since that spample hit an unimportant spamtrap, and those headers might be of interest.

So far, there have been some very consistent headers, which all have changed at the same time (i.e. new template) with (so far) no gaps, so this botnet seems VERY well synced (compared to what I've seen in the past). Starting today, there are two templates that are active.

*** HTML variant...

The From Realname has been one of:
  iStockAdvisor
  SuperStock Advisor
  iStocksInformer
  iGoldenStocks
  iMarketWatchers
  iStockMarketInsider
  MarketClub Top Stocks
(listed in order of appearance)

The Subject header has been one of:
  One stock Five times your principal
  A biotech company that will make you big bucks
  This pharmaceutical could quadruple fast
  This is the opportunity of the year
  The last tip I gave you tripled your principal
  Top 5 Trending Stocks
  Don't you deserve an edge in the market?

All contain a Reply-To, which matches the From/SMTP-Sender.

X-Mailer is:
  WhatCounts
which does occur in legit ESP emails.

One of the early HTML templates contained three footer links (About/Legal/Unsub), which use the victim account name with dot com. I don't recall ever seeing that pattern. Today's two HTML templates contain one footer unsub link, with the same fake domain pattern.

*** Image variant (either GIF or JPEG)...

From Realnames:
  iBuyStock
  iTopStocksPicker
  iSelectedStocks
  iTriplingStocks

Subjects:
  The best stocktip for VICTIM-ACCOUNT-NAME
  This little company could tenfold your investment, VICTIM-ACCOUNT-NAME
  Dear VICTIM-ACCOUNT-NAME, Three hundred percent gains is super possible

Where "VICTIM-ACCOUNT-NAME" is the victim's email account name.

Within each template, the Image properties have been the exact same, and appear to be the same (just eyeballing them, not binary comparisons). They all have a medium sized block (~2K chars) of Bayes salad. EACH salad and image filename is completely different. They do not contain unsubscribe links, or any "extra" headers. The Message-ID always ends with the victim's domain name, NOT the sender (the HTML versions contain standard botnet M-IDs).

All are getting thru SA, however most are hitting:
  HTML_IMAGE_ONLY_28 or HTML_IMAGE_ONLY_32
  DC_GIF_UNO_LARGO

*** Botnet prep signs:

Around mid-March, our malware attachments volume shot up to about six times the average for 2014. In late March, there was what looked like a standard botnet calibration run, which was probably for this botnet. I just re-skimmed thru some of those, and the only notable headers were avast X-Antivirus and X-Mailer with a fake value.

*** Rules:

Originally, these were dying mostly due to Nation-of-IP and my custom anti-stocks body word tests. The Unsub links, X-Mailer, and fake Unsub headers, combined, are an excellent fingerprint. They're trying to imitate ESP/Bulk senders, but these are mainly coming from "normal" ISP IPs. I've added rules that only score those headers for non-ESP/Bulk IPs.
Of course, the very first thing I did was add "RCHA" to my list of scammer symbols. :) - "Chip"
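Added example (not the poster's rules, nor anything shipped with SpamAssassin): a SpamAssassin local.cf fragment expressing the fingerprint described under Rules (X-Mailer: WhatCounts, a List-Unsubscribe header and an unsubscribe footer link, scored only when the sender is not a known bulk sender) plus the gappy symbol forms. The rule names, regexes and scores are assumptions, and the stock RCVD_IN_DNSWL_MED/HI rules stand in for the poster's own "ESP/Bulk IP" test.

```spamassassin
# --- ESP-impostor fingerprint (assumed rule names; scores are illustrative) ---

# X-Mailer value the campaign borrows from a legitimate ESP
header   __PD_XMAILER_WC   X-Mailer =~ /^WhatCounts/i

# "Well formed unsubscribe headers" that real bulk senders also set
header   __PD_LIST_UNSUB   exists:List-Unsubscribe

# Footer unsub link on a bare <something>.com domain (the fake
# "<victim-account-name>.com" pattern); checked on the raw HTML
rawbody  __PD_UNSUB_LINK   /href=["']?https?:\/\/[\w.-]+\.com\/[^"'>\s]*unsub/i

# Assumption: treat DNSWL medium/high listings as "known ESP/Bulk IP";
# only score the header combination for senders NOT listed there
meta     PD_ESP_IMPOSTOR   (__PD_XMAILER_WC && __PD_LIST_UNSUB && __PD_UNSUB_LINK && !RCVD_IN_DNSWL_MED && !RCVD_IN_DNSWL_HI)
describe PD_ESP_IMPOSTOR   Imitates ESP/bulk-sender headers but sent from a non-bulk IP
score    PD_ESP_IMPOSTOR   2.5

# --- Scammer symbol, plain and gappy (R_C_H_A, R*C*H*A, R.C.H.A ...) ---
# Up to two non-alphanumeric characters may sit between the letters
body     PD_SYMBOL_RCHA    /\bR[\W_]{0,2}C[\W_]{0,2}H[\W_]{0,2}A\b/i
describe PD_SYMBOL_RCHA    Pump-and-dump stock symbol RCHA, obfuscated or not
score    PD_SYMBOL_RCHA    1.5
```

Run `spamassassin --lint` after adding the fragment; the `__` sub-rules carry no score of their own and only feed the meta rule.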