Spample: http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt I removed 19 (of 20 original) email addresses out of the To header, ST:TOS munged all remaining email addresses, and munged the target URL to match the other mungings. Everything else is exactly as received, immediately post-SA.
This campaign has been going on at a low but steady rate (typically 0.2% to 0.4% of spam) since at least late May. It uses very simple and effective social engineering which leads the victim to a cracked legit-ish site that redirects to a drive-by malware site which is controlled by the miscreants.

*** Analysis:
The pattern is that the complete From.RealName is used as the final subdir in the URL, with an underscore between each word that was in the RealName. The original cAsEs are always used (e.g. "Montgomery Scott" goes to "/Montgomery_Scott/" and "leonard mccoy" goes to "/leonard_mccoy/"). There are between zero and two trailing "/". There is always a subhost, except for the earliest instances. There are no parameters, so the final subdir STANDS OUT well, looking like a personal/vanity website at a free provider. All have those "Apple-Mail" boundaries. They're usually To multiple people (20 being the most common), but not always (particularly the early ones). The body text is always brief with a general upbeat tone. The Subject is almost always "Re:" (except in the beginning).

*** The impressive part is that the From.RN is always that of a genuine Friend/correspondent, and often (about 64%) the To.Realname is correct (otherwise it's blank, so it's never "wrong"). The From.Address is always "wrong"/new/unknown. The source of the data collection appears to be Yahoo account cracks.

I've spot checked several of the URLs (using a raw HTTP tool), and they always 302 to pure javascript booby-trapped pages at a different domain. I've substituted other subdir names, which always 302 to the same (external) URL, so there's nothing sophisticated at that end. The original URL is usually at a legit-ish semi-dormant GoDaddy hosted domain. I suspect GoDaddy must have a tool that makes it easy to create subhosts, plus they're often targeted due to less sophisticated endusers. Until recently, most were never listed on any Domain Blocklist.
Most of the redirects are eventually taken down, though it often takes a couple of weeks. Of the drive-by-malware sites I've checked, all have been recent registrations (presumably by the miscreants), and typically remain active long after the takedowns of the "cracked" sites. Today, I checked the URL in the spample, and both it and the drive-by-malware redirect are still "live", in case any of you would like to investigate further. :)

The very first one I spotted was only "To" me, from an old friend. When I saw it, my first reaction was delight and I genuinely was drawn to visit the link... even though I was viewing it in quarantine, and quickly spotted lots of Bad Stuff (Received IPs tour-of-the-world). It's simple yet VERY effective social engineering, while being light-weight and so obvious it's not. :\ I had noticed the pattern before, but had assumed the Realnames/subdirs were random. If I hadn't been sent any myself, I probably would NOT have recognized the effectiveness of the pattern.

I wrote a batch regression test to find these, not in real-time but in old data so I could verify the algorithm & datamine. Unfortunately, I've had some :( Kobayashi Maru scale "schedule disruptions", so have NOT been able to do much testing other than my primary Geek domains, and partial testing by one of my best Volunteers with a highly-IDIC corpus (I'm desperate enough I'm going to try a hotel, so I can complete this and other critical testing).

So far, all but one FP occurred when I matched "anywhere" (soft match) in the URL, instead of doing a word-boundary match on the last token. The signature is always at the very end, without any parameters, though it would be easy for them to obfuscate with param(s). Granted, that would (IMO) reduce the efficacy of the social engineering. :) The one exception was a Twitter URL. Using an existing skip domain list eliminates that case. It's still possible to have other FPs, so a simple match is unlikely to be a Poison Pill candidate.
Last week, I sent John Hardin some spamples, and he very kindly wrote & masschecked rules over the long weekend (Geek!). :) He found a significant FP risk. Depending on your environment (quarantines rock!), this may be worth the risk. The non-Bayes SA killrates for these are running in the range of 0% to 18%. :( Even with Bayes, most are getting thru. Mine are mostly being killed by Nation-of-IPs, and a few pre-existing specialty tests (all post-SA). I have not yet needed to add custom rules, however I am considering it, due to the malware risk.

I'm posting this in the hope that someone(s) will nudge GoDaddy and other cheap hosts to scan for offsite redirects, then test them. The drive-by-javascript at the destinations is obviously "bad", and trivially easy to recognize.

- "Chip"
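The RealName-to-URL check described in the post, written out as an added example (not Chip's batch test or any SpamAssassin rule): the From RealName is joined with underscores, case kept, and compared against the final path token of each URL, allowing zero to two trailing "/", rejecting any parameters, and honouring a skip-domain list. The "anywhere" soft match is included alongside it to show the FP the post describes. The sample message, names and hosts are constructed placeholders, not the real spample.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the described pattern; names, addresses
# and hosts are placeholders, not taken from the real spample.
SAMPLE = """From: Montgomery Scott <new.unknown@example.net>
To: Leonard McCoy <bones@example.org>
Subject: Re:
Content-Type: text/plain; charset=us-ascii

Thought you'd enjoy this, have a great week!
http://sub.semi-dormant-example.com/Montgomery_Scott/
https://twitter.com/Montgomery_Scott
"""

SKIP_DOMAINS = {"twitter.com"}  # stands in for the existing skip list
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def realname_token(from_header):
    """'Montgomery Scott' -> 'Montgomery_Scott' (original case kept)."""
    name, _ = parseaddr(str(make_header(decode_header(from_header))))
    return "_".join(name.split()) or None

def in_skip_list(host):
    return any(host == d or host.endswith("." + d) for d in SKIP_DOMAINS)

def strict_match(url, token):
    """Final path token == RealName token, 0-2 trailing '/', no params."""
    p = urlparse(url)
    if p.query or p.params or p.fragment or in_skip_list(p.hostname or ""):
        return False
    stripped = p.path.rstrip("/")
    if len(p.path) - len(stripped) > 2:
        return False
    return stripped.rsplit("/", 1)[-1] == token

def soft_match(url, token):
    """The 'anywhere' match that produced the FPs in the post."""
    return token in url

def scan(raw):
    """Return (strict_hits, soft_hits) for URLs in a text/plain message."""
    msg = message_from_string(raw)
    token = realname_token(msg.get("From", ""))
    if not token:
        return [], []
    urls = URL_RE.findall(msg.get_payload())
    return ([u for u in urls if strict_match(u, token)],
            [u for u in urls if soft_match(u, token)])
```

On the sample, the soft match flags both URLs while the strict match flags only the vanity-style one, the Twitter URL being dropped by the skip list.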