Background: Spamnet Tracking
A year or so ago, as we were talking about malnets one day, it occurred to us that there was probably a lot of similarity between the networks run by the Bad Guys to infect victims with malware, and the networks used by spammers to run their spam campaigns. In fact, we were already aware that some of the big malnets also included traditional spam as a side business, but we hadn't ever specifically focused much on spam, since spam filtering isn't really a core Blue Coat business.
As we discussed how typical large-scale spam operations are run, it quickly became obvious that our Malnet Tracker module could probably track spamnets just as easily. In a typical spam campaign, the spammer rotates through a large number of what we call "leaf and twig" sites — the sites that supposedly sent the spam, and the initial link in the spam. These are quickly identified and blocked by the e-mail filter companies, so they have a very short shelf life. They exist only to relay traffic into what we call the "branch and trunk" sites — the actual spam/scam destination sites, and the internal relay/tracker sites that coordinate the spam campaign and track its success.
So we looked for spam activity in our logs, identified the "branch and trunk" infrastructure, and told the Malnet Tracker to follow those servers and rate any domains that showed up on them.
Sure enough, we found that this part of the infrastructure had a much longer shelf life than the "leaf and twig" sites. And, while we still focus most of our work on malicious activity (including malware-focused spam), as we run across "normal" spam activity, we feed the site data into the Malnet Tracker.
You Too Can Make a Fortune Working from Home (Even in Brazil)
Earlier this week, I came across a new sample from a long-running "work at home" spam/scam network, and noticed an interesting development in the on-going campaign: the Bad Guys are also targeting Brazilian users…
This campaign generally uses hacked e-mail accounts to send their spam, and victims who click the link in the spam are taken to a simple relay page (which is typically hosted on a hacked site). The relay page then sends them on to the actual "work at home" host domain. In this case, when I followed the link, I ended up at easyworkathomeonline.com.
Plugging that domain name into nslookup yielded a bunch of IP addresses:
46.249.199.75
85.234.148.207
92.48.125.252
94.242.203.41
178.208.137.67
178.208.137.229
178.208.138.65
178.208.138.66
178.208.138.230
178.208.138.234
216.245.205.229
217.23.6.137
217.199.212.102
217.199.212.110
217.199.214.226
217.199.214.227
These are typically grouped into small clusters, with one server running on 2, 3, or 4 different IPs. Many of these servers were already on file in the Malnet Tracker, but some were new, so I set about adding them.
In the course of this process, I did a quick check of the list of domains on each server, as part of verifying that it was indeed part of the network, and one server reported the following domains:
real-workathome-online.com
comotrabalheemcasa.com
trabalheemcasaguide.com
At first glance, the second two appeared to not be part of the network. Then I looked closer, and a couple of words in the Portuguese domain names looked familiar: "trabal" ("job/work") and "casa" ("home/house")… And sure enough, a short Google Translate session later, "como trabalhe em casa (.com)" becomes "how to work at home (.com)". So these weren't innocent domains at all.
It's interesting to compare the two campaigns. First, the English version:
Which leads to this site if you click one of the links to learn about their "system":
The Brazilian version is a bit different:
(I didn't have room to fit the whole picture of "Maria Carolina" and her baby into the screen capture, but I'm pretty sure I've seen her before — several times — on English versions of this scam. I'm also pretty sure that she's not Brazilian…)
Here's the actual offer site, once you've accepted the bait from the fake-news site above:
(In comparing the two "offer" pages, I thought it was interesting that these Bad Guys seem to like the number "87" — as in "$87 an hour" and "R$ 187 por hora". I guess it's sufficiently large to be desirable, and sufficiently random-looking to look realistic.)
I didn't bother to grab screenshots for the English version of the "nag box" that pops up if you try to close the window or otherwise leave the site, but here's the Brazilian version, from the second (weblucros.com) page, begging you not to go:
But, I didn't think that a 51% discount was enough, so I clicked OK anyway to leave, and got the second-level "Are you sure?" prompt:
Anyway, WebPulse will continue to automatically track these mini-spamnets, and we'll continue to add new ones to the tracker's database as we come across them. This means that while your e-mail filter continues to do battle with the ever-changing list of current "Level One" spam sites — the "leaf and twig" sites — WebPulse will function as a "Level Two" spam filter, blocking the "branch and trunk" sites that coordinate the spam.
Malware remains our main focus, but we like blocking spam, too.
–C.L.
@bc_malware_guy
Leave a reply
