SecurityWatch asked the security experts at Cloudmark to flag and analyze an ongoing spam campaign. We take a look at the type of messages being sent and the infrastructure behind the operation. This month, we look at an operation called “Com Spammers.”
The Com Spammer Operation
The Com Spammer operation specializes in work-from-home schemes, diet pills, and recently, a miracle anti-aging skin cream. The gang monetizes the email and SMS spam campaigns through victims who sign up to buy one of these products. In the case of the diet pills, which are mailed from a suburb of Atlanta, Georgia, victims are likely to find recurring two- or three-figure charges on their credit cards each month.
The Federal Trade Commission was able to shut down parts of the multi-million dollar work-from-home scam in mid-February, “but they are now back at their old tricks,” said Andrew Conway, a research analyst at Cloudmark. The gang had redirected the older work-from-home links to promote diet pills after the FTC action, but this side of the business appears to be back in action.
How the Operation Functions
This operation uses different domains as landing pages, which is not so unusual among spammers, but it’s worth noting that many of the domains begin with com_. This prefix makes it difficult for an average user to tell at a first glance if the domain is fake. For example, the link foxnews.com_ab12.net/new_diet.php looks as if it is a foxnews.com URL when it’s actually a com_ab12.net URL.
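As an added example (not from the article or from Cloudmark), here is a small Python checker that separates the actually registered domain from the brand-like prefix in hosts of the form foxnews.com_ab12.net. The net_ and org_ prefixes are an assumed extension of the com_ pattern the article describes, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Label prefixes that make a host read like a well-known .com/.net/.org
# domain at a glance. The article documents "com_"; the others are assumed.
LOOKALIKE_PREFIXES = ("com_", "net_", "org_")


def split_host(url):
    """Return the lower-cased DNS labels of the host in url (scheme optional)."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds a host when a scheme is present
    host = urlsplit(url).hostname or ""
    return host.split(".")


def registrable_domain(url):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(split_host(url)[-2:])


def analyse(url):
    """Flag a host whose label structure imitates another domain.

    Returns the real registrable domain, the domain a glancing reader would
    assume, and whether the lookalike pattern was found.
    """
    labels = split_host(url)
    for i, label in enumerate(labels):
        for prefix in LOOKALIKE_PREFIXES:
            if i > 0 and label.startswith(prefix):
                # What the eye sees: the labels before the prefixed one,
                # followed by the TLD that the prefix imitates.
                apparent = ".".join(labels[:i]) + "." + prefix.rstrip("_")
                return {"registrable": registrable_domain(url),
                        "apparent": apparent, "suspicious": True}
    return {"registrable": registrable_domain(url),
            "apparent": None, "suspicious": False}


# Constructed samples: the host pattern quoted in the article and a benign URL.
SAMPLES = ["foxnews.com_ab12.net/new_diet.php", "https://www.foxnews.com/story/1"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, analyse(sample))
```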
The spammers are registering these sites at the rate of twenty or more a day.
While the messages may include the actual URL of the landing page, many of them rely on an intermediate link. That could mean a link from a URL shortener such as bit.ly, or a link to a website that would redirect the user on to the landing page. The group has over 4,300 compromised Web servers used to redirect users to the main landing pages, Cloudmark said.
An Affiliate Program Structure
Com Spammer is structured as an affiliate program, with tiers of individuals dedicated to specific tasks. The first level has independent spammers who send out spam messages, often via botnets. The next level includes those responsible for setting up and maintaining the landing pages, which may look like news or magazine sites. The third tier consists of the people whose job it is to extract as much money as possible from the victims who visit the landing pages.
“It looks like someone had picked up the slack in monetizing this spam. We hope that people are now more aware of this and don’t fall victim to it,” Conway said.
SecurityWatch will be working with Cloudmark on a monthly basis to analyze more spam and phishing campaigns. Next month, we look at mobile spam.