The “hailstorm” spam technique has re-emerged, according to security researchers.
The Cisco Talos and Umbrella research teams, using a detection system that combines machine learning, stream processing of DNS requests and the curated Talos email corpus, are tracking a cloudburst of hailstorm campaigns, which are sent out in very high volume over a short timespan. In fact, some hailstorm spam attacks end at about the time the fastest traditional anti-spam defenses can update in response.
Hailstorm is an evolution of traditional “snowshoe” spam campaigns, which are sent from a large number of IP addresses with a low volume of spam email per IP address. Using such techniques, snowshoe spammers intend to fly under the radar with respect to any reputation or volume-based metrics that could be applied by anti-spam systems.
The DNS query volume for a domain involved in a typical hailstorm attack shows practically no queries at all, then spikes suddenly to over 75,000 queries per hour, then drops back down to nothing.
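The volume profile described above (near-zero queries, an abrupt spike, then silence) is itself a usable detection signal for a defender with passive-DNS or resolver telemetry. The following is an added example, not code from Talos or Umbrella: it reads a constructed, pre-aggregated feed of hourly query counts per domain (the feed format, the sample domains and the thresholds are assumptions) and flags domains whose count jumps straight from a quiet baseline to a burst and falls back within an hour, while leaving consistently busy domains and gradually growing ones alone.

```python
"""
Burst ("hailstorm") detector over hourly DNS query counts per domain.
Added example; the feed format, sample data and thresholds are assumptions,
not the detection system the article describes.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a pre-aggregated passive-DNS feed: hour,domain,queries.
# Hours with zero queries are simply absent, as they would be in a real feed.
# shop-deals.example  : quiet, one-hour burst, quiet again  -> hailstorm profile
# steady-cdn.example  : always busy                         -> not a burst
# new-blog.example    : ramps up over several hours         -> organic growth
SAMPLE_FEED = """hour,domain,queries
2017-01-10T08:00,shop-deals.example,2
2017-01-10T09:00,shop-deals.example,1
2017-01-10T10:00,shop-deals.example,81000
2017-01-10T11:00,shop-deals.example,3
2017-01-10T08:00,steady-cdn.example,70000
2017-01-10T09:00,steady-cdn.example,72000
2017-01-10T10:00,steady-cdn.example,76000
2017-01-10T11:00,steady-cdn.example,74000
2017-01-10T09:00,new-blog.example,50
2017-01-10T10:00,new-blog.example,400
2017-01-10T11:00,new-blog.example,9000
2017-01-10T12:00,new-blog.example,82000
2017-01-10T13:00,new-blog.example,90000
"""


def load_hourly_counts(text):
    """Parse the feed into {domain: {hour (datetime): queries (int)}}."""
    counts = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        hour = datetime.fromisoformat(row["hour"])
        counts[row["domain"]][hour] = int(row["queries"])
    return counts


def find_hailstorm_domains(counts, spike_threshold=75000,
                           quiet_threshold=100, quiet_hours=3):
    """Return {domain: spike_hour} for domains whose hourly query volume
    jumps from at most quiet_threshold (for quiet_hours preceding hours)
    straight to at least spike_threshold, and is back under quiet_threshold
    the following hour. Absent hours count as zero queries."""
    hits = {}
    for domain, series in counts.items():
        for hour, n in series.items():
            if n < spike_threshold:
                continue
            before = [series.get(hour - timedelta(hours=k), 0)
                      for k in range(1, quiet_hours + 1)]
            after = series.get(hour + timedelta(hours=1), 0)
            if all(b <= quiet_threshold for b in before) and after <= quiet_threshold:
                hits[domain] = hour
                break  # one hit per domain is enough to flag it
    return hits


if __name__ == "__main__":
    for domain, hour in find_hailstorm_domains(load_hourly_counts(SAMPLE_FEED)).items():
        print(f"hailstorm profile: {domain} burst at {hour.isoformat()}")
```

Run against the constructed feed, only shop-deals.example is flagged. A flagged domain is a candidate for a resolver or mail-gateway blocklist, but the check is deliberately strict about the quiet hours on both sides so that a legitimately busy domain or one with organic growth does not trip it; in production the thresholds should be tuned against the resolver's own baseline, and the spike-hour check should run on partial hours so the alert does not arrive after the campaign has already ended.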
“Hailstorm spam is being sent from IP addresses located all around the globe,” researchers said in a blog. “Looking at the geo-IP distribution from recent hailstorm spam campaigns, the US, Germany, Netherlands, Great Britain and Russia lead the pack in terms of volume of hailstorm spam sent by country. Hailstorm spam also involves domains registered at a wide array of top-level domains (TLDs). In a recent sample of about 500 hailstorm-related domains, the most common TLDs were .top, .bid, .us, .win and .stream.”
Most of the campaigns initially detected advertise products comprising home-surveillance systems, flashlights, dietary supplements and all sorts of items “as seen on TV”. Services as diverse as bathroom remodeling, online degrees and psychic readings are common as well. The idea is to make money from generating traffic to affiliate pages.
“Links in the original email are redirected several times before reaching the landing page, which in turn links to an order form on an affiliate page,” the researchers explained.
Another typical monetization scheme is to generate traffic on sponsored links.
“These spammers are lazy and have terrible operational security (OPSEC),” the researchers said. “In this case, the domain used in the ‘from’ address is registered to an email associated with a number of other domains participating in hailstorm spam campaigns.”
However, as expected for any method that proves effective in raising the rate of successful delivery, hailstorm campaigns are used for much more damaging purposes.
“Hailstorm tactics are also used by botnets like Necurs to spread malware,” researchers said. “[And], while these campaigns are generally more of a nuisance rather than a threat, it goes without saying that clicking spam-distributed links is risky on several fronts. Drive-by downloads are as much a possibility as business email compromise, fraud and identity theft, should any personal or financial information be disclosed by a recipient.”