Spam clogs our inboxes every day with unsolicited offers for cheap pharmaceuticals and opportunities to earn money from home. While most people automatically delete their spam, digging through these types of emails can be an educational exercise for those of us in the threat intelligence industry.
From collecting malware samples and tracking phishing schemes to monitoring for domain squatters and examining fake news sites, a lot of information can be gathered from spam to influence mitigation research. It can also be used to help report new campaigns and notify site owners of problems.
Malware Samples
If you’re involved in monitoring and dissecting malware and are constantly looking for samples, take a look at the steady delivery to your inbox every day. Some of these malware samples are well known by the community and can be verified by uploading them to VirusTotal.
For malware samples that can’t be verified, you can examine the domain where the malware is hosted. In some cases the hosting domain is obvious; in others it takes some prying, because the malware is usually obfuscated and the infection code has to be extracted programmatically. In other instances, the domain will already be listed on malware tracking websites like malwaredomainlist.com.
Looking into these samples can uncover previously unknown threats and identify compromised websites, so that owners who are unaware their site is serving malware to visitors can be warned: a little bit of good done with the junk sent every day.
Phishing Sites
To learn from phishing emails in your spam folder, start by looking for attacks against domains. Popular ecommerce and financial websites remain a steady target for phishing, as they all contain desirable data like emails, login credentials, personally identifiable information (PII) and credit card information to be harvested.
For example, an increase in ‘free gift card’ and other e-commerce offers emerged around Black Friday and lasted throughout the holiday shopping season. One example of these emails claimed to offer a free $50 Amazon gift card, but clicking the link within led to a bogus Amazon login phishing site designed to nab users’ login credentials.
Another example involved emails claiming “your order has shipped,” with a binary zipped file attached. The .zip file is usually some variant of ransomware or adware.
When evaluating these scams, be on the lookout for a missing or broken Transport Layer Security (TLS) lock icon and sloppy URLs; either is a dead giveaway when you suspect a site isn’t legitimate.
Domain Squatters
Similarly, domain squatters wait for unsuspecting users to make a random typo in a popular domain name so that the mistyped address lands on a site they control. They use the same technique in spam emails, embedding links that imitate legitimate websites but are off by one character. Instead of leading you to your intended domain, the link takes you to a redirect that downloads malware in the form of a browser adware extension.
The website checks the browser’s user-agent string to decide which executable to serve. If the user-agent is cURL, Wget or a connection from VirusTotal, the website doesn’t attempt the fake Flash player update. On a repeat visit, a cookie set during the first load causes the site to redirect you to a normal website instead. Similar to phishing sites, domain squatters are also typically looking to harvest information from their target.
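As an added example (not from the original post), here is a small Python checker that pulls the links out of a spam message and flags hostnames that are one typo away from a brand domain, or that bury a brand name in a subdomain of an unrelated site. The brand list and the sample message are constructed for illustration.

```python
# Added example, not from the original post: flag lookalike hostnames in spam.
import re
from urllib.parse import urlparse

# Constructed list of legitimate registrable domains to protect (assumption).
BRAND_DOMAINS = {"amazon.com", "paypal.com", "example-bank.com"}

# Constructed sample message with one typosquat, one brand-in-subdomain
# link and one genuine link.
SAMPLE_SPAM = """Your order has shipped! Track it at https://www.amazom.com/track/12345
Claim your $50 gift card: http://amazon.com.gift-card-claim.example/login
Unsubscribe: https://mail.amazon.com/unsub
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insert, delete or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; adequate for the .com brands above."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def extract_hosts(text: str) -> list:
    """Return the hostname of every http(s) link found in the message body."""
    return [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", text)]

def flag_lookalikes(text: str, brands=BRAND_DOMAINS, max_dist: int = 1) -> list:
    """Return (host, brand, reason) for hosts that are a near miss of a brand:
    'typo' when the registrable domain is within max_dist edits of the brand,
    'brand-in-subdomain' when the brand's name appears as a label of an
    unrelated domain. The genuine domain and its subdomains are skipped."""
    hits = []
    for host in extract_hosts(text):
        reg = registrable_domain(host)
        if reg in brands:
            continue  # the real site or one of its own subdomains
        labels = host.lower().split(".")
        for brand in brands:
            if edit_distance(reg, brand) <= max_dist:
                hits.append((host, brand, "typo"))
            elif brand.split(".")[0] in labels:
                hits.append((host, brand, "brand-in-subdomain"))
    return hits

if __name__ == "__main__":
    for host, brand, reason in flag_lookalikes(SAMPLE_SPAM):
        print(f"{host}: looks like {brand} ({reason})")
```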
Fake News Sites
A recent phenomenon that has been dominating the media is fake news. Fake news and fake news sites (also known as counterfeit sites) are often either out to turn a profit or attempting to change people’s views or bias.
It’s always fun to see what ridiculous and eye-catching headlines spammers come up with. It’s also interesting to see where these sites are being hosted and how they are counterfeiting sites. Is the domain the sites are being hosted on compromised? If so, appropriate action can be taken to have the fake site removed. Site takedowns are a complex process and should include guidance from your legal team.
Commonly seen examples include sites advertising all-natural recipes for weight loss, purportedly used by many celebrities. Even advertisements for a tiny pill that gave then-Republican Presidential nominee Donald Trump the stamina to run for office have been used!
Wrapping Up
While the average user doesn’t want to see, let alone read, spam emails, information pulled from these types of threats can provide a treasure trove of information to learn from and apply to future mitigation strategies.