    Author Archive - Jon Oliver (Senior Architect)

    11:19 am (UTC-7)   |    by

    Recently I discussed how TorrentLocker spam was using email authentication for its spam runs. At the time, I suggested that these spam runs were using email authentication to gather information about victim networks and potentially to improve their ability to evade spam filters. DomainKeys Identified Mail’s (DKIM) own specification mentions the possibility of messages from “trusted sources” that carry a valid signature being whitelisted.

    Since then, we’ve received several replies that differ from our findings. One of these was from Martijn Grooten at Virus Bulletin, who argued that the use of these techniques was “unlikely to bring any advantage”, and speculated that Domain-based Message Authentication, Reporting and Conformance (DMARC) may have been used simply because it came pre-configured on rented infrastructure.

    While it is possible that this could be the case, we would like to explore the possibility that the usage of email authentication was deliberate.

    Grooten notes that it would be unusual for spammers to use Sender Policy Framework (SPF) and DKIM, as doing so would only allow spam filters “to be more confident that they are blocking the correct emails.” However, he cited one exception: low-volume spam runs that are trying to look legitimate. TorrentLocker spam runs meet this description: they are sent in smaller numbers than other threats, and they have a strong interest in looking legitimate. Anecdotal evidence suggests that the delivery rates of TorrentLocker spam are high; it appears to be successfully evading spam filters.

    From the point of view of a spammer, using SPF and DKIM makes perfect sense if it would increase the chances of email delivery. An automated filter based on statistics or Bayesian rules may “learn” that spam with SPF and DKIM is less likely to be spam, and thus increase the chance of delivery. [Footnote: we note that we consider a Bayesian or statistical filter that increases the chance of email delivery based on passing a SPF or DKIM check is a misapplication of email authentication technologies].

    The next issue raised is that DMARC is of little benefit, as spam campaigns will have relatively little time to fix mistakes (as the campaign will soon be over).

    However, TorrentLocker campaigns are ongoing and long-lasting. While individual spam runs may be limited in duration, overall there is plenty of time for an attacker to learn from DMARC feedback. A recent joint report by Deakin University and Trend Micro looked into the ongoing nature of TorrentLocker spam runs for November and December 2014. We found that these spam runs were repetitive in nature, providing plenty of opportunities for the attackers to learn how to improve their attacks.

    In addition, the best-case scenario (from an attacker’s perspective) is that DMARC feedback on SPF/DKIM results can be used to determine how many recipients at certain ISPs received a spam message. For attacks explicitly designed around heavy social engineering, this information is invaluable: it provides direct feedback on the effectiveness of a spam campaign, which an attacker can then use to improve the next one. DMARC failure reports can also be useful, for example by uncovering undisclosed list recipients. DMARC can thus be used to uncover both relationships and security weaknesses. (One example of feedback being sent to attackers: if a recipient forwards an email to a third party, the email address of that party can be sent back to the attacker in a failure report.)

    One issue that was raised is that the attackers may merely have used infrastructure that was already set up for SPF/DKIM. However, we noticed that the DMARC records for the sending domains, hosted on multiple IP addresses across different ISPs, were changed at approximately the same time. This strikes us as highly unusual, and does not match the expected behavior for rented infrastructure.

    Finally, the following portion of the DMARC specification is pointed out:

    Mail Receivers are only obligated to report reject or quarantine policy actions in aggregate feedback reports that are due to DMARC policy. ... If local policy information is exposed, abusers can gain insight into the effectiveness and delivery rates of spam campaigns.

    We suspect that some local policy information is being exposed, and this is why DMARC has been enabled for these outbreaks. It’s worth noting that DMARC also has a mechanism for detailed per-message failure reports (requested with the ruf= tag of the DMARC record); this was intended for debugging purposes. ISPs and other organizations that implement email authentication should check that they disclose only the information needed to implement email authentication: in particular, that local policy decisions are not exposed beyond what the specification requires, and that failure reports are sent only where they are genuinely needed.

    In conclusion, we believe that there are potential advantages that an attacker stands to gain from using email authentication. In addition, the pattern of behavior suggests that these actions were deliberate on the part of spammers.

    Posted in Spam

    In monitoring the ransomware TorrentLocker, we noticed a new development in its arrival vector. In previous entries, we noted that a particular wave of the crypto-ransomware was using spammed messages that were designed to evade spam filters. Our research now shows that TorrentLocker is using emails that are designed to pass spam filters and also to collect information.

    From SPF to DMARC

    Previous spammed messages passed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks. SPF lets receivers check that incoming mail claiming a domain is being sent from a host authorized by that domain’s owner; the list of authorized IP addresses is published in the domain’s DNS records. DKIM lets the sending domain sign messages with a key that is likewise published in DNS, so receivers can verify that the signed parts of the message were not altered in transit.

    The new TorrentLocker emails use Domain-based Message Authentication, Reporting and Conformance (DMARC), a policy and reporting layer built on top of SPF and DKIM. A domain owner publishes a DMARC record in DNS, and receivers that implement DMARC send reports back to the addresses that record names, allowing senders to:

    • Collect statistics about messages using their domain from DMARC receivers
    • See how much of this traffic is passing/failing email authentication checks
    • Request that messages using their domain that fail authentication be quarantined or rejected
    • Receive data extracted from failed messages such as header information and URIs from the message body, if the receiver provides this service
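    The evaluation a DMARC-aware receiver performs against a published record, as an added example for this post (not code from the original, and not any vendor’s implementation). It parses a record as dig prints it, applies the identifier-alignment rules of RFC 7489, and reports whether the sender has asked for aggregate or per-message failure reports about the message. The records, authentication results and domain names are constructed placeholders, and the organizational-domain shortcut is an assumption of the example.

```python
"""DMARC record parsing and policy evaluation, following RFC 7489.

Added example for this post; not code from the original, and not any
vendor's implementation. Records and authentication results below are
constructed, and all domain names are placeholders.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Outcome of the SPF and DKIM checks a receiver ran on one message."""
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of a signature that verified ("" if none)
    from_domain: str   # RFC5322.From domain, the identifier DMARC aligns on


def parse_dmarc_record(txt):
    """Split a 'v=DMARC1; ...' TXT record into a tag dictionary.

    Accepts dig output, which escapes semicolons as '\\;'. RFC 7489
    defaults are filled in for the tags that affect evaluation.
    """
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment
    tags.setdefault("aspf", "r")    # relaxed SPF alignment
    tags.setdefault("fo", "0")      # failure reports only when both fail
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.

    RFC 7489 uses the public suffix list for this; the shortcut here is
    an assumption of the example and is wrong for e.g. example.co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, r):
    """Apply a published DMARC record to one message's authentication results.

    Returns the disposition the receiver should apply and whether the
    sender has asked for reports that would describe this message.
    """
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, record["adkim"])
    dmarc_pass = spf_ok or dkim_ok
    # fo= controls when a per-message failure report is wanted:
    #   0: both mechanisms failed (default)    1: either mechanism failed
    #   d: DKIM failed                          s: SPF failed
    fo = set(record["fo"].split(":"))
    wants_failure_report = (
        ("0" in fo and not spf_ok and not dkim_ok)
        or ("1" in fo and not (spf_ok and dkim_ok))
        or ("d" in fo and not dkim_ok)
        or ("s" in fo and not spf_ok)
    )
    return {
        "dmarc_pass": dmarc_pass,
        "disposition": "none" if dmarc_pass else record["p"],
        # Reports go only to addresses listed in rua= / ruf=; a record
        # without those tags asks the receiver for nothing.
        "aggregate_report_requested": "rua" in record,
        "failure_report_requested": wants_failure_report and "ruf" in record,
    }


if __name__ == "__main__":
    # A record pasted as dig prints it; it requests no reports at all.
    quiet = parse_dmarc_record("v=DMARC1\\; p=reject\\;")
    # A record with reporting enabled; the mailto addresses are placeholders.
    noisy = parse_dmarc_record(
        "v=DMARC1; p=reject; fo=1; rua=mailto:agg@sender.invalid; ruf=mailto:fail@sender.invalid")
    spoof = AuthResult(False, "other.invalid", False, "", "sender.invalid")
    print(evaluate(quiet, spoof))
    print(evaluate(noisy, spoof))
```

    The point to take from the fo= handling: with fo=1 a failure report is generated even for a message that passed DMARC, as long as one of SPF or DKIM did not produce an aligned pass, which is exactly the setting a sender picks when the goal is to see as much of the receiver’s handling as possible.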

    Using DMARC Reports

    The DMARC reports are intended for senders to gain “insight into the operation of your own infrastructure, those operated on your behalf by third parties, and the attacks on your domain or brand by bad actors.” Unfortunately, cybercriminals are using the same reports for gaining insights into the operation of their malicious schemes.

    One spam campaign was sent by [domain withheld]; we noted that its SPF and DMARC records were as follows (the domain name and the IP address in the ip4: mechanism are not preserved in the excerpt):

    ;; ANSWER SECTION:
        3600    IN      TXT     “v=spf1 ip4: a mx ~all”
        3600    IN      TXT     “v=DMARC1\; p=reject\;”

    It appears that the threat actors are collecting information from “rejected” emails, that is, messages that failed the DMARC check at the receiving spam filter and were refused under the p=reject policy. Note that DMARC reports are delivered only to the addresses named in a record’s rua= (aggregate) and ruf= (per-message failure) tags; the excerpt above does not show those tags.

    Note that each DMARC report contains information such as the reporting ISP or mailbox provider’s name and contact details, the sending IP addresses seen, and the SPF and DKIM authentication results for each.

    For cybercriminals, the information can be used as feedback for their spam runs. If a DMARC report is sent back to a domain owned by cybercriminals, they can check the number of spammed emails that passed SPF and DKIM. The report will indicate which ISPs have considered their emails as “authenticated” and gives the ability to refine future spam runs.
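    What a sender actually learns from one aggregate report, as an added example for this post (not code from the original). It also illustrates the two earlier points about feedback reaching the attacker: per-source-IP counts and dispositions reveal delivery rates per receiver, and a row whose disposition was overridden for a “forwarded” reason exposes both a forwarder and the receiver’s local policy. The report is a constructed sample in the RFC 7489 Appendix C XML format; the provider name, contact address, IP addresses, counts and domains are all made up.

```python
"""Reading a DMARC aggregate (rua) report the way a domain owner would.

Added example for this post; not code from the original. The report is
a constructed sample in the RFC 7489 Appendix C XML format; the
provider name, addresses, IPs and counts are all made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>ExampleMailProvider</org_name>
    <email>dmarc-reports@mailprovider.invalid</email>
    <report_id>20150301.sender.invalid</report_id>
    <date_range><begin>1425168000</begin><end>1425254400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>sender.invalid</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1843</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sender.invalid</header_from></identifiers>
    <auth_results><dkim><domain>sender.invalid</domain><result>pass</result></dkim>
      <spf><domain>sender.invalid</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>forwarded</type></reason></policy_evaluated></row>
    <identifiers><header_from>sender.invalid</header_from></identifiers>
    <auth_results><spf><domain>forwarder.invalid</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>400</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.invalid</header_from></identifiers>
    <auth_results><spf><domain>sender.invalid</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten one rua report into the receiver identity and per-source rows."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        reason = pe.find("reason/type")   # present only for local policy overrides
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "override": reason.text if reason is not None else None,
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "receiver": meta.findtext("org_name"),     # who evaluated the mail
        "contact": meta.findtext("email"),         # and how to reach them
        "domain": root.findtext("policy_published/domain"),
        "rows": rows,
    }


def summarize(report, known_sources):
    """What the domain owner learns from one report.

    known_sources: IPs the owner sends from itself. Any other source is a
    forwarder, a spoofer, or infrastructure the owner did not know about.
    """
    rows = report["rows"]
    delivered = sum(r["count"] for r in rows if r["disposition"] == "none")
    blocked = sum(r["count"] for r in rows if r["disposition"] in ("quarantine", "reject"))
    unknown = sorted({r["source_ip"] for r in rows if r["source_ip"] not in known_sources})
    overrides = [(r["source_ip"], r["override"]) for r in rows if r["override"]]
    return {
        "receiver": report["receiver"],
        "total": delivered + blocked,
        "delivered": delivered,
        "blocked": blocked,
        "unknown_sources": unknown,
        "local_policy_overrides": overrides,
    }


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(summarize(report, known_sources={"192.0.2.10"}))
```

    Run against the sample, the summary says that one named provider accepted 1,855 messages and rejected 400, that two IP addresses the owner never listed are relaying mail under its domain, and that the provider chose to deliver 12 forwarded messages despite both checks failing. That last item is the local policy information the specification excerpt warns about: the receiver is not obliged to report it, and a spammer who receives it learns how that receiver handles forwarded mail.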

    A Persistent Presence

    Based on Smart Protection Network (SPN) data from November 2014 onward, Australia remains the top country affected by this malware, which we detect as the CRYPTED family.

    Figure 1. Top countries affected by TorrentLocker

    Using the number of detections in November 2014 as our baseline, we find that December experienced a noticeable spike. The number of detections dropped in January this year but soon rocketed in mid-February.

    Figure 2. TorrentLocker activity since November 2014

    Protection Against Spoofed Emails

    Techniques like this show that while spam filters can help weed out junk or malicious messages, they aren’t foolproof. Cybercriminals will always try to find ways to bypass or dodge filters or authentication methods.

    We advise users to remain cautious when dealing with legitimate-looking emails; they might be well-crafted spoofed emails. Avoid clicking links or opening attachments without first confirming the message with the purported sender through another channel.

    With additional insight from Doug Otis.

    Posted in Malware, Spam | TorrentLocker Ransomware Uses Email Authentication to Refine Spam Runs

    In the two previous parts of this series of blog posts, we discussed the kinds of threats that we’re seeing on Twitter, as well as the scope and scale of these threats. In this part, we will discuss their motivations, and what end users can do.

    The first question is: why do cybercriminals bother doing this? Social media accounts are valuable in their own right. These accounts can typically be used to make money in many ways for cybercriminals; any form of personally identifiable information (PII) can be monetized by attackers.

    One way that stolen social media accounts are used is to send spam. One reason that social media spam can be considered superior to email spam is simple: more people click on links from social media than email. The click-through rate for email spam is estimated at anywhere from 0.003% to 0.02%. How does Twitter spam fare?

    It’s difficult to compare the effectiveness of Twitter spam exactly with that of email spam. One measure we can use is the number of clicks we saw for every spammed Tweet. This varies depending on the type of abuse. Some Twitter spam campaigns could be spectacularly successful: one viral campaign aimed at Japanese users achieved 0.269 clicks per Tweet. However, more typical rates varied from 0.01 clicks per Tweet for Twitter-specific spam to 0.03 for malware-linked Tweets. Even 0.01 clicks per Tweet is one click for every hundred Tweets, whereas the email rates above work out to one click for every 5,000 to 33,000 messages. These numbers suggest that Twitter spam is more effective than conventional email spam.

    So now we’ve established that Twitter spam is a legitimate threat. How is Twitter responding? We are happy to say that this is a problem Twitter is getting on top of. Earlier this year, they disclosed the existence of BotMaker, their anti-spam bot infrastructure which has cut the spam problem by 40%. Other social networks can study Twitter as an example in how to deal with threats on their sites.

    For users, the lessons are clearer. First of all, do not believe any claims that you can buy followers/views/likes/friends/etcetera. The numbers you buy will almost certainly come from compromised accounts. This will bring no value, or even negative value, to your own social media efforts. Your own account may also be compromised in the process. Shortcuts to social media popularity don’t exist.

    Secondly, you should already be careful about clicking on links posted on social media in general, but be particularly careful about links that say you have to log in again because your original login timed out. Close your browser and start again; if you see the same message, it’s almost certainly a phishing page.

    Lastly, if the social media services you use support it, turn on two-factor authentication. Just about all large online services today offer some support for two-factor authentication. Turning it on makes compromising your account much harder, as an attacker has to somehow compromise your phone as well. It’s not impossible – other Trend Micro research has shown how this can be done with online banking. However, it is still a useful security precaution to take against most attacks targeting social media.

    Posted in Social, Spam | Investigating Twitter Abuse, Part 3

    In the previous blog post of this series, I introduced our paper titled An In-Depth Analysis of Abuse on Twitter that looked at the threats in the Twitter landscape, and explained the various kinds of malicious tweets we’ve seen. In this post, we look at the scope and scale of these threats.

    Malware Tweets

    Users in the United States generally click the most links that go to malicious URLs from Twitter, whether it be phishing Tweets, Tweets with shortened URLs, or traditional spam. In one category, however, this was not the case. We identified a malware outbreak which was targeting users in Middle Eastern countries. Users in Saudi Arabia, Egypt, and Sudan clicked the most links from tweets that led to malware. The United States was only fourth in this tally:

    Figure 1. Countries clicking on Tweets leading to malware

    Twitter Phishing

    Twitter phishing is a threat that is well-known to many users. After all, many users frequently complain that their accounts have been “hacked”; in many cases these could be the result of phishing attacks.

    Twitter phishing uses features of Twitter to make the scheme more effective. Imagine that Alice was phished on day one. The next day, Alice may send a phishing message to her friend Bob, that would look like:

    @Bob lol this entry by you is cool short_{malicious domain}/123465

    If Bob clicks on this message, it will say his Twitter session has logged out – and that he needs to log in again. If he enters his username and password, then he has been phished. His account will then send messages to his friends, and so on.

    This phishing scheme was particularly effective at avoiding detection by security researchers. Some characteristics of this scheme include:

    • Use of URL shorteners
    • Use of complex infection chains, similar to those used by exploit kits
    • Links sent to users via Tweets from compromised accounts

    Some of the primary tools used by security researchers are honeypots, sandboxes and web reputation. These are less effective against this scheme for several reasons:

    • the messages are unlikely to arrive in honeypots since the phish messages are sent from one legitimate user to another legitimate user;
    • this method tricks users into giving up their credentials so sandboxes are ineffective, and;
    • the use of shortened URLs and complex infection chains makes the use of web reputation technologies less effective.

    Figure 2. Sample infection chain

    We looked into the main phishing scheme attacking Twitter for a three-month period in 2014, from March 1 to June 1. On peak days, more than 20,000 accounts would be used to send tweets with links to more than 13,000 distinct URLs.

    Since June, however, Twitter has largely got on top of this and the volume of Twitter specific phishing has been significantly reduced. Almost half of the victims of this scheme were located in the United States:

    Figure 3. Phishing victims

    Searchable Spam

    On Twitter, there is a large number of tweets offering services of a dubious nature, many of which infringe copyright. We have termed these tweets “searchable spam”. Typically, these tweets are in Russian and advertise free movies, hacked games and software, etcetera. Social media attacks are frequently tailored towards specific target audiences. It’s something of a surprise, then, how much searchable Russian-language spam is accessed from outside Russia.

    Since these spam Tweets are understood to advertise illegal goods, the reputation of the Russian underground may actually lend these ads some credibility in the eyes of readers from outside Russia.

    Figure 4. Traffic to Russian-language Tweets

    Some of these attacks are more easily detected by Twitter and more likely to result in suspended accounts. We identified 17 distinct groups that took part in spam campaigns during the study period. Twitter was able to suspend almost 34,000 accounts from these groups, with some of them losing more than 90% of the accounts under their control.

    We have other findings listed in the paper, but these alone should be sufficient to show that malicious Tweets do exist on Twitter. However, any social network can be abused by cybercriminals and has to deal with malicious content on its site. In the third part of this blog series, we will look at what can be done to reduce these threats.

    Posted in Bad Sites, Social | Investigating Twitter Abuse, Part 2

    Twitter is an important means of communication for many people, so it shouldn’t be a surprise that it has become a medium that is exploited by cybercriminals as well. Together with researchers from Deakin University, we have released an in-depth paper titled An In-Depth Analysis of Abuse on Twitter that looks at the scale of this threat.

    To gather this information, we analyzed publicly accessible Tweets from a two-week period in 2013. Many of these we discarded, as they did not have any links. The majority of malicious Tweets contain some kind of malicious links, so we opted to focus on these alone.

    We ended up gathering more than 570 million Tweets in total. Of these, we identified that more than 33 million, 5.8% of the total, had links to malicious content of one kind or another. Malicious content does not necessarily mean only malware: it can also mean links to spammed advertisements and phishing pages, among other threats. The data collection period coincided with a significant spam outbreak.

    In practice, we identified several types of abuse on Twitter, including:

    • Spam
    • Phishing
    • Links to malware
    • Accounts being stolen and suspended.

    There are two distinct flavors of spam. The first is traditional spam, which uses hashtags, is very obvious and repetitive, and quickly gets shut down.

    The second type is what we call “searchable spam”. Searchable spammed tweets are completely different. This is what they look like:

    Figure 1. Searchable tweets

    These tweets are, in some ways, more akin to classified ads. They are typically used to promote pirated or fake copies of various items like:

    • cracked software
    • free movies
    • gadget knockoffs
    • homework solutions

    Unlike the more “traditional” tweets, they did not make heavy use of hashtags. There is a strong Eastern European connection with these tweets as well: many are written in Russian, or hosted on servers in Russia or Ukraine.

    This threat is much more low-profile than other attacks, and it shows: the probability of Twitter suspending accounts involved in this activity is lower than accounts involved in other malicious activities. All this is designed to avoid users reporting these tweets (and accounts).

    In addition, half of the traffic to the sites advertised in these tweets doesn’t actually come from Russia. The users finding these tweets really are interested in what they “need”, even if they need automated translation tools to understand them.

    Twitter accounts themselves are valuable targets for cybercriminals. As a result, various scams that try to steal users’ credentials are common as well. For example, compromised accounts will mention their friends in tweets (or send direct messages) that ask the user to click on a (shortened) URL. This link eventually leads to phishing pages that ask for the user’s Twitter account credentials.

    Another way to gain access to Twitter accounts is the well-known follower scam. These scams lure users under the promise of more followers. Instead, they give attackers access to the user’s Twitter account.

    In future posts, we will look at the regional differences in Twitter abuse, as well as possible solutions to the threat.

    This research was supported by ARC Linkage Project LP120200266.

    Posted in Social | Investigating Twitter Abuse, Part 1


    © Copyright 2013 Trend Micro Inc. All rights reserved.