I am getting Hacked AOL Email spam - lots of forum members

The machines we love to hate

Moderator: Wiz Feinberg

George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

I am getting Hacked AOL Email spam - lots of forum members

Post by George Piburn »

Sorry if this is already a subject here.

I am getting quite a few new spam emails from Hacked AOL accounts of Forum members.

Obviously these have been harvested and used for the criminal intent.

Any Comment about this?
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

I am a long-time spam fighter. I have seen just about every tactic used to steal credentials from users, then harvest their contacts list for email accounts to send spam to. I have even looked a spambot in the eyes and stared it down, so to speak.

The spambot was installed on a Windows 2000 Server belonging to an industrial client, back in 2004 or 5. I got called in to troubleshoot why they were having trouble sending and receiving emails. After a lot of testing various computers and finding nothing amiss, I finally hooked up a monitor to the server and logged into it. At first, nothing appeared out of the ordinary, except for the network icon in the Systray indicating a lot of outgoing activity. Task Manager confirmed outgoing packets at a high rate.

I eventually found a suspicious sub-directory under the Administrator's My Documents directory. When I opened that directory I saw all the components of a spam sending program; a spambot. I terminated its processes using Task Manager, then opened up a configuration file. There I found actual spam templates that were chosen by remote command and control, along with long lists of names and email accounts to use in both the From and To fields of spam emails. These combinations were chosen by a random algorithm generator.

This spambot would randomly compose emails with a huge combination of user names and accounts, then send out thousands of messages per hour. Sometimes the To and From names, and/or email accounts chosen were the same person/account. This sometimes allowed spam messages to get through junk filters on users' computers.

Cybercriminals often steal login credentials on a regular basis by tricking people into logging into phishing pages spoofing an email provider or ISP. Or, they use fake invoices, receipts and other alleged documents to trick busy folks at work into opening an attachment, or clicking on a link that installs malware onto their computer. That malware often contains a keylogger, or searches out emails and document files for login details.

We mustn't ignore brute force password cracking tactics either. They still work. And even more effective is the current state of exploits that expose user credentials in databases on web servers. The Heartbleed bug is just the latest method hackers and crackers are using to pilfer valuable credentials from improperly secured Apache and Nginx web servers.

Today, the OP is getting spammed from compromised AOL accounts. Tomorrow it may be Hotmail/Outlook.com accounts and the day after, Yahoo accounts. Sometimes the owners of those pilfered accounts are still able to log into them and change their passwords. Other times, they find themselves locked out because the hackers have already changed their passwords. The same thing happens on social networking sites, from time to time.

I usually do three things when I get spam from the account of a friend or contact.
  1. I read the headers to determine if the From account corresponds with the Received from headers, or was just spoofed.
  2. If the sender was the same service as the Received lines, I report the spam to the ISP through Spamcop.
  3. I notify the sender that their email account has been compromised and they should attempt to change their password and notify their contacts that any previous suspicious messages were the result of a hack.

BTW: email spam that spoofs YOU as the sender, when in fact your computers are NOT infected with an email harvester or spambot, is known in the trade as a "Joe Job." All you can do in these cases is to let your contacts know that your name or email address was lifted from elsewhere and spoofed by a spambot that compiles random names and addresses into the To and From fields.

PS: A lot of email addresses get harvested from C.C. lists to multiple recipients! If just one recipient in a group message has a harvester installed unbeknownst to them, all of the names and email addresses in the plain text C.C. list will be added to spam databases and used in upcoming spam runs. Sometimes it takes a few hours, or days, other times weeks. But, once multiple contacts are harvested and sent home, they are added to databases and sent out to spambots as updated credential lists to spoof.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
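Step 1 of the routine above (compare the From account with the Received chain to decide whether the account really sent the message or was merely spoofed) can be done mechanically. The script below is an added example, not code from the thread or from MailWasher Pro; the two sample messages are constructed, use only example domains rather than any real provider's relay names, and the `classify` verdicts are names chosen here for illustration.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample 1 (not from the thread): the From header claims an account
# at example-webmail.com, but no relay in the Received chain belongs to that
# provider. The address was lifted and spoofed (a "Joe Job").
SPOOFED = """\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.5])
\tby mail.example.org with ESMTP id abc123
\tfor <me@example.org>; Mon, 14 Apr 2014 10:00:00 -0400
Received: from host-198-51-100-7.example-cable.net ([198.51.100.7])
\tby mx.example-isp.net with SMTP
From: Friend Name <friend@example-webmail.com>
To: me@example.org
Subject: Come look at this great site

http://example.test/
"""

# Constructed sample 2: same claimed sender, but the message really passed
# through the provider's outbound relay, so the account itself was likely used.
VIA_PROVIDER = """\
Received: from omr.example-webmail.com (omr.example-webmail.com [203.0.113.9])
\tby mail.example.org with ESMTP id def456
\tfor <me@example.org>; Mon, 14 Apr 2014 11:00:00 -0400
From: Friend Name <friend@example-webmail.com>
To: me@example.org
Subject: Come look at this great site

http://example.test/
"""

# Matches the host named right after "from" in a Received header.
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def from_domain(msg) -> str:
    """Domain part of the From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def received_hosts(msg) -> list:
    """Hostnames named in each 'Received: from <host>' line, top to bottom.

    The lines at the top were added by your own mail server and can be
    trusted; the ones at the bottom were added closest to the sender and
    may have been forged by the spambot.
    """
    hosts = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(str(value))
        if m:
            hosts.append(m.group(1).strip("()[]<>").lower())
    return hosts


def classify(raw: str) -> dict:
    """Compare the From domain with the Received chain and give a verdict.

    'sent-via-provider': some relay belongs to the From domain, so the
    account itself was probably used (report to the provider, warn the
    owner). 'spoofed': no relay matches, so the address was only lifted.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    dom = from_domain(msg)
    hosts = received_hosts(msg)
    matched = [h for h in hosts if h == dom or h.endswith("." + dom)]
    verdict = "sent-via-provider" if matched else "spoofed"
    return {"from_domain": dom, "received_hosts": hosts,
            "matched": matched, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED),
                       ("via-provider sample", VIA_PROVIDER)):
        print(label, classify(raw))
```

The hostname match is deliberately simple: a relay whose name ends in the From domain is treated as the provider's own server. Because the bottom Received lines are written by whoever handed the message to your server, a stricter version would only trust the lines added by your own mail server and its known upstreams, then reverse-resolve the connecting IP recorded there rather than believe the hostname the sender announced.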
Paul Arntson
Posts: 1375
Joined: 8 Jun 2004 12:01 am
Location: Washington, USA

Post by Paul Arntson »

"A lot of email addresses get harvested from C.C. lists to multiple recipients"

Yes !!!

And it is so frustrating when people won't BCC when I ask them to that I add their email to the junk filter, even friends and relatives.

I have been getting a lot of these that seem to come from Facebook, where the name is faked, the return email is different and it contains content like "Come look at this great site:" then a domain in Russia or something.
Excel D10 8&4, Supro 8, Regal resonator, Peavey Powerslide, homemade lap 12(a work in progress)
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Paul Arntson wrote: I have been getting a lot of these that seem to come from Facebook, where the name is faked, the return email is different and it contains content like "Come look at this great site:" then a domain in Russia or something.

This is an ongoing scam campaign; spoofing "Facebook" in the From field. All are sent from infected computers in a botnet. The payloads vary, ranging from useless herbal weight loss herbs, to counterfeit male enhancement capsules, to Russian dating sites, to malware downloaders and exploit attack sites.

There is so much danger in email spam that I became the author of plug-in spam filters for the commercial anti-spam program, MailWasher Pro.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog