SecurityWeek

Cybercrime

‘Chameleon’ Spam Campaign Employs Randomized Email Headers

A large number of spam messages recently sent from the same botnet were observed featuring randomized headers and even different templates, with some emails resembling phishing, Trustwave reports.

Emails sent as part of this campaign, which Trustwave security researchers refer to as Chameleon, originated from all around the world (a list of source IP addresses has been posted online).

Initially, the messages claimed to come from an ex-colleague and linked to what was presented as a “job posting” or “job offer.” Subsequent spam waves, however, used systematically different messages.

The spam messages had similar unique email header and body characteristics, suggesting that they came from the same botnet.

Despite coming from geographically distributed sources, the messages issued the same distinctive SMTP transaction commands on connection, and each carried a short, plausible subject line and a brief body worded to sound important enough to get the recipient to click the link.

The email headers had distinctive features as well: fields such as From, To, Message-ID, Content-Transfer-Encoding and Content-Type appeared in a different order from one message to the next, Trustwave notes.

Moreover, headers containing random text were inserted at varying positions within the header block, and the HTML body had random elements scattered at varying positions, tactics meant to defeat rule-based detection that keys on a fixed header sequence or an exact body pattern.
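The evasion described above is easy to see in code. The following is an added example, not Trustwave's tooling, and the three messages it parses are constructed for illustration rather than captured from the campaign: they share one lure but shuffle the core header fields, insert a random-looking header at a different position each time, and scatter empty HTML elements through the body. A rule written from the first sample's header order matches only that sample, while a fingerprint built from the sorted set of expected header names plus a hash of the body with empty elements stripped matches all three. The allowlist of expected header names and the entropy threshold for spotting junk headers are assumptions of this example.

```python
"""Order-independent fingerprinting of a spam template.

Added example for this article; it is not Trustwave's tooling and the three
messages below are constructed, not captured from the campaign.
"""
import email
import hashlib
import math
import re
from collections import Counter
from email import policy

# Constructed samples: same lure, shuffled core headers, one junk header at a
# different position in each, empty HTML elements sprinkled through the body.
SAMPLES = [
    "From: Alice <alice@example.net>\n"
    "X-Q7z: kd83jf93jd02mx\n"
    "To: victim@example.com\n"
    "Message-ID: <a1@example.net>\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: 7bit\n"
    "Subject: job offer\n"
    "\n"
    '<html><body><span></span>Hi, see the <a href="http://example.org/x">'
    "job posting</a>.<div></div></body></html>\n",
    "Content-Type: text/html; charset=utf-8\n"
    "To: victim@example.com\n"
    "Subject: job offer\n"
    "From: Alice <alice@example.net>\n"
    "Content-Transfer-Encoding: 7bit\n"
    "X-Ab4: pq29sk11zz7rtf\n"
    "Message-ID: <a2@example.net>\n"
    "\n"
    '<html><body>Hi, see the <i></i><a href="http://example.org/x">'
    "job posting</a><b></b>.</body></html>\n",
    "Message-ID: <a3@example.net>\n"
    "From: Alice <alice@example.net>\n"
    "Subject: job offer\n"
    "X-Ty9: zz41qp88wmr2kd\n"
    "Content-Transfer-Encoding: 7bit\n"
    "To: victim@example.com\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><p></p>Hi, see the <a href="http://example.org/x">'
    "job posting</a>.</body></html>\n",
]

# Header names a mail client or MTA is expected to emit (assumption); anything
# else is a candidate for the inserted junk described in the article.
KNOWN_HEADERS = {
    "from", "to", "cc", "subject", "date", "message-id", "mime-version",
    "content-type", "content-transfer-encoding", "received", "return-path",
}
EMPTY_TAG = re.compile(r"<(\w+)\s*></\1>")


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def header_order(raw):
    """Header names in the order they appear: what a brittle rule keys on."""
    return tuple(k.lower() for k in parse(raw).keys())


def matches_order_rule(raw, rule):
    """A naive signature written from one sample: the exact header sequence."""
    return header_order(raw) == rule


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def junk_headers(raw):
    """Unknown header names whose values look like random tokens.

    Heuristic (assumption): no whitespace, at least 8 characters and
    at least 3.0 bits of entropy per character.
    """
    out = []
    for name, value in parse(raw).items():
        v = value.strip()
        if (name.lower() not in KNOWN_HEADERS and len(v) >= 8
                and not re.search(r"\s", v) and shannon_entropy(v) >= 3.0):
            out.append(name)
    return out


def canonical_body(raw):
    """Drop empty HTML elements and collapse whitespace."""
    body = EMPTY_TAG.sub("", parse(raw).get_content())
    return re.sub(r"\s+", " ", body).strip()


def template_signature(raw):
    """Order-independent fingerprint: sorted known header names + body hash."""
    names = tuple(sorted(k.lower() for k in parse(raw).keys()
                         if k.lower() in KNOWN_HEADERS))
    digest = hashlib.sha256(canonical_body(raw).encode()).hexdigest()
    return names, digest


if __name__ == "__main__":
    rule = header_order(SAMPLES[0])
    for i, raw in enumerate(SAMPLES):
        print(i, "order-rule hit:", matches_order_rule(raw, rule),
              "junk:", junk_headers(raw),
              "template:", template_signature(raw)[1][:12])
```

Running the block prints one line per sample: the order rule hits only sample 0, each sample yields exactly one junk header, and the template digest is identical for all three. The same idea extends to the SMTP-level fingerprint the article mentions: hash the sequence of commands a sender issues on connection rather than any single header.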

The security researchers also discovered that many of the lure URLs used in this spam campaign were linking to compromised WordPress sites, which the attackers likely used as part of their infrastructure.

The botnet’s activity consisted of regular bursts followed by long periods of inactivity, which suggests the spambot was designed to periodically switch templates and resume with a new variation in order to evade detection.

“At this stage, we have not pinpointed the spamming malware behind these campaigns,” Trustwave says.

Some of the spam variants employed by the botnet include Google personal or private messages, email account security alerts, broken or undelivered email messages from a mail server, LinkedIn message and profile view notifications, FedEx delivery notifications, and airline booking invoices.

URLs embedded in the spam messages pointed to pages hosting the same JavaScript content, which then redirected users to other destinations, before getting them to the final landing page “greatexpert.su,” which hosts a shady “Canadian Pharmacy” site.

The site, which had a working e-commerce cart to take orders and collect payment and shipping information from customers, had been created recently and was registered using a free Gmail address.

Some of the spam links were observed leading to fake Bitcoin purchase sites.

“This sophisticated and transient infrastructure powered by a powerful, versatile and distributed spamming botnet enables the scammer to launch any campaign with minimum effort. As of now, the nature of the spam is centered around pill spam and fake Bitcoin spam; however, this could potentially shift to serve phishing or even malware,” Trustwave concludes.

Related: New Spam Botnet Likely Infected 400,000 Devices

Related: The Expected Spike in Post-GDPR Spam Activity Hasn’t Happened

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
