SecurityWeek

‘Chameleon’ Spam Campaign Employs Randomized Email Headers

A large number of spam messages recently sent from the same botnet were observed featuring randomized headers and even different templates, with some emails resembling phishing, Trustwave reports.

Emails sent as part of this campaign, which Trustwave security researchers refer to as Chameleon, originated from all around the world (a list of source IP addresses has been posted online).

Initially, the messages claimed to arrive from an ex-colleague and appeared to link to a “job posting” or “job offer.” New spam waves, however, included systematically different messages.

The spam messages had similar unique email header and body characteristics, suggesting that they came from the same botnet.

Despite originating from geographically distributed sources, the messages issued similar, distinctive SMTP commands during the transaction, and each carried a short, meaningful subject line and a brief body worded to sound important enough to get the victim to click the link.

The email headers in these messages had distinctive features too: fields such as From, To, Message-ID, Content-Transfer-Encoding and Content-Type appeared in a different order from one message to the next, Trustwave notes.

Moreover, headers containing random text were inserted at varying positions within the header block, and the email body had random HTML elements at various positions, tactics meant to defeat rule-based (signature) detection that keys on a fixed header sequence or body layout.
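The counter to that trick is to fingerprint what the randomiser cannot change. The following is an added example (mine, not code from Trustwave's report or SecurityWeek) that parses two constructed messages, flags injected random-text headers by their value's entropy, and computes an order-insensitive fingerprint over the remaining headers so that reordered variants still match. The two sample messages, the KNOWN_HEADERS list and the entropy threshold of 3.0 bits per character are assumptions chosen for illustration.

```python
"""Added example, not from the Trustwave report or SecurityWeek: detection
helpers for the header-randomisation tricks the article describes.

Assumptions (mine, not the report's): the sample messages below are
constructed, the "known header" list and the entropy threshold are
illustrative heuristics, and real mail would be read from a file or MTA hook.
"""
import email
import hashlib
import math
import re
from collections import Counter

# Constructed samples: same structural headers in a different order, a random
# "X-" header injected at a different position, and empty HTML elements
# scattered through the body.
MSG_A = """\
From: "Alex" <alex@example.com>
X-Qzpl: hfb3kd92jslqz0a
To: victim@example.org
Content-Type: text/html; charset=utf-8
Message-ID: <8c3ab1@example.com>
Subject: Job offer
Content-Transfer-Encoding: 7bit

<html><body><span></span>See the <a href="http://example.net/x">posting</a>.<div></div></body></html>
"""

MSG_B = """\
Message-ID: <f01e22@example.com>
Content-Transfer-Encoding: 7bit
To: someone@example.org
Content-Type: text/html; charset=utf-8
From: "Sam" <sam@example.com>
X-Ttkw: 0s9d8f7g6h5j4k3l
Subject: Job posting

<html><body>See the <b></b><a href="http://example.net/y">posting</a>.</body></html>
"""

# Headers a legitimate MUA/MTA may add; anything else with a random-looking
# value is treated as injected padding. Illustrative, not exhaustive.
KNOWN_HEADERS = {
    "from", "to", "cc", "bcc", "subject", "date", "message-id", "mime-version",
    "content-type", "content-transfer-encoding", "reply-to", "return-path",
    "received", "dkim-signature", "list-unsubscribe", "x-mailer",
}
RANDOM_TOKEN = re.compile(r"^[A-Za-z0-9]{8,}$")
EMPTY_ELEMENT = re.compile(r"<([A-Za-z][A-Za-z0-9]*)[^>]*>\s*</\1>")


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric tokens score well above 3."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def header_names(raw: str) -> list:
    """Header field names, lower-cased, in the order they appear on the wire."""
    return [k.lower() for k in email.message_from_string(raw).keys()]


def junk_headers(raw: str) -> list:
    """Non-standard headers whose value looks like a random token."""
    msg = email.message_from_string(raw)
    found = []
    for name, value in msg.items():
        value = " ".join(str(value).split())  # unfold continuation lines
        if name.lower() in KNOWN_HEADERS:
            continue
        if RANDOM_TOKEN.match(value) and shannon_entropy(value) >= 3.0:
            found.append(name)
    return found


def ordered_fingerprint(raw: str) -> str:
    """Naive order-sensitive signature; the randomiser defeats this."""
    return hashlib.sha256("|".join(header_names(raw)).encode()).hexdigest()


def structural_fingerprint(raw: str) -> str:
    """Order-insensitive signature over the real headers with junk stripped.
    Survives both the reordering and the injected padding."""
    junk = {n.lower() for n in junk_headers(raw)}
    names = sorted(set(header_names(raw)) - junk)
    return hashlib.sha256("|".join(names).encode()).hexdigest()


def empty_html_elements(raw: str) -> int:
    """Count tags like <span></span> that carry no content: body padding."""
    body = email.message_from_string(raw).get_payload()
    return len(EMPTY_ELEMENT.findall(body))


if __name__ == "__main__":
    for label, raw in (("A", MSG_A), ("B", MSG_B)):
        print(label, structural_fingerprint(raw)[:16],
              junk_headers(raw), empty_html_elements(raw))
```

Run stand-alone, the script shows that the two messages get different order-sensitive hashes but the same structural fingerprint, and that each has exactly one injected junk header. In practice the structural fingerprint would be combined with the other invariants the article lists (the distinctive SMTP command sequence, the short subject and body pattern) rather than used alone, since any spam family that sends the same six standard headers would collide with it.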

The security researchers also discovered that many of the lure URLs used in this spam campaign were linking to compromised WordPress sites, which the attackers likely used as part of their infrastructure.

The botnet’s activity came in regular bursts separated by long periods of inactivity. This suggests that the spambot was designed to periodically switch templates and resume sending with a different variation in an effort to evade detection.

“At this stage, we have not pinpointed the spamming malware behind these campaigns,” Trustwave says.

Some of the spam variants employed by the botnet include Google personal or private messages, email account security alerts, broken or undelivered email messages from a mail server, LinkedIn message and profile view notifications, FedEx delivery notifications, and airline booking invoices.

URLs embedded in the spam messages pointed to pages hosting the same JavaScript content, which then redirected users to other destinations, before getting them to the final landing page “greatexpert.su,” which hosts a shady “Canadian Pharmacy” site.

The site, which had a working e-commerce cart to take orders and collect payment and shipping details from customers, was recently created and registered using a free Gmail address.

Some of the spam links were observed leading to fake Bitcoin purchase sites.

“This sophisticated and transient infrastructure powered by a powerful versatile and distributed spamming botnet enables the scammer to launch any campaign with minimum effort. As of now the nature of the spam is centered around pill spam and fake Bitcoin spam, however, this could potentially shift to serve phishing or even malware,” Trustwave concludes.

Related: New Spam Botnet Likely Infected 400,000 Devices

Related: The Expected Spike in Post-GDPR Spam Activity Hasn’t Happened

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
