AOL’s DMARC change fends off Com Spammers attack, but data breach still not explained
Tue, Apr 29, 2014 by Andrew Conway
In the past two weeks it's quite possible that you received spam apparently from a friend's AOL account, saying something like "Have a nice day" or "People say it really works", followed by a link to what looks like a news magazine web site talking about diet pills. Here's one of several that I received. Note the completely bogus footer claiming that the message was scanned by Avast. That was inserted by the spammer to make the link appear safer to click on.
The call to action links are actually on compromised web servers, but they redirect to a series of disposable domains. Currently many of these have the form com-XXXX.net, so we call this operation “the Com Spammers”. However, it is not a single organization. The initial redirection adds an affiliate ID as a parameter to the URL, and this is preserved via parameters or cookies right through to the final purchase. What’s more, different affiliate IDs correspond to different techniques used in sending spam, spam content, and call to action URLs.
There are also two or three different groups involved in monetization of this spam, which we believe are independent of the spammers (the people sending the messages) and landing page provider. The Com Spammers currently have three forms of monetization – diet pills, miracle skin cream, and a pernicious work from home scam that involves extracting larger and larger payments for training and services based on the promise of future riches. Similarly, if you order the diet pills, you will find yourself signed up for a monthly purchase on your credit card which is very hard to cancel. We estimate that the revenue generated by this group is millions of dollars a year. They are spending fifty to a hundred thousand dollars a year in domain registrations alone.
The advantage to a spam operation of having multiple affiliates sending spam is that a number of different techniques are in use at once, so if any one of them gets blocked, the others still operate and generate income for the landing page provider and monetizers. For instance, one affiliate may be using compromised domains as call to action URLs, another may be using URL shorteners, and another may be using disposable domains directly. We have seen members of this group spamming in SMS and on social media as well as traditional email spam. In 2012 one affiliate was data mining a major social network to obtain phone numbers and first names to send customized SMS spam. An SMS message addressed to you by name is more likely to get you to follow the link, just as an email apparently from a friend is more convincing than random spam.
It appears that recently one or more of the Com Spammers' affiliates got access to information on a number of AOL accounts, including the contents of their address books. Starting about two weeks ago they began sending a high volume of spam with the From: address of the compromised account and the recipients taken from that person's address book. However, they did not have the passwords to those accounts, so they could not use AOL's own servers to send the spam. Instead they sent it from their own infrastructure and forged the headers so that the message appeared to come from AOL.
Two older standards, SPF and DKIM, let a receiving server check whether a message really came from the domain it claims: SPF publishes in DNS which servers are allowed to send mail for a domain, and DKIM lets the sending server attach a digital signature that receivers verify against a public key published in the sender's DNS. However, neither standard says what a receiver should do when a message is unsigned, when the signature is invalid, or when the domain that passes SPF or DKIM is not the one shown in the From: header. That changed in 2012 with the publication of DMARC, which allows the owner of a domain to specify exactly how they would like unsigned or forged emails with their domain in the From: address to be treated, and to receive reports on what receivers saw. Not all receivers check DMARC, but all the large email services do.
Initially the large webmail providers took a conservative approach to DMARC and published a "p=none" policy, which asks receivers to report authentication failures rather than reject the mail. There are legitimate reasons why someone might use a Yahoo! mail address, say, but not send through Yahoo!, the most common being legitimate bulk mailings by an ESP (email service provider) and traffic through mailing lists. However, there are alternative methods for dealing with both of those cases: an ESP can sign with a DKIM key that the customer publishes for its own domain, and a mailing list can rewrite the From: header to its own domain. Three weeks ago Yahoo! decided that email with forged Yahoo! headers was enough of a problem that they changed their DMARC policy to "p=reject", asking receivers to refuse unsigned or forged mail with a Yahoo! From: address. Since this change Cloudmark has seen a 30% reduction in spam with Yahoo! headers, compared with the prior three weeks, so it is clear that this was a good decision.
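To make the policy change concrete, here is an added example (not Cloudmark's, AOL's or Yahoo!'s code) of the decision a receiving server makes under DMARC. It parses a DMARC TXT record, checks SPF and DKIM results for alignment with the From: domain, and returns the disposition the domain owner asked for. The domains, records and message headers are constructed for the example, DNS is replaced by an inline table so it runs offline, and the organizational-domain logic is a deliberate simplification of what a real implementation does with the Public Suffix List.

```python
"""Minimal DMARC policy evaluation (constructed example, not production code).

Shows why a forged message with a webmail From: address is delivered under a
"p=none" record but refused once the domain owner publishes "p=reject".
"""
import re

# Hypothetical records as they would appear in the _dmarc.<domain> TXT record.
# The rua= mailbox is a placeholder, not a real reporting address.
DMARC_RECORDS = {
    "example-webmail.test": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-webmail.test",
    "example-webmail-strict.test": "v=DMARC1; p=reject; adkim=s; aspf=r",
}

# Constructed header block of a spam message sent from the spammer's own server
# with a forged From: address at the monitoring-only domain.
FORGED_HEADERS = (
    'From: "A Friend" <friend@example-webmail.test>\n'
    "To: victim@example.test\n"
    "Subject: Have a nice day\n"
)

# Same forgery, but against the domain that now publishes p=reject.
FORGED_HEADERS_STRICT = (
    'From: "A Friend" <friend@example-webmail-strict.test>\n'
    "To: victim@example.test\n"
    "Subject: People say it really works\n"
)


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, filling in DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # requested policy: none, quarantine or reject
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment: r(elaxed) or s(trict)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real implementations consult the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def header_from_domain(headers: str) -> str:
    """Domain of the RFC 5322 From: header, the identifier DMARC is built around."""
    match = re.search(r"^From:.*?@([A-Za-z0-9.-]+)", headers, re.MULTILINE | re.IGNORECASE)
    return match.group(1).lower() if match else ""


def dmarc_disposition(headers, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (authenticated, disposition).

    spf_result/dkim_result are 'pass' or anything else; spf_domain is the
    MAIL FROM (envelope) domain SPF was checked against, dkim_domain the d=
    of a signature that verified (None when unsigned or the signature is bad).
    """
    from_dom = header_from_domain(headers)
    record = DMARC_RECORDS.get(from_dom)
    if record is None:
        return (None, "no-policy")  # no DMARC record: receiver falls back to its own filtering
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_dom, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_dom, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return (True, "none")       # at least one aligned pass: DMARC passes, deliver normally
    return (False, policy["p"])     # DMARC fails: apply whatever the domain owner requested


if __name__ == "__main__":
    # The spammer's server is not in the domain's SPF record and cannot sign with its key.
    print(dmarc_disposition(FORGED_HEADERS, "fail", "example-webmail.test", "none", None))
    print(dmarc_disposition(FORGED_HEADERS_STRICT, "fail", "example-webmail-strict.test", "none", None))
```

Run as a script it prints `(False, 'none')` for the monitoring-only domain, meaning the forgery is delivered and merely reported, and `(False, 'reject')` once the domain publishes `p=reject`. The same function also shows the mailing-list caveat from the text: a list that re-sends a message from its own envelope domain passes SPF for the list's domain, but that identifier is not aligned with the From: domain, and if the list rewrote the subject the DKIM signature no longer verifies, so a `p=reject` domain sees its own users' list posts refused unless the list rewrites From:.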
A week ago, faced with the attack from the Com Spammers, AOL made the same decision and moved to "p=reject", with even more dramatic results, as is obvious from this graph.
As you can see, the Com Spammers' attack started in volume on April 15th and ended after the DMARC policy change on April 22nd. There was about a 70% drop in spam email with AOL headers since the DMARC change, compared with the eight day period of the Com Spammers' attack.
However, the Com Spammers are still out there, and they still have all those email addresses (including mine!) harvested from AOL address books. Those email addresses are going to get spammed for months or years to come. AOL has yet to explain how that address book information came into the hands of the spammers, though they are reported to be investigating this.
On a personal note I’d like to give a shout out to Murray Kucherawy, whose desk was right next to mine when I first joined Cloudmark two and a half years ago. Murray is the principal editor of the DMARC spec. He’s now carrying on the good work at Facebook where he is lead developer for OpenDMARC and OpenDKIM. Murray, it’s nice to see your work at Cloudmark and Facebook paying off in such a spectacular fashion.