by Paul Ducklin
Spamming is a word we all know and an activity we all loathe – it’s when crooks blast out unwanted emails for products we don’t want at a price we won’t pay from suppliers we’ll never trust.
And the word spam has given us related terms such as SPIM for spam via instant messaging; SPIT for spam via internet telephony – robocalls and fake tech support scams, for example; and SPEWS, which is our tongue-in-cheek name for spam via electronic web submissions.
SPEWS have typically gone two main ways:
Crooks use bulk HTTP posting tools to fill out online comment forms on forums and blogs. The idea is to sneak past spam filters or harried moderators to get free ads, promotional guff and bogus endorsements posted and publicly visible, at least until they’re reported and removed.
Crooks use reporting or contact forms to send phishy messages into your organisation. The idea is to trick the form processing system into generating an internal email from content that came from outside, thereby sidestepping some or all of the spam filtering that external emails would usually undergo, because the message now arrives from a trusted internal system rather than from the outside world.
Cybersecurity researchers at Russian outfit Dr.Web recently reminded us all of a third way that crooks can use SPEWS to do their dirty work.
They noticed spamtrap emails that actually came from genuine corporate senders, but with poisoned web links in the greeting line, where the recipient’s name usually goes.
Instead of saying, Hi, Mr Ducklin, as you might expect from a genuine email from a trustworthy brand, they said something more along the lines of Hi, MONEY FOR YOU! [weblink here], but with a legitimate-looking sender.
Indeed, digging into the emails showed not only that the sender was legitimate but also that the email did originate from a server you’d expect – …