Bangkok Post

Romancing the spam folder


Love is in the air, or in this case, in your spam folder. IBM X-Force has observed a massive uptick of the Necurs botnet focused on dating spam. The uptick started in mid-January and continues as Valentine’s Day draws near.

The Necurs botnet, believed to control over 6 million zombie bots, is notorious for its massive spam campaigns. This botnet is best known for its ties to malware gangs that spread banking Trojans like Dridex and TrickBot, as well as ransomware such as Locky, Scarab and Jaff.

But Necurs is not only about malware — its operators dabble in distributing spam for other fraud endeavours as well, which brings to light this recent romance scam campaign.

In 2017, X-Force observed Necurs sending mass amounts of “pump and dump” stock scams designed to make recipients believe a penny stock is about to rise in value.

Once enough people buy the stock, and it actually rises in value, the scammers sell off their shares, at which point they make a profit.

The penny stock subsequently drops back to its real market value and those who bought it can easily be left with nothing but losses.

In early 2018, the botnet was part of large cryptocurrency scams, and this latest bout of dating spam is yet another major campaign linking Necurs with shady online activity.

MASSIVE SPAM IN SEASON

Preying on seasonal trends is probably the top characteristic of email spam. The first quarter of the year typically plagues email recipients with tax season spam and romance scams that start arriving in January, leading up to Valentine’s Day.

The current campaign from Necurs has reached more than 230 million spam messages within a matter of two weeks, as the botnet spewed tens of millions of messages in two major bouts. The first surge ran from Jan 16 through Jan 18, and the second started on Jan 27 and died down on Feb 3.

NECURS SPAMMING POWER

Overall in this vast campaign, X-Force recorded over 230 million dating spam emails from the Necurs botnet, bringing to light its current capacity to distribute very large amounts of junk email.

The spam was sent from roughly 950,000 different IP addresses. The top sender on the IP list was an address hosted via a Pakistani-based ISP. That IP address (103.255.5.117) had been reported as a spammer 655 times at the time of this writing and is currently rated as having a risk of 10 out of 10 according to the IBM X-Force Exchange.

The top senders were headed by Vietnam and India, which together hosted the originating IPs for 55% of the spam in this campaign.

It’s worth noting here that, to avoid blacklists and blocking, spammers constantly shuffle the resources they leverage in campaigns, so the originating IPs logged in one campaign are not likely to be used in the next one.

After the recent takedown of the Andromeda botnet, and Avalanche before it, Necurs is probably the largest spam distributor serving cybercriminals at the moment.

X-Force research and the ongoing monitoring of Necurs activity prove that its established status in the cybercrime world attracts both lower-grade spammers and elite gangs to its operators, in a quest to spread their malware and scams.

The following are tips for dealing with email spam:

With 99.999% certainty, researchers say any unsolicited email looking for a love connection is nefarious. Don’t respond; hackers are just looking to infect you with malware or capture you in a catfishing scam.

Don’t unsubscribe from spam. Instead, mark it as spam or junk and keep your email address private. Spam operators look for responses so they can verify that the address is active.

Always update your operating system as soon as new updates and patches are available. Most malware takes advantage of old versions of software to infect you.

Treat unsolicited text messages and emails as spam and never open them. Never follow links, open attachments or follow instructions contained in these messages.
