Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Marketplace Ads for Goods
Marketplace Ads for Services
The Storm botnet
Overnet (UDP): reachability check

Figure: Storm botnet architecture. Infected machines (workers, proxy bots) on one side, hosted infrastructure (HTTP proxies, botmaster) on the other; links labelled TCP and HTTP.
If we control these …
… we can monitor & influence these
Types of Storm C&C Messages
• Activation (report from bot to botmaster)
• Email address harvests
• Spamming instructions
• Delivery reports
• DDoS instructions
• FastFlux instructions
• HTTP proxy instructions
• Sniffed passwords report
• IFRAME injection/report
Spam campaign mechanics
Figure: the spam pipeline in the Storm architecture (workers, proxy bots, HTTP proxies, botmaster; TCP and HTTP links).
Campaign mechanics: harvest
Figure: harvest phase in the same architecture (workers, proxy bots, HTTP proxies, botmaster; TCP and HTTP links); the @ marks stand for harvested email addresses.
Campaign mechanics: spamming
Figure: spamming phase in the same architecture (workers, proxy bots, HTTP proxies, botmaster; TCP and HTTP links).
Campaign mechanics: spamming
Figure: spamming phase, continued (workers, proxy bots, HTTP proxies, botmaster; TCP and HTTP links).
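The page's own caption describes three fields a spam template expands per message: the target address, the sending bot's FQDN (as learned in the preceding C&C exchange), and a content boundary for multi-part messages. The following is an added example, not Storm's code or a captured template: it shows a toy expander for such a template and why receivers cannot group its output by plain content hash. The macro syntax (^T, ^H, ^B), the template text and the addresses are all assumptions made for illustration.

```python
"""Toy spam-template expansion and template fingerprinting.

Constructed illustration for this page; it is not Storm's code. The macro
names ^T, ^H and ^B are assumptions: the page only says that a template field
expands to the spam target address, the sending bot's FQDN (as learned from the
preceding C&C exchange) and a content boundary for multi-part messages.
"""
import hashlib
import re
import secrets
from email import message_from_string
from email.message import Message

MACRO_RE = re.compile(r"\^([THB])")  # assumed macro syntax


def make_boundary() -> str:
    """Fresh RFC 2046 boundary; the bot must reuse one value per message."""
    return "----=_Part_" + secrets.token_hex(12)


def expand_template(template: str, target: str, bot_fqdn: str) -> str:
    """Instantiate a template for one recipient.

    The boundary is generated once and substituted for every ^B, so the
    Content-Type parameter and the part delimiters agree; an inconsistent
    boundary would make receivers treat the body as one opaque part.
    """
    values = {"T": target, "H": bot_fqdn, "B": make_boundary()}
    return MACRO_RE.sub(lambda m: values[m.group(1)], template)


# Constructed template (not a captured Storm template).
TEMPLATE = """\
From: "Shop" <promo@^H>
To: ^T
Subject: Your order
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="^B"

--^B
Content-Type: text/plain; charset=us-ascii

Plain-text part.
--^B
Content-Type: text/html; charset=us-ascii

<p>HTML part.</p>
--^B--
"""


def parse_message(raw: str) -> Message:
    return message_from_string(raw)


def part_summary(raw: str) -> dict:
    """Receiver-side view: recipient, claimed sender host, MIME structure."""
    msg = parse_message(raw)
    return {
        "to": msg["To"],
        "sender_host": msg["From"].split("@", 1)[1].rstrip(">"),
        "multipart": msg.is_multipart(),
        "parts": [p.get_content_type() for p in msg.get_payload()] if msg.is_multipart() else [],
        "boundary": msg.get_boundary(),
    }


def template_fingerprint(raw: str) -> str:
    """Hash the message with the per-message macro values masked out.

    Two instances of one template differ in target address and boundary, so
    a plain content hash never repeats. Masking those fields (the boundary
    is recoverable from the Content-Type header) gives a stable value that
    groups messages of the same campaign.
    """
    msg = parse_message(raw)
    normalized = raw
    for value, mask in ((msg.get_boundary(), "<BOUNDARY>"), (msg["To"], "<TARGET>")):
        if value:
            normalized = normalized.replace(value, mask)
    return hashlib.sha256(normalized.encode()).hexdigest()


if __name__ == "__main__":
    a = expand_template(TEMPLATE, "alice@example.net", "bot1.example.org")
    b = expand_template(TEMPLATE, "bob@example.com", "bot1.example.org")
    print(part_summary(a))
    print("raw texts equal:", a == b)
    print("fingerprints equal:", template_fingerprint(a) == template_fingerprint(b))
```

The fingerprint only masks fields whose per-message value can be recovered from the message itself; a template with further randomized fields (subjects, dictionary words) would need the same treatment for each of them before instances collapse to one value.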
Spamalytics
Who is targeted?

• Top 20 domains
• Many Web mail & broadband providers, but very long tail
• Campaigns have nearly identical distributions
  • Same scammers, or target lists sold to multiple scammers
• Also see spam campaigns sent solely to test accounts
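The slide's observations (a head of a few large providers, a very long tail, and near-identical distributions across campaigns) come from per-domain counts of the target lists. The following is an added example, not the Spamalytics authors' code: it computes those counts, the share of targets outside the top-n domains, and a cosine similarity between two campaigns' domain distributions. The two recipient lists are constructed here under reserved .example names; the similarity threshold and the specific counts are assumptions for illustration.

```python
"""Per-domain distribution of spam targets across campaigns.

Added example for the "Who is targeted?" slide; not the Spamalytics authors'
code. Recipient lists are constructed under reserved .example domains to
stand in for two campaigns' target lists.
"""
from collections import Counter
from math import sqrt
from typing import Optional


def domain_of(address: str) -> Optional[str]:
    """Lower-cased domain part, or None for an entry without a usable '@'."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def domain_counts(addresses) -> Counter:
    """Count target addresses per domain, skipping malformed entries."""
    return Counter(d for d in map(domain_of, addresses) if d)


def top_domains(counts: Counter, n: int) -> list:
    """The n most-targeted domains; ties broken alphabetically for stability."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def long_tail_share(counts: Counter, n: int) -> float:
    """Fraction of targets that fall outside the top-n domains."""
    total = sum(counts.values())
    head = sum(c for _, c in top_domains(counts, n))
    return (total - head) / total if total else 0.0


def cosine_similarity(a: Counter, b: Counter) -> float:
    """Cosine of the two campaigns' domain-count vectors (1.0 = same shape).

    Domains absent from one campaign contribute zero. A campaign that reuses
    the same target list, or a list sold on to a second scammer, scores near
    1 even when the raw counts differ.
    """
    dot = sum(a[d] * b[d] for d in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def make_campaign(head: dict, tail_prefix: str, tail_size: int) -> list:
    """Constructed target list: a few heavy domains plus a tail of singletons."""
    targets = [f"user{i}@{dom}" for dom, n in head.items() for i in range(n)]
    targets += [f"user0@{tail_prefix}{i}.example" for i in range(tail_size)]
    return targets


# Two constructed campaigns: slightly different counts, same overall shape.
CAMPAIGN_A = make_campaign(
    {"webmail-a.example": 40, "webmail-b.example": 25, "isp-a.example": 15}, "tail-a", 20)
CAMPAIGN_B = make_campaign(
    {"webmail-a.example": 38, "webmail-b.example": 27, "isp-a.example": 14}, "tail-b", 21)


if __name__ == "__main__":
    ca, cb = domain_counts(CAMPAIGN_A), domain_counts(CAMPAIGN_B)
    print("top 3 (A):", top_domains(ca, 3))
    print("long tail share beyond top 3 (A): %.2f" % long_tail_share(ca, 3))
    print("cosine similarity A vs B: %.3f" % cosine_similarity(ca, cb))
```

Cosine similarity on raw counts is insensitive to list size, so it compares the shape of the distributions rather than how many messages each campaign sent; the tail domains, which differ entirely between the two lists, barely move the score because each contributes a count of one.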
Campaign mechanics: reporting
Figure: reporting phase in the same architecture (workers, proxy bots, HTTP proxies, botmaster; TCP and HTTP links).