Henry stern - turning point on war on spam - atlseccon2011
Atlantic Security Conference
Slide 1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Spam after "My Canadian Pharmacy"
Henry Stern, Senior Security Researcher
Slide 2 (no text extracted)
Slide 3 (no text extracted)
Slide 4
[Chart, y-axis 0 to 450. Source: SenderBase.org]
Slide 5
• Leading pharmaceutical affiliate program, SpamIt.com, shuts down abruptly. Rustock botnet simultaneously ceases activity.
• "Al Capone"-style takedown by Russian police.
• Kommersant: Despmedia netted $120m since 2007. Owner, Gusev, received $2m in revenues.
The New York Times, "E-Mail Spam Falls After Russian Crackdown." October 26, 2010.
Slide 6
• Spammers
  - Botnets: Reactor Mailer, Rustock, Storm/Waledac, Mega-D, Grum, Lethic
  - Deliver messages to massive address lists.
  - Purchase domain names and host landing pages.
• Affiliate Programs
  - GlavMed (SpamIt.com), RX-Promotion (Chronopay), SanCash, Bulker.biz
  - Host back-end order processing systems.
  - Provide customer support.
  - Pay high commissions to spammers.
• Fulfillment
  - Based in India and China.
  - Mail fake or generic pills to customers.
Slide 7
Bulker.biz - MyCanadianPharmacy
• This investigation begins with a massive spam attack for "MyCanadianPharmacy" and tracks the spam back through the pharma supply chain.
GlavMed - Storm Botnet and SpamIt.com
• This investigation begins with the Storm botnet and its "Canadian Pharmacy" spam and traces the botnet and spam back to GlavMed, the supply chain organization.
Bonus: Reactor Mailer Botnet
• The largest capacity spam botnet ever.
Slide 8 (no text extracted)
Slide 9 (no text extracted)
Slide 10
[Annotated spam message, labelled parts: "Advertisement"; Call to Action URL; Advertising Pharmaceutical Web Site; "Hashbuster" text]
Slide 11
• 20 Billion Spam Attack in Two Weeks
  - 1.5 billion messages per day
• Spam Trickery
  - 2000 unique spam content mutations
  - New content every 12 minutes
  - 1500 unique domains used
  - New "Call to Action" domain every 15 minutes
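An added example, not part of Henry Stern's slides: the "hashbuster" filler and the rotating call-to-action domain described above give every copy of the message a new cryptographic hash, so an exact-hash blocklist catches one copy in thousands, while word-shingle similarity still clusters the mutated copies. All messages, domains and the similarity threshold below are constructed for illustration.

```python
"""Clustering hashbuster-mutated spam by word-shingle similarity.

Added example (not from the talk). Exact hashing fails on the campaign
described on slide 11 because each copy carries different filler words and
a different call-to-action domain; 3-word shingles of the shared pitch
still make the copies look alike. Sample messages are constructed.
"""
import hashlib
import re
from typing import List, Set, Tuple

Shingle = Tuple[str, ...]

PITCH = ("Canadian Pharmacy: best prices on brand and generic pills, "
         "discreet shipping, no prescription needed. Order now at ")

# Constructed samples: three mutated copies of one pitch (rotating domain,
# random hashbuster words, one word swap) plus one legitimate message.
SAMPLES: List[str] = [
    PITCH + "http://deal-a.invalid xqz plover marble",
    PITCH.replace(":", "!!") + "http://deal-b.invalid orbit thistle granite",
    PITCH.replace("best", "lowest") + "http://deal-c.invalid quill saffron dune",
    "Meeting moved to 3pm, see the agenda attached. Thanks, Bob",
]


def exact_hash(text: str) -> str:
    """Signature-style digest: any one-byte mutation yields a new value."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def exact_hash_hits(messages: List[str], known: Set[str]) -> int:
    """How many messages an exact-hash blocklist would catch."""
    return sum(1 for m in messages if exact_hash(m) in known)


def tokens(text: str) -> List[str]:
    """Lower-case word tokens; URLs collapse to a single placeholder because
    the campaign rotates call-to-action domains every few minutes."""
    text = re.sub(r"https?://\S+", "url", text.lower())
    return re.findall(r"[a-z0-9]+", text)


def shingles(text: str, k: int = 3) -> Set[Shingle]:
    """Set of overlapping k-word windows; filler words only add a few."""
    toks = tokens(text)
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: Set[Shingle], b: Set[Shingle]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(messages: List[str], threshold: float = 0.5,
            k: int = 3) -> List[List[int]]:
    """Greedy single-link clustering: a message joins the first cluster in
    which any member is at least `threshold` similar, else starts its own.
    Returns clusters as lists of message indices."""
    sigs = [shingles(m, k) for m in messages]
    clusters: List[List[int]] = []
    for i, sig in enumerate(sigs):
        for members in clusters:
            if any(jaccard(sig, sigs[j]) >= threshold for j in members):
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters


if __name__ == "__main__":
    blocklist = {exact_hash(SAMPLES[0])}
    print("exact-hash hits:", exact_hash_hits(SAMPLES, blocklist))
    print("shingle clusters:", cluster(SAMPLES))
```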
Slide 12
Zombie Population by Network
Rank  Network Owner                        Country  Count %
1     Telefonica de Espana                 Spain    6.7%
2     France Telecom                       France   4.3%
3     Proxad                               France   3.4%
4     Telecom Italia                       Italy    2.6%
5     Deutsche Telekom AG                  Germany  2.2%
6     Cableuropa - ONO                     Spain    2.2%
7     Telemar Norte Leste S.A.             Brazil   1.8%
8     Wanadoo France                       France   1.7%
9     Telefonica de Espana SAU             Spain    1.7%
10    TELECOMUNICACOES DE SAO PAULO S.A.   Brazil   1.7%
Top 10: 28% of spam; Top 25: 50% of spam
[Chart: Zombie Population by Country]
Slide 13
• Pharma Sites (9)
  - My Canadian Pharmacy
  - International Legal RX
  - US Drugs
  - Super Viagra
  - Viagra Pro
  - Generic Viagra
  - Cialis Soft Tabs
  - Viagra Soft Tabs
  - Maxaman
• Other Sites (6)
  - Virility Patch
  - Super HGH (flash)
  - SpermaMax
  - My Replica Rolex
  - Exclusive Caviar Online
  - Double Your Dating
Slide 14 (no text extracted)
Slide 15 (no text extracted)
Slide 16 (no text extracted)
Slide 17 (no text extracted)
Slide 18
1592 Wilson Avenue, Toronto, ON M3L 1A6
Slide 19
18 more fraudulent elements including:
• Fake Certificate
• "All orders are received via a secure server" - No HTTPS
• Fake Verisign Logo
• Fake BBB Logo
• Fake Pharmacy Checker Rating
• Fake Canadian International Pharmacy (CIPA) License Number
• Fake "Verified by Visa" Logo
Slide 20
DNSstuff.com
Mastercard
Latin American and Caribbean IP address Regional Registry
New World Network
University of CA San Diego
Compass Communications, Inc.
Korax Online Inc.
Verizon Internet Services Inc.
IronPort Systems, Inc.
SuperNews
The Internet Channel
MOREnet
CrystalTech Web Hosting Inc.
HickoryTech Corporation
AT&T WorldNet Services
VISA INTERNATIONAL
Level 3 Communications, Inc.
US Dept of Justice
NTT America, Inc.
FBI Criminal Justice Information Systems
FBI Academy
XO Communications
Pfizer Inc.
Level 3 Communications, Inc.
Savvis
American Digital Network
Drug Enforcement Administration (DEA)
Health and Human Services (FDA)
Slide 21
1. Registered domain bigamousetract.info
   - Registered with 1-877namebid.com
   - Registered by Tobyann Ellis in Longview, WA
   - +68 phone number
   - dublin.com email
2. DNS servers
   - "NS" records point to DNS servers in Taiwan, Spain, US, Brazil
   - "A" record for web server points to Korean Telecom IP
3. Web server
   - bigamousetract.info server on Korean Telecom network
   - Web site images from Brazil, Slovenia, France, Greece, Netherlands
   - Spammers obfuscate web site connection using redirectors, framing, scripting, zombie proxies
4. Using "Fast Flux"
   - IP addresses for web and DNS servers changing every five minutes
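An added example (not from the talk) that turns the slide 21 observation of web and DNS addresses rotating every five minutes into a simple defender-side fast-flux heuristic over repeated lookups: answer-set churn, distinct addresses, /16 diversity and TTL. The thresholds, the domain names and the resolution log are constructed; a real deployment would feed it from passive DNS or resolver logs.

```python
"""Fast-flux heuristic over a log of repeated DNS answers.

Added example, not from the talk. Resolving a name every few minutes and
measuring how often the A-record set changes, how many distinct addresses
and /16 prefixes appear, and how low the TTL is, separates a fluxing
landing page from a normally hosted site. Thresholds and data constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Observation:
    t: int                 # seconds since the start of the capture
    name: str              # queried domain
    ips: FrozenSet[str]    # A records returned in this answer
    ttl: int               # answer TTL in seconds


# Heuristic thresholds (assumed for this example, not from the talk).
MIN_DISTINCT_IPS = 5
MIN_PREFIXES = 3
MAX_CHANGE_INTERVAL_S = 600    # answer set changes at least every 10 min
LOW_TTL_S = 300


def slash16(ip: str) -> str:
    """Crude network-diversity proxy: first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def score_name(obs: List[Observation]) -> dict:
    """Summarise one name's observations and apply the flux heuristic."""
    obs = sorted(obs, key=lambda o: o.t)
    distinct = set().union(*(o.ips for o in obs))
    prefixes = {slash16(ip) for ip in distinct}
    changes = sum(1 for a, b in zip(obs, obs[1:]) if a.ips != b.ips)
    span = obs[-1].t - obs[0].t
    interval = span / changes if changes else float("inf")
    min_ttl = min(o.ttl for o in obs)
    fast_flux = (len(distinct) >= MIN_DISTINCT_IPS
                 and len(prefixes) >= MIN_PREFIXES
                 and (interval <= MAX_CHANGE_INTERVAL_S or min_ttl <= LOW_TTL_S))
    return {"distinct_ips": len(distinct), "prefixes": len(prefixes),
            "changes": changes, "mean_change_interval_s": interval,
            "min_ttl": min_ttl, "fast_flux": fast_flux}


def flux_report(log: List[Observation]) -> Dict[str, dict]:
    """Group a mixed resolution log by name and score each name."""
    by_name: Dict[str, List[Observation]] = defaultdict(list)
    for o in log:
        by_name[o.name].append(o)
    return {name: score_name(obs) for name, obs in by_name.items()}


# Constructed capture: one hour of lookups every five minutes. The fluxing
# name rotates through documentation-range addresses in three /16s; the
# static name always answers the same address with a long TTL.
POOL = ["192.0.2.10", "198.51.100.20", "203.0.113.30",
        "192.0.2.44", "198.51.100.55", "203.0.113.66"]


def constructed_log() -> List[Observation]:
    log: List[Observation] = []
    for i, t in enumerate(range(0, 3601, 300)):
        pair = frozenset({POOL[i % len(POOL)], POOL[(i + 1) % len(POOL)]})
        log.append(Observation(t, "flux-landing.invalid", pair, 180))
        log.append(Observation(t, "static-site.invalid",
                               frozenset({"192.0.2.200"}), 86400))
    return log


if __name__ == "__main__":
    for name, summary in flux_report(constructed_log()).items():
        print(name, summary)
```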
Slide 22
"Sorry, but we can't process your credit card right now. Sales manager will contact you in 24 hours. If you don't want to wait for sales manager, you may try to make a purchase using another credit card. Thank you!"
Slide 23 (no text extracted)
Slide 24
• Messages from hosting company Intercage.com
• Intercage located at: 1955 Monument, #236, Concord, CA, USA
• Long history of spam and malware support
  - 250 domains hosting "CoolWebSearch" exploits
  - WMF exploit hosting
  - Phishing support
Slide 25 (no text extracted)
Slide 26
Server located in San Jose, CA
Slide 27 (no text extracted)
Slide 28 (no text extracted)
Slide 29 (no text extracted)
Slide 30 (no text extracted)
Slide 31
"Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found."
Note: Subsequent orders were shipped from Shanghai, China and contained the active ingredient. We believe the manufacturer was replaced.
Slide 32 (no text extracted)
Slide 33 (no text extracted)
Slide 34
• Investigated credit card merchant account
  - Unable to obtain any details
  - $84.95 refunded to my credit card
• Second order placed
  - Received 10 Pfizer-branded pills from Shanghai, China
  - New shipping and packing method
  - Contained full active ingredient
Slide 35
• Estimated at $150M/year
• Monitored "Zombie Proxy" and counted number of credit card transactions per hour
• Comparables - Christopher Smith (rizler) profits > $20M
• Confirmed with law enforcement and SpamHaus
Slide 36 (no text extracted)
Slide 37
[Storm botnet lifecycle diagram: 1. Recruitment Spam; 2. Storm is Born; 3. School; 4. Job: Spamming; 5. Super Node. Components: Spam Engines (SMTP), Landing pages (HTTP)]
Slide 38 (no text extracted)
Slide 39
• Storm has sent a number of spam campaigns including
  - Phishing financial institutions
  - Mule recruitment spam
  - Pump and Dump stock market manipulation image spam
  - Pump and Dump stock market manipulation MP3 audio spam
  - Pharma spam for Canadian Pharmacy
• The vast majority of Storm spam has been for Canadian Pharmacy
Slide 40 (no text extracted)
Slide 41 (no text extracted)
Slide 42
• Many theories about the relationship between Storm and pharma spam
• A capacity issue unveiled the primary relationship
Slide 43
• Spamit.com service manages spam domains and fulfillment
  - Registers spamvertized domain, creates DNS records, NS servers, websites
  - Botnet owners using Spamit service receive feed of live spam sites
• The Storm botnet retrieved a list of domains but received: "The system is temporary busy, try to access it later. No data can be lost."
• Storm used this string and other website boilerplate in the spam
• Proven link between Storm, SpamIt.com and Canadian Pharmacy
Slide 44 (no text extracted)
Slide 45
Documentation excerpt for configuring web sites: "We take care of their entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site."
Slide 46
Source: Joe Stewart, SecureWorks
Slide 47
• Modeled after distributed computing.
• Spam as a Service.
• Web user interface made bot spamming accessible to anyone.
• Responsible for 50-60% of global spam.
• McColo black-hat data centre in San Jose office building.
• Strong ties to SpamIt.com.
• Disconnected by upstream network service providers.
Slide 48 (no text extracted)
Slide 49 (no text extracted)
Slide 50
[Chart: y-axis 0 to 400, monthly from Dec-05 to Jan-07]
Slide 51
• The botnet formerly known as Storm.
• Notorious SpamIt.com affiliate.
• Taken down with legal and technical measures.
Slide 52
• Database leaked to law enforcement, industry.
• Ceased operations on October 1, 2010.
• Russian police press charges against owner, Gusev.
Slide 53
• Ceased spamming between September 20 and 23.
• Shutdown coincided with SpamIt.com shutdown notice.
• Cisco SIO observed a spike in IPS events after shutdown.
Slide 54
• Operated by Georg Avanesov.
• Arrested in Armenia in October 2010.
• Alleged SpamIt.com affiliate and botnet reseller.
Slide 55
• Operated by Oleg Nikolaenko.
• Alleged SpamIt and SanCash affiliate.
• Arrested in Las Vegas on November 4, 2010.
• Charged with felony CAN-SPAM violations and mail fraud.
• Pled "Not Guilty" and held without bail.
Slide 56
[Chart: "All Spam" and "Pharma" series, y-axis 0 to 350, monthly from Jun-06 to Nov-06. Source: IronPort's Spam Collection and SenderBase.org]
Slide 57 (no text extracted)
Slide 58
• 2 pharma affiliates remain.
• Grum and Lethic
  - Last two major botnets sending pharma and replica spam.
• Cutwail
  - Focused on social engineering-based viral attacks.
  - Targets enterprise users, finance departments in particular.
Slide 59
• High-volume spam will soon end.
• Delivered spam volumes will not change.
• Botnets monetized in more subtle ways.
• Fake anti-virus software.
• Rockphish/Avalanche gang gave up phishing for Zeus.
• Email attacks are becoming more targeted.
• More small-scale attacks aimed at high-value targets.
Slide 60
Thank you.