Cyber-Criminals Shift to Compromised Web Mail Accounts for Spam Delivery

Spammers are resilient, switching tactics to send spam from compromised user accounts in the wake of recent botnet takedowns.

Spammers don't need botnets to send masses of spam anymore, as they switch to using legitimate Web email accounts, according to the latest quarterly report on Internet threats.

Spammers are increasingly relying on compromised Web mail accounts to push out their email messages, researchers found in Commtouch's quarterly Internet Threat Trend Report released July 12. The report is based on the analysis of data collected by the company's cloud-based GlobalView Network service during the second quarter of 2011.

After Microsoft and Department of Justice officials worked together to seize several command-and-control servers belonging to the Rustock botnet in March, global spam levels dropped 30 percent. Generally, once a botnet goes dark, spam levels drop temporarily but return to normal levels after a few weeks, according to Commtouch. Last quarter saw spam levels stay at the "relatively low levels" weeks after the takedowns occurred.

"Spammers are trying to outmaneuver IP-based spam blocking techniques as well as law enforcement that have both effectively targeted botnets," said Amir Lev, Commtouch's CTO.

Rustock was one of the largest spam botnets in operation, at one point accounting for nearly half of all spam being sent worldwide. Spammers appear to have not yet recovered from the takedown attempt but, instead of fighting back, appear to have changed tactics, Commtouch researchers found.

"The new tactic therefore calls for the use of compromised accounts to send spam as opposed to using botnets," the researchers wrote.

Email-borne malware attacks surged in the second quarter as cyber-criminals sent messages designed to steal log-in credentials, log in to email accounts and send spam from those accounts, according to the report. The preferred method appeared to be compromising a Web mail account from one of the major services, including Yahoo, Google's Gmail and Microsoft's Hotmail. In many cases, the attackers compromised a user with a weak password and then spammed all the contacts.

Criminals "are now using a combination of malware and phishing to compromise legitimate accounts," Lev said.

There were larger malware outbreaks and more phishing attacks last quarter because cyber-criminals are trying to acquire enough compromised accounts to make spamming viable. The number of compromised accounts is important because spammers face some restrictions with compromised accounts. The mail provider would notice a significant uptick in volume if the cyber-attackers tried to send out thousands of emails at once and would shut down the account, Commtouch said. Spam would still be sent, but in smaller volumes.

Overall, global spam levels declined during the second quarter, averaging 113 billion messages per day, the lowest figure recorded in three years, Commtouch said.

The move away from botnet spam can also be explained by the better IP reputation mechanisms used in anti-spam products to successfully blacklist zombie IP addresses and spam, according to Commtouch. It's harder for anti-spam technologies to stop spam originating from compromised Web mail accounts using IP reputation because the addresses exist within legitimate address ranges belonging to the providers.

However, botnet infection rate has not declined, as 377,000 zombies were activated daily during the second quarter, compared with the 258,000 zombies in the first quarter. India continued to have the most zombies last quarter, with 17 percent of all zombies worldwide.

Pharmaceutical spam was the most popular type of spam sent during the second quarter, representing 24 percent of total volume. This was a drop from the first quarter, when it accounted for 28 percent.