Google Says Spammers Rallying from McColo Shutdown

Written By
Brian Prince
Mar 31, 2009

Spammers are officially back in full force five months after the shutdown of Web hosting company McColo.

According to Google, spammers have fully recovered from the death of the notorious Web hosting firm. By the second half of this March, the seven-day spam volume was the same as before the McColo shutdown. Symantec’s MessageLabs said spammers actually got their groove back in February, and noted in its quarterly intelligence report that one in every 1.32 e-mails is spam.

Either way, it seems botnet operators may have wised up since November and changed tactics.

“It’s difficult to ascertain exactly how spammers have rebuilt in the wake of McColo, but data suggests they’re adopting new strategies to avoid a McColo-type takedown from occurring again,” blogged Amanda Kleha of the Google security and archiving team. “Specifically, the recent upward trajectory of spam could indicate that spammers are building botnets that are more robust but send less volume, or at least that they haven’t enabled their botnets to run at full capacity because they’re wary of exposing a new ISP as a target.”

According to Google, overall spam volume jumped an average of 1.2 percent per day during the first quarter of 2009, and increasingly spammers are adding geolocation capabilities into the mix. Waledac has been no small part of this, as the botnet blasted out e-mails earlier in March that falsely claimed the recipient’s city or area was victimized by a terrorist attack. In that case, the e-mails provided a link to a fake Reuters news site with malware. The attack customized the location by determining the geolocation of the IP address of the victim’s machine.

“Location-based spam is the latest technique being used by ‘bad guys’ to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message,” explained Tal Golan, president and CTO of e-mail security company Sendio. “This new methodology is the next salvo in the spam arms race, but is really just an extension of the ‘social engineering’ threat vector that has become so popular and effective in the last three years.”

Officials at Webroot said while true location targeting is difficult to do well, it has shown itself to be an effective method of attack.

“What we are dealing with here is a blended threat combining the use of Web and e-mail to carry out a sophisticated attack,” said Gerhard Eschelbeck, CTO of Webroot Software. “The concept of customizing relevance is quite familiar from the ‘spear phishing’ attacks from recent years, and has proven an effective method to increase success rates of attacks.”
