Monday, April 29, 2013

Spam Part II - The Different Actors

In part I, we went over a few things regarding the landing page and the way the requests flow between the different sites. Let's have a look at the various sites, the IPs and the countries involved.

Name IP Country
---------------------------------------------------------------- US DE SE FR DE NL DE UY NL UY CA NL DE DE US US US FR SE UY DE CA DE UY US DE DE DE US 
(Alias for US US US US US US

The majority of servers are hosted in the US and Germany. We can breakdown the hosting companies for these two countries.


The situation for Germany is interesting, due to the only 2 providers involved. Furthermore the upstream provider for "TT Internationl d.o.o." is ... "Hetzner." It seems highly unlikely that a single hoster/provider  is unlucky enough to be the only one to serve the spam. A quick search on Google reports that several of their servers are known to distribute malware. SpamHaus goes even further and write down the two "TT International d.o.o.o" networks seen as dirty.

Given the number of hosts returned for "", it could be a number of compromised servers, possibly members of a botnet. Another interesting point of view is who registered what name.
The last 3 are US based registrars. The first one is Ukrainian based.

The "" is load-balanced across various servers on the Amazon EC cloud. The name is resolved with a TTL of 60 seconds between:,,, or are some of the IPs returned.

Conclusion ...

After discussing with my friend, she told me her account was hacked into and she had to change her password. The account was used to send an e-mail to all her contacts.

The front-end URL was most likely hacked into and a script is present that redirects only browsers based on the user agent. That way, if a search engine hits the page, it doesn't notice the redirection and ultimately the spam content.

The number of machines suggests this is not an amateur campaign, but rather an organization is behind it, and that the system can be extended to accommodate for further "products". The Amazon EC is leveraged to provide core redirection, which can ensure persistence should some parts of the chain be cleaned or turned off.

Lastly, it also seems that some of the servers are from less-than-reputable hosting companies known to harbor malware and criminal activities, reinforcing the idea that a criminal organization is behind it.