Skip to content ↓ | Skip to navigation ↓

The research teams at Cisco Talos and Umbrella have deployed a new system designed to detect hailstorm spam campaigns.

Hailstorm spam is in some respects different from snowshoe spam. With the latter, a large number of IP addresses send out a low volume of spam email over an extended period of time. Snowshoe spam works that way to avoid raising any red flags with anti-spam systems.

By contrast, hailstorm spam uses a large number of IP addresses to send out a high volume of spam email over a short time frame. Most of these campaigns end before spam filters have time to update.

Here’s an illustration of how the two types of spam differ.

image04

image03
Snowshoe spam campaign (above) and hailstorm spam campaign (below). (Source: Cisco Talos)

In some 500 campaigns analyzed by Cisco Talos, hailstorm spammers primarily promoted either sponsored links or a series of redirects leading to “as seen on TV” offerings like bathroom remodeling and dietary supplements.

Some campaigns also distributed malware, as seen in the message found below.

image07
Malicious hailstorm spam mail (Source: Cisco Talos)

As Cisco Talos explains in a blog post:

“The message claims to be generated in response to a complaint filed with the United Kingdom’s Companies House and tries to lure the recipient into opening an attached word document. The From address of the message is noreply@companieshouses.com while the legitimate government agency has their web presence at companieshouse.gov.uk. The attached Complaint.doc (SHA256: 985e9f4c5a49e26782141c7cd8f4ce87b0e0a026d078b67b006e17e12f9eb407) contains a macro that downloads and executes a Dyre/TheTrick Banking Trojan [Hyperlink added].”

A deeper dive into those campaigns reveals most of the spam content originated from the United States, Germany, the Netherlands, Great Britain, and Russia. They also saw DNS queries peak to 9,000+ queries per hour, with some evidence to suggesting the number of queries directly corresponds to the percentage of worldwide mail servers hit. Most of the campaigns’ targets were based in the United States.

screen-shot-2016-12-22-at-6-53-04-am
Location of mail servers targeted by ~500 hailstorm spam campaigns (Source: Cisco Talos)

Hailstorm spam depends on reactive anti-spam systems that take time to update. That’s why Cisco Talos and Umbrella have designed their system to be proactive. Per Cisco Talos’ write-up:

“In this collaboration, the Cisco Talos and Umbrella research teams have created a system that facilitates fast evaluation and conviction of in-the-wild hailstorm domains, then proceeds to gather predictive insights into other domains that are likely going to be used in future campaigns. As such, the system is fast in protecting customers at time-of-click in case a hailstorm message reaches an inbox. More importantly, the predictive nature of the system directly counters the hallmark of hailstorm campaigns: their rapid execution. Rather than waiting for a campaign to unfold and trying to catch up, protection against the next spam campaign is deployed ahead of time.”

While Cisco Talos and Umbrella work to detect hailstorm spam, users should remember to never click on suspicious links or email attachments. They should also install an anti-virus solution on their computers, patch their systems regularly, and install an ad-blocker on their preferred web browser.