Several thousand spam bots incorporated quotations from a Star Wars novel into the attack messages they sent out to their targets.
The assault began on 10 October 2017. Between then and 16 October, 33 unrelated domains on security CDN Incapsula’s network received approximately 275,000 WinHTTP POST requests. The following week, those numbers jumped to roughly 60 apparent targets and nearly one million requests.
The provider of website security and distributed denial-of-service (DDoS) protection services ultimately attributed these requests to 6,915 devices acting as spam bots. 98.9% were located in China.
These POST requests consisted of messages the attackers had crafted by abusing the send-to-a-friend form that many companies provide so visitors can share on-site content with their friends. Emails sent through this delivery method bypass spam filters because they originate from a company with a clean sending record. They also spare the attackers the cost of sending emails via Necurs or another spam botnet whose services are advertised on underground markets.
This campaign’s form messages were especially interesting, however. Not only did they include links to gambling sites in the comments field; they also included quotations from Star Wars – Darth Bane – Path to Destruction by Drew Karpyshyn. Here’s one example:
… propertyId=XXXXXX&unitId= XXXXXX &systemId=vrbo&toEmail=XXXXXX@XXXXXX&share Comments= … [spam link] there's no reason for us to move so soon," Des replied, struggling to remain calm. "If they start at dusk, it's going to take at least three hours &referrer=[website targeted by form-filler bots] …
Incapsula has a theory for why the bots included this content:
“Most likely, however, the spammers were trying to add some uniqueness to their emails, and further hinder detection by filtering mechanisms scanning for content patterns. In the process of doing so, the culprits probably also decided to pay homage to one of their passions.”
As of this writing, the campaign is ongoing. Those responsible for the spam messages have since abandoned quotations from Star Wars novels. They’ve instead switched to sourcing material from Charlotte Brontë’s Jane Eyre and from Edgar Allan Poe’s works.
Regardless of what content is used, these types of attacks pose a serious threat to those companies whose send-to-a-friend forms the bots abuse. Incapsula elaborates:
“For these unprotected targets, the repercussions of an attack could be dire, as they are at risk of being blacklisted by major email service providers. This can have a severe impact on the day-to-day of an online business—not only hampering email marketing campaigns but also preventing any sort of reliable email communication with customers.
“For an online service that often relies on emails for billing, support and other mission-crucial activities, this immediately translates into a lot of overhead. Not to mention, plenty of headaches for everyone involved.”
To defend against this abuse, companies should implement an IP-based rate-limiting mechanism and a CAPTCHA for their content-sharing forms. They should also consider a bot-filtering solution for more comprehensive protection.
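As an added example (not Incapsula’s or Tripwire’s code), here is a per-IP sliding-window rate limiter combined with a content check for a send-to-a-friend form handler; the field names (propertyId, toEmail, shareComments) come from the sample request above, while the limits, IP addresses and request bodies are assumed or constructed. A CAPTCHA check would sit in front of this logic in a real handler.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs
import re

WINDOW_SECONDS = 600   # sliding window length (assumed policy value)
MAX_PER_WINDOW = 5     # share-form submissions allowed per IP per window (assumed)
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


class ShareFormGuard:
    """Per-IP rate limiter plus comment-field check for a send-to-a-friend form.
    Hypothetical defensive code written for this article, not a vendor product."""

    def __init__(self, max_per_window=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_per_window = max_per_window
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent submissions

    def _over_limit(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:  # forget submissions outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.max_per_window

    def check(self, ip, body, now):
        """Return (allowed, reason). body is the raw form-encoded POST body;
        now is a timestamp in seconds (a real handler would pass time.time())."""
        fields = parse_qs(body)
        comments = fields.get("shareComments", [""])[0]
        if URL_RE.search(comments):
            return False, "link in comments"  # a share note never needs a URL
        if self._over_limit(ip, now):
            return False, "rate limit"
        return True, "ok"


def simulate():
    """Run constructed traffic through the guard: one legitimate share, one spam
    post carrying a link and the novel quote, then a flood of clean-looking posts."""
    guard = ShareFormGuard()
    legit = "propertyId=1&unitId=2&systemId=vrbo&toEmail=friend%40example.com&shareComments=Nice+place"
    spam = ("propertyId=1&unitId=2&systemId=vrbo&toEmail=victim%40example.com&shareComments="
            "http%3A%2F%2Fspam-link.example+there%27s+no+reason+for+us+to+move+so+soon")
    results = {"legit": guard.check("198.51.100.7", legit, now=0.0),
               "spam": guard.check("198.51.100.7", spam, now=1.0)}
    flood = [guard.check("203.0.113.9", legit, now=float(i)) for i in range(10)]
    results["flood_allowed"] = sum(1 for ok, _ in flood if ok)  # only the first 5 pass
    return results
```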
At the same time, companies should implement security controls to protect other parts of their networks against common digital threats. Tripwire’s solutions work with one such set of controls.