
Twitter hack spawns spam and scareware scams

DDoS campaign opens Pandora's Box


Spam and scams have continued to flow from the fallout of last week's DDoS against Twitter.

The attack, which took the micro-blogging service offline for around two hours on Thursday and degraded service for much longer afterwards (see here and here), also affected Facebook, LiveJournal and other sites. The intended target of the high-profile attack (according to one popular, though disputed, theory) was Cyxymu, a pro-Georgian blogger. It was allegedly timed to coincide with the anniversary of the 2008 war between Georgia and Russia over the separatist region of South Ossetia.

Miscreants have taken advantage of Cyxymu's new-found fame to poison search engine indexes, so that searches for the term return sites harbouring scareware, McAfee warns. Sophos reports it detected a spam run following the attacks, ostensibly containing an (ungrammatical) English-language apology from Cyxymu. It is far more likely that the supposed apology has nothing to do with Cyxymu and is designed to further irritate recipients and alienate the blogger, Sophos notes.

In interviews with The Guardian and CNN, Cyxymu, actually a 34-year-old economics lecturer from Tbilisi, the Georgian capital, blamed the denial of service attack that affected LiveJournal, Facebook and Twitter last week on the Kremlin. "Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," Cyxymu told The Guardian.

Meanwhile, more technical details are beginning to emerge about last week's attack. McAfee said a spam campaign referencing Cyxymu's blogs and Twitter account, spoofed with false sender details, began at 1300 BST, several hours before the DDoS attack against Twitter, Facebook et al. The Joe Job spam campaign and the later DDoS attack came (at least in part) from the same botnet of compromised machines, according to a blog post by McAfee.

In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 am EDT on Thursday, August 6 and started winding down around 11 am the same day, with the last messages being detected at 4 pm. Only the second spam run, the larger of the two, spoofed Cyxymu’s email address, while the first one randomized the senders’ email addresses.
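The kind of correlation McAfee describes, overlapping the hosts that sent the Joe Job spam with the hosts later seen flooding the target and summarising where the infected machines sit, can be reproduced over mail and flow logs. The script below is an added example, not McAfee's code; the logs, the country tags and the spoofed sender address are constructed (reserved documentation IP ranges and a placeholder mailbox), and the figures it produces are not the figures from McAfee's analysis.

```python
"""Correlate spam-sending hosts with DDoS sources and summarise botnet geography.
Added example with constructed logs; not McAfee's data or code."""
from collections import Counter

# Constructed spam log: timestamp, sending IP, country, envelope sender.
SPAM_LOG = """\
2009-08-06T08:02:11 203.0.113.5 BR bounce-a81@example.net
2009-08-06T08:02:40 203.0.113.6 BR bounce-k22@example.net
2009-08-06T08:03:05 198.51.100.7 TR bounce-q93@example.net
2009-08-06T08:03:30 192.0.2.9 IN bounce-z17@example.net
2009-08-06T08:04:02 192.0.2.10 US bounce-m64@example.net
2009-08-06T08:45:12 203.0.113.5 BR cyxymu@example.invalid
2009-08-06T08:45:50 203.0.113.7 BR cyxymu@example.invalid
2009-08-06T08:46:21 203.0.113.8 BR cyxymu@example.invalid
2009-08-06T08:47:03 198.51.100.8 TR cyxymu@example.invalid
2009-08-06T08:47:44 192.0.2.11 IN cyxymu@example.invalid
2009-08-06T08:48:19 192.0.2.12 US cyxymu@example.invalid
"""

# Constructed flow log from the DDoS window: timestamp, source IP flooding the target.
DDOS_LOG = """\
2009-08-06T13:31:00 203.0.113.5
2009-08-06T13:31:02 203.0.113.6
2009-08-06T13:31:05 198.51.100.7
2009-08-06T13:31:09 192.0.2.9
2009-08-06T13:31:12 203.0.113.200
"""

SPOOFED_SENDER = "cyxymu@example.invalid"  # placeholder for the impersonated address


def parse_spam(text):
    """One dict per message; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, ip, country, sender = parts
            records.append({"ts": ts, "ip": ip, "country": country, "sender": sender})
    return records


def parse_ddos(text):
    """Set of distinct source IPs seen in the flood."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            ips.add(parts[1])
    return ips


def overlap_fraction(spam_records, ddos_ips):
    """Share of DDoS sources that also sent spam earlier in the day."""
    spam_ips = {r["ip"] for r in spam_records}
    if not ddos_ips:
        return 0.0
    return len(spam_ips & ddos_ips) / len(ddos_ips)


def country_share(spam_records):
    """Percentage of distinct spam-sending machines per country (one vote per IP)."""
    by_ip = {r["ip"]: r["country"] for r in spam_records}
    counts = Counter(by_ip.values())
    total = len(by_ip)
    return {c: round(100.0 * n / total, 1) for c, n in counts.items()}


def sender_breakdown(spam_records, spoofed=SPOOFED_SENDER):
    """Messages spoofing the victim's address versus randomised senders."""
    spoofed_n = sum(1 for r in spam_records if r["sender"] == spoofed)
    return {"spoofed": spoofed_n, "randomised": len(spam_records) - spoofed_n}


if __name__ == "__main__":
    recs = parse_spam(SPAM_LOG)
    print("DDoS sources also seen spamming:", overlap_fraction(recs, parse_ddos(DDOS_LOG)))
    print("Spam sources by country:", country_share(recs))
    print("Sender breakdown:", sender_breakdown(recs))
```

Counting countries per distinct IP rather than per message matters: a single busy bot would otherwise inflate its country's share, which is presumably why McAfee reports the geography of "infected machines" rather than of messages.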

DDoS mitigation experts Arbor Networks said the attack traffic flowing last week began with a basic SYN flood (the cyber equivalent of ringing a doorbell and running away) and escalated to far more sophisticated attacks.

While "Joe Job" spam links may have comprised a significant portion of the attacks yesterday (as others have reported), [Arbor's] Observatory saw a range of additional attack vectors including TCP Syn, UDP flood, and Christmas Tree attacks.

The combined analysis from McAfee and Arbor suggests that Joe Job spam, spoofed to appear from Cyxymu and designed to discredit him, may have played some part in the lead up to the attack and might have placed some load on the referenced websites, but that the real damage was done later in a conventional DDoS attack. This attack increased in sophistication over time, a factor making it harder to repel, and came at least in part from the same botnet used to send the initial spam attack.
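The vectors Arbor lists (SYN flood, UDP flood, Christmas Tree) each leave a recognisable signature in per-packet records, and a defender watching for the escalation described above can label them from protocol and TCP flag bits alone. The script below is an added example, not Arbor's code; the packet lines are constructed and the per-source thresholds are illustrative values chosen for the sample, not tuning advice.

```python
"""Classify packet records into SYN flood, UDP flood and Christmas Tree traffic
and flag sources that cross a threshold. Added example; sample data is constructed."""
from collections import Counter, defaultdict

# Constructed packet summaries: "src_ip proto tcp_flags" (S=SYN, A=ACK, F=FIN,
# P=PSH, U=URG, R=RST; "-" for UDP, which carries no TCP flags).
SAMPLE_PACKETS = """\
203.0.113.5 tcp S
203.0.113.5 tcp S
203.0.113.5 tcp S
203.0.113.5 tcp S
198.51.100.7 tcp S
198.51.100.7 tcp A
198.51.100.7 tcp PA
192.0.2.9 tcp FPU
192.0.2.9 tcp FPU
203.0.113.44 udp -
203.0.113.44 udp -
203.0.113.44 udp -
203.0.113.44 udp -
203.0.113.44 udp -
"""

# FIN, PSH and URG lit together never occur in a legitimate TCP session.
XMAS_FLAGS = frozenset("FPU")


def classify(proto, flags):
    """Label one packet: 'udp', 'xmas', 'syn' (bare SYN), 'ack' or 'other'."""
    if proto == "udp":
        return "udp"
    flagset = set(flags) if flags != "-" else set()
    if XMAS_FLAGS <= flagset:
        return "xmas"
    if flagset == {"S"}:
        return "syn"
    if "A" in flagset:
        return "ack"
    return "other"


def tally(lines):
    """Per-source counts of each packet label; malformed lines are skipped."""
    per_src = defaultdict(Counter)
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, proto, flags = parts
        per_src[src][classify(proto, flags)] += 1
    return per_src


def find_suspects(per_src, syn_threshold=4, udp_threshold=5):
    """Return {src: [labels]} for sources matching a vector.

    SYN flood: many bare SYNs and never an ACK, i.e. the source only opens
    half-open connections (the doorbell is rung, nobody waits for the door).
    Christmas Tree: any packet with FIN+PSH+URG set.
    UDP flood: UDP packet count at or above the threshold.
    """
    suspects = {}
    for src, counts in per_src.items():
        labels = []
        if counts["syn"] >= syn_threshold and counts["ack"] == 0:
            labels.append("syn_flood")
        if counts["xmas"] > 0:
            labels.append("xmas_tree")
        if counts["udp"] >= udp_threshold:
            labels.append("udp_flood")
        if labels:
            suspects[src] = labels
    return suspects


if __name__ == "__main__":
    for src, labels in find_suspects(tally(SAMPLE_PACKETS)).items():
        print(src, ", ".join(labels))
```

The ACK check is what keeps a busy but legitimate client out of the SYN-flood bucket: 198.51.100.7 in the sample opens a connection and then completes the handshake, so it is not flagged, while 203.0.113.5 only ever sends SYNs. In production the same logic runs over NetFlow or pcap-derived records with thresholds set from the link's normal baseline.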

Neither analysis tells us much about who actually carried out the attack which, judging from previous high-profile DDoS campaigns, is likely to always remain something of a mystery. ®

