Feeds

Twitter hack spawns spam and scareware scams

DDoS campaign opens Pandora's Box

The Power of One eBook: Top reasons to choose HP BladeSystem

Spam and scams have continued to flow from the fallout of last week's DDoS against Twitter.

The attack, which took the micro-blogging service offline for around two hours on Thursday, and reduced service levels for a much longer time afterwards, (see here and here), also affected Facebook, LiveJournal and other sites. The intended target of the high profile attack (according to one popular, though disputed, theory) was Cyxymu, a pro-Georgian blogger. It was allegedly timed to coincide with the anniversary of the 2008 war between Georgia and Russia, over the separatist region of South Ossetia.

Miscreants have taken advantage of the new-found fame of Cyxymu to poison search engine indexes, so that searches for the term list sites harbouring scareware, McAfee warns. Sophos reports it detected a spam run following the attacks ostensibly containing an (ungrammatical) English language apology from Cyxymu. It's far more likely the supposed apology is nothing to do with Cyxymu and is designed to further irritate recipients and alienate the blogger, Sophos notes.

In interviews with The Guardian and CNN, Cyxymu, actually a 34 year-old economics lecturer from Tiblisi, the Georgian capital, blamed the denial of service attack that affected LiveJournal, Facebook and Twitter last week on the Kremlin. "Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," Cyxymu told The Guardian.

Meanwhile, more technical details are beginning to emerge about last week's attack. McAfee said a spam campaign referencing Cyxymu blogs and Twitter account and spoofed with false sender details began at 1300 BST, several hours before a DDoS attack against Twitter, Facebook et al. The Joe Job spam campaign and the later DDoS attack came (at least in part) from the same botnet of compromised machines, according to a blog post by McAfee.

In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 am EDT on Thursday, August 6 and started winding down around 11 am the same day, with the last messages being detected at 4 pm. Only the second spam run, the larger of the two, spoofed Cyxymu’s email address, while the first one randomized the senders’ email addresses.

DDoS mitigation experts Arbor Network said the DDoS attack traffic flowing last week began with a basic SYN Flood (the cyber equivalent of ringing a doorbell and running away) towards far more sophisticated attacks.

While "Joe Job" spam links may have comprised a significant portion of the attacks yesterday (as others have reported), [Arbor's] Observatory saw a range of additional attack vectors including TCP Syn, UDP flood, and Christmas Tree attacks.

The combined analysis from McAfee and Arbor suggests that Joe Job spam, spoofed to appear from Cyxymu and designed to discredit him, may have played some part in the lead up to the attack and might have placed some load on the referenced websites, but that the real damage was done later in a conventional DDoS attack. This attack increased in sophistication over time, a factor making it harder to repel, and came at least in part from the same botnet used to send the initial spam attack.

Neither analysis tells us much about who actually carried out the attack which, judging from previous high-profile DDoS campaigns, is likely to always remain something of a mystery. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.