Feeds

Twitter hack spawns spam and scareware scams

DDoS campaign opens Pandora's Box

High performance access to file storage

Spam and scams have continued to flow from the fallout of last week's DDoS against Twitter.

The attack, which took the micro-blogging service offline for around two hours on Thursday, and reduced service levels for a much longer time afterwards, (see here and here), also affected Facebook, LiveJournal and other sites. The intended target of the high profile attack (according to one popular, though disputed, theory) was Cyxymu, a pro-Georgian blogger. It was allegedly timed to coincide with the anniversary of the 2008 war between Georgia and Russia, over the separatist region of South Ossetia.

Miscreants have taken advantage of the new-found fame of Cyxymu to poison search engine indexes, so that searches for the term list sites harbouring scareware, McAfee warns. Sophos reports it detected a spam run following the attacks ostensibly containing an (ungrammatical) English language apology from Cyxymu. It's far more likely the supposed apology is nothing to do with Cyxymu and is designed to further irritate recipients and alienate the blogger, Sophos notes.

In interviews with The Guardian and CNN, Cyxymu, actually a 34 year-old economics lecturer from Tiblisi, the Georgian capital, blamed the denial of service attack that affected LiveJournal, Facebook and Twitter last week on the Kremlin. "Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," Cyxymu told The Guardian.

Meanwhile, more technical details are beginning to emerge about last week's attack. McAfee said a spam campaign referencing Cyxymu blogs and Twitter account and spoofed with false sender details began at 1300 BST, several hours before a DDoS attack against Twitter, Facebook et al. The Joe Job spam campaign and the later DDoS attack came (at least in part) from the same botnet of compromised machines, according to a blog post by McAfee.

In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 am EDT on Thursday, August 6 and started winding down around 11 am the same day, with the last messages being detected at 4 pm. Only the second spam run, the larger of the two, spoofed Cyxymu’s email address, while the first one randomized the senders’ email addresses.

DDoS mitigation experts Arbor Network said the DDoS attack traffic flowing last week began with a basic SYN Flood (the cyber equivalent of ringing a doorbell and running away) towards far more sophisticated attacks.

While "Joe Job" spam links may have comprised a significant portion of the attacks yesterday (as others have reported), [Arbor's] Observatory saw a range of additional attack vectors including TCP Syn, UDP flood, and Christmas Tree attacks.

The combined analysis from McAfee and Arbor suggests that Joe Job spam, spoofed to appear from Cyxymu and designed to discredit him, may have played some part in the lead up to the attack and might have placed some load on the referenced websites, but that the real damage was done later in a conventional DDoS attack. This attack increased in sophistication over time, a factor making it harder to repel, and came at least in part from the same botnet used to send the initial spam attack.

Neither analysis tells us much about who actually carried out the attack which, judging from previous high-profile DDoS campaigns, is likely to always remain something of a mystery. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.