Twitter hack spawns spam and scareware scams

DDoS campaign opens Pandora's Box

Spam and scams have continued to flow from the fallout of last week's DDoS against Twitter.

The attack, which took the micro-blogging service offline for around two hours on Thursday and degraded service for much longer afterwards, also affected Facebook, LiveJournal and other sites. The intended target of the high-profile attack (according to one popular, though disputed, theory) was Cyxymu, a pro-Georgian blogger. It was allegedly timed to coincide with the anniversary of the 2008 war between Georgia and Russia over the separatist region of South Ossetia.

Miscreants have taken advantage of Cyxymu's new-found fame to poison search engine indexes, so that searches for his name return sites harbouring scareware, McAfee warns. Sophos reports it detected a spam run following the attacks ostensibly containing an (ungrammatical) English-language apology from Cyxymu. It is far more likely that the supposed apology has nothing to do with Cyxymu and is designed to further irritate recipients and alienate the blogger, Sophos notes.

In interviews with The Guardian and CNN, Cyxymu, actually a 34-year-old economics lecturer from Tbilisi, the Georgian capital, blamed the denial of service attack that affected LiveJournal, Facebook and Twitter last week on the Kremlin. "Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," Cyxymu told The Guardian.

Meanwhile, more technical details are beginning to emerge about last week's attack. McAfee said a spam campaign referencing Cyxymu's blogs and Twitter account, spoofed with false sender details, began at 1300 BST, several hours before the DDoS attack against Twitter, Facebook et al. The "Joe Job" spam campaign and the later DDoS attack came (at least in part) from the same botnet of compromised machines, according to a blog post by McAfee.

In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 am EDT on Thursday, August 6 and started winding down around 11 am the same day, with the last messages being detected at 4 pm. Only the second spam run, the larger of the two, spoofed Cyxymu’s email address, while the first one randomized the senders’ email addresses.

DDoS mitigation experts Arbor Networks said the DDoS attack traffic flowing last week began with a basic SYN flood (the cyber equivalent of ringing a doorbell and running away) and progressed towards far more sophisticated attacks.

While "Joe Job" spam links may have comprised a significant portion of the attacks yesterday (as others have reported), [Arbor's] Observatory saw a range of additional attack vectors including TCP Syn, UDP flood, and Christmas Tree attacks.
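The three vectors Arbor names above (bare SYN floods, UDP floods and "Christmas Tree" packets with FIN, PSH and URG set together) can be picked out of flow records with simple per-destination counting. This is an added detection example, not code from the article, McAfee or Arbor; the record format, the thresholds and the traffic are all constructed for illustration.

```python
from collections import defaultdict

# Christmas Tree packets carry the FIN, PSH and URG flags together, a combination
# no legitimate TCP exchange produces, so even a single one is worth flagging.
XMAS_FLAGS = frozenset({"FIN", "PSH", "URG"})

def parse_record(line):
    """Parse one constructed flow line: '<src> <dst> <proto> [flag,flag,...]'."""
    parts = line.split()
    src, dst, proto = parts[0], parts[1], parts[2].upper()
    flags = frozenset(parts[3].split(",")) if len(parts) > 3 else frozenset()
    return src, dst, proto, flags

def classify_ddos(lines, syn_threshold=50, udp_threshold=50):
    """Return {dst: sorted list of vectors} seen in one window of records.
    Thresholds are assumed per-window counts; tune them to the link's normal load."""
    syn_only = defaultdict(int)   # handshake openers (SYN with no other flag)
    acks = defaultdict(int)       # packets carrying ACK, i.e. handshakes completing
    udp = defaultdict(int)
    xmas = defaultdict(int)
    for line in lines:
        _src, dst, proto, flags = parse_record(line)
        if proto == "UDP":
            udp[dst] += 1
        elif proto == "TCP":
            if XMAS_FLAGS <= flags:
                xmas[dst] += 1
            elif flags == {"SYN"}:
                syn_only[dst] += 1
            elif "ACK" in flags:
                acks[dst] += 1
    findings = defaultdict(set)
    for dst, n in syn_only.items():
        # A flood shows as a pile of bare SYNs with few or no handshakes completing.
        if n >= syn_threshold and n > 10 * acks[dst]:
            findings[dst].add("SYN flood")
    for dst, n in udp.items():
        if n >= udp_threshold:
            findings[dst].add("UDP flood")
    for dst in xmas:
        findings[dst].add("Christmas Tree")
    return {dst: sorted(v) for dst, v in findings.items()}

# Constructed sample window: spoofed bare SYNs plus a UDP flood against one host,
# Christmas Tree probes against a second, and normal handshakes against a third.
SAMPLE_LINES = (
    [f"198.51.100.{i} 203.0.113.10 TCP SYN" for i in range(1, 61)]
    + [f"198.51.100.{i} 203.0.113.10 UDP" for i in range(1, 71)]
    + ["198.51.100.7 203.0.113.11 TCP FIN,PSH,URG"] * 2
    + [f"192.0.2.{i} 203.0.113.12 TCP SYN" for i in range(1, 6)]
    + [f"192.0.2.{i} 203.0.113.12 TCP ACK" for i in range(1, 6)]
)

if __name__ == "__main__":
    print(classify_ddos(SAMPLE_LINES))
```

The host receiving normal handshakes is not reported, because its bare SYN count stays far below the threshold and every opener is matched by an ACK.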

The combined analysis from McAfee and Arbor suggests that Joe Job spam, spoofed to appear to come from Cyxymu and designed to discredit him, may have played some part in the lead-up to the attack and might have placed some load on the referenced websites, but that the real damage was done later in a conventional DDoS attack. This attack increased in sophistication over time, a factor making it harder to repel, and came at least in part from the same botnet used to send the initial spam run.

Neither analysis tells us much about who actually carried out the attack which, judging from previous high-profile DDoS campaigns, is likely to always remain something of a mystery. ®
