Trump wins by wide margin as top lure for spam campaigns

Attackers hit pay dirt when sending email that uses GOP candidate’s name


The poll results are in from elite spam gangs as to which presidential candidate they view as the top attraction to get consumers to open annoying—and potentially malicious—email.

And the winner, by a landslide … Donald Trump.

Researchers at messaging security vendor Proofpoint have been tracking election-themed email spam that ranges from promotions for sketchy products and services to outright phishing scams designed to steal account user names and passwords.


Republican Trump is, by far, spammers’ go-to pitchman, appearing in 169 times as many suspect emails as Democratic candidate Hillary Clinton.

Patrick Wheeler, Proofpoint director of threat intelligence

“This is a contentious election, so we expected high volumes of election-related spam as threat actors capitalize on public attention,” says Patrick Wheeler, Proofpoint’s director of threat intelligence. “What we didn’t expect was the very lopsided use of lures related to a single candidate.”

Proofpoint scanned subject lines in spam messages detected across its customer base in June and July. Overall, Trump appeared 270 times more often in June than Clinton alone, and 34 times as often as either Clinton or both candidates. There were two particularly large campaigns in June featuring Trump-related lures.

The trend also was noticeable in July when Trump-themed lures appeared 67 times more often than Clinton-themed lures. Across both months, Trump-themed lures were almost 170 times as common as those featuring only Clinton and 33 times as common as lures featuring both candidates, Wheeler says.

Setting the bait

The Trump spam followed two general themes:

  • Surprising election news by or about Trump: These usually had a fake sending alias of a major news organization like CNN or Fox News. Names and sometimes branding for both liberal and conservative news outlets were used in these lures.
  • “Get rich / smart like Trump”: These sometimes included subtitles such as “Wall Street is outraged” and similar messages with fake sending aliases that appeared to come from consumer finance publications like CNN Money.

Proofpoint also observed phishing email crafted to entice recipients to log into Gmail to “verify their identity” to participate in a voter poll. However, election-related phishing campaigns, so far, have been the exception. More common are promotions for work-from-home schemes and similar marketing pitches, Wheeler reports.

Historically, spikes and shifts in spam campaigns have followed a predictable pattern. Spammers typically stay prepared to pounce on a big news event, such as the death of a celebrity, major holidays, big sporting events or catastrophic weather events.

Botnets carry out dirty work

As the news hits headlines and airwaves, massive waves of spam gush forth. This is made possible by botnets, hundreds of thousands of infected home and workplace PCs controlled by a single operator. Use of the botnets for spamming purposes is typically under a lease arrangement to spamming specialists, who handle marketing collateral and online sales.

Garden-variety spam usually hits in the initial wave of spam tied to a news event. It can include pitches for noncertified pharmaceutical drugs, herbal remedies, replica designer goods, worthless anti-virus subscriptions, and various get-rich-quick schemes.

If the news event has shelf life—as the presidential election certainly does—crime gangs who specialize in spreading malicious software in order to infect, and take full control of, victims’ machines usually come looking to lease spamming botnets.

For instance, immediately after the death of Michael Jackson in 2009, the Waledac gang began deploying thousands of bots to spam out millions of emails with web links purportedly leading to news about Jackson. But the links actually redirected recipients to websites affiliated with GlavMed that sold sexual-performance drugs and painkillers.

A few hours later, another major botnet gang, known as Rustock, also blasted out Jackson-themed spam for GlavMed’s online shopping sites.

Then, about a week after Jackson’s death, criminals out to steal sensitive data and hijack online financial accounts began to move in. A major botnet gang called Pushdo launched a large-scale spamming campaign with enticing messages including: “Who killed Michael Jackson? Visit X-Files to see the answer.” A web link followed.

Clicking on it triggered what’s known as a “drive-by download.” The attacking bot scanned for security holes in popular applications such as Internet Explorer, QuickTime and Adobe Acrobat Reader. Upon finding one, it swiftly took deep control of the recipient’s machine.

Not over yet

No one should be surprised if a similar acceleration to more damaging Trump-themed spam ramps up heading into the November election.

“Regardless of the specific subjects and lures spam actors use, individuals and organizations need to exercise particular caution in opening and interacting with election-related mail they receive,” Wheeler advises. “Many of these messages are merely annoying. But others can be malicious, relying on our curiosity about the elections to lead us to phishing pages, compromised websites and more.”
