Part 2: Reading SPAM For Research

10 Aug - by neuralsculpt

A couple of weeks ago I posted a blog entry that followed up on an article I published in Information Security Magazine. In that post I wrote about collecting phishing samples and identifying domain squatters that might be looking to harvest information from their targets. This is the final blog entry derived from that article, and in it I'll be discussing a phenomenon that has been dominating the media recently: fake news.

Fake News Sites

These are always fun, if only to see what ridiculous eye-catching headlines these guys have come up with. Again, my interest is where these sites are being hosted and whether they are counterfeiting Akamai customer sites. Is the domain they're being hosted on compromised? If so, I notify our customer of the fake site so they can take appropriate action to have it removed. In most cases the sites hosting these fake news pages are running on a VPS (virtual private server) and the domain has been registered through a low-cost registrar.

[Image: SPAM1.jpg]


The site above advertises an all-natural weight-loss recipe, purportedly used by many celebrities. Below is an advertisement for a tiny pill that supposedly gave Republican Presidential Nominee Donald Trump the stamina to run for office.

[Image: SPAM2.jpg]

Mainstream media outlets are not alone in being counterfeited; even large social media companies are targeted:

[Image: SPAM3.jpg]

Fake news sites are usually advertisements for some product, and different sites can even contradict one another depending on what is being sold.

[Image: SPAM4.jpg]

[Image: SPAM5.jpg]

In the example above, worldwidehomeincome.com is hosted at DigitalOcean. www.worldwidehomeincome.com returns a 404 page, while offer.worldwidehomeincome.com serves the fake news page shown. This could be because the server uses name-based virtual hosting and is possibly being set up to serve other fake news pages under other hostnames. It could also be a bit of security through obscurity, keeping web crawlers from indexing the site. I thought perhaps I would find a page where I could sign up for this amazing program and it would attempt to steal my credit card information.

Digging around the site, however, I couldn't find any evidence of fraud, as all of the links pointed back to the original domain.
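The virtual-hosting guess above is easy to check without relying on DNS: connect to the one IP the domain resolves to and vary only the Host header. A hostname that cannot exist tells you what the server's default vhost looks like (here, the 404 page); any candidate whose response differs from that control is a vhost the server really serves. The script below is an added example written for this post, not code from the original article. The IP 203.0.113.10 (a documentation address), the candidate labels beyond www and offer, and the FAKE_SERVER table that stands in for the real host so the script runs offline are all assumptions; swap in http_fetch and the real IP to probe a live server.

```python
"""Detect name-based virtual hosts on a single IP by varying only the Host header."""
import http.client
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, int]            # (HTTP status, body length in bytes)
Fetch = Callable[[str, str], Response]

# Candidate labels are an assumption (labels spam landing pages commonly use);
# only www and offer appear in the post.
DEFAULT_LABELS = ["www", "offer", "offers", "go", "track", "click", "admin"]
CONTROL_LABEL = "vhost-probe-control-8f3c"   # deliberately bogus: shows the default vhost


def http_fetch(ip: str, host: str, timeout: float = 5.0) -> Response:
    """GET / from `ip` over plain HTTP, overriding only the Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-probe/0.1"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def probe_vhosts(ip: str, domain: str, labels: Iterable[str] = DEFAULT_LABELS,
                 fetch: Fetch = http_fetch) -> Dict[str, Response]:
    """Fetch / once per candidate hostname (control first, then the apex) and record the result."""
    hostnames = [f"{label}.{domain}" for label in [CONTROL_LABEL, *labels]] + [domain]
    results: Dict[str, Response] = {}
    for host in hostnames:
        try:
            results[host] = fetch(ip, host)
        except (OSError, http.client.HTTPException):
            results[host] = (0, 0)    # connection-level failure, distinct from any HTTP status
    return results


def live_vhosts(results: Dict[str, Response], domain: str) -> List[str]:
    """Hostnames whose response differs from the control's, i.e. vhosts the server actually serves."""
    control = results[f"{CONTROL_LABEL}.{domain}"]
    return sorted(host for host, resp in results.items()
                  if resp != control and resp != (0, 0))


# Constructed stand-in for the real server so the example runs offline. The
# status/size pairs are illustrative, not measurements of worldwidehomeincome.com.
FAKE_SERVER = {
    "www.worldwidehomeincome.com": (404, 1131),
    "offer.worldwidehomeincome.com": (200, 24576),
}


def fake_fetch(ip: str, host: str) -> Response:
    """Unknown hostnames fall through to the default vhost, as on a real name-based setup."""
    return FAKE_SERVER.get(host, (404, 1131))


if __name__ == "__main__":
    res = probe_vhosts("203.0.113.10", "worldwidehomeincome.com", fetch=fake_fetch)
    print(live_vhosts(res, "worldwidehomeincome.com"))   # ['offer.worldwidehomeincome.com']
```

Two caveats when running this against a live host: over HTTPS the TLS SNI must match the Host header as well (wrap the socket with ssl and pass server_hostname), and a 404 with a stable body size can itself be a configured vhost rather than the default, which is why the control hostname, not the status code, defines "default".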

Most spam emails are advertisements, while others are politically motivated.

[Image: Screen Shot 2017-08-09 at 3.47.44 PM.png]

[Image: Screen Shot 2017-08-09 at 3.47.53 PM.png]

This spam uses political unrest in the US as clickbait to sell health supplements. This specific campaign is covered by Snopes (http://www.snopes.com/sour-honey-cure-cancer/) and rated mostly false. The Snopes entry notes that after paying a $74 membership fee you can download their "free" book. In the end, it was just another advertisement.


[Image: SPAM6.jpg]

[Image: SPAM8.jpg]

Conclusion

With all the active threats arriving in our inboxes every day, I thought perhaps this attack traffic could be repurposed for good use. Perhaps one day the current spam filter system could be augmented to use spam email for threat intelligence, where spam filters not only use heuristics to block spam but also create alerts for active phishing and malware campaigns. At the very least, I hope readers understand what threats are waiting in their inboxes every day and examine links and attachments with extreme prejudice.
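The first step toward the spam-as-threat-intelligence idea above is mechanical: pull the indicators out of each message. The script below is an added example written for this post, not the author's tooling or any product's filter. It parses a raw RFC 5322 message with the standard library, extracts the From and bounce (Return-Path/Reply-To) domains, every URL host the message tries to send the reader to, and any attachments, then lists the reasons it would raise an alert. The embedded message, its domains (reserved .test names) and the risky-extension list are constructed for the example.

```python
"""Extract indicators from a spam message: sender/bounce domains, URL hosts, attachments."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
# Assumed list of extensions worth alerting on when they arrive as attachments.
RISKY_EXT = (".zip", ".js", ".exe", ".scr", ".docm", ".xlsm", ".jar", ".iso")

# Constructed sample message; every domain uses a reserved .test/.example name.
SAMPLE_EML = b"""\
From: "Breaking News" <alerts@newsflash.test>
Return-Path: <bounce-1234@mailer.bulk-sender.test>
Reply-To: <offers@bulk-sender.test>
To: victim@example.com
Subject: Celebrity weight loss secret doctors don't want you to know
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the full story <a href="http://offer.home-income-now.test/story?id=41">here</a>.</p>
<img src="http://track.bulk-sender.test/o.gif?u=victim" width="1" height="1">
</body></html>
--b1
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def _domain(header_value) -> str:
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def extract_iocs(raw: bytes) -> Dict[str, object]:
    """Parse one raw message and return its indicators as a plain dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = set()
    for part in msg.walk():                      # covers text/plain and text/html alike
        if part.get_content_maintype() == "text":
            urls.update(URL_RE.findall(part.get_content()))
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    from_domain = _domain(msg["From"])
    bounce_domain = _domain(msg["Return-Path"]) or _domain(msg["Reply-To"])
    return {
        "from_domain": from_domain,
        "bounce_domain": bounce_domain,
        "sender_mismatch": bool(bounce_domain) and bounce_domain != from_domain,
        "urls": sorted(urls),
        "url_hosts": sorted({urlparse(u).hostname or "" for u in urls}),
        "attachments": attachments,
        "risky_attachments": [a for a in attachments if a.lower().endswith(RISKY_EXT)],
    }


def alert_reasons(iocs: Dict[str, object]) -> List[str]:
    """Human-readable reasons this message deserves an alert rather than a silent drop."""
    reasons = []
    if iocs["sender_mismatch"]:
        reasons.append(f"bounce domain {iocs['bounce_domain']} differs from From domain {iocs['from_domain']}")
    if iocs["risky_attachments"]:
        reasons.append("risky attachment: " + ", ".join(iocs["risky_attachments"]))
    return reasons


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_EML)
    print(found["url_hosts"])
    for reason in alert_reasons(found):
        print("ALERT:", reason)
```

The From/Return-Path mismatch is a weak signal on its own, since legitimate bulk senders routinely bounce through a service provider's domain; its value is in combination with the URL hosts, which are what you would feed to a blocklist or correlate against web logs to see whether anyone in the organisation actually clicked.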