Spam Operation Laid Open, Exposing Data on 1.4 Billion

A researcher stumbled upon a massive trove of data online. It turned out to be the inner workings of a global spam ring.

In-brief: A security researcher searching the Internet for insecure data archives stumbled upon an information gold mine: 5 Terabytes of unsecured back ups belonging to one of the globe’s biggest and longest running spam e-mail operations.

The data – more than five terabytes in all – has laid open the workings of a little known firm, River City Media and suggest that the firm, which represents itself as an online marketer, is making millions of dollars a year by pumping out spam email, often using illegal hacks of servers by Google and others to do so.

In a conversation with The Security Ledger,  Vickery said he discovered the massive data dump on a publicly exposed Internet server using the search engine Shodan (shodan.io). Vickery said he stumbled upon the spammers’ data while searching for exposed backup archives for the program Rsync, a common open source backup utility for Unix and Linux systems.

“Initially, it looked like a marketing firm,” Vickery said. “But once I started going through the data, I immediately noticed things that looked criminal in nature.”

Vickery said that the backup archives in question were not protected with a password, meaning that they could be opened and viewed by anyone running the Rsync client who knew of the archives location on the Internet. After accessing one or two of the publicly exposed archives, Vickery was able to locate a number of other Rsynch repositories for River City Media (RCM), including one containing more than one billion email addresses targeted by the spammers.

Information gathered by the spammers includes email addresses, full names, IP addresses, and often physical addresses. “An active market exists for trafficking in these types of lists for illegitimate purposes,” Vickery wrote on the Mackeeper blog.

The researcher, working together with the blog Salted Hash and the anti-spam organization Spamhaus, began analyzing the content of the data. They also contacted law enforcement and technical staff at major email providers including Google, Microsoft, Apple and others.

Vickery said that the group behind the spamming operation is large and includes a number of unknown or lesser known persons. But two names: Alvin Slocombe and Matt Ferris, figure prominently in the leaked data. The two are well-known spammers who have been on the radar of organizations like Spamhaus for more than a decade. The two operate a series of shell companies in Wyoming, Washington State and in other countries, said Vickery.

According to data culled from the backups, RCM generated $3.2 million in the last year. The two claim to operate above-board online marketing companies, but Vickery said the content of the leaked files put the lie to that claim.

Among other things, chat logs backed up with other RCM data show employees discussing illegal hacking operations to probe and exploit vulnerable mail servers. Scripts and log files saved in the backup offer documentary proof of the groups’ various missions.

In one technique described in exchanges between RCM staff, the group talk about exploiting a heretofore unknown flaw in Google’s Gmail servers: slowing the response time of the sending machine they control and opening as many connections as possible between themselves and a Gmail server.

“When the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels. The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails,” he said.

That technique, referred to generically as the “slowloris” attack is well-known and is often used to disable the receiving email server. The spammers use of it to trick email servers into bulk processing email was novel, Vickery said.

He said there was also evidence of the use of IP hijacking by the group, in which spammers take over or spoof legitimate IP addresses for spam runs, coasting on the good reputation of those addresses and the companies that own them.

As for how the attackers garnered 1.4 billion names and email addresses? Vickery said that “a combination of techniques” is likely to blame. Many of the individuals on the spammers’ list may have registered with one web site, unwittingly agreeing (in the Terms of Use) to having their information sold to a third-party. Credit checks, education-related offers, sweepstakes and other enticements were the original bait for such transactions.

Comments are closed.