Skip to content

Look What I Found: Spam Campaign with Same-Day Domain Delivery

2011-10-28

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

A spam campaign currently underway — but in the process of being taken down by authorities — appears to have compromised existing Web mail accounts in order to distribute the spam, which contains links to what appear to be a work-at-home scheme. Oops, fail — the domain names linked in the spam messages are, at times, so new, that they aren’t reachable: Either the DNS hadn’t yet propagated, or the Web sites aren’t even live, at the time the spam messages reach inboxes.

The messages appear to originate from owners of the compromised email accounts, and contain a link with a brief message written in punctuation-less English. The spam messages use a goofy come-on: Look what I found! was the most common subject line.

The link points to one of several servers that act as redirectors, which parse the contents of a query string and then forward the browser to a second Web site. The redirector domains, which have oddly high reputation scores, appear first in links that also contain what look like tracking codes relating to the spam campaign. The eventual destination domain, which is visible within the email, uses a name designed to resemble a URL that might be used by a news organization, such as abc24news.net and daily77reports.net. The URL always links to a page named bizopp_main.php.

The spam messages were sent from the accounts of two people I know personally, within a day of one another, to everyone in their respective address books. One affected account was hosted by Yahoo in the UK, the other by Microsoft in the US. Neither of these accounts had shown any sign of having been compromised prior to the spam messages showing up in everyone else’s inboxes.

It’s unknown at this time what, exactly, the spam campaign was doing. By the time we took a look at the URLs, since the campaign first kicked off Wednesday, all of the domains associated with the campaign appear to have been blackholed by the Center of Ukrainian Internet Names, the organization used by the spammers to register the domains.

All 70 domains and subdomains associated with the campaign shared the DNS nameservers ns1.nookok.ru and ns2.nookok.ru and ns3.nookok.ru. The nookok.ru domain is privately registered and (for the moment) remains active on 79.143.177.239. However, if you look at the complete list of domains which use these nameservers, it’s pretty obvious what’s going on here. Robtex reports more than 70 domains (more than when the screenshot was taken yesterday), but once you remove the subdomains and de-dupe them, the list is 37 domains long.

Here are (some of) the domains which seem to have been, or are, involved in the scheme:

24-jobs.net
365-jobs.net
365newsjob.net
7-jobs.net
abcdaily7.net
abcnews10.net
businessnews12.net
businessnews29.net
businessnews6.net
daily24reporter.net
daily365reporter.net
daily7-7news.net
daily77news.net
daily77reports.net
daily7reporter.net
home34solutions.net
home36solutions.net
home42solutions.net
home7jobs.net
income9.net
job-solutions.net
job24news.net
job7news.net
jobs-week.net
jobweeeknews.net
legal-week.net
newsworldtoday.net
thedaily-reporter.net
wealth-blog.net
weeknews7.net
weeknewsjob.net

And these domains had been used as nameservers, and are now blackholed:

inocas.ru
nookok.ru
oaikik.ru
poann.ru
pucas.ru
voinin.ru

In the past, spammers have used fake “business journal” work-at-home scams to commit advance fee fraud, and sometimes to recruit so-called money mules who unwittingly help criminals launder ill-gotten proceeds of crime. In this case, the authorities seem to have acted quickly to stem the threat, but it’s a fortunate rarity when this happens. The campaign seems capable of popping back into existence at any time.Solera blog stats

%d bloggers like this: