Noticed the amount of spam your organization is receiving has gone up in the past few months — particularly email with malicious attachments? It’s not just you. Spam volumes are back on the rise, according to Cisco Systems’ Talos security intelligence. And it may signal the return of the Necurs botnet, which researchers thought (hoped?) had been disarmed in June arrests of several people linked to the spread of a Russian-specific piece of malware named Lurk.
In a blog filed Wednesday, Jaeson Schultz, one of the group’s technical leaders, noted that according to numbers gained from the Composite Blocking List the last time spam volumes were this high was in mid-2010.
(Image from Composite Blocking List)
Similarly, an internal list from SpamCop shows its block list somewhere under 200,000 IP addresses pre-2016, growing to an average twice that this year and spiking to over 450K,000 IPs in August.
Anti-spam systems have been effective so far and there have been some high-profile takedowns of spam-related botnets, Schultz notes. But high-volume attacks, which try to find weaknesses within minutes before the anti-spam defences shut doors, are increasing. Last week, for example, high volume attacks were a large portion of all spam that went out — 65 per cent on Sept. 12 and 59 per cent on Sept. 13.
Talos believes the increase is largely the work of the Necurs botnet, which has switched from sending largely Russian dating and stock pump-and-dump spam to sending malicious attachment-based spam with either the Dridex banking malware or Locky ransomware. That figures: Ransomware has become a lucrative source of income to criminal groups.
Schultz notes that many of the host IPs sending Necurs’ spam have been infected for more than two years. “To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks. This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again.”
The bottom line is CISOs have to maintain vigilance for spam. Talos encourages infosec pros to build a layered set of defenses to maximize the chances of detecting and blocking these attacks. And security awareness campaigns for employees have to continue advising how to spot malicious attachments.