[nsp-sec] Why so much WebMail Abuse / Credential Theft? A Theory...
White, Gerard
Gerard.White at aliant.ca
Mon Mar 24 21:08:39 EDT 2008
Greetings.
When examining the plethora of /32s that are connecting to our WebMail servers using stolen credentials to propagate spam, it becomes a rather endless task to try and blacklist these, as they seem to be popping out of the IP woodwork...
After a bit of study, I am beginning to see a rather common pattern evolving from these evil /32s:
1) They appear to be attached to a P2P network
2) They appear to have an HTTP proxy that is being "used" by members of our customer base
So what "appears" to be happening is that these evil entities are being set up/equipped with an HTTP proxy, and appropriately named malware is being propagated on P2P networks under a more attractive name and grabbed by P2P users. The malware is tailored to turn on an HTTP proxy option in the victim's web browser; thus the WebMail (and other) credentials are getting grabbed... Subsequently, miscreants with the collected WebMail credentials are using the same proxy to hit our own WebMail front ends to do their spam runs...
While I acknowledge the fact that phishing runs are also being used to gather WebMail credentials, this "system" is working a lot more effectively... Hence even going through the motions of changing the customer's WebMail credentials is failing, since the proxy-option malware is just gathering the new credentials without a problem...
It would be interesting to know if others are seeing their WebMail being abused by a similar zero-day system...
Never a dull moment in an ISP's world...
GW
855 - Aliant
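As an added example (not part of the original post, and not any Aliant or nsp-sec tooling), the script below looks for the two symptoms the post describes in a WebMail authentication log: a single /32 authenticating as many distinct customer accounts within a short window (the shared proxy being used for spam runs), and an account that keeps logging in from such a source even after its password was reset (the proxy harvesting the new credentials). The log format, the event names `login_ok` / `pw_reset`, the thresholds, and the sample log lines are all assumptions constructed for this example.

```python
"""Flag WebMail source IPs that match the shared-proxy abuse pattern.

Hypothetical log format (constructed for this example, not a real product's):
    <ISO timestamp> <event> <source IP or '-'> <account>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 behaves like the proxy in the post:
# several different customers "log in" from it, and alice still logs in
# from it after her password was reset.
SAMPLE_LOG = """\
2008-03-24T20:01:02 login_ok 203.0.113.7 alice
2008-03-24T20:01:40 login_ok 203.0.113.7 bob
2008-03-24T20:02:15 login_ok 198.51.100.5 carol
2008-03-24T20:03:05 login_ok 203.0.113.7 dave
2008-03-24T20:04:11 login_ok 203.0.113.7 erin
2008-03-24T20:06:30 login_ok 192.0.2.9 bob
2008-03-24T20:10:00 pw_reset - alice
2008-03-24T20:12:00 pw_reset - carol
2008-03-24T20:31:45 login_ok 203.0.113.7 alice
2008-03-24T20:40:00 login_ok 198.51.100.5 carol
2008-03-24T21:40:00 login_ok 192.0.2.9 carol
"""


def parse_log(text):
    """Parse log lines into (timestamp, event, src_ip, account) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, src, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), event, src, account))
    return events


def suspicious_sources(events, min_accounts=3, window=timedelta(minutes=30)):
    """Return {src_ip: sorted distinct accounts} for every source IP that
    successfully authenticated as at least `min_accounts` different accounts
    inside some `window`-long span. One household rarely does that; a proxy
    shared by a spam crew does."""
    logins = defaultdict(list)  # src_ip -> [(ts, account), ...]
    for ts, event, src, account in events:
        if event == "login_ok":
            logins[src].append((ts, account))

    flagged = {}
    for src, items in logins.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window so items[start:end+1] spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({a for _, a in items[start:end + 1]}) >= min_accounts:
                flagged[src] = sorted({a for _, a in items})
                break
    return flagged


def resets_defeated(events, flagged):
    """Accounts whose password was reset but which still logged in afterwards
    from a flagged source IP: the post's symptom of the proxy simply
    harvesting the new credentials. Returns {account: src_ip}."""
    reset_at = {}
    hits = {}
    for ts, event, src, account in sorted(events):
        if event == "pw_reset":
            reset_at[account] = ts
        elif (event == "login_ok" and src in flagged
              and account in reset_at and ts > reset_at[account]):
            hits[account] = src
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = suspicious_sources(evs)
    for src, accounts in flagged.items():
        print(f"{src}: {len(accounts)} distinct accounts -> {accounts}")
    for account, src in resets_defeated(evs, flagged).items():
        print(f"reset for {account} defeated: still logging in via {src}")
```

In practice the two lists feed different actions: the flagged /32s are candidates for the blacklist (or better, for a per-source login rate limit, since the post notes the list never ends), while the "reset defeated" accounts identify customers whose machine, not their password, needs cleaning.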