[nsp-sec] Why so much WebMail Abuse / Credential Theft? A Theory...

Dave Mitchell davem at yahoo-inc.com
Mon Mar 24 21:18:09 EDT 2008


Gerard,
  I think Mr. Salusky from AOL might have some interesting info on this
topic. William, you passed out or alive? :)

-dave

On Mon, Mar 24, 2008 at 10:38:39PM -0230, White, Gerard wrote:
> ----------- nsp-security Confidential --------
> 
> Greetings.
> 
> When examining the plethora of /32s that are connecting to our WebMail
> servers using stolen credentials to propagate spam, it becomes a rather
> endless task to try and blacklist these - as they seem to be popping out
> of the IP woodwork...
> 
> After a bit of study, I am beginning to see a rather common pattern
> evolving from these evil /32s:
> 
> 1)       They appear to be attached to a P2P network
> 
> 2)       They appear to have an HTTP proxy that is being "used" by
> members of our customer base
> 
> So what "appears" to be happening is these evil entities are being
> set up/equipped with an HTTP proxy, and appropriately named malware
> that is being propagated on P2P networks under a more attractive name
> that is being grabbed by P2P users.  The malware is tailored to turn on
> an HTTP proxy option for the victim's web browser - thus the WebMail
> (and other) credentials are getting grabbed...  Subsequently, miscreants
> with the collected WebMail credentials are using the same proxy to hit
> our own WebMail front ends to do their spam runs...
> 
> While I acknowledge the fact that phishing runs are also being used to
> gather WebMail credentials, this "system" is working a lot more
> effectively... hence even going through the motions of changing the
> Customer's WebMail credentials is failing since the proxy-option malware
> is just gathering the new credentials without a problem...
> 
> It would be interesting to know if others are seeing their WebMail being
> abused by a similar zero-day system...
> 
> Never a dull moment in an ISP's world...
> 
> GW
> 
> 855 - Aliant
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
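The pattern Gerard describes (a single remote /32 that both logs into many WebMail accounts and is the destination of customer traffic on a forward-proxy port) can be checked mechanically by joining WebMail authentication records against customer flow records. The script below is an added example, not code from the thread or from Aliant; the log formats, field names, port list and the sample IPs are all constructed for illustration. Customers that appear as proxy clients of a flagged IP are the ones whose browser proxy setting needs cleaning before any password reset is worth doing.

```python
"""Correlate WebMail login sources with customer traffic to suspected HTTP proxies.

Added example for the nsp-security thread above; not the ISP's own tooling.
Both log formats below are invented for illustration.
"""
from collections import defaultdict

# Ports commonly used by forward HTTP/SOCKS proxies (assumption; tune per network).
PROXY_PORTS = {3128, 8080, 8118, 1080}

# Constructed WebMail auth log: "<timestamp> <source_ip> <account>" per line.
WEBMAIL_AUTH_LOG = """\
2008-03-24T10:01:02 198.51.100.7 alice
2008-03-24T10:01:09 198.51.100.7 bob
2008-03-24T10:02:33 198.51.100.7 carol
2008-03-24T10:03:10 203.0.113.9 dave
2008-03-24T10:04:41 192.0.2.55 erin
2008-03-24T10:05:00 192.0.2.55 frank
"""

# Constructed customer flow log: "<timestamp> <customer_ip> <dst_ip> <dst_port>".
FLOW_LOG = """\
2008-03-24T09:50:11 10.20.0.14 198.51.100.7 8080
2008-03-24T09:51:40 10.20.0.88 198.51.100.7 8080
2008-03-24T09:52:05 10.20.0.14 203.0.113.9 80
2008-03-24T09:55:19 10.20.0.31 192.0.2.55 3128
"""


def parse_webmail_auth(text):
    """Map each login source IP to the set of distinct accounts it authenticated as."""
    accounts_by_ip = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src_ip, account = line.split()
        accounts_by_ip[src_ip].add(account)
    return accounts_by_ip


def parse_flows(text, proxy_ports=PROXY_PORTS):
    """Map each destination IP to the set of customer IPs that reached it on a proxy port.

    Flows to non-proxy ports (e.g. plain web browsing on 80) are ignored, so a
    destination only counts as a proxy candidate if customers talk to it on
    one of the listed ports.
    """
    clients_by_dst = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, cust_ip, dst_ip, dst_port = line.split()
        if int(dst_port) in proxy_ports:
            clients_by_dst[dst_ip].add(cust_ip)
    return clients_by_dst


def suspected_proxies(accounts_by_ip, clients_by_dst, min_accounts=2, min_clients=1):
    """Return {ip: (accounts, customer_ips)} for IPs matching both halves of the pattern.

    An IP is flagged only when it (a) logged into at least min_accounts distinct
    WebMail accounts and (b) is used as a proxy by at least min_clients customers.
    A remote IP that merely logs into one account, or that customers only browse
    to on port 80, is left alone to keep the false-positive rate down.
    """
    hits = {}
    for ip, accounts in accounts_by_ip.items():
        customers = clients_by_dst.get(ip, set())
        if len(accounts) >= min_accounts and len(customers) >= min_clients:
            hits[ip] = (accounts, customers)
    return hits


def customers_to_remediate(hits):
    """Customers whose traffic goes through a flagged proxy; reset their creds only after cleanup."""
    return set().union(*(customers for _accounts, customers in hits.values())) if hits else set()


if __name__ == "__main__":
    found = suspected_proxies(parse_webmail_auth(WEBMAIL_AUTH_LOG), parse_flows(FLOW_LOG))
    for ip, (accounts, customers) in sorted(found.items()):
        print(f"{ip}: {len(accounts)} accounts {sorted(accounts)}, "
              f"proxy clients {sorted(customers)}")
    print("remediate first:", sorted(customers_to_remediate(found)))
```

With the constructed sample, 198.51.100.7 and 192.0.2.55 are flagged and 203.0.113.9 is not: it logged into only one account and customers reached it only on port 80. Thresholds are deliberately low for the sample; on real auth logs a higher `min_accounts` and a time window around the proxy flows would be needed.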