Major career web sites hit by spammers attack


Summary: An assessment of a recently discovered, in-the-wild email harvesting service, released for the purpose of harvesting names, email addresses and other personal information from major career web sites, to be later used for targeted spamming and malware campaigns.


What is the future of spamming next to managed spamming appliances, like the ones already offered for use on demand? It's targeted spamming that goes beyond the segmentation of already harvested emails on a per-country basis, and includes other variables such as city of residence, employment history, education and spoken languages, to ultimately set up the perfect foundation for targeted spamming and malware campaigns.

Email harvesting has been around since the early days of spamming, when the handy point-n-click mailto link made it possible for the first databases of harvested emails to appear. Nowadays, these lists either come as a commodity, namely for free, or as a bargain for enticing the buyer of a particular underground good or service into buying it, with the list thrown in as a bonus. Recently, spammers, phishers and malware authors have started diversifying the harvested databases that are later used as hit lists for spam and malware campaigns, from the usual emails to instant messaging screen names, Skype usernames, and even YouTube user names. In fact, the problem of spammers diversifying their hit list building approaches is so prolific that successful initiatives such as Project Honeypot, which aims to proactively detect such email harvesters and limit their reach, would need to diversify their distributed aggregation approaches in the long term, to include the many other ways in which spammers are harvesting the "contact points" on their watch lists.

This post will assess a recently discovered, in-the-wild, do-it-yourself proprietary email and personal information harvesting tool, outline its functions, list the career web sites targeted, and emphasize how this attack would ultimately result in far more successful spamming and targeted malware campaigns.

Key summary points:

  • the personal information harvesting tool comes with customer service: for $100 the buyer receives a custom module for any other web site, along with accounts at that site and lists of proxy/SOCKS hosts to be used, which speaks for a decent degree of customization
  • the tool is entirely efficiency centered, namely it allows multiple harvesting threads which, combined with several different SOCKS/proxy hosts, can fetch and parse a huge number of pages in the shortest possible time frame
  • the service has built-in proxy/SOCKS functionality, allowing the spammers to shift responsibility for the harvesting process onto the owner of the proxy/SOCKS host, which in most cases is a malware infected PC used as a stepping stone for committing other illegal acts
  • one of the main differentiating factors of this tool compared to the many other average email harvesters is the customization achieved: the spammer can harvest only the emails of people living in a certain country or city, working in a specific profession, having studied at a particular school, having worked at a particular company in the past, speaking a given language, or holding a security clearance. As the attached screen shots show, the variables for coming up with unique and highly targeted spamming lists fully match the search variables of each job site
  • the possibilities for targeted spamming and malware attacks here are enormous given the quality of the harvested data. With the plain email addresses spammers usually harvest, they have no idea about any other personal details of the email owner; in this security incident, the information, in all of its authenticity and quality, is provided by legitimate job seekers wanting to dazzle their future employers by providing them with as much information as possible
  • the tool relies on the already registered accounts at these sites whenever it cannot recognize the CAPTCHA, and according to the description it can recognize the CAPTCHA of a single career site only. CAPTCHA images are presented within the interface per session, so even if the CAPTCHA for a certain site cannot be automatically recognized, the spammer solves it manually, thereby gaining access to the portal as a legitimately authenticated job seeker
  • as it appears from the obtained log files, the tool has already been actively harvesting the job sites
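The harvesting pattern the summary points describe (a legitimately registered account, multiple threads, rotating proxy/SOCKS exits) leaves a recognisable trace in a career site's own access logs. The following is an added example, not code from the original post or from the tool: a heuristic over constructed log lines that flags accounts viewing many distinct profiles from several source IPs within a short window. The log format, account names, IP addresses and thresholds are assumptions.

```python
# Added example, not from the original post: a defender-side heuristic flagging
# job-site accounts that browse like the harvester described above (many profile
# fetches in a short window from several source IPs, i.e. proxy/SOCKS rotation).
# Log format, account names, IPs and thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
import re
SAMPLE_LOG = """\
2008-03-10T09:00:01 acct=recruiter42 ip=203.0.113.5 path=/resume/view?id=1001
2008-03-10T09:00:02 acct=recruiter42 ip=198.51.100.7 path=/resume/view?id=1002
2008-03-10T09:00:02 acct=recruiter42 ip=203.0.113.5 path=/resume/view?id=1003
2008-03-10T09:00:03 acct=recruiter42 ip=192.0.2.9 path=/resume/view?id=1004
2008-03-10T09:00:04 acct=recruiter42 ip=198.51.100.7 path=/resume/view?id=1005
2008-03-10T09:00:05 acct=recruiter42 ip=192.0.2.9 path=/resume/view?id=1006
2008-03-10T09:00:10 acct=hr_jane ip=203.0.113.77 path=/resume/view?id=2001
2008-03-10T09:03:00 acct=hr_jane ip=203.0.113.77 path=/resume/search?q=java
"""
LINE_RE = re.compile(r"(\S+) acct=(\S+) ip=(\S+) path=(\S+)")
PROFILE_RE = re.compile(r"^/resume/view\?id=\d+$")  # candidate profile pages only

def parse_log(text):
    """Yield (timestamp, account, ip, path) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, acct, ip, path = m.groups()
            yield datetime.fromisoformat(ts), acct, ip, path

def flag_harvesters(text, window=timedelta(seconds=60), max_views=5, min_ips=2):
    """Return {account: (views, ips)} for accounts that fetched more than
    max_views distinct profiles from >= min_ips source IPs inside one window."""
    per_acct = defaultdict(list)
    for ts, acct, ip, path in parse_log(text):
        if PROFILE_RE.match(path):
            per_acct[acct].append((ts, ip, path))
    flagged = {}
    for acct, events in per_acct.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            span = events[start:end + 1]
            views = len({p for _, _, p in span})
            ips = len({i for _, i, _ in span})
            if views > max_views and ips >= min_ips:
                if views > flagged.get(acct, (0, 0))[0]:  # keep the busiest window
                    flagged[acct] = (views, ips)
    return flagged
```

On the constructed sample, only the account that pulled six distinct profiles through three different exits in five seconds is flagged; the slow single-IP reviewer is not.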

Description of the do-it-yourself email harvesting tool:

"Your attention is invited to product-collector e-mails within web resources. By purchasing our product, you get free updates for life, the opportunity to use our hosting for the collection of e-mails. Many have already chosen our product and we are grateful. Product Price: $ 600 Help with the installation - for free. It is possible to write custom modules - normal price is $ 100 and the availability of the resource account for which you want to write a module. PHP Mailers for direct spamming come as a gift."

Sites targeted and included in the web application:

Ajcjobs.com; CareerBuilder.com; CareerMag.com; ComputerJobs.com; HotJobs.com; JobControlCenter.com; Jobvertise.com; MilitaryHire.com; Monster.com; Seek.com.au

With the increasing information sharing between security vendors, non-profit organizations and independent researchers, the pressure put on spammers, phishers and malware authors is prompting them to consolidate, and to start exchanging resources and know-how. And while some of the participants provide the infrastructure for mass mailing the phishing and spam emails (malware authors), others would continue abusing the clean IP reputation of legitimate email services, where, once they've managed to find a way to bypass the CAPTCHA authentication process, several hundred thousand rogue email boxes would be registered. This particular scenario as a matter of fact represents the current situation, and the basics of supply and demand in the underground market.

Out there right now, there's a legitimately registered user whose access to a site is being efficiently abused as part of an illegal operation. It could happen at any site, at any time, not necessarily job sites only, given that a custom module for any other site could be built as well. However, job sites were originally targeted in this incident because of the quality of the personal information and the ease of aggregating it.

Here are several more related screen shots showcasing the rest of the tool's options.

A sample output in the form of full name and the associated email (screenshot).

The variables to set before harvesting the email addresses (screenshot).

Other variables for a specific career site (screenshot).

Sample log file of the process (screenshot).

The trend of obtaining high quality personal data from business social networks is only starting to take place.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

6 comments
  • Stealing data is one thing and spamming is another

    The only way to stop spam is at its originating point.
    If ISPs were encouraged to follow a mandate for testing the validity of a source e-mail (vis-a-vis test for PGP MIME signature) all non-conformant email could get bounced or shunted to /dev/null.

    It would mean a lot of change to how email is handled, but not a lot of infrastructure change would be necessary.

    The question is what incentive is there for ISPs to provide a united front, nationally, globally?

    Making law with very high financial penalties for non-compliance is one way to have everyone reading from the same page.

    Email (S/MIME, PGP, GnuPG) with signed certificates is very hard to defeat, not to mention, the privacy and security that it would derive from enforcing a secure MIME architecture.

    If the success of corporate VPNs is any indication of how effective closing down a channel on the internet can be, then we should consider how enclosing emails in a similar vein can be accomplished expediently and efficiently for the sake of everyone's betterment.
    D T Schmitz
  • Here's something that I collected while browsing

    http://www.speedyshare.com/269575238.html
    BALTHOR
    • Oh how lovely.

      I wonder what it actually is. I am not, however, tempted to find out.
      seanferd
  • RE: Major career web sites hit by spammers attack

    Reading the article is like trying to read dianetics.
    Ashtonian
  • RE: Major career web sites hit by spammers attack

    Does the term "burying the lede" mean anything to you?
    Vesicant
  • RE: Major career web sites hit by spammers attack

    I think this is similar to cross site scripting attacks that Larry, Dancho, Nate have stated in another article about "HackerSafe":
    http://blogs.zdnet.com/security/?p=1092
    I get my share of attacks on the network even though our site doesn't have any forms or sell anything. I've seen the junk from my posting at one of these job websites, but I didn't at that time put more than my name, email and phone number, so most of my junk is from email.
    I see that Dice.com is not on the list of websites, which would be embarrassing for a tech specific job website.
    phatkat