Websense Security Labs explains spammers' Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics (proper email accounts, visual social engineering, and fast-flux) that together represent a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics.

For the spammers, the entire attack strategy includes more than registering email accounts using Anti-CAPTCHA operations; sending mass emails over the Internet; infecting thousands of user machines; and stealing information. In addition, spammers want to increase the overall time a spam campaign survives online and make it increasingly difficult to trace the campaign back. To this end, they use randomized, complex networks, through which they advertise their products and services.
To achieve success, spammers have been using a combination of tactics at different levels in their attacks.
This combination of tactics can be conceptualized in three different stages.
Stage 1: Spammers using Anti-CAPTCHA registered accounts for mass-mailing purposes
Anti-CAPTCHA registrations of Microsoft Windows Live Mail, Microsoft Windows Live Hotmail, Google’s Gmail, and Yahoo Mail accounts have already brought a certain level of success to spammers. To some extent, spammers can defeat anti-spam filters that rely heavily on reputation-based detection by using these Anti-CAPTCHA accounts for spamming from their corresponding (well-reputed) email service providers.
Stage 2: Spammers’ tactics in advertising their products and services
Spammers’ next tactic in this strategy comprises advertising their content using sophisticated techniques. Spammers are creating visual social engineering attacks, consisting of accounts registered at free Web space providers, by adopting the CAPTCHA breaking process, and then using these accounts as redirectors or doorway pages to advertise products and services (see Figure 3.2: Redirection or doorway page to actual spam domain). An illustration of this spammer tactic was reported by Websense recently, in which Google’s Blogger Anti-CAPTCHA operations were carried out for spam runs.
Stage 3: Spammers’ tactics to protect their advertising infrastructure online
With a certain degree of success so far, spammers’ next significant tactic in their 3-stage strategy is to increase the overall time their spam domains and advertising networks remain online, and to make it increasingly hard to trace them back, because of their randomized and complex networks. This ensures that they remain virtually impossible to shut down.
Websense has observed that spammers have increased their use of multiple fast-flux networks to advertise their products, as a part of this attack strategy. The fast-flux concept provides spammers with a scalable, robust, and multi-layered network structure. The layered structure and the complex behavior of the network provide protection to spammers’ domains, thereby making it difficult to trace them back.
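A defender-side view of Stage 3, as an added example that is not from Websense or the original post: a heuristic that flags fast-flux-like domains from repeated DNS lookups. It relies on general background not stated on this page (fast-flux domains resolve to many short-lived addresses spread over unrelated networks), and the sample records, function names, /16 grouping and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample: (domain, A-record IP, TTL in seconds) seen over repeated lookups.
# Domains and addresses are placeholders, not real indicators.
OBSERVATIONS = [
    ("shop.example", "10.1.0.10", 3600),
    ("shop.example", "10.1.0.11", 3600),
    # Low TTL and several IPs, but all in one network: CDN or round-robin pattern.
    ("cdn.example", "10.2.0.1", 60),
    ("cdn.example", "10.2.0.2", 60),
    ("cdn.example", "10.2.0.3", 60),
    ("cdn.example", "10.2.1.4", 60),
    ("cdn.example", "10.2.1.5", 60),
    # Low TTL and IPs scattered over many networks: fast-flux-like pattern.
    ("pills.example", "10.3.7.20", 180),
    ("pills.example", "10.44.9.3", 180),
    ("pills.example", "10.91.2.77", 120),
    ("pills.example", "10.120.5.8", 180),
    ("pills.example", "10.200.1.14", 180),
    ("pills.example", "10.3.88.2", 180),
]

def flux_profile(observations):
    """Per domain: distinct IPs, distinct /16 networks, and the largest TTL seen."""
    acc = defaultdict(lambda: {"ips": set(), "nets": set(), "max_ttl": 0})
    for domain, ip, ttl in observations:
        entry = acc[domain.lower().rstrip(".")]
        entry["ips"].add(ip)
        # Crude stand-in for an ASN lookup (assumption): group by first two octets.
        entry["nets"].add(".".join(ip.split(".")[:2]))
        entry["max_ttl"] = max(entry["max_ttl"], ttl)
    return {d: {"ips": len(e["ips"]), "nets": len(e["nets"]), "max_ttl": e["max_ttl"]}
            for d, e in acc.items()}

def flag_fast_flux(observations, min_ips=5, min_nets=4, max_ttl=300):
    """Flag domains whose answers are short-lived AND spread over many networks.
    Thresholds are illustrative assumptions, to be tuned on local DNS data."""
    flagged = []
    for domain, p in flux_profile(observations).items():
        if p["ips"] >= min_ips and p["nets"] >= min_nets and p["max_ttl"] <= max_ttl:
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(flux_profile(OBSERVATIONS))
    print(flag_fast_flux(OBSERVATIONS))
```

Requiring network diversity in addition to a short TTL is what keeps the CDN-style domain out of the result; a production version would map addresses to ASNs instead of /16 prefixes.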