Spammer’s Leaky Backup Exposes Massive Empire

A massive spam operation that sent out more than one billion messages a day was exposed by researchers who called the operation “illegal” and a “tangible threat to online privacy and security.”

A massive spam operation that sent more than one billion messages a day was exposed by researchers who credit a poorly configured remote synchronization backup for tipping them off to what they say is a “tangible threat to online privacy and security.”

The faulty backup publicly exposed data belonging to the U.S.-based firm River City Media. A subsequent investigation by researchers at MacKeeper Security Research Center and The Spamhaus Project explained how the company and a web of affiliated businesses built a massive spam empire that appeared to rely on many illegal techniques.

“There was already a sense that this company was engaged in this type of spamming. But, we were shocked to discover how extensive the operation was and the numbers of players involved,” said Chris Vickery, security researcher at MacKeeper.

Most alarming to researchers was that the spam operation had amassed 1.4 billion identities that tied together real names, email addresses and IP addresses. “Normally the police have to go through a subpoena process to get that level of detail about someone’s email address,” Vickery said. “This company used every trick in the book to build their own databases.”

Researchers said in most cases spam recipients were duped into agreeing to be part of the various spam campaigns. “Well-informed individuals did not choose to sign up for bulk advertisements over a billion times,” wrote MacKeeper in a blog post explaining the research. “The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the ‘Submit’ or ‘I agree’ box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.”

Researchers also allege that River City Media used scripts to exploit vulnerabilities in Microsoft’s Hotmail servers and Google’s Gmail servers, Vickery said.

One of the questionable scripting techniques was described as a “warm-up” method used by the company. The technique leveraged tens of thousands of Gmail, AOL, Hotmail, and Yahoo email accounts created by River City Media. The company used the “warm up” accounts to send spam from one of 100,000 domains under the company’s control. Test messages determined which domains and IP addresses were not blocked, to increase the odds that messages sent from those domains would not be identified as spam.

Researchers contend in their report the company was engaged in “illegal hacking due to the presence of scripts and logs enumerating the groups’ many missions to probe and exploit vulnerable mail servers.”

In one example found in a chat log that was part of the company’s faulty backup, River City Media staff members admit to exploitative behavior against Google’s email service.

“What was legal and illegal isn’t for me to decide,” said Vickery. “But there are plenty of logs where they discuss illegal scripts and research into basically attacking mail servers and tricking the mail servers into doing things that would be against the law.”

Anti-spamming organization Spamhaus said as a result of this investigation it will be taking action on all of the IP addresses and other elements connected with spamming abuses.

The faulty rsync backup revealed everything from Hipchat logs and domain registration records, to accounting details, infrastructure planning and production notes, scripts and business affiliations. According to Vickery, the company was not hacked; rather, River City Media suffered a data breach for which the company itself was directly responsible.
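The article says only that a poorly configured rsync backup made the data public, not which setting was wrong. The following is an added example, not code from Threatpost, MacKeeper, Spamhaus or River City Media: a small audit script that parses an `rsyncd.conf` and flags the common failure mode the report's description suggests, an rsync daemon module that any host can list and read because neither `auth users` nor `hosts allow` is set. The sample configuration, module names and paths are constructed for the example.

```python
"""Audit an rsyncd.conf for modules exposed without access controls.

Added example, not code from the article or the parties it names. The
article does not state which rsync setting was misconfigured; this script
assumes the common case of a daemon module with no `auth users` and no
`hosts allow`, which rsyncd serves anonymously to any client.
"""

# Constructed sample rsyncd.conf: one exposed module, one restricted one.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

# Exposed: no auth users, no hosts allow, listable by default
[backup]
    path = /srv/backup
    comment = nightly backup
    read only = yes

# Restricted: authenticated users, allowed hosts, hidden from listing
[backup-restricted]
    path = /srv/backup
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    read only = yes
    list = no
"""

TRUE_VALUES = ("yes", "true", "1")


def parse_rsyncd_conf(text):
    """Return (global_settings, {module_name: {key: value}}).

    rsyncd.conf is flat: `[module]` headers, `key = value` lines, and
    comments starting with `#` or `;`. Keys are case-insensitive.
    """
    global_settings, modules = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            modules[name] = {}
            current = modules[name]
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return global_settings, modules


def audit_module(name, settings, global_settings):
    """Return a list of findings for one module; an empty list means OK."""
    # Global parameters act as defaults that each module may override.
    effective = {**global_settings, **settings}
    findings = []
    anonymous = "auth users" not in effective
    if anonymous:
        findings.append(f"[{name}] has no 'auth users': clients connect anonymously")
    if "hosts allow" not in effective:
        findings.append(f"[{name}] has no 'hosts allow': any source address is accepted")
    if anonymous and effective.get("list", "yes").lower() in TRUE_VALUES:
        findings.append(f"[{name}] is listable ('list' defaults to yes): module is discoverable")
    if effective.get("read only", "yes").lower() not in TRUE_VALUES:
        findings.append(f"[{name}] is writable ('read only = no'): backups could be altered")
    return findings


def audit_rsyncd_conf(text):
    """Audit every module in the given rsyncd.conf text."""
    global_settings, modules = parse_rsyncd_conf(text)
    return {name: audit_module(name, s, global_settings) for name, s in modules.items()}


if __name__ == "__main__":
    for module, findings in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{module}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run it against a real `/etc/rsyncd.conf` by reading the file into `audit_rsyncd_conf`. The checks are deliberately conservative: a module with `auth users` but no `hosts allow` is still flagged, because password authentication alone leaves the service reachable from anywhere.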

Researchers linked River City Media to more than 20 business partners using 30 aliases. The report claims that, at River City Media’s core, only 12 people were behind the massive spamming operations.

Publicly exposed backups of the company are from December 2016 to January 2017. “Between October 2016 and January 2017, RCM collected $937,451.21 USD for their campaigns from various affiliate networks, including AdDemand, W4, AD1 Media (Flex), and Union Square Media. RCM campaign logs show business relationships with some of these companies dating back to July of 2015,” according to CSOOnline.

As part of their investigation, researchers informed law enforcement. Threatpost attempted to reach River City Media via several emails listed for the company, but did not get a response in time for this report.
