A new phishing campaign that has taken a Jerry Seinfeld-like approach with its scam by making the email about nothing by not including any text in the email body, just an attachment, is also abusing web hosting providers at a prodigious rate.
Unlike almost every other phishing campaign that expends a great deal of time and effort to develop a social engineering plan to convince their victims that the email and its attachment are legitimate and safe to open, this group is simply leaving the body of the email blank, said Palo Alto Networks. The research firm, which has tagged the campaign Blank Slate, also noted that those behind the scheme have come up with an excellent system for refreshing their arsenal of genuine hosting providers enabling them to keep the scam going for months.
Palo Alto's Brad Duncan explained the theory behind leaving the message area blank.
"The short answer is because it clearly works. A blank message is cheaper and easier to make than one with social engineering text. And as our research has shown, it is effective," he told SC Media.
This particular attack requires a lot of effort on the victim's part in order to actually download the malware. This includes diligently working through many steps and at each stage ignoring an explicit warning from their system in order to download the malware, which is generally Cerber, Locky or Sage 2.0 ransomware.
“User ignores security warnings and opens the zip archive included in the malspam. User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file. User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file,” he wrote.
Once the attachment is opened the download takes place.
While the malicious actors may not have put any effort into their social engineering plan, they did give some serious thought on how to maintain the campaign. The malicious spam is spread through botnets run through hosting providers all over the world, Duncan noted. Initially more than 500 such providers were spotted, but what proved interesting was that the bad guys had a constant supply of replacement providers ready to go when one being used was taken offline.
“These domains were active for a few days before they were taken off line. Then the criminals behind Blank Slate moved to newly-registered domains, sometimes using the same hosting provider. This cycle has repeated itself over and over since July 2016,” he said.
One reason this is doable is the low cost involved in setting up an account, all that is required is an email account (free) burner phone ($30) and the accounts are often paid using stolen credit card.
“When a server is taken off-line, the criminals can easily establish another server through a new account using a different email, phone number, and stolen credit card data. The cost is relatively inexpensive,” he said.
And because of this Duncan and Palo Alto believe the scam will live on.