Meet "Hailstorm," the Latest Email Spamming Technique - Computer Troubleshooters Huntsville

Published on: December 23rd, 2016

A new technique for sending email spam has become very popular with cyber-criminals, said Cisco this week, following an investigation from its Talos and OpenDNS Umbrella security teams.

In the early days of the Internet, when cyber-criminals wanted to send annoying emails, they just fired up their cannons and kept them online around the clock.

As time went by, email providers got smarter and added spam filters, and security firms started creating email security systems that could pick up abnormal email flows.

Spammers didn’t stand idle, and their email sending techniques evolved over time, mostly to avoid spam filters, email security systems, and spam source blacklists.

From snowshoe spamming to hailstorm floods
These days, the most popular and efficient spamming technique is called “snowshoe spamming,” which relies on spreading the source of the spam emails over a large number of IPs, with the spam flood unfolding over days or weeks.

Snowshoe spamming is sustained via spam botnets made up of infected home computers, compromised servers, or hacked websites that host mailer scripts.

With snowshoe spamming, no single bot sends more than a few requests during a spam flood, which nicely blends in with regular server email activity.

But snowshoe spamming has been around for some time now, and security firms have slowly started to build a database of infected hosts. As such, there’s a need to find new ways to deliver the spam, before snowshoe spamming efficiency dips too low.

The solution that spammers came up with is a technique called “hailstorm spamming,” which relies on sending the entire spam campaign in a very short timeframe.

[Figure: Hailstorm and Snowshoe Spam DNS queries]

Instead of drawing out a spam flood over weeks, a hailstorm spam is over before you know what happened.

“In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response,” the Cisco team highlights.

Spammers appear to be acting on the premise that spam and phishing campaigns are most effective in their first hour.

They no longer seem as interested in protecting the integrity of their botnet as they are in delivering their spam with the highest efficiency. Most likely, the proliferation of IoT botnets made up of smart devices has helped.

Hailstorm spam generates a massive amount of DNS queries per hour
In the hailstorm spam wave Cisco detected over the last month, the company says that crooks sent out spam that generated around 75,000 DNS queries per hour for the spammed domain.

For comparison, a previous snowshoe spam campaign triggered only a maximum of 35 DNS queries per hour for its spammed domain.

The difference is astounding and highlights the need for a faster response from spam detection and email security systems.
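As an added illustration (not code from Cisco's report or from this article), the sketch below flags a domain whose DNS query volume jumps from near zero to a sustained burst, and reports how many seconds of the burst had elapsed when the alert fired. The window, floor and ratio are assumed values, and the `.example` domains and traffic are constructed, with rates scaled to the figures quoted above.

```python
from collections import defaultdict, deque

WINDOW_S = 300       # assumed trailing window (5 minutes)
MIN_QUERIES = 1000   # assumed floor, so low-volume domains never alert
SPIKE_RATIO = 10     # assumed: current window must be 10x the previous one

def detect_bursts(events, window_s=WINDOW_S, min_queries=MIN_QUERIES,
                  ratio=SPIKE_RATIO):
    """events: (epoch_seconds, domain) tuples sorted by time.
    Returns {domain: seconds between the oldest query in the alerting
    window and the alert itself}."""
    cur = defaultdict(deque)    # timestamps inside the trailing window
    prev = defaultdict(deque)   # timestamps inside the window before it
    alerts, start = {}, None
    for ts, domain in events:
        if start is None:
            start = ts
        c, p = cur[domain], prev[domain]
        c.append(ts)
        while c[0] <= ts - window_s:             # age out of current window
            p.append(c.popleft())
        while p and p[0] <= ts - 2 * window_s:   # age out of previous window
            p.popleft()
        # Before two full windows have passed there is no baseline to compare.
        warmed_up = ts >= start + 2 * window_s
        if (warmed_up and domain not in alerts
                and len(c) >= min_queries
                and len(c) >= ratio * max(len(p), 1)):
            alerts[domain] = ts - c[0]
    return alerts

def constructed_sample():
    """Constructed two-hour query log (not real data)."""
    ev = []
    # Steady, legitimately busy domain: 10 queries per second throughout.
    ev += [(t, "busy.example") for t in range(7200) for _ in range(10)]
    # Snowshoe-like domain: roughly 35 queries per hour.
    ev += [(t, "snowshoe.example") for t in range(0, 7200, 103)]
    # Hailstorm-like domain: 75,000 queries in the hour starting at t=3600.
    ev += [(3600 + i * 3600 / 75000, "hailstorm.example") for i in range(75000)]
    return sorted(ev)

if __name__ == "__main__":
    for domain, latency in detect_bursts(constructed_sample()).items():
        print(f"{domain}: burst flagged {latency:.1f}s after it began")
```

Comparing against the previous window rather than an absolute count keeps a steadily busy domain from alerting, while the low hourly rate of the snowshoe-like domain never reaches the floor.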
