
Fortune 500s Unwittingly Become Spammers

The next time you receive a piece of junk e-mail touting penny stock, pimping Rolex watches, or lauding a work-at-home scam, consider investigating who really sent it. You may be surprised.

Security Fix reviewed spam samples captured in the last month and found many instances of spam sent via computers at well-known Fortune 500 companies. Among the findings were:

-- PayPal phishing scam e-mails coming from a machine at database software giant Oracle Corp.

-- Penny stock spam being relayed by a PC inside American Electric Power. A stock spam for a company called NutriOne Corp. was generated from networks owned by computer maker Hewlett-Packard. Another stock scam from ExxonMobil touted shares of China Fruits Corp.

-- Junk e-mail pushing knockoff prescription drugs, sent from a machine at IndyMac Bank. A message advertising similar goods was sent from a PC at Home Depot, and another from a computer at game company Electronic Arts. The EA machine is listed in Spamhaus.org's "Exploit Block List" (XBL), which flags Internet addresses showing signs of running spam relays, among other things.

-- Spam advertising penile enhancement pills relayed through a Dow Jones network.

-- Spam hawking costume jewelry and name-brand watches, relayed by a computer at Best Buy. This machine also is listed in the Spamhaus XBL list.

The junk e-mails listed above were gathered in traps set by Support Intelligence, a data mining company based in San Francisco. Rick Wesson, the company's chief executive, said the spam samples strongly suggest that the machines in these companies have been compromised by a virus or worm. He noted that most malicious software includes the ability to configure the infected machine for use as a relay for junk e-mail.

"Obviously, the idea that spam doesn't come from corporate America is a fallacy," Wesson said. "Take this computer at Best Buy, for instance. We've received thousands of spam from it over the past month."

Security Fix forwarded a copy of the messages and contacted the companies named. Below each spam e-mail listed in this post is information generated by looking up the Internet address and owner of the sending machine.

Best Buy spokesperson Kelly Groehler confirmed that the machine was sending spam, and said the company was "mortified" at the prospect of an internal PC spewing junk e-mail.

Groehler added that Best Buy's engineers were "fixing the problem as we speak," adding that "this is just not acceptable, and it's obviously inconsistent with how we want to run our business."

Steven Swick, an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants. The company blocked the contractor's PC from accessing the network after being contacted by Security Fix.

Swick said that due to contractual agreements, AEP was obligated to set up the contractors with Web mail, instant messaging and other communications tools that generally are not allowed inside of the company's network. "We're working with the contractor now to perhaps readdress the contract and see if there is more operationally that we can do to make sure this doesn't happen again."

A spokesperson for Hewlett-Packard declined to comment for this story.

By Brian Krebs | March 29, 2007; 11:11 AM ET | Fraud, From the Bunker, Misc.

Comments

I feel bad for the IT professionals at these companies. YOU know they are catching all the heat when the employees' online behavior is hard for them to control. It is important to also know that this is unacceptable for large companies to have. The people who narrowly avoid phishing are much more likely to click on links from actual trusted sources.

Posted by: Md525 | March 29, 2007 1:45 PM

I don't feel too bad for the IT depts at these companies. Why didn't they have anything in place that would have detected these bots? Didn't they notice the increased levels of mail going out of port 25? Why didn't a network virus scan pick it up? There are plenty of whys when it comes to something like this. Users' bad behavior becomes a moot point when a network is operated as loosely as these companies are.

Posted by: Lurker | March 29, 2007 2:40 PM

There doesn't seem to be any suggestion that maybe one common thread in each of these bot takeovers is, again maybe, one particular operating system? I'm not sayin' y'know, but if all the roads are leading to Rome. Y'know...

Posted by: Mr. Pointer Outer | March 30, 2007 1:55 AM

Corporate IT departments are all hog-tied.

Posted by: George | March 30, 2007 2:53 AM

Yes, this article is true :( I too receive many spam mails and virus-attached mails from the domain names of top companies like Oracle... I tried to report it to them, but there are no options to report abuse on their websites.

Posted by: Shivaji | March 30, 2007 4:28 AM

I wonder why all of the computers did not go on the XBL, if they already discovered that the computer at Best Buy sent thousands of emails!? I mean, c'mon... that's a thing you notice fast.

Posted by: Anonymous | March 30, 2007 4:29 AM

Re: Lurker

Have you thought about what you said in the context of a large company? Let's assume there are 10,000 people at BestBuy HQ. Each one of them sends only 3 Internet messages a day = 30,000 / day x ~ 20 work days a month = 600,000 messages per month.

The guy said they have seen thousands of (pieces of) spam over the past month. Assuming he isn't inflating or deflating the numbers (e.g. not 1,000 or 10,000), suppose that machine sent 6,000 messages a month.

That is a 1% increase in the number of messages sent. Other than looking at the times of day when things are sent I doubt you would even notice something that small.

Also, you asked why virus scanners didn't notice the spam. That is because virus scanners look for viruses, not spam. For that task you need a spam scanner, and not many corporations have those installed internally.

Posted by: JustMatt | March 30, 2007 7:36 AM

The real issue in my mind is that all these Fortune 100-500 companies have been compromised. If you think all big companies have nicely segmented networks, and follow a security in depth model, you are crazy. Most have big flat internal networks. Think of all that sensitive data a smart bot master would have access to.

I would think that if we are seeing spam from those networks, then there is a good chance they have already been drained of everything the Russian mob would find tasty.

kago

Posted by: Kago | March 30, 2007 9:40 AM

I feel for the security departments. The questions are
a) were they hobbled by the administration?
b) were they underfunded?
c) did they have upper management backing?

The answer to these questions could easily determine the direction of the "winds of blame."

Mr. Pointer Outer:
No operating system can excuse bad security. Blaming it on an OS is lame.

Posted by: Sn00p3r | March 30, 2007 11:01 AM

Our IT department would automatically get notified within minutes if one of our computers were spewing bot-infected spam.

And we're not even locked that tight here.

Everyone's PC can be compromised. You can't account for human stupidity. To stop the bot infection from doing any damage, you gotta have some controls on your network.

Posted by: tpp | March 30, 2007 12:00 PM

The sad thing about this is that it's trivial to prevent. All they have to do is block anything going to port 25 that's not from an official internal mail server. A policy requiring only authenticated outgoing email connections (port 465) would still allow normal email traffic and would completely stop the bots from getting their messages out of the network.

Posted by: JohnM | March 30, 2007 1:01 PM
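JohnM's policy (only the official mail server may open outbound port 25) and Lurker's question about noticing the extra mail leaving on port 25 can both be checked from network flow records. The script below is an added example, not code from the post or its commenters; the internal address range, the sanctioned relay address and the flow lines are all constructed for illustration.

```python
"""Per-host review of outbound SMTP flows to spot unsanctioned mail senders (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")      # assumption: the company's internal range
MAIL_RELAYS = {ip_address("10.0.0.25")}      # assumption: the only host allowed to send mail out
SMTP_PORTS = {25}                            # direct-to-MX delivery, the path spam bots use

# Constructed flow records, one per connection: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """
10.0.0.25 198.51.100.10 25
10.0.0.25 198.51.100.11 25
10.1.2.3 203.0.113.5 25
10.1.2.3 203.0.113.6 25
10.1.2.3 203.0.113.7 25
10.1.2.3 203.0.113.8 25
10.1.2.3 203.0.113.9 25
10.5.5.5 10.0.0.25 25
10.5.5.5 203.0.113.50 443
10.7.7.7 203.0.113.20 25
"""


def parse_flows(text):
    """Yield (src, dst, port) tuples; malformed lines are skipped."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield ip_address(parts[0]), ip_address(parts[1]), int(parts[2])


def outbound_smtp_by_host(flows):
    """Map each internal host (other than a sanctioned relay) to the external SMTP
    servers it contacted directly. Every key violates the "relay only" policy.
    Counting per host, not in aggregate, is what makes a small rise in total mail visible."""
    dests = defaultdict(set)
    for src, dst, port in flows:
        if port not in SMTP_PORTS or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue  # not egress SMTP (internal mail to the relay is fine)
        if src in MAIL_RELAYS:
            continue  # sanctioned path
        dests[str(src)].add(str(dst))
    return dests


def suspected_spam_relays(flows, min_destinations=3):
    """Hosts that delivered directly to at least min_destinations distinct external mail
    servers. A desktop hands all mail to one relay; a bot talks to many MX hosts."""
    return sorted(h for h, d in outbound_smtp_by_host(flows).items() if len(d) >= min_destinations)
```

Blocking port 25 at the edge for everything except MAIL_RELAYS turns the same policy check into prevention; the flow review is still useful afterwards because bots that hit the block show up as repeated denied attempts from one host.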

I often track down the source (usually munged) or the website link. Only twice in the last year has an ISP actually corrected the problem by shutting down the site. They were both smaller ISPs.

NONE of the big ones do more than the auto-response message, if that.

Personally, I would WANT to know if my systems became a bot, and fix it.

Posted by: garyd | March 31, 2007 6:07 AM

© The Washington Post Company