Segmented Russian “spam leads” offered for sale


By Dancho Danchev

What is the Russian underground up to when it comes to ‘spear phishing’ attacks? How prevalent is the tactic among Russian cybercriminals? What “data acquisition tactics” do they rely on, and just how sophisticated are their “data mining” capabilities?

Let’s find out by looking at a recent underground market advertisement offering access to data that can greatly improve the click-through rate of a spear phishing campaign. The irony? It’s being pitched as “spam leads”.

More details:

Sample screenshot of the Russian “spam leads” offered for sale:


Second screenshot of the Russian “spam leads” offered for sale:


Third screenshot of the Russian “spam leads” offered for sale:


The “spam leads” include market sector, market segment, type of company, city, full name of the company, postal address, fax, phone number, email, Skype, web site, as well as the GPS coordinates.

While the seller is (thankfully) not aware of the true underground market potential of their harvested/compromised/fraudulent opt-in type of data, others are, and will definitely take advantage of the fact that such a database is currently offered for sale. It’s also worth discussing some of the most popular “data acquisition tactics” that cybercriminals rely on when selling this type of data.

There are several tactics a cybercriminal can leverage to gain access to this type of data:

  • Fraudulent opt-in offers – the concept is fairly simple: your company receives an email about possible inclusion in a fake business directory, but must either pay for it first (advance fee fraud element) or sign a contract which allows the scammers to legally re-bill the company. The cybercriminals behind these attacks leverage the collected data to launch spear-phishing attacks, targeting thousands of companies across the globe.
  • Hacked databases – in terms of quality data, nothing compares to the “value” of a hacked database. Users entrust sensitive and personal details to the service maintaining it, and it is therefore a gold mine for potential spear phishing campaigns if compromised.
  • Harvesting publicly obtainable data by outsourcing the CAPTCHA-solving process – In 2013, CAPTCHA is dead! Low-wage CAPTCHA solvers in developing countries killed it. Keeping this in mind, it shouldn’t be surprising that money mule recruiters actively harvest data from job/career web sites, and other cybercriminals are doing exactly the same while targeting legitimate Web properties that rely exclusively on CAPTCHA to prevent this type of automated abuse.

We advise users to be extra cautious before trusting an email offer that knows too much about you. This includes emails sent from trusted friends. Protect yourself by following up and alerting your friends and/or the abused service or company if you suspect foul play.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
