At Palo Alto Networks, Unit 42 analyzes threats across the spectrum – from nation state all the way down to Florida state. In this blog, I’ll be covering two aspects of multi-year affiliate marketing spam campaigns designed to deceive individuals, scam, and profit off of people’s desire to change their lives. First, I’ll provide an overview of a spam campaign sent to some customers that led me down this more than two year rabbit hole, and then dig into the inner workings. This blog covers a number of topics: data collection, analysis, and enumeration of infrastructure. These efforts allowed us to map out thousands of compromised servers and abused domains and hundreds of compromised accounts, resulting in a collaborative effort with GoDaddy to take down over 15,000 subdomains being used across these campaigns.
Unit 42 investigates how attackers were creating fake versions of some well-known and well-trusted websites, and how they were used in phishing emails to unsuspecting victims. Read the Threat Brief to learn more.
Unit 42 identifies a new malicious spam campaign using United States Postal Service themed emails redirecting to fake Microsoft Word online sites.
Unit 42 discovers malspam campaign using hosting providers to spread ransomware.
Unit 42 analyzes the Ursnif banking Trojan.
Unit 42 researchers recently observed an unusually clever spambot’s attempts to increase delivery efficacy by abusing reputation blacklist service APIs. Rather than sending spam as soon as the host is infected, the bot checks common blacklists to confirm its e-mails will actually be delivered, and if not, shuts itself down. This spambot, commonly downloaded by