Spam volume is back to mid-2010 heights, and Cisco Talos researchers say that the Necurs botnet is partly to blame.
“Many of the host IPs sending Necurs’ spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks,” researcher Jaeson Schultz explains.
“This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again.”
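The rotation Schultz describes (a host active for a few days, then silent for weeks) is visible in a mail gateway's own logs if per-IP activity is tracked over time rather than per incident. The following is an added example, not code from the Talos report; the log lines are constructed and the seven-day silence threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of spam-sender sightings ("ISO-timestamp source-IP"), not real data.
SIGHTINGS = """\
2016-03-01T10:00:00 198.51.100.7
2016-03-02T11:30:00 198.51.100.7
2016-03-24T08:00:00 198.51.100.7
2016-03-25T14:45:00 198.51.100.7
2016-03-01T10:05:00 203.0.113.9
2016-03-02T10:05:00 203.0.113.9
2016-03-03T10:05:00 203.0.113.9
"""

def parse_sightings(text):
    """Return {ip: sorted list of datetimes} from 'ISO-timestamp ip' lines."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, ip = line.split()
            seen[ip].append(datetime.fromisoformat(ts))
    return {ip: sorted(times) for ip, times in seen.items()}

def active_windows(times, gap=timedelta(days=7)):
    """Group sorted sightings into activity windows separated by silence >= gap."""
    windows = []
    start = prev = times[0]
    for t in times[1:]:
        if t - prev >= gap:
            windows.append((start, prev))
            start = t
        prev = t
    windows.append((start, prev))
    return windows

def recurring_senders(text, gap=timedelta(days=7)):
    """IPs that went quiet for at least `gap` and then resumed sending: the
    rotation pattern of a bot held in reserve, not a host that was cleaned."""
    result = {}
    for ip, times in parse_sightings(text).items():
        windows = active_windows(times, gap)
        if len(windows) > 1:
            result[ip] = windows
    return result

if __name__ == "__main__":
    for ip, windows in recurring_senders(SIGHTINGS).items():
        spans = ", ".join(f"{a.date()}..{b.date()}" for a, b in windows)
        print(f"{ip}: {len(windows)} activity windows ({spans})")
```

An IP flagged here after a "clean-up" ticket was closed is a signal that the infection was never removed, only idle.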
Whoever is behind the botnet has also switched from sending Russian dating and stock pump-n-dump spam to sending emails containing malicious attachments, which would ultimately deliver either the Locky ransomware or the Dridex banking Trojan.
Funnily enough, another reason for the uptick in spam volume is that anti-spam systems have become very adept at catching it.
“In any reasonably well-designed spam campaign there will always exist a very narrow window of time between when that spam campaign begins, and when anti-spam coverage is deployed to counter that campaign. In most anti-spam systems, this ‘window of opportunity’ for spammers may be on the order of seconds or even minutes,” says Schultz.
The spammers have reacted by mounting high-volume campaigns: they send out as much email as possible and hope the campaign is not detected quickly – and even when it is, many emails slip past the spam defenses in those crucial few minutes.