14 DAY TRIAL // Nearly 1.4 billion user records were leaked by a company run by known spammers after said company unknowingly leaked a series of files full of sensitive information about its operations.
River City Media (RCM) claims to be a legitimate marketing firm, but it's actually known to be one of the largest spammers out there, featuring on Spamhaus' Register of Known Spam Operations.
The entire operation was discovered by Chris Vickery, MacKeeper researcher, who actually teased the big news on Twitter a few days ago, making the world wonder just who the target was going to be and who messed up this time, with speculations going from Facebook to WeChat, to YouTube, and more.
The situation, however, is a bit more different this time. The leaked data comes from an Rsync backup belonging to River City Media which was left unattended. The collection of information was analyzed by Vickery in collaboration with Spamhaus and CSO Online, after which they allerted law enforcement, especially since some of the unprotected files contain evidence of illegal activities. Tech giants have already been notified since this also affects them.
Vickery says that the leaked data includes financial documents, backups and chat logs. There are also 1.37 billion user records including names, email addresses, physical addresses, and IPs, making for one big mess.
They believe that all the information was collected by spammers through credit checks, education opportunities, sweepstakes, and other similar activities.
All the tricks of the trade
In a blog post, Vickery says that well-informed individuals did not choose to sign up for bulk advertisements over a billion times, and so, the most likely scenario is that they used a combination of techniques to get all this data. For instance, when clicking on "submit" or "I agree" next to the small text on a website, you might have potentially agreed to share your personal details with affiliates of the site.
There are also illegal tools put to use, which will be the downfall of this spam empire. One of the leaked files explicitly describes how the spammers leveraged a method to target Gmail servers by opening as many connections as possible between them and the target server.
“This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections,” Vickery explained. “Then, when the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels. The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails.”
The same has likely been done against Hotmail, AOL, and other email services.
“Slowloris, released in 2009, is a nothing more than a script designed to slowly consume all available connections on a server. When all connections are consumed, the server cannot process any new connections; causing a denial of service condition. Known as a ‘Layer 7’ denial of service attack, the most effective way to defeat Slowloris is to protect servers with anti-DDoS technology, that can easily detect and block a Slowloris attack,” Steve Gates, Chief Researcher Intelligence Analyst for NSFOCUS, told Softpedia.
“What is interesting here is that Slowloris was being used to help distribute as many spam emails as possible; before a victim server crashed or dropped all existing connections. Once again, this is a demonstration of the originality and persistence of spammers - that never ceases to amaze,” he continued.
If you're wondering just what type of emails this company was sending to spam your inbox, then you should know that the recorded campaigns exposed by the data breach include large brands such as Nike, Victoria's Secret, Yankee Candle, Gillette, Covergirl, AT&T, and more. Other messages featured offers for addiction help, blood sugar testing, survival blankets, cold remedies, and so on.
Expert commentary
“This is an extremely rare window into the operations of mass-spam campaigns. RCM's apparent admission that they ran denial of service attacks against Gmail servers to trick them into accepting spam is very serious. They are talking about risking the stability of some of the internet’s core mail servers for profit. It's bizarre these admissions are coming from chat logs that RCM themselves accidentally leaked,” said Chris Doman, Security Researcher at AlienVault.
“In the recent River City Media Group data leak, over 1.4 billion records may have been exposed. Not much information is being said as to the cause, but given that this was found by Chris Vickery, who often scans the internet for vulnerable Mongo DB assets and makes reference to the lack of use of passwords, one can conclude that this data leak is a result of a misconfigured Mongo DB. Open source continues to be a critical source of innovation to many organizations. In this case, being used for motivations not so noble, the lesson to be learned here is that Mongo DB continues to be an easy exploit,” said Paul Calatayud, FireMon CTO.