Sep 9, 2010 20:16 GMT

Traditional Web hackers are increasingly lending their services to spammers by allowing them to run advanced mass mailing tools from the compromised servers.

Such a specialized Web-based application was located by security researchers from antivirus vendor Kaspersky Lab on hacked servers in Brazil, a country where spam and phishing are amongst the top cybercriminal activities.

"During my daily analysis, I found an interesting shell for mass mailing. The code shows it was developed locally in Brazil," Dmitry Bestuzhev, a Kaspersky Lab expert, writes.

"By editing the original PHP code, the criminal can fake the 'original headers' of the messages they send," he explains.

Headers carry details about email messages, such as the content type, the encoding, the priority, the application used to send them and so on.

These small pieces of information are important for email clients and are analyzed by spam filters, but are usually hidden from regular users.

People are used to seeing spoofed "From:" headers. However, the tool analyzed by Bestuzhev also allowed spammers to fake the mailer, the originating IP address and even the spam score.
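A receiving-side check for the forged fields listed above, as an added example that is not from the article or from Kaspersky's analysis: it separates the headers stamped by the recipient's own mail server from those that arrived with the message. The hostnames, addresses and sample message are constructed, and the header names (`X-Mailer`, `X-Originating-IP`, `X-Spam-*`) are common conventions assumed here, since the article does not name the exact fields.

```python
import re
from email import message_from_string

# Constructed sample. Only the top Received line was stamped by our own MX;
# every header below it was already in the message when it arrived.
SAMPLE = """\
Received: from web01.hosting.example (web01.hosting.example [203.0.113.25])
\tby mx.corp.example with ESMTP id 4F2A1; Thu, 9 Sep 2010 20:01:12 +0000
Received: from mail.portal.example (mail.portal.example [198.51.100.7])
\tby relay.portal.example with SMTP; Thu, 9 Sep 2010 19:59:40 +0000
X-Spam-Score: -2.6
X-Spam-Status: No
X-Originating-IP: [198.51.100.7]
X-Mailer: Portal Webmail 3.1
From: "Portal" <news@portal.example>
To: user@corp.example
Subject: Account notice

Body text.
"""

TRUSTED_MX = "mx.corp.example"  # assumption: name our edge MTA writes after "by"
CLAIM_HEADERS = {"received", "x-mailer", "x-originating-ip",
                 "x-spam-score", "x-spam-status", "x-spam-flag"}

def split_by_trust(raw, trusted_mx=TRUSTED_MX):
    """Split headers into (trusted, untrusted) lists of (name, value).

    MTAs prepend headers, so reading top down, the first Received line stamped
    by our MX is the boundary. A forged copy further down is never reached.
    """
    headers = [(n, " ".join(v.split())) for n, v in message_from_string(raw).items()]
    for i, (name, value) in enumerate(headers):
        if name.lower() == "received" and f" by {trusted_mx} " in f" {value.lower()} ":
            return headers[:i + 1], headers[i + 1:]
    return [], headers  # our MX never stamped it: trust nothing

def sender_supplied_claims(raw, trusted_mx=TRUSTED_MX):
    """Untrusted headers that assert a relay path, mail client, IP or verdict."""
    return [(n, v) for n, v in split_by_trust(raw, trusted_mx)[1]
            if n.lower() in CLAIM_HEADERS]

def connecting_ip(raw, trusted_mx=TRUSTED_MX):
    """The one address worth trusting: the peer our own MX recorded."""
    trusted, _ = split_by_trust(raw, trusted_mx)
    match = re.search(r"\[([0-9a-fA-F.:]+)\]", trusted[-1][1]) if trusted else None
    return match.group(1) if match else None
```

A filter built this way strips or ignores everything `sender_supplied_claims` returns before scoring, so a spam verdict or originating IP written by the sender never reaches the decision.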

In one case, the messages were crafted to appear as if they originated from iG (www.ig.com.br), a popular Internet portal in Brazil.

"[…] There is a big probability this e-mail will be delivered usefully to the victim, bypassing anti-spam filters.

"Even the most experienced IT people can be tricked into believing that the message came from IG," the Kaspersky researcher writes.

Further investigation of the compromised server revealed that it was most likely hacked by a notorious Brazilian defacer, who attacks hundreds of websites on a weekly basis.

"In the past, we’ve seen Web defacers act only with political motivation. That has now changed. The Web defacers are being used by the online money gangs as a part of outsourced services," Bestuzhev concludes.