What is the Russian underground up to when it comes to ‘spear phishing’ attacks? How prevalent is the tactic among Russian cybercriminals? What “data acquisition tactics” do they rely on, and just how sophisticated are their “data mining” capabilities?

Let’s find out by looking at a recent underground market advertisement offering access to data that can greatly improve the click-through rate of a spear phishing campaign. The irony? It’s being pitched as “spam leads”.

More details:

Sample screenshot of the Russian “spam leads” offered for sale:


Second screenshot of the Russian “spam leads” offered for sale:


Third screenshot of the Russian “spam leads” offered for sale:


The “spam leads” include market sector, market segment, type of company, city, full name of the company, postal address, fax, phone number, email, Skype, web site, as well as the GPS coordinates.

While the seller is (thankfully) not aware of the true underground market potential of their harvested/compromised/fraudulent opt-in data, others are, and will definitely take advantage of the fact that such a database is currently offered for sale. It’s also worth discussing some of the most popular “data acquisition tactics” that cybercriminals rely on when selling this type of data.

There are several tactics a cybercriminal can leverage to gain access to this type of data:

  • Fraudulent opt-in offers – this concept is fairly simple: your company receives an email about possible inclusion in a fake business directory, but must either pay for it first (the advance fee fraud element) or sign a contract that allows the scammers to legally re-bill the company. Cybercriminals behind these attacks leverage the collected data to launch spear-phishing attacks targeting thousands of companies across the globe.
  • Hacked databases – in terms of quality data, nothing compares to the “value” of a hacked database. Users entrust sensitive and personal details to the service maintaining it, so it is a gold mine for potential spear phishing campaigns if compromised.
  • Harvesting publicly obtainable data by outsourcing the CAPTCHA-solving process – in 2013, CAPTCHA is dead! Low-waged CAPTCHA solvers in developing countries killed it. Keeping this in mind, it shouldn’t be surprising that money mule recruiters actively harvest data from job/career web sites, and other cybercriminals are doing exactly the same while targeting legitimate Web properties that rely exclusively on CAPTCHA to prevent this type of automated abuse.

We advise users to be extra cautious before trusting an email offer that knows too much about you. This includes emails sent from trusted friends. Protect yourself by alerting your friends and/or the abused service or company if you suspect foul play.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.