In early August, a number of very well-known social networking websites were reported to be victims of distributed denial of service (DDoS) attacks. The attacks appear to be linked to a “Joe Job” style spam run against an anti-Russian blogger. A “Joe Job” is a spam technique that spoofs the From: email address with a real email address belonging to an unsuspecting victim, making it appear as though that person was responsible for the email.
The spam run, as far as MessageLabs Intelligence can determine, was estimated at less than one percent of all spam at that time and was distributed from a currently unclassified botnet. The run was significantly smaller than some of the more recent spam runs, such as the URL-shortening attacks from Donbot.
Although it is presumed that this spam run contributed to the DDoS attacks on these social networking websites, it is unlikely that this run alone could have caused all the reported disruption, which suggests that something else was involved. MessageLabs Intelligence suggests that a botnet was also used to conduct the DDoS attack in parallel, with compromised computers under the botnet’s control commanded to automatically open the page of the targeted social networking website.
An example of one of these messages can be seen in Figure 1. The message actually originated from an IP address in Brazil, a hot spot for botnet-infected computers, while the email From: address was spoofed to appear as though it was from a company based in Ohio.
Figure 1 - Joe Job style email encouraging users to visit a blog
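
The mismatch described for Figure 1 can be checked mechanically. The following is an added example, not MessageLabs code: it compares the domain in the From: header with the IP address recorded by the recipient's own border mail server. The host names, addresses, `TRUSTED_MTA` and the `AUTHORIZED_RANGES` table (a stand-in for the ranges a domain would publish, for example via SPF) are constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed stand-in for the ranges the claimed sender domain publishes (no DNS lookup here).
AUTHORIZED_RANGES = {"example-ohio.test": ["192.0.2.0/24"]}
TRUSTED_MTA = "mx.recipient.test"  # hypothetical name of the recipient's border mail server

# Constructed sample: From: claims example-ohio.test, the real connection came from
# 203.0.113.77, and the sender added a forged Received line to look legitimate.
SAMPLE = """\
Received: from unknown (HELO pc-77.dsl.test) (203.0.113.77)
    by mx.recipient.test; Sat, 01 Jan 2000 10:00:01 +0000
Received: from mail.example-ohio.test (mail.example-ohio.test [192.0.2.5])
    by relay.example-ohio.test; Sat, 01 Jan 2000 09:59:58 +0000
From: "Sales" <sales@example-ohio.test>
To: user@recipient.test
Subject: visit this blog

body
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def connecting_ip(msg, trusted_mta=TRUSTED_MTA):
    """IP logged by our own MTA. Received lines below it are sender-controlled."""
    for hdr in msg.get_all("Received", []):      # newest hop first
        hdr = " ".join(hdr.split())              # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", hdr)
        if by and by.group(1).rstrip(";").lower() == trusted_mta:
            ip = IP_RE.search(hdr.split(" by ")[0])
            return ipaddress.ip_address(ip.group(1)) if ip else None
    return None

def check_from(raw):
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    ranges = AUTHORIZED_RANGES.get(domain)
    if ip is None or ranges is None:
        verdict = "unknown"                      # nothing to compare against
    elif any(ip in ipaddress.ip_network(r) for r in ranges):
        verdict = "consistent"
    else:
        verdict = "possible-spoof"               # From: domain never sends from this IP
    return {"from_domain": domain, "source_ip": str(ip) if ip else None, "verdict": verdict}

if __name__ == "__main__":
    print(check_from(SAMPLE))
```
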