Tracing Spam: Diet Pills from Beltway Bandits

Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities.

atballYour average spam email can contain a great deal of information about the systems used to blast junk email. If you’re lucky, it may even offer insight into the organization that owns the networked resources (computers, mobile devices) which have been hacked for use in sending or relaying junk messages.

Earlier this month, anti-spam activist and expert Ron Guilmette found himself poring over the “headers” for a spam message that set off a curious alert. “Headers” are the usually unseen addressing and routing details that accompany each message. They’re generally unseen because they’re hidden unless you know how and where to look for them.

Let’s take the headers from this particular email — from April 12, 2017 — as an example. To the uninitiated, email headers may seem like an overwhelming dump of information. But there really are only a few things we’re interested in here (Guilmette’s actual email address has been modified to “ronsdomain.example.com” in the otherwise unaltered spam message headers below):

Return-Path: <dan@gtacs.com>
X-Original-To: rfg-myspace@ronsdomain.example.com
Delivered-To: rfg-myspace@ronsdomain.example.com
Received: from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])
by subdomain.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
for <rfg-myspace@ronsdomain.example.com>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gtacs.com;
s=default; h=MIME-Version:Content-Type:Date:Message-ID:Subject:To:From:
Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
Received: from [186.226.237.238] (port=41986 helo=[127.0.0.1])
by host.psttsxserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.87)
(envelope-from <dan@gtacs.com>)
id 1cyP1J-0004K8-OR
for rfg-myspace@ronsdomain.example.com; Wed, 12 Apr 2017 16:37:42 -0400
From: dan@gtacs.com
To: rfg-myspace@ronsdomain.example.com
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
Message-ID: <F5E99999.A1F67C94585E5E2F@gtacs.com>
X-Priority: 3
Importance: Normal
Date: Wed, 12 Apr 2017 22:37:39 +0200
X-Original-Content-Type: multipart/alternative;
boundary=”–InfrawareEmailBoundaryDepth1_FD5E8CC5–”
MIME-Version: 1.0
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – host.psttsxserver.com
X-AntiAbuse: Original Domain – ronsdomain.example.com
X-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain – gtacs.com
X-Get-Message-Sender-Via: host.psttsxserver.com: authenticated_id: dan@gtacs.com
X-Authenticated-Sender: host.psttsxserver.com: dan@gtacs.com

Celebrities always have to look good and that’s as hard as you might
{… snipped…}

In this case, the return address is dan@gtacs.com. The other bit to notice is the Internet address and domain referenced in the fourth line, after “Received,” which reads: “from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])”

Gtacs.com belongs to the Trace Systems GTACS Team Portal, a Web site explaining that GTACS is part of the Trace Systems Team, which contracts to provide “a full range of tactical communications systems, systems engineering, integration, installation and technical support services to the Department of Defense (DoD), Department of Homeland Security (DHS), and Intelligence Community customers.” The company lists some of its customers here.

The home page of Trace Systems.

The home page of Trace Systems.

Both Gtacs.com and tracesystems.com say the companies “provide Cybersecurity and Intelligence expertise in support of national security interests: “GTACS is a contract vehicle that will be used by a variety of customers within the scope of C3T systems, equipment, services and data,” the company’s site says. The “C3T” part is military speak for “Command, Control, Communications, and Tactical.”

Passive domain name system (DNS) records maintained by Farsight Security for the Internet address listed in the spam headers — 72.52.186.80 — show that gtacs.com was at one time on that same Internet address along with many domains and subdomains associated with Trace Systems.

It is true that some of an email’s header information can be forged. For example, spammers and their tools can falsify the email address in the “from:” line of the message, as well as in the “reply-to:” portion of the missive. But neither appears to have been forged in this particular piece of pharmacy spam.

The Gtacs.com home page.

The Gtacs.com home page.

I forwarded this spam message back to Dan@gtacs.com, the apparent sender. Receiving no response from Dan after several days, I grew concerned that cybercriminals might be rooting around inside the networks of this defense contractor that does communications for the U.S. military. Clumsy and not terribly bright spammers, but intruders to be sure. So I forwarded the spam message to a Linkedin contact at Trace Systems who does incident response contracting work for the company.

My Linkedin source forwarded the inquiry to a “task lead” at Trace who said he’d been informed gtacs.com wasn’t a Trace Systems domain. Seeking more information in the face of many different facts that support a different conclusion, I escalated the inquiry to Matthew Sodano, a vice president and chief information officer at Trace Systems Inc.

“The domain and site in question is hosted and maintained for us by an outside provider,” Sodano said. “We have alerted them to this issue and they are investigating. The account has been disabled.”

Presumably, the company’s “outside provider” was Power Storm Technologies, the company that apparently owns the servers which sent the unauthorized spam from Dan@gtacs.com. Power Storm did not return messages seeking comment.

According to Guilmette, whoever Dan is or was at Gtacs.com, he got his account compromised by some fairly inept spammers who evidently did not know or didn’t care that they were inside of a U.S. defense contractor which specializes in custom military-grade communications. Instead, the intruders chose to use those systems in a way almost guaranteed to call attention to the compromised account and hacked servers used to forward the junk email.

“Some…contractor who works for a Vienna, Va. based government/military ‘cybersecurity’ contractor company has apparently lost his outbound email credentials (which are probably useful also for remote login) to a spammer who, I believe, based on the available evidence, is most likely located in Romania,” Guilmette wrote in an email to this author.

Guilmette told KrebsOnSecurity that he’s been tracking this particular pill spammer for several years — since Sept. 2015, in fact. Asked why he’s so certain the same guy is responsible for this and other specific spams, Guilmette shared that the spammer composes his spam messages with the same telltale HTML “signature” in the hyperlink that forms the bulk of the message: An extremely old version of Microsoft Office.

This spammer apparently didn’t mind spamming Web-based discussion lists. For example, he even sent one of his celebrity diet pill scams to a list maintained by the American Registry for Internet Numbers (ARIN), the regional Internet registry for Canada and the United States. ARIN’s list scrubbed the HTML file that the spammer attached to the message. Clicking the included link to view the scrubbed attachment sent to the ARIN list turns up this page. And if you look near the top of that page, you’ll see something that says:

”  … xmlns:m=”http://schemas.microsoft.com/office/2004/12/omml” …”

“Of course, there are a fair number of regular people who are also still using this ancient MS Office to compose emails, but as far as I can tell, this is the only big-time spammer who is using this at the moment,” Guilmette said. “I’ve got dozens and dozens of spams, all from this same guy, stretching back about 18 months.  They all have the same style and all were composed with “/office/2004/12/”.

Guilmette claims that the same spammers who’ve been sending that ancient Office spam from defense contractors also have been spamming from compromised “Internet of Things” devices, like a hacked video conferencing system based in China. Guilmette says the spammer has been known to send out malicious links in email that use malicious JavaScript exploits to snarf credentials stored on the compromised machine, and he guesses that Dan@gtacs.com probably opened one of the booby-trapped JavaScript links.

“When and if he finds any, he uses those stolen credentials to send out yet more spam via the mail server of the ‘legit’ company,” Guilmette said. “And because the spams are now coming out of ‘legit’ mail servers belonging to ‘legit’ companies, they never get blocked, by Spamhaus or by any other blacklists.”

We can only hope that the spammer who pulled this off doesn’t ever realize the probable value of this specific set of login credentials that he has managed to make off with, among many others, Guilmette said.

“If he did realize what he has in his hands, I feel sure that the Russians and/or the Chinese would be more than happy to buy those credentials from him, probably reimbursing him more for those than any amount he could hope to make in years of spamming.”

This isn’t the first time a small email oops may have created a big problem for a Washington-area cybersecurity defense contractor. Last month, Defense Point Security — which provides cyber contracting services to the security operations center for DHS’s Immigration and Customs Enforcement (ICE) division — alerted some 200-300 current and former employees that their W-2 tax information was given away to scammers after an employee fell for a phishing scam that spoofed the boss.

Want to know more about how to find and read email headers? This site has a handy reference showing you how to reveal headers on more than two-dozen different email programs, including Outlook, Yahoo!, Hotmail and Gmail. This primer from HowToGeek.com explains what kinds of information you can find in email headers and what they all mean.