Forces of the dark side are hijacking send-to-a-friend modules to send spam.
Forces of the dark side are hijacking send-to-a-friend modules to send spam.

Forces of the dark side are hijacking send-to-a-friend, a.k.a. share-with-a-friend, social sharing modules to send random Star Wars quotes and malicious links.  

Imperva researchers spotted what they dubbed as “Sith Spam Bots” or bots exploiting the modules commonly found on commercial websites that allow users to email the details of a product/service with their friends, according to a Nov. 15 blog post.

Spammers typically target the modules for several purposes including for IP obfuscation, spam link obfuscation, or to avoid fees associated with sending emails en masse.

Once a target is found the spammers use a host of form-filler bots on the send-to-a-friend form to send thousands of emails with embedded malicious links to sites offering a selection of gambling apps. The emails also included random texts from Star Wars themed sources including Path of Destruction, a Star War Legends novel.

Between October 10 and October 16 researchers spotted 33 unrelated domains on their network hit by over 275,000 attack requests using these methods and a week later, the number of targets had increased to 60, and the volume of the attack had almost tripled—reaching a total of over a million requests.

Researchers speculate the spammers were trying to add some uniqueness to their emails with the quotes, and further fly under the radars of filtering mechanisms scanning for content patterns.

The use of Stars Wars quotes, or any other non-randomized content, could be an effective way to bypass content-based email filters that protect recipients from spam, Imperva Incapsula Director Igal Zeifman said.

“All of the emails pointed to a mirrored version of the same site, which was peddling a selection of gambling apps,” Zeifman said. “The site was hosted in Honk Kong and the majority of botnet traffic (nearly 99%) originated from China. This makes us think that the owners of these sites were behind the attacks, or at least paid someone to launch it for them.” 

To prevent these sort of attacks, researchers recommend developers and operators recognize the security risks that come with having an email sharing option on their service and take steps to prevent it from being abused by form-filler bots. In addition, they said sites that implement the modules should include a rate-limiting mechanism that will prevent an IP address from issuing unreasonable numbers of requests over a specific period of time.