
SANS ISC: Are you receiving Empty or "Hi" emails? - SANS Internet Storm Center SANS ISC InfoSec Forums


Are you receiving Empty or "Hi" emails?

    I wanted to perform a little unscientific information gathering. I'm working with a small group who think they're being specifically targeted by these, while I think it's more widespread and opportunistic. If you've recently received these no-content probe emails, or a simple "Hi" message, please send a simple comment below in this format:

  • Industry
  • Order of magnitude in size (e.g. <10, <100, <1000)
  • Sending domain

    Feel free to use our comment page to add extra analysis comments here: https://isc.sans.edu/contact.html

Kevin Liston

292 Posts
ISC Handler
I run a small mail server with about a dozen domains and several hundred addresses, with malware/spam attempts numbering in the thousands per day.
I have not seen any of these empty emails, but do use very aggressive filtering. If you can post some of the source IP addresses or mail headers it might be helpful. I could then check to see if any of the IP addresses have matches. I presume some others may be able to do the same.
RichH

9 Posts
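A small triage script, added here as an example and not code from the thread or from SANS ISC, that does what the two posts above ask for: it flags messages whose body is empty or a bare "Hi"/"Hi friend!", and tallies the sending domain and the first non-internal IP in the Received chain so the counts can be reported in the industry/size/domain format. It uses only the Python standard library. The message texts, the example.org/example.net host names and the documentation address 203.0.113.7 are constructed for the example, not real headers from the discussion.

```python
"""Triage empty / "Hi" probe e-mails and tally sending domain and origin IP.

Added example, not code from the thread. Standard library only; the messages
in SAMPLE_MESSAGES are constructed for this example (example.org/example.net
names, documentation IP 203.0.113.7), not real headers from the discussion.
"""
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Bodies the thread reports as probes: nothing at all, "Hi", "Hi friend!".
# Extend from your own mail logs; these are the only ones the thread names.
PROBE_BODIES = {"", "hi", "hi friend"}

# IPv4 addresses written as "[a.b.c.d]" in Received lines.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops inside our own network are not the origin; skip these ranges.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse(raw):
    """Parse one raw RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg):
    """Plain-text body of an EmailMessage, or '' when it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def is_probe(msg):
    """True for a message with no attachment whose body is empty or a bare greeting."""
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        return False
    text = body_text(msg).strip().lower().rstrip("!.,")
    return text in PROBE_BODIES


def origin_ip(msg):
    """Earliest non-internal IP in the Received chain, or None.

    Each hop prepends its Received line, so the last line is the first hop.
    Only the line written by your own MX is trustworthy; earlier ones can be
    forged, so treat the result as a lead, not as proof.
    """
    for hop in reversed(msg.get_all("Received", [])):
        for ip in RECEIVED_IP.findall(hop):
            addr = ip_address(ip)
            if not any(addr in net for net in INTERNAL_NETS):
                return ip
    return None


def sender_domain(msg):
    """Domain part of the From: address, lower-cased, or None."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or None


def triage(raw_messages):
    """Return (probe_count, Counter of sending domains, Counter of origin IPs)."""
    domains, ips = Counter(), Counter()
    probes = 0
    for raw in raw_messages:
        msg = parse(raw)
        if not is_probe(msg):
            continue
        probes += 1
        domains[sender_domain(msg)] += 1
        ips[origin_ip(msg)] += 1
    return probes, domains, ips


# Constructed sample messages (not real data from the thread).
_HOPS = ("Received: from mx.example.org ([192.168.1.5]) by inbox.example.org;"
         " Wed, 22 Oct 2014 10:00:00 +0000\n"
         "Received: from mail.example.net ([203.0.113.7]) by mx.example.org;"
         " Wed, 22 Oct 2014 09:59:59 +0000\n")

SAMPLE_MESSAGES = [
    # Empty body: a probe.
    _HOPS + "From: Some Body <someone@example.net>\nTo: it@example.org\n"
    "Subject: (no subject)\nContent-Type: text/plain; charset=utf-8\n\n",
    # Greeting-only body: a probe.
    _HOPS + "From: Another <other@example.net>\nTo: hr@example.org\n"
    "Subject: Hi\nContent-Type: text/plain; charset=utf-8\n\nHi friend!\n",
    # Real content: not a probe.
    _HOPS + "From: Colleague <c@example.org>\nTo: it@example.org\n"
    "Subject: Q3 numbers\nContent-Type: text/plain; charset=utf-8\n\n"
    "Hi, the Q3 figures are in the shared folder, please review.\n",
]

if __name__ == "__main__":
    count, by_domain, by_ip = triage(SAMPLE_MESSAGES)
    print(f"probes: {count}")
    print("sending domains:", dict(by_domain))
    print("origin IPs:", dict(by_ip))
```

Feed it the raw text of each message from an mbox or a mail-gateway quarantine; the domain and IP counters are what the original post and the reply above ask people to report. The origin-IP step is deliberately conservative, as the later Gmail comment in the thread illustrates: a large provider's Received line may only show its own outbound relay, so the address is a starting point for correlation rather than an attribution.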
We aren't seeing them now, but were about a month ago. We would see two or three a day and this continued for a couple weeks.
JeffSoh

32 Posts
I would agree with Jeff. We were getting these a few months ago, but I have not seen these types of emails for at least a month.
Groot

1 Posts
Seen them before. They would be sporadic in volumes. Sometimes a few and other times in the hundreds.
jono

7 Posts
Yes, I've seen it several times so far.

industry: Consulting (even once on my personal GMAIL)
Magnitude: <10
Sending domain: GMAIL

The senders are potentially sending emails from India and the US, from what I recall in the email headers.
jono
8 Posts
Adding in some from other channels

industry: Financial
Size: < 100,000

industry: financial
size: <1000
multiple domains

Industry: healthcare

Industry: healthcare
sending domain: AOL
included link
Kevin Liston

292 Posts
ISC Handler
Industry: Healthcare
Size: <50000
Speedweaver

1 Posts
We are seeing a ton of those in the last month
Chrisc

1 Posts
health science/medical devices
<10
From gmail.com
Chrisc
1 Posts
Industry: Architecture/Engineering/Construction
Size > 1000
Domains - gmail, others
Anonymous
Respond back to the email address and see if you can get them to respond back.

Protip: they should respond back with malware.
Anonymous
I see them on my work account, but not my personal account, from time to time. Had two the same day as your request for more info.

Financial Services
< 10 (two from 220.227.71.62 - India)
Sent from gmail.com
Steve

5 Posts
I have had a few "Hi friend!" empty emails coming from a Frontier address. These happened on 10/22/14.
industry: Medical
Size: < 1000
Multiple domains
Tri0x

16 Posts
Financial Services
sometimes 10, sometimes around 50
almost always to IT, InfoSec, HR
almost always from Gmail (many years ago they had valid x-header info, now just load balancer IP - shame on Google)

I spent a little time on this a few years back and here is what I found.

The emails always correlate to LinkedIn views from a "market analyst" or "market researcher" out of India. A few actually listed Rain King as their employer. If you have never seen or heard of Rain King, just ask your friendly IT Security vendor to give you a demo. They map out companies, contacts, projects, etc. Think intel for sales people.

Vendors can request contact info from Rain King; this will cause one of the "analysts" to conduct an email campaign and place phone calls to validate numbers etc. Sometimes they just ask for you and hang up when you confirm your name or simply say "Yes, this is BOB". Again, the calls always follow a LinkedIn visit.

Email and call volume is always higher following an industry trade show. Activity was really bad following the FALL FS-ISAC summit. I learned that FS-ISAC shared names and titles, but not contact info, with every vendor. (My altered QR code trick didn't stop the onslaught.)

If you have access to Rain King or have a friend in sales, have them login and show you the interface. Have them click on the link to update the Org info, and it WILL result in these types of emails.

Better yet, respond with an email and include a falsified email signature with bogus contact details. Days later ask your friendly sales person to look you up again and you will see for yourself.

This has bothered me for years. If your management will let you, create some bogus LinkedIn profiles (and corp email accounts) for IT and InfoSec staff, network with LIONs and others in your company. Give them impressive titles, monitor the activity, and correlate against email. I have a strong opinion on these tactics, but I will spare everyone an even longer reply.

Thanks,
Phil
LoTTo

1 Posts
FI
<1000
@gmail.com
danrico

1 Posts