Some thoughts about the spam attack sent through InternetOfThings (Proofpoint)

More than 750,000 Phishing and SPAM emails Launched from “Thingbots” Including Televisions, Fridge

Note: An article about this has been published by Richard Adhikari in TechNewsWorld.

A general comment on the entire story.
Security researchers usually use spamtraps (an email address that receive nothing else than
pure spam) to collect these emails and then some kind of spam trap processsing machine would
analyse the emails and extract the IP address of the sender.
In order to see that an email is coming from a certain type of device, it is required to obtain
the IP address of the sender, to get a connection to that machine and
– either perform a deep scan on that IP using various tools (like nmap) or
– to query thorough official protocols (like SNMP) information about the device.
Both these things assume that the device is freely available from the Internet.
I find understandable that a router or a NAS device are accessible from the Internet, but why
would someone allow other device to be fully accessible from the Internet?

1. So…did anyone else notice these waves of attacks?
We receive millions of emails every month and we only perform deep analysis like explained
above only we have a very strong indication that there is something suspicious going on in that
IP range or specifc IP Address.

2. If not, how could anyone have missed 300K malicious emails sent out each day for 2 weeks?
300.000 emails per day is almost nothing for some well populated spamtraps.

I don’t think that any security software producer is actually able to detect
this small amount of emails that have little no no characteristics in common (the press release
says that no more than 10 emails were sent from the same IP address.

3. If, on the other hand, Proofpoint is really saying that the attacks occurred sometime within
this 2-week period, shouldn’t it have been able to pinpoint the day much more closely?

Yes, if Proofpoint is in possession of at least a part of these emails than they should be able
to precisely say exactly when the emails were sent and from where.


4. Is it possible to actually make a spambot or a botnet out of Internet-connected devices, or
is that likely to be more trouble than it’s worth?

It depends on the device…

A router, for example, has a very basic logic in it and it can only send emails with specific
content and to specific users.
But, if a device has an operating system that allows a login via SSH (Dreambox receivers, NAS
servers, etc.) I think it is possible to use it to send emails with any content to anyone.
Most of these devices run some kind of Unix-like operating systems on very special processors
(ranging from PowerPC to Intel x86). So, somebody who wants to write a bot for these devices
must either write it in a cross platform language like Perl, Python, Ruby, Java or has to
address each device separately. I believe that the first possibility is more realistic.
Considering the fact that these days there are not so many such devices, I wonder if the effort
is worth. In the near future this situation might change, but with the data available at the moment, I
think that the only advantage this approach brings is the fact that nobody would think of these
devices would be so vulnerable.


5a. What are the implications for homeowners? That they should secure their connected devices?

The first question we must address is: how did these devices got compromised?

A home router or a NAS server might be accessible from the Internet, but I strongly doubt that
any others would be accessible from the Internet.
If this is indeed the case, then the owners did not change the default user/password
combination. But again, who would bother to identify these devices?
I think that something else happened. Some of these devices connect to some backends for
updates or to a dashboard. If these backends got compromised, then it is possible to have a
mass infection. It is usually to have just some plugin or component (which are usually written
in one of the above programming languages) infected and then the whole device is compromised.
This would also explain how exactly this kind of devices got compromised.
As a rule of thumb, they should only install extensions for these devices from a well trusted
and authorized source. However, in case of a compromised store, this can’t be achieved.

5b. If they should secure these connected devices, how should they do so?

If they have observe some kind of suspicious activity, they should disconnect the device from
the network and perform a hardware reset or a reinstallation of the default operating system.
Suspicious activity means for such devices:
– – the connect all the time to the Internet
– – they are slower than usual
– – they have a high CPU load


© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: