Necurs Spammers Go All In to Find a Valentine’s Day Victim
**This blog post was written with IBM X-Force researchers Dirk Harz and Johannes Noll**

Love is in the air — or, in this case, your spam folder. IBM X-Force observed a massive
uptick from the Necurs botnet that is focused on dating spam. It started in
mid-January 2018 and will continue as Valentine’s Day draws near.

The Necurs botnet is notorious for its massive spam campaigns and is believed to
control up to 6 million zombie bots. This botnet is best known for its ties to
malware gangs that spread banking Trojans, such as Dridex and TrickBot, and
ransomware such as Locky, Scarab and Jaff.

But Necurs is not only about malware. Its operators dabble in distributing spam for
other fraud endeavors as well, which brings to light this recent romance scam
campaign.

In 2017, X-Force observed Necurs sending mass amounts of pump-and-dump stock scams designed
to make recipients believe a penny stock was about to rise in value. Once
enough people buy the stock and it actually rises in value, the scammers sell
off their shares to make a profit. The penny stock then drops back to its real
market value, and those who bought it are often left with nothing but losses.
In early 2018, the botnet was part of large cryptocurrency scams, and this
latest bout of dating spam is yet another major campaign linking Necurs to
shady online activity.

Massive Spam in Season

Preying on seasonal trends is probably the top characteristic of email spam. The first
quarter of the year typically plagues email recipients with tax season spam and
romance scams that start arriving in January leading up to Valentine’s Day.

The current campaign from Necurs reached over 230 million spam messages within a
matter of two weeks as the botnet spewed tens of millions of messages in two
major bouts.

Want to see the statistics? Check out this blog on Security Intelligence.com.