Several thousand spam bots incorporated quotations from a Star Wars novel into the attack messages they sent out to their targets.

The assault began on 10 October 2017. 33 unrelated domains on security CDN Incapsula’s network received approximately 275,000 WinHTTP POST requests leading up to 16 October. The next week, those numbers jumped up to 60 apparent targets and nearly one million requests.

Number of attacks requests blocked per day. (Source: Incapsula)

The provider of website security and distributed denial-of-service (DDoS) protection services ultimately attributed these requests to 6,915 devices acting as spam bots. 98.9% were located in China.

These POST requests consisted of messages attackers had crafted by abusing the send-to-a-friend form that many companies enable so visitors can share in-site content with their friends. Emails sent through this type of delivery method bypass filters by originating from a company with a clean record. They also avoid the costs of sending emails via Necurs or another spam botnet whose services attackers advertise on underground markets.

A spam botnet advertisement on the dark web. (Source: Bleeping Computer)

This campaign’s form messages were especially interesting, however. Not only did they include links to gambling sites in the comments section. They also included quotations from Star Wars – Darth Bane – Path to Destruction by Drew Karpyshyn. Here’s one example:

 propertyId=XXXXXX&unitId= XXXXXX &systemId=vrbo&toEmail=XXXXXX@XXXXXX&share
 Comments= … [spam link] there's no reason for us to move so soon," Des replied,
 struggling to remain calm. "If they start at dusk, it's going to take at least three hours
 &referrer=[website targeted by form-filler bots]

Incapsula has a theory for why the bots included this content:

“Most likely, however, the spammers were trying to add some uniqueness to their emails, and further hinder detection by filtering mechanisms scanning for content patterns. In the process (Read more...)