Faulty backups expose River City Media’s spam operations and a database of 1.4bn email accounts

A group of investigators from MacKeeper, CSOOnline, and Spamhaus has unmasked what is probably one of the largest spam operations in the world. According to research[1], a spamming organization called River City Media (RCM) inadvertently exposed its database of nearly 1.4 billion email addresses, along with full names, IP addresses and in some cases even physical addresses, which means that in terms of leaked data volume this breach surpasses the recent Yahoo data breach[2]. It turns out that the company, which claims to be a legitimate marketing organization, failed to configure its Rsync backups and secure them properly, and as a consequence they were publicly exposed for more than a month. This allowed the team of researchers to find out more about the daily operations led by spammers Alvin Slocombe and Matt Ferris (the leaders of RCM)[3]. The researchers not only discovered an unprotected database containing information about more than 1.4 billion individuals targeted by RCM’s spam campaigns, but also everything about River City Media itself: the company’s infrastructure planning and production notes, HipChat logs, domain registration records, business affiliations, and more.
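As an added illustration (not code from the article or from any party it names), the following Python script audits an rsync daemon configuration for the kind of unsecured exposure described above: modules that accept anonymous connections, are not restricted to an address range, or are writable. It assumes the backups were served by an rsync daemon configured through rsyncd.conf; the sample configurations, paths and module name are constructed.

```python
"""Audit an rsyncd.conf for modules exposed without access controls.

Added example, not from the article or from River City Media. It reads an
rsync daemon configuration and lists modules that are anonymous (no
'auth users'), unrestricted by address (no 'hosts allow'), or writable.
Parameter names follow rsyncd.conf(5); the sample configs are constructed.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); keys lower-cased, values stripped.

    Parameters before the first [module] header are global defaults that
    every module inherits unless it overrides them.
    """
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # rsyncd.conf comments start with '#'
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue  # malformed line; rsync itself would reject it (skipped here)
        key, value = (s.strip() for s in line.split("=", 1))
        target = globals_ if current is None else modules[current]
        target[key.lower()] = value
    return globals_, modules


def is_false(value):
    return value.strip().lower() in ("no", "false", "0")


def audit(text):
    """Return {module: [findings]} for every module with a weakness."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # module values override global defaults
        findings = []
        if "auth users" not in eff:
            findings.append("anonymous: no 'auth users'")
        elif "secrets file" not in eff:
            findings.append("'auth users' set but no 'secrets file'")
        if "hosts allow" not in eff:
            findings.append("no 'hosts allow': reachable from any address")
        # The daemon defaults to read only; flag only an explicit opt-out.
        if "read only" in eff and is_false(eff["read only"]):
            findings.append("writable: 'read only = no'")
        if findings:
            report[name] = findings
    return report


# Constructed configs: an exposed backup share and a locked-down one.
WEAK = """\
# constructed example of an exposed backup share
uid = nobody
[backups]
    path = /srv/backups
    comment = nightly dumps
    read only = no
"""

HARDENED = """\
uid = nobody
hosts allow = 10.0.0.0/8
[backups]
    path = /srv/backups
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    read only = yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

Running the script prints three findings for the weak share and none for the hardened one; the check is deliberately conservative and only reports what the file states, so an address restriction enforced elsewhere (firewall, VPN) would still show up as a finding.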

Faulty backups expose massive spam operations by River City Media

Chris Vickery, the researcher who first discovered the leaky files, says that the company managed to collect such a volume of email addresses “through offers such as credit checks, education opportunities, and sweepstakes.[4]” The researcher also says there is evidence that the collection was continuously topped up with information shared by similar organizations. According to information found in the leaked documents, RCM was responsible for sending around a billion bulk messages to Gmail users per day. Vickery claims that “a lot of automation, years of research, and a fair bit of illegal hacking techniques” is what made the company capable of running spam operations on this scale. The researcher also discovered that RCM had thousands of fake warm-up email accounts, which were the first to receive RCM’s spam. Since these accounts were not monitored by real users, they naturally never generated any complaints about the spam messages, so the email service provider would classify the spam sender as a good sender. In this way RCM built up a sender reputation and used it to target real users. In some cases RCM used aged domains, because these are apparently more valuable and less suspicious than newly created ones.

What is more, it was discovered that RCM was using a hacking technique known as the Slowloris attack[5], which is meant to cripple a web server rather than subvert it. The spammer tries to open as many connections to the Gmail server as possible, configuring the machine to send response packets slowly and in fragments while requesting still more connections at the same time. Once the Gmail server is about to give up and drop the connections, the spammer immediately sends a flood of emails through the connections that were established. This way the sender ends up blocked, but a large load of emails goes through.
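From the mail operator’s side, the pattern described above (one source holding many connections open at once while sending data slowly) can be spotted in connection records. The following Python code is an added example, not from the article or its sources; the record format, the thresholds and the sample addresses are assumptions.

```python
"""Flag sources that hold many concurrent, slow connections open.

Added example (not from the article): a simple detector an operator could
run over per-connection records to spot the pattern the article describes,
many simultaneous connections from one source, each trickling data. The
Conn record layout, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str          # client address
    start: float      # seconds since some epoch
    end: float        # seconds; end > start
    bytes_sent: int   # bytes the client sent over the connection's life


def peak_concurrency(conns):
    """Max number of the given connections open at the same instant."""
    events = []
    for c in conns:
        events.append((c.start, 1))
        events.append((c.end, -1))
    events.sort()  # at equal timestamps -1 sorts before 1: close before open
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def flag_slow_sources(conns, min_concurrent=20, max_rate_bps=50.0):
    """Return {src: (peak_concurrency, mean_bytes_per_second)} for sources
    that keep at least min_concurrent connections open while each sends
    less than max_rate_bps on average."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    flagged = {}
    for src, cs in by_src.items():
        peak = peak_concurrency(cs)
        mean_rate = sum(c.bytes_sent / (c.end - c.start) for c in cs) / len(cs)
        if peak >= min_concurrent and mean_rate < max_rate_bps:
            flagged[src] = (peak, mean_rate)
    return flagged


# Constructed sample: one source holding 25 slow connections open for five
# minutes (2 B/s each), plus ten ordinary clients with short, fast sessions.
SAMPLE = [Conn("203.0.113.9", 0.0, 300.0, 600) for _ in range(25)]
SAMPLE += [Conn(f"198.51.100.{i}", i * 2.0, i * 2.0 + 1.5, 4000) for i in range(10)]

if __name__ == "__main__":
    for src, (peak, rate) in flag_slow_sources(SAMPLE).items():
        print(f"{src}: {peak} concurrent connections, {rate:.1f} B/s mean")
```

The two thresholds are the knobs to tune per service: a legitimate mail relay may open many connections, but it sends at a normal rate, and a slow client on a poor link sends slowly but does not hold dozens of connections open at once. Flagging only sources that do both keeps the false-positive rate low.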

RCM hasn’t officially responded to this discovery. The researchers have already notified law enforcement agencies, Spamhaus, Salted Hash, Microsoft, Apple, and other interested parties.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
