Star Wars botnet

In one of the weirdest things you'll hear today, a spam botnet has been randomly selecting text from a Star Wars novel and sending it to victims, alongside with download links to online gambling apps.

This was not the work of a regular email spam botnet that uses infected computers or hacked sites. Instead, this is a botnet that abuses social media sharing widgets.

While most users think of Twitter and Facebook sharing when thinking of social widgets, most of these type of services also come with a feature named "email-link-to-a-friend."

Campaign started in mid-October

It's this feature the botnet's operator has been exploiting. Starting with mid-October, this particular botnet has been sending requests from infected bots to websites that host social sharing widgets.

The bots have been programmatically filling in the link-sharing form, and in the "comments" field, where users can enter a custom message for their friends, the bot has been adding a link to one of two websites that offer various gambling apps.

Alongside the link, miscreant also included text to mask the link and help it bypass spam detection systems. The text they chose — random snippets of text from the novel "Star Wars - Darth Bane - Path to Destruction" by Drew Karpyshyn.

According to Imperva Incapsula experts, the company which discovered this campaign, botnet operators eventually got tired of spamming targets with Star Wars and later moved on to using quotes from "Jane Eyre" by Charlotte Brontë, and various works by Edgar Allan Poe.

Botnet operated out of China

Experts said that 99.8% of the 6,915 bots that were abusing social sharing widgets were Chinese IP addresses, and they targeted the social widgets hosted on 60 domains. All in all, attackers sent over 1 million HTTP requests that materialized in spam email.

Star Wars spam botnet attacks

Such attacks are dangerous because they abuse the email servers of legitimate domains that later get blacklisted on spam lists and may prevent or hinder the proper delivery of legitimate emails.

The services of such spam botnets are advertised on underground hacking forums, the Dark Web, via XMPP spam, or on sites available on the public Internet, such as the one below.

Spam advert