Spammers never depend on fixed strategies. They cannot afford to attach themselves to a single method of mass mailing. It does happen that an old attack method is revisited—a minor change is applied to the messages, just to match the changing scenarios on the Internet or perhaps expand the spammers’ focus. During the last couple of weeks, we have again been observing spam attacks abusing the email templates of well-known brands. However, there is a small but significant difference: they are generating phishing-like emails and redirecting users to meds websites instead of phishing websites. These emails are formatted to look like receipts or alerts originating from e-commerce sites or social networking sites.
It seems as if spammers are keen to try spreading panic and then in the process advertise their pharmacy products. In this way, users may be forced at least to visit the meds website. This may not happen in the case of attacks with the usual subject lines or mail bodies that show clear signs of the health spam category. We have provided a few examples below for users to understand the types of emails observed during the recent times.
Sample 1: In this example, spammers are attempting to alert recipients that their domain registration has been suspended. Users are redirected to a meds site after they click on the supplied URL.
Sample2: This one looks like a phishing email, but the URL also redirects to a meds site. The email headers and body are spoofed to make the recipient feel that this email has come from Amazon.
Sample 3: This sample also looks like a typical phishing email, claiming to have come from Facebook. This one tries to warn recipients that they have not logged on or visited the site for some time and therefore their account is at risk of deletion. Further, it asks users to visit the provided URL to save their account.
Sample 4: This one is also similar to the above three samples. In these messages, users are required to authenticate themselves in order to stop spam.
In all of the examples we can see that the URL pattern remained the same. Also, all of the messages try their utmost to persuade users to click the link(s). At present, these messages may seem harmless because they do not attempt to steal sensitive information from users and only promote medicinal pills at cheap rates. However, we still advise users to not click URLs inside messages that are unsolicited and/or unexpected in nature. Symantec will continue updating users on this attack and keep these messages away from users’ inboxes.
Note: Thanks to Kamalesh Singh for contributed content.