Security Response

Flash Spammer

Created: 03 Sep 2008 17:34:51 GMT • Updated: 23 Jan 2014 18:40:07 GMT
Kelly Conley

The theme to Flash Gordon is going through my head. You can't hear it, but I can. He's the savior of the universe, king of the impossible, and he'll save ev'ry one of us.

These lyrics seem so appropriate when it comes to all of the .swf (Flash) spam that we're observing. I imagine the spammer looks upon .swf files as saving his spam by ensuring it will bypass filters. Is .swf the "king of the impossible," able to avoid detection? The answer is "no."


What we have observed are spam messages that contain a link to an .swf file. This file is hosted on a popular image hosting site. When clicked, the link redirects to various Web sites; so far we've seen medical supplement and adult-oriented sites as the destinations of the redirects.

The .swf attack with the largest volume observed is the German pharmacy attack, with over 300 million instances seen. The body of this message is in German and includes a list of medications that are offered for sale along with the price and assurances that the transaction will be discreet. To order a product, you are directed to click the link to the .swf file, which then redirects you to an online ordering site. These sites, as well as the .swf links, seem to be rotating fairly often, which is a common spammer technique.

Another spam sample seen containing a .swf link was what appeared to be a job recruitment advertisement that required "no professional skills" and instructed the recipient to click the link to fill out the job application. When clicked, the link redirected to a medical supplement site:

If you are interested in our job offer, please click on link and fill application form
http://imgXXX.[removed].us/imgXXX/9823/[removed].swf

Spammers are also using this technique to advertise adult-oriented sites. Below is the text of one message observed, in which the adult part of the message is directly followed by the .swf link and then by some flavor text that has nothing to do with the intent of the message. Spammers insert flavor text such as this in an attempt to bypass anti-spam filters:


Reality video site starring real swinging couples
http://imgXXX.[removed].us/imgXXX/5742/[removed].swf
2-4 eggs beaten (extra yolks or whites are welcome) 45 minutes. Set aside =
to cool. Note: you can also use cooked white rice. I you use for storing =
the starter!

You never can tell what the spammer will try next in their attempt to become "king of the impossible," which is mail delivery of all their spam. As always, Symantec recommends that you do not click on links of unknown origin, because you never know what evil awaits you.
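One way a mail filter could flag the pattern described above, a message body linking to an .swf file on an image hosting site, is sketched below. This is an added example, not Symantec's detection logic; the host `imagehost.example`, the function name `find_swf_links` and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

# Assumption: placeholder for the image-hosting domains your gateway tracks.
IMAGE_HOSTS = ("imagehost.example",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def find_swf_links(raw_message: bytes, image_hosts=IMAGE_HOSTS):
    """Return one finding per link in a text part whose path ends in .swf."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes the transfer encoding, so a URL split by a
        # quoted-printable soft break ("=" at end of line) is rejoined.
        body = part.get_content()
        for raw_url in URL_RE.findall(body):
            url = raw_url.rstrip(".,;)")
            parts = urlsplit(url)
            # urlsplit keeps the query out of .path, so "x.swf?id=1" matches.
            if not parts.path.lower().endswith(".swf"):
                continue
            host = (parts.hostname or "").lower()
            hosted = any(host == h or host.endswith("." + h) for h in image_hosts)
            findings.append({"url": url, "host": host, "image_host": hosted})
    return findings

# Constructed sample (not a real capture): a job-offer lure, an .swf link
# broken by a soft line break, flavor text, and one harmless link.
SAMPLE = (
    b"Subject: job offer\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b"If you are interested, please click on link\r\n"
    b"http://img123.imagehost.example/img123/0000/appl=\r\nication.swf\r\n"
    b"2-4 eggs beaten. Set aside =\r\nto cool.\r\n"
    b"http://www.example.org/about.html\r\n"
)

if __name__ == "__main__":
    for finding in find_swf_links(SAMPLE):
        print(finding)
```

Because the hosting sites and .swf links rotate, the `image_host` flag is best treated as one scoring signal alongside the bare `.swf` match rather than as a blocklist.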