Image Spam Déjà Vu
Spammers advertising enhancement medication have recently revived the use of obfuscated image attachments and are therefore reemerging as a top threat to email users. Using .jpg-formatted image attachments, these spammers are trying every trick in the book to bypass spam filters, including randomizing the subject lines with misspelled, sexually suggestive catch phrases, using minimal message body content, and closing with obfuscated attached images.
Here are some examples of the kinds of message body content that have been observed:
• Canadiian policce ads pulled from gang Web sites
• Chocoholic squtirrel steals treatts from Finnish shop
• Perpetual Student Wants Onnne More Year
• The animal that stows its tongue inn its rib cage
• New Orleans R&B star begins posthumous mayoral bid
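The three traits described above (inserted-letter misspellings, a minimal body, and a .jpg or .gif attachment) can be checked together, as in this added example, which is not Symantec's filter logic. The wordlist, the body-length threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Assumption: tiny stand-in wordlist; a real filter would load a full dictionary.
WORDLIST = {"canadian", "police", "ads", "pulled", "from", "gang", "web", "sites",
            "squirrel", "steals", "treats", "finnish", "shop", "meeting", "notes",
            "attached", "are", "for", "our", "project", "review", "on", "monday"}
MAX_BODY_CHARS = 120  # assumed threshold for "minimal message body content"
IMAGE_SUBTYPES = {"jpeg", "gif"}


def one_insertion_typos(text):
    """Tokens not in WORDLIST that become a known word when one letter is removed."""
    hits = []
    for tok in re.findall(r"[a-z]+", text.lower()):
        if tok in WORDLIST:
            continue
        if any(tok[:i] + tok[i + 1:] in WORDLIST for i in range(len(tok))):
            hits.append(tok)
    return hits


def image_spam_traits(msg):
    """Report which of the traits described in the post this message shows."""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    images = [p for p in msg.iter_attachments()
              if p.get_content_maintype() == "image"
              and p.get_content_subtype() in IMAGE_SUBTYPES]
    typos = one_insertion_typos(msg.get("Subject", "") + " " + body)
    return {"image_attachment": bool(images),
            "minimal_body": len(body.strip()) <= MAX_BODY_CHARS,
            "inserted_letter_typos": typos}


def looks_like_image_spam(msg):
    """Flag only when all three traits occur together (at least two typos)."""
    t = image_spam_traits(msg)
    return (t["image_attachment"] and t["minimal_body"]
            and len(t["inserted_letter_typos"]) >= 2)


def build(subject, body, image_subtype=None):
    """Constructed sample message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if image_subtype:
        m.add_attachment(b"\x00" * 16, maintype="image", subtype=image_subtype,
                         filename="img." + image_subtype)
    return m
```

Requiring the traits in combination keeps an ordinary short message with a photo attached from being flagged on the attachment alone.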
The interesting highlight of this spam trend is the manipulation of images by using geometric shapes and figures in the image background. In the past, we have encountered background color blocks, wavy text, and multi-colored blurred backgrounds. Spammers are using a combination of all of the above in this recent wave of attacks.
Below are a few examples we have tracked since image spam started reemerging this year. As you begin scrolling through the images, you will notice the complexity of the obfuscation spammers are using, which started around late April 2009 and continues into the middle of June 2009.
The sample on the right shows grid lines in the background. Note that we’ve blacked out some of the rude text.
At the beginning of the month we posted a blog related to a spike in spam carrying .rtf attachments, which involved the download of an .rtf file that allowed an advertised spam domain to be displayed. On Friday, June 12, 2009, we started seeing a new breed of this attack. Spammers are using .gif-formatted image attachments with different colored backgrounds and random lines.
Twenty-four hours later, on June 13, 2009, the spammers mutated the image, becoming more offensive in their image selection by using two cartoonish image comparisons of the male anatomy, accompanied by an advertised website.
As always, Symantec recommends that users remain wary of any messages received from an unknown or unexpected source. And remember, if you’ve received a message that is selling something that sounds too good to be true, it’s probably because it is.
Note: Thanks to the key contributors to this blog: Joe Krug, Niall O’Reilly, and Sammy Chu.