Video Screencast Help

Increase in Hit & Run Spam

Created: 20 Mar 2012 18:41:34 GMT • Updated: 23 Jan 2014 18:16:38 GMT • Translations available: 日本語
Eric Park's picture
+3 3 Votes
Login to vote

During the past two weeks, Symantec has observed an increase in hit & run spam activities (also known as snowshoe spam) in its Global Intelligence Network. Hit & run spam messages have the following characteristics:

  • Usually originates from IP ranges with neutral reputation
  • Uses a large IP range to dilute the amount of spam sent from each IP address
  • Contains features (such as Subject line, From line, and URLs) which change quickly
  • URL is the call-to-action
  • Often uses large quantity of “throw-away” domains in a single spam campaign

Here is a breakdown of top three products or services promoted by such spam over last week:

Date

#1Spam Promo

#2 Spam Promo

#3 Spam Promo

3/11

Solar panels

Hair loss medication

Auto insurance

3/12

Hair loss medication

Non-stick pan

Home security system

3/13

Hair loss medication

Maid service

Auto insurance

3/14

Hair loss medication

Maid service

Auto insurance

3/15

Maid service

Pet medication

Backyard makeover

3/16

Non-stick pan

Pet medication

Cleaning product

3/17

Auto clearance

Refinance offer

Credit card offer

3/18

Life insurance

Auto warranty

Ink cartridges

In addition to above, there were also hit & run messages promoting the following products or services:

  • Auto warranty
  • Satellite TV
  • Learning new language
  • Floral products
  • Auto loan
  • Free credit reports
  • Online dating service
  • Work-at-home opportunities
  • LASIK service

The spammer uses varying subject lines to offer the same type of product or service. For example, here is a list of sample subject lines offering a hair loss product:

Subject: Finally a hair solution that works for Women
Subject: Attention Women: Get fuller hair risk free
Subject: See the latest trick for thinning hair
Subject: Try the newest solution to regrow hair. Risk Free
Subject: See how celebs get fuller thicker hair
Subject: Attention Women: See the latest trick to restore hair

In addition, some spammers insert hyphens at random locations to further increase their chances of successfully delivering the spam message.  Here is a list of sample subject lines offering home security:

Subject: [BRAND NAME REMOVED] De-aler $99 Install He-re to help Pro-tect You
Subject: [BRAND NAME REMOVED] monitored and Dea-ler installed
Subject: [BRAND NAME REMOVED] De-aler Installed se-curity sy-stem $99
Subject: [BRAND NAME REMOVED] De-aler Fr-ee Sys-tem Of-fer
Subject: [BRAND NAME REMOVED] Home Security is #1- Fr-ee Security Sy-stem!
Subject: [BRAND NAME REMOVED] is #1 This De-aler has a $99 Install
Subject: [BRAND NAME REMOVED] monitored se-curity from Top De-aler $99 install
Subject: [BRAND NAME REMOVED] can help pro-tect your home in 2012
Subject: [BRAND NAME REMOVED] Auth De-aler $99 install with Fr-ee S-ystem
Subject: [BRAND NAME REMOVED] De-aler $99 Of-fer Dont settle for le-ss

While the presence of URLs is not the only condition to make the message qualify as hit & run spam, the chart below shows the percentage of spam messages containing an URL increasing during the past week:

Symantec continues to monitor this trend and create additional filters to target these attacks. In addition, Symantec advises enterprises and consumers to also adapt best practices found in the Symantec Intelligence Report.