Independence Day Offer: Spam Edition
As most all of us will know, the United States’ Independence Day is on the fourth of July, which is only a few days away. Independence Day is commonly associated with fireworks, parades, barbecues, fairs, ceremonies, get togethers, and various other public and private events celebrating the national holiday. Many people also utilize this time for vacation trips, especially if it’s a long July 4th weekend. However, not everyone goes out of town or participates in special events. Some people actually take advantage of the nice holiday weekend to stay at home and catch up on other activities, which may include shopping. Since sales levels are usually lower during holiday weekends, stores and online shopping sites offer lots of exciting deals. In any case, today’s technology makes it possible to shop online from anywhere—even while on a beach vacation, say!
The spammers, as always, have exploited this likelihood and are distributing spam messages promoting luxury products replicas, pharmaceuticals, and other products. Some sample From and Subject lines observed in the latest July 4th holiday spam campaigns are below:
From: Rolex.com <firstname.lastname@example.org>
From: "July 4th Sale " <email@example.com>
From: "Earle Luaces" <firstname.lastname@example.org>
Subject: email@example.com Rolex.com For You -71%
Subject: All Natural Male Enhancement Medicine Is Your Best Choice obdurate desecrate
The above screenshot shows a message from the spam campaign that is marketing luxury product replicas. If the image or any of the URL links are clicked, you are redirected to a Web page marketing various product replicas. The page also features a special Independence Day sale (screenshot below). Somewhat predictably, the “Unsubscribe” link included in the spam email also redirects to the same Web page (hxxp://xxx.rolex.com.<removed>fork.com/secure.php?cmd=home).
These Web pages are hosted on a domain that is most likely owned by the spammers—it was created recently on June 24, 2011. Many of these domains were found to be registered in Russia.
Spam email messages promoting pharmaceutical products often include random text and a URL link in the message body. URLs in these spam messages are created using URL-shortening services. When clicked, the URL is redirected to a Web page that is marketing pharmaceutical products, offering unbelievable (and largely bogus) discounts for the July 4th weekend.
The IP addresses that are involved in the above spam campaigns were traced back to Brazil and Argentina. The machines behind these IPs are likely infected with a spam-sending Trojan and are part of a botnet. The IP addresses have already been blacklisted for their past involvement in such spam campaigns.
Spam emails that are promoting popular gadgets and outdoor grilling products at a discounted rate are also being observed in yet another spam campaign. Below is a sample screenshot of a message from this particular spam campaign. Lots of people would like to fire up that grill on the upcoming 4th of July weekend, but unfortunately these spam messages don’t provide you with what they claim to be able to provide. They only redirect victims to another dubious lotto site.
The URL that is linked in the email consists of a spammer-owned domain “sonicboomdeals.com” that was created recently on June 29, 2011, and is registered in the United States. Unlike the aforementioned spam campaigns, infected botnet machines are not responsible for sending this particular product spam, but are sent by a technique that is sometimes known as “snowshoe” or “hit-and-run” spamming.
Here are some basic tips for handling spam email messages:
1. Don’t open any obvious spam email messages; in fact, just delete them.
2. Don’t click on any images or links in unsolicited email messages. Verify the validity of the message and ensure you are fully aware of who the sender of a message is.
3. Don’t click on “Unsubcribe” links in email messages that have been sent to you by an unknown or untrusted sender. Doing so may only provide spammers with more information about you and assure them that your email address is valid and is in use (and they will send more spam to you).
Note: My thanks to Saurabh Farkade and Vivek Krishnamurthi for the spam samples contributed to this blog.