As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message.
The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam.
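The message shape described above (little or no real body text, a PDF attachment that accounts for most of the message size) can be measured at the mail gateway. The following is an added example, not code from the report or from Symantec; the function names, the sample messages and both thresholds are assumptions chosen for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed triage thresholds for illustration; the report gives no numbers.
MAX_BODY_WORDS = 40    # at or below this, the body carries "no real text"
MIN_PDF_SHARE = 0.80   # PDF bytes as a share of all decoded part bytes


def pdf_spam_signals(raw: bytes) -> dict:
    """Measure how much of a message is PDF attachment versus readable body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_words = pdf_bytes = total_bytes = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        total_bytes += len(payload)
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            pdf_bytes += len(payload)
        elif part.get_content_type() == "text/plain" and not part.is_attachment():
            body_words += len(part.get_content().split())
    share = pdf_bytes / total_bytes if total_bytes else 0.0
    # Word salad inflates body_words, so the byte share is checked independently.
    suspect = pdf_bytes > 0 and (body_words <= MAX_BODY_WORDS or share >= MIN_PDF_SHARE)
    return {"has_pdf": pdf_bytes > 0, "body_words": body_words,
            "pdf_share": share, "total_bytes": total_bytes, "suspect": suspect}


def build_sample(body: str, pdf_len=None) -> bytes:
    """Constructed sample: a text body plus an optional dummy PDF attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Update"
    m.set_content(body)
    if pdf_len is not None:
        m.add_attachment(b"%PDF-1.4\n" + b"0" * pdf_len, maintype="application",
                         subtype="pdf", filename="newsletter.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    salad = "\n".join(" ".join(["lorem"] * 10) for _ in range(20))
    for label, raw in [("short body + PDF", build_sample("see attached", 50_000)),
                       ("word salad + PDF", build_sample(salad, 50_000)),
                       ("long note + small PDF", build_sample(salad, 500)),
                       ("no attachment", build_sample("hi"))]:
        print(label, pdf_spam_signals(raw))
```

A legitimate "see attached" message matches the same shape, so the `suspect` flag is a reason to inspect the attachment's content, not a verdict on its own.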
We have seen a few different variants of this type of spam thus far. The first one is the newsletter variant, in which a PDF attachment is made to resemble a legitimate newsletter. The second variant is one in which the PDF attachment resembles the more familiar images of a pump and dump stock operation. Samples of both can be seen in the July State of Spam Report.
The most prevalent type of PDF spam that was detected in the month of June was pump and dump stock spam. Once opened, the PDF file displays an image of a stock symbol and some text indicating it’s the one to buy. The image has many of the same obfuscation techniques seen in past pump and dump stock spam: color variations, font variations and pixelation.
One example of PDF pump-and-dump spam that we have seen over the past couple of weeks is German stock spam. This particular spam comes in the format of a PDF; however, instead of an obfuscated image, the PDF is formatted to more closely resemble a newsletter and is specifically hyping German stocks.
Also seen in June was a rise in scam, fraud, and phishing attacks. Some of the phishing attacks included malware attached to email and/or linked within the email. One attack actually used the PDF technique that was described above. It claimed to come from a bank and not only contained attachments "with personal account access and authorization" but also had a .exe file that delivered a virus.
Another phishing attack that was seen claimed to come from the IRS. It too contained malicious code, the Backdoor.Robofo virus. We also observed a spoof of the Microsoft Security Bulletin claiming to come from Microsoft that contained details about a vulnerability and provided a link to where an update can be downloaded. This link is spoofed and clicking it will begin a malware download onto your computer. Samples of these can also be found in the July State of Spam Report.
Other spam trends noted for the month of June were:
- Father’s Day spam that peddled the usual "Dad" items such as golf clubs, cards and cigars;
- Directory harvest attacks (DHA) that took a more simplified approach to gathering legitimate email addresses;
- An attack offering free money to start a business merely by calling a phone number; and,
- Emails with subject lines regarding current affairs and bodies peddling medical spam.
This month’s regional spotlight highlights the Asia/Pacific/Japan region. This section shows the breakdown of spam categories for the region. The regional category percentages are relatively similar to those seen in the global categories. It also highlights notable spam attacks, including one that incorporates famous names in email subject lines to lure recipients to open them.
You can read about these trends and sample attacks in Symantec’s newest State of Spam Report.