
Personalized Spam

Created: 10 Aug 2010

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Spammers use many tactics to add legitimacy to their emails. One technique used is the personalization of their spam, where the spammer will add text to the email that specifically mentions the recipient, a technique often used in legitimate marketing campaigns.

A legitimate marketing email from a well-known company will usually include the recipient’s name. In this case the marketer will likely have access to the user’s personal information because the user has signed up to receive their newsletter or is a previous customer.

For a spammer, obtaining personal information is not so simple. An easy way for them to get a similar effect, though, is to simply use the email address to which they are sending. While this is not a name, it can have the same effect by making the email appear as though it was sent in accordance with a legitimate mailing list, rather than spammed at random. This can be a fairly effective tactic, as a lot of websites now use email addresses as usernames.

The body of these spam emails is typically very short. In all the samples MessageLabs Intelligence analyzed, the body appeared as a single line, which was the URL the spammer wanted the recipient to visit. This is fairly common in spam, because the spammer wants to get the recipient to the website as soon as possible. The longer the recipient spends looking at a spam email, the more likely they are to realize it is a scam, or just close the email because it took too long to read. The goal is to make the user curious enough about what is being offered to click the link.

In this particular example, the spammer has also "personalized" the URL. This has the double effect of giving one extra bit of legitimacy to the scam as a whole and allowing the spammer to track which users are responding. These emails all link to the same "online pharmacy" website, as shown below.

This type of spam comes mostly from the Grum botnet (Grum sent 70% of these emails from January 1 to August 8, 2010), and has made up around 10% of global spam since January 2010, peaking as high as 29% of spam in mid-July.
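A mail-filter heuristic for the traits described above (a body that is a single URL, with that URL personalized to the recipient), as an added example that is not part of the original post. It assumes the personalization is the recipient's address or its local part appearing in the URL or subject, possibly percent-encoded; the function names and sample messages are constructed for illustration.

```python
import re
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def recipient_tokens(recipient):
    """Strings that would tie a URL or subject to this recipient."""
    addr = recipient.strip().lower()
    local = addr.partition("@")[0]
    # Very short local parts ("jo") would match unrelated URLs, so skip them.
    return {addr, local} if len(local) >= 4 else {addr}

def contains_token(text, tokens):
    """Match after percent-decoding, so user%40example.com is still caught."""
    decoded = unquote(text).lower()
    return any(t in decoded for t in tokens)

def analyze(recipient, subject, body):
    """Return the list of personalized-spam traits found in one message."""
    tokens = recipient_tokens(recipient)
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    urls = URL_RE.findall(body)
    traits = []
    if len(lines) == 1 and URL_RE.fullmatch(lines[0]):
        traits.append("single-line-url-body")
    if any(contains_token(u, tokens) for u in urls):
        traits.append("recipient-in-url")
    if contains_token(subject, tokens):
        traits.append("recipient-in-subject")
    return traits

def is_suspect(traits):
    # The combination the post describes: a bare link that also names the recipient.
    return {"single-line-url-body", "recipient-in-url"} <= set(traits)

# Constructed sample messages (not real spam samples).
SAMPLES = [
    ("alice.smith@example.com", "alice.smith@example.com 80% off",
     "http://shop.example.net/?id=alice.smith%40example.com\n"),
    ("alice.smith@example.com", "Your August newsletter",
     "Hello Alice,\nOur new catalogue is out.\nhttp://news.example.org/august\n"),
]

if __name__ == "__main__":
    for rcpt, subj, body in SAMPLES:
        traits = analyze(rcpt, subj, body)
        print(rcpt, traits, "SUSPECT" if is_suspect(traits) else "ok")
```

A tracking token that is hashed or otherwise encoded rather than the literal address will not match, so this is best used as one scoring signal alongside sender reputation.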

There has also been some personalised spam from the Cutwail botnet that uses a slightly different technique. Rather than trying to trick the recipient with the recipient’s own email address, the spammer simply uses the email address from which they are sending (or pretending to send). In this instance the email is pretending to be from a well-known file sharing service, telling the recipient that someone has sent them a file.

The principle is the same as before: to try to make the recipient curious. Before, it was to make the recipient wonder what was being offered by someone who knows who they are; this time it is to make them wonder what they have been sent by a stranger. In the case of this particular sample, what they have been sent is a piece of malware disguised as a document that will infect their computer without them realizing, leaving it open to be controlled by the spammers at will.

This is all just another type of social engineering, as the weakest point in any computer system is not the hardware or the software but the people using it, and the criminals know this. Beware of anything that you didn’t specifically ask for, especially from unknown sources, and of course always keep your anti-virus software up to date!