Spam messages promoting pharmaceutical products have been perhaps the most commonly seen spam attacks over the past several years. Pharmaceutical products are deceptively marketed through spam emails employing a variety of obfuscation techniques. Symantec recently observed a pharmaceutical spam campaign abusing the YouTube brand. Similar spam campaigns abusing popular brands have been seen in the past, however, the email volume observed in this particular spam attack has been immense.
Sample From and Subject lines observed in this spam attack are below.
From: YouTube Service <firstname.lastname@example.org>
Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
Subject: YouTube Service sent you a message: Best Unrated Videos To Watch
With these subject lines, the spammers have attempted to instill a sense of curiosity among the recipients. The spam messages either state that the recipient’s video features as a top video on YouTube, or that the recipient’s particular video has been removed due to a terms-of-use violation. The text, accompanied by URL links in the message body, as in most cases, is the call to action in this spam campaign. The included URLs which appear to link to YouTube are in fact spam URLs hosted on a hijacked domain. When clicked, all URLs redirect to a Canadian pharmacy Web page (screenshot below) hosted on a recently created domain owner by the spammer. Some of these domains were found to be registered in Russia and France. The spammer, ironically, has placed a link to report spam which is just another redirect to the same pharmacy Web page. YouTube is obviously NOT behind this spam campaign, nor does it send out any emails that lead to Web pages endorsing such products.
The IP addresses involved in these spam attacks are part of botnets and have been blacklisted for their past involvement in such spam campaigns. It is likely that these messages were sent using multiple botnets to distribute high-volume of spam.
The above spam messages were observed in the Symantec Probe Network on May 24, 2011. Another variant of the spam message having a similar template was observed on May 30, 2011. Symantec Brightmail filters are in place to block these spam attacks. In the first few hours alone, we have blocked over 100,000 spam messages from this attack. At its peak on May 30, 2011, over 800,000 messages were blocked on a single day. The graph below shows how many messages have been blocked from this attack.