Security Response

Recycling Old Spamming Methods and Attacks

Created: 23 Jul 2009 19:21:46 GMT • Updated: 23 Jan 2014 18:33:49 GMT
Mayur Kulkarni

Over the last few months we have been keeping you informed about a rise in the category of image spam. This was mentioned in our April and June 2009 blogs on the topic, which specifically concentrated on how an old spamming method (image spam) is being reintroduced on a wider scale. Spammers have now shifted their focus from image spam attacks to obfuscated URL attacks—again, an old spamming technique. This type of obfuscation includes inserting white spaces and special symbols into the URL string to evade anti-spam filters. For image spam attacks, we have observed lines relating to intimacy in the subject header:

[Image: examples of intimacy-related subject lines observed in the image spam attack]

Later, we witnessed the same pattern being used with the obfuscated URL attacks. We can call this a transition phase, or change of tactic, from an image spam attack to an obfuscated URL attack. Most of the time these subject lines included words relating to intimacy, and over time they became quite predictable. So spammers simply dropped the intimacy-related subject lines and used legitimate, single-word, non-obfuscated subject lines instead. However, they moved the same intimacy-related lines into the mail body (with obfuscations), as shown in the examples below:

[Image: examples of obfuscated intimacy-related lines placed in the message body]

When spammers use single-word, non-obfuscated subject lines they gain several benefits over intimacy-related subject lines. For instance:

• All of them are legitimate English words
• There are thousands of possible English words to choose from
• Most importantly, users are least likely to suspect messages with these subject lines

When we compared both attacks (image spam vs. obfuscated URL spam) we found some similarities:

• Intimacy-related subject lines did not change when the transition (or change of tactic) from an image spam attack to the obfuscated URL attack began.
• Pharmacy-selling websites promoted in both campaigns had similar domain naming patterns and in some cases we found the same domains were used in both campaigns.
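The two observations above, URL obfuscation by inserted white space and symbols and the reuse of the same promoted domains across campaigns, can be turned into a simple filter-side check. The following is an added example written for this post, not Symantec's code or any product's detection logic: it normalizes a message body by stripping the characters that cannot appear in a URL, pulls out the host names that remain, and compares them against the domains seen in an earlier campaign. The message bodies, the earlier-campaign domain set, and the short TLD list are all constructed for the demo.

```python
from __future__ import annotations

import re

# Constructed sample message bodies (not taken from the original post). The
# obfuscation style follows the post's description: white space and special
# symbols inserted into the URL string, plus one legitimate message.
SAMPLE_BODIES = [
    "Be her hero tonight: w w w . example-pharm-1 . com / order",
    "Fast pills --> www *.* cheap - meds - 99 . biz",
    "Meeting moved to Friday, see http://intranet.example.org/calendar",
]

# Domains promoted by an earlier (constructed) campaign. Matching against
# this set tests the post's observation that later campaigns reuse domains.
EARLIER_CAMPAIGN_DOMAINS = {"example-pharm-1.com", "cheap-meds-99.biz"}

# Assumed short TLD list for the demo; a production filter would use a
# maintained public-suffix list instead.
_TLDS = r"(?:com|net|org|biz|info)"

# After normalization, a URL is a scheme or "www." followed by dot-separated
# labels ending in a known TLD. Group 1 is the host name.
_URL_RE = re.compile(
    r"(?:https?://|www\.)([a-z0-9-]+(?:\.[a-z0-9-]+)*\." + _TLDS + r")(?![a-z])"
)


def normalize(body: str) -> str:
    """Undo the padding described in the post: lower-case the text and drop
    every character that cannot appear in a URL host or path, so inserted
    spaces and symbols such as '*' or '^' vanish. Hyphens are kept because
    they are legal in host names, so a hyphen used as padding survives."""
    return re.sub(r"[^a-z0-9./:-]", "", body.lower())


def extract_domains(body: str) -> list[str]:
    """Return the host names found in a message body after normalization,
    with a leading 'www.' removed, in order of first appearance."""
    hosts: list[str] = []
    for match in _URL_RE.finditer(normalize(body)):
        host = match.group(1)
        if host.startswith("www."):
            host = host[len("www."):]
        if host not in hosts:
            hosts.append(host)
    return hosts


def triage(bodies: list[str], known_domains: set[str]) -> list[dict]:
    """Produce one record per message: the domains it promotes and which of
    them were already seen in an earlier campaign (domain reuse)."""
    report = []
    for index, body in enumerate(bodies):
        domains = extract_domains(body)
        reused = [d for d in domains if d in known_domains]
        report.append({"message": index, "domains": domains, "reused": reused})
    return report


if __name__ == "__main__":
    for record in triage(SAMPLE_BODIES, EARLIER_CAMPAIGN_DOMAINS):
        print(record)
```

Running the module prints one record per message; the two spam bodies resolve to domains already in the earlier-campaign set, while the legitimate message yields a host that is not. The normalization is deliberately crude: because it collapses the whole body, a word immediately before a URL is glued onto it, which is why the pattern anchors on a scheme or on "www." rather than on any run of letters, and spelled-out tricks such as "dot" for "." are not handled.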

Notably, the source IPs of the messages in both attacks are spread across many different geographical locations, which indicates a botnet. Taken together with the similarities above, we can also conclude that both attacks came from the same botnet.

When we look at both trends, we can conclude that spammers have started to believe in the concept of reusability. For example, they are using the same domains and subject lines, but with different attack styles. Perhaps this reduces the implementation time as well as the need for effectiveness tests. Most importantly, we now know that spammers are not only reimplementing old spamming techniques but also carrying traces of old attacks along in the process. These traces can definitely help us tackle the attacks more effectively. For now, we are monitoring these attacks and keeping a close watch for possible variations.