Symantec has observed at least two major social networking sites being spoofed in spam attacks this week. The spam is likely hitching a ride on the back of a recent phishing scam, as discussed on our Norton Protection Blog. The spam emails appear to be official notifications from the social networking sites, with identical subject line formats. The headers of the messages, such as the message ID, the received lines, and even the custom X-headers, have been carefully crafted to mimic a legitimate email as closely as possible.
The lure of the emails is the promise of a free mobile phone. There are two different attack vectors being used. In the first variation the user is invited to click directly on a link in the email. In some cases, a free blogging site is used as an intermediary to redirect end users to the ultimate destination URL in order to avoid spam filters. In other cases, as in the example shown below, the spammer has linked directly to a suspicious site.
The domain being utilized was recently registered anonymously via a third party on December 19, 2008, and the site has already been taken down.
In the second variation the user is invited to join a group on the social networking site. In this case the link in the email actually goes to a real group that was created on the social networking site by the spammers. The group then links to a free blogging site as an intermediary to redirect end users to the ultimate destination URL. So far, many of the messages observed are using the same single social networking group. This may be because the campaign was an experiment by the spammers, or because creating multiple groups associated with multiple accounts could be too time-consuming.
Once the user arrives at the destination URL, they are asked to fill out a form that collects personal information. This information can be sold on to marketing companies and/or used in future spam campaigns. Symantec recommends that you do not accept any social networking invitations from names that are unfamiliar to you.
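Because the headers are crafted to look legitimate, a filter has more to work with in where the links point. The following is an added example, not Symantec's detection logic: it classifies each link in a notification against the brand the message claims to come from. All domains (`social.example`, `blog.example`, `free-phone.example`), the blog-host list and the sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hypothetical free blog-hosting suffixes; a real list is deployment-specific.
BLOG_SUFFIXES = ("blog.example",)

class _Hrefs(HTMLParser):
    """Collect the lower-cased host of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = (urlsplit(dict(attrs).get("href") or "").hostname or "").lower()
            if host:
                self.hosts.append(host)

def _under(host, domain):
    # Match the domain itself or a true subdomain, never a look-alike suffix.
    return host == domain or host.endswith("." + domain)

def classify_links(raw, brand_domain):
    """Return {host: verdict} for each link in the HTML part of a notification."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = _Hrefs()
    parser.feed(body.get_content() if body else "")
    verdicts = {}
    for host in parser.hosts:
        if _under(host, brand_domain):
            verdicts[host] = "on-brand"
        elif any(_under(host, s) for s in BLOG_SUFFIXES):
            verdicts[host] = "blog-intermediary"
        else:
            verdicts[host] = "off-brand"
    return verdicts

def _sample(href):
    # Constructed message: the From header claims the social site, as in the spoofed spam.
    return ("From: Social Example <notify@social.example>\n"
            "Subject: You have a new invitation\n"
            "MIME-Version: 1.0\n"
            "Content-Type: text/html; charset=utf-8\n\n"
            f'<p>Free mobile phone: <a href="{href}">click here</a></p>\n')

DIRECT = _sample("http://free-phone.example/claim")       # first variation, direct link
VIA_BLOG = _sample("http://offer123.blog.example/")       # first variation, blog redirect
VIA_GROUP = _sample("http://www.social.example/group?id=1")  # second variation
```

The second variation comes back as `on-brand` because the email links to a real group on the site, so a link check on the message alone does not catch it; the redirect has to be found in the group's own content.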