In the past month, Symantec has observed a significant increase in spam messages, particularly in languages other than English, promoting online casinos and luxury product replicas. These spam messages contain links that use either URL-shortening or free Web-hosting services. The particular URL shorteners and free Web-hosting services involved have not commonly been used in spam attacks, and this is the first time they have been seen in a large spam attack.
Leisure-themed spam attacks promoting online casinos were mostly observed in Italian and German and offered a welcome bonus of €1200.
The English translation of the subject and body of the above message in Italian is:
(Using Google translation)
Subject: Playing without investing money, 1200 bonus
Message body: It could not be easier, simply register, deposit and receive a fantastic welcome bonus, then start winning! € 1200 - CLICK AND DOWNLOAD
The English translation of the subject and body of the above message in German is:
(Using Google translation)
Subject: Huge payouts and bonuses in 1200 just today
Message body: Great graphics and the newest Casino Software - Play here and you make an incredible experience.
€ 1200 - TO CLICK AND TO RECEIVE
Sample subject line variations observed in this attack are:
Subject: I miracoli avvengono,1200 al momento della registrazione
Subject: Primavera regalo, 1200 al momento della registrazione
Subject: Giocare senza investire denaro, 1200 di bonus
Subject: Un bonus di 1200 di registrazione
Subject: 1200 di bonus, diamo valore ai nostri client
Subject: Riesige 1200 Boni und Auszahlungen nur heute
The spam attack was launched in the first week of October and was observed to be at its peak on October 6, 2010, as seen in the graph below. The attack was active until the third week of October.
The URLs observed in the body of the spam messages were of the following type:
hxxp://migre.me/1xxc2
hxxp://qurl.com/nxxv4
Using the same URL shorteners, another spam attack promoting fake pharmaceutical products was observed towards the end of October and remained active through the first week of November. The messages in this spam attack were mainly observed in German.
The English translation of the subject and body of the above message in German is below.
(Using Google translation)
Subject: I've tried it is more pleasant
Message body: New drug for the men of any age - the steadfast sexual effect and the pleasant price
Using the same template as in the above spam messages, the notorious spammers, ever mindful of significant events and festivals, further launched a spam attack promoting luxury product replicas. The spammers have made every attempt to lure online shoppers into buying these fake products during the holiday seasons of Thanksgiving and Christmas.
The English translation of the subject and body of the above message in Italian is below.
(Using Google translation)
Subject: Interesting jewelry Swiss watches
Message body: Best field in Europe for Swiss watches and luxury gifts. reasonable price and prompt delivery of goods.
The Web pages promoting the fake product offers were hosted on a wide variety of free Web-hosting services, as the URLs used in this spam attack show below.
hxxp://varxxxx285.freewaywebhost.com/yxxxxq.html
hxxp://ilicxxx1155.fcpages.com/wxxxxh.html
hxxp://zorxxxx1339.o-f.com/wxxxxuf.html
hxxp://volixxxx1805.dreamstation.com/puxxxxka.html
hxxp://akaxxx521.100megsfree5.com/usxxxxij.html
hxxp://jokxxxxc.freewebportal.com/exxxxv.html
hxxp://xafxxxehi.maddsites.com/bxxxxxu.html
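As an added example (not Symantec's code or Brightmail logic), the following Python shows how a mail filter or analyst script could pull URLs out of a message body, including the defanged hxxp form used above, and label each one by the shortener and free Web-hosting domains named in this post. The sample body and its account names and paths are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Service domains taken from the URLs shown in this post.
SHORTENERS = {"migre.me", "qurl.com"}
FREE_HOSTS = {"freewaywebhost.com", "fcpages.com", "o-f.com", "dreamstation.com",
              "100megsfree5.com", "freewebportal.com", "maddsites.com"}

# Matches http(s) URLs, including the defanged hxxp:// form used in reports.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return URLs found in text, with hxxp refanged to http for parsing only."""
    urls = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)]}")  # drop trailing sentence punctuation
        urls.append(re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE))
    return urls


def classify_url(url):
    """Label a URL 'shortener', 'free-hosting' or 'other' by its host name."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return "other"
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENERS:
        return "shortener"
    # Free hosts give each account its own subdomain: <account>.<service domain>.
    # The leading dot stops look-alikes such as notmaddsites.com from matching.
    if any(host.endswith("." + domain) for domain in FREE_HOSTS):
        return "free-hosting"
    return "other"


def scan_message(body):
    """Map every URL in a message body to its category."""
    return {url: classify_url(url) for url in extract_urls(body)}


# Constructed sample body: account names and paths are hypothetical placeholders.
SAMPLE_BODY = (
    "1200 di bonus: hxxp://qurl.com/EXAMPLE1.\n"
    "Orologi: hxxp://acct0000.maddsites.com/EXAMPLE.html\n"
    "Altro: http://maddsites.com.example.net/x e https://www.example.org/\n"
)
```

A host that merely embeds a listed domain (the third sample URL) is labelled "other", so only real subdomains of the listed hosting services are flagged.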
There was a spike in replica-based spam messages during the second week of November and the spam attack is still active. The product spam campaigns are expected to continue all through the holiday season.
Symantec customers can be assured that Symantec’s mail security products (powered by Brightmail technology) block these and other types of spam email attacks.
Thanks to Paresh Joshi for the spam samples contributed to this blog.