Beginning on New Year's Day, January 1, 2012, and continuing into the days that followed, Symantec Intelligence identified spammers taking advantage of the New Year, seemingly to entice users into clicking on spam links contained in their email messages.
Further investigation revealed that spammers were compromising legitimate Web servers, leaving the main Web site content intact (to avoid or delay detection) and adding only a small PHP script, typically named "HappyNewYear.php", "new-year-link.php" or "new-year.link.php". These scripts do nothing more than redirect the visitor to a spam pharmaceutical Web site.
Analysis of one of the messages we saw using these links makes the spammers' motives clearer, as can be seen in figure 1, below.
Figure 1: Example spam email containing New Year reference in spam URL
The message uses social engineering techniques to try to entice the recipient to open the link. The "friend_id" parameter in the URL is presumably intended to suggest that the destination is some kind of social networking Web site.
In addition, around New Year, many Web sites and blogs publish "top ten" lists of the past year and their predictions for the coming year, so a URL containing the phrase "new year" may seem relevant and topical, increasing the likelihood of it being opened.
However, this is just the social engineering element: the URL redirects (through the compromised Web server) to a familiar spammer "My Canadian Pharmacy" Web site, as can be seen in figure 2, below.
Figure 2: Example spam Web site redirected from New Year spam URL
Symantec Intelligence has seen over 10,000 unique domain names compromised with this "new year link" redirect script. The presence of a file called "new-year-link.php" or similar on a Web server is a strong indication that the server has been compromised. Note that simply deleting the script is not enough: whoever dropped it had write access to the Web root, so the way in (an unpatched application, weak or stolen credentials) must be found and closed, which serves as a timely reminder to ensure that all servers are properly patched and updated.
This is just the latest example of spammers using holidays and current events to try to make their mails more appealing. In the run-up to Christmas in 2011, spammers spoofed a number of legitimate retailers, offering Christmas special offers and deals on a variety of products (typically counterfeit watches and drugs). As we've separately covered in the Symantec Intelligence Report and in some of our blogs, 419 or advance fee fraud scammers are also skilled at using notable holidays, anniversaries and current events to their advantage; for example, there was an increase in the number of scams relating to the devastating earthquake in Japan last year and the "Arab Spring" movement, among many others.
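The two indicators described above (the reported script names, and a tiny PHP file whose only job is to redirect visitors off-site) can be turned into a quick triage check for a Web root. The following is an added example written for this page, not a Symantec tool and not code recovered from a compromised server. It assumes the dropped scripts are small and issue their redirect with PHP's `header('Location: ...')`, and the sample site it builds in a temporary directory (file names, contents and the `pharmacy.invalid` / `redirector.invalid` hosts) is constructed purely for demonstration.

```python
import os
import re
import tempfile

# File names Symantec reported for the redirect script; the pattern also
# tolerates small variations in separators and case.
NAME_PATTERN = re.compile(
    r"^(happynewyear|new[-_.]?year[-_.]?link|new[-_.]?year)\.php$", re.I)

# A PHP redirect to an absolute URL: captures the target host.
REDIRECT_PATTERN = re.compile(
    r"""header\s*\(\s*['"]Location:\s*https?://([^'"\s/]+)""", re.I)

# Assumption: the dropped scripts are tiny; larger files are skipped so that
# a legitimate application file is not flagged on a single redirect line.
MAX_REDIRECT_SCRIPT_BYTES = 2048


def is_suspicious(path, site_hosts):
    """Return a reason string if `path` looks like a dropped redirect script, else None."""
    name = os.path.basename(path)
    if not name.lower().endswith(".php"):
        return None
    if NAME_PATTERN.match(name):
        return "filename matches reported redirect-script names"
    try:
        if os.path.getsize(path) > MAX_REDIRECT_SCRIPT_BYTES:
            return None
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            body = fh.read()
    except OSError:
        return None
    m = REDIRECT_PATTERN.search(body)
    if m and m.group(1).lower() not in site_hosts:
        # Redirects to the site's own hosts are normal; off-site ones are not.
        return "small script redirecting off-site to " + m.group(1)
    return None


def scan_webroot(root, site_hosts=()):
    """Walk `root` and return sorted (relative path, reason) pairs for suspicious PHP files."""
    hosts = {h.lower() for h in site_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reason = is_suspicious(full, hosts)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample site: legitimate files plus three dropped scripts."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        # Legitimate: no redirect at all.
        "index.php": "<?php require 'lib/app.php'; render_home(); ?>\n",
        # Legitimate: large application file, skipped by the size cut-off.
        "lib/app.php": "<?php\nfunction render_home() { echo 'Welcome'; }\n// " + "x" * 3000,
        # Legitimate: small redirect, but to the site's own host.
        "login.php": "<?php header('Location: http://www.example.com/account'); exit; ?>",
        # Dropped: matches a reported file name.
        "new-year-link.php": "<?php header('Location: http://pharmacy.invalid/?friend_id=1'); ?>",
        # Dropped: reported name, hidden in a sub-directory.
        "img/HappyNewYear.php": "<?php header('Location: http://pharmacy.invalid/'); ?>",
        # Dropped: innocuous name, caught only by the off-site redirect heuristic.
        "blog/upd.php": '<?php header("Location: http://redirector.invalid/x"); exit;',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, reason in scan_webroot(sample, site_hosts=["www.example.com"]):
        print(f"{rel}: {reason}")
```

Run against a real Web root, the name check is cheap but only catches this one campaign, while the redirect heuristic will also surface the next renamed variant; both should be read alongside file modification times, the Web server's access logs and, where one exists, a diff against the deployed release in version control, since any file the attacker could write is a file they could have modified.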
January 23 also sees the start of Chinese New Year (also referred to as "Spring Festival") celebrations. With celebrations continuing for several days, it is the most important traditional Chinese holiday, and is also celebrated in many countries and territories with significant Chinese populations. The huge interest in this event, which this year welcomes the "Year of the Dragon", means that spammers and malware authors are likely to try to exploit this annual festivity.
Symantec Intelligence also expects to see spammers taking advantage of the fast-approaching Valentine's Day. It is likely that pharmaceutical spammers will take advantage of the day's romantic connotations, typically to promote their erectile dysfunction drugs, while malware authors are likely to use the popular idea of having a secret admirer to lure victims into unwittingly installing malware.
Following Valentine's Day, we also expect to see plenty of spam and malware taking advantage of the upcoming UEFA Euro 2012 football tournament, jointly hosted by Ukraine and Poland. Once UEFA Euro 2012 is over, it's not long until the Summer Olympics in London. Indeed, we have already seen many references to the games in 419 or advance fee fraud messages. These messages have included attachments such as "London 2012 Olympic Games.doc", "LONDON 2012 OLYMPIC GAMES RAFFLE PROGRAM.doc" and "LONDON OLYMPICS LOTTERY WINNER!.doc", to name but a few; one such message is shown in figure 3, below.
Figure 3: Example 419 spam referencing a forthcoming major sporting event
By relating their mails to widely-celebrated holidays and current events with global interest, spammers and malware authors can (at first glance at least) make their messages more interesting, and increase the chance of recipients visiting spam Web sites or becoming infected.
Therefore, as major events draw closer, notably St. Valentine's Day and the London Olympic Games, the social engineering employed by spammers will almost certainly be adapted to take advantage of people's interest in these events. We expect to see an increase not only in spam activity relating to these events, but also in scams and 419 frauds. With legitimate Web servers being exploited in many of these latest attacks, it is especially important to remain vigilant and to ensure that businesses follow best practice for patching and maintaining Web and other potentially vulnerable servers.