Email Security.cloud


Spammers get creative: spoofing email from social networking sites and using visual tricks 

Oct 29, 2010 01:03 PM

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Spammers can be quite creative
Spammers will try anything to get their spam past your filters and into your inbox. We've seen many tricks involving random text hidden in the body, use of images, and a message body containing nothing but a link to the main message somewhere on the web. This example is one of the more elaborate (but ultimately futile) attempts that I've seen.
 
Recently we have been seeing a run of emails that pretend to inform the recipient that they have a number of "unread" or "important" messages waiting for them on a well-known social network. Over a 3-day period, between the 24th and 26th of October, we saw roughly 18,500 of these. Since then the volume has dropped to fewer than 100 per day, but we are still seeing them.
 
The use of a well-known social media brand name is the first part of the approach to bypass filters. The message copies the format of common legitimate email subjects and cannot be detected based on a signature related to the subject alone. It is also a piece of social engineering, to try and entice an unsuspecting user into opening the email.
 
On opening the email, you can immediately see that the email has nothing to do with the social network mentioned in the subject line, but is instead spam trying to get people to buy pharmaceuticals.
 


At first glance this looks like image spam (where the "text" is actually part of an image), which is usually an attempt to make it readable by humans but not computers. However, in this case there are no images in the email. If we look at the email with HTML rendering turned off, the plain text section displays a string of legitimate links to genuine companies (most likely an attempt to poison spam filters) followed by seemingly random text.
 
 

 
 
However, if we look at the rendered HTML again, but this time highlight all the text in the mail, you can see the same, seemingly random, text.
 
 
 
This means that the text isn't random at all, but is instead intended to disguise the real text of the email, making it much harder to automatically recognize certain words. The use of HTML tags to change background and font colors allows the spammers to make only the desired characters visible to humans. To a machine, it still appears as simple text in HTML format, thus making it very difficult for standard filters to spot words. In this case the HTML is also used to draw what appears to be a green cross image.
 
Spammers can be really creative in their approaches to getting messages through to people. In this case the fact that, aside from a few links, there is no recognizable text in the message, automatically makes it suspicious. More advanced techniques, like contrast analysis, can be used to allow a computer to identify that some letters would not be visible to humans, making it possible for the computer to analyze the real message and stop it from reaching any potential victims.
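
The contrast analysis mentioned above can be sketched as follows. This is an added example, not the filter code of the author or the vendor; `split_by_contrast`, `VisibleText` and the 1.5 threshold are assumptions, and only `#rrggbb` colors set through `color`/`bgcolor` attributes or an inline `style` are handled.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "meta", "link", "input"}  # tags with no end tag

def luminance(color):
    """WCAG relative luminance of a '#rrggbb' color."""
    chans = [int(color[i:i + 2], 16) / 255 for i in (1, 3, 5)]
    lin = [c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4 for c in chans]
    return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2]

def contrast(fg, bg):
    """WCAG contrast ratio: 1.0 (identical colors) to 21.0 (black on white)."""
    hi, lo = sorted((luminance(fg), luminance(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

class VisibleText(HTMLParser):  # splits text into human-visible vs color-hidden
    def __init__(self, min_ratio):
        super().__init__()
        self.min_ratio, self.visible, self.hidden = min_ratio, [], []
        self.stack = [("#000000", "#ffffff")]  # assumed default: black on white

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a, (fg, bg) = dict(attrs), self.stack[-1]
        # Inline style is matched first, then legacy attributes, else inherit.
        css = "%s;color:%s;background:%s" % (a.get("style"), a.get("color"), a.get("bgcolor"))
        m_fg = re.search(r"(?<![-\w])color\s*:\s*(#[0-9a-fA-F]{6})", css)
        m_bg = re.search(r"background(?:-color)?\s*:\s*(#[0-9a-fA-F]{6})", css)
        self.stack.append((m_fg.group(1) if m_fg else fg, m_bg.group(1) if m_bg else bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        seen = contrast(*self.stack[-1]) >= self.min_ratio
        (self.visible if seen else self.hidden).append(data)

def split_by_contrast(html, min_ratio=1.5):
    """Return (visible_text, hidden_text) for an HTML message body."""
    p = VisibleText(min_ratio)
    p.feed(html)
    return "".join(p.visible), "".join(p.hidden)

# Constructed sample: filler letters in white / near-white on a white cell.
SAMPLE = ('<td bgcolor="#ffffff"><font color="#ffffff">xq</font>'
          '<font color="#000000">PI</font><span style="color:#fefefe">zr</span>'
          '<b style="color:#000000">LLS</b><font color="#ffffff">kw</font></td>')
```

Keyword or signature matching is then run on the visible part only, and a high ratio of hidden to visible characters is a useful signal in its own right.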
 

Comments

Nov 10, 2010 08:52 AM

Deepak, Sorry for the delayed reply. I apparently do not have my notifications set properly. We've seen the same approach.

Best, Daren

Nov 02, 2010 11:47 AM

Dear Daren,

I would like to share my observation regarding recent receipt of innovative phishing emails too. Previous phishing emails used to carry a hyperlink and message filters used to block it. Now they carry a simple HTML or text file attachment which should be opened and the user needs to fill and submit.

The message lands up in my 'Inbox' folder other than 'Junk Mail' because of, I suspect, the above workaround phishing scammers are resorting to. If you want I can forward you a few samples along with the complete internet headers for investigation and analysis too.
