Spammers Introduce New Email Internet Headers 

Sep 06, 2010 04:07 PM

Symantec has been tracking a recent phishing email attack that is targeting the users of a number of prominent global banking institutions. In this phishing attack it was observed that the spammers are using meaningless, random email headers—possibly in an attempt to circumvent anti-spam message filters. The spam attack was observed starting in July and is still active.

Let’s first understand what email headers are. Every email message comprises two parts: the message header and the message body, separated by the first empty line in the message. The header can be thought of as the envelope of the message, containing the addresses of the sender and the recipient, the subject, and other tracking information such as the chain of mail servers the message passed through. The body contains the actual textual content of the message and file attachments, if any.

Here are some of the most common email header fields:

Received:
Return-Path:
Sender:
X-Mailer:
From:
Date:
To:
Subject:
Message-ID:
MIME-Version:
In-Reply-To:
Content-Type:
Content-Transfer-Encoding:

By default, in most email programs the headers displayed to users when viewing a message are the “From,” “Date,” “To,” and “Subject” lines. Users can choose to view some of the other header lines of an email by adjusting the user settings, if provided by the email program. In the case of spam emails, spammers often forge the information in these and/or other headers in an attempt to circumvent anti-spam filters and at the same time make it difficult to trace the origin of spam messages. 

However, in this recent phishing email attack tracked by Symantec it was observed that the spammers have inserted new, made-up email headers, possibly in an attempt to further complicate message filtering. The field names and values are random words and phrases in several languages (many of the examples below are Romanian), much like the random filler text, often excerpts of Shakespeare, that spammers put in message bodies to poison content-based filters. Some of the fields also contain abusive language. Here are some examples of this new text:

Alaska: North Pole
and: now im on it again
CACATULE: PROST !!!!!!!!!!!!!!!¬@!!!!!!!!!!!!!! TE-AM GASIT NA!
F: FU[REDACTED]
fanta: blue
fromf: file
fu[REDACTED]: golf5
incread: jiols
increase: ?monney
media: control !!! OR MEDIA CENTER IS :THE SAME FU[REDACTED] :::!:!:!:! TJIN A!!:::::;
POZELE: PWLII:MELE !!!!!! ; <TOATALUMEACAREAMARAMAS> LISHOR ADEVARAT !
stereo: souind
where: are them
X_RETRADATILORRR: HOTMAIL = LOSERS
X-NewYork: capitals
X-Orificiul: an[REDACTED]
x-senzor: remote control


Moreover, as seen above, the field names follow no convention at all. RFC 5322 is permissive about the name itself (any printable US-ASCII character except the colon is allowed, so symbols such as “!” and “_” are technically legal), but none of these names is a registered header field, several use “X_” or no prefix at all instead of the “X-” prefix customary for experimental fields, and at least one field body above contains a non-ASCII character, which a conforming header would carry only in encoded form (RFC 2047). In this attack the email appears to have come from the user’s financial institution but it is, in fact, a phishing email. There are a few variations that have been observed in this attack. Some of the “From,” “Subject,” and “To” line variations in the phishing attack observed are as below:

From: xxxx.bank.plc@xxxxbankplcsecurity.co.uk
From: xxxx.Banking@xxxx-online-alert.co.uk
Subject: [Important security message]
Subject: [XXXX Banking: Online alert ! ] lukxxxxxx3ws@hotmail.co.uk
To: xxxx_xxxx@openstoragelayer.com
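The following script is an added example, not Symantec’s code or filter logic. It splits a raw message into header and body, unfolds continuation lines, and sorts each field into buckets: names that break RFC 5322 field-name syntax, names that are registered (a small allow-list standing in for the IANA registry), “X-” experimental names, and everything else. The sample message is constructed: the legitimate-looking fields are placeholders, the odd ones are copied from the list above (abusive lines omitted), and the byte `\xac` stands in for the non-ASCII character in one of the quoted field bodies.

```python
import re

# Field-name syntax from RFC 5322 section 3.6.8: one or more printable
# US-ASCII characters except ':' (decimal 33-57 and 59-126). Note that
# '!' (33) and '_' (95) are inside that range; a space (32) is not.
FIELD_NAME_RE = re.compile(r"[\x21-\x39\x3b-\x7e]+")

# Small allow-list of registered fields (the ones listed in the post).
# A real filter would load the IANA message header registry instead;
# names are compared case-insensitively.
KNOWN_FIELDS = {
    "received", "return-path", "sender", "x-mailer", "from", "date", "to",
    "subject", "message-id", "mime-version", "in-reply-to", "content-type",
    "content-transfer-encoding",
}

# Constructed sample message (hypothetical addresses and hosts).
SAMPLE = b"""\
Received: from mail.example.net (unknown [192.0.2.10])
\tby mx.example.org with ESMTP
From: xxxx.bank.plc@xxxxbankplcsecurity.co.uk
To: xxxx_xxxx@openstoragelayer.com
Subject: [Important security message]
Date: Mon, 06 Sep 2010 12:00:00 +0000
Message-ID: <constructed@example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Alaska: North Pole
and: now im on it again
fanta: blue
X-NewYork: capitals
X_RETRADATILORRR: HOTMAIL = LOSERS
x-senzor: remote control
media: control \xac !!! OR MEDIA CENTER
bad name: a space is not allowed in a field name

body
"""


def split_message(raw):
    """Split a raw message into header block and body at the first empty line."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    return head, body


def parse_headers(head):
    """Return (name, value) pairs; lines starting with whitespace are
    continuation lines and are folded back onto the previous field."""
    fields = []
    for line in head.split(b"\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep:  # no colon at all: keep the raw line as the (invalid) name
            fields.append((line.decode("ascii", "replace"), b""))
            continue
        fields.append((name.decode("ascii", "replace"), value.strip()))
    return fields


def is_valid_field_name(name):
    return FIELD_NAME_RE.fullmatch(name) is not None


def triage_headers(raw):
    """Classify every header field and return the buckets plus the share of
    fields that are neither registered nor syntactically valid."""
    head, _ = split_message(raw)
    fields = parse_headers(head)
    result = {"syntax_errors": [], "non_ascii": [], "experimental": [],
              "unregistered": [], "total": len(fields)}
    for name, value in fields:
        if any(b >= 0x80 for b in value):   # raw 8-bit byte in a field body
            result["non_ascii"].append(name)
        if not is_valid_field_name(name):
            result["syntax_errors"].append(name)
        elif name.lower() in KNOWN_FIELDS:
            continue
        elif name.lower().startswith("x-"):
            result["experimental"].append(name)
        else:
            result["unregistered"].append(name)
    unknown = (len(result["syntax_errors"]) + len(result["experimental"])
               + len(result["unregistered"]))
    result["unknown_ratio"] = unknown / len(fields) if fields else 0.0
    return result


if __name__ == "__main__":
    for bucket, names in triage_headers(SAMPLE).items():
        print(f"{bucket}: {names}")
```

A message in which half of the header fields are unregistered noise, as in the sample, is itself a usable signal; the ratio is a cheap feature to feed into a scoring filter, independent of whatever the values say.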

The body of the email in this attack looks more like that of a typical phishing email, even bearing the bank’s logo (the screenshot is not reproduced here). The spammers try to instill a sense of urgency by claiming that the communication is an important security message and urging the potential victims to visit the link in the email to update and confirm the required information.

hxxps://xxx.xxxx.co.uk/1/2/XXXXINTEGRATION/CAM10;jsessionid=129911E[removed]WQ_3RCS7Xca[removed]222d?IDV=xxxxxx@xxxx.com

The link above is only the text shown in the email: it imitates the bank’s own site, complete with a session identifier, and disguises the actual destination of the hyperlink, shown below, which is a page on a compromised third-party site that collects the user’s confidential information.

hxxp://xxx.feminoteka.pl/downloads/www-xxxx/co.uk/1-2/xxxxintegration/index.htm
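The mismatch described above (a visible URL on the bank’s domain whose hyperlink actually points to a page on a compromised host, with the bank’s name smuggled into the path) is mechanically detectable in the HTML body. The following is an added example, not Symantec’s code; the HTML and the host names `online.examplebank.co.uk` and `compromised.example.net` are constructed to mirror the structure of the two URLs quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that is itself a URL (scheme optional); group 1 is the host
# the reader is shown.
URL_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

# Constructed HTML mirroring the phishing mail: one deceptive link, one
# honest link, and one link whose text is a phrase rather than a URL.
SAMPLE_HTML = """<html><body>
<p>Important security message: please visit
<a href="http://compromised.example.net/downloads/www-examplebank/co.uk/1-2/index.htm">https://online.examplebank.co.uk/1/2/INTEGRATION/CAM10</a>
to update and confirm your details.</p>
<p>Help: <a href="https://online.examplebank.co.uk/help">https://online.examplebank.co.uk/help</a></p>
<p>Or <a href="https://online.examplebank.co.uk/login">log in to online banking</a>.</p>
</body></html>"""


def shown_host(text):
    """Host name a reader sees in the anchor text, or None for plain words."""
    m = URL_TEXT_RE.match(text.strip())
    return m.group(1).lower() if m else None


def same_site(a, b):
    """Crude comparison: strip a leading 'www.' and require equality.
    Production code should compare registrable domains using the
    Public Suffix List instead."""
    def strip_www(h):
        return h[4:] if h.startswith("www.") else h
    return strip_www(a) == strip_www(b)


def find_link_mismatches(html):
    """Return one finding per anchor whose visible URL points somewhere else."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = shown_host(text)
        if shown is None:
            continue  # "click here" style text: nothing to compare against
        parts = urlsplit(href)
        actual = (parts.hostname or "").lower()
        if same_site(shown, actual):
            continue
        # Record which labels of the displayed host reappear in the real
        # URL's path, the "/www-xxxx/co.uk/" trick seen in the post.
        path = parts.path.lower()
        findings.append({
            "shown_host": shown,
            "actual_host": actual,
            "brand_labels_in_path": [l for l in shown.split(".") if len(l) > 3 and l in path],
        })
    return findings


if __name__ == "__main__":
    for finding in find_link_mismatches(SAMPLE_HTML):
        print(finding)
```

Only anchors whose visible text looks like a URL are compared; a phrase such as "log in to online banking" gives the reader no host to be misled about, so it is left to other checks (for example, whether the href host matches the sender’s domain).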

Although the attack originated from IP addresses distributed across several countries, the addresses examined were not part of any known spam botnet at the time, which suggests that, if they are compromised machines, they are being reserved for more targeted attacks rather than bulk spam. Symantec customers can be assured that Symantec’s mail security products (powered by Brightmail technology) block these and other types of phishing email attacks.

----------------------------------

Note: My thanks to Mayur Kulkarni for contributed content.
