Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response

Use of .avi & .mp3 Extension Leads to Pharmacy Spam

Created: 30 Sep 2013 14:00:20 GMT • Updated: 23 Jan 2014 18:04:03 GMT • Translations available: 日本語
Anand Muralidharan's picture
+1 1 Vote
Login to vote
Symantec has observed a new spam tactic targeting YouTube using .avi and .mp3 extensions in URLs by placing a random YouTube link in the email content. This spam threat is also targeting the pharmaceutical industry, as we have previously observed in this blog: Pharma Spammers Brandjack YouTube.
 
In this new spam threat, users will be redirected to a fake pharmacy website when they click on the links. The following URLs were seen in spam samples using .avi and .mp3 extensions examined by Symantec:
 
http://www.[REMOVED].com/Fox.avi
http://www.[REMOVED].com/Yamamoto.avi
http://www.[REMOVED].vn/Larue.avi 
http://www.[REMOVED].com/McAlear.avi
http://www.[REMOVED].ru/87342.mp3
http://www.[REMOVED].ru/327182.mp3
http://www.[REMOVED].fr/472738.mp3
http://www.[REMOVED].com/165137.mp3
 
figure1.png
Figure 1: Spam email using .avi extension
 
figure2.png
Figure 2: Spam email using .mp3 extension
 
figure3.png
Figure 3: Fake online pharmacy website
 
Below are some of the email subjects used in this latest spam campaign:
  • Subject: Here Comes the Sun 1969
  • Subject: Soldier of Love (Lay Down Your Arms) 1963
  • Subject: For No One 1966
  • Subject: Misery 1963
  • Subject: Lucy in the Sky with Diamonds 1967
  • Subject: From Me to You 1963
  • Subject: Look! I found this!
The domain was found to be registered in Europe and its servers were located in Ukraine. The spam attacks use such file extensions in a YouTube link to bypass the filter and also to fool users who would expect the links to open the appropriate file type.
 
Symantec advises consumers to be cautious with unsolicited or unexpected emails and to update their antispam signatures regularly to prevent personal information from being compromised. We are closely monitoring these spam attacks to ensure that users are aware of the latest threats.