We have recently observed Chinese spammers selling personal account cracking software. This is not a typical pirated software promotion, because it already violates privacy law. The observed email promises to teach and help users to break into others’ accounts such as MSN or Yahoo instant messaging clients accounts, email accounts, and all popular social networking accounts.
Ever dreamt of owning devices that would let you roll like a secret agent from spy movies? Why not? Spammers are offering a solution—not a spy bug to be attached to a phone, but software that once installed on the target phone sends back information on all of the calls, including messages originating from one phone to another.
This proposition offers the option of peeping into someone’s phone to obtain desired information. The spammer claims that the surveillance functions of the target phone (after being installed) can be used to obtain valuable information from people such as your girlfriend, manager, key employees, business partners, etc. The scammers promote that you can track valuable information, which can be compiled by listening to outgoing calls, receiving copies of incoming and outgoing SMS messages, and tracking precise locations of the phone device using GPS satellites.
However, this miraculous spy device requires a few steps in order begin use...
As excited as I was prior to the release of the sixth film of the Harry Potter series, it proved to be fairly disappointing in terms of the number of spam messages spawned using the book/film title. The latest film, “Harry Potter and the Half-Blood Prince,” was released worldwide on July 15.
We monitored the probe network traffic over the past couple of weeks to track the prevalence and volume of Harry Potter related spam. However, it seems that spammers are less passionate about the idea of using the magic of this tale for their spam campaigns. The recent Harry Potter-related spam that we did see arrived as either Nigerian scams or health-type spam.
One scam message is disguised as an online lottery winning notification. In this fake and non-existent lottery, the name “Potter” is misspelled as “Porter.” Interestingly, the scammer used J. K. Rowling as the name for the online lottery—Rowling is the author of Harry Potter...
How close can they get to you? So close that they can actually talk to you, no matter where in the world they are located? Nigerian 419 scams are not new and have been a nuisance to email users for years. Traditionally, Nigerian scammers have reached out to email users through text-based emails, Word documents, PDF documents, and are increasingly targeteting social networking sites. However, all of these techniques have one thing in common—rubbish stories of a huge money inheritance, kinship, and financial assistance that is communicated via typed messages.
Spammers are constantly in search of techniques that will allow them to reach users’ inboxes by beating anti-spam filters. Any deceit used is fair game for them. Recently, we noticed one such technique used by spammers to make their way into users’ inboxes exploiting VoIP (voice over IP) services. The spammers are creating fake accounts on sites providing VoIP services and then, using these fake...
Over the last few months we have been keeping you informed about a rise in the category of image spam. This was mentioned in our April and June 2009 blogs on the topic, which specifically concentrated on how an old spamming method (image spam) is being reintroduced on a wider scale. Spammers have now shifted their focus from image spam attacks to obfuscated URL attacks—again, an old spamming technique. This type of obfuscation includes inserting white spaces and special symbols into the URL string to evade anti-spam filters. For image spam attacks, we have observed lines relating to intimacy in the subject header:
Later, we witnessed the same pattern again being used with the obfuscated URL...
Mysterious stories about Michael Jackson still being alive have been developing on the Internet in the form of websites, discussion forums, as well as some news sites bringing in theories behind such stories. Even spammers do not wish to believe, or perhaps they don’t want to miss the prospect of tricking curious Internet users into opening their messages—particularly targeting those die-hard M.J. fans that would want him to live eternally.
Michael Jackson-related spam and malware campaigns were discussed in detail in our July ’09 State of Spam report. More than three weeks after M.J.’s death have passed and there are continuous spam and malware campaigns still being waged. Spammers still feel confident that they can get users to open messages using Michael Jackson’s death and, now, the “Michael Jackson’s still alive” news.
A few weeks ago, while most people were busy preparing for 4th of July celebrations and looking forward to a long weekend, W32.Waledac launched a new spam campaign. The links in the spam emails led to a website claiming to contain a fireworks video. We have previously seen this malware use popular holidays such as Christmas and Valentine’s Day, so it is not really surprising that it would use Independence Day as well. A screenshot of the 4th of July Waledac website is shown below:
Figure 1. Screenshot of W32.Waledac's 4th of July website
Fake e-card pickup notices are typically used to deliver malware; however, in the past several weeks Symantec has noticed a series of online pharmacy attacks employing the same strategy. To pick up an e-card, the recipient must click on a link in the message. These links take you to the e-card site and display your card. As with an e-card malware attack, the spammer has replaced this link with one of their cleverly crafted URL traps.
The observed messages appear as if they were sent from some of the more well known online greeting card service providers. However, unlike any legitimate e-card pickup notices, the link will redirect you to an online pharmacy site selling their wares at discount prices.
Here is what the message looks like in an inbox:
A legitimate e-card collection notice will usually provide the name or...
Matrimonial (MM) sites provide a platform for people to search, match and interact with a prospective bride or groom. However, even this service has not been spared by spammers who use fraudulent means to cheat users.
We will be discussing how a simple proposal can turn into a trap and fool a prospective bridegroom into disclosing personal details. We know that most MM sites will permit the delivery of personalized messages only to premium members (paid customers). However, we observed that one of the sites provided this type of membership free of charge—possibly in consideration of the user also availing of its free email service. In all probability, the MM sites may also grant such discounts in order to grow their popularity graph. Obviously, with so much liberty granted, spammers will not wait for an invitation.
This process starts with the so-called “interest” shown in the user’s profile, with familiar dating language being used. The...
Not content to let the Dozer and Koobface guys have all the fun, the Ackannta crew has unleashed another new variant on the unsuspecting masses. Today we saw in our spam traps a new variant of Ackannta that we have added detection for as W32.Ackannta.G@mm. Ackannta is a family of mass-mailing worm that also copies itself to removable drives. It has been noted to use well-known brand names and big news items (such as the recent Michael Jackson story) in email campaigns in the past in order to trick users into opening it.
At this time we are seeing this worm being sent out through emails in low numbers. The emails have the following characteristics:
Subject: Jessica would like to be your friend on hi5!
Body: The email body is written in HTML and is a poorly made copy of the...
In early June , Symantec reported that the FTC had worked with others to shut down the Internet service provider Pricewert LLC. While this was a good example of how security professionals can work together in the fight against cybercrime, spam volumes remained at a very high level throughout June, averaging 90 percent of all email messages. The recent passing of Michael Jackson and the subsequent public interest is yet another example of how spammers are willing to use any notable event as a cover to distribute their messages.
Click here to download the July 2009 State of Spam Report, which highlights the following trends:
Different Faces of Michael Jackson Spam and Malware
Fourth of July Holiday Brings Fireworks and More Spam Campaigns
With the soaring popularity of social networking sites, it is no surprise that spammers try to take advantage of them. In the past, spammers would register their own accounts and then send unsolicited messages through the social networking site. By default, the site generated automated email to let the user know that there is a new message. While such notifications are technically legitimate, the user would have most likely considered the messages as spam, due to the unsolicited content. For spammers, this technique had a shortcoming—the message sent to the user was from an unknown person/entity.
Recently, Symantec has observed a rise in a newer technique of social networking site abuse. The below example is a legitimate notification from Facebook that informs the user of a new private message:
As noted above, the message itself is not spam because...
Spammers are always searching for ways to bypass anti-spam filters. While the “text with tables” technique is not new, it is worth noting because it demonstrates spammers’ creativity, as well as their utilization of existing techniques.
When spammers first used table HTML codes, it began as a simple table with various cells filled in with different colors to render what looked like regular text. This basic technique has since evolved into something more complex—spammers are using a table within a table.
In the example below, the spammer first defines an outer table (137 x 43). Then, each row of the outer table itself is defined as a table. These inner tables feature a unique cell length (defined by COLSPAN) and background colors.
Carefully crafted, the above HTML shows this when rendered:
Spammers seem to believe that they don’t always need to invent new strategies to enter a user’s inbox—they know they can utilize existing tactics with better results. They are now re-using the tactic of attaching HTML files in their spam messages—this time in aid of the 419 spam category. This tactic began with simple phishing attacks, followed by a variation using URL encoding of HTML code, and was also observed in email-harvesting attacks. When we discussed this trend in earlier blogs, we noted that these types of attacks may not be restricted to phishing attacks alone. Actually, we are seeing these attacks extending to other malicious activities.
Presently we are observing 419 spammers making use of HTML attachments in the hopes of reaching a user’s inbox....
W32.Waledac has launched a new spam campaign using a 4th of July theme. Below are some screenshots of sample spam emails with the new theme.
If the unsuspecting user clicks the link in the email, they will be directed to a Web page similar to the following:
The page claims to contain a video of a fireworks show for this year’s 4th of July celebration. However, clicking on the "video" actually leads to a W32.Waledac executable. Watch out for spam containing any of the following strings...
