While looking through some recent customer submissions a particular filename caught my attention. It was called “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign up for this application are now seeking invites to the service. Certain bad guys have latched onto this and are attempting to take advantage of the situation to push malware. In this case the malware in question is Backdoor.Tidserv. It’s also worth pointing out Google Wave was only selected because of its current popularity. Using a trusted brand like this also increases the chance of success for the attacker. This technique is something we see all of the time.
This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches by selling these invites to other people who want to...
Instant degree spam attacks have become one of the most regular attacks monitored in recent months. In an earlier blog post we listed the top five degrees offered by spammers. The messages guided users to online degree sites where recipients needed to actually earn their degree. On the other hand, with instant degrees there is no effort required—just call the number provided in the message and you can obtain a degree certificate in no time. These plain text messages arrived with a variety of subjects, which are listed below this sample message:
We have listed subject lines in descending order of number of appearances:
Get Your Bachelor's Degree Online
Earn a Bachelor's or Master's Degree Online
Enhance Your Career Tomorrow
Earn a Bachelor's or Master...
Chinese spammers adapt quickly to new Internet social media that might attract recipients’ interest, using them to get Web hits. They research popular social networking activities and living habits and set up spam traps accordingly. Recipients often fall for these tricks because they may not be aware of the latest spam news or phishing alerts.
Recently we observed Chinese spammers sending out moneymaking scams using a popular free microblogging service. This type of free social networking allows users to send live updates through short text messages or links. In this sample we found that a spammer registered a legitimate user account and then sent out a friend invitation request. All links lead to the same moneymaking promo ads:
Sample 1:
From: Popular social networking <Details removed>
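Subject: 兼職工作,全職收入-每月增加2到 5萬 邀請您到 <Details removed> 註冊帳號 [Translation: Part-time job, full-time income - earn an extra 20,000 to 50,000 a month; invites you to register an account at <Details removed>]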
This has been a season of malicious attacks, starting last month when we informed users about an increase in spam containing malware. Coincidentally, we are seeing different methods of luring or scaring recipients to download malicious programs. In the past few weeks we reported spam attacks with malicious links that included MJ’s leaked song spam attack and the hunting the airplane game. In this recently monitored attack, we observed a typical phishing email that encourages users to click and download executable files.
Sample image of the message:
As shown in the above image, a fake FDIC alert warns users of a...
People are always curious about different theories on tragedy, especially those involving airplanes or ship accidents. In fact, even after the Titanic sank decades back, hundreds of books were published and movies developed based on expert views. Malicious software authors use information related to similar tragedies to entice recipients into clicking on virus-laden links. We mentioned one such example of this in our blog last year after the earthquake in China in June 2008.
In a new spam campaign, recipients are lured by contradicting information published by a news agency regarding 9/11 Pentagon damage. Users are encouraged to spot a plane in the pictures, which are included in the email. They are also supplied with a URL link to access more information. This link redirects users to a hijacked website that will point to an HTA file (a program that can be run from an HTML document). When users...
Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. Initially the campaign kicked off with a story from “your administrator” about some server upgrade that requires you to download and execute a patch to ensure that your computer continues to work properly:
Subject: Important - Read Carefully
Email Body:
Attention!
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer...
Last week we observed a new Russian spam trend dealing with phone numbers. We have been monitoring spam samples containing phone numbers in the message body—with or without obfuscation. In one of our March ’09 blog posts, we mentioned the use of phone numbers in the headers as well. The phone numbers in those spam samples weren't obfuscated, but recently we have seen spammers introducing special symbols [+*^] between the numbers found in the headers, as shown in the examples below:
Overall spam volumes averaged at slightly over 86 percent of all email messages in September 2009, which is a decrease of 4 percent since July 2009. However, it is considerably greater than September 2008 when spam levels averaged at 78 percent of all email.
Notable this month is that the percentage of spam containing malware has increased, reaching up to 4.5 percent of all spam at one point. When compared to August 2009, Symantec has observed a nine-fold increase in spam containing malware during September. With respect to spam categories, the main movers were Internet spam, which increased by 3 percent again this month and averaged at 32 percent of all spam; and financial spam, which decreased 3 percent to account for 17 percent of all spam.
Click here to download the October 2009 State of Spam Report, which highlights the following trends:
In last month’s State of Spam report, Symantec discussed the early signs of holiday spam that contained messages related to Halloween and Christmas. In September, researchers at Symantec intercepted multiple attempts by spammers to hijack the subject of Halloween festivities in an attempt at grabbing personal information from email users, as well as selling online meds.
In product promo spam related to Halloween, spammers are offering free gift cards of various denominations towards the purchase of products. Various online surveys are also offered, which claim to give out gift cards in return for participation. Clicking on these offers takes users to a website where a wide range of their personal information—including email address, postal address, and phone number—is gathered.
Below are various subject lines used in promo messages:
Online degree spam has been around for years. However, nowadays these spam campaigns aren’t just limited to passing degree certificates (super fast - within days or weeks), but they also focus on directing recipients to specific degrees. For example, it is common knowledge that there is a shortage of qualified nurses in the US—there are many media reports on the subject. When we examined these attacks over the last six months, we found that spam campaigns for nursing degrees placed in the top five degrees promoted by spammers. Similarly, the shortfall of manpower has also been noticed in the field of law enforcement and accordingly, spammers are advertising more on this career option.
The top five degrees advertised through spam are:
1. Police Officer
2. Federal Agent
3. Nursing
4. Culinary Arts
5. Teacher