Symantec Blogs: Security Response

Kelly Conley | May 11th, 2009

We have been closely monitoring Japanese dating spam for a while now, and have recently identified "adult dating" as one of the most frequently observed attacks. Adult dating spam has been around for quite some time, but how are spammers using these types of messages to their advantage? Dating spam is often referred to as Sakura. The term Sakura describes a group of "fake customers"—women supposedly looking for dates through a dating site, systematically trained to attract real customers. The spammer's intent in distributing these adult dating offers is to lure recipients into signing up for fake dating services and/or to harvest active email addresses. Many of these spam offers are easily identifiable by their randomly generated From lines and erotic Subject lines:


From: 石本 孝治 <r543r2hiqlhf3mh5zp@yahoo.com>
From: startup <cjyoud@yahoo.com.cn>
From: ninjya_ark@yahoo.co.jp...

Kelly Conley | January 27th, 2009

Macau is the only place in China where there is legalized gambling.* In order to gamble legally in China a person would need to spend money on travel and accommodations to get there. Is there a way to avoid the hassle and expenditure of traveling to Macau for those persons that are interested in gambling? Well, it seems that spammers are offering a solution to the Chinese population: gambling online, from the comfort of your home.

Symantec has recently observed what we believe to be the first instance of online casino and sports betting spam using the Chinese language. The layout of the message is very similar to what we frequently see in English-language casino spam. The message asks users to download a number of software packages and register an account. By registering an account, a user automatically becomes eligible for a random amount of free cash or bonus points. This is all a very common occurrence in English-language spam related to gambling. But,...

Kelly Conley | October 15th, 2008

Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.

In August, image spam attacks accounted for approximately 1.6% of total spam. In September we observed that image attacks almost doubled, representing approximately 2.6% of total spam. Over 50% of image attacks observed are English, and the second largest group of messages is Russian. In the first ten days of October, image spam messages have averaged approximately 8.6% of total spam. This is the highest mark to date over the last 90 days. From May of this year up to September, image spam was relatively quiet. As stated above, these numbers have been increasing since mid-September. We have not seen image spam of this volume since February of this year.

Commonly seen image spam messages have included Russian online dating offers, random product offerings with an image opt-out, and the all too...

Kelly Conley | October 6th, 2008

The trend of spam messages containing URL links to malicious code and/or carrying malicious payloads has spiked dramatically since May of this year. This trend is the focus of our October State of Spam Report, issued today. From June to mid-September, the amount of malicious code detected in scanned email messages increased from a tenth of a percent (0.1%) in June to 1.2% in the middle of September. Now, that doesn’t sound like much, but consider that this represents a 12x increase! The top ten definitions detected by antivirus rules for this period were led by generic Trojan, Downloader, and Infostealer definitions—together making up more than 30% of the malicious code detected.

Also noted in this month’s State of Spam Report is the increase in zombie activity. The report notes that while zombie activity decreased from July to August, it increased more than 100% between August and September. For this period, the EMEA region was the leading source of all zombie IP addresses....

Kelly Conley | September 10th, 2008

We have observed a fraudulent spam attack masquerading as an email from Symantec. This email is in Portuguese and contains the Symantec logo and coloring, which make it appear as a legitimate email from Symantec. The “From” line is forged to add further credibility. The “Subject” and “From” lines appear as follows:


Subject: Security Check
From: SYMANTEC <Worm@bda.267>

Needless to say, this is not from Symantec. The body of the message contains text that indicates that the Symantec Security Check System has tested your computer and found “X” number of dangerous imperfections. The email goes on to say that your computer is infected with the virus “Worm@bda.267.” Users are encouraged to click the provided link to download updates to protect their systems from further damage from this worm. Incidentally, there is no such virus as Worm@bda.267.

If the...

Kelly Conley | September 4th, 2008

In August, the "Internet" category of spam showed an increase of nine percent from July and now makes up 27% of all spam messages. This increase is detailed in the Symantec State of Spam Report for September, which will be released today. The escalation of Internet spam can be attributed to the prevalence of malicious code being sent around via spam emails over the past month. It seems that spammers will stop at nothing to deliver their payload; various techniques in spam containing viruses were observed over "the month of the virus." These include the following methods:

  • Sensationalized "fake" news headlines
  • Use of seemingly real news headlines
  • Purported download for the latest version of Internet Explorer
  • Malware + spam + phishing = The triple security threat for financial institutions
  • Airline e-ticket connects malicious code and spam

Sensational (and in many cases...

Kelly Conley | September 3rd, 2008

The theme to Flash Gordon is going through my head. You can't hear it, but I can. He's the savior of the universe, king of the impossible, and he'll save ev'ry one of us.

These lyrics seem so appropriate when it comes to all of the .swf (Flash) spam that we're observing. I imagine the spammer looks upon .swf files as saving his spam by ensuring it will bypass filters. Is .swf the "king of the impossible," able to avoid detection? The answer is "no."


What we have observed are spam messages that contain a link to an .swf file. This file is hosted on a popular image hosting site. When clicked, the link redirects to various Web sites and so far we've seen medical supplement and adult-oriented sites as the destination of the redirects.

The .swf attack with the largest volume observed is the German pharmacy attack, with over 300 million instances seen. The body of this message is in German and includes a list of medications that are...

Kelly Conley | August 29th, 2008

Notice! The virus-spreading spammer doesn't have your baby but is claiming to. In recent emails observed by Symantec, malicious code is being spread by hoax emails claiming to have pictures of your hijacked [sic] baby. The Subject line makes the claim that someone has "hijacked" your baby, and the attachment on the message is not a photo but rather a zip file containing a downloader:


Subject: We have hijacked your baby
Content-Type: application/zip;        name="photo.zip"


The body will look similar to the following:


"Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later...
We has attached photo of your fume"


The email comes with an attached zip file called "photo.zip," which...

Kelly Conley | August 20th, 2008

In the past few days Symantec has observed virus spam masquerading as news articles regarding the current Georgia-Russia conflict. We felt it was important to blog about this because this particular event is garnering a lot of media attention and holds a very high profile. Because of this, there is an extremely high potential for the spreading of malicious code by spam email using information on this event as a lure.

The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment. The subject line appears to be a legitimate news story about the Russia/Georgia conflict. One subject line that has been seen reads: “Subject: Journalists Shot in Georgia.” A short description of a “news event” related to the Russia-Georgia conflict is contained within the body of the message.

The use of the attention-grabbing subject line seems to be intended as a social engineering tactic to entice recipients to click the link...

Kelly Conley | August 5th, 2008

As we enter August, Symantec takes note in the State of Spam Report that spammers are continuing to attempt to entice users to open their messages by sensationalizing false news events. Popular targets of this headline or tabloid spam include current public events and figures, such as Obama and McCain.

In July, some of the subject lines observed were:


  • Beijing Olympics cancelled
  • Beijing postpones Olympics due to McCain-Dalai Lama meeting
  • Mccain Says Unsure If Obama A Secret Hippopotamus
  • Kick-up - Obama speaks in London - video


In the samples observed, the URLs were hosting malicious code (malware). There is a...

Kelly Conley | July 2nd, 2008

The July State of Spam Report opens with optimistic words from 2004, from one Bill Gates: “Two years from now, spam will be solved.” While we wish that we could say the optimistic words came to fruition, the reality is that spam has continued to increase and now accounts for 80% of all email. Over the past month spammers have shown in a variety of ways how they are still trying to best antispam filters. Some of the spam attacks seen in June include:

- Hacked personal email account used to scam contacts

- Spammers simplify email harvesting technique

- China Earthquake tragedy used to spread viruses

- Olympics-related lottery scam emerges...

Kelly Conley | June 25th, 2008

John Doe, sitting in his office, was scrolling through email in his inbox when he noticed an email with this subject line:

Mail delivery failed: returning message to sender


John thought to himself, “Message delivery failed? Did my message to Jane get blocked?” He then proceeded to open the message and found that it was an online pharmacy spam message he had allegedly sent. John is initially puzzled because he never sent that message himself. Soon, he realizes that the message is NDR spam.

Symantec has observed a wave of non-delivery receipt (NDR) attacks over the past month. While this technique is certainly not new, a spike in volume was significant enough for us to take a deeper look. A lot of people are confused about these messages. Where do they come from? What is the purpose?

This spam type utilizes a crafty...

Kelly Conley | June 3rd, 2008

The June State of Spam Report demonstrates that spammers are utilizing current events to their advantage. The economic slowdown has been at the forefront of current event topics for some time, and is indisputably a hot item for spammers. In May, Symantec observed the continued offers by spammers to avoid home foreclosure. Many of these attempts are directed towards harvesting personal information and not towards helping anyone out of a loan crisis.

Other current events being used by spammers to take advantage of the public include rising gas prices, the economic stimulus package, and recent natural disasters. In the wake of rising gas prices, spammers are offering gas from unusual sources, like your water faucet. Free gas cards and other products aimed at creating gas out of other unusual sources are...

Kelly Conley | May 7th, 2008

As April came to a close, NDR (non-delivery report) spam diminished. In the April State of Spam Report, Symantec reported that NDR spam was 3.7% of all spam observed. Spammers appeared to be playing with the viability of this technique. At this time the numbers of this spam type are down to less than 2%. Symantec has been tracking this spam type over the past couple of months and has provided a graph in the May State of Spam Report that shows the changing volume levels.

However, the loss of momentum with NDR spam does not mean that spammers were resting. This was evidenced by the emergence of "calendar invite" spam in April. The samples observed were "419" or "Nigerian" spam sent with a meeting or calendar invitation attached. While the volume of this emerging spam was low, it does still illustrate the lengths that spammers are willing to go to spread their messages.

"Spear phishing" attacks are also discussed in the latest State of Spam Report...

Kelly Conley | April 2nd, 2008

The April State of Spam Report is out today and its findings show that spam levels bounced even higher, averaging 81 percent of all email in March and peaking at all-time highs of nearly 88 percent. “Bounce” being the operative word, because the new report highlights a marked increase in bounced message spam observed by Symantec. With these particular attacks in March, spammers took advantage of mail transfer agent (MTA) programs by utilizing the practice of backscatter to bounce massive volumes of emails to unsuspecting end users. The majority of the bounces observed were Russian language messages, containing images and text that change regularly, often a few times per day.

Spammers take advantage of MTA programs, which can be configured to send back not only a list of failed recipient addresses and an explanation why each address failed, but also a copy of the original message in its entirety. This practice allows spammers to bounce messages around the Internet,...