Symantec Blogs: Security Response

Mayur Kulkarni | November 19th, 2009

We are monitoring new malicious attacks that resemble the fake "Microsoft Outlook reconfigure" spam campaign we have been observing for the last couple of months. That campaign was followed by attacks on social networking sites, shifting from malicious code attacks to URL-based phishing attacks. The new attacks share traits with them, such as spoofed "From" headers that are aimed at enterprise users and meant to confuse them, and a subject line intended to cause panic (for obvious reasons; have a look at the example image below).

[Image: thisutility.png]

As seen in the message above, the attachment is a ZIP archive named "utility.zip" that extracts to an executable detected as Trojan.Dropper by Symantec antivirus. Using...

Mayur Kulkarni | November 3rd, 2009

Symantec has always recommended that personal information, especially financial information such as Social Security numbers and credit card numbers, and of course your email address, not be revealed anywhere on the Internet. Many security experts also consider disclosing an IP address to an unknown person on the Internet to be equally dangerous. We now also need to be careful not to divulge mobile numbers or dates of birth, because these pieces of information are just as sensitive and are treated as part of your identity by financial institutions.

We are monitoring a new wave of phishing attacks that attempts to extract information such as recipients' mobile numbers and/or dates of birth by using false alerts:

[Image: Screen shot 2009-11-03 at 6.52.43 PM.png]

Two of the subject lines used in these alerts are:

TEXT MESSAGE ALERT
MOBILE...

Mayur Kulkarni | November 3rd, 2009

Symantec recently reported a malicious spam campaign against Facebook; it is now accompanied by a phishing attack. These messages are made to look like an official Facebook invitation or password reset confirmation.

[Image: social1.png]

Hovering over the "Update" button in the message reveals the phishing URL in the browser's status bar. A user who clicks the button is redirected to a Facebook look-alike phishing site and asked to enter a password to complete the "update". Any password entered on that page is stolen.

These attacks can be identified by the subject lines listed below:

Facebook account update
New login system
Facebook Update tool

In...

Mayur Kulkarni | October 27th, 2009

Instant degree spam has become one of the most frequently seen attacks in recent months. In an earlier blog post we listed the top five degrees offered by spammers. Those messages directed users to online degree sites where recipients still had to earn the degree. With instant degrees, by contrast, no effort is required: just call the number provided in the message and you can obtain a degree certificate in no time. These plain text messages arrived with a variety of subject lines, listed below this sample message:

[Image: degreespam.png]

The subject lines are listed in descending order of frequency:

Get Your Bachelor's Degree Online
Earn a Bachelor's or Master's Degree Online
Enhance Your Career Tomorrow
Earn a Bachelor's or Master...

Mayur Kulkarni | October 26th, 2009

This has been a season of malicious attacks, starting last month when we informed users about an increase in spam carrying malware. At the same time, we are seeing different methods of luring or scaring recipients into downloading malicious programs. In the past few weeks we reported spam attacks with malicious links, including the MJ leaked song spam attack and the "hunting the airplane" game. In this recently monitored attack, we observed a typical phishing email that encourages users to click through and download executable files.

Sample image of the message:

[Image: FDIC1.jpg]

As shown in the image above, a fake FDIC alert warns users of a...

Mayur Kulkarni | October 23rd, 2009

People are always curious about theories surrounding tragedies, especially airplane or ship accidents. Decades after the Titanic sank, hundreds of books and films are still being produced around expert views of it. Malware authors use information related to such tragedies to entice recipients into clicking on virus-laden links. We mentioned one such example in our blog last year, following the 2008 earthquake in China.

In a new spam campaign, recipients are lured with supposedly contradictory information published by a news agency about the 9/11 damage to the Pentagon. Users are encouraged to spot a plane in the pictures included in the email, and are given a link for "more information". This link redirects users to a compromised website that points to an HTA file (an HTML Application, which Windows executes with mshta.exe outside the browser's security restrictions). When users...

Mayur Kulkarni | October 8th, 2009

Last week we observed a new trend in Russian spam involving phone numbers. We have been monitoring spam samples containing phone numbers in the message body, with or without obfuscation. In one of our March '09 blog posts we mentioned the use of phone numbers in the headers as well. The phone numbers in those samples were not obfuscated, but recently we have seen spammers inserting special symbols ([+*^]) between the digits of numbers found in the headers, as shown in the examples below:

[Image: russian_spam.jpg]

Translation:

Subject: highest response rate from Updated databases 7916…
Alert - Newest Databases
Highest response rate
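As an added example (not from the original post or Symantec's own tooling), the following Python routine undoes the digit obfuscation described above: it strips the inserted symbols, extracts digit runs of phone-number length, and reports whether a run had been obfuscated, so a filter can key on the normalized number rather than on the literal string. The sample subject lines are constructed for this example and the numbers in them are made up.

```python
"""De-obfuscate phone numbers in spam subjects/headers and extract them.
(Added example; standard library only.)"""
import re

# Characters treated as noise between digits: the [+*^] symbols the post
# reports, plus ordinary spacing and punctuation used to group digits.
_SEP = r"[+*^\s().\-]"
# A digit followed by one or more (optional noise, digit) pairs.
_DIGIT_RUN = re.compile(r"\d(?:" + _SEP + r"*\d)+")
_INSERTED = re.compile(r"[+*^]")


def normalize_digit_runs(text):
    """Collapse broken-up digit runs: '7^9*1+6 5+5' -> '791655'; other text unchanged."""
    return _DIGIT_RUN.sub(lambda m: re.sub(r"\D", "", m.group(0)), text)


def extract_phone_numbers(text, min_digits=7, max_digits=15):
    """Digit runs of plausible phone-number length after normalization."""
    return [r for r in re.findall(r"\d+", normalize_digit_runs(text))
            if min_digits <= len(r) <= max_digits]


def was_obfuscated(text):
    """True if any digit run in text had [+*^] symbols inserted into it."""
    return any(_INSERTED.search(m.group(0)) for m in _DIGIT_RUN.finditer(text))


def phone_fingerprint(text):
    """A filter key that is identical for the obfuscated and plain variants of
    the same number: sorted, de-duplicated normalized numbers."""
    return tuple(sorted(set(extract_phone_numbers(text))))


# Constructed sample subject headers (numbers made up). The first two carry
# the same number, once with inserted symbols and once plain; the third has
# digits that are not a phone number.
SAMPLES = [
    "Subject: Обновленные базы 7^9*1+6 5+5*5 0^1 2+3 максимальный отклик",
    "Subject: Свежие базы, звоните 7 916 555 01 23",
    "Subject: Report for Q3 2009 (3 attachments)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(extract_phone_numbers(s), was_obfuscated(s), phone_fingerprint(s))
```

Because the fingerprint is computed from the normalized digits, the obfuscated and plain variants of the same number produce the same key, which is what a signature or reputation lookup should be built on; the third sample shows that short digit groups (years, counts) fall below the length threshold and are not mistaken for phone numbers.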

As a routine check in our analysis of Russian spam, we examined the volume of Russian spam for...

Mayur Kulkarni | October 2nd, 2009

Online degree spam has been around for years. Nowadays, however, these campaigns are not limited to handing out degree certificates (super fast, within days or weeks); they also steer recipients toward specific degrees. For example, it is common knowledge that there is a shortage of qualified nurses in the US, with many media reports on the subject. When we examined these attacks over the last six months, we found that spam for nursing degrees placed in the top five degrees promoted by spammers. Similarly, a manpower shortfall has been noted in law enforcement, and spammers are accordingly advertising that career option more heavily.

The top five degrees advertised through spam are:

1. Police Officer
2. Federal Agent
3. Nursing
4. Culinary Arts
5. Teacher

Other degree options provided...

Mayur Kulkarni | September 30th, 2009

The Diwali "Festival of Lights" falls in October and is celebrated across India. During this time a large portion of the Indian population is out shopping and looking for holiday deals. We have started noticing spam messages offering Diwali-related discounts. Interestingly, spammers are sending the same Internet offers as before, just repackaged as Diwali discounts.

For example, in a spam message selling a database CD of contacts (names, email addresses, ages, phone numbers), "Diwali" is inserted to make it more enticing. As shown in the sample message below, recipients are offered a database CD of 57,000 Indian companies (SMEs).

[Image: diwali1.jpg]

We also monitored unsolicited offers that we think may ultimately serve to compile, for the spammers, a list of the addresses that "opt out" (and are therefore confirmed as live). Most of these spam messages draw email users with cash...

Mayur Kulkarni | September 10th, 2009

The IRS settlement offer for U.S. taxpayers holding accounts in foreign banks ends on September 23, 2009. Under the offer, taxpayers can make a full disclosure and pay their back taxes, interest, and penalties; in return, the IRS scrutinizes only a limited number of tax years, applies lower penalties, and does not pursue criminal prosecution. Legitimate FAQs on the settlement offered by the IRS can be found here, with additional information found here.

Spammers are exploiting this deadline to spread malware, sending fake IRS email notifications to recipients. These emails do not mention the deadline, but explicitly describe the issue as "Unreported/Underreported income." Users might panic at the subject line "Notice of Underreported income" and download the executable "tax-...

Mayur Kulkarni | August 31st, 2009

Last month we wrote about a spam campaign for mobile spying software (possibly malware) that snoops on the phone calls and SMS messages of a person of interest. The most heavily advertised use was spying on a loved one to see whether they are having an affair. Since spying is not going to help a troubled relationship, spammers are now offering another solution for distressed lovers: they claim to deliver excellent results in solving troubles with loved ones, without the recipient ever needing to meet the spammer.

This is another ploy to get recipients to contact the spammer, reminiscent of the examples in one of our May 2009 blog postings. In the current scenario, a clever message has been drafted to lure troubled lovers into a 419-like trap in order to extract personal information. Spammers may also use personal...

Mayur Kulkarni | August 26th, 2009

In our earlier blog posting on obfuscated URL attacks we reported on the transition from image spam to URL-obfuscation attacks, and noted how resources such as domains and subject lines were being recycled. In this post we discuss another aspect of image spam: message size. We have observed a sudden growth in message sizes during August. Similar jumps in message size were reported on the Symantec Security Response Blogs in November 2008.

After monitoring messages during August (so far), we came to the following conclusions:

• 9.3% of image spam had a message size greater than 100 KB.
• 14.43% of image spam had an average size of...

Mayur Kulkarni | August 14th, 2009

Recently we reported how HTML attachments were being used in various spam campaigns, such as phishing attacks, email harvesting attacks, and 419 scams. Spammers have since added a few more file formats, again in an attempt to evade anti-spam filters. As with HTML attachments, these new file formats are being used across several spam categories.

In the first example we discuss the MHT file format attached to phishing emails. When a Web page is saved as a Web archive in Internet Explorer, it is stored in MHTML (MIME HTML) format, a single MIME multipart file with an .mht extension. Further information can be found here. An attached MHT file behaves like an HTML file: opening it renders a legitimate-looking Web page. The page looks exactly like a legitimate bank page, and asks for critical financial...
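As an added example (not part of the original posts and not Symantec's tooling), the following Python script performs the two checks that the Facebook phishing post above and this MHT post call for: it extracts every link (with its visible text) and every form target from an HTML body, or from the HTML part of an .mht archive, and flags targets whose host lies outside the brand the message claims to be from. Both the Facebook-style lure and the .mht archive below are constructed for this example, and the hostnames in them are made up.

```python
"""Triage helper for HTML and MHT phishing lures: list every link and form
target whose host is not the brand the message claims to be from.
(Added example; assumes only the Python standard library.)"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TargetCollector(HTMLParser):
    """Collect (href, visible text) for <a> tags and action URLs for <form>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; '' for relative, mailto: or empty targets."""
    return (urlparse(url).hostname or "").lower()


def _allowed(host, allowed_hosts):
    return any(host == d or host.endswith("." + d) for d in allowed_hosts)


def suspicious_targets(html, allowed_hosts):
    """Return (kind, url, visible_text) for each link or form whose host is not
    in allowed_hosts. A relative form action ('' host) is reported as well: in
    a saved .mht page it posts to wherever the attacker serves the page from."""
    p = _TargetCollector()
    p.feed(html)
    bad = [("link", href, text) for href, text in p.links
           if not _allowed(host_of(href), allowed_hosts)]
    bad += [("form", action, "") for action in p.forms
            if not _allowed(host_of(action), allowed_hosts)]
    return bad


def html_parts_of_mht(raw):
    """Decoded text/html bodies of an MHT archive. MHT is MIME multipart/related,
    so the standard email parser reads it and undoes the quoted-printable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def triage_mht(raw, allowed_hosts):
    findings = []
    for html in html_parts_of_mht(raw):
        findings += suspicious_targets(html, allowed_hosts)
    return findings


# Constructed sample 1: a Facebook-style lure. One link really goes to
# facebook.com; the "Update" button's href goes to a made-up host.
FACEBOOK_LURE = """<html><body>
<p>Your account needs an update. See <a href="http://www.facebook.com/help">Help</a>.</p>
<p><a href="http://login-update.example.net/fb/">Update</a></p>
</body></html>"""

# Constructed sample 2: an .mht web archive in the shape Internet Explorer
# saves, HTML part quoted-printable encoded, with a login form that posts to a
# made-up collection host instead of the bank.
BANK_MHT = b"""From: <Saved by Windows Internet Explorer 8>
Subject: Online Banking - Sign In
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: https://www.examplebank.com/signin

<html><body>
<img src=3D"logo.gif">
<form method=3D"post" action=3D"http://collect.example.org/post.php">
User ID <input name=3D"uid"> PIN <input name=3D"pin" type=3D"password">
</form>
</body></html>

------=_NextPart_000--
"""

if __name__ == "__main__":
    print(suspicious_targets(FACEBOOK_LURE, {"facebook.com"}))
    print(triage_mht(BANK_MHT, {"examplebank.com"}))
```

The same status-bar check a user does by hand (does the link really go where its text says?) is what `suspicious_targets` automates, and because an .mht archive is just MIME, the attachment case needs no extra parser: the stdlib email module yields the decoded HTML, and the form's `action` tells you where the credentials would be posted.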

Mayur Kulkarni | August 7th, 2009

In recent months we have observed different types of legitimate newsletter templates being used in pharmacy spam attacks. To get users to open these messages, spammers need the subject line (the entry point) to be enticing and the content to look legitimate, so much so that a user may open the email right away without checking the sender information.

We start with "discount special" subject lines. These are built from combinations of words such as pharmacy, men, health, dear, and sale, usually followed by a discount value (always more than 70 percent). The latest addition is a subject line ending with a country name such as United States, Bulgaria, or Colombia. Some examples of subject lines made with these words (the word order varies):

Dear [email address] [date and time with time zone] 80% 0FF on [pharmaceutical company].
RE: Pharmacy...

Mayur Kulkarni | July 29th, 2009

Ever dreamt of owning the gadgets that let you operate like a secret agent in spy movies? Spammers are offering a solution: not a bug attached to a phone, but software that, once installed on the target phone, reports back on all calls and messages passing through it.

The pitch is the ability to peek into someone's phone for whatever information you want. The spammer claims that once the software is installed, the target phone's surveillance functions can be used to obtain valuable information from people such as your girlfriend, manager, key employees, or business partners: listening in on outgoing calls, receiving copies of incoming and outgoing SMS messages, and tracking the phone's precise location via GPS.

However, this miraculous spy tool requires a few steps before it can be used...