Symantec Blogs: Security Response

Samir Patil | November 12th, 2009
0 comments

Phishing attacks jeopardize users’ personal information, including banking credentials. The huge gain that Internet miscreants receive from these attacks drives them to think of newer and more effective bait to phish users’ personal data. To carry out their plans, spammers most commonly abuse new security services/features provided by legitimate companies.

Many financial institutions have already started providing a pin/password generator device (also known as “secret reader”) for their customers to conduct secure online transactions. The device generates random pin codes after a specified interval of time. In a recent phishing attack the fraudsters promoted a similar secret reader.

This fake message claims that a bank has developed a secret reader that generates a password of 10 alphanumeric characters. The message also targets existing customers who are already using this device provided by the bank, and informs them that the existing device will...

Samir Patil | November 6th, 2009
1 comment

When we analyzed spam data from the past few years, we observed that the holiday seasons stir up malware spam campaigns that use e-cards, video player downloads, or ActiveX download attacks. We have found that greeting card or e-card spam is the most common of these. For this reason, spammers are now employing the same technique in other spam campaigns.

When analyzing spam messages from the Symantec Probe Network, we came across an interesting phishing attack where spammers are misrepresenting e-card services.

In this unique phishing attack, a URL for the animated e-card is provided in the message. When the user clicks on this link, an animated video is played in a flash player. Surprisingly, the personal message section is invaded by a typical phishing message.

The greeting card message is shown in the image below:

[Image: the greeting card message, with header details removed]

Message...

Samir Patil | November 6th, 2009
0 comments

Scammers based in Nigeria have long been known for using legitimate email formats for spreading infamously fraudulent 419 messages. We have already monitored e-card services, social networking invites, and various other services provided on social networking sites. Yet another example is a calendar service being abused for sending scam messages.

Sadly there is an addition to this list, where the “send link to friend” service is exploited for sending scam messages. Many news websites provide an option to send news links to another person. A text area is also provided to write personalized messages. It is a general tendency of netizens to share important news with friends by forwarding the links along with their comments on the news. In a recent spam attack we monitored a typical 419 scam message injected into the text area of a news article. With this, scammers smartly introduce a scam message in an otherwise very legitimate looking mail.

The “...

Samir Patil | October 2nd, 2009
0 comments

In last month’s State of Spam report, Symantec discussed the early signs of holiday spam that contained messages related to Halloween and Christmas. In September, researchers at Symantec intercepted multiple attempts by spammers to hijack the subject of Halloween festivities in an attempt at grabbing personal information from email users, as well as selling online meds.

In product promo spam related to Halloween, spammers are offering free gift cards of various denominations towards the purchase of products. Various online surveys are also offered, which claim to give out gift cards for participation. Clicking on these offers takes users to a website where a wide range of their personal information—including email address, postal address, and phone number—is gathered.

Below are various subject lines used in promo messages:

...

Samir Patil | September 2nd, 2009
0 comments

In an attempt to conceal spam messages from anti-spam filters, spammers employ a variety of tactics: obfuscation and/or spoofing techniques, the misuse of brand names, and many other tricks that make it difficult for content filtering to identify the spam message.

Recently, Symantec observed a spam attack in which homograph spoofing was used so that the spoofed domain name partially or completely resembles the reputable brand domain name. However, before discussing this trend we will first introduce you to terms that may be unfamiliar, such as IDN, Punycode, and homograph spoofing.

IDN

An internationalized domain name (IDN) is a domain name that contains one or more non-ASCII characters. Such domain names could contain characters from non-Latin scripts such as Arabic, Chinese, or Devanagari.

Example:
The domain “ёxample.com” uses “ё”, which is a...

Samir Patil | August 13th, 2009
0 comments

Players and sports fans around the globe are already warming up for some of the major tournaments like EPL, Champions League, and the MLB World Series. Various national soccer leagues across Europe, including the famous EPL and Champions League, are kicking off in August. In the United States, baseball fans are eagerly waiting for the MLB World Series, which is scheduled in October.

During this season spammers are racing to reach millions of mailboxes with fake product promotions and fraudulent content. Recently we’ve come across product offer spam linked to the upcoming busy sports season.

In this particular scam message, spammers are seeking football players’ profiles. Below is an example of a scam message along with headers:

[Image: example scam message with headers]

This is not the first time we have monitored scam messages targeting football players. Spammers employ these old...

Samir Patil | July 27th, 2009
0 comments

As excited as I was prior to the release of the sixth film of the Harry Potter series, it proved to be fairly disappointing in terms of the number of spam messages spawned using the book/film title. The latest film, “Harry Potter and the Half-Blood Prince,” was released worldwide on July 15.

We monitored the probe network traffic over the past couple of weeks to track the prevalence and volume of Harry Potter related spam. However, it seems that spammers are less passionate about the idea of using the magic of this tale for their spam campaigns. The recent Harry Potter-related spam that we did see arrived as either Nigerian scams or health-type spam.

One scam message is disguised as an online lottery winning notification. In this fake and non-existent lottery, the name “Potter” is misspelled as “Porter.” Interestingly, the scammer used J. K. Rowling as the name for the online lottery—Rowling is the author of Harry Potter...

Samir Patil | July 27th, 2009
0 comments

How close can they get to you? So close that they can actually talk to you, no matter where in the world they are located? Nigerian 419 scams are not new and have been a nuisance to email users for years. Traditionally, Nigerian scammers have reached out to email users through text-based emails, Word documents, and PDF documents, and are increasingly targeting social networking sites. However, all of these techniques have one thing in common—rubbish stories of a huge money inheritance, kinship, and financial assistance that is communicated via typed messages.

Spammers are constantly in search of techniques that will allow them to reach users’ inboxes by beating anti-spam filters. Any deceit used is fair game for them. Recently, we noticed one such technique used by spammers to make their way into users’ inboxes exploiting VoIP (voice over IP) services. The spammers are creating fake accounts on sites providing VoIP services and then, using these fake...

Samir Patil | July 1st, 2009
0 comments

In the United States, Independence Day is a federal holiday celebrated on July 4 that commemorates the adoption of the Declaration of Independence on July 4, 1776, which declared independence from the Kingdom of Great Britain. The day is typically celebrated with fireworks, parades, barbecues, carnivals, and various other public and private events to remember the history and traditions of the United States.

In order to track the prevalence and volume change of Fourth of July spam, we have been monitoring the probe network traffic for this type of spam over the past couple of weeks. Surprisingly, it looks as if spammers are less passionate about spawning Independence Day spam this year. The probable reason for this lack of interest could be the spam spike related to the death of pop star Michael Jackson.

In the spam samples that are related to Independence Day, we’ve observed messages inviting users to experience the so-called “best 4th of July fireworks display...

Samir Patil | June 17th, 2009
0 comments

Since Father’s Day is just a week away, we at Symantec have been tracking the prevalence of Father’s Day spam during the past two weeks. Father's Day is a day honoring fathers, celebrated on the third Sunday of June in the United States and many other countries. This year it will be celebrated on June 21.
Father’s Day typically involves gift-giving, special dinners, and family-oriented activities. This common knowledge gives spammers an opportunity to promote fake products and come up with lucrative-sounding offers.

The majority of the spam related to Father’s Day that we have observed consisted of Internet offers for special discounts on various products such as PDAs, cigars, and satellite dish-DVRs. Other offers included personalized gift cards, wine makers, premium coffee collections, and e-cards.

The spam messages linked to Father’s Day typically involve words like “Father’s Day,”...

Samir Patil | June 15th, 2009
0 comments

Over the past few weeks we’ve observed an increase in spam emails carrying attachments of various file types, such as jpg, jpeg, png, zip, and rtf. Attachment spam volumes slowly crept upward between May 1 and June 13, 2009.

Image spam is used mainly for the health spam category, which usually carries an embedded jpeg, jpg, or png image promoting ED pills. We’ve observed a spike in spam carrying rich text format (.rtf) attachments between the last week of May 2009 and the early days of June 2009. The email has a blank message body with an attached .rtf file of approximately 360 bytes. This file contains online pharmacy promotional messages and a URL that leads users to an online pharmacy store. These emails use random subject...

Samir Patil | June 4th, 2009
0 comments

Recent news or events that attract human interest always help spammers fuel their spam campaigns, since current and often legitimate headlines are used in spam email to catch users’ attention. The latest activities in South Korea and North Korea are generating interest globally, and spammers are using this news to their advantage. We’ve observed spam samples in which news articles referring to the suicide of former South Korean president Roh Moo-Hyun and the recent nuclear and missile tests conducted by North Korea are misused by spammers in product promotion spam and phishing attacks.

In this typical scam story, the URLs of reputed news agencies reporting on this event are provided at the bottom of the email to gain the trust of recipients. Interested users are requested to communicate only over email. Needless to say, spammers are probing whether or not email accounts are active in order to include them in future spam campaigns, or to employ...

Samir Patil | May 21st, 2009
0 comments

Spammers habitually exploit the reputations of brands for their benefit. As more and more people become connected through social networking sites, it is no surprise that the trust and reputation earned by these websites is misused by spammers. We are monitoring spam attacks this week that try to take advantage of the burgeoning social networking brand Twitter for two spam campaigns: make money fast (MMF) and dating spam.

In the MMF attack, a URL is provided to order a “Risk-Free Twitter Profit Software” kit. When the user clicks on the URL in the promotional email, he or she is redirected to a Web-form that asks for personal information such as name, email, and address. This is followed by another form asking for your credit card number, expiration date, and security code.

Below are some of the subject lines used in this latest MMF spam:

Subject: Twitter Guru Reveals All On Video
Subject: Use Twitter to...

Samir Patil | May 21st, 2009
0 comments

Spammers have declared open season on Memorial Day. Observed in the United States on the last Monday of May, Memorial Day memorializes those men and women who lost their lives in American military service. This year, it will be celebrated on May 25.

Memorial Day spam made its appearance early last week. These emails mainly contained health-related spam and offers selling Memorial Day flags. The health-related spam has URLs that lead users to online pharmacy stores. The spam emails linked to Memorial Day flags claim to offer free home delivery of discounted flags. A few other spam samples have injected legitimate news articles related to Memorial Day into the email body in an attempt at obfuscation.

The following are a few of the subject lines used in the Memorial Day spam...

Samir Patil | May 15th, 2009
0 comments

Do you wish to attend the finals of the 54th Eurovision Song Contest in Russia? Why not? Spammers have made it seem easy to grab those hard-to-get tickets for the event.

Eurovision is one of the most prestigious annual competitions held among active member countries of the European Broadcasting Union. The competition runs from May 12th-16th, with the 16th being the Grand Final.

We've recently come across some Russian spam emails that attempt to sell tickets to the Grand Final. The email even claims to offer free home delivery of the tickets. There is no URL in the message to buy tickets; instead, an obfuscated phone number is provided at the bottom of the email to contact for further communication.

Below are a few of the subjects observed in the recent spam campaign:
 
...