Symantec Blogs: Security Response

Vivian Ho | October 27th, 2009

Chinese spammers adapt quickly to new Internet social media that might attract recipients’ interest, in order to get Web hits. Spammers have researched popular social networking activities and living habits and set up their spam traps accordingly. Recipients often fall for these tricks because they may not be aware of the latest spam news or phishing alerts.

Recently we observed Chinese spammers sending out moneymaking scams using a popular free microblogging service. This type of free social networking allows users to send live updates through short text messages or links. In this sample we found that a spammer registered a legitimate user account and then sent out a friend invitation request. All links lead to the same money-making promotional ads:

Sample 1:

From: Popular social networking <Details removed>
Subject: 兼職工作,全職收入-每月增加2到 5萬 邀請您到 <Details removed> 註冊帳號

Translation:...

Vivian Ho | August 25th, 2009

Happy Valentine’s Day! Yes, Chinese love birds get to celebrate twice a year with their loved ones. Chinese Valentine’s Day is set to fall this year on July 7th in the lunar calendar—that’s August 26 on the western calendar.


Chinese spammers have been using eventful holidays in the same way that English and European spammers have in order to spread their wares. We have observed spammers sending dating service advertisements and gift service site promotions for the upcoming Chinese holiday. Below you will find some examples of recent Chinese Valentine spam messages.

Sample 1:

Chinese singles often go to the matchmaker temple and pray for luck in love or marriage. People call this matchmaker god “Yue Lao.” We see spammers using this name in email aliases to promote their dating service for this legendary holiday. The advertisement is simply an inserted dating service...

Vivian Ho | August 10th, 2009

The traditional Chinese Father’s Day is set on August 8—coming from “8/8”, which is pronounced “Pa-Pa” in Chinese. Spammers are offering us a wide array of gift selections, including high tech products, luxury wallets and watches for our hard working dads.

Spammers have a detailed catalog of items and are giving potential buyers a one-year warranty on replica products. They are also offering a special promotion, giving a first time buyer discount on a mass-mailing service.

In the sample below, the spammer claims they are a legitimate shopping site for luxury items:

From: "xxxxxxxx代購網" <xxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxxxx>

Subject:為辛苦的父親選一件父親禮物吧

Translation:

From: "xxxxxxxxshopping network" <xxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxxxx>

Subject: Pick up a nice gift for your hard working dad.

...

Vivian Ho | August 7th, 2009

Based on the lack of coverage in recent weeks, some people may think that the swine flu epidemic has slowed down for a while. However, there have been many reports of deaths caused by swine flu in different countries around the world in the past couple of weeks. The general public is continuing to monitor news of this disease very closely.

Spammers have been swiftly capitalizing on the fear of a pandemic in the fraudulent email they have been sending. We observed spam disguised as if it were sent from a public health agency or media outlet. The spammers are sending viruses embedded in links in the message body, such as in the example below. Users are redirected to the file “information.PDF.exe” if they are enticed to attempt the download of the image. Symantec detects information.PDF.exe as Downloader.

From: "Ministério da Saúde" <...

Vivian Ho | August 6th, 2009

We’ve observed spam disguised as a legitimate Taiwanese commercial bank sending out credit card promotion email messages that are embedded with an .swf virus link. In this particular attack, recipients are able to see the bank’s image at the top of the email message and promotion notes at the bottom. There is also a large blank space within the promotion message that is designed to make you believe that the credit card promotion content has been lost in transit. Recipients are then instructed to click on the link in case of page display error issues.

This attack is found to be a dictionary/domain attack. Symantec detects the “blog.html” link in the spam email as Trojan.Malscript!html. The blog.html link contains shellcode in the form of a file named sploit.swf, which exploits Adobe AVM2 Scope Stack Corruption Vulnerability (...

Vivian Ho | July 29th, 2009

We have recently observed Chinese spammers selling personal account cracking software. This is not a typical pirated software promotion, because the product itself already violates privacy law. The observed email promises to teach and help users to break into others’ accounts, such as MSN or Yahoo instant messaging client accounts, email accounts, and all popular social networking accounts.

Sample Header:

From: false <xxxxxxxxxx@xxxxxxxx.xxxxxx>
Subject: ∴帳密破解諮詢∴

Translation:
Subject: ∴Accounts cracking consultation service∴


Body Translation:

Professional Accounts cracking consultation service

Services including crack yahoo, msn,...

Vivian Ho | June 30th, 2009

The Internet has gone wild since Michael Jackson, the “King of Pop,” was reported dead on June 25. Symantec Security Response has already blogged about how we observed spammers trying to capitalize on this event in many ways, both with messages including malware, and scams tied to this talented celebrity’s death. We expect that spam and malware will keep coming in, given Michael Jackson’s popularity and following. Recipients should be extra cautious about messages that appear to be related to Jackson’s death, especially any email that comes from an unknown or unexpected source.

The following are some examples of what we have seen circulating:

Sample 1.1

Spammers hide behind a spoofed message, which appears as a rip-off of a familiar social network notification, in an attempt to try to trick recipients to...

Vivian Ho | May 20th, 2009

In the last couple of months we’ve seen medical image spam offers resurfacing with regularity. Image spam advertising meds is easy to recognize, with a prominent med promotion image in the body. The subject lines advertise the products’ effectiveness and include noise added in the image attachment to attempt to bypass antispam filters. These are old techniques that are still common in med spam.

Spammers are also developing new tactics to attract visitors. They attempt to play mind tricks on the spam recipients, using warnings that are similar to what might be received from a system admin and personal greetings in subject lines—both attempts to lower recipients’ awareness in order to get their messages read.

We’ve recently observed a round of med spam that is sent in ordinary e-postcard form. In these messages we see that the spammers are using warning-style subject lines in order to try to dupe recipients into thinking they are violating...

Vivian Ho | April 14th, 2009

Happy Easter! Are you really blessed? Spammers always have favorite holidays. And while they couldn’t join your family for an egg hunt this year, they didn’t forget to send their greetings during Easter week. During the past week we observed fraudulent e-card notifications spoofing a well known Internet e-card service site.

The message contains legitimate From: and Subject: lines, along with a heart-warming Easter message to make up the body content. Spammers used a legitimate-looking pick up notification hyperlink to lure the recipient to click it. However, a PHP URL is embedded into HTML, which actually links users to another URL where malicious code may be downloaded onto their system.

This is a typical spam tactic, but recipients should still be aware of it during this post-holiday season, since the scam still exists. We urge recipients to be aware of this type of greeting to avoid vicious attacks. Most importantly, do not open emails with suspicious...

Vivian Ho | April 8th, 2009

While everyone is still in shock from Monday's 6.3-magnitude quake in Italy, spammers are unfortunately capitalizing on this event.

Not long ago, we monitored an inbox burst of fake news headlines focusing on Hollywood celebrities, popular politicians, and current events, which spread malware through attachments.

Sample subject lines were:

  • “Britney Spears Overdose”
  • “Lindsay Lohan crashes brand new Lamborghini”
  • “Beijing Olympics cancelled upon the death of China's president”
  • “Obama bows out of presidential race.”

Sample headers and body text:

Sample 1

attachment filename= "never.exe"
From: <xxxxxxxxxx@xxxxxxxxx.xxxx>
Subject: URG

President Bush DEAD! Read attached file!

Sample 2

...
Vivian Ho | March 16th, 2009

Seminar spam often competes with fake invoice spam for the top position in Chinese language spam. Chinese seminar spam is sent out in a manner that is similar to a legitimate and regular business training course or seminar/presentation invitation.

Like any real seminar, Chinese seminar spam identifies the purpose, location, time, and workshop details. Application fees and contact information are required to access the “offer.” Chinese seminar spam often follows a pattern similar to Chinese language fake invoice spam, as outlined in an earlier blog post. Over the last five years we’ve seen Chinese language seminar spam evolve through plain text, Microsoft Word, PDF, and graphic attachments in varied attempts to bypass antispam filters.


...

Vivian Ho | March 4th, 2009

In the past decade, rapid economic growth has been observed in China. Enterprises have expanded their businesses rapidly and business travelers are often required to conduct business across China. All enterprises require employees to file expense reports, which include tax invoices or receipts in order to obtain financial compensation.

In China the tax is issued before the purchase occurs, and one may purchase a tax invoice from a government agency. This is quite different from the United States or European countries where tax is added after the purchase occurs. Tax invoice counterfeiters use spam emails to make offers to sell tax invoices to a business owner at a reduced rate. For this tax evasion service, these invoice counterfeiters will quite often offer a large purchase discount. The service involving selling and issuing fake invoices to help business owners deduct tax expenses has always been the most frequently seen spam in the simplified Chinese language.

We...