Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Messaging Gateway
Showing posts in English
Mathew Maniyara | 03 Aug 2012 17:36:42 GMT

Co-Author: Avdhoot Patil

Phishers continue to target Indonesian celebrities with adult scams. Phishing attacks on rock star Ahmad Dhani have already been seen. In July 2012, Symantec observed a phishing site that claimed to have an adult video of Indonesian actress and singer Aura Kasih. The phishing site spoofed a social networking brand and was hosted on a free Web hosting site.

The adult scam came in light of a recent scandal surrounding the singer. An adult video, allegedly of Aura Kasih and pop star Nazril Irham, has been circulating recently in Indonesia over the internet and mobile phones. It is rumored that the video started appearing after Nazril Irham’s laptop was stolen.

Phishers created the phishing site with an image of a video link of Aura Kasih. A message in Indonesian on the image prompted users to login to view the video. The message also...

Mathew Maniyara | 25 Jul 2012 21:25:45 GMT

Co-author: Avdhoot Patil

Phishing sites using celebrities as bait are on a rampage. In July 2012, Honey Singh, also known as Yo Yo Honey Singh, a popular Indian rapper, singer, music producer, and actor was featured on phishing sites. Symantec observed several phishing sites that spoofed a social networking brand that claimed to have an application for Honey Singh. The phishing sites were hosted by a free web hosting service.

The phishing sites promoted Honey Singh’s 2011 album, International Villager. A poster of the album's artwork was displayed on the left side of the phishing page and the login form was displayed on the right side. The phishing sites claimed to have an application that enabled users to listen to the Punjabi star's latest songs and videos. As with most applications on social networking sites, the application made a request to the user before allowing access. After a user's login credentials were entered into the phishing...

Pavlo Prodanchuk | 23 Jul 2012 16:03:01 GMT

Recently, Symantec has observed an increase in .eu domains contained within pharmacy and dating spam messages. The spam emails observed so far are predominantly in the German language. The specific patterns and characteristics demonstrate that the attacks employ a "hit-and-run" technique.

In "hit-and-run" attacks, spammers quickly rotate through the IP addresses and domains that are being used. Unlike 80% of spam attacks, these messages are not sent from botnets of compromised computers, but from mail server IP addresses with a previously unknown reputation.

Recent data obtained from the Symantec Global Intelligence network shows that the number of spam emails that contain .eu domains increased slightly in the first and third week of June. Furthermore, the number of spam emails containing .eu domains written in the German language increased considerably in the last week of June.
 

...

Ben Nahorney | 20 Jul 2012 19:31:45 GMT

Contributor: Andrew Watson

A coordinated effort lead by security researchers at FireEye and Spamhaus has resulted in the takedown of one of the largest spam botnets in the threat landscape. The botnet, known as Grum, was reportedly responsible for close to a third of the world’s spam email traffic.

We’ve been watching the developments carefully here at Symantec and have noticed a decided drop in spam traffic coming from the Grum botnet. Around 5:00 p.m. on July 17, the botnet sent a batch of around 40,000 spam emails. The next hour that number dropped to around 30,000. The next hour 16,000, followed by 11,000. The numbers continued to decline to the point where, yesterday afternoon, the botnet sent only a handful of spam messages.

...

Samir_Patil | 26 Jun 2012 23:04:58 GMT

Last week I was jolted with a mail that says:
 


 

My first reaction was: "Did I ever interview or converse with any such person? Then why am I receiving this email?". I immediately began analyzing the email and found that it is nothing but a variant of a Hitman spam which tries to threaten the user after initiating a conversation and then extorts money in the bargain.

The discussed spam mail is a reply to an email thread which was never received or replied to before. (Although the spam message says that the recipient was part of the email communication sent a few months back.) The email comes with an attachment containing the candidate’s resume. Suprisingly, the attachment has no...

Samir_Patil | 05 Jun 2012 06:46:13 GMT

Contributor: Anand Muralidharan

The 14th edition of the UEFA European Championship is set to begin from June 8th and will be hosted in Poland and Ukraine. Symantec has intercepted a 419 spam attack targeting EURO 2012. Below is a screenshot of the spam mail.

The scam message is attached as a PDF file called UEFA.pdf. This is a typical 419 scam message that says that the reader has won a EURO 2012 Cup promotion lottery. In the rest of the message, the spammers explain in detail how the recipient’s email address reached them and how it was selected as a winner out of huge number of other participants.

Finally, the recipient is asked to send the winning identification numbers by filling in the UEFA EURO 2012 online documentation form, which asks for personal details such as name, address, age, occupation, and phone number. One interesting line in the message says that the...

Mathew Maniyara | 31 May 2012 22:32:49 GMT

Co-Author: Avdhoot Patil

Lottery scams are not new to the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers gained interest in schemes that involved donating to charity using lottery prizes. They utilized the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin advantages: winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A link to login was provided on the phishing site urging customers to enter their credentials. The link lead the customers to a phishing page that prompted the customer for their name, ticket number, and email address:
 

...

Paresh Joshi | 21 May 2012 11:52:55 GMT

For anti-spam software, it is quite easy to prevent spam by using content-based filters. So spammers come up with different obfuscation techniques to bypass URL-based filters such as inserting “shy characters”, as we have discussed previously. Recently, spammers have been trying to cash-in on the smallest of gaps that they could find in conventional anti-spam technologies. Spammers are now attempting to obfuscate the URLs in spam messages, either by inserting white space characters of varying sizes or by replacing the conventional “.” (dot) character by “。” (An ideographic full-stop, mostly used in Asian languages)

How did they do it? Let’s take a look at both of these techniques.

Using different size white space characters is allowed in HTML. All languages use spaces to separate words. However, the size of the white space characters...

Mathew Maniyara | 17 May 2012 04:10:48 GMT

Co-author: Avdhoot Patil

Phishers have enveloped the globe mimicking brands across a variety of industries and using many languages. From April 2012, phishing attacks in Korean gained momentum, comprising of 0.5 percent of all non-English phishing sites. The increase was in particular targeting banks based in South Korea. The primary motive in these attacks is financial gain, as it is in most phishing attacks. Let’s explore some of the phishing sites we have observed.

In the first example, the phishing site asked for the customer’s name, social security number, cell phone number, account number, account password, and transfer password. After the information was entered, the customer was redirected to a page that asked for the security card serial number. The phishing site then redirected back to the legitimate site.

Figure 1. Phishing site asks for customer...

Eric Park | 14 May 2012 19:19:03 GMT

Symantec has observed an increase in spam messages containing URLs using the country code top-level domain (ccTLD) for India. This chart shows percentage of spam containing .in URLs:

While there were few daily spikes last year, clearly there has been more activity in the last two months.

Looking back at last year, the ccTLD for India (.in) ranked tenth on our TLD distribution list:

...
Rank TLD % of URL Spam
1