Video Screencast Help
Security Response
Showing posts tagged with Email
Showing posts in English
Samir_Patil | 17 Jun 2011 11:41:34 GMT

This year, Father’s Day will be celebrated on June 19th. Of course, this is an occasion that is used to express feelings towards dads for all of their love and support, often accompanied by the giving of exclusive gifts. Sadly, spammers don’t forget to send out their fake offers to target this special day. Symantec is observing an increase in spam volume related to this event, which is shown in the graph below.

Father’s Day spam can be categorized into hit-and-run spam promoting fake products, e-cards, dating, and gift card spam. Various product promotions are seen to contain products such as cigars, replica watches, wallets, and computer accessories. Once a user clicks on a fake offer, they are directed to a webpage where they are asked to divulge confidential information such as a credit card number, CVV, email address, etc. Below are some examples of this type of...

Mathew Maniyara | 07 Jun 2011 11:49:49 GMT

A couple of months ago, Japan was hit by an earthquake of magnitude 9.0. The earthquake and tsunamis that followed caused severe calamity to the country. Phishers soon responded with their fake donation campaign in the hopes of luring end users. Unfortunately, it seems that the phishers are continuing to use these fake donations as bait in a recent phishing attack we observed.

In a fake donation campaign, phishers spoof the websites of charitable organizations and banks and use those fake sites as bait. This time, they spoofed the German page of a popular payment gateway site with a bogus site that asked for user login credentials. The contents of the page (in German) translated to “Japan needs your help. Support the relief efforts for the earthquake victims. Please donate now.” The message was provided along with a map of Japan that highlighted two cities from the affected region....

Amanda Grady | 02 Jun 2011 17:29:02 GMT

I received reports this week of emails that reference transactions of which the recipients have no knowledge. The  email includes a link for more detail, which then attempts to download a ZIP attachment. Nothing new here; most savvy users would know better than to open an attachment in an unsolicited email.

The interesting thing about this email, however, is that it includes a password previously used by the recipient. Seeing private data in an email like this would definitely raise suspicions that the sender has some kind of connection to the recipient, or worse, has comprised their account details. The ultimate goal for the sender is that the user’s curiosity would be piqued sufficiently to open the attachment which would, of course, deliver the inevitable malware payload.

Symantec detects the file as Trojan.Zbot, also called Zeus, which is a Trojan horse that...

Suyog Sainkar | 02 Jun 2011 17:17:21 GMT

Spam messages promoting pharmaceutical products have been perhaps the most commonly seen spam attacks over the past several years. Pharmaceutical products are deceptively marketed through spam emails employing a variety of obfuscation techniques. Symantec recently observed a pharmaceutical spam campaign abusing the YouTube brand. Similar spam campaigns abusing popular brands have been seen in the past, however, the email volume observed in this particular spam attack has been immense.

Sample From and Subject lines observed in this spam attack are below.

From: YouTube Service <>

Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube

Subject: YouTube Service sent you a message: Best Unrated Videos To Watch

Subject: YouTube Support sent you a message: Your video has been removed due to terms of use violation


Samir_Patil | 26 May 2011 15:21:56 GMT

There has been yet another spam attack on the widely followed game of cricket. Earlier this year, Symantec reported about a spam attack that targeted the Cricket World Cup. It is now time for the Indian Premier League (IPL). With the playoffs in progress and the grand finale just two matches away, it is not surprising to see spammers trying to make the best of it.

We have observed IPL scam, in the wild, promoting an IPL lottery. Were the IPL honchos promoting a sweepstake of this sort?  We did our research and the answer is no.  So, where did this offer come from?  We investigated further and found that it was from a compromised machine from the suburbs of Mumbai, India.

Below is the spam sample:

So what is this scam all about? Our analysis found out that it comes...

Mathew Maniyara | 19 May 2011 15:42:29 GMT

The Income Tax Department of India recently announced that the last date for sending income tax returns for AY 2010-2011 has been extended to July 31, 2011. During 2010, phishers had plotted their phishing scams based on the tax return deadline. As the deadline for tax returns of the current financial year approaches, phishers have returned with their stream of phishing sites.

This time, phishers have spoofed the Reserve Bank of India’s Web site as a ploy for a tax refund scam. The phishing site attempts to lure users by stating that the bank would take full responsibility for depositing the tax refund to the user’s personal bank account. The user is prompted to select the name of the bank and enter their customer ID and password. There is a list of eight banks to...

Eric Park | 18 May 2011 15:41:10 GMT

The unexpected raid and resulting death of Osama Bin Laden shocked the world. As always, spammers were quick to jump on this headline and send a variety of spam messages leveraging the event. The “Fallout from the Death of Osama Bin Laden” section includes samples of some of the spam monitored in different languages.

The effect of the Rustock shutdown from the previous month continued this month. After falling 27.43 percent in March, the average daily spam volume fell another 5.35 percent in April. Compared to a year ago , it is down 65.42 percent. Overall, spam made up 74.81 percent of all messages in April, compared with 74.68 percent in March. Going back a year, the percentage of spam was 89.22 in April 2010.

To find out more, click here to download the May 2011 State of Spam & Phishing Report, which highlights the...

Samir_Patil | 16 May 2011 12:27:17 GMT

Last year, phishers targeted Wikipedia with a large number of spam emails that directed unsuspecting users to a fraudulent Wikipedia website. Currently, we are observing a new spam tactic being used, which targets the Wikipedia name for the promotion of fake pharmaceutical products.

In the last couple of days, we have observed various spam email messages that use a wiki template to promote bogus online pharmacies. The “Subject” line in these attacks has a lot of randomization. The “From” header is either fake or a hijacked ISP account that gives a personalized look to the email.

Below are some subject lines that were observed in the spam samples:

Subject: wWIKIp
Subject: kWIKIx
Subject: yWIKIg
Subject: hWikiPharmacyl
Subject: oWikiPharmacyp
Subject: uWikiPharmacym


In the image shown...

Samir_Patil | 12 May 2011 15:23:38 GMT

Have you ever received an email from an unknown person offering you an exorbitant amount of money and asking for your personal information in return? Well, that is exactly what a “419 scam” is!

419 spam, also known as Nigerian spam, is named after the Nigerian penal code, section 4-1-9. The most common forms of 419 spam are fake business proposals, fake fund transfers, and email lottery winning notifications—all of which include the spammers’ requests for personal information, such as name, account number, phone number, email address, bank details, etc.

419 spam is often seen in English, German, Spanish, and some other European languages, but spammers are now targeting Asian countries because of the increased Internet user base and widespread broadband infrastructure.

For the first time, Symantec has observed 419 spam created in Hindi using Devnagari script. This is a big paradigm shift where 419 spam is concerned. Hindi is a widely...

Sammy Chu | 10 May 2011 19:38:34 GMT

Spamming with dotted decimal URL (a dotted decimal URL refers to the four-byte IP address notation as a sequence of four decimal numbers separated by dots) is one of the most often seen URL-obfuscation techniques employed by spammers. Unfortunately, to the computer, an IP address is just a 32-bit binary number, and a dotted decimal is just one out of the many numeral systems for IP address expression. With this flexibility in interpretation, spammers have developed a new way to obfuscate their URLs; they start converting their dotted decimal URLs into different numeral systems.

Below are some of the IP address numeral system obfuscation techniques Symantec has observed of spammers. (All of the samples below are just different numeral representations of the IP address for

An IP address converted to hexadecimal format. (Hexadecimal is a base-16 numeral system.)