Security Response
Showing posts tagged with Message Filter
Pavlo Prodanchuk | 23 Jul 2012 16:03:01 GMT

Recently, Symantec has observed an increase in .eu domains contained within pharmacy and dating spam messages. The spam emails observed so far are predominantly in the German language. The specific patterns and characteristics demonstrate that the attacks employ a "hit-and-run" technique.

In "hit-and-run" attacks, spammers quickly rotate through the IP addresses and domains that are being used. Unlike 80% of spam attacks, these messages are not sent from botnets of compromised computers, but from mail server IP addresses with a previously unknown reputation.

Recent data obtained from the Symantec Global Intelligence network shows that the number of spam emails that contain .eu domains increased slightly in the first and third week of June. Furthermore, the number of spam emails containing .eu domains written in the German language increased considerably in the last week of June.
...

Ben Nahorney | 20 Jul 2012 19:31:45 GMT

Contributor: Andrew Watson

A coordinated effort led by security researchers at FireEye and Spamhaus has resulted in the takedown of one of the largest spam botnets in the threat landscape. The botnet, known as Grum, was reportedly responsible for close to a third of the world’s spam email traffic.

We’ve been watching the developments carefully here at Symantec and have noticed a decided drop in spam traffic coming from the Grum botnet. Around 5:00 p.m. on July 17, the botnet sent a batch of around 40,000 spam emails. The next hour that number dropped to around 30,000. The next hour 16,000, followed by 11,000. The numbers continued to decline to the point where, yesterday afternoon, the botnet sent only a handful of spam messages.

...

Samir_Patil | 26 Jun 2012 23:04:58 GMT

Last week I was jolted by a mail that said:

My first reaction was: "Did I ever interview or converse with any such person? Then why am I receiving this email?". I immediately began analyzing the email and found that it is nothing but a variant of a Hitman spam which tries to threaten the user after initiating a conversation and then extorts money in the bargain.

The spam mail in question is a reply to an email thread that was never received or replied to before. (Although the spam message claims that the recipient was part of an email conversation a few months back.) The email comes with an attachment containing the candidate’s resume. Surprisingly, the attachment has no...

Samir_Patil | 05 Jun 2012 06:46:13 GMT

Contributor: Anand Muralidharan

The 14th edition of the UEFA European Championship is set to begin on June 8th and will be hosted in Poland and Ukraine. Symantec has intercepted a 419 spam attack targeting EURO 2012. Below is a screenshot of the spam mail.

The scam message is attached as a PDF file called UEFA.pdf. This is a typical 419 scam message claiming that the reader has won a EURO 2012 Cup promotion lottery. In the rest of the message, the spammers explain in detail how the recipient’s email address reached them and how it was selected as a winner out of a huge number of other participants.

Finally, the recipient is asked to send the winning identification numbers by filling in the UEFA EURO 2012 online documentation form, which asks for personal details such as name, address, age, occupation, and phone number. One interesting line in the message says that the...

Mathew Maniyara | 31 May 2012 22:32:49 GMT

Co-Author: Avdhoot Patil

Lottery scams are nothing new in the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers have taken an interest in schemes that involve donating lottery prizes to charity. They used the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin attractions of winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A login link was provided on the phishing site urging customers to enter their credentials. The link led customers to a phishing page that prompted them for their name, ticket number, and email address:

...

Paresh Joshi | 21 May 2012 11:52:55 GMT

For anti-spam software, it is quite easy to block spam using content-based filters. So spammers come up with various obfuscation techniques to bypass URL-based filters, such as inserting “shy characters”, as we have discussed previously. Recently, spammers have been trying to cash in on the smallest gaps they can find in conventional anti-spam technologies. Spammers are now attempting to obfuscate the URLs in spam messages, either by inserting white space characters of varying widths or by replacing the conventional “.” (dot) character with “。” (an ideographic full stop, mostly used in Asian languages).

How did they do it? Let’s take a look at both of these techniques.

Using white space characters of different widths is allowed in HTML. All languages use spaces to separate words. However, the width of the white space characters...

Mathew Maniyara | 17 May 2012 04:10:48 GMT

Co-author: Avdhoot Patil

Phishers have enveloped the globe, mimicking brands across a variety of industries and using many languages. From April 2012, phishing attacks in Korean gained momentum, comprising 0.5 percent of all non-English phishing sites. The increase in particular targeted banks based in South Korea. The primary motive in these attacks is financial gain, as it is in most phishing attacks. Let’s explore some of the phishing sites we have observed.

In the first example, the phishing site asked for the customer’s name, social security number, cell phone number, account number, account password, and transfer password. After the information was entered, the customer was redirected to a page that asked for the security card serial number. The phishing site then redirected back to the legitimate site.

Figure 1. Phishing site asks for customer...

Eric Park | 14 May 2012 19:19:03 GMT

Symantec has observed an increase in spam messages containing URLs that use the country code top-level domain (ccTLD) for India. This chart shows the percentage of spam containing .in URLs:

While there were a few daily spikes last year, there has clearly been more activity in the last two months.

Looking back at last year, the ccTLD for India (.in) ranked tenth on our TLD distribution list:

...
Rank | TLD | % of URL spam
Mathew Maniyara | 02 May 2012 21:25:04 GMT

Co-Author: Ayub Khan

Customers of popular email service providers have been a common target for phishers seeking to commit identity theft. Phishers are constantly devising new phishing bait in the hope of stealing user email addresses and passwords. In April 2012, Symantec observed phishing pages that mimicked popular email services in an attempt to dupe users with attractive storage plans.

Customers were flooded with fake offers of free additional storage space for services such as email, online photo albums, and documents. In the first example, the phishing site was titled “Welcome to New [BRAND NAME] Quota Verification Page”. According to the bogus offer, the additional storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The phishing page boasted that the free additional storage plan would help customers avoid loss of data and the inability to send and receive emails due to exhausted storage space. It also stated that the...

Samir_Patil | 26 Apr 2012 06:46:31 GMT

Symantec is intercepting a resurgence of spam attacks abusing popular brands. Spam messages that are replicas of the Wikipedia email address confirmation alert are the latest vector. These spam messages pretend to originate from Wikipedia and are selling meds, using the following subject line: “Subject: Wikipedia e-mail address confirmation”.

The spoofed Wikipedia page is a ploy to lend legitimacy to the sale of meds online. The URL embedded in the message leads to a fake online pharmacy site that is dressed up as a Wikipedia Web page. Furthermore, to give the email a legitimate look, the spammer has added the recipient’s IP address in the body of the spam mail. Needless to say, this IP does not belong to the user.

Figure 1: Part of the spam message

...