Video Screencast Help
Security Response
Showing posts tagged with Message Filter
Showing posts in English
Eric Park | 20 Mar 2012 18:41:34 GMT

During the past two weeks, Symantec has observed an increase in hit & run spam activities (also known as snowshoe spam) in its Global Intelligence Network. Hit & run spam messages have the following characteristics:

  • Usually originates from IP ranges with neutral reputation
  • Uses a large IP range to dilute the amount of spam sent from each IP address
  • Contains features (such as Subject line, From line, and URLs) which change quickly
  • URL is the call-to-action
  • Often uses large quantity of “throw-away” domains in a single spam campaign

Here is a breakdown of top three products or services promoted by such spam over last week:

Date

#1Spam Promo

...
Ruby Yang | 15 Mar 2012 13:04:04 GMT

Nobody knew about Jeremy Lin a couple of months ago. But now, Linsanity rocks the world. Being a new NBA star, his name has already been mentioned countless times on ESPN, NY Times, and all other sports media.

If you are a fan of Jeremy Lin, you would probably like to collect his No.17 T-shirt, posters, and signature. One thing you would not like to collect is Linsanity junk mail. Unfortunately, spammers are jumping on the bandwagon as well.

As a Taiwanese descendant, Jeremy Lin’s background makes him unique in the NBA. Jeremy Lin inspires not only an enthusiasm for basketball, but also an interest in learning Chinese.  His humbleness and hard work also attract lots of overseas commercial invitations, especially in the Chinese market. In this particular trend, spammers use his fame to promote this Chinese flashcard website.

Lin has claimed that he is in no rush to use his...

Mathew Maniyara | 12 Mar 2012 22:35:45 GMT

Co-Authors: Ashish Diwakar and Avdhoot Patil

Phishers often choose baits with the motive of targeting a large audience. Using popular celebrities as bait is a good example. Phishers understand that choosing celebrities with a large fan base would target the largest audience and supply more duped users. This month phishers are using the same strategy but, instead of targeting a popular celebrity, they associated their phishing site with the popular FC Barcelona football club. FC Barcelona is the world’s second richest football club and has a large fan following. The phishing site, hosted on a free web hosting site, has since been removed and is no longer active. However, though phishing sites are frequently short-lived, internet users should be aware that other phishing sites using this or a similar template could easily be encountered in future.

The phishing site...

Mathew Maniyara | 08 Mar 2012 23:50:37 GMT

Co-Author: Ayub Khan

Phishers regularly introduce new types of fake applications with the motive of improving their chance to harvest user credentials. In February 2012, Symantec observed a phishing site recommending a fake application that allegedly removes “Timeline” profile for Facebook users. The phishing site was hosted on a free web hosting site.

The phishing site embedded the Facebook Timeline promotion video from YouTube, with the claim “Remove Timeline Now”. According to this phishing site, users will have their “Timeline” removed from their Facebook profile and get back their old profile page—only after they enter their login credentials. To make the fake application look more authentic, phishers added that it was protected by an antivirus product with the logo of the antivirus brand placed...

Samir_Patil | 21 Feb 2012 15:24:14 GMT

Thanks to Poonam Keluskar for their assistance with this research.

Maslenitsa (Маслница) is a religious holiday celebrated in Russia and Ukraine during the last week before Lent, i.e. the seventh week before Pascha (Easter). This festival is also known as Pancake week or Butter week. During this week people enjoy the social activities that are forbidden during the prayerful Lenten season, such as partying, dancing etc. This year the Maslenitsa will be celebrated from February 20 to February 26.

We are observing Maslenitsa spam targeting Russian and Ukrainian users that offers attractive tour packages. Similar to other Russian spam messages like online marketing promotions, spammers have provided a phone number to book the carnival package.

Below is a sample of a tour package spam:

Translation:

...

Samir_Patil | 17 Feb 2012 11:43:08 GMT

Thanks to Anand Muralidharan for their assistance with this research.

The world is mourning the loss of another legendary pop singer also known as the queen of pop - Whitney Houston. Spammers are paying homage to the icon with a wicked malware. The malicious email shows a video of the last appearance of the star in a Los Angeles night club and also downloads an executable binary. This file is detected by Symantec Antivirus as WS.Reputation.1.

The email originated from Ireland and targets Portuguese readers. The malicious file is hosted on a hijacked Japanese website. The email subject is randomized by adding random numbers at the end of the subject field.

Here are a few...

Samir_Patil | 08 Feb 2012 17:17:38 GMT

Thanks to Anand Muralidharan for their assistance with this research.

Televison channels across the world are set to be at the 14th International Exhibition and Forum, World Content Show, held Feb 7- 9, 2012, in Russia. The exhibition showcases the latest technologies and trends in the TV and telecommunication industry.

This techno-fair will be attended in large numbers by leading media businesses, and spammers don’t want to miss the opportunity to circulate spam around the event. In a bid to catch the reader’s attention, one such spam email reveals some appealing facts about the event, such as Interactive Elements, Prize Drawings, Performance of Popular Leader/Star, and Colorful Musical Concerts.

Here is an example of this Russian spam observed by Symantec:

Here are the subject...

Samir_Patil | 07 Feb 2012 22:50:40 GMT

At 3 AM, on February 6, 2012, Symantec Security Response observed spam carrying malicious links which target the upcoming tax season. The spam volume spiked between 6 AM and 1 PM, identifying over 200 unique URLs which lead to a Blackhole toolkit.

A Blackhole toolkit compromises the machine by targeting various vulnerabilities on the victim's machine. Symantec protects our customers with multiple-layer protection of antispam, antivirus, and IPS signatures. The payload downloaded from the malicious website is detected as Trojan.Zbot, for instance, and IPS detects this web attack as “Web Attack: Blackhole Toolkit Website 14” and “...

Mayur Kulkarni | 01 Feb 2012 01:13:10 GMT

Nothing can be more enticing than to be chosen for some free goodies—be it mementos, a cash prize, or a ticket to watch a game. It gets even more interesting if you are from a cricket crazy continent and suddenly, out of the blue, you receive an email saying that you are “the chosen one”!

What would you do? At first thought you would pounce on the opportunity, like a jungle tiger does its prey. But hang on a second! What you might be thinking is an opportunity of a lifetime, sadly, is just the opposite. Let me put it bluntly: if you have received such an email, you are "the chosen prey”. And if you decide to reply to it, then you could be in for some big trouble!

Millions of people get scammed every day with such fantastic offers. The sad part of the story is that many get plundered in this game. Scammers put in a lot of planning before sending out such emails. Upcoming events are focused upon, strategies are formalized, and...

Sammy Chu | 30 Jan 2012 20:08:01 GMT

Malware is often embedded in email as compressed attachments (such as .zip, .rar, etc.). Recently, however, Symantec has noticed an increase in malicious email attacks with .htm (HTML) attachments.

Here is what the message looks like in your inbox:

The attack contains a .htm attachment and obfuscated JavaScript is embedded in the coding of the file. The purpose of the JavaScript is to redirect your internet browser to a malware-hosting site in Russia which contains Trojan.Pidief and Trojan.Swifi.

Malicious JavaScript, when injected into an HTML file, can:

  • Exploit browser and plugin vulnerabilities to run arbitrary code
  • Display fake antivirus scans and other fraudulent...