
Security Response

Showing posts tagged with Spam
Showing posts in English
Samir_Patil | 09 Sep 2011 21:50:48 GMT | 0 comments

Thanks to Vivek Krishnamurthi for contributing to this blog.

Every sensitive event is an opportunity to exploit. With this motive in the background, it is not surprising to see spammers exploit 9/11.  With the 10th anniversary of the tragedy just a day away, spammers want to make the best use of this emotionally charged environment. 

Here are two examples of scams that Symantec has noticed in recent days that attempt to exploit the emotional scars left by 9/11:
 
Figure 1: First email example exploiting 9/11
 
 
Figure 2: Second email example exploiting 9/11
 
The first sample tries to entice...
Samir_Patil | 07 Sep 2011 00:04:33 GMT | 0 comments

Thanks to Amit Kulkarni for his contributions to this blog.

Since its launch, the Apple iPhone has been on the wish lists of most consumers.  The iPhone 4 has already made an impression in the marketplace, so it is obvious that spammers will make the best of this opportunity.  Symantec observed spam tactics just before the release of iPhone 4 and is expecting an even greater spam volume when iPhone 5 is released to the market.

The next generation of iPhone is expected to hit the market in September and spammers don’t want people to wait until the official release. Below is a sample of spammer hype campaigning to lure people into their trap. As usual, the bait is a survey one has to complete to be eligible to own “this coveted piece of art!”


 
When...

Kevin Haley | 31 Aug 2011 03:12:41 GMT | 0 comments

Famous or infamous, when you make news, the scammers pay attention. While we have come to expect the famous and infamous to show up in malware attacks that use spam and SEO poisoning, we shouldn’t be surprised when scammers leverage the spotlight that current events shine on the infamous. As Samir Patil blogged on Monday, the Gaddafi family is showing up in 419 scams. After all, few of us know a real Nigerian prince, but most of us have heard of Gaddafi, know he is in a bit of trouble, and might have the resources to buy his way out of trouble.

I can’t predict how events in Libya will end for the Gaddafi family. But I do predict that they will become very popular not only in 419 scams, but in a variation called the inheritance con.

Like the 419/Spanish prison scam, the inheritance con goes way back. The most famous version is the Drake scam, which started shortly after the...

Samir_Patil | 29 Aug 2011 11:44:45 GMT | 0 comments

Scammers love to feast on human weakness.  This time they aim to exploit human ‘need and greed’ to its optimum best. Using recent news is quite common in spam. For example the Libyan uprising, with its rise and fall of Gaddafi, has left a large vacuum with money that is entrapped in the cross fire.  But logically speaking, a third-party mediator is a necessity here (scammers love to highlight that) and who else could be a better person for that role than YOU? So, act immediately! Don’t waste time; give your lucky stars a chance to shine.

We are monitoring different emails from senders alleging Gaddafi’s wife, daughter, and personal guard are moving huge amounts of money out of Libya. Here are scam samples we came across as soon as Tripoli was captured—camouflaged traps for anyone who would allow him- or herself to be ensnared by greed.

Subject: Cooperation - Please Treat Urgently!
Subject...

Timothy Lee | 24 Aug 2011 07:04:08 GMT | 0 comments

As you sit down and open Outlook to delete yet another “Satisfy her in bed tonight!” solicitation from Angelina Jolie, do you ever wonder if every spam email on earth looks the same? It is true that certain phrases in spam seem to resurface ad nauseam in every language imaginable, such as “replica watch”, “reloj”, and “ologi”. Ultimately, however, just as with customs, food, and clothing, culture and lifestyle dictate people’s behavior and affect how they use computers. Spam works very much like advertising in that it also caters to different groups based on their cultural backgrounds and local trends for maximum scamming benefits. I will highlight an example of spam specific to Asia below to demonstrate how spam from the Far East differs from the typical med and 419 scams seen elsewhere.

Keiba (horse racing) scams

Japan has one of the biggest...

Sammy Chu | 22 Aug 2011 11:12:33 GMT | 0 comments

In the past we have seen malicious attacks pretending to be shipment notifications from various parcel delivery services. Now the New York State DMV has become the latest “brandjacking” victim for a series of malware attacks.

Here is what the fake message looks like:

Ticket-064-211.zip is the name of the malicious attachment, and it is being identified as a variant of Trojan.FakeAV—one of the most prolific risks seen on the Internet today.  Every day, bogus antivirus and security applications are released and pushed to unsuspecting users through a variety of delivery channels. Many of these programs turn out to be clones of each other. They are often created from the same code base, but presented with a different name and look, which is achieved through the use of a "...

Mayur Kulkarni | 22 Aug 2011 10:53:03 GMT | 0 comments

In the past few weeks, we have observed an old spam tactic re-emerging. Spammers are again using news feeds to populate the subject header of spam messages. This technique has been used in the past in the form of directory harvesting attacks to gather valid email addresses. However, these attacks usually lasted for only one or two weeks, perhaps because their goal of collecting email addresses had served its purpose. This time not only is the duration longer, but they have been selective in their news agency—it is only “BBC News” at this time.

Pharmacy-related spam is employing this technique, obviously attempting to get curious readers to open up these emails.  Using different techniques, like interesting news topics in a subject line, may compel users to open a spam email. This indirectly gives spammers a chance to advertise their products and possibly sell them too. In the case of...

Samir_Patil | 10 Aug 2011 23:56:59 GMT | 0 comments

 

Just as they sound, pump-and-dump stocks are promoted (pumped) by their owners in order to inflate the price of the stocks as much as possible so that they may then be sold (dumped) before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. 
 
In a successful campaign, the deluge of spam will help artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to its original low price (which can also be exploited in the market). A well-executed pump-and-dump spam campaign can produce substantial profits for the scammers in a matter of days.
...
Francisco Pardo | 03 Aug 2011 19:09:31 GMT | 0 comments

by Francisco Pardo and Nick Johnston

Spammers are never idle when it comes to finding new ways to bypass mail filters—after all, this is crucial to a spammer's success. Recently, we've seen a low but steady number of spam messages in which spammers are replacing certain characters in URLs (which point to spam sites) with Unicode characters that look similar or identical. This is yet another way of obfuscating URLs in an attempt to make it more difficult to analyze them.

To understand how this technique works, a bit of knowledge of the Unicode standard is helpful. As well as specifying a large repertoire of characters, Unicode also provides normalization rules for converting similar and/or equivalent characters to a single form. For example, under various Unicode normalization forms, an encircled number is considered equivalent to the corresponding ordinary number. This latest spammer-led URL obfuscation technique relies on the HTML-rendering...

Rodrigo Calvo | 28 Jul 2011 14:46:08 GMT | 0 comments

The application's digital signature cannot be verified. Do you want to run the application?

By: Rodrigo Calvo, CISSP
      Sebastian Brenner, CISSP

Infostealer.Bancos is a detection name used by Symantec to identify particular malicious software programs that gather confidential financial information from compromised computers. It first appeared in the summer of 2003 and targeted mainly Brazilian banks. Initially, these Trojans targeted one particular financial institution per variant. However, this method was not always successful. Therefore, in order to increase the success rate, the malware authors began targeting multiple financial institutions per variant. As such, Infostealer.Bancos branched out to include other Latin American banks.

The Old Trick: Social Engineering

Recently, we have received alerts from customers in Latin America regarding email messages containing suspicious...