Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Spam
Showing posts in English
Spammers Take Advantage of Unicode Normalization to Hide URLs
Francisco Pardo | 03 Aug 2011 19:09:31 GMT | 0 comments

by Francisco Pardo and Nick Johnston

Spammers are never idle when it comes to finding new ways to bypass mail filters—after all, this is crucial to a spammer's success. Recently, we've seen a low but steady number of spam messages in which spammers are replacing certain characters in URLs (which point to spam sites) with Unicode characters that look similar or identical. This is yet another way of obfuscating URLs in an attempt to make it more difficult to analyze them.

To understand how this technique works, a bit of knowledge of the Unicode standard is helpful. As well as specifying a large repertoire of characters, Unicode also provides normalization rules for converting similar and/or equivalent characters to a single form. For example, under various Unicode normalization forms, an encircled number is considered equivalent to the corresponding ordinary number. This latest spammer-led URL obfuscation technique relies on the HTML-rendering...

Read more
Infostealer.Bancos: The Application's Digital Signature Cannot be Verified
Rodrigo Calvo | 28 Jul 2011 14:46:08 GMT | 0 comments

The application's digital signature cannot be verified. Do you want to run the application?

By: Rodrigo Calvo, CISSP
      Sebastian Brenner, CISSP

Infostealer.Bancos is a detection name used by Symantec to identify particular malicious software programs that gather confidential financial information from compromised computers. It first appeared in the summer of 2003 and targeted mainly Brazilian banks. Initially, these Trojans targeted one particular financial institution per variant. However, this method was not always successful. Therefore, in order to increase the success rate, the malware authors began targeting multiple financial institutions per variant. As such, Infostealer.Bancos branched out to include other Latin American banks.

The Old Trick: Social Engineering

Recently, we have received alerts from customers in Latin America regarding email messages containing suspicious...

Read more
Spammers Leverage Amy Winehouse’s Death to Send Virus
Vivian Ho | 25 Jul 2011 19:45:15 GMT | 0 comments

The five-time Grammy award winner Amy Winehouse was found dead in London on July 23rd. Symantec has already observed spammers who are trying to capitalize on related news headlines by sending out malicious threats less than a day after the news was released.

The two samples given below are examples that we have observed. These Portuguese-language attacks use similar spam techniques. All samples are sent from randomized individual email accounts with various subject lines related to the celebrity’s death in an attempt to lure interested readers to open a malicious URL. Immediately after the link is clicked, a pop-up window is shown, which asks users to download a file that is loosely disguised as an image or video file, for example (anything other than an executable).

The file is given a name that is related to the celebrity, and of course isn’t an image or video file, but a malicious binary. Symantec has detected the threats in these samples as...

Read more
A Look Inside Targeted Email Attacks
Shunichi Imano | 15 Jul 2011 10:31:25 GMT | 0 comments

The number of targeted attacks has increased dramatically in recent years. Major companies, government agencies, and political organizations alike have reported being the target of attacks. The rule of the thumb is, the more sensitive the information that an organization handles, the higher the possibility of becoming a victim of such an attack.

Here, we’ll attempt to provide insight on a number of key questions related to targeted attacks, such as where did the malicious email come from, which particular organizations are being targeted, which domains (spoofed or not) sent the email, what kinds of malicious attachments did the emails contain, etc. Our analysis of the data showed that, on average, targeted email attacks are on the rise:

Figure 1. Targeted attacks trend

Origin

For this analysis, we first looked at the origin of the email...

Read more
Phishing Apple’s iDisk
Mathew Maniyara | 14 Jul 2011 10:10:36 GMT | 0 comments

Apple's MobileMe is a collection of online services and software. Among its various services is a file-hosting service called iDisk. Recently, Symantec has recorded phishing sites that spoofed iDisk’s Web page. The phishing sites were hosted on a free Web-hosting site.

So, what’s in this service that interests phishers? The service is based on a paid subscription, with which files of up to 20 GB can be uploaded and shared. Phishers are looking to gain access to this service for free. This is an example of a phishing attack targeting user information for reasons other than financial gain.

The phishing site prompts the user to enter their password for logging in. (In this case, the user ID was already populated on the phishing page.) After the password is entered, the page redirects to the legitimate Web page of Apple MobileMe with an error message for an invalid...

Read more
Don’t Let Spam Score a Goal in your Mailbox
Carlos Mejia | 11 Jul 2011 14:03:17 GMT | 0 comments

It’s been a week since the 2011 edition of the oldest international soccer tournament in the world began, held this year in Argentina. I’m talking about the Copa America. This event is hosted by a South American country every three or four years during the summertime and lasts almost a month. Some say that this tournament is the American equivalent of the UEFA Euro Cup.

South American families and friends hang out together to enjoy the games, and users look for news and the latest results over the Internet. Just as with other important sporting competitions, Symantec has been observing spammers taking advantage of this event to announce multiple unsolicited offers and discounts that are purportedly linked to the soccer tournament.

The spam sample below invites users to visit a Web page that is offering medical equipment. The site also offers more products and discounts that are valid only during the tournament time.

Translation ...

Read more
Your Google+ Invite May be Spam
Samir_Patil | 06 Jul 2011 12:26:09 GMT | 0 comments

We have recently observed a run of spam that is trying to capitalize on the new social networking platform provided by Google, named Google+. The spam samples are similar to other social network spam messages, which are discussed in one of our previous blogs. Currently, Google is trialing their new venture with limited users; therefore, participation is by invitation only. Hence, it is expected that we’ll see bogus Google+ invites distributed as spam in the wild.

The message in this latest spam campaign looks like a legitimate invite from an already registered user, and it provides an invitation link. However, if one takes even a cursory glance at the URL in the status bar, it shows that the link doesn’t relate to Google in any way.
The headers in the spam samples are as follows:

Subject: Welcome to the Google+ project
From: [removed] (Google+) <[removed...

Read more
The Hitman is Back!
Samir_Patil | 05 Jul 2011 12:29:52 GMT | 0 comments

He was seen several years ago. Now, he is back with the name “Don Gunshot”!

Luring people with promises of huge sums of money in return for bogus favors is the classic method adopted by the Nigerian/419 type of spammers. It is one of the oldest forms of spamming; very rudimentary, yet creatively lethal. This revisited scam tactic uses coercion to force people to pay up or else they will (apparently) face dire consequences. From a lighter point of view, however, it is a bit more humorous than scary.


 
The above email is indeed a perfect example of a scammer trying to blackmail someone they don’t know from Adam. The spammer does not know you, but he pretends to have received blood money to kill you. He blackmails you with threats of dire consequences if you even try to whisper the secrets explained in the mail. Forget the police, and if you dare to try and tell...

Read more
Independence Day Offer: Spam Edition
Suyog Sainkar | 30 Jun 2011 17:31:45 GMT | 0 comments

As most all of us will know, the United States’ Independence Day is on the fourth of July, which is only a few days away. Independence Day is commonly associated with fireworks, parades, barbecues, fairs, ceremonies, get togethers, and various other public and private events celebrating the national holiday. Many people also utilize this time for vacation trips, especially if it’s a long July 4th weekend. However, not everyone goes out of town or participates in special events. Some people actually take advantage of the nice holiday weekend to stay at home and catch up on other activities, which may include shopping. Since sales levels are usually lower during holiday weekends, stores and online shopping sites offer lots of exciting deals. In any case, today’s technology makes it possible to shop online from anywhere—even while on a beach vacation, say!

The spammers, as always, have exploited this likelihood and are distributing spam messages...

Read more
The Rise of Chinese Spam
Sammy Chu | 29 Jun 2011 20:36:34 GMT | 0 comments

With our globalized economy, non-English email between international organizations has become the norm for business communication. However, at the same time, non-English spam is also becoming more and more of a problem for national and international enterprises.

For the past several months, Symantec has noticed an increase for Chinese language spam, as shown in the graphic below:


 
What’s interesting about this increase is the resurfacing of a body-obfuscation technique that is being used by Chinese spammers—the technique is called “invisible text.” What is “invisible text,” exactly? Invisible text is the body text that’s the same color as the background; therefore, it is invisible to the human eye.

Below are some samples that Symantec has observed. The first sample is a typical Chinese seminar (training course) promotion spam...

Read more