Security Response
Showing posts tagged with Spam
Vivian Ho | 08 Apr 2009 21:33:07 GMT | 0 comments

While everyone is still in shock from Monday's 6.3-magnitude quake in Italy, spammers are unfortunately capitalizing on this event.

Not long ago, we monitored an inbox burst with fake news headlines focusing on Hollywood celebrities, popular politicians and current events, which spread malware through attachments.

Sample subject lines were:

  • “Britney Spears Overdose”
  • “Lindsay Lohan crashes brand new Lamborghini”
  • “Beijing Olympics cancelled upon the death of China's president”
  • “Obama bows out of presidential race.”

Sample headers and body text:

Sample 1

attachment filename= "never.exe"
From: <xxxxxxxxxx@xxxxxxxxx.xxxx>
Subject: URG

President Bush DEAD! Read attached file!

Sample 2

Dermot Harnett | 08 Apr 2009 21:04:26 GMT | 0 comments

The effects of the shutdown of the McColo Web-hosting company in November 2008 continue to ripple through the spam landscape. While spam levels have yet to reach the highs recorded before McColo was shut down, spam volumes are gradually creeping back up and are at approximately 91 percent of their pre-McColo shutdown levels.
A recent review of spam zombie activity shows that the EMEA region continues to be the leading source of all zombie IP addresses, hosting 45 percent of active zombie computers in March 2009. Brazil, however, at 14 percent owns the dubious honor of being the number one host country for active zombie machines. The distribution of top-level domains (TLDs) in spam URLs also continues to be interesting as the .cn TLD retains its “silver medal” position—34 percent of URLs contain this TLD. The United States (28%) and Brazil (9%) retain their positions as the predominant regions of spam origin. It is also notable that spam continues...

Mayur Kulkarni | 02 Apr 2009 22:41:33 GMT | 0 comments

April Fools’ Day was noted as the expansion date of the Conficker worm, with the possibility of a major threat launch. We have found spam samples attempting to capitalize on the frenzy over Conficker (a.k.a. Downadup), offering the latest in antivirus security software that purportedly protects users from the Conficker threat. Some of these spam messages even use names and images of software much like our own Norton AntiVirus 2009. In the example below, it even mentions the name of one of our Symantec employees frequently cited in the press.

Here is the sample image of the message:

In an attempt to increase financial gain, the product website is made to look like the product is one of our Norton...

Mayur Kulkarni | 02 Apr 2009 12:09:19 GMT | 0 comments

In the past, spoofed news alerts have been used to carry malicious links or attachments. Spammers tap into the curiosity of the reader and attempt to trick them into clicking bad links or opening harmful attachments. This often results in the infection of a victim’s machine, unless it is properly protected by an updated antivirus program and firewall. We are currently monitoring spam attacks that employ the spoofed news alert approach, but contrary to the malicious approach, the news alert spam doesn't contain any URLs or attachments.

With these types of spam attempts, we try to isolate the reasons for such attempts and consider the possible outcomes for spammers using this approach. When we look at the received lines in these messages, we find them originating from diverse geographical locations, suggesting that this may be a botnet attack. So then, why are these messages sent? It may be because the spammers want to confirm the validity of a recipient’s email...

Mayur Kulkarni | 02 Apr 2009 11:45:23 GMT | 0 comments

Spammers have recently adopted a different strategy to lure users into viewing their messages and clicking the links inside them. Typically, spam messages attempt to lure unsuspecting users with an email using a linked phrase, such as “Click this website to know more” or “Open this website to check.” We are monitoring a new approach in attempting to draw in readers to open these links. The hyperlinked text will say something like:

  • Read my blog to learn how I did it
  • Just check out <NAME>’s Blog to find out how he did it
  • Read about it on my blog

It’s common for the subject line of these emails, as well as the sender line, to make reference to some blog. These instances can lure users to open the message, and further check the so-called blog by clicking the embedded URL. However, the links actually redirect to Web pages selling health-related products or money-making...

Takako Yoshida | 31 Mar 2009 18:04:42 GMT | 0 comments

From bank accounts to credit card numbers, personal information is at high risk as spammers are very fond of gathering data that will sell on the underground economy. Therefore, users are advised to be cautious and not expose their information (i.e. don’t submit personal details to questionable sites). So, what would you say if there is a service that protects your personal identification, such as a Social Security number? Would you be interested and want to find out more details? The answer should be “NO” if this offer is from a spammer.

Symantec has recently observed a message that appears to be a direct service promotion from an identity theft protection company, claiming that they can keep Social Security numbers away from risk:

The spam message is attempting to collect personal information,...

Dermot Harnett | 31 Mar 2009 17:00:28 GMT | 0 comments

If you are a resident of the United States and haven’t already filed your tax returns, maybe you should consider reading the following blog post. The countdown to “tax day” (April 15 in the United States) is currently in full swing, with the IRS offering daily tips for filing.

The run-up to tax day in the United States has traditionally become a time when phishing directed towards the IRS becomes more prevalent. As reported in previous Symantec State of Spam reports, spammers continue to attempt to disguise themselves as the IRS, dangling tax refund offers in front of unsuspecting users.

These “offers” are aimed towards recipients who may be unaware that the IRS “does not initiate communication with taxpayers through email.” The purpose of...

Francisco Pardo | 31 Mar 2009 11:55:53 GMT | 0 comments

During hard economic times, people look for ways to save money. Spending money on necessities such as tax preparation is no exception. Recently, spammers have been offering ways to save money on tax preparation as a means to enter a user’s inbox.
Below are some examples of subject lines spammers are using to lure users into opening messages:


  • File Your Returns Now!
  • TaxAct Online Home of the Totally Free federal tax return.
  • Prepare Free Print Free IRS e-file FREE
  • Click the link below to start your tax return

These messages are not just limited to taxpayers in the United States. Since spammers are part of international underground corporations, other countries fall victim to spammers’ tactics as well. Our technicians have monitored emails directed to the people of France using the same principle. Here is an example:


Mayur Kulkarni | 24 Mar 2009 22:04:33 GMT | 0 comments

It seems malicious attacks on job seekers were not enough. We are now seeing MMF (Make Money Fast) spam also stepping up to exploit the financial situation. Recent spam related to the recession included fake job offers as well as rejections. Some of the spam offered to help recipients out of the recession by making available financial help within 24 hours or less, without considering their credit ratings.

We will discuss MMF spam in this blog - one of the categories which targets users hit by the recession. This particular technique includes spammers sending plain text e-mails with phone numbers inside the message, enticing the recipients to call and earn easy money. This may not be a new spamming method; however, it is the dire situation that spammers are cashing in on. Some of the subjects related to ‘recession’ include:


Takako Yoshida | 24 Mar 2009 20:55:43 GMT | 0 comments

As the Internet community continues to pay more attention to the reputation of websites and email senders, spammers are doing their best to hide behind well-established and reputable brands. Social networking sites have for some time now been used by spammers in the spam war. As more and more people become connected through social networking sites, it is not unusual to receive notifications of status updates or sharing information from your friends. Symantec has recently observed a number of spam attacks claiming to be messages from various social networking sites.

One recent sample attempted to attract the attention of the recipient by using the following tactics:
1. Claiming to be from a social networking site
2. Indicating in the Subject line that the message was from a social networking site
3. The message indicated that the recipient had a personal message.