Security Response
Showing posts tagged with Spam
Mayur Kulkarni | 18 Dec 2008 15:31:21 GMT | 0 comments

Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be prone to phishing attacks against unsuspecting users. We have come across messages posing as though they have been sent from a legitimate cancer institute, but with spoofed URLs inside. These spoofed URLs redirect users to fake websites where online donations can be made. When a user enters their email address and password for making payments, an error is shown and they are redirected to the legitimate site. This is common behavior seen with such attacks. The actual intention of these phishing websites is to harvest email addresses and steal confidential information.

Simple preventive measures such as manually typing legitimate URLs directly in the browser can be employed to make your...

Dermot Harnett | 11 Dec 2008 15:13:13 GMT | 0 comments

Webmail phishing was first reported earlier this year, but it has gained a higher profile in recent times. The call to action or general purpose of this attack is to obtain webmail credentials such as passwords and contact list email addresses. A number of different scenarios have been employed by webmail phishers to try and secure this information and have included:

Scenario 1

“We write to bring to your notice that we will be caring out some temporary maintenance on our service due to congestion in all email accounts and we are afraid that during this process email accounts of our customers will be deactivated; but just to avoid your email account from been deactivated and to enable your records remain in our database we advice you provide us with the below information or your email account will be suspended within 48 hours for security reasons.” (sic)

Scenario 2


Dermot Harnett | 09 Dec 2008 21:56:57 GMT | 0 comments

November 2008—what a month! A new U.S. president is elected and spam volumes drop significantly as a hosting company called McColo is shut down. While both these events were generally welcomed, the new President and the antispam community continue to face tough obstacles in the year ahead.

On November 11, 2008, McColo-hosted systems were shut down based on abuse complaints. As a result, spam volumes dropped dramatically across the world. The Symantec probe network saw a 65 percent drop in traffic when compared to the 24 hours before the shutdown. As November drew to a close, Symantec saw that spam volumes have had various upward spikes and are again creeping upwards. These spikes indicate that a return to normal spam activity is in the works. While the profit motive behind spam continues to exist, spammers will regroup to drive new spam campaigns.

While the McColo shutdown may have brought some cheer to email users during this holiday season, spammers...

Mayur Kulkarni | 02 Dec 2008 17:20:03 GMT | 0 comments

India recently suffered a shocking terrorist attack, with hostage situations in Mumbai involving Indian nationals as well as tourists and travelers from all over the world. Updates on the terrorists’ activity are still being followed closely. Sadly, spammers would never want to miss the chance to capitalize on the fast-spreading news of this tragic incident, using the headlines for their fraudulent emails with product advertisements or malicious links/attachments. Symantec has come across spam messages showing news headlines regarding the Mumbai terror, but the content inside is completely unrelated and is advertising pills.


In the past, we have seen similar methods being used, where topical news headlines are used to lure recipients into opening unsolicited emails. Users are advised not to click on links found in such spam emails. Be wary of...

Amanda Grady | 28 Nov 2008 18:17:57 GMT | 0 comments

In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November. 


As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language–a French example is shown below. Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to ensure comprehensive blocking of...

Mayur Kulkarni | 26 Nov 2008 21:15:22 GMT | 0 comments

You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments between banks. In return, the “recipient” is allowed to retain some percentage of the amount transferred. This is a type of scam which involves the illegal activity of money laundering.


Initial English language spam attacks were followed by an Italian version within a space of ten days. The nature of the spam source (source IPs from different geographical locations) indicated that this attack was carried out through spamming bots.

Sample headers in English:

Subject: Vacancy! –cB
Subject: New Proposal! –aAzs

Sample headers in Italian:


Dylan Morss | 24 Nov 2008 23:45:04 GMT | 0 comments

Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about a seven percent increase since McColo was shut down.

In addition to overall spam volumes, the percentage of spam messages containing the text/HTML content type MIME part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown, the overall percentage of spam messages containing the text/HTML content type MIME part was over 55%, but after the takedown the average has been around 34%. This change indicates that a return to normal spam activity could be in the works.

When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML. The spam messages were typical “...

Dermot Harnett | 19 Nov 2008 17:21:14 GMT | 0 comments

January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April “tax day” deadline looms. Unfortunately, this period has also become a time when phishing directed towards the IRS becomes more prevalent. As reported in the Symantec State of Spam report for April 2008, spammers continued to attempt to disguise themselves as the IRS, dangling an offer of a tax refund to unwitting recipients.

Imagine our surprise when we observed a phishing attack using the IRS brand in November—nearly five months before the next deadline for individual taxpayers. This phishing email indicated that the recipient was eligible to receive a tax refund and directed them to a website where the refund would be processed. The fraudulent site, branded with the IRS logo, is being used as a collection tool for credit card and other personal information.

The spam attack could be trying to take advantage of...

Dermot Harnett | 13 Nov 2008 19:59:49 GMT | 0 comments

The recent shutdown of a San Jose-based Web hosting company named McColo appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to hosted systems, based on abuse complaints. One of the results of this action was a quick and dramatic decrease in spam sent worldwide.

The volume change could be measured directly in the Symantec probe network, which saw a 65% drop in traffic when comparing the 24 hours prior to the shutdown to the 24 hours after. It is interesting that shutting down a single hosting company could have such a large impact on overall spam volume, but when you consider that McColo was allegedly hosting a significant number of botnet command-and-control systems, it is not totally surprising. Their IP range has, in the past, been linked with reports of serving up Rustock downloaders and also for...

Dermot Harnett | 13 Nov 2008 15:19:06 GMT | 0 comments

Mark Twain once said, “It’s not the size of the dog in the fight, it’s the size of the fight in the dog.” And, this idea also seems important when considering image spammers. While image spam has not yet regained the dizzying heights of 2007—when 52% of all spam was image spam—in the last seven days, image spam has hit an average of seven percent of all spam messages. As image spam struggles to find its feet within the overall composition of spam messages, another image spam vector has emerged. By analyzing image spam recorded in the last seven days, Symantec notes that over this period:


•    9.7% of image spam had a message size greater than 100kb
•    48% of image spam had an average size of between 10kb-50kb

In the last 24 hours alone, 28% of image spam had an average message size greater than 100kb: