Security Response
Showing posts tagged with Spam
Jitender Sarda | 04 Dec 2007 08:00:00 GMT | 0 comments

'Tis the season of exchanging greetings, what with Thanksgiving and Xmas rounding out the year's end. Unfortunately, malicious code writers are on the job trying to exploit these occasions by sending out mass spam email greeting cards with attractive and fancy links that serve the purpose of downloading malicious files to a victim's computer.

These eCards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the eCards, which have underlying tricks to try and infect the computer. With the Xmas bells starting to ring, here is the first incidence where Xmas ecards have started doing the rounds. The URL included in the eCards attempts to download "sos385.tmp" file, which is a downloader.

In this particular sample below, the "From:" header alias is displaying an eCard from a well known company; however, it is of course a spoofed header. The spammer has also deliberately inserted the text "(no worm , no...

Jitender Sarda | 28 Nov 2007 08:00:00 GMT | 0 comments

Malicious code writers have always used popular Web brand names to spread malicious code through spam vectors and these days the YouTube brand name is popping up more and more. However, the spoofed URL in this latest scam redirects visitors to dynamic domain names with seemingly unusual top level domains (TLDs), such as .li, .ch, and .es. Last month, spammers used the YouTube brand name in an attempt to spread spam regarding male enhancement pills and get-rich-quick schemes.

The email looks harmless enough, because the “From” header is spoofed to appear as if it's coming from "YouTube Service", which helps it to look like a legitimate invitation. The video's description is enticing and seems innocuous, inviting potential victims to open a shared video file, which is a fake YouTube link. Here is a sample of one of these scam emails:

From: "YouTube Service" service@youtube.com
To: [REMOVED]
Bcc: [...

Kelly Conley | 15 Nov 2007 08:00:00 GMT | 0 comments

We have recently seen a scam purporting to be from the China National Offshore Oil Corporation that makes claims of winning money and a trip to the Beijing Olympics in 2008. The email looks like the usual "Winning Notification" lottery emails that are all too common. However, the twist is that not only do you "win" money, but you also win a trip to the 2008 Olympics. This is the first scam that we have seen that tries to live off the name of the 2008 Olympics in Beijing.

The China National Oil Corporation is currently a hot stock market pick and owns a certain portion of valuable crude oil worldwide. By utilizing this known company to promote a "free" trip to the Olympics the scammer is looking to receive a lot of interest on this offer. And what does the spammer hope to receive in return? Valuable personal information. Here is a sample of one of the spam emails:

From: XXXXXX@hotmail.com
Subject:...

Kelly Conley | 07 Nov 2007 08:00:00 GMT | 0 comments

Presidential spam? Yes, we have seen it. As the race to the White House builds momentum, one spammer is out there endorsing his favorite candidate. While there is no evidence that the spam for this particular candidate originates with the candidate himself, we believe this may be an interesting view into what political spam may look like over the course of the next year as the United States Presidential elections draw nearer. Please have a look at the November State of Spam Report to view samples of this type of spam.

A new tactic during the month of October was the inclusion of MP3 files to promote pump and dump stock spam. This variation of the classic pump-and-dump stock is just the most recent technique being utilized to market these stocks to the masses. A blog was created earlier in the month regarding this novel type spam attack and can be read ...

Kelly Conley | 06 Nov 2007 08:00:00 GMT | 0 comments

Over the past week we have seen some scams purporting to be generating from the IRS. The scams are requesting donations for the wildfires that ravaged the Southern California region last week. A portion of the email is below:

From: Internal Revenue Service<61yu9@irs.gov>
Subject: Help for California Wildfire Victims

Right now California is asking you for help !
If you chose to take part in our program (initiated by IRS & U.S GOVERNMENT)
click on the link below and make a small contribution.
Together we can rebuild California !

BE HUMAN GET INVOLVED ! BE AMERICAN ! CALIFORNIA NEEDS YOUR HELP !

https://www.irs.gov/help/donate.html

This email is not from the IRS. The link redirects to a fraudulent Web site created by scam spammers to steal your money. It is unfortunate...

Jitender Sarda | 02 Nov 2007 07:00:00 GMT | 0 comments

Imagine Google’s search engine being exploited for sending spam URLs. Unbelievable? Believe it!

Google is one of the most widely used search engines on the Web today. To make life easier, it supports a few advanced query words which narrow the scope of a search to a great extent. It appears that spammers have found a way to exploit this facility to direct the end user to a URL advertising their products or services, using Google’s advanced search operators.

Recently, we came across a few offer spam mails which had the following URL in them:
http://www.google.com/search?hl=en&q=inurl:replica%20intext:%22Perfect+cheap+replica+watches+online.%22&btnI=

At first glance, it appeared to be a “Google search results” link and we were expecting it to take us to the search results page. However, when...

Jitender Sarda | 18 Oct 2007 07:00:00 GMT | 0 comments

Pump-and-dump stock spam is a classic example of sophistication and diversity of spam techniques. Recently the pump-and-dump spammers have started using mp3 files as a new method of spreading stock spam.

In the latest observations we’ve seen an mp3 file as an attachment in the body of an email message – without any content – and the subject line usually includes “RE:”, “FW:”, or is sometimes just blank. The “From:” address is usually random. Another feature of this new pump-and-dump stock attack is that the mp3 files have random names, such as the following examples:

"ciara.mp3"
"elvis.mp3"
"crazylady.mp3"
"chrisbrown.mp3"
"jillscott.mp3"
"crush.mp3"

The average file size is approximately 63.3 kb, with the garbled stock tip lasting for about 30 seconds. The audio content sounds something like the below example:

Hello, this is an Investor alert. XXXX Inc. has announced it is ready to launch its new XXXX.com...

Ben Nahorney | 18 Oct 2007 07:00:00 GMT | 0 comments

I was recently reminded of a childhood game my friends and I used to play in the forests near where I grew up. I’d stand near the edge of the tree line, holding a burlap sack, while my friends snuck into the underbrush looking for snipes. You had to be really quiet, see, because those critters would scare easily. You had to have patience too; sometimes you’d be standing there for hours in your snipe-catching crouch. On more than one occasion it seemed my friends got lost in their hunt, and as dusk turned into evening, I’d have to head home empty-handed, before my parents started wondering where I was.

I was a gullible kid.

In much the same way, many people these days are being misled by messages they receive about threats on their computer. But where the worst that came of our snipe-hunting adventures was wariness of what my friends would tell me, believing these messages can...

Kelly Conley | 05 Oct 2007 07:00:00 GMT | 0 comments

Are spammers trying their hand at PDF spam again? Symantec has observed a small comeback of PDF spam in the early days of October. PDF spam volume was observed at about zero percent at the end of September and is currently at around two percent.

In recent days we’ve seen the emergence of one PDF pump-and-dump stock attack of which we have seen over 20,000 messages. This attack consists of highly randomized headers and body. The body contains the text for the stock being promoted followed by randomized text in the ‘Shakespeare’ technique of spamming. This technique is when a spammer takes blocks of texts from existing works and inserts them into the spam message in an attempt to avoid anti-spam filters. A sample of the pump-and-dump stock portion of the message follows:


Fearless International (FRLE) $0.19
Fearless International Inc., a luxury performance boat manufacturer,
has been the focus of the media for the last several months in magazine
such...

Kelly Conley | 03 Oct 2007 07:00:00 GMT | 0 comments

With the housing market taking a continued hit in September, in-boxes also took an increased hit as spammers exploited the recent market slowdown and subsequent interest rate cut by the Federal Reserve in the U.S. As noted in the October State of Spam Report, Symantec has seen a marked increase in spam directed towards homeowners and prospective homeowners offering refinancing, home equity loans, and actual houses. First, the spammer needs to collect personal information from the recipient to evaluate whether they are eligible for an offer. This is information they can turn around and use to their advantage for further spamming.

Image spam levels also showed a continued decrease in September; the October State of Spam Report notes that seven percent of all spam falls into this category. This is a three percent decrease from August....