As you sit down and open Outlook to delete yet another “Satisfy her in bed tonight!” solicitation from Angelina Jolie, do you ever wonder if every spam email on earth looks the same? It is true that certain phrases in spam seems to resurface ad nauseum in every language imaginable, such as “replica watch”, “reloj”, and “ologi”. Ultimately however, just as with customs, food, and clothing, culture and lifestyle dictates people’s behavior and affects how they use computers. Spam works very much like advertising in that it also caters to different groups based on their cultural backgrounds and local trends for maximum scamming benefits. I will highlight an example of spam specific to Asian below to demonstrate how spam from the Far East differs from the typical med and 419 scams seen elsewhere.

Keiba (horse racing) scams

Japan has one of the biggest...

In the past few weeks, we have observed an old spam tactic re-emerging. Spammers are again using news feed to populate the subject header of spam messages. This technique has been used in the past in the form of directory harvesting attacks to gather valid email addresses. However, these attacks usually lasted for only one or two weeks, perhaps because their goal of collecting email addresses had served its purpose. This time not only the duration longer, but they have been selective in their news agency—it is only “BBC News” at this time.

Pharmacy-related spam is employing this technique, obviously attempting to get curious readers to open up these emails.  Using different techniques, like interesting news topics in a subject line, may compel users to open a spam email. This indirectly gives spammers a chance to advertise their products and possibly sell them too. In the case of...

by Francisco Pardo and Nick Johnston

Spammers are never idle when it comes to finding new ways to bypass mail filters—after all, this is crucial to a spammer's success. Recently, we've seen a low but steady number of spam messages in which spammers are replacing certain characters in URLs (which point to spam sites) with Unicode characters that look similar or identical. This is yet another way of obfuscating URLs in an attempt to make it more difficult to analyze them.

To understand how this technique works, a bit of knowledge of the Unicode standard is helpful. As well as specifying a large repertoire of characters, Unicode also provides normalization rules for converting similar and/or equivalent characters to a single form. For example, under various Unicode normalization forms, an encircled number is considered equivalent to the corresponding ordinary number. This latest spammer-led URL obfuscation technique relies on the HTML-rendering...

The five-time Grammy award winner Amy Winehouse was found dead in London on July 23rd. Symantec has already observed spammers who are trying to capitalize on related news headlines by sending out malicious threats less than a day after the news was released.

The two samples given below are examples that we have observed. These Portuguese-language attacks use similar spam techniques. All samples are sent from randomized individual email accounts with various subject lines related to the celebrity’s death in an attempt to lure interested readers to open a malicious URL. Immediately after the link is clicked, a pop-up window is shown, which asks users to download a file that is loosely disguised as an image or video file, for example (anything other than an executable).

The file is given a name that is related to the celebrity, and of course isn’t an image or video file, but a malicious binary. Symantec has detected the threats in these samples as...