Video Screencast Help
Security Response
Showing posts tagged with Spam
Showing posts in English
Samir_Patil | 02 Sep 2009 19:41:32 GMT

In an attempt to conceal spam messages from anti-spam filters, spammers employ various tactics of ill intent. And for that purpose, spammers use obfuscation and/or spoofing techniques, the misuse of brand names, and many other tactics that make it difficult for content filtering to identify the spam message.

Recently, Symantec observed a spam attack in which homograph spoofing was used so that the spoofed domain name partially or completely resembles the reputable brand domain name. However, before discussing this trend we will first introduce you to terms that may be unfamiliar, such as IDN, Punycode, and homograph spoofing.


An internationalized domain name (IDN) is a domain name that contains one or more non-ASCII characters. Such domain names could contain characters from non-Latin scripts such as Arabic, Chinese, or Devnagari.

The domain “ё” uses “ё”, which is a...

Mayur Kulkarni | 31 Aug 2009 20:41:15 GMT

Last month we wrote about a spam campaign for mobile spying software (possible malware) that snoops on the phone calls and SMS messages of a person of interest. The most advertised service was spying on your loved one to see if they are having an affair. Of course, spying is not going to help a troubled relationship, so spammers are now providing another solution for distressed lovers. They claim to bring excellent results for solving troubles with loved ones—all without even needing to meet the spammer.

This is another ploy to entice recipients to contact the spammer, reminiscent of the examples in one of our May 2009 blog postings. In the current scenario, a clever message has been drafted to lure troubled lovers into a 419-like trap in order to extract personal information. Also, spammers may use personal...

Mayur Kulkarni | 26 Aug 2009 20:08:00 GMT

In our earlier blog posting on obfuscated URL attacks we reported on the transition of image spam attacks to URL-obfuscation attacks, and we also mentioned how resources such as domains and subject lines were being recycled. In this blog post we will be discussing another aspect of the image spam attack, that of message size. We have observed a sudden growth in message sizes during the month of August. Similar jumps in message size were reported on the Symantec Security Response Blogs in November 2008.  

After monitoring the messages during the month of August (so far), we came to the following conclusions:

•    9.3% of image spam had a message size greater than 100kb.
•    14.43 % of image spam had an average size of...

Takako Yoshida | 26 Aug 2009 19:44:39 GMT

In the past, we have seen spammers use election content in their spam campaigns. So, it comes as no surprise to see spam messages with a catchy subject relating to an upcoming political event. We have observed spammers sending out messages instructing recipients on how to “make money fast” with a subject line referring to the upcoming Lower House election in Japan, which will be held on Aug 30, 2009.

A message guides users to a website where it is said that they can obtain free information on how to make money fast with summer horse racing. However, after a recipient enters their email address for registration they will not receive profitable information but instead a message that has a link for a definitive registration to provide personal information. It is unknown whether the recipients will receive free information after providing their personal data.

Although there is no correlation between an election and summer horse racing, spammers lure people to...

Vivian Ho | 26 Aug 2009 00:48:13 GMT

Happy Valentine’s Day! Yes, Chinese love birds get to celebrate twice a year with their loved ones. Chinese Valentine’s Day is set to fall this year on July 7th in the lunar calendar—that’s August 26 on the western calendar.


Chinese spammers have been using eventful holidays in the same way that English and European spammers have in order to spread their wares. We have observed spammers sending dating service advertisements and gift service site promotions for the upcoming Chinese holiday. Below you will find some examples of recent Chinese Valentine spam messages.

Sample 1:

Chinese singles often go to the matchmaker temple and pray for luck in love or marriage. People call this matchmaker god “Yue Lao.” We see spammers using this name in email aliases to promote their dating service for this legendary holiday. The advertisement is simply an inserted dating service link for users to click on in the body...

Robert Vivas | 24 Aug 2009 22:32:14 GMT

Spammers continue to take advantage of the Internet tools and applications Google provides for free. In the past we have encountered spammers abusing Google Group Pages, Google Maps, Google Search, and Google Docs to host spam content. Recently spammers have started using Google Translate. Google Translate is an excellent tool that enables users to translate any text, Web page, or document, and convert the native text to the specified language requested.

With recent medication spam offer attacks, spammers have discovered a way to exploit the use of Google Translate. Here is one example:

  1. Hijacked URL directory space from a legit domain. In this example they used with the directory path to use as a redirect to host the intended spam domain...
Gilou Tenebro | 24 Aug 2009 09:28:21 GMT

In my previous post, I covered Waledac’s bootstrap mechanisms, armoring methods, and some parts of its communication protocol. Today, I will continue to discuss its communication protocol and how it implements its main functionalities through command-and-control (C&C) messages. I will describe its various tasks and commands, how it downloads components or updates, how it constructs its spam, and lastly how it acts as an infostealer.

Types of task messages

As I mentioned last time, W32.Waledac currently uses nine types of task messages. These messages are mainly used by the malware to distribute spam templates or word lists for its spam campaigns, to send...

Zulfikar Ramzan | 20 Aug 2009 09:21:51 GMT

Recently, Twitter implemented technology to help stem the threat of malicious URLs being propagated though its service. This approach seems to be a great effort on the part of Twitter to prevent attackers from tweeting malicious links.

It appears as if the tool is filtering tweets and comparing any embedded URL to their list of known malicious sites. Trying to determine whether a URL points to a malicious website in a large-scale automated fashion, especially in today’s threat landscape, is a challenging problem. From my perspective, there are a few issues that need to be worked out. Twitter is likely in the nascent stages of addressing these types of issues and we expect they will try to overcome the associated limitations.

To date we've only seen a relatively small number of attack attempts involving malicious URLs on Twitter. URL-shortening services are often at the heart of these types of attacks as bad guys try to take advantage of the system to disguise...

Suyog Sainkar | 19 Aug 2009 23:23:05 GMT

The fraudsters are constantly coming up with innovative ways to deceive innocent users of the Internet. Symantec recently observed an increase in phishing attacks facilitated by spam email messages that are targeted towards a popular email client application. The spam message requests the intended victims to re-configure the email client application by clicking on the link provided in the email. The phishing spam messages previously in circulation had a malicious file attached as a setup for the bogus update.

imagebrowser image

The recent spam email messages, in an attempt to make appear legitimate, also provide a contact number for any queries regarding the update:

“If you have received this message in error, please notify us immediately by calling (310) xxx-6428 and destroy the related message.”

The spam emails have bogus From and Subject headers such as (but not...

Mayur Kulkarni | 14 Aug 2009 23:20:15 GMT

Recently, we reported how HTML attachments were being used in various spam campaigns such as phishing attacks, email harvesting attacks, and 419 scams. Spammers have included a few more file formats, again in an attempt to escape anti-spam filters. As experienced previously with HTML attachments, these new file formats are also getting used in several different spam categories.

In the first example, we discuss the MHT file format attached with phishing emails. When a Web page is saved as a Web archive in Internet Explorer, it gets saved to a Multipurpose Internet Mail Extension HTML format with an MHT extension. Further information can be found here. An attached MHT file works similar to an HTML file and opens a legitimate-looking Web page. This Web page looks exactly like a legitimate bank page, asking for...