Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Spam
Showing posts in English
Zulfikar Ramzan | 20 Aug 2009 09:21:51 GMT

Recently, Twitter implemented technology to help stem the threat of malicious URLs being propagated though its service. This approach seems to be a great effort on the part of Twitter to prevent attackers from tweeting malicious links.

It appears as if the tool is filtering tweets and comparing any embedded URL to their list of known malicious sites. Trying to determine whether a URL points to a malicious website in a large-scale automated fashion, especially in today’s threat landscape, is a challenging problem. From my perspective, there are a few issues that need to be worked out. Twitter is likely in the nascent stages of addressing these types of issues and we expect they will try to overcome the associated limitations.

To date we've only seen a relatively small number of attack attempts involving malicious URLs on Twitter. URL-shortening services are often at the heart of these types of attacks as bad guys try to take advantage of the system to disguise...

Suyog Sainkar | 19 Aug 2009 23:23:05 GMT

The fraudsters are constantly coming up with innovative ways to deceive innocent users of the Internet. Symantec recently observed an increase in phishing attacks facilitated by spam email messages that are targeted towards a popular email client application. The spam message requests the intended victims to re-configure the email client application by clicking on the link provided in the email. The phishing spam messages previously in circulation had a malicious file attached as a setup for the bogus update.

imagebrowser image

The recent spam email messages, in an attempt to make appear legitimate, also provide a contact number for any queries regarding the update:

“If you have received this message in error, please notify us immediately by calling (310) xxx-6428 and destroy the related message.”

The spam emails have bogus From and Subject headers such as (but not...

Mayur Kulkarni | 14 Aug 2009 23:20:15 GMT

Recently, we reported how HTML attachments were being used in various spam campaigns such as phishing attacks, email harvesting attacks, and 419 scams. Spammers have included a few more file formats, again in an attempt to escape anti-spam filters. As experienced previously with HTML attachments, these new file formats are also getting used in several different spam categories.

In the first example, we discuss the MHT file format attached with phishing emails. When a Web page is saved as a Web archive in Internet Explorer, it gets saved to a Multipurpose Internet Mail Extension HTML format with an MHT extension. Further information can be found here. An attached MHT file works similar to an HTML file and opens a legitimate-looking Web page. This Web page looks exactly like a legitimate bank page, asking for...

Samir_Patil | 13 Aug 2009 21:36:06 GMT

Players and sports fans around the globe are already warming up for some of the major tournaments like EPL, Champions League, and the MLB World Series. Various national soccer leagues across Europe, including the famous EPL and Champions League, are kicking off in August. In the United States, baseball fans are eagerly waiting for the MLB World Series, which is scheduled in October.

During this season spammers are racing to reach millions of mailboxes with fake product promotions and fraudulent content. Recently we’ve come across product offer spam linked to the upcoming busy sports season.

In this particular scam message, spammers are seeking football players’ profiles. Below is an example of a scam message along with headers:

imagebrowser image

This is not the first time we have monitored scam messages targeting football players. Spammers employ these old spam techniques...

Sammy Chu | 12 Aug 2009 22:46:10 GMT

Have you received email messages in the last several weeks with several random words in the subject line, and a random sentence in the message body? If your answer is yes, then you are one of the victims of the ongoing directory harvesting attack (DHA) by spammers. 

The purpose of a DHA is to find valid email addresses on a domain for future spam attacks. During a DHA attack, any addresses for which the recipient’s email server accepts email are considered valid and will be added to the spammer’s address database to include in future spam attacks.   

For example: 

Sample #1:

Subject: land

Those journalists showed them a photograph.

Sample #2:

Subject: okay then

They told her the...

Vivian Ho | 10 Aug 2009 23:08:13 GMT

The traditional Chinese Father’s Day is set on August 8—coming from “8/8”, which is pronounced “Pa-Pa” in Chinese. Spammers are offering us a wide array of gift selections, including high tech products, luxury wallets and watches for our hard working dads.

Spammers have a detailed catalog of items and are giving potential buyers a one-year warranty on replica products. They are also offering a special promotion, giving a first time buyer discount on a mass-mailing service.

In the sample below, the spammer claims they are a legitimate shopping site for luxury items:

From: "xxxxxxxx代購網" <xxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxxxx>



From: "xxxxxxxxshopping network" <xxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxxxx>

Subject: Pick up a nice gift for your hard working dad.


Mayur Kulkarni | 07 Aug 2009 22:59:15 GMT

In recent months, we have observed different types of legitimate newsletter templates used in pharmacy spam attacks. In order to get users to open these email messages, spammers need to ensure that the subject line (entry point) is always enticing and that the content looks legitimate. So much so that a user may open these emails right away without confirming the sender information.

We start with "discount special" subject lines. These lines are constructed using different combinations of words such as pharmacy, men, health, dear, and sale. These words are usually followed with some discount value (always more than 70 percent). The latest inclusion to the list is one that ends with a country name such as United States, Bulgaria, or Columbia. We have provided some examples of subject lines made with these words (the positions of the words change):

Dear [email address] [date and time with time zone] 80% 0FF on [pharmaceutical company].
RE: Pharmacy...

Vivian Ho | 07 Aug 2009 22:43:58 GMT

Based on the lack of coverage in recent weeks, some people may think that the swine flu epidemic has slowed down for a while. However, there have been many reports of deaths caused by swine flu in different countries around the world in the past couple of weeks. The general public is continuing to monitor news of this disease very closely.

Spammers have been swiftly capitalizing on the fear of a pandemic in the fraudulent email they have been sending. We observed spam disguised as if it was sent from a public health agency or media outlet. The spammers are sending viruses embedded in links in the message body, such as in the example below. Users are redirected to the file “information.PDF.exe” if they are enticed to attempt the download of the image. Symantec has detected information.PDF.exe as Downloader.

From: "Ministério da Saúde" <...

Vivian Ho | 06 Aug 2009 22:10:21 GMT

We’ve observed spam disguised as a legitimate Taiwanese commercial bank sending out credit card promotion email messages that are embedded with an .swf virus link. In this particular attack, recipients are able to see the bank’s image at the top of the email message and promotion notes at the bottom. There is also a large blank space within the promotion message that is designed to make you believe that the credit card promotion content has been lost in transit. Recipients are then instructed to click on the link in case of page display error issues.

This attack is found to be a dictionary/domain attack. Symantec detects the “blog.html” link in the spam email as Trojan.Malscript!html. The blog.html link contains shellcode in the form of a file named sploit.swf, which exploits Adobe AVM2 Scope Stack Corruption Vulnerability (...

Dermot Harnett | 06 Aug 2009 01:39:54 GMT

While overall spam volumes averaged 89 percent of all email messages in July 2009, spam volumes continue to fluctuate. During July 2009 image spam continued to have an impact, reaching 17 percent of all spam during one point in July. Health spam decreased by 17 percent, while product and 419 spam both saw increases of eight and three percent, respectively, month over month. Similar to tabloid magazines, spammers continue to have a fascination about certain celebrities such as President Obama, Michael Jackson, and Emma Watson (from the Harry Potter franchise)—they all featured in spam attacks in July 2009.
Click here to download the August 2009 State of Spam Report, which highlights the following trends:
·         Spammer’s Opinion Poll: President Obama and Michael Jackson...