Security Response
Showing posts tagged with Spam
Vivian Ho | 10 Aug 2009 23:08:13 GMT

The traditional Chinese Father’s Day is set on August 8—coming from “8/8”, which is pronounced “Pa-Pa” in Chinese. Spammers are offering us a wide array of gift selections, including high tech products, luxury wallets and watches for our hard working dads.

Spammers have a detailed catalog of items and are giving potential buyers a one-year warranty on replica products. They are also offering a special promotion, giving a first time buyer discount on a mass-mailing service.

In the sample below, the spammer claims they are a legitimate shopping site for luxury items:

From: "xxxxxxxx代購網" <xxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxxxx>



From: "xxxxxxxxshopping network" <xxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxxxx>

Subject: Pick up a nice gift for your hard working dad.


Mayur Kulkarni | 07 Aug 2009 22:59:15 GMT

In recent months, we have observed different types of legitimate newsletter templates used in pharmacy spam attacks. In order to get users to open these email messages, spammers need to ensure that the subject line (entry point) is always enticing and that the content looks legitimate. So much so that a user may open these emails right away without confirming the sender information.

We start with "discount special" subject lines. These lines are constructed using different combinations of words such as pharmacy, men, health, dear, and sale. These words are usually followed with some discount value (always more than 70 percent). The latest inclusion to the list is one that ends with a country name such as United States, Bulgaria, or Colombia. We have provided some examples of subject lines made with these words (the positions of the words change):

Dear [email address] [date and time with time zone] 80% 0FF on [pharmaceutical company].
RE: Pharmacy...

Vivian Ho | 07 Aug 2009 22:43:58 GMT

Based on the lack of coverage in recent weeks, some people may think that the swine flu epidemic has slowed down for a while. However, there have been many reports of deaths caused by swine flu in different countries around the world in the past couple of weeks. The general public is continuing to monitor news of this disease very closely.

Spammers have been swiftly capitalizing on the fear of a pandemic in the fraudulent email they have been sending. We observed spam disguised as if it was sent from a public health agency or media outlet. The spammers are sending viruses embedded in links in the message body, such as in the example below. Users are redirected to the file “information.PDF.exe” if they are enticed to attempt the download of the image. Symantec has detected information.PDF.exe as Downloader.

From: "Ministério da Saúde" <...

Vivian Ho | 06 Aug 2009 22:10:21 GMT

We’ve observed spam disguised as a legitimate Taiwanese commercial bank sending out credit card promotion email messages that are embedded with an .swf virus link. In this particular attack, recipients are able to see the bank’s image at the top of the email message and promotion notes at the bottom. There is also a large blank space within the promotion message that is designed to make you believe that the credit card promotion content has been lost in transit. Recipients are then instructed to click on the link in case of page display error issues.

This attack is found to be a dictionary/domain attack. Symantec detects the “blog.html” link in the spam email as Trojan.Malscript!html. The blog.html link contains shellcode in the form of a file named sploit.swf, which exploits Adobe AVM2 Scope Stack Corruption Vulnerability (...

Dermot Harnett | 06 Aug 2009 01:39:54 GMT

While overall spam volumes averaged 89 percent of all email messages in July 2009, spam volumes continue to fluctuate. During July 2009 image spam continued to have an impact, reaching 17 percent of all spam during one point in July. Health spam decreased by 17 percent, while product and 419 spam both saw increases of eight and three percent, respectively, month over month. Similar to tabloid magazines, spammers continue to have a fascination about certain celebrities such as President Obama, Michael Jackson, and Emma Watson (from the Harry Potter franchise)—they all featured in spam attacks in July 2009.
Click here to download the August 2009 State of Spam Report, which highlights the following trends:
· Spammer’s Opinion Poll: President Obama and Michael Jackson...

Vivian Ho | 29 Jul 2009 16:48:10 GMT

We have recently observed Chinese spammers selling personal account cracking software. This is not a typical pirated software promotion, because it already violates privacy law. The observed email promises to teach and help users to break into others’ accounts such as MSN or Yahoo instant messaging client accounts, email accounts, and all popular social networking accounts.

Sample Header:

From: false <xxxxxxxxxx@xxxxxxxx.xxxxxx>
Subject: ∴帳密破解諮詢∴

Subject: ∴Accounts cracking consultation service∴


Body Translation:

Professional Accounts cracking consultation service

Services including crack yahoo, msn,...

Mayur Kulkarni | 29 Jul 2009 12:32:06 GMT

Ever dreamt of owning devices that would let you roll like a secret agent from spy movies? Why not? Spammers are offering a solution—not a spy bug to be attached to a phone, but software that once installed on the target phone sends back information on all of the calls, including messages originating from one phone to another.

This proposition offers the option of peeping into someone’s phone to obtain desired information. The spammer claims that the surveillance functions of the target phone (after being installed) can be used to obtain valuable information from people such as your girlfriend, manager, key employees, business partners, etc. The scammers promote that you can track valuable information, which can be compiled by listening to outgoing calls, receiving copies of incoming and outgoing SMS messages, and tracking precise locations of the phone device using GPS satellites.

However, this miraculous spy device requires a few steps in order to begin use...

Samir_Patil | 27 Jul 2009 20:13:44 GMT

As excited as I was prior to the release of the sixth film of the Harry Potter series, it proved to be fairly disappointing in terms of the number of spam messages spawned using the book/film title. The latest film, “Harry Potter and the Half-Blood Prince,” was released worldwide on July 15.

We monitored the probe network traffic over the past couple of weeks to track the prevalence and volume of Harry Potter related spam. However, it seems that spammers are less passionate about the idea of using the magic of this tale for their spam campaigns. The recent Harry Potter-related spam that we did see arrived as either Nigerian scams or health-type spam.

One scam message is disguised as an online lottery winning notification. In this fake and non-existent lottery, the name “Potter” is misspelled as “Porter.” Interestingly, the scammer used J. K. Rowling as the name for the online lottery—Rowling is the author of Harry Potter...

Samir_Patil | 27 Jul 2009 19:37:06 GMT

How close can they get to you? So close that they can actually talk to you, no matter where in the world they are located? Nigerian 419 scams are not new and have been a nuisance to email users for years. Traditionally, Nigerian scammers have reached out to email users through text-based emails, Word documents, PDF documents, and are increasingly targeting social networking sites. However, all of these techniques have one thing in common—rubbish stories of a huge money inheritance, kinship, and financial assistance that is communicated via typed messages.

Spammers are constantly in search of techniques that will allow them to reach users’ inboxes by beating anti-spam filters. Any deceit used is fair game for them. Recently, we noticed one such technique used by spammers to make their way into users’ inboxes exploiting VoIP (voice over IP) services. The spammers are creating fake accounts on sites providing VoIP services and then, using these fake...

Mayur Kulkarni | 23 Jul 2009 19:21:46 GMT

Over the last few months we have been keeping you informed about a rise in the category of image spam. This was mentioned in our April and June 2009 blogs on the topic, which specifically concentrated on how an old spamming method (image spam) is being reintroduced on a wider scale. Spammers have now shifted their focus from image spam attacks to obfuscated URL attacks—again, an old spamming technique. This type of obfuscation includes inserting white spaces and special symbols into the URL string to evade anti-spam filters. For image spam attacks, we have observed lines relating to intimacy in the subject header:


Later, we witnessed the same pattern again being used with the obfuscated URL attacks. We can...