Security Response
Showing posts tagged with Spam
Dermot Harnett | 09 Jul 2009 17:08:22 GMT

In early June, Symantec reported that the FTC had worked with others to shut down the Internet service provider Pricewert LLC. While this was a good example of how security professionals can work together in the fight against cybercrime, spam volumes remained at a very high level throughout June, averaging 90 percent of all email messages. The recent passing of Michael Jackson and the subsequent public interest is yet another example of how spammers are willing to use any notable event as a cover to distribute their messages.

Click here to download the July 2009 State of Spam Report, which highlights the following trends:

  • Different Faces of Michael Jackson Spam and Malware
  • Fourth of July Holiday Brings Fireworks and More Spam Campaigns
  • Image Spam Update
  • Mass-Mailing Worm in Fake Twitter...
Eric Park | 08 Jul 2009 22:46:20 GMT

With the soaring popularity of social networking sites, it is no surprise that spammers try to take advantage of them. In the past, spammers would register their own accounts and then send unsolicited messages through the social networking site. By default, the site generated automated email to let the user know that there is a new message. While such notifications are technically legitimate, the user would have most likely considered the messages as spam, due to the unsolicited content. For spammers, this technique had a shortcoming—the message sent to the user was from an unknown person/entity.

Recently, Symantec has observed a rise in a newer technique of social networking site abuse. The below example is a legitimate notification from Facebook that informs the user of a new private message:


As noted above, the message itself is not spam because there really is a...

Eric Park | 08 Jul 2009 21:54:54 GMT

Spammers are always searching for ways to bypass anti-spam filters. While the “text with tables” technique is not new, it is worth noting because it demonstrates spammers’ creativity, as well as their utilization of existing techniques.

When spammers first used table HTML codes, it began as a simple table with various cells filled in with different colors to render what looked like regular text. This basic technique has since evolved into something more complex—spammers are using a table within a table.

In the example below, the spammer first defines an outer table (137 x 43). Then, each row of the outer table itself is defined as a table. These inner tables feature a unique cell length (defined by COLSPAN) and background colors.


Carefully crafted, the above HTML shows this when rendered:


Mayur Kulkarni | 07 Jul 2009 23:08:01 GMT

Spammers seem to believe that they don’t always need to invent new strategies to enter a user’s inbox—they know they can utilize existing tactics with better results. They are now re-using the tactic of attaching HTML files in their spam messages—this time in aid of the 419 spam category. This tactic began with simple phishing attacks, followed by a variation using URL encoding of HTML code, and was also observed in email-harvesting attacks. When we discussed this trend in earlier blogs, we noted that these types of attacks may not be restricted to phishing attacks alone. Actually, we are seeing these attacks extending to other malicious activities.

Presently we are observing 419 spammers making use of HTML attachments in the hopes of reaching a user’s inbox. We have...

Gilou Tenebro | 04 Jul 2009 02:32:02 GMT

W32.Waledac has launched a new spam campaign using a 4th of July theme. Below are some screenshots of sample spam emails with the new theme.


If the unsuspecting user clicks the link in the email, they will be directed to a Web page similar to the following:


The page claims to contain a video of a fireworks show for this year’s 4th of July celebration. However, clicking on the "video" actually leads to a W32.Waledac executable. Watch out for spam containing any of the following strings in the subject and body of the email:

  • Fourth of July Fireworks Shows...

Samir_Patil | 01 Jul 2009 19:29:51 GMT

In the United States, Independence Day is a federal holiday celebrated on July 4 that commemorates the adoption of the Declaration of Independence on July 4, 1776, which declared independence from the Kingdom of Great Britain. The day is typically celebrated with fireworks, parades, barbecues, carnivals, and various other public and private events to remember the history and traditions of the United States.

In order to track the prevalence and volume change of Fourth of July spam, we have been supervising the probe network traffic for this type of spam over the past couple of weeks. Surprisingly, it looks as if spammers are less passionate about spawning Independence Day spam this year. The probable reason for this neutrality could be the spam spike related to the death of pop star Michael Jackson.

In the spam samples that are related to Independence Day, we’ve observed messages inviting users to experience the so-called “best 4th of July fireworks display...

Vivian Ho | 01 Jul 2009 00:04:12 GMT

The Internet has gone wild since Michael Jackson, the “King of Pop,” was reported dead on June 25. Symantec Security Response has already blogged about how we observed spammers trying to capitalize on this event in many ways, both with messages including malware, and scams tied to this talented celebrity’s death. We expect that spam and malware will keep coming in, given Michael Jackson’s popularity and following. Recipients should be extra cautious about messages that appear to be related to Jackson’s death, especially any email that comes from an unknown or unexpected source.

The following are some examples of what we have seen circulating:

Sample 1.1

Spammers hide behind a spoofed message, which appears as a rip-off of a familiar social network notification, in an attempt to try to trick recipients to...

Symantec Security Response | 30 Jun 2009 17:33:08 GMT

Symantec Security Response has discovered a mass-mailing worm using Michael Jackson's death as bait. The worm sends out spam emails with the subject “Remembering Michael Jackson” and an attachment named “Michael songs and” The .zip file contains another file called “MichaelJacksonsongsandpictures.doc.exe,” which is a copy of the worm that is executed on the user’s machine when the file is opened.
Symantec has detection for this worm as W32.Ackantta.F@mm. It is important to keep in mind that W32.Ackantta.F@mm spreads not only through email, but also via removable drives using autorun.inf.
Below is a snapshot of the email that W32.Ackantta.F@mm sends out:


Mayur Kulkarni | 30 Jun 2009 17:08:59 GMT

We know that 419 scammers aren’t the least bit concerned with email headers and will continue using free Webmail services to send spam. However, they recognize the fact that most anti-spam filters are using the body characteristics of scam emails to effectively bar these messages from reaching a user’s inbox. So, they feel they must always change their storyline, as far as the message body is concerned anyway. In recent times, spammers have been regularly using text-based attachments (.rtf, .doc, and .txt) in an attempt to evade anti-spam filters. A new tactic observed is the use of URLs, where the actual message is posted on a free Web-hosting site for the recipient to read.

Here is a snapshot of one of these types of URL spam messages:


As shown in the above example, a URL is added at the end of the message. If a user clicks on the URL, they will see the...

Eric Park | 29 Jun 2009 22:30:00 GMT

A typical phishing email message tries to represent (falsely) a single institution. For example, a spammer sends a phishing message, forging the email to appear as if it’s from a financial institution. The recipient is then asked to enter personal information for some fictional reason (for example, “verify your identity”). In an effort to obtain as much information as possible about the unsuspecting user, the spammer usually asks for more information than what is asked at a legitimate website. While a legitimate site may only ask for username and password, a phishing site usually seeks additional information such as a credit card or PIN number, mother’s maiden name, and/or a social security number. Once the user hits the “submit” button, the private information is sent into the hands of criminals.

Symantec has recently observed a spam message that is pretending to be from HM Revenue & Customs in the United Kingdom. The message is very...