Security Response
Showing posts tagged with Spam
Mayur Kulkarni | 28 Apr 2009 10:21:17 GMT | 0 comments

The swine flu outbreak in Mexico and the United States is making news headlines all over the world, with updates coming out in real time from the Centers for Disease Control and Prevention. The scare has spawned a spamming frenzy, like sharks smelling blood in the water. Symantec has been monitoring the spam and is continuing to analyze the underlying intentions of the associated messages. In the past, such current-event spam campaigns sent malicious messages that lured the email user into clicking malicious links posing as harmless links or related videos. However, this time around it is an email address that the spammers are more interested in collecting—perhaps as part of a harvest for their future campaigns.

One of the samples (shown below) simply informs recipients of the disaster, using linked news headlines from reputable news agencies. Users are asked whether they...

Mayur Kulkarni | 27 Apr 2009 20:18:26 GMT | 0 comments

In an effort to track the prevalence of Mother’s Day spam, we’ve started monitoring recent spam samples and have found that the spammers seem less enthusiastic about Mother’s Day than other events around the world, such as the resurgence of interest in the swine flu. Most of the Mother’s Day-related spam we analyzed consisted of Internet offers providing personalized gifts such as photo frames or jewelry. Others included gift cards, kitchen-related products, and the ever-present weight-loss solutions.





Some of the common subject lines are listed below:


  • Personalized Mothers Day Gifts
  • Mother's Day Gifts
  • This is about Mother's Day next month
  • Microwavable pasta cooker. Mother's Day is near...

Samir_Patil | 20 Apr 2009 18:47:55 GMT | 0 comments

We’ve observed a new malicious spam threat that arrives as an email promoting a free software trial that purportedly can be used to spy on people’s SMS (Short Message Service) messages. The spammers are claiming that this software can be used to snoop around the SMS messages of your partner, or for general SMS spying, and a URL is provided for a download of a 30-day free trial of the software.

Unfortunately, the URL leads a user to download an executable file that goes by different names, such as sms.exe, smstrap.exe, and freetrial.exe—all of which are nothing but pieces of malicious code. Symantec security products identify the particular malware served up in this attack as W32.Waledac.

As is common in spam, these messages target human emotions such as fear, jealousy, and suspicion to spread the malware. But, as always,...

Samir_Patil | 15 Apr 2009 19:33:33 GMT | 0 comments

Many anti-spam techniques work by searching for patterns in the header or body of the email message and creating signatures for them. To bypass these filters, the spammer intentionally introduces obfuscation by misspelling certain keywords, inserting random lines, or adding invisible words in the message.

Recently, Symantec has observed dating- and health-related spam messages where the URLs of well-known brands are used to obfuscate the message. The spammer has added URLs varying in number—from 5 to 15 in a single message. These URLs are invisible, since the font color of the URLs is the same color as the background of the message. These URLs are actually the “postmaster information” Web page or a “news” Web page of reputable companies.

Some of the subject lines and legitimate URLs found in the samples are as follows:

Subject: Good Day To You
Subject: OMG your hot we should chat!
Subject: Hey whats up wanna chat?

<a href...

Vivian Ho | 14 Apr 2009 20:09:32 GMT | 0 comments

Happy Easter! Are you really blessed? Spammers always have favorite holidays. And while they couldn’t join your family for an egg hunt this year, they didn’t forget to send their greetings during Easter week. During the past week we observed fraudulent e-card notifications spoofing a well known Internet e-card service site.

The message contains legitimate From: and Subject: lines, along with a heart-warming Easter message to make up the body content. Spammers used a legitimate-looking pick up notification hyperlink to lure the recipient to click it. However, a PHP URL is embedded into HTML, which actually links users to another URL where malicious code may be downloaded onto their system.

This is a typical spam tactic, but recipients should still be aware of it during this post-holiday season, since the scam still exists. We urge recipients to be aware of this type of greeting to avoid vicious attacks. Most importantly, do not open emails with suspicious...

Mayur Kulkarni | 08 Apr 2009 21:46:41 GMT | 0 comments

When trying to solve difficult problems, people examine different approaches and strategies. This includes applying known techniques or variations to deliver favorable results. Though variations can be interesting, using a known method has a better chance of getting results. Spammers are no exception: they are again trying their hand with image spam, seeking an opportunity to catch some anti-spam filters off-guard and sneak through to reach a user’s inbox.

During the last couple of weeks, we have observed an increase in the use of images, especially with health-related spam. As seen in the past, we also see different obfuscation techniques being used. This includes adding noise to the image to avoid detection of similar images. Along with images, random text in the message is also observed, again in an attempt to bypass the filters. Currently, we don’t see this old technique of using images interfering with anti-spam effectiveness.


Vivian Ho | 08 Apr 2009 21:33:07 GMT | 0 comments

While everyone is still in shock from Monday's 6.3-magnitude quake in Italy, spammers are unfortunately capitalizing on this event.

Not long ago, we monitored an inbox burst of fake news headlines focusing on Hollywood celebrities, popular politicians and current events, which spread malware through attachments.

Sample subject lines were:

  • “Britney Spears Overdose”
  • “Lindsay Lohan crashes brand new Lamborghini”
  • “Beijing Olympics cancelled upon the death of China's president”
  • “Obama bows out of presidential race.”

Sample headers and body text:

Sample 1

attachment filename= "never.exe"
From: <xxxxxxxxxx@xxxxxxxxx.xxxx>
Subject: URG

President Bush DEAD! Read attached file!

Sample 2

Dermot Harnett | 08 Apr 2009 21:04:26 GMT | 0 comments

The effects of the shutdown of the McColo Web-hosting company in November 2008 continue to ripple through the spam landscape. While spam levels have yet to reach the highs recorded before McColo was shut down, spam volumes are gradually creeping back up and are at approximately 91 percent of their pre-McColo shutdown levels.

A recent review of spam zombie activity shows that the EMEA region continues to be the leading source of all zombie IP addresses, hosting 45 percent of active zombie computers in March 2009. Brazil, however, at 14 percent owns the dubious honor of being the number one host country for active zombie machines. The distribution of top-level domains (TLDs) in spam URLs also continues to be interesting as the .cn TLD retains its “silver medal” position—34 percent of URLs contain this TLD. The United States (28%) and Brazil (9%) retain their positions as the predominant regions of spam origin. It is also notable that spam continues...

Mayur Kulkarni | 02 Apr 2009 22:41:33 GMT | 0 comments

April Fools’ Day was noted as the expansion date of the Conficker worm, with the possibility of a major threat launch. We have found spam samples attempting to capitalize on the frenzy over Conficker (a.k.a. Downadup), offering the latest in antivirus security software that purportedly protects users from the Conficker threat. Some of these spam messages even use names and images of software much like our own Norton AntiVirus 2009. In the example below, it even mentions the name of one of our Symantec employees frequently cited in the press.

Here is the sample image of the message:





In an attempt to increase financial gain, the product...

Mayur Kulkarni | 02 Apr 2009 12:09:19 GMT | 0 comments

In the past, spoofed news alerts have been used to carry malicious links or attachments. Spammers tap into the curiosity of the reader and attempt to trick them into clicking bad links or opening harmful attachments. This often results in the infection of a victim’s machine, unless it is properly protected by an updated antivirus program and firewall. We are currently monitoring spam attacks that employ the spoofed news alert approach, but contrary to the malicious approach, the news alert spam doesn't contain any URLs or attachments.

With these types of spam attempts, we try to isolate the reasons for such attempts and consider the possible outcomes for spammers using this approach. When we look at the received lines in these messages, we find them originating from diverse geographical locations, suggesting that this may be a botnet attack. So then, why are these messages sent? It may be because the spammers want to confirm the validity of a recipient’s email...