Beginning on New Year's Eve, January 1, 2012 and continuing earlier into the days following, Symantec Intelligence identified spammers taking advantage of the New Year anniversary, seemingly to entice users into clicking on spam links contained in the email messages.
Further investigation revealed that spammers were compromising legitimate Web servers, leaving the main Web site content intact (to avoid or delay detection) and simply adding a simple PHP script, typically named "HappyNewYear.php", "new-year-link.php" or "new-year.link.php". These scripts simply redirect to a spam pharmaceutical Web site.
Analysis of one of the messages we saw using these links makes the spammers' motives clearer, as can be seen in figure 1, below.
Figure 1: Example spam email containing New Year reference in spam URL
The message uses social...