When we analyzed spam data from the past few years, we observed that holiday seasons spirit up malware spam campaigns using e-cards, video player downloads or ActiveX download attacks. We have found that greeting card or e-card spam are the most common. Due to this reason spammers are employing this technique in other spam campaigns.
When analyzing spam messages from the Symantec Probe Network, we came across an interesting phishing attack where spammers are misrepresenting e-card services.
In this unique phishing attack, a URL for the animated e-card is provided in the message. When the user clicks on this link, an animated video is played in a flash player. Surprisingly, the personal message section is invaded by a typical phishing message.
The greeting card message is shown in the image below:
Scammers based in Nigeria have long been known for using legitimate email formats for spreading infamously fraudulent 419 messages. We have already monitored e-card services, social networking invites, and various other services provided on social networking sites. Yet another example is a calendar service being abused for sending scam messages.
Sadly there is an addition to this list, where the “send link to friend” service is exploited for sending scam messages. Many news websites provide an option to send news links to another person. A text area is also provided to write personalized messages. It is a general tendency of netizens to share important news with friends by forwarding the links along with their comments on the news. In a recent spam attack we monitored a typical 419 scam message injected into the text area of a news article. With this, scammers smartly introduce a scam message in an otherwise very legitimate looking mail.
October 2009 saw spam volumes averaging at 87 percent of all email messages, which is consistent with spam volumes observed in August and September 2009, but 10.6% higher than October 2008.
A notable highlight this month is the growth of spam originating from APJ (23% increase of 6% since June 2009) and South America (22% increase of 5% since June 2009) with a corresponding decline in spam originating from EMEA (28% decrease of 6% since June 2009) and North America (20% decrease of 5% since June 2009). This change can be attributed to a number of factors, including spam levels increasing; distribution networks becoming more dynamic as additional broadband connected targets are coming online every day; botnets continuing to jockey for position; and countries such as India, Taiwan, Thailand, and Chile becoming more visible as regions of origin for spam.
With respect to spam categories, Internet spam increased by 7% and now accounts for 39% of all spam messages. This...
Recently, I've been seeing phishing attacks using Web forms attached to emails making the rounds again. This type of phishing isn't so common but is used on occasion, so I want to take this opportunity to remind everyone not to fall for this trick.
Common phishing attacks include emails purporting to be from legitimate entities like financial instituions, auction sites, and SNS sites which include links to Web sites set up by the attacker to steal user information.
In this case, however, the phishing site arrives as an email attachment rather than a link to the site included in the body of the email.
Symantec has always recommended that personal information, especially financial information such as Social Security numbers, credit card numbers, and of course your email address must not be revealed anywhere on the Internet. Many security experts also believe that disclosing an IP address to an unknown person on the Internet is equally dangerous. We also now need to be cautious of not divulging our mobile numbers or date of birth because these bytes of information are also vitally essential, and are considered part of your identity by financial institutions.
We are monitoring a new wave of phishing attacks that is attempting to extract information such as the mobile numbers and/or dates of birth of recipients by using false alerts:
A couple of the Subject lines of these alerts are:
Symantec recently reported a malicious spam campaign against Facebook, which is now accompanied by a phishing attack. These messages look like an official Facebook invite or password reset confirmation mail.
If we place the cursor over the update button in the message, we can actually see the phishing URL in the status bar. If a user clicks on the “Update” button, he or she is redirected to a Facebook look-alike phishing site. Here, users are asked to enter a password to complete the update procedure. Unfortunately, the user’s password will be stolen if they try to log in on this page.
These attacks can be identified by the subject lines listed below:
Facebook account update
New login system
Facebook Update tool
While looking through some recent customer submissions a particular filename caught my attention. It was called “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign up for this application are now seeking invites to the service. Certain bad guys have latched onto this and are attempting to take advantage of the situation to push malware. In this case the malware in question is Backdoor.Tidserv. It’s also worth pointing out Google Wave was only selected because of its current popularity. Using a trusted brand like this also increases the chance of success for the attacker. This technique is something we see all of the time.
This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches by selling these invites to other people who want to...
Instant degree spam attacks have become one of the most regular attacks monitored in recent months. In an earlier blog post we listed the top five degrees offered by spammers. The messages guided users to online degree sites where recipients needed to actually earn their degree. On the other hand, with instant degrees there is no effort required—just call the number provided in the message and you can obtain a degree certificate in no time. These plain text messages arrived with a variety of subjects, which are listed below this sample message:
We have listed subject lines in descending order of number of appearances:
Get Your Bachelor's Degree Online
Earn a Bachelor's or Master's Degree Online
Enhance Your Career Tomorrow
Earn a Bachelor's or Master...
Chinese spammers are very adaptive to new Internet social mediums that might attract recipients’ interests in order to get Web hits. Spammers have done their research on popular social networking activities and living habits, thus setting up spam traps for possible hits. Recipients often fall for the spammers’ tricks because they may not be aware of updated spam news or phishing alerts.
Recently we observed Chinese spammers sending out moneymaking scams using a popular free micro blogging service. This type of free social networking allows users to send live updates through short text messages or links. In this sample we found that a spammer registered a legitimate user account and then sent out a friend invitation request. All links lead to the same money making promo ads:
Sample 1:
From: Popular social networking <Details removed>
Subject: 兼職工作,全職收入-每月增加2到 5萬 邀請您到 <Details removed> 註冊帳號
This has been a season of malicious attacks, starting last month when we informed users about an increase in spam containing malware. Coincidentally, we are seeing different methods of luring or scaring recipients to download malicious programs. In the past few weeks we reported spam attacks with malicious links that included MJ’s leaked song spam attack and the hunting the airplane game. In this recently monitored attack, we observed a typical phishing email that encourages users to click and download executable files.
Sample image of the message:
As shown in the above image, a fake FDIC alert warns users of a...
People are always curious about different theories on tragedy, especially those involving airplanes or ship accidents. In fact, even after the Titanic sank decades back, hundreds of books were published and movies developed based on expert views. Malicious software authors use information related to similar tragedies to entice recipients into clicking on virus-laden links. We mentioned one such example of this in our blog last year after the earthquake in China in June 2008.
In a new spam campaign, recipients are lured by contradicting information published by a news agency regarding 9/11 Pentagon damage. Users are encouraged to spot a plane in the pictures, which are included in the email. They are also supplied with a URL link to access more information. This link redirects users to a hijacked website that will point to an HTA file (a program that can be run from an HTML document). When users...
Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. Initially the campaign kicked off with a story from “your administrator” about some server upgrade that requires you to download and execute a patch to ensure that your computer continues to work properly:
Subject: Important - Read Carefully Email Body:
Attention!
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer...
Last week we observed a new Russian spam trend dealing with phone numbers. We have been monitoring spam samples containing phone numbers in the message body—with or without obfuscation. In one of our March ’09 blog posts, we mentioned the use of phone numbers in the headers as well. The phone numbers in those spam samples weren't obfuscated, but recently we have seen spammers introducing special symbols [+*^] between the numbers found in the headers, as shown in the examples below:
Overall spam volumes averaged at slightly over 86 percent of all email messages in September 2009, which is a decrease of 4 percent since July 2009. However, it is considerably greater than September 2008 when spam levels averaged at 78 percent of all email.
Notable this month is that the percentage of spam containing malware has increased, reaching up to 4.5 percent of all spam at one point. When compared to August 2009, Symantec has observed a nine-fold increase in spam containing malware during September. With respect to spam categories, the main movers were Internet spam, which increased by 3 percent again this month and averaged at 32 percent of all spam; and financial spam, which decreased 3 percent to account for 17 percent of all spam.
Click here to download the October 2009 State of Spam Report, which highlights the following trends:
