
The Spam Omelette #16

04 March 2009
Welcome to the Spam Omelette, BitDefender’s weekly report on spam trends and techniques. For 16 weeks now, we have been investigating what’s new in the spam landscape and have developed our own methods of analysis. If you missed our previous spam reports, please take a look here before proceeding with today’s article.

Week in review: February 25 - March 4


1. EMAIL still hangs on to the top in Canadian Pharmacy scheme

Ranking number one for about four weeks in a row, the word EMAIL has been identified by the BitDefender Spam researchers in spam waves that mainly promote Canadian Pharmacy drugs and sexual enhancements. The message comes with a less common subject, namely "Complaints about your car", in order to arouse the recipient's curiosity and get them to open the message.


Just like any "respectable" spam message, the unsolicited mails feature a forged disclaimer mentioning a more or less trustworthy company and a link to unsubscribe.

2. Unsubscribe, take 2

As if to compensate for its long absence from the spam scene, Canadian Pharmacy strikes back this week with yet another spam wave. Coming second in our spam top, the word UNSUBSCRIBE (also associated with the previously described spam campaign) has been detected in another spam wave emerging from Canadian Pharmacy.


The new template also builds on people's curiosity in order to get them to open the message. This specific template informs the user that their password has been changed. Although the message does not state exactly which password has been changed or why, by the time the user realizes that they have been tricked, it's already too late: the advertisement has already reached its target.

3. SERVICE Information: you have been spammed

Ranking third in this week's top, the word SERVICE has been identified in different spam campaigns promoting cheap OEM software as well as natural alternatives for stopping hair loss.


Please note that purchasing OEM software from such websites is illegal, as this type of licensing only allows users to get discounted software when they buy original hardware such as pre-built desktop systems, notebook computers or other peripherals.

The second spam wave abusing the word SERVICE advertises natural hair loss remedies. Just like the Canadian Pharmacy offerings, the spam messages are disguised as allegedly important warnings and pieces of information ("Important anti-virus mail info", for instance).


The message consists of a single piece and a couple of footer links to make the message look legit.

4. Privacy is dead

As revealed by this week's spam map, the words PRIVACY and SERVICE seem to have been encountered in the same proportion. A closer look at the spam stock revealed that both words are part of the same spam campaign initiated by Canadian Pharmacy.


Although the spam messages feature a couple of changes in terms of sender and subject, the rest of the template is unchanged.


The footer links (even the unsubscribe option) take the user to the same Canadian Pharmacy index page.

5. Your ACCOUNT may be at risk

Ranking last in our weekly top - which has undoubtedly been dominated by erectile dysfunction pills and hair-loss magic potions - the word ACCOUNT has been identified in a phishing attack impersonating account security warnings allegedly coming from May Bank. The message explains to potential victims that the bank suffered a severe DDoS attack - a term that's pretty scary for the average Joe - so all the e-banking accounts need re-validating.


How does the scheme work?

Inside the email body, phishers combine links to the bank's real website with links to a spoofed page. This way, the user will receive the TAC (Transaction Authorization Code) from the bank itself, but will pass it along with other confidential data to the spoofed webpage.
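A mail filter can look for exactly this mix of links. The sketch below is an added example, not BitDefender's detection code: it flags a message that links both to the impersonated bank's domain and to other hosts, and singles out links whose visible text shows the bank's domain while the href points elsewhere. The domains `bank.example` and `verify.invalid` and the sample body are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href host, visible anchor text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            try:
                host = (urlsplit(self._href).hostname or "").lower()
            except ValueError:  # malformed href, treat as having no host
                host = ""
            self.links.append((host, "".join(self._text).strip().lower()))
            self._href = None

def belongs_to(host, domain):
    # True for the domain itself or any of its subdomains.
    return host == domain or host.endswith("." + domain)

def mixed_link_report(html_body, brand_domain):
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    genuine = [h for h, _ in parser.links if belongs_to(h, brand_domain)]
    foreign = [(h, t) for h, t in parser.links if h and not belongs_to(h, brand_domain)]
    return {
        "genuine_links": len(genuine),
        "foreign_hosts": sorted({h for h, _ in foreign}),
        # Anchor text shows the bank's domain while the href points elsewhere.
        "disguised_hosts": sorted({h for h, t in foreign if brand_domain in t}),
        "suspicious": bool(genuine and foreign),
    }

# Constructed sample; bank.example and verify.invalid are placeholder domains.
SAMPLE_PHISH = """
<p>1. Request your TAC at <a href="https://www.bank.example/tac">www.bank.example/tac</a></p>
<p>2. Re-validate at <a href="http://bank-example.verify.invalid/login">https://www.bank.example/confirm</a></p>
<p><a href="https://www.bank.example/privacy">Privacy policy</a></p>
"""
```

Legitimate mail also links to third parties, so `suspicious` is a triage signal to combine with sender checks, while a non-empty `disguised_hosts` is the stronger indicator.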

What's new in the spam landscape?

  • German keywords are still visible on the spam map. However, this kind of text is not really used in messages to convey information; rather, it is "planted" as invisible HTML comments to trick spam filters.
  • Spammers have started to exploit new approaches in order to convince victims to open unsolicited messages. Subjects including words such as "password" and "Account" are enough of a lure to motivate average computer users into opening unsolicited mail.
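The comment padding described in the first point can be measured by separating what the reader sees from what sits inside HTML comments. The following is an added example, not BitDefender's filter: it tokenizes both parts and reports the share of words that are hidden. The sample message, the `pharmacy.invalid` host and the 0.5 threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

WORD = re.compile(r"[^\W\d_]{3,}")  # alphabetic tokens of 3+ letters, Unicode-aware

class VisibilitySplitter(HTMLParser):
    """Separate words a reader sees from words hidden in <!-- comments -->."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._skip = 0  # depth inside <script>/<style>, which is not rendered text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.visible += WORD.findall(data.lower())

    def handle_comment(self, data):
        self.hidden += WORD.findall(data.lower())

def comment_padding(html_body, threshold=0.5):
    """Report hidden vs. visible words; 'padded' when hidden share >= threshold."""
    splitter = VisibilitySplitter()
    splitter.feed(html_body)
    splitter.close()
    total = len(splitter.visible) + len(splitter.hidden)
    ratio = len(splitter.hidden) / total if total else 0.0
    return {"visible": splitter.visible, "hidden": splitter.hidden,
            "hidden_ratio": round(ratio, 2), "padded": ratio >= threshold}

# Constructed sample: short visible lure, German filler hidden in comments.
SAMPLE_PADDED = (
    "<html><body>"
    "<!-- Sehr geehrte Damen und Herren, vielen Dank, Ihre Rechnung liegt bereit -->"
    "<p>Your password has been changed</p>"
    "<!-- Mit freundlichen Empfehlungen, Ihr Kundendienst -->"
    "<a href='http://pharmacy.invalid/'>Click here</a>"
    "</body></html>"
)
```

A content filter that scores only the `visible` list is not influenced by the planted words, and a high `hidden_ratio` is itself a useful feature.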



Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.

Comments:

Mitch Russell said on Mar-11-2009 13:19

I recently got an interesting spam. It was titled: The house next door to you is on fire. It was selling drugs from a Chinese domain. (I opened it from a Linux VM)

yamaha atvs said on Apr-11-2011 03:13

Day by day the spamming is increasing. Is there any solution for that? I used to surf many blogs in one day and saw many spammy links on that. Anyway, thanks for posting here!!!
