The Spam Omelette #28 – The Spam-Sending Trojan
Week in review: May 27 - June 13
1. WebMD back in the tops
The word WebMD is back in the spam tops with the advent of yet another spam campaign triggered by infamous online medicine business Canadian Pharmacy. As stated in our previous issues of the Spam Omelette, please note that the WebMD brand is legitimate and has a strong privacy policy regarding newsletters: the Canadian Pharmacy newsletters, however, abuse the WebMD logo and visual identity.
It seems that one of the most important vectors in the WebMD campaign is a piece of malware called Trojan.Spammer.Tedroo. Once the Trojan has infected the host, it starts sending unsolicited mail advertising Canadian Pharmacy products, as well as messages advertising sexy video clips featuring Angelina Jolie. As the user visits the hyperlink enclosed in the Angelina Jolie spam mails, they are prompted to install a fake codec, a binary file infected with the Tedroo spam bot.
2. No PRIVACY for the spam victim
Ranking second in the weekly spam top, the word privacy has been identified in multiple spam campaigns mostly focused on sexual enhancements coming from the same Canadian Pharmacy business. The word appears in the alleged disclaimer text placed in the message's footer, a method of camouflaging spam as legitimate newsletters.
This time, spammers are using a wide range of message subjects ranging from friendly pieces of advice to what seems to be business mailings. For instance, BitDefender's spam analysts have identified the same template associated with message subjects such as: New Access Cards, Love Movies? Open This!, She Got Blog! Read as well as financial crisis-specific warnings such as Payment Time Expired or Our Staff Reduction.
3. UNSUBSCRIBE Tricks: Canadian Pharmacy with multiple faces
This week, Canadian Pharmacy strikes back in the unsubscribe game with yet another template. The trick itself is extremely old and still pays off in collecting valid e-mail addresses for further spam campaigns: as the user clicks on the embedded unsubscribe link, their e-mail address is validated against a spam database. Next, the user is redirected to a clone of the Canadian Pharmacy website.
This specific spam wave relies on forged mail headers to look as if it had been sent by the recipient. Since many e-mail users would often whitelist (add to the Safe Senders list) e-mails coming from a specific domain (especially in corporate environments), a spam message allegedly originating from the same domain as the recipient is highly likely to land straight in the inbox rather than to be discarded as spam.
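The same-domain forgery described above is exactly the case a domain-wide whitelist should not trust blindly. The following is an added example (not BitDefender code, and not part of the original newsletter) showing the check a mail gateway or mail-filter rule can make before honouring a whitelist: if the From: domain matches the recipient's domain, the message is treated as suspicious unless the MTA's own Authentication-Results header (RFC 8601) shows SPF or DKIM passing. The two raw messages, the domain corp.example and the relay names are constructed for the example; it assumes the receiving MTA stamps an Authentication-Results header, which is the assumption to verify in a real deployment.

```python
"""Flag self-spoofed mail: From: domain equals the recipient's domain but the
message did not pass sender authentication. Added example, not the page's code."""
import email
from email import policy
from email.utils import getaddresses

# Constructed sample: forged same-domain sender arriving from an outside relay.
SPOOFED = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.corp.example (Postfix) with ESMTP id ABC123
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example; dkim=none
From: alice@corp.example
To: alice@corp.example
Subject: Unsubscribe confirmation

Click here to unsubscribe.
"""

# Constructed sample: genuine internal mail that passes SPF and DKIM.
LEGIT = b"""\
Received: from internal.corp.example (internal.corp.example [192.0.2.10])
\tby mx.corp.example (Postfix) with ESMTP id DEF456
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: bob@corp.example
To: alice@corp.example
Subject: Meeting notes

See attached.
"""


def domains_in(header_values):
    """Lower-cased domains of every address found in the given header values."""
    addrs = getaddresses([str(v) for v in header_values])
    return {addr.rpartition("@")[2].lower() for _, addr in addrs if "@" in addr}


def auth_results(msg):
    """Parse Authentication-Results into {method: result}, e.g. {'spf': 'fail'}.

    The first clause is the authserv-id; each following clause is
    'method=result [extra properties]'. Returns {} when the header is absent.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if method:
                results[method.strip().lower()] = rest.split()[0].lower() if rest else ""
    return results


def check_message(raw_bytes):
    """Return a verdict dict; 'suspicious' is True for an unauthenticated
    same-domain sender, the pattern that abuses domain-level whitelisting."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender_domains = domains_in(msg.get_all("From", []))
    recipient_domains = domains_in(msg.get_all("To", []) + msg.get_all("Cc", []))
    same_domain = bool(sender_domains & recipient_domains)
    auth = auth_results(msg)
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    return {
        "same_domain": same_domain,
        "auth": auth,
        "suspicious": same_domain and not authenticated,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw))
```

The point of the check is the order of operations: authentication is consulted before the whitelist, so a forged same-domain From: header only earns trusted delivery when the sending path actually belongs to the domain. A message with no Authentication-Results header at all is treated as unauthenticated rather than given the benefit of the doubt.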
4. PLEASE read this, then let me spam you
Ranking fourth in this week's issue of the Spam Omelette, the word PLEASE has been identified in messages advertising "a business proposition that is 100% legitimate and risk free". Unlike other spam campaigns using similar texts and strategies, this specific wave does not try to con the user with an advance-fee scam or to snatch personal information for identity theft. Instead, the spammer only asks the user to reply if interested - a method of collecting valid e-mail addresses for subsequent spam campaigns.
5. Spam is always one CLICK away
The word CLICK has been identified by BitDefender's spam analysts especially in unsolicited mail coming from online stores selling prescription-based drugs. In order to make the user open the message, spammers use strong e-mail subjects related to day-to-day activities. This particular mail reads "Your IP activity list" - a direct hint at the recent ISP policy of monitoring network activity and downloads of copyrighted materials.
Copyright 2011. Site powered by Bitdefender
Ijaz said on Oct-28-2010 10:50
thanks