Filed Under:
SPAM REVIEW

The Spam Omelette #29 – New Spam Techniques Ramping Up

11 June 2009
Welcome to the Spam Omelette, BitDefender’s weekly newsletter on the latest spam trends and techniques. In order to accurately draw the spam chart, we analyze about 7 million spam messages. In case you missed our previous reports, please have a look at our testing methodology before reading any further.

Week in review: June 3 - 10


Deeper analysis of this week's spam stock reveals that the top five words used in unsolicited messages are relatively similar to those we reviewed in the May 27 - June 3 timeframe. Given the fact that we already described spammers' techniques, we won't insist on that, but rather describe some really interesting additions to the spam landscape.

 

1. Canadian Pharmacy under disguise

One of the most important and persistent spammers out there, Canadian Pharmacy has taken yet another approach to delivering its messages straight into users' inboxes. Already notorious for impersonating legitimate newsletters such as those coming from WebMD, the new Canadian Pharmacy templates offer little detail on what the mail actually is. However, as the user clicks on the unsubscribe link or tries to find out more about the sender, they are presented with another clone of the Canadian Pharmacy website.


 

2. Portuguese Curriculum Vitae received by mistake


Although this is not quite the newest approach in spam, the following wave surely is interesting. The message is written in Portuguese and allegedly contains an attached curriculum vitae of a person named Michele Gomes.

At a glance, the recipient is manipulated into believing that the sender misspelled the intended recipient's e-mail address. However, the message does not contain any attachments, but rather a URL to an infected binary. The curriculum.doc keyword actually links to curricullum.scr, an executable file detected by BitDefender as Trojan.Heur.A090F1E4B4.

Once the file is executed, it connects remotely to an Internet resource, then tries to download and install a spam-sending bot, among others.

 

 


 

3. Product spam back on track

Mostly active during the holiday shopping season, product spam has been flying under the radar during the first half of this year. This week's surprise comes from Diamond Replicas, a China-based online retailer of knockoff watches. The message's headers have been forged to look as if the originating account is the recipient account itself.


 

What's new in the spam landscape?

  • German words are back in the spam map, thus indicating that spam targeting German-speaking countries is on the rise again.
  • Social engineering used as a means of infection: the curriculum-vitae trick described above relies on users' curiosity to trick them into opening the .scr file. More than that, because the supposed attachment poses as a .doc file, few users would actually suspect that it is a malicious executable file.
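
Both tricks described above, the link labelled curriculum.doc that points to a .scr file and the From header forged to match the recipient, can be checked mechanically on a mail gateway. The following Python triage function is an added example, not BitDefender's detection logic; the extension list, the finding labels and the sample message (with placeholder addresses and host) are constructed for illustration.

```python
import email, posixpath
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly; an assumed list for this example.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Constructed sample combining both traits; addresses and host are placeholders.
SAMPLE = """From: user@example.com
To: user@example.com
Content-Type: text/html; charset=utf-8

<p>CV: <a href="http://files.example/curricullum.scr">curriculum.doc</a></p>
"""

def ext_of(name):  # lower-cased extension of a file name or URL path
    return posixpath.splitext(name.strip().lower())[1]

class LinkCollector(HTMLParser):  # collects (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw_message):  # findings for one RFC 5322 message given as text
    msg, findings = email.message_from_string(raw_message), []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender and sender == parseaddr(msg.get("To", ""))[1].lower():
        findings.append("from-equals-to")  # header forged to match recipient
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            collector = LinkCollector()
            collector.feed(html)
            for text, href in collector.links:
                target = ext_of(urlparse(href).path)
                # Target is executable but the visible text does not say so.
                if target in EXECUTABLE_EXTS and ext_of(text) != target:
                    findings.append(f"link-mismatch:{text}->{target}")
    return findings
```

A matching From and To also occurs in legitimate notes-to-self, so that finding is better used as one scoring signal than as a verdict on its own.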



Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.
