The Spam Omelette #35 – On Michael Jackson and FedEX Scams

1. Privacy beats expectations: it completely lacks

Ranking first in this week's issue of the Spam Omelette, the word PRIVACY has been detected in unsolicited mail impersonating legitimate newsletters.  Most of these messages feature a Canadian Pharmacy advertisemen t and make use of social engineering tricks such as catchy message subjects in order to reach out to recipients.

A second batch of Canadian Pharmacy spam is using celebrity names in the mail subject, a technique resembling the Celebrity Gang approach. This week's celebrity name popping out from the charts is Avril Lavigne, as shown in the screenshot below.

2. On broken UNSUBSCRIBE links

The word UNSUBSCRIBE is also encountered in spam messages impersonating newsletters. And, since the technique is old and not quite successful in tricking users anymore, spammers have added an extra spark of interest by abusing Michael Jackson's name. This batch of newsletters claims to provide the  proof that Michael Jackson had been killed. In order to view the proof, the user needs to accept the embedded image, which turns to be the same Canadian Pharmacy ad. As usually, any link embedded into the message (including the Unsubscribe option) takes the user to a clone website of Canadian Pharmacy.

3. Email is back on top

Ranking third in our weekly spam top, the word EMAIL has been detected by the BitDefender spam analysts in a wave of messages allegedly coming from FedEX. The spam message announces the recipients that they are to receive a package of significant value but they cannot be reached. In order to get the parcel on time, they have to fill in a form and send it to a non-FedEX webmail address. The disclosed information may then be used by scammers for identity theft or other illegal and damaging activities.

4. The missing LINK

The word LINK - this week's newcomer in the Spam Omelette top - has been detected in a wave of unsolicited mail also advertising Canadian Pharmacy products. The message itself contains the text Your Link and a URL leading to a compromised webpage. A closer look on the message reveals that this Canadian Pharmacy campaign makes use of legitimate domains (which have been broken into) in order to perform the redirect to the Canadian Pharmacy website.

In order to bypass Bayesian spam filters, the message contains a significant amount of text inserted as HTML comments.

5. SUBSCRIBE to spam now!

The word SUBSCRIBE concludes this week's spam top and has been identified in multiple waves of unsolicited mail impersonating newsletters. Although these messages feature distinct mail subjects, they use the same template with a central image displaying the current Canadian Pharmacy offering.