The Spam Omelette #5
Welcome to our fifth report on spam messages for the week that ended November 23. Before proceeding any further, please make sure that you are familiar with our spam testing methodology and map generation. This week’s report is dedicated to the Srizbi botnet, which was kind enough to start sending infected Christmas cards to unwary computer users.
1. The EMAIL message has it all
This week's favorite word in spam messages is "EMAIL". It has been detected spelled both as "email" and "E-mail", but they both point to the same thing, after all. Spelled as "Email", the word is frequently encountered in Brazilian spam messages advertising telephony and Internet services.
The other instance of the word, spelled as "e-mail", has been detected mostly in messages impersonating Hallmark e-cards. Basically, the spammer perfectly imitates a legitimate message allegedly sent by the greeting card company. All the links included in the message direct users to an infected webpage that automatically triggers a drive-by download. The downloaded binary file is an executable application that installs an IRC bot on the host computer. The bot would immediately add the infected computer to the Srizbi botnet, a network of rogue computers that is mostly responsible for sending fake, infected e-cards.
2. CLICK here for extra product spam
Product spam witnessed a significant decrease over the last two weeks, but it is on the rise again as we get closer to the Christmas shopping spree. Deeper analysis revealed that the word "Click" appears in spam messages advertising Rolex knock-offs.
3. Come visit us, PLEASE
Ranking third on our weekly spam top, the word "please" has been identified mostly in messages associated with the Canadian Pharmacy business. Although the image accompanying the message is unchanged from the previous campaigns, this week's spam wave mentions the recipient's address and even provides a forged link to unsubscribe. This small tweak adds extra legitimacy to a message known as spam.
4. NEW Year, new spam
The word "new" ranks fourth in this week's spam top. BitDefender analysts identified a single type of message abusing the word. This spam campaign advertises luxury replicas ranging from designer bags to watches and jewelry.
5. UNSUBSCRIBE here, here and here.
Fake "unsubscribe" links attached to spam messages have become standard in the spam industry. Such links not only make the message look legitimate (it usually impersonates a newsletter sent by a respectable company), but also help spammers validate which mail addresses in their databases are actually in use. Unsubscribing from a spam list also tips the spammer off that the end-user has limited security knowledge and might be a potential target for subsequent spam / malware attacks.
Deeper analysis revealed that some e-mails in this type of campaign would often include multiple unsubscribe links. Please note that clicking on any of these links would actually enroll you in other spam campaigns, and you might even receive malicious attachments.
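A mail-filtering heuristic for the pattern described above, as an added example that is not BitDefender's detection logic: it counts the unsubscribe links in an HTML message and lists those hosted outside the sender's domain. The function names, the sample message and the two-label domain comparison are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the report); all domains are reserved example names.
SAMPLE = "\n".join([
    "From: Newsletter <news@shop.example.com>",
    'Content-Type: text/html; charset="utf-8"',
    "",
    '<p><a href="http://shop.example.com/sale">View offers</a></p>',
    '<p><a href="http://track.example.net/u?id=1">unsubscribe here</a>,',
    '<a href="http://lists.example.org/unsubscribe">here</a> and',
    '<a href="http://shop.example.com/prefs">Unsubscribe</a></p>',
])

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_unsubscribe_links(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    # A link counts as "unsubscribe" if the word is in its URL or its visible text.
    unsub = [h for h, t in collector.links if "unsubscribe" in (h + " " + t).lower()]
    hosts = {urlsplit(h).hostname or "" for h in unsub}
    foreign = sorted(x for x in hosts if base_domain(x) != sender)
    findings = (["multiple-unsubscribe-links"] if len(unsub) > 1 else []) + \
               (["unsubscribe-host-differs-from-sender"] if foreign else [])
    return {"unsubscribe_links": len(unsub), "foreign_hosts": foreign, "findings": findings}
if __name__ == "__main__":
    print(check_unsubscribe_links(SAMPLE))
```

Legitimate newsletters often route unsubscribe requests through a third-party mailing service, so a host mismatch on its own is a weak signal and is best scored together with other indicators.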
What's new in the spam landscape?
Given the fact that winter holidays are only one month ahead, product spam is on the rise. BitDefender expects new spam waves advertising the perfect Christmas gift, along with other security threats. The Srizbi botnet has already started sending forged Christmas e-cards (please note that our spam map already registered the word "card"), which point unwary users to malicious binary files.














