Malware City/Blog/

Jan
09
Filed Under:
SPAM REVIEW

The Spam Omelette #8

09 January 2009
Welcome to the first issue of the Spam Omelette for the new year. Before going any further, please make sure that you take a look at our testing and map generation methodology, as explained in our first issue.

 

About_Spam
 
 

 

While the past winter holidays have been relatively calm in terms of malware attacks as compared to the previous years, spammers have already resumed their activity. Before going any further with our weekly top, please note that the generated map displays four disproportionately large words as compared to the rest of the entries.
 
1.    EMAIL everyone
 
This week’s top word is EMAIL. It is encountered in almost every analyzed spam message, as bulk email senders try to make their messages look like newsletters.
 
The vast majority of messages including the word “email” advertise sexual enhancement drugs allegedly obtained from natural ingredients. The advertised products are not part of the Canadian Pharmacy series, although this new campaign is as aggressive as the Canadian business used to be.
 
The spammer uses a wide range of neutral message subjects, such as Re: new year eve invite, Scarlett's home video stolen, or sexually-explicit ones (Massive and engorged or Monster size tool). Also, the message usually claims to be a news alert coming from respectable companies such as Alaska Display, AdsValue and Communications-Pacific Inc.

 

 

 

Email

 

BitDefender antispam analysts detected the word in a second spam campaign that uses phishing techniques to get sensitive information about users’ credit cards. The message looks like it has been  sent by the Visa Mastercard Award Team, a company branch that does not even exist. Its recipients are urged to claim a special 500,000-pound prize, but, in order to be eligible, they have to fill in a form with critical account-related information.

Email_Scam

 

 

2.    Open the mail, PLEASE


Ranking second in our weekly spam analysis, the word PLEASE has been detected in a series of messages closely related to the previously described campaign. However, the spammer has only changed the HTML template in order to prevent antispam filters from catching both campaigns at once.

 

Check_Mail_Please

 

 

Spammers also use generic message subjects for this campaign, in order to prevent the user from labeling these emails as spam.

3.    We need your CLICK

The word CLICK has been detected in a single type of spam messages that ironically advertise sexual enhancement drugs. However, the spam message advertises drugs produced by Max Gentleman, a competitor of both Canadian Pharmacy and PowerGain+.


Click

Another interesting aspect is the fact that the embedded URL takes the user to a compromised sub-domain located on chat.ru that randomly redirects users to different domains hosting Max Gentleman clones. This way, the spammer ensures that the user will still see the page as webhosts suspend certain clones for abusive advertising.

4.    The UNSUBSCRIBE trick

Building on the precarious economy state in the United States, spammers took the opportunity to offer “friendly” loans. However, only US residents are eligible for such mortgage re-financing loans with sky-high interest rates , and even if you opt out and wish to unsubscribe, you would only confirm the spammer that your address is valid and used by a human operator.


Unsubscribe
 
5.    Would you like to RECEIVE some extra money?

Ranking last in our weekly top, the word RECEIVE has been associated with a single spam campaign. The message is a classical Nigerian scam letter that tells the lacrimogenous story of an estranged relative who left the fabulous sum of 3,600,000 pounds to the receiver. The spammer tries to induce some sort of paranoia by mentioning the fact that the Internet is extremely unsafe for such purposes, and instead he would like to receive the necessary papers (written consent of acceptance, copies of identity documents and so on) via snail-mail.
 
Receive_email
 

What's new in the spam landscape?


As the winter holiday season came to an end, product-related spam dropped back to normal. Canadian Pharmacy  spam also became extremely scarce, probably because most of the Srizbi-infected computers that are responsible for relaying such messages have been shut down over the holidays. However, medicine spam made a comeback with massive campaigns from PowerGain+ and Max Gentleman.


 

RELATED INFO:
OTHER SPAM OMELETTE #


Related

19-12-2008 | The Spam Omelette #7

11-12-2008 | The Spam Omelette #6

26-11-2008 | The Spam Omelette #5

19-11-2008 | The Spam Omelette #4

Comment on this

Name:

Email:

Website:

Your email adress will not be published.