SPAM REVIEW

The Spam Omelette #20

Welcome to this week


 Week in review: March 26 – April 2

Omelette 20

 

1. INVESTMENTS are good, especially when crisis strikes

Ranking first in our weekly top is the word INVESTMENT, an absolute
first for Spam Omelette. The BitDefender spam researchers identified the word
in unsolicited messages coming from Canadian Pharmacy via multiple
spam relaying servers.

What’s special about this campaign is that it now centers
on a new keyword, namely investment. Old phrases such as “love machine”,
“sex” and “Sex can be endless” have been discarded for a newer, more
down-to-earth approach: the financial crisis and its inherent consequences.

investment spam

 

The entire message mimics a financial newsletter with legitimate text. However, spammers have
tweaked the original newsletter to display the Canadian Pharmacy logo along
with a list of products and their pricing information, as described below:

investment spam 2

Although the message appears to be better crafted than the previous spam
campaigns and is more likely to pass as legitimate to the unwary user, it
still uses subjects that seem a little out of place (such as “You passed me
bad money!”) and are totally unrelated to the content itself.

 

2. Your SUBSCRIPTION to spam never expires

The word SUBSCRIPTION has been identified mostly in spam messages
advertising sexual enhancements, namely penis enlargement pills. Contrary to
popular belief, this spam campaign is not associated with either Canadian
Pharmacy or PowerGain+, but rather with Dr. Maxman’s clinic, one of the many
manufacturers of “natural” sexual enhancements that did not pass the FDA
certification.

Subscription spam

The spam message also impersonates a legitimate newsletter allegedly
coming from beauty.com. Moreover, unlike Canadian
Pharmacy, this spam campaign abandons strong mail subjects in favor of
more ambiguous ones.

Subscription spam 2

The actual spam campaign is based on the image above, linked to one of
the websites selling the product.

 

3. Product spam is back. Just CLICK here.

We mentioned in our previous reports that product spam messages had become
scarcer right after the winter shopping season ended. It seems that this type
of unsolicited mail is back: the word CLICK has been identified by the
BitDefender spam researchers in messages promoting designer bag and wrist watch
knockoffs.

Click spam

The new spam wave is part of the old Prestige campaign that stormed
users’ inboxes just before Christmas.

 

4. EMAIL scams, back online

Ranking fourth in our weekly spam top, the word EMAIL has been detected
in an aggressively-promoted advance-fee fraud scheme that hit users’ inboxes on
April 1st.

Email spam 20

The message allegedly informs unwary users that they are now eligible to
receive 1.5 million in cash, but they would have to provide the “bank” with
their personal identification data. These messages are particularly dangerous
because the personal information users may expose will be used for identity
theft or subsequent phishing schemes.

5. HTML tags and EMPLOYEES

Although extremely visible on this week’s spam map, the word EMPLOYEES
does not visibly appear in any of the analyzed messages. It mostly occurs
in commented-out text passed along with image-only spam to trick filters.
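A filter-side check for the padding described above, as an added example that is not part of the original report: it splits an HTML body into rendered words, comment words and images, then flags image-only mail carrying a large block of comment text. The thresholds, function names and both sample messages are constructed assumptions.

```python
from html.parser import HTMLParser

class BodyProfile(HTMLParser):
    """Separates what the reader sees from what only a text filter sees."""
    SKIP = {"script", "style", "title"}  # element content that is never rendered

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.hidden, self.images = [], [], 0
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.visible.extend(data.lower().split())

    def handle_comment(self, data):
        self.hidden.extend(data.lower().split())

def comment_padding(html, min_hidden=20, max_visible=10):
    """Profile one HTML body; thresholds are illustrative, not tuned values."""
    p = BodyProfile()
    p.feed(html)
    p.close()
    flagged = (p.images > 0 and len(p.hidden) >= min_hidden
               and len(p.visible) <= max_visible)
    return {"images": p.images,
            "visible_words": len(p.visible),
            "hidden_words": len(p.hidden),
            # words a keyword counter would see but the recipient never does
            "hidden_only": sorted(set(p.hidden) - set(p.visible)),
            "flagged": flagged}

# Constructed samples: an image-only body padded with commented words,
# and an ordinary newsletter body with one short comment.
SPAM = ('<html><body><!-- ' + "employees company investments quarterly report " * 6
        + '--><a href="http://shop.example/"><img src="cid:offer"></a></body></html>')
LEGIT = ('<html><body><!-- header --><p>'
         + "Quarterly results for all employees are attached below. " * 3
         + '</p><img src="logo.png"></body></html>')
```

Scoring keyword statistics on the `visible` list only, and treating the `hidden_only` set as a signal in its own right, keeps commented padding from diluting a content filter.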

What’s new in the spam landscape?

  • Product spam is back in business after about three months of absence. Most of the spam
    messages reaching users’ inboxes are coming from Prestige Replicas.
  • The global crisis and its effects on the economy brought crisis-specific spam, based on
    words such as Employees, investments or company. However, these messages usually don’t
    carry any financial message, but rather act as bait for showing sexual
    enhancement drugs.
  • German spam dropped significantly in the charts: specific words such as Sie, und, wie, or
    als have now become extremely rare and barely show up on this week’s spam map.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.