The Spam Omelette #25

Welcome to the Spam Omelette, BitDefender

Week in review: May 6 – 13



1. WebMD: two-week run as top word in spam

Ranking first in our spam top for two weeks in a row, the word WebMD has been identified by the BitDefender spam researchers in unsolicited advertisements coming from the Canadian Pharmacy business. Unlike the previous week’s spam waves, which directed users to URLs built around the “Pfizer” brand, the fresh message batch sends those who click on the embedded links to domains composed of the words “new”, “pharmacy” and “nine”.

WEBMD spam

This type of spam uses only two distinct mail subjects with multiple variations in the discount percentage, as seen in the image below:


As usual, all the hyperlinks included in the mail’s body have been tampered with in order to take the user to the Canadian Pharmacy website.


2. Canadian Pharmacy hates PRIVACY

Ranking second in our weekly spam top, the word PRIVACY has mostly been detected in messages that also come from the Canadian Pharmacy business. The messages impersonate a legitimate newsletter sent by the Health Central service: the actual message has been tampered with and all embedded links have been redirected to Canadian Pharmacy website clones.

Privacy Spam Example


3. Awaiting important MESSAGES? How about some spam instead?

The word MESSAGES has been identified by the BitDefender researchers in multiple spam waves. This week’s largest wave of unsolicited mail abusing it is a classical Nigerian / identity theft scam. As usual, the recipient is presented with a long and complex message aimed at gaining their confidence. In order to complete the picture, the scammer throws in a large amount of money that would be at the user’s disposal as soon as he / she sends copies of an ID card / driver’s license to a specific fax number.

Once replied to, these scams can have devastating effects on the conned user, including identity theft, damage to their bank balance and even incidents with international law enforcement organizations.

Messages spam example


tips and tricks

As we discussed in our previous issues of the Spam Omelette, unsubscribe links are often tampered with to take the user straight to the advertised web page, or worse, to an unsubscribe form where personal data is collected and abusively logged in a spam / identity theft database.

Unsubscribe spam example

Online medicine retailers such as Canadian Pharmacy and PowerGain+ are two of the most important spammers out there that rely heavily on unsubscribe links in order to deceive their recipients.

 Unsubscribe spam
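The tampering described in this issue (a cloned newsletter whose links, unsubscribe link included, all lead to one unrelated site) can be checked for on the receiving side. The sketch below is an added example, not BitDefender's detection logic; the domains `example.org` and `shop.example.net` and the function names are hypothetical placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a cloned newsletter whose links, including the
# unsubscribe link, all lead to one unrelated host (placeholder domains).
SAMPLE_HTML = """
<p>Health news for you</p>
<a href="http://shop.example.net/p?id=1">Read the full article</a>
<a href="http://shop.example.net/p?id=2">Privacy policy</a>
<a href="http://shop.example.net/p?id=3">Unsubscribe</a>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def audit_links(html, sender_domain):
    """Report links that leave the domain the message claims to come from."""
    parser = LinkCollector()
    parser.feed(html)
    links = parser.links
    foreign = [(t, h) for t, h in links
               if not in_domain(host_of(h), sender_domain.lower())]
    unsub = [h for t, h in links if "unsubscribe" in t.lower()]
    ad_hosts = {host_of(h) for t, h in links if "unsubscribe" not in t.lower()}
    return {
        "foreign_links": foreign,
        "all_links_foreign": bool(links) and len(foreign) == len(links),
        "single_destination": len({host_of(h) for _, h in links}) == 1,
        "unsubscribe_shares_ad_host": any(host_of(h) in ad_hosts for h in unsub),
    }
```

Legitimate newsletters also route links through third-party click-tracking hosts, so these flags work best as inputs to a score alongside other signals rather than as a verdict on their own.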

5. Contact spammers back via MSN

The word MSN ranks last in this week’s issue of the Spam Omelette, and is frequently used in a less usual spam campaign. The Japanese spammer advertises the services of an online electronics store, especially heavily discounted iPhone devices. Orders are taken via two disposable e-mail addresses registered with Yahoo and MSN, respectively.

MSN spam

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.