The Spam Omelette #26

Welcome to this week

Week in Review: May 13-20



1. CLICK makes a comeback in spam

The word CLICK is now back as the top word in spam messages, after only one week of absence. The BitDefender spam researchers identified CLICK especially in messages related to medicine spam. It seems that medicine spammers took a more discreet approach this week, advertising their products without using their favorite keywords: WebMD and Canadian Pharmacy.


A closer look at the messages reveals that this week’s spam wave coming from Canadian Pharmacy uses Russian (.ru) domains to perform various redirects to the Canadian Pharmacy website.


As usual, the Canadian Pharmacy spammers take various approaches to make users open the messages – they add various mail subjects to make the messages look as if they had been sent by friends.

2. EMAIL, the source of all evil

Ranking second in our weekly top, the word EMAIL has been identified in multiple spam campaigns, especially those advertising Canadian Pharmacy products and online poker casinos.

While Canadian Pharmacy and its associates are a frequent presence in our weekly spam review, PokerSavvy made a comeback with a spam wave advertising a new online gambling tour. All of PokerSavvy’s spam campaigns are handled by Bronto, an allegedly respectable online marketing company.

Unlike other spam campaigns that disallow unsubscribing from the mailing list, the footer links included in the PokerSavvy spam campaigns actually seem to work.


3. It’s not NEWS, it’s spam

The word NEWS has been identified by the BitDefender spam researchers in messages impersonating legitimate newsletters from Health Media Ventures. However, as soon as the user clicks on any link embedded in the message, they are redirected to one of the many Canadian Pharmacy website clones on the web.


4. PLEASE, spammers’ favorite word

Ranking fourth in our weekly spam top, the word PLEASE is mostly encountered in unsolicited mail advertising Canadian Pharmacy products. These messages also come disguised as newsletters, and it is really difficult to tell them from legitimate mail, except for the fact that they feature an inline image and hint at “pharmaceutical technology” (a buzzword for sexual enhancements). The mail subject sometimes seems out of place compared to the rest of the message, but by the time the user notices it, they have already opened the message.


Just like the rest of the spam related to drugs, all the links have been tampered with to lead the user to a Canadian Pharmacy page.

5. No PRIVACY for the spam victim

This week’s spam top concludes with the word PRIVACY, identified by the BitDefender spam researchers in unsolicited messages impersonating legitimate newsletters from WebMD, an approach typical of the notorious Canadian Pharmacy business. Unlike other spam templates used this week by Canadian Pharmacy, this one has been rigged to lead users to Chinese domains.


Needless to say, the unsubscribe link is not working as it should. Instead, the user can sign up for extra newsletters coming from Canadian Pharmacy and its affiliates.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.