Week in review: May 27 – June 13
1. WebMD back in the tops
The word WebMD is back in the spam tops with
the advent of yet another spam campaign triggered by infamous online medicine
business Canadian Pharmacy. As stated in our previous issues of the Spam
Omelette, please note that the WebMD brand is legitimate and has a strong
however, abuse the WebMD logo and visual identity.
It seems that one of the most important vectors in
the WebMD campaign is a piece of malware called Trojan.Spammer.Tedroo.
Once the Trojan has infected the host, it starts sending unsolicited mail
advertising Canadian Pharmacy products, as well as messages advertising sexy
video clips featuring Angelina Jolie. As
the user visits the hyperlink enclosed in the Angelina Jolie spam mails, they
are prompted to install a fake codec, a binary
file infected with the Tedroo spam bot.
2. No PRIVACY for the spam victim
Ranking second in the weekly spam top, the
word privacy has been identified in multiple spam campaigns mostly focused on
sexual enhancements coming from the same Canadian Pharmacy business. The word
appears in the alleged disclaimer text placed in the message’s footer, a method
of camouflaging spam as legitimate newsletters.
This time, spammers are using a wide range of
message subjects ranging from friendly pieces of advice to what seems to be
business mailings. For instance, BitDefender’s spam analysts have identified
the same template associated with message subjects such as "New Access Cards", "Love Movies? Open This!", "She Got Blog! Read", as well as financial
crisis-specific warnings such as "Payment
Time Expired" or "Our Staff Reduction".
3. UNSUBSCRIBE Tricks: Canadian Pharmacy with multiple faces
This week, Canadian Pharmacy strikes back in
the unsubscribe game with yet another template. The trick itself is extremely
old and still pays off in collecting valid e-mail addresses for further spam
campaigns: as the user clicks on the embedded unsubscribe link, their e-mail
address is validated against a spam database. Next, the user is redirected to a
clone of the Canadian Pharmacy website.
This specific spam wave relies on forged mail
headers to look as if it had been sent by the recipient. Since many e-mail
users would often whitelist (add to SafeSenders’ list) e-mails coming from a
specific domain (especially in corporate environments), a spam message
allegedly originating from the same domain as the recipient is highly likely to
land straight in the inbox rather than being discarded as spam.
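As an added example (not part of the original newsletter), a defender-side check for the forgery described above: a small Python filter that flags mail whose From and To headers share a domain but whose oldest Received header shows the message entered from a host outside our own relays. The relay names, addresses and header samples are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the mail relays we operate. Mail that first entered the chain
# from any other host was not sent from inside our domain.
TRUSTED_RELAYS = {"mx.example.com", "mail.example.com"}

# Constructed samples. The first one is the pattern from the newsletter: the
# From header is forged to the recipient's own domain, but the oldest
# Received header shows an outside client handing the message to our MX.
FORGED_SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10]) by mail.example.com; Mon, 1 Jun 2009 10:00:00 +0000
Received: from unknown (HELO cable-modem.example.net) (198.51.100.77) by mx.example.com; Mon, 1 Jun 2009 09:59:58 +0000
From: Alice <alice@example.com>
To: alice@example.com
Subject: Payment Time Expired

To unsubscribe, click the link below.
"""

INTERNAL_SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.20]) by mx.example.com; Mon, 1 Jun 2009 11:00:00 +0000
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch?

See you at noon.
"""

def _domain(header_value):
    """Lower-cased domain part of the first address in a From/To header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def origin_host(msg):
    """Host named after 'from' in the oldest (bottom-most) Received header,
    i.e. the client that first handed the message to a relay; None if absent."""
    chain = msg.get_all("Received") or []
    if not chain:
        return None
    match = re.match(r"from\s+(\S+)", str(chain[-1]).strip(), re.IGNORECASE)
    return match.group(1).lower() if match else None

def flag_self_domain_spoof(raw_message):
    """True when sender and recipient share a domain but the message did not
    originate from one of our own relays: the 'own domain' sender is forged."""
    msg = message_from_string(raw_message, policy=policy.default)
    same_domain = _domain(msg["From"]) == _domain(msg["To"])
    return same_domain and origin_host(msg) not in TRUSTED_RELAYS
```

A filter built on this check should run before any SafeSenders or domain whitelist is consulted, since the whitelist is exactly what the forged header is designed to exploit.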
4. PLEASE read this, then let me spam you
Ranking fourth in this week’s issue of the
Spam Omelette, the word PLEASE has been identified in messages advertising “a business proposition that is 100% legitimate
and risk free”. Unlike other spam campaigns using similar texts and strategies,
this specific wave does not try to con the user with an advance-fee scam or to
snatch personal information for identity theft. Instead, the spammer only asks
the user to reply if interested – a method of collecting valid e-mail addresses
for subsequent spam campaigns.
5. Spam is always one CLICK away
The word CLICK has been identified by
BitDefender’s spam analysts especially in unsolicited mail coming from online
stores selling prescription-based drugs.
In order to make the user open the message, spammers use strong e-mail
subjects related to day-by-day activities. This particular mail reads