
The Spam Omelette #29


Week in review: June 3 – 10

A deeper analysis of this week's spam stock reveals that the top five words used in unsolicited messages are largely the same as those we reviewed in the May 27 – June 3 timeframe. Since we have already described the spammers' techniques behind them, we won't dwell on that, but rather describe some really interesting additions to the spam landscape.

1. Canadian Pharmacy under disguise

One of the most prolific and persistent spammers out there, Canadian Pharmacy, has taken yet another approach to delivering its messages straight into users' inboxes. Already notorious for impersonating legitimate newsletters such as those from WebMD, the new Canadian Pharmacy templates give few details about what the mail actually is. However, when users click the unsubscribe link or try to find out more about the sender, they are presented with yet another clone of the Canadian Pharmacy website. In other words, the "unsubscribe" link is the payload delivery mechanism itself, which is one more reason never to follow such links in unsolicited mail.

2. Portuguese curriculum vitae received by mistake

Although this is not quite the newest approach in spam, this wave is certainly interesting. The message is written in Portuguese and allegedly contains an attached curriculum vitae of a person named Michele Gomes.

At a glance, the recipient is led to believe that the sender mistyped the recipient's e-mail address and sent the CV to the wrong person. However, the message does not contain any attachment, but rather a URL to an infected binary: the "curriculum.doc" link text actually points to curricullum.scr, an executable file detected by BitDefender as Trojan.Heur.A090F1E4B4.

Once the file is executed, it connects to a remote Internet resource, then tries to download and install, among other things, a spam-sending bot.

3. Product spam back on track

Mostly active during the holiday shopping season, product spam had been flying under the radar during the first half of this year. This week's surprise comes from Diamond Replicas, a China-based online retailer of knockoff watches. The message's headers have been forged so that the originating account appears to be the recipient's own account.
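The two tricks described in sections 2 and 3 are easy to flag automatically once you look past the visible text. The script below is an added example, not BitDefender's code and not part of the original post: it parses a raw mail, extracts every HTML link, reports links whose visible text ends in a document extension while the target URL path ends in an executable extension (the curriculum.doc → curricullum.scr case), and separately reports a From address that is also a To address (the forged-header case). The two sample messages, the hosts and the addresses are constructed for the example and are not the real spam.

```python
"""Triage heuristics for the two tricks above: a document-looking link
that really fetches an executable, and a From header forged to match the
recipient.  Added example, not BitDefender's code; the sample messages,
hosts and addresses below are constructed."""
import email
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

DOC_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".ppt"}
EXE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _ext(name):
    """Lower-cased extension of a file name or URL path ('' if none)."""
    return posixpath.splitext(name.lower())[1]


def disguised_executable_links(html):
    """Links whose visible text ends in a document extension while the
    target URL path ends in an executable one, e.g. the text
    'curriculum.doc' pointing at .../curricullum.scr."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [
        (text, href)
        for text, href in collector.links
        if _ext(text) in DOC_EXTS and _ext(urlparse(href).path) in EXE_EXTS
    ]


def sender_spoofs_recipient(msg):
    """True when the From address is also a To address, i.e. the headers
    were forged to make the mail look like it came from the recipient."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return bool(sender) and sender in recipients


def triage(raw_message):
    """Run both heuristics over a raw RFC 822 message; returns the findings."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        for text, href in disguised_executable_links(html):
            findings.append(f"link text '{text}' fetches executable {href}")
    if sender_spoofs_recipient(msg):
        findings.append("From address equals recipient address (forged header)")
    return findings


# Constructed samples (not the real spam); hosts and addresses are made up.
CV_MAIL = """From: "Michele Gomes" <michele.gomes@example.net>
To: recipient@example.com
Subject: Curriculum Vitae
Content-Type: text/html; charset=utf-8

<html><body><p>Please find my CV attached.</p>
<p><a href="http://files.example.net/cv/curricullum.scr">curriculum.doc</a></p>
</body></html>
"""

WATCH_MAIL = """From: recipient@example.com
To: recipient@example.com
Subject: Diamond Replicas - new arrivals
Content-Type: text/html; charset=utf-8

<html><body><a href="http://shop.example.net/catalog.html">See the catalogue</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("cv", CV_MAIL), ("watch", WATCH_MAIL)):
        print(name, triage(raw))
```

The link check compares the extension of the visible anchor text with the extension of the URL path, not the whole URL, so a query string or fragment after the executable name does not hide it. The self-sender check is a heuristic only: legitimate "send a copy to myself" mail will also match, so treat it as one signal to weigh alongside others rather than a verdict on its own.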

What’s new in the spam landscape?

  • German words are back on the spam map, indicating that spam targeting German-speaking countries is on the rise again.
  • Social engineering used as a means of infection: the curriculum-vitae trick described above relies on users' curiosity to trick them into opening the .scr file. Moreover, because the link poses as a .doc file, few users would suspect that it leads to a malicious executable.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
