The Spam Omelette #35

Welcome to this week





/* Style Definitions */
{mso-style-name:”Table Normal”;
mso-padding-alt:0in 5.4pt 0in 5.4pt;

Spam omelette 35

1. Privacy beats expectations: it
completely lacks

Ranking first in this week’s
issue of the Spam Omelette, the word PRIVACY has been detected in unsolicited
mail impersonating legitimate newsletters.  Most of these messages feature a Canadian
Pharmacy advertisemen t and make use of social engineering tricks such as
catchy message subjects in order to reach out to recipients.

privacy spam

A second batch of Canadian
Pharmacy spam is using celebrity names in the mail subject, a technique
resembling the Celebrity Gang approach. This week’s celebrity name popping out
from the charts is Avril Lavigne, as shown in the screenshot below.

privacy spam 2

2. On broken UNSUBSCRIBE links

The word UNSUBSCRIBE is also
encountered in spam messages impersonating newsletters. And, since the
technique is old and not quite successful in tricking users anymore, spammers
have added an extra spark of interest by abusing Michael Jackson’s name. This
batch of newsletters claims to provide the 
proof that Michael Jackson had been killed. In order to view the proof,
the user needs to accept the embedded image, which turns to be the same
Canadian Pharmacy ad. As usually, any link embedded into the message (including
the Unsubscribe option) takes the user to a clone website of Canadian Pharmacy.

Unsubscribe spam

3. Email is back on top

Ranking third in our weekly spam top, the word EMAIL has
been detected by the BitDefender spam analysts in a wave of messages allegedly
coming from FedEX. The spam message announces the recipients that they are to
receive a package of significant value but they cannot be reached. In order to
get the parcel on time, they have to fill in a form and send it to a non-FedEX
webmail address. The disclosed information may then be used by scammers for
identity theft or other illegal and damaging activities.

email spam

4. The missing LINK

The word LINK – this week’s newcomer in the Spam Omelette
top – has been detected in a wave of unsolicited mail also advertising Canadian
Pharmacy products. The message itself contains the text Your Link and a URL leading to a compromised webpage. A closer look
on the message reveals that this Canadian Pharmacy campaign makes use of
legitimate domains (which have been broken into) in order to perform the
redirect to the Canadian Pharmacy website.

link spam

In order to bypass Bayesian spam filters, the message
contains a significant amount of text inserted as HTML comments.

5. SUBSCRIBE to spam now!

The word SUBSCRIBE concludes this week’s spam top and has
been identified in multiple waves of unsolicited mail impersonating
newsletters. Although these messages feature distinct mail subjects, they use
the same template with a central image displaying the current Canadian Pharmacy

subscribe spam

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.