The Spam Omelette #44

Welcome to this week in review: September 23 – 30

Spam map 44

don’t go to college!

Ranking first in this week’s issue of the Spam Omelette, the
word PLEASE has been detected in
multiple spam waves advertising miscellaneous products – from the “regular”
Canadian Pharmacy pills to quick and dirty get-rich schemes or even academic

Although Canadian Pharmacy spam messages abusing the word PLEASE are still flowing, we’ll focus
on a different type of unsolicited mail, namely the diploma spam samples
collected by BitDefender via its network of honeypots.

Please spam

Diploma spam is hardly new around the block: the user is basically asked to pay
a fee in exchange for a sheet of paper stating that the victim has graduated from an
obscure (and most of the time unrecognized) learning institution. However,
this specific spam wave is highly targeted – it includes the recipient’s first
name, which means that the spammers behind this business have access to a database
of persons and their associated e-mail addresses (probably purchased on the
black market or even compiled to include users subscribed to miscellaneous
services). Once again, pay extra attention when you are required to sign up to
use a free service!

2. Canadian Pharmacy disguised as WebMD

Ranking second in this week’s spam top, the word WebMD
has been detected in messages advertising sexual enhancements from the
infamous online webshop Canadian Pharmacy. These messages impersonate a legit
newsletter allegedly signed by WebMD, the online resource on healthcare news.
The newsletter has been partly modified to include a central picture of
Canadian Pharmacy offers. This type of message is mostly sent by the Tedroo Trojan horse, a spam-sending bot.

Canadian Pharmacy webmd

here. We’ll take care of the rest!

The word CLICK has been detected in multiple spam waves
related to the world’s top spammer, the Canadian Pharmacy. Disguised as a sales
confirmation from Walmart, the message features a central image with the
Canadian Pharmacy offering. The spam message also contains a link to
unsubscribe, but clicking it would only take the victim to the webpage version
of the newsletter.

Click spam

4. TAX scams lurking in the dark

The 15th of September is usually the day when
United States citizens file the tax return papers for the previous year. Just
like any important event, the tax return day did not go unnoticed by spammers,
who started a malware attack using links to ZBOT-infected binary files.

Tax Return Fraud scam

The message allegedly sent by the Internal Revenue Service
asks the victim to review their tax statement by following an embedded link.
However, when clicking the link, the user would actually start downloading an
executable file infected with Zbot, an extremely dangerous piece of malware
with rootkit capabilities. For more information about IRS-related scams, please
visit this

me from spam newsletters

Ranking last in this week’s
issue of the Spam Omelette, the word UNSUBSCRIBE has been detected in
unsolicited mail also coming from Canadian Pharmacy. The message allegedly
allows the user to unsubscribe from the mailing list, but clicking any of the
unsubscribe links would only take the user to a Chinese web domain advertising
sexual enhancements from Canadian Pharmacy.

UNSUBSCRIBE me from spam newsletters

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.