SPAM REVIEW

The Spam Omelette #58

Welcome to this week

Week in Review: February 17 – 24

Spam Omelette 58 - Spam Review

1. The RIGHTS to spam you

Ranking first in this week’s issue of the Spam Omelette, the word RIGHTS is mostly found in messages advertising Canadian Pharmacy products in a newsletter-like form. The word is part of the footer disclaimer, which also includes a random 5-digit number. Clicking any of the embedded links redirects the user to a clone of the Canadian Pharmacy website.

The Rights to Spam

2. READING – a dangerous hobby

The word READING ranks second in last week’s spam top and has been mostly detected in messages advertising a wide range of pharmaceuticals, especially sexual enhancement pills and prescription-based drugs. In order to conceal their identity, spammers have modified the message headers before sending the messages.

Reading is a dangerous Hobby

3. VIEW your spam online

The word VIEW has been identified by the BitDefender spam researchers in messages also advertising Canadian Pharmacy products. The word appears as part of the alternative text displayed when the spam image is blocked by filters. Clicking any hyperlink included in the message redirects the user to a Canadian Pharmacy website clone. Interestingly enough, this week’s Canadian Pharmacy spam links forward the user to Canadian Pharmacy websites hosted in Russia, rather than in China, as usual. Moreover, it seems that the domain names hosting these clones are made up of two-word combinations (such as woodyear, lengthgame, etc.), rather than of random six-to-eight-digit numbers.

VIEW your spam online

4. The BROWSER knows its way

The word BROWSER takes fourth place in this week’s issue of the Spam Omelette and is also encountered in the alternate text displayed to the user when the spam image is blocked by filters. This specific wave of medicine spam features one centered image depicting this week’s offering. Unlike conventional image spam, this wave embeds images hosted on various image sharing websites.

The BROWSER knows its way

5. You can RUN, but you can’t hide from spam

The word RUN concludes this week’s issue of the Spam Omelette. It has been detected in spam messages advertising online casino Jackpot games. The message simply includes a link to the online casino, which is also the relevant part of the spam message. In order to trick Bayesian spam filters that would otherwise label a one-link-only message as junk mail, spammers have added extra text that makes no sense after a variable number of whitespace lines.

You can RUN, but you can't hide from spam
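The padding described in item 5 can be recognised by message structure instead of word statistics: a short, single-link head, a run of blank lines, then filler. The sketch below is an added example, not Bitdefender's detection logic; the thresholds, the sample messages and the casino.example / intranet.example URLs are constructed assumptions.

```python
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MIN_GAP = 3         # assumed: blank lines in a row that count as a padding gap
MAX_HEAD_WORDS = 8  # assumed: words allowed around the link in the visible part

def split_at_gap(body, min_gap=MIN_GAP):
    """Split at the first run of >= min_gap blank lines: (head, tail, gap_len)."""
    lines = body.strip().splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip():
            i += 1
            continue
        j = i
        while j < len(lines) and not lines[j].strip():
            j += 1
        if j - i >= min_gap:
            return "\n".join(lines[:i]), "\n".join(lines[j:]), j - i
        i = j
    return "\n".join(lines), "", 0

def analyze(body):
    """Flag 'one link, whitespace gap, filler text' and return what to score."""
    head, tail, gap = split_at_gap(body)
    urls = URL_RE.findall(head)
    head_words = URL_RE.sub(" ", head).split()
    tail_words = tail.split()
    padded = (gap > 0 and len(urls) == 1
              and len(head_words) <= MAX_HEAD_WORDS and len(tail_words) > 0)
    return {
        "padded_single_link": padded,
        "gap_lines": gap,
        "urls_in_head": urls,
        "tail_words": len(tail_words),
        # When padding is detected, score only the part the reader sees first,
        # so the filler cannot dilute a Bayesian filter's verdict.
        "scorable_text": head if padded else body.strip(),
    }

# Constructed sample messages (not taken from real spam).
SPAM = ("Play the Jackpot now http://casino.example/play\n" + "\n" * 6 +
        "river window gently forty table under cloud paper singing orbit\n"
        "lamp stone never walks beside yellow machine")
HAM = ("Hi Ana,\n\nThe report is at http://intranet.example/report and I "
       "added my notes to the last section.\n\n\n\nThanks,\nDan")

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM)):
        print(name, analyze(msg))
```

The ham sample also contains a gap and a single link, but its head is longer than a bare call to action, so it is left for normal content scoring.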

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.