SPAM REVIEW

The Spam Omelette #9

Welcome to the ninth issue of the Spam Omelette, our weekly review on spam and the latest industry trends! Before going any further, please make sure that you take a look at our testing and map generation methodology, as explained in our first issue.

Spam omelette 9 Map

This week’s spam landscape witnessed another major change, a sign that spammers keep on innovating in order to gain users’ interest and bypass spam filters.

1. MICROSOFT gets in the spam game

It may seem odd, but this week’s number one spam word is Microsoft. Interestingly enough, spam messages mentioning the Redmond-based company have nothing in common with the newly-introduced operating system, Windows 7. BitDefender spam analysts detected the word in scam messages allegedly coming from Microsoft. The unsolicited email informs recipients that they have qualified for a special, yet undisclosed “award”.

Microsoft Spam Image

The poor English (“Microsoft XP Window” instead of Windows), combined with extremely unfortunate HTML formatting, should be enough of a warning that the message is a scam and should be discarded immediately.

2. PRIVACY? Where?

Ranking second in our weekly top, the word Privacy has been detected in quite intrusive messages advertising cheap replica watches. The unfortunate spammers claim that the 124-bit (sic; presumably meant to be 128-bit) encryption algorithms used in e-banking can prevent friends and relatives from telling the original brand from a knock-off.

Privacy Spam Image


3. Wanna UNSUBSCRIBE? Impossible!

The Unsubscribe trick has been in use for quite some time now, but it seems to have worked for spammers, as it is included in almost every unsolicited message received through BitDefender’s honeypot network. The Unsubscribe link is extremely useful to spammers not only because it adds extra text to image-based spam to help it bypass Bayesian filters, but also because it lends extra legitimacy to an ordinary unsolicited message. The word has been identified especially in the PowerGain+ medicine campaign; in fact, the message mimics a legitimate message extremely well and even includes instructions for users whose email client blocks access to images.

Unsubscribe Spam Image

The PowerGain+ spam campaign is extremely aggressive and has outpaced the Canadian Pharmacy business in terms of sent messages this year. Another interesting aspect of this spam campaign is the fact that all the received messages have been forged to look as if they had been sent from the recipient’s own personal mail address. Put briefly, the sender’s address is always identical to the recipient’s.
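The two traits of the PowerGain+ campaign described above (sender forged to match the recipient, and an image-only body padded with an “Unsubscribe” line) can be turned into simple header and body checks. The snippet below is an added example, not BitDefender’s code; the sample message is constructed for illustration and the word threshold is an assumed tuning value.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TAG_RE = re.compile(r"<[^>]+>")


def header_addr(msg, name):
    """Lower-cased address part of a header, or '' when the header is absent."""
    return parseaddr(str(msg.get(name, "")))[1].lower()


def spam_indicators(raw_message):
    """Return the names of the indicators a message triggers.

    Two heuristics taken from the PowerGain+ campaign:
      from_equals_to     - sender address identical to the recipient address
      image_unsubscribe  - HTML body that is mostly an image, with an
                           'unsubscribe' line as almost the only visible text
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    sender = header_addr(msg, "From")
    if sender and sender == header_addr(msg, "To"):
        hits.append("from_equals_to")
    # Gather the HTML body (single-part message or text/html leaf of a multipart)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
    if "<img" in html.lower():
        visible = TAG_RE.sub(" ", html)          # strip tags, keep visible text
        if len(visible.split()) < 40 and "unsubscribe" in visible.lower():
            hits.append("image_unsubscribe")    # 40 words is an assumed threshold
    return hits


# Constructed sample modelled on the campaign; not a real captured message.
SAMPLE = """\
From: user@example.com
To: user@example.com
Subject: Your order
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://spam.invalid/ad.gif" alt="">
<p>If images are blocked, click "Display images" in your mail client.</p>
<p><a href="http://spam.invalid/u">Unsubscribe</a></p>
</body></html>
"""
```

`spam_indicators(SAMPLE)` returns both indicator names; a plain-text message from a different sender returns an empty list.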

4. When PLEASE means more spam

The word “PLEASE” has been identified in only one spam campaign, which belongs to the advance-fee scam category. The message informs its recipients that they have been chosen to receive a large amount of money (US $700,000) collected through donations. When the user tries to claim the money, they are required to pay a specific sum into an anonymous account as transaction fees.

Messagio! Spam Image

Please remember: if a message contains information that sounds too good to be true, it probably is, and you should discard the message immediately.

5. CANADIAN Pharmacy strikes back in new form

Once known as the biggest spam source in the world, Canadian Pharmacy slowly shrank to the point of disappearing (in December 2008 and early 2009, probably affected by the dissolution of the Storm botnet), but it now strikes back under a new moniker: Canadian Health & Care Mall. The message count is still small compared to its predecessor, but we expect it to grow larger in the following months.

Canadian Spam Image

What’s new in the spam landscape?

Apart from the “regular” presences in our weekly top, BitDefender antispam analysts identified yet another kind of spam message that uses social engineering techniques to steal unwary users’ identities.

Reunion Spam Image

The message informs the recipient of an alleged class reunion event, but when they follow the embedded link for more information, they are presented with a fake login page asking them to input sensitive personal data.


About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.