English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Absent-minded spammers

Tatiana Kulikova
Kaspersky Lab Expert
Posted April 09, 13:42  GMT
Tags: Spam Letters, Social Engineering
0.1
 

A large number of scam emails disguised as newsletters sent by the CNN television channel have been detected again. Sensational headlines are used in the messages to grab the attention of recipients (e.g., falling stock indexes, the election of a new Pope etc.). Users are asked to click on the links provided in the messages to get access to the complete versions of the articles. To make them look authentic, the emails also include links to real CNN pages, but of course the link with the main piece of news is fake. It leads to a compromised website which uses JavaScript to redirect the user to a site hosting malware – in this case, the Blackhole exploit kit.

At the same time as the CNN newsletter scam, there has also been an epidemic of scam emails imitating Facebook notifications. In these emails, spammers suggested that users check out new comments on their photos. The mechanism used in the malicious link was the same as in the case described above. The most curious part, though, was that the scammers did not even bother to change the links. While in the former case the link included “cnnbrnews.html” after the domain name, the same ending in the link provided in fake Facebook messages looks out of place.

Unfortunately, this is the only part of the scam where the cybercriminals were careless. Emails containing the malicious links are still being distributed, so be cautious when handling suspicious messages.


2 comments

Oldest first
Threaded view
 

mark117

2013 Apr 09, 21:34
0
 

Spammers

Hi Tatiana Kulikova

Thank you for a great article,
Spammers are the bane of every computer user, i get regular spam e-mails almost on a daily basis,
thank "GOD" for filters that you can put in to place to try to help in the fight against spammers/spambots,
i use the Kaspersky PURE 3.0 blocklists along with the filter rules that i have set up on my live account to trash any and all junk e-mail,
especially the ones that are for "Gambling, Porn, Sex, Drugs," and the like.

I have noticed that there does seem to be a number of cases where the spammers have tried to use legitimate sites to try to lure the unsuspecting public "That's Me You" to our doom and to be infected,

The only advice that i can give to anybody/ /everybody on the internet and whom uses some kind of e-mail service or AntiVirus is,

1: DO NOT OPEN E-MAIL FROM SOMEBODY YOU DO NOT KNOW.
2: ALLWAYS AND I MEAN ALLWAYS CHECK THE LINKS IN THE E-MAIL'S.
And Finally
3: IF IN DOUBT, CHECK IT OUT "THE LINKS OUT".

Safe surfing to everyone out there
Peace Respect
mark117

Reply    

David Bacher

2013 Apr 10, 03:35
0
 

The spammers have been getting lazier for a while, to be honest.

But then, if the e-mail programs understood their users better...

A typical notification URL is going to have a link to view the notification online. That's going to have a path with some long, unique, random identifier on it. There's sometimes going to be the query string that ate Cleveland, as well. All that is just magic to all of us -- if I'm analyzing the URL, I have no way to know if that part of the URL is valid or not.

So what I care about is the base domain, without the subdomain component. Because that's that part that tells me who -- roughly -- is processing the request. If it's a service like Azure or GAE, I still want to see them -- because whoever the subdomain claims to belong to, I've got no way to verify it. And so unless they bother to pay the $0 to set up a CNAME alias and point it at Azure, GAE, etc., there's not a way for me to know if its really them or not.

And so literally -- what I want to see is just the domain name that is servicing the link.

If you look at all those fake e-mails -- that step alone would help considerably. I also don't understand why no AV program is marking links as suspicious if the text matches a domain name pattern, or the text matches a URL pattern, and the href value points someplace unrelated.

That is, if the link has Facebook or Google's domain name as its only content, then you'd expect the HREF to point at one of those two sites. Similarly, if the text is a complete URL or contains a complete URL, you'd expect the href to match -- if not that would be relatively suspicious.

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog