
Spam Test|Spammers change their tune

Anna
Expert
Posted October 19, 06:54  GMT
Tags: Spammer techniques

Spammers have brought another instrument into their orchestra of tricks: MP3 audio files. This new type of spam is circulating in European mail traffic: a blank message body, a classic social-engineering subject line, and an attached MP3 file. There has been speculation for some time that this would happen, and although the development is interesting, we don't think MP3 spam has much of a future.

The audio file itself carries a 'stock spam' message designed to inflate the share price of a particular company. But the spammers have had to make a trade-off between keeping the file small and keeping the recording comprehensible, and they have misjudged it: the sound quality is poor and the file is hard to listen to. Even if a user bothers to sit through almost 30 seconds of advertising, they are unlikely to be persuaded to buy, because listening to a recording, noting the details and then going online is a far longer process than simply clicking on a link in an email.

However, this latest mass mailing demonstrates once again that spammers are still trying new tricks in their continued quest to slip advertising past spam filters and trick unwary users.


Spam Test|More stock (s)[p]<a>{m}!

Anna
Expert
Posted August 20, 12:16  GMT
Tags: Spammer techniques

Most recent spammer innovations have centered around "pump and dump spam". This is what spammers were mass-mailing out in those .pdf and .fdf attachments that we've seen recently. And this is the spam that comes in graphics files, with the text often rotated several degrees, and other spammer tricks.

And now we've seen the latest innovation, which really had me scratching my head. This spam is designed for die-hard puzzlers: the spammers have taken a very strange approach – splitting key words, such as 'stock', 'buy' etc. with non-alphabetic characters. The problem is that the plethora of non-letter symbols – curved brackets, asterisks etc. – make it very hard to read the text. In fact, someone would have to be extremely motivated to read such an email all the way through.

[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)

Chi,na YouT-V <C> [o](r){p}<.>
S,ymbol: [C] <Y> [T](V)

We [h]{a}(v)[e] a`lready (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]<.>

Pre#ss Re,lease:
Chi^na YouTV^'s C-nBoo (W)(e){b} <s> {i}(t)(e) Ran#ks [N][o][.][1] on Micros`o*ft [L](i){v}(e) Searc#h Engi#ne


...

Of course, spammers are just trying to get round spam filters to deliver their message to end users. But they seem to have forgotten one very simple rule – it's not enough simply to get the spam to the mail box, the user has to read it, too! And who is going to plough their way through a strange message crammed with a variety of brackets and other out of place punctuation marks?

If we take a look at the history of spam evolution, we can see that this isn't something totally new. In 2003, spammers conducted similar experiments, littering their emails with symbols and non-Latin letters, resulting in messages that looked like this:

Vl/\GR/| $0.95 /l)0SE
C|/|L|S $2.00 /|)0SE
}{E|\||C/lL $0.91 /l)()SE
PR()PECl/|GR/\, GLUC()PH/|GR/|GE, V|0} {}{,
CELEBRE}{, |\/|ERl|)l/\, Z()L0FF, P/l}{lL, LlP|T()R
E l\l T E R

The result was almost unreadable emails, which quickly disappeared from the scene. Spammers clearly decided that this wasn't a promising approach. However, either they got some return on their mass-mailings, or what we're seeing now is a new generation of spammers who haven't learnt from the mistakes of the past. We'll see how long this latest wave lasts.
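As an added illustration (not part of the original post, nor of any Kaspersky filter), here is the normalisation a text-based filter needs before keyword rules can see through both tricks shown above: stripping the inserted brackets and punctuation from the 2007 sample, and mapping the ASCII-art glyphs of the 2003 sample back to letters. The two samples are copied from the messages quoted above; the keyword lists, the glyph table and the decision to collapse whitespace are this example's own assumptions.

```python
import re

# Constructed sample input: lines copied from the obfuscated pump-and-dump
# message quoted in the post above.
STOCK_SPAM_2007 = (
    "[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)\n"
    "Chi,na YouT-V <C> [o](r){p}<.>\n"
    "S,ymbol: [C] <Y> [T](V)\n"
    "We [h]{a}(v)[e] a`lready (s) <e> <e> (n) CY*TV's m^arket imp.act "
    "bef^ore c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]<.>\n"
    "Pre#ss Re,lease:"
)

# Constructed sample input: three lines of the 2003 ASCII-art style quoted above.
PHARMA_SPAM_2003 = "Vl/\\GR/| $0.95 /l)0SE\nC|/|L|S $2.00 /|)0SE\nE l\\l T E R"

# Keywords a scoring rule might look for (chosen for this example, not a real rule set).
STOCK_KEYWORDS = ("symbol", "news", "market", "press release", "corp", "stock")
PHARMA_KEYWORDS = ("viagra", "cialis", "dose", "enter")

# Glyphs seen in the 2003 sample, longest first so the greedy scanner prefers
# "/l)" (D) over "l" (I) and "/|" (A) over "|" (I).  Tuned to this upper-case
# sample; a production homoglyph table is larger and context-gated.
LEET_GLYPHS = sorted(
    {"|\\/|": "M", "/l)": "D", "/|)": "D", "l\\l": "N", "/\\": "A", "/|": "A",
     "|)": "D", "()": "O", "}{": "X", "0": "O", "|": "I", "l": "I"}.items(),
    key=lambda kv: -len(kv[0]),
)


def strip_decorations(text):
    """Keep only letters, digits, '$' and whitespace.

    Undoes the 2007 trick: brackets and stray punctuation inserted inside
    words vanish, so "[h]{a}(v)[e]" becomes "have".  Whitespace survives, so
    "(s) <e> <e> (n)" still reads "s e e n"; squash() deals with that.
    """
    return re.sub(r"[^A-Za-z0-9$\s]", "", text)


def deleet(text):
    """Greedy left-to-right replacement of ASCII-art glyphs with letters."""
    out, i = [], 0
    while i < len(text):
        for glyph, letter in LEET_GLYPHS:
            if text.startswith(glyph, i):
                out.append(letter)
                i += len(glyph)
                break
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def squash(text):
    """Lower-case letters and digits only, whitespace removed, so a keyword the
    spammer split into spaced single letters matches as one substring."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def keyword_hits(text, keywords, normalizer=strip_decorations):
    """Count each keyword in the normalised, squashed text."""
    haystack = squash(normalizer(text))
    return {kw: haystack.count(squash(kw)) for kw in keywords}


def raw_hits(text, keywords):
    """What a naive filter sees: keywords searched verbatim in the raw text."""
    lowered = text.lower()
    return {kw: lowered.count(kw) for kw in keywords}


if __name__ == "__main__":
    print("raw   :", raw_hits(STOCK_SPAM_2007, STOCK_KEYWORDS))
    print("normal:", keyword_hits(STOCK_SPAM_2007, STOCK_KEYWORDS))
    print("2003  :", keyword_hits(PHARMA_SPAM_2003, PHARMA_KEYWORDS, normalizer=deleet))
```

On the 2007 sample the raw search finds none of the keywords, while the normalised search finds "symbol", "market", "press release", "corp" and two occurrences of "news". Collapsing whitespace is what makes "(n)(e) <w> [s]" match, at the price of letting keywords match across word boundaries, so this form suits a weighted scoring rule rather than a hard block. The "0" to "O" mapping mangles prices, which does not matter for keyword scoring but would for any rule that reads amounts.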


This morning I received the following message in my Yandex.ru inbox:

Thank you for using the Yandex.ru national email service!

Recently, many email accounts have been opened for the purpose of sending spam. As a result, we have actively begun to delete these addresses from the server.

At present, all email accounts with suspicious names - including yours - have been put on a blacklist, and all users are being asked to re-authorize their account using the following link: http://r.yandex.ru/****/yandex/?id=02cfdd227b9735c35a8288f37c020cd2&p=blacklist&mt=0.090866193010010

Once you have completed the re-authorization process, your email address will automatically be removed from the blacklist, because it means you will have confirmed reading this email, which could not happen with a spammer address.

All email addresses that are still on the blacklist as of August 2007 will be deleted from our server, striking a major blow against spammer organizations and improving Yandex.ru email services.

Don’t forget - if you receive an email with advertising content that you did not request, you can report it as spam. The Yandex.ru administration reviews all complaints and will modify its filtering algorithms for new kinds of spam.

Thanks again for using Yandex.ru.

Sincerely,
The Yandex.ru Administration

I was only half awake when I read this and I almost followed the instructions in the email. But common sense prevailed: I suspected something was fishy and I decided to check this out. Turns out I was right: the address shown in the browser's status bar when you move the cursor over the link is http://r.yandex.ru/..., which actually takes you to a page hosted by the freebie service tu1.ru. If you go directly to the address (by copying it from the browser window), you will find that there is no such site.

If you look deeper, you will find several other minor things that don’t match up:

  • The email is missing at least one comma (according to Russian grammar rules);
  • The email is suspicious in terms of the general rules of formal correspondence, i.e. the style of the email is strange;
  • Why is the email address for "Yandex.ru Administration" postmaster@sharabee.nichost.ru?
  • If you open the link to the so-called “Yandex authorization service”, you’ll see a context ad in the upper right hand corner - an ad which is nowhere to be found on the official Yandex website.

This is a classic example of phishing. Phishing attacks on Russian services are still uncommon. As far as I can remember, this is the first mass phishing email using @yandex.ru addresses - at least of the ones that have got around spam filters. This gives phishers an element of surprise, and there's no doubt that they'll manage to harvest numerous passwords, even though their ploy is primitive and poorly thought out (and all the more so if it had none of the careless mistakes listed above).

It is easy to avoid phishing if you follow a simple rule: always make sure that the domain name of the link in question is authentic. To do this, do not just click on it: copy the link's real target address (not the visible link text, which can say anything) and paste it into a new browser window. This defeats most of the tricks used to disguise the real URL. The one thing it cannot settle is a redirector on a legitimate domain, as with the r.yandex.ru link here: only following the link shows where it finally leads.

If you do fall for a phishing ploy and enter your password on the page the link led to, change your password as soon as possible.


Spam Test|Spammers mock Yeltsin’s death

Anna
Expert
Posted April 26, 13:19  GMT
Tags: Spam Letters

Yesterday all of Russia was saying farewell to Boris Yeltsin, Russia's first president. All? Not the spammers: they were too busy flooding email traffic with messages whose subject line read "Boris Yeltsin lives".

Inside, the emails had the following text:

Yeltsin woke up in his coffin!!!
Yeltsin IS NOT DEAD!!!
HE fell into a coma! Everyone is in shock!!!
[Translation]

The text was naturally followed by a link to read more. Thankfully, in this case the links did not lead to malware.

Spammers are well known for using hot topics as social engineering tools to get naïve users to respond to spam. Deaths or purported deaths of well known figures are a popular topic.

The links in the Yeltsin spam led to a community board where people can ask doctors questions. Many upset victims left angry posts, but the moderators have not responded to date. The point of the spam attack? The target site is a community effort, so unless one of the advertisers on the site paid for it, there doesn't seem to have been any real point.

In any case, the spammers have once again demonstrated their lack of respect for basic human values.


Spam Test|Hearts and flowers and seated massage

Anna
Expert
Posted March 08, 07:30  GMT
Tags: Spam Letters

Now that we've got 23rd February spam out of the way, the spam for 8th March, International Women's Day, has started flooding in.

It's an important holiday over here, and the spammers are once again fulfilling a public service role by offering a range of gifts: the almost obligatory flowers, candy, jewellery and watches. Interestingly, we're seeing messages offering Rolexes both in Russian and English. I hope no-one is foolish enough to respond to this spam - I would have a hard time looking pleased if someone gave me a fake Rolex.

One of the most original gifts offered is fifteen minutes of seated massage, with the masseur coming to the office. It's a nice thought, particularly when we've all been so busy getting ready for the holiday. But once again, I do hope that none of my colleagues or friends get me a gift from a spammer - given the volumes of spam we've been receiving lately, they don't need any encouragement.


Spam Test|The best a man can get

Anna
Expert
Posted February 22, 12:07  GMT
Tags: Spam Letters

Over here in Moscow, we didn’t see that much Russian language spam in the run-up to Valentine’s Day. This isn’t really surprising, as 14th February isn't a traditional Russian holiday.

The run-up to Spring does include a couple of major national holidays: 23rd February and 8th March. In Soviet times, the 23rd February was Red Army Day - it's since been renamed 'Defenders of the Fatherland Day', but in practice it's simply a celebration of masculinity, with parties, drinking, and appropriately masculine presents being given by partners and colleagues. And naturally, the question of what to give is being actively exploited by spammers.

Our spam traps have been inundated with a whole variety of offers: solar torches, mini toolkits, barbecue grills, pens and wallets. So far, so standard. Some spammers, though, are determinedly targeting the traditionalists and the military minded by offering tank driving experiences, airplane flights and a whole range of weaponry, including crossbows. Delivery of a crossbow, complete with bolt, is free within Moscow - if you live further out, you'll have to pay the shipping fees.

It will be interesting to see what the spammers offer for 8th March, which is International Women's Day. Probably nothing as exciting as a crossbow, but we'll keep you posted.


Spam Test|Forget Amazon, get your books by spam!

Anna
Expert
Posted February 08, 11:42  GMT
Tags: Spam Letters

Russian Internet users got an unusual surprise recently when they found a book in their mailboxes. The email from the author included links to his site, a selection of his poems, and a message saying "Today you get a book with your spam. Enjoy reading ‘Man with a capital letter’, the first spam book in Russia."

I’m a spam analyst, not a literary critic, but the poems in my mailbox struck me as definitely being of the Moon/June variety.

So instead of analyzing the quality of the writing, I started thinking about a different issue. Is this book really spam in the traditional sense of the word?

If we use the standard definition of spam, then the answer is yes: an unsolicited message that was anonymously mass mailed. (By anonymously I mean that the mailing was conducted using a zombie network, with no clue as to the original source.) And although the author isn't exhorting the recipients to actually buy his book, it's still advertising and it's still PR.

Of course, it's nicer to get poetry by email than to get a message exhorting you to enlarge everything it's possible to enlarge, or to stock up on Viagra for the next hundred years. But if this becomes a trend, where will it end? Users will find themselves buried in unliterary ditties, blueprints from mad inventors, and the political and economic plans of everyone who's ever decided that their country needs a new government.

Like most users, I don’t want to see any of this in my personal mailbox. I want to get mail from friends and relatives. I want to read the books that I choose when I want to read them, not when they get sent to me by email. So sorry, but the place for this book isn’t in my mailbox, or even on my ebookshelf. It belongs with the rest of the spam - in the recycle bin.


Spam Test|Spam, viruses, and Putin's death

Anna
Expert
Posted October 25, 14:34  GMT
Tags: Spam Letters

The Russian president is dead! That’s one of the messages we received at the Kaspersky Spam Lab today.

Perhaps it's not surprising that it turned out to be a classic social engineering technique: arouse the user's curiosity to get him or her to click on a link in the email. Of course, the grammatical errors in the message, typical of spam, should be enough to put users on their guard.

However, it seems that there are still enough trusting people out there for such an approach to bear fruit. And today’s mass mailing turned out to be confirmation of the fact that more and more often, virus writers are using spam to circulate their creations.

Subject: ATTENTION !!! President of Russia has dead.

Attention!!!
Vladimir Putin has dead. Visit immediately to http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stm

BBC, BBC World and their respective logos are trade marks of the British Broadcasting Corporation, Logos © 1996

The link in this 'sensational' message appears to lead to the BBC site, an organization with a worldwide reputation. But a user who clicks on it is sent to a Russian site which has nothing at all to do with the BBC. HTML makes this possible: the visible link text is the BBC address, but the anchor's real target, which the user does not see, is a different site.

And what's the point? After all, the message isn’t selling anything. Well, according to our virus analysts, when you visit this site, Exploit.JS.ADODB.Stream.o is used to download a Trojan-Downloader (Trojan-Downloader.Win32.Agent.uj) onto your machine. And once a Trojan-Downloader is on your machine, it will probably start downloading other malicious programs...

In other words, curiosity can kill your computer. And put your personal data at risk. So here’s a gentle reminder - spam isn't just a nuisance or an irritation. It's a real cyberthreat.
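An added example, not code from the original posts, of the check the two phishing stories above call for: parse the HTML body, pair each link's visible text with its real href, and flag those where the text is itself a URL on a different host. The sample message is constructed in the style of the Putin mail quoted above; attacker.example is a reserved example domain and lists.example.net a placeholder, not real hosts from the page. Note the limit the Yandex case shows: a redirector sitting on a legitimate host passes this test, and only following the link reveals where it ends up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML mail body in the style of the "Putin" message
# quoted above.  The visible text is the BBC URL from the post; the real
# target (assumed: attacker.example, a reserved example domain) is elsewhere.
SAMPLE_HTML = """
<p>Attention!!!<br>
Vladimir Putin has dead. Visit immediately to
<a href="http://attacker.example/go?id=1">http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stm</a>
</p>
<p>Unsubscribe: <a href="http://lists.example.net/unsub">http://lists.example.net/unsub</a></p>
<p><a href="https://www.example.net/login">Sign in</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Lower-cased host of a URL with a leading 'www.' dropped.  Assumption:
    whole hostnames are compared; a public-suffix-aware comparison would
    treat news.bbc.co.uk and www.bbc.co.uk as the same site."""
    host = urlsplit(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html):
    """Return (href, text) pairs whose visible text is a URL on a different
    host from the href: the 'invisible link underneath' trick."""
    parser = LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://")):
            continue  # plain text such as "Sign in" makes no host claim
        if registrable_host(text) != registrable_host(href):
            deceptive.append((href, text))
    return deceptive


if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_HTML):
        print(f"shown: {text}\n  real: {href}")
```

The same comparison is what a mail client's status bar gives you by hand; running it over every anchor in a message turns the post's "check where the link really goes" into something a gateway can do before the user ever sees the mail. Lookalike domains and legitimate redirectors still need a reputation lookup or an actual fetch.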


Spam Test|An animated August

Anna
Expert
Posted August 30, 14:17  GMT
Tags: Spammer techniques

We've recently detected yet another new trick being used by spammers.

Spam now isn’t just being sent as a static graphical image in an attachment, but as an animated image. Spammers are using GIF animation which will be recognized and displayed by all popular browsers.

Normally, animated spam has between two and four frames; out of these, only one of them actually contains significant information about the goods or service being promoted. The remaining frames simply act as background, or contain other pictorial elements. The main frame is displayed to the user for up to 10 minutes, while the remaining frames will be displayed for mere tenths of a second.

The screenshot on the left shows the main frame of such a message. On the right is an example of one of the remaining frames (the original message contained three frames in all.)

As far as we can tell, at the moment animation is confined to stock spam (that is, spam promoting specific stocks). However, there's nothing to say that this technique won't become widespread in the future.

Spammers are always developing new techniques to evade spam filters. Whether animation will make spam harder to detect isn't yet clear. It's true that many spam filters don't analyse the graphics in a message at all; most of them analyse the message structure, the text content and so on. Animated spam may well cause serious problems for simple filters that work purely on the message text and don't recognise text rendered as an image. However, such filters are ill equipped to cope with any kind of graphical spam, animated or not.

On the other hand, although animating the message is a novel trick, better spam filters are able to detect and filter out animated spam.
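As an added example, not from the original post or from Kaspersky's filters: a minimal standard-library GIF walker that reads each frame's delay from the Graphic Control Extension without decoding pixels, plus the heuristic the post describes, one frame held for a very long time while the others flash by. The sample GIF is built inline (a 1x1 image, constructed for this example); the 10-second hold and half-second flash thresholds are assumptions.

```python
import struct


def build_gif(delays_cs):
    """Constructed sample: a 1x1 GIF89a with one frame per delay value
    (hundredths of a second).  Pixel data is a minimal valid LZW stream."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 1x1, global colour table flag set
    out += b"\x00\x00\x00\xff\xff\xff"               # 2-entry table: black, white
    out += b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"  # loop forever
    for delay in delays_cs:
        out += b"\x21\xf9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"  # GCE
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)               # image descriptor
        out += b"\x02\x02\x44\x01\x00"   # LZW min code size 2; codes: clear, pixel 0, end
    out += b"\x3b"                       # trailer
    return bytes(out)


def _skip_sub_blocks(data, pos):
    """Skip a chain of length-prefixed sub-blocks terminated by a zero byte."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def gif_frame_delays(data):
    """Return each frame's delay in hundredths of a second by walking the
    GIF block structure: header, colour tables, extensions, image descriptors."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    flags = data[10]                        # logical screen descriptor packed byte
    pos = 13
    if flags & 0x80:                        # global colour table present
        pos += 3 * (2 << (flags & 7))
    delays, pending = [], 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:               # Graphic Control Extension: delay at +2
                pending = struct.unpack_from("<H", data, pos + 2)[0]
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                 # image descriptor: one frame
            local_flags = data[pos + 8]
            pos += 9
            if local_flags & 0x80:          # local colour table
                pos += 3 * (2 << (local_flags & 7))
            pos += 1                        # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
            delays.append(pending)
            pending = 0
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return delays


def looks_like_animated_spam(delays, hold_cs=1000, flash_cs=50):
    """Heuristic from the post: one frame held for a long time (assumed
    threshold 10 s) while every other frame shows for at most half a
    second, i.e. one real message frame plus decoy frames."""
    if len(delays) < 2:
        return False
    longest = max(delays)
    others = list(delays)
    others.remove(longest)
    return longest >= hold_cs and all(d <= flash_cs for d in others)


if __name__ == "__main__":
    sample = build_gif([60000, 10, 10])     # main frame 10 min, two decoys 0.1 s
    print(gif_frame_delays(sample), looks_like_animated_spam(gif_frame_delays(sample)))
```

The GIF delay field is a 16-bit count of hundredths of a second, so the "up to 10 minutes" the post mentions is close to the largest value the format can express (about 655 seconds). A filter that wants to OCR the image should run the OCR on the long-held frame only; the flashing frames are the background noise.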


News|The demise of Blue Security

Anna
Expert
Posted May 19, 15:20  GMT
Tags: Spammer techniques

There’s been a lot of media interest in the demise of Blue Security, the Israeli company which launched antispam campaigns in 2005. As a spam analyst, I’m also interested in the topic - I think that the criminalization of the Internet in the form of spam, hackers, and virus writers, is often underestimated. Spammers, hackers and virus writers all have access to powerful technologies which pose a threat to Internet users. One example of this was the Blue Security case.

Kaspersky Lab doesn’t have data which lets us draw conclusions about the nationality of a spammer, and this makes it difficult for us to confirm the assertions issued by Blue Security representatives. However, Kaspersky Lab does have samples of threatening spam which was sent to Blue Security users.

It's interesting that the wording of these samples seems to show the spammers justifying themselves, with the words 'we don't want to, but BlueSecurity is forcing us'.

The messages also included threats saying that the targets would effectively be subjected to a DoS attack: ‘you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally. How do you make it stop? Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again’

I don't think that any spam analyst was really surprised that Blue Security came to a sticky end. Of course, we're not happy that the spammers appear to have won this round. But destabilizing sites if the site names are mentioned in spam is a very dubious tactic - it's neither ethical nor really legitimate.

I think that the path Blue Security chose was more or less doomed, if not to failure, then at least to causing a lot of Internet users, not just spammers, to react negatively. Why go down this road at all? There are plenty of spam filters available on the market. And ultimately, spammers should be punished by law enforcement bodies in accordance with legislation. In my view, users taking matters into their own hands is an unacceptable form of vigilantism.
