28 Sep A race against the spammers
14 Feb Valentine’s coupon
08 Nov Fake Kaspersky Antivirus
07 Nov Gaddafi’s death in spam
A few days ago, the latest VBSpam results were published. The testing, conducted by Virus Bulletin in August, saw Kaspersky Linux Mail Security 8.0 detect 99.93% of all the spam messages used in the test. This is a new record for Kaspersky of which we are very proud (if the number of congratulatory emails flying back and forth between us is anything to go by). Eugene Kaspersky also mentioned the result in his blog (http://eugene.kaspersky.com/2012/09/27/kaspersky-server-anti-spam-no-longer-the-underdog-more-top-dog/) – he’s proud of us too :)
Apple fans are eagerly awaiting the arrival of iPhone 5 which is due out today. Each unveiling of an iDevice is accompanied by a global buzz of excitement which usually attracts the attention of spammers: every new iPad or iPhone inevitably becomes the bait in numerous fake lotteries and other fraudulent emails.
However, customers are not only interested in Apple’s devices but also their accessories. This year’s first registered mass mailing dedicated to the new iPhone came from a Chinese company that has decided to fill this niche.
The advertiser, having first apologized for any inconvenience that may be caused by the email, offers users the chance to buy a case for the new iPhone 5 which has not even been officially presented.
Considering the sort of promises that usually appear in spam, one can only wonder why the sender didn’t offer an actual iPhone 5 or, better still, an iPhone 6 (or whatever it’ll be called in 2013? iPhone 5v?).
Summer 2012 will be packed with sporting events. This week sees the Euro 2012 football championship kick off in Poland and Ukraine. The tournament will bring together 16 of Europe’s best teams, and football fans from all over the continent will be watching closely regardless of whether their country qualified for the finals or not. Official ticket sales for Euro 2012 were launched on 12 December 2011, but spammers – rather unusually for them – were in no hurry to exploit the event. The first mailing offering tickets to Euro 2012 was only detected at the beginning of January. Since Ukraine is one of the host countries for Euro 2012, there were lots of messages in Russian and Ukrainian. The aforementioned message offering tickets was just one of them.
It may not be in the same league as Christmas and New Year, but with every year Valentine’s Day is being exploited more and more by spammers. In the week before it is celebrated this year Valentine’s spam accounted for 0.3% of all spam.
We registered the first Valentine’s spam as far back as 14 January – a whole month before the holiday itself – and it struck us as being rather unusual.
Like the majority of spam mass mailings exploiting the Valentine’s Day theme, this particular mailing was in English. It is a well-known fact that the lion’s share of English-language spam is distributed via partner programs. (Unlike other parts of the world, the practice of small and medium-sized companies ordering spam mailings or sending out spam themselves is not very popular in the USA and most western European countries.) However, the first Valentine’s spam of the year bucked this trend and had nothing to do with a partner program.
This particular offer for Valentine’s Day gifts made use of coupon services.
As you can see from the screenshot, the recipient is urged to buy a small gift for their loved one making use of a discount, an offer which the company made via the major coupon service Groupon.
Coupon services have proved to be a big success around the world. Every day various websites offer special deals on anything from two to several dozen goods or services.
Groupon is one of the biggest Internet projects of its kind and it’s fairly easy to find its promo campaigns online. The site also informs its subscribers about new deals via email. The company behind the first Valentine’s spam detected by Kaspersky Lab combined an advert on this major portal and Groupon’s own legitimate email campaign with a spam mailing of its own.
We’ve already noted that for small companies coupon services are fast becoming a credible alternative to spam advertising. Judge for yourself: the method used to spread adverts is the same – via email, but spam filters don’t block legitimate mailings from major Internet resources. Another important advantage is that the firms that offer coupon services are not breaking the law. The size of the mailing may well be less than a spam mailing that a company could order, but the legitimate mailing is sent out to the relevant region and the recipients are genuinely interested in special offers sent by coupon services. As a result, a targeted, legitimate mailing can be more effective than the typical ‘carpet bombing’ associated with traditional spam.
Coupon services have had a noticeable impact on mail traffic and Internet advertising. They have also affected spam. There are now a number of spam categories associated with coupon services.
The first is that of unsolicited mailings by the services themselves. This category of spam is quite rare – the more serious companies don’t want to tarnish their reputation by being associated with spam. However, some start-ups trying to break into the market are willing to resort to spam in an attempt to attract subscribers or to allow their platforms to be used for promotions by other companies.
Another category of ‘coupon’ spam is that which simply uses the word “coupons” instead of “discounts” to make goods or services more attractive to users. These spam mailings can offer ‘coupons’ for some of the most unexpected items. For instance, the people behind pharmaceutical spam think nothing of offering a small discount on medications and passing it off as a coupon.
A third category of coupon spam includes things like the Valentine’s spam mentioned above. This involves a company whose offers are already available via a coupon service attempting to reach a wider audience by resorting to spam. As I see it, this approach is counterproductive. The majority of users react negatively to spam, and using it to advertise will only do harm to a company’s reputation. This is especially important as many coupon services rely on the trust of their users. Spam, therefore, can actually work against a coupon service, reducing the effect of a promotion instead of enhancing it.
The potential popularity of coupon services carries with it a specific threat. Users of the services tend to leave some money on their account balance so they can spend it at any time on a deal that takes their fancy. Although the amount of money stored on such accounts may not be very much, it is still likely to attract phishing attacks against the customers of coupon services.
So as not to play into the spammers’ hands, or to avoid falling victim to a phishing attack, when using these coupon services, users need to follow three simple rules:
Coupon services often send purchased coupons as an attachment in an email. If you have not purchased any coupons from the service, there’s a chance that an email attachment might be malicious. If you are not sure whether or not you bought the coupon, you can always check by logging in to your account on the service’s own website rather than opening the attachment. We have not yet detected a malicious attachment disguised as a coupon. Nevertheless, we recommend that users be careful – spammers that participate in partner programs are usually the first to react to new opportunities, including those that involve spreading malicious code. It’s just a matter of time before this type of spam traffic appears.
Over the weekend, someone wrote to us complaining that Kaspersky Lab was sending spam. Naturally, this came as a bit of a surprise, seeing as how we do nothing of the sort; in fact we do quite the reverse: we combat spam. Of course, we wanted to find out why a user had come to the conclusion that Kaspersky Lab was sending spam to them.
The email that the user complained about had all the hallmarks of a typical online scam: behind the nice pictures reminiscent of Kaspersky Lab’s official advertising there was a link that had absolutely nothing in common with the company’s products. The cybercriminals had done a good job: the email not only looked like an official email from Kaspersky Lab but the “From” field was a good imitation as well.
After clicking the link, a user unwittingly ends up on a website with an offer to buy a program called Best Antivirus Online. It has to be said that the image of the “product box” on the web page was not unlike Symantec’s signature design – black font against a predominantly yellow background. To buy the program, the user had to enter their credit card details and email address so they could receive further instructions. We followed these steps as part of our investigation, but received no further instructions at the email address we specified. It is quite possible that users did receive instructions on how to download the fake antivirus while the spam campaign was active.
This is not the first time cybercriminals have made use of Kaspersky Lab products. We have noticed on several occasions that the distributors of fake antiviruses have tried to make their “product” interfaces similar to those of KIS or KAV. Spammers distributing offers of cheap software often stress in their emails that Kaspersky Lab’s products are available on their sites at bargain prices.
This level of awareness by the cybercriminals is a clear indication that Kaspersky Lab products are popular and trusted. They are taking advantage of users’ trust in Kaspersky Lab as a social engineering tool, hoping that the familiar green design will lull users into a false sense of security and make them click the malicious link.
It should be noted that not only Kaspersky Lab has attracted the attention of malicious users. A week or so ago, we received similar messages that imitated a mailing from Adobe. The link in the message led to a suspicious-looking “pdf reader”. The site’s template was identical to the template used for Best Antivirus Online, only the color scheme was different. In early October, a similar site was linked to emails with offers to download a new version of iTunes dedicated to Steve Jobs. The color scheme then was completely different, but the site template was the same.
At the time the user wrote to us, Kaspersky Lab products already detected both the spam messages and the malicious site they linked to. But we urge users not only to trust our products but also to be vigilant when surfing the net. And remember: no reputable company sends spam!
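The imitation “From” field in the mailing above is something a mail gateway can check mechanically rather than by eye. The script below is an added example, not Kaspersky Lab code: it reads a message’s From, Return-Path and Authentication-Results headers (RFC 5322 and RFC 8601) and reports every way in which the visible sender fails to line up with what actually authenticated. Both sample messages are constructed for illustration, and the set of legitimate brand sending domains is an assumption, not a statement about Kaspersky Lab’s real mail infrastructure.

```python
"""Flag messages whose visible From does not match the authenticated sender.

Added example for the fake-antivirus mailing described above; not Kaspersky Lab
code. Sample messages and BRAND_DOMAINS are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "kaspersky"
BRAND_DOMAINS = {"kaspersky.com"}  # assumption: domains the brand really sends from

# Constructed spoof: brand display name, lookalike From domain, and
# authentication results that only vouch for a third-party mailer.
SAMPLE_SPOOF = """\
Return-Path: <bounce@example-mailer.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-mailer.net;
 dkim=none
From: "Kaspersky Lab" <noreply@kaspersky-lab-promo.example>
Subject: Best Antivirus Online - special offer
Content-Type: text/plain

Click here: http://best-antivirus-online.example/buy
"""

# Constructed legitimate message: every domain agrees and both checks pass.
SAMPLE_LEGIT = """\
Return-Path: <news@kaspersky.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=kaspersky.com;
 dkim=pass header.d=kaspersky.com
From: "Kaspersky Lab" <news@kaspersky.com>
Subject: Newsletter
Content-Type: text/plain

Hello
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def parse_auth_results(value: str) -> dict:
    """Map 'spf'/'dkim' to (verdict, domain) from an Authentication-Results
    header. A simplified reading of RFC 8601: one verdict per method."""
    results = {}
    for method, verdict, rest in re.findall(r"(spf|dkim)=(\w+)([^;]*)", value):
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.-]+)", rest)
        results[method] = (verdict.lower(), dom.group(1).lower() if dom else "")
    return results


def assess(raw: str) -> dict:
    """Return the From domain and a list of sender-consistency findings."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    # Brand name shown to the user, but a domain the brand does not own.
    if BRAND in display_name.lower() and from_domain not in BRAND_DOMAINS:
        findings.append("brand display name with non-brand From domain")
    # Envelope sender (bounce address) does not match the visible From.
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")
    # SPF may have passed, but only for some other domain.
    spf_verdict, spf_domain = auth.get("spf", ("none", ""))
    if spf_verdict != "pass" or spf_domain != from_domain:
        findings.append("no SPF pass for the From domain")
    # No DKIM signature validating the From domain.
    dkim_verdict, dkim_domain = auth.get("dkim", ("none", ""))
    if dkim_verdict != "pass" or dkim_domain != from_domain:
        findings.append("no DKIM pass for the From domain")
    return {"from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, assess(sample))
```

The checks are deliberately layered: a lookalike domain such as the one in the sample can pass SPF for itself, so the brand-name test and the Return-Path comparison are what catch it, while the SPF/DKIM tests catch outright forgery of the real domain.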
“Nigerian” spammers are extremely quick to react to the world’s hottest news stories. News of the death of former Libyan leader Muammar Gaddafi had barely even broken before a string of emails from the “relatives of the deceased” began to appear.
Gaddafi’s inconsolable relatives would be amazed if they knew how many emails had been sent in their name to Internet users around the world.
Instead of joining in the funeral rites, it looks like Gaddafi’s sons and daughters, or his wife, his brothers or even friends, have rushed straight to their PCs to write to people all over the world asking for help in spiriting uncountable millions of dollars out of the country.
According to the “Nigerians”, the family of the Libyan leader is worth hundreds of millions of dollars. The emails which fell into my hands cited a minimum figure of $300 million.
Most of these emails purport to come from “Gaddafi’s wife”. The spammers seem to think their heart-rending stories about her hard life in her husband’s family could explain her sudden desire to share his money with her close friends. Or even with distant strangers, depending on the recipient of the email.
She’s not alone, though: an unlikely coalition of “opposition forces”, “lawyers” and “bank clerks who have access to Gaddafi’s accounts” also share the general desire to transfer the Colonel’s money abroad.
“Nigerian” spam is, of course, pure fraud. None of Gaddafi’s wives or even his lawyers will ever send emails to someone they do not know asking for help in getting millions of dollars out of the country and offering an unknown agent the commission for doing so. If a user takes the bait the fraudsters will extort money from him to allegedly cover different “expenses” until no more money is left. One should be realistic about the many offers received via the Internet from an unverified source calling himself Colonel Gaddafi’s son (ALL OF A SUDDEN!).
Below are the screenshots of several “Nigerian letters” sent on behalf of Gaddafi’s family:
After the Pushdo/Cutwail, Bredolab and Rustock botnets were taken offline, the geography of spam sources underwent some major changes. In particular, from September 2010 the US, for a long time the leading spam distributor, began to lose ground. For several months now it hasn’t even made it into the Top 10 leading sources of spam and only occasionally appears at the bottom of the Top 20.
The US and some European countries have been replaced by Asian and Latin American countries. The cybercriminals have clearly established new bases for distributing spam with eight of July’s top 10 spam sources located in Asia and Latin America.
As we mentioned in a previous blog post, every time there is news of global interest, cybercriminals try to exploit that interest for their own malicious purposes. The death of Osama bin Laden was no exception – it was used in spam as well as black hat SEO.
We have detected two spam mailings capitalizing on the news of Bin Laden’s death, both of which were used to distribute malware.
One included a password-protected ZIP archive. The message subject was: “pictures of osama bin laden dead?”
What is strange about the mailing is that the text was taken from a standard spam message which is supposedly sent by a girl who wants to introduce herself to a man and is asking him to have a look at pictures of her that are attached.
At last! What every football fan has been dreaming of. The start of World Cup 2010!
Even if you hate football, you just can’t help but know it’s World Cup time again, and one thing’s for sure, spammers will be doubly aware of it. It’s not that long since our last post dedicated to football-related spam. The Nigerian letters proclaiming lottery wins that we wrote about then have continued unabated – we have received lots of other messages all stating that the recipient has won millions of dollars in a FIFA competition.
One day before it all kicked off, a different kind of mailing appeared with the subject ‘FIFA World Cup South Africa... bad news’. The body of the message tells you to find out more about some “scandal news” that is contained in the attachment.
As you can see, the attachment is an HTML file. We’ve already written much about spammers hijacking the hottest news stories for the exclusive purposes of distributing malware and adverts for Viagra – in this case it is the latter. When opened in a browser, the HTML file redirects the user to a Canadian pharmacy site.
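The two mailings above use attachments a gateway can triage without running them: the bin Laden mailing carried a password-protected ZIP (the encryption flag is visible in the ZIP headers even though the content cannot be scanned), and the World Cup mailing carried an HTML file whose only job is to redirect the browser. The following script is an added example that is not Kaspersky Lab code and not the original attachments: both samples are constructed, and the ZIP’s encryption bit is set by hand because the Python standard library cannot write encrypted entries.

```python
"""Triage two spam attachment types: a password-protected ZIP and an HTML file
that redirects to an outside site. Added example, not Kaspersky Lab code; the
sample attachments below are constructed."""
import io
import re
import zipfile
from html.parser import HTMLParser

# JavaScript that navigates away: location = "...", location.href = "...",
# window.location.replace("...") and similar.
REDIRECT_JS = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace)?\s*[=(]\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


class RedirectFinder(HTMLParser):
    """Collect redirect targets from <meta http-equiv="refresh"> and inline scripts."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases names already
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets.extend(REDIRECT_JS.findall(data))


def html_redirects(html: str) -> list:
    """Return every redirect target found in an HTML document."""
    finder = RedirectFinder()
    finder.feed(html)
    return finder.targets


def zip_entries(data: bytes) -> dict:
    """List a ZIP's entries without extracting anything; bit 0 of each entry's
    general-purpose flag marks it as encrypted (PKWARE APPNOTE section 4.4.4)."""
    names, encrypted = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            names.append(info.filename)
            if info.flag_bits & 0x1:
                encrypted.append(info.filename)
    return {"entries": names, "encrypted": encrypted}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: its kind, whether it looks suspicious, and why."""
    if data[:4] == b"PK\x03\x04":
        z = zip_entries(data)
        return {"kind": "zip", "suspicious": bool(z["encrypted"]),
                "reason": "password-protected entries" if z["encrypted"] else "", "details": z}
    if filename.lower().endswith((".htm", ".html")) or b"<html" in data[:512].lower():
        targets = html_redirects(data.decode("utf-8", "replace"))
        return {"kind": "html", "suspicious": bool(targets),
                "reason": "redirects to external site" if targets else "", "details": targets}
    return {"kind": "other", "suspicious": False, "reason": "", "details": None}


def make_constructed_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a small ZIP in memory for the sample. The stdlib cannot write
    encrypted entries, so the encryption flag bit is set by hand in both the
    local file header (offset 6) and the central directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)


# Constructed samples standing in for the two mailings described above.
SAMPLE_ENCRYPTED_ZIP = make_constructed_zip("pictures.exe", b"MZ" + b"\0" * 62, True)
SAMPLE_HTML = b"""<html><head>
<meta http-equiv="refresh" content="0; url=http://pharmacy.example/?ref=worldcup">
<script>window.location.href = "http://pharmacy.example/landing";</script>
</head><body>scandal news</body></html>"""

if __name__ == "__main__":
    for name, blob in (("pictures.zip", SAMPLE_ENCRYPTED_ZIP), ("bad_news.html", SAMPLE_HTML)):
        print(name, triage_attachment(name, blob))
```

Reading the flag bits from the central directory is what lets a filter act on a password-protected archive it cannot open; the HTML check goes slightly beyond the mailing above by also catching script-driven redirects, since a meta refresh is only one of the ways such a file can send the browser elsewhere.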
Yesterday we received a very enticing email offering users the chance to earn loads of money for just one hour of work per day. Put another way, it was an offer to join a financial pyramid.
The funny thing is that the spammer has obviously not tried to limit the amount of information offered to the user – the message was 7 MB. Normally, spammers try to make their emails as small as possible (usually no more than 5 KB) because it means they can send more of them.
So why are these attachments such ‘heavyweights’? As you may have noticed from the screenshot above, one file is an mp3 and the other has a .doc extension.
The text document contains 18(!) pages that explain in detail the principles behind the financial pyramid. The document stresses that though this “super program” may resemble network marketing, it is actually something completely different. However, one part has been lifted directly out of a well-known book on network marketing. It states: “THE THING IS, THERE IS A SECRET FORMULA BUILT INTO THE PROGRAM WHICH ENSURES 100% SUCCESS FOR ALL PARTICIPANTS IN THE BUSINESS WHICH IS DOWN TO FACTORS THAT ARE SO SUBTLE THAT THE HUMAN BRAIN IS INCAPABLE OF COMPREHENDING THEM. WHAT IS THIS FORMULA? IT’S A SECRET OF THE LEGENDARY CREATOR OF RMI, MIYAMOTO ICHIKAWA.”
The text includes feedback from people who have already taken up the offer, and of course they are delighted with the results. Users are promised earnings of between $100,000 and $1 million within six months.
Like any other pyramid scheme, in order to earn money you need to introduce new people to it. No doubt you can guess the recommended method of finding new ‘clients’? That’s right, spam. 20,000 addresses to start with, with 1000 addresses included when you buy into the program. One can only sympathize with those whose address ends up in the “starter package”.
The potential rewards also explain why an unusually large spam message is used – what’s the point of economizing on traffic if the future’s rosy and promises earnings of $100,000?
The love of things big extends to the audio file as well. It lasts for 43 minutes (!) and is a recording of a seminar for those who have bought into the pyramid.
18 pages and 43 minutes of listening – that’s over an hour’s worth of convincing the user that they shouldn’t miss out on this dubious scheme which is based on nothing more than sending spam. Of course, you could make much better use of your time. The choice is yours!