Spammers use all types of tricks to bypass spam filters: adding ‘noise’ to texts, inserting redirects to advertised sites, replacing text with pictures – anything to stop the automatic filter from reading the keywords and blocking the message. Recently, we’ve been seeing a trend to replace Latin characters with similar-looking symbols from other alphabets. This “font kink” is especially typical of phishing messages written in Italian.

Non-Latin characters are inserted in place of similar-looking Latin characters both in the “Subject” field and in the body of the message. Here is an example of what headers obscured with ‘foreign’ symbols look like:
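A defender-side check for this trick, added here as an example and not part of the original post: it finds the subject's dominant script and flags any word containing look-alike letters from another script, giving the Latin reading a human would see. The CONFUSABLES table is a small constructed subset of look-alikes (a production filter would load the full Unicode confusables list); the sample subject is a constructed Italian phishing line with Cyrillic "о" in place of Latin "o".

```python
import unicodedata
from collections import Counter

# Constructed subset of look-alike (homoglyph) letters: non-Latin code point -> Latin letter.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a, e, o, er
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic es, u, ha, i
    "\u0458": "j", "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",   # Cyrillic je; Greek omicron, alpha, nu
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")

def script_of(ch):
    """Script of a letter, taken from the first word of its Unicode name; None for non-letters."""
    if not ch.isalpha():
        return None
    first = unicodedata.name(ch, "").split(" ", 1)[0]
    return first if first in SCRIPTS else "OTHER"

def dominant_script(text):
    """The script most of the letters in the text belong to (None if there are no letters)."""
    counts = Counter(s for s in map(script_of, text) if s)
    return counts.most_common(1)[0][0] if counts else None

def latin_reading(word):
    """What the word looks like to a human: look-alikes replaced by the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in word)

def scan_subject(subject):
    """Return [(word, latin_reading)] for words that smuggle in look-alike letters
    from a script other than the subject's dominant one. Genuine single-script text
    (an all-Cyrillic subject, say) is not flagged, which keeps false positives down."""
    dom = dominant_script(subject)
    flagged = []
    for word in subject.split():
        foreign = [ch for ch in word if ch in CONFUSABLES and script_of(ch) != dom]
        if foreign:
            flagged.append((word, latin_reading(word)))
    return flagged

# Constructed sample: "Conferma il tuo conto" with every "o" in the first and last word
# replaced by Cyrillic small o (U+043E).
SAMPLE_SUBJECT = "C\u043enferma il tuo c\u043ent\u043e"

if __name__ == "__main__":
    for word, reading in scan_subject(SAMPLE_SUBJECT):
        print(f"suspicious word {word!r} reads as {reading!r}")
```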

Spam Test|The omnipresent dad

Maria Rubinstein
Kaspersky Lab Expert
Posted April 09, 09:00  GMT
Tags: Spam Letters, Spammer techniques

Many websites show different text depending on where the user lives. For instance, the home pages of some portals show you the news and weather of your region by default, because that is the information you are most likely to want first.

Of course, spammers and fraudsters also make use of this approach.

The following letter, written in Spanish, advertises an easy way to earn money online:

The link in the message leads to times-financials.com, a domain registered in October 2013 according to its whois record:

“Moscow City dad makes $14,000 per month” – says the title.

From Moscow? Hmmm.


Spammers are relentless in their attempts to bypass anti-spam filters and confuse recipients of spam. Recently we detected a mass mailing disguised as an automated reply to a request to unsubscribe from a news blog. The authors noted their regret at losing one of their subscribers and asked if the user really wanted to unsubscribe.

Phrases like “We regret your decision to unsubscribe” do indeed appear in responses sent following requests to unsubscribe. However, this was followed by some unusual text in which the senders regretfully informed the recipient that he had also been unsubscribed from other information mailings on subjects such as:

  • Driving licenses without medical certificates
  • Bankruptcy procedures for legal entities
  • Bank licenses
  • Setting up businesses abroad
  • Real estate with a 50% discount

These are typical spam topics which, in this case, were disguised as information blocks. Why were the messages so suspicious? Because the senders didn’t even mention the name of the blog, site or journal from which the user was supposed to have unsubscribed.

The name of the unsubscribed service wasn’t in the sender’s domain name either – the address contained only one phrase that translates as “driving license right now” (spammers frequently use words related to the topic of the message in new domains), and the messages were sent in the month the domain was created. There were no links to prolong the subscription. It looks like the spammers thought that any interested users would reply to the message and receive a whole variety of spam mailings related to the chosen topic.

An even more insolent mailing stated that for a certain amount of money the spammers would tell the recipient how they found out his/her email address and why the mail box was full of spam messages. The information cost just $3.50. In order to pay for the information, the user had to click a link at the end of the message.

The link led to the site called End of Spam where the user could view a full pricelist. For instance, the user could remove his/her email address from spam mailing lists for a $1.50 payment via PayPal. Information on how the spammers found out about the user’s email address cost $3.50. The fraudsters reminded the user to state their email address so that they “know which email address to unsubscribe”.

All of the links led to a PayPal page with a ready-made payment form. If the user was already logged in to PayPal, he/she simply had to press the “Buy Now” button and transfer his/her money to goodness knows where.

Of course, this is unlikely to halt the spam mailings – it’s hard to believe that the senders know all the spammers in the world and can stop their mailings at the request of a user. Besides, after the money transfer the stream of unsolicited correspondence may even increase, since the address has now been confirmed as valid and the user’s naivety has been noted. In the worst-case scenario, the user’s personal data from the payment could also be misused.


I have never bought a PlayStation and neither has my colleague Micha-san from Japan - well, in his case, at least not from Brazil. Nonetheless, we both received the same email notification:


To complement the findings already mentioned, the same cybercriminal’s server contains additional interesting things, but before mentioning them I want to give a little more information about the email database used to spam victims and infect them with the Betabot malware.

E-mail database
How big is the list of email addresses used to spam victims? It has 8,689,196 different addresses, which makes it a very complete database. Even if only 10% of the machines of the people included in this list get infected, the cybercriminals would gain more than 800,000 infected PCs!

The geographic distribution of the emails has already been published here. If we look only at addresses in the most interesting domains, those belonging to governments, educational institutions and the like, the numbers are still very high:

Domain    Number of emails
org       13772
edu       2015
gov       1575
gob       312


In our practice, we often encounter cases where messages with a malicious attachment are mass-mailed to many addresses at the same time. Recently, though, we saw a series of messages persistently sent to the same email address. Apparently, the attacker’s main goal was to infect that particular computer – all the emails, no matter what their headers were, contained Email-Worm.Win32.NetSky.q. This worm’s characteristic feature is that it spreads via email attachments. After infecting a computer, the worm harvests all the email addresses stored on it and mails copies of itself to them, using specific short phrases and avoiding any addresses that may be directly associated with IT security providers, such as antivirus companies.

The first message we detected purportedly came from the PayPal payment system. The text in the body of the letter said that there was a bill for the user in the attachment.


Introduction
Last week a good friend (@Dkavalanche) mentioned on his Twitter account his findings on a Betabot malware sample that was spammed via fake emails in the name of the Carabineros of Chile. It piqued my interest, so I dug a little and this is what I found:
The original .biz domain used in the malicious campaign was bought by someone allegedly from Panama. It’s a purely malicious domain used exclusively for cybercriminal activity; however, the server itself is hosted in Russia! The same server holds several folders and files, which we will discuss a little later. First, let’s talk about the initial malicious binary sent via the spoofed emails, and then about the other things. I will focus only on the most interesting details.

Denuncia_penal.exe
This is the name of the original binary. It translates into English as “Criminal complaint”.
The file is compiled with fake version information and claims to be a legitimate tool built by NoVirusThanks, called NPE File Analyzer.


Kaspersky Lab congratulates the royal couple on the birth of their new baby boy and wishes them all well for the future. It is truly joyous news that is being celebrated in the UK and in the rest of the world.

However, because it is such big news, it didn't take long for malicious actors to misuse it: "The Royal Baby: Live updates" promises an email that arrived in our spam traps today. A link named "Watch the hospital-cam" is the trap it contains, and it leads to ... nowhere, because it seems the site has already been cleaned. By the looks of it, it may be a compromised legitimate website that has since been cleaned up.

But we were still interested in what the malicious content could be, and we didn't need to search for long. Exactly _one_ hit for our web search was shown at the time of writing this article.


“Nigerian” spammers are extremely quick to react to the world’s hottest news stories. News of the death of former Libyan leader Muammar Gaddafi had barely even broken before a string of emails from the “relatives of the deceased” began to appear.

Gaddafi’s inconsolable relatives would be amazed if they knew how many emails had been sent in their name to Internet users around the world.

Instead of joining in the funeral rites, it looks like Gaddafi’s sons and daughters, or his wife, his brothers or even his friends, have rushed straight to their PCs to write to people all over the world asking for help in spiriting countless millions of dollars out of the country.

According to the “Nigerians”, the family of the Libyan leader is worth hundreds of millions of dollars. The emails which fell into my hands cited a minimum figure of $300 million.

Most of these emails purport to come from “Gaddafi’s wife”. The spammers seem to think their heart-rending stories about her hard life in her husband’s family could explain her sudden desire to share his money with her close friends. Or even with distant strangers, depending on the recipient of the email.

She’s not alone, though: an unlikely coalition of “opposition forces”, “lawyers” and “bank clerks who have access to Gaddafi’s accounts” also share the general desire to transfer the Colonel’s money abroad.

“Nigerian” spam is, of course, pure fraud. None of Gaddafi’s wives, or even his lawyers, will ever send emails to someone they do not know asking for help in getting millions of dollars out of the country and offering an unknown agent a commission for doing so. If a user takes the bait, the fraudsters will extort money from him to allegedly cover various “expenses” until no money is left. One should be realistic about the many offers received via the Internet from an unverified source calling himself Colonel Gaddafi’s son (ALL OF A SUDDEN!).

Below are the screenshots of several “Nigerian letters” sent on behalf of Gaddafi’s family:


Spam Test|Spam and YouTube: a long-term relationship

Darya Gudkova
Kaspersky Lab Expert
Posted September 22, 09:59  GMT
Tags: Spammer techniques, Email

We recently noticed a mass mailing among the general flow of spam that at first glance looked just like the usual “forum” junk mail: the kind that appears on forums and bulletin boards and is sent as email notifications to users of those forums.