Flickr welcome message leads to Canadian Pharmacy web site

July 6, 2010 by mxlab Leave a Comment

Various brands have been subject to spam campaigns and today Flickr, the photo sharing web site, is now also being abused by spammers.

MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, send from a spoofed email address, with an welcome message  from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind Terms of Services or the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above function as a redirect to hxxp://keptoften.com/

Each message has different URLs included so these spammers are using a massive amount of domains in this campaign.

I personally do not understand why they are doing this because an Intent Analysis filter, that analyses the included URLs in emails, can blacklist many URLs from these web sites immediatly when investigating one single spam message.

When only using the domain for visiting the sites we get quite often a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy hxxp://pharmacymentalhealth.com (see image below).

Filed under Spam Tagged with , , ,

Spam campaign from Canadian Pharmacy also contains web based threats

February 15, 2010 by mxlab 1 Comment

MX Lab detected several email based threats in a spam campaign from Canadian Pharmacy masked as an order confirmation of Amazon.

The campaign comes from the spoofed email address Customer Support <***.***@service.amazon.com> and has the possible following subjects (*** numbers will vary):

Confirm #***
Confirmation Order #***
Notice #***
Notify #***
Notification #***
Order Confirmation #***
Order Notice #***
Order Notify #***
Order Notification #***

The body of the email:

Your Order S\n:10444064511 Accepted.
Details hxxp://www.klaudiusz.ramtel.pl/afrikaners.html

Thank you.
Amazon.com Customer Support

The campaign is detected yesterday but today we found a few threaths when following the included URLs. One threat was named HTML:iFrame-LZ[Trj] (Avast).

HTML:iFrame-LZ[Trj] is a malicious HTML script that may be downloaded unknowingly by a user when visiting malicious Web sites. The script will make connection to sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

Filed under Malware, Spam, Viruses Tagged with , , ,

Rustock is back online, spam levels rise again

November 25, 2008 by mxlab Leave a Comment

UPDATE, Nov 27th: One of the new CnC servers, ‘sdx3Fs5B.info’ was resolving to 72.233.114.74 at LayeredTech. FireEye sent an abuse notification to LayeredTech when the CnC servers went online and they have pulled out the server.

—————-

Yesterday, Nov 24, 2008, I noticed a sudden spam rise. When checking some samples I found that the ‘Canadian Pharmacy’ spam is back and some new image based spam campaigns have been launched.

But the ‘Canadian Pharmacy’ spam is where we should focus on. These spam campaigns are being sent by Rustock, so the conclusion is that these guys are back online and in business.

With subjects like Obama.s new plan, Food crisis in California or Bush.s last words they try to get their email opened to see the ‘Canadian Pharmacy’ advertisment. URLs, like hxxp://alsi.kugusup.cn or hxxp://ppbka.kugusup.cn will redirect you to hxxp://beautythrow.com/ where the Canadian Pharmacy web site is hosted.

When looking for more information if Rustock is back I found that the Company FireEye Security has posted more details on their blog.

As expected, the bot admins learned from the shut down of McColo. They can now simply change DNS to make sure that their command and control server still can be accessed.

The new Rustock spam campaign is already having an impact on the spam levels. The image below is the graph for one of my domains and you can see the spam level drop when McColo was taken down. The red line is the global spam level.

We have a peak during the weekend, the absence of business emails, and a global spam level between 75% and 85% during the week. Yesterday we had a spam level of 89,4% and at the time of writting this article we are back at 93%. You can see the graph going up again after the re-activation of the Rustock C&C servers.

Filed under Spam Tagged with , , , ,

Canadian Pharmacy spam looks like a mailing

October 1, 2008 by mxlab 1 Comment

Most of the time, spam for viagra and other pills from Canadian Pharmacy doesn’t look so good like this campaign.

Their latest spam campaign is rather nice looking and has some tricks to lure the receiver into their trap with an Unsubscribe link, Manage Subscription links and Privacy policy note.

They also use different domains and change this quite often during the day to avoid detection by intent analysis techniques.

Using one of these links http://www.voiceold.com/memberservices/remove.php?recipient=info@*****.be&SESSID=51706986E9245C just leads you to a web site and gives the response “Not Found”.

I would recommend not doing this because they can easily track your actions on their web site with these links. You will only confirm that your email address is valid by using those links and receive more spam.

Filed under Spam Tagged with , , , , ,