Spam message inside a ZIP file

Spammers often try new techniques to get their message to the recipient without being caught by email security solutions. Today one such spam email caught our attention because of the unusual technique used.

The spam email had the subject “Your wife photos attached”, a very short body, “Your wife photos”, and the attached file rooster.zip.

At first we thought this was a new email security threat, so we investigated the ZIP archive. Once extracted, it contained the file rooster.jpg. The filename does not end in .exe, nor does it use the trick of a long run of spaces followed by .exe, so we opened the JPEG and got a spam advertisement for Viagra, Cialis and VPXL.

The instructions, if you are interested, are to go to med242.ru, which leads to the Canadian Pharmacy web site.

I can understand that spammers try different techniques, but this one is, in my humble opinion, not a very good one. What a hassle to read the message.
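As an added example (not part of the original post), here is how a mail gateway could apply the same filename checks to every member of a ZIP attachment in Python, and go one step further by comparing the claimed extension with the file's magic bytes: a real JPEG starts with FF D8 FF, while a Windows executable starts with MZ. The sample archive is constructed here; it contains a harmless rooster.jpg like the one in this message and, for contrast, two disguised executables (the padded-spaces trick and a plain .jpg name over MZ content).

```python
import io
import re
import zipfile

# Magic bytes for the file types we expect in "photo" attachments, plus the
# MZ header that a disguised .exe or .scr carries.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"MZ": "pe-executable",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_LIKE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc"}


def sniff(head: bytes) -> str:
    """File type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def claimed_kind(name: str) -> str:
    """File type implied by the last extension of the member name."""
    ext = name.rstrip().lower().rsplit(".", 1)[-1]
    return {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
            "exe": "pe-executable", "scr": "pe-executable"}.get(ext, "unknown")


def suspicious_name(name: str) -> list:
    """Reasons an archive member name looks like a disguise (may be empty)."""
    reasons = []
    stripped = name.rstrip()
    ext = ("." + stripped.rsplit(".", 1)[-1].lower()) if "." in stripped else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    # "photo.jpg                .exe": padding pushes the real extension out of
    # sight in a mail client's attachment list.
    if re.search(r"\s{2,}", stripped):
        reasons.append("padded filename")
    parts = [p.strip() for p in stripped.lower().split(".")]
    if len(parts) > 2 and ("." + parts[-2]) in IMAGE_LIKE_EXTS:
        reasons.append("double extension")
    return reasons


def inspect_zip(archive: bytes) -> list:
    """One finding per member: name, claimed type, sniffed type, flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            claimed = claimed_kind(info.filename)
            actual = sniff(head)
            flags = suspicious_name(info.filename)
            if actual == "pe-executable" and claimed != "pe-executable":
                flags.append("executable content behind non-executable name")
            findings.append({"name": info.filename, "claimed": claimed,
                             "actual": actual, "flags": flags})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a real JPEG header and two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rooster.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
        zf.writestr("rooster.jpg" + " " * 40 + ".exe", b"MZ" + b"\x00" * 62)
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(repr(f["name"]), f["claimed"], f["actual"], f["flags"])
```

The last member is the case the filename rules alone miss: nothing about "photo.jpg" looks wrong, only the content does, which is why the header check belongs in the gateway and not just the extension list.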

Flickr welcome message leads to Canadian Pharmacy web site

Various brands have been subjected to spam campaigns, and today Flickr, the photo sharing web site, is also being abused by spammers.

MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, sent from a spoofed email address, containing a welcome message that imitates Flickr's own (see image below).

Every link in the message leads to a different URL, even the links behind the Terms of Service and the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above act as redirects to hxxp://keptoften.com/

Each message contains different URLs, so the spammers are using a massive number of domains in this campaign.

I personally do not understand why they are doing this, because an Intent Analysis filter, which analyses the URLs included in emails, can blacklist many URLs from these web sites immediately after investigating one single spam message.
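As an added example that is not part of the original post, the following Python does what such a filter does first: pull every URL out of an intercepted message, reduce each to its host name and add it to a blocklist, then test later messages against that list. The message body is a constructed HTML wrapper around the URLs quoted above (hxxp is the defanged notation used in this post, so the extractor accepts it too).

```python
import re
from urllib.parse import urlsplit

# http://, https:// and the defanged hxxp:// / hxxps:// forms used in reports.
URL_RE = re.compile(r"\bh[tx]{2}ps?://[^\s\"'<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp:// back into http:// (https is preserved)."""
    return re.sub(r"^h[tx]{2}p", "http", url, flags=re.IGNORECASE)


def extract_urls(message: str) -> list:
    """Every URL in a message body, in order, deduplicated."""
    seen, out = set(), []
    for m in URL_RE.finditer(message):
        url = refang(m.group(0).rstrip(".,;:)"))
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def hostnames(urls) -> set:
    hosts = set()
    for u in urls:
        h = urlsplit(u).hostname
        if h:
            hosts.add(h.lower())
    return hosts


def build_blocklist(messages, allow=()) -> set:
    """Hosts linked from intercepted spam, minus an allow list of known-good hosts.

    Hosts rather than full URLs: the paths in this campaign are random words
    that change per message, the hosts are what the spammer has to reuse.
    """
    block = set()
    for msg in messages:
        block |= hostnames(extract_urls(msg))
    return block - set(allow)


def is_blocked(message: str, blocklist: set) -> bool:
    return bool(hostnames(extract_urls(message)) & blocklist)


# Constructed body wrapping four of the links quoted in the post.
FLICKR_SAMPLE = """\
<p>Welcome to Flickr! Here is how to get started.</p>
<a href="hxxp://mahimatex.com/sanitation.html">Get started</a>
<a href="hxxp://electricbrochures.com/custodian.html">Your photostream</a>
<a href="hxxp://eventosgs.com.ar/climate.html">Terms of Service</a>
<a href="hxxp://newcivas.altervista.org/overstatements.html">Privacy Policy</a>
"""

if __name__ == "__main__":
    blocklist = build_blocklist([FLICKR_SAMPLE])
    print(sorted(blocklist))
    print(is_blocked("Your photo: hxxp://eventosgs.com.ar/another.html", blocklist))
```

The allow list matters in practice: a campaign that keeps one genuine link to the abused brand would otherwise put the brand's own host on the blocklist.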

When visiting the sites by domain only, we quite often get a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and from there to the Canadian Neighbor Pharmacy web site at hxxp://pharmacymentalhealth.com (see image below).
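The redirect chain described above can be reconstructed without clicking through it in a real browser. The following Python example, added here and not part of the original post, walks HTTP 3xx Location headers and HTML meta refresh tags from a starting URL, records every hop, and stops on a loop or after a fixed number of hops. The fetcher is injected so the walk runs offline against the constructed responses below, which mirror the chain in this campaign (landing page, keptoften.com, bestadultsite.ru, pharmacymentalhealth.com); for real use, plug in a fetcher that runs from an isolated network and does not follow redirects itself (for example requests.get(url, allow_redirects=False)).

```python
import re
from urllib.parse import urljoin

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"([a-z\-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


def meta_refresh_target(html: str):
    """URL from <meta http-equiv="refresh" content="N; url=..."> or None."""
    for tag in META_TAG_RE.findall(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        if attrs.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(attrs.get("content", ""))
            if m:
                return m.group(1)
    return None


def follow(url: str, fetch, max_hops: int = 10) -> dict:
    """Walk 3xx Location headers and meta refreshes starting at url.

    fetch(url) -> (status, headers, body); header names are matched
    case-insensitively. Relative Location values are resolved against the
    current hop.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1])
        hdrs = {k.lower(): v for k, v in headers.items()}
        if 300 <= status < 400 and hdrs.get("location"):
            nxt = hdrs["location"]
        elif status == 200:
            nxt = meta_refresh_target(body)
        else:
            nxt = None
        if nxt is None:
            return {"chain": chain, "final": chain[-1], "status": status, "stopped": "end"}
        nxt = urljoin(chain[-1], nxt)
        if nxt in seen:
            return {"chain": chain + [nxt], "final": nxt, "status": status, "stopped": "loop"}
        seen.add(nxt)
        chain.append(nxt)
    return {"chain": chain, "final": chain[-1], "status": None, "stopped": "max_hops"}


# Constructed responses standing in for the live sites (status, headers, body).
CONSTRUCTED_SITE = {
    "http://mahimatex.com/sanitation.html": (
        200, {}, '<html><head><meta http-equiv="refresh" content="0; url=http://keptoften.com/"></head></html>'),
    "http://keptoften.com/": (302, {"Location": "http://bestadultsite.ru/run/go.php?sid=3"}, ""),
    "http://bestadultsite.ru/run/go.php?sid=3": (302, {"Location": "http://pharmacymentalhealth.com/"}, ""),
    "http://pharmacymentalhealth.com/": (200, {}, "<html>Canadian Neighbor Pharmacy</html>"),
    "http://loop.example/a": (302, {"Location": "/b"}, ""),
    "http://loop.example/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    return CONSTRUCTED_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    print(follow("http://mahimatex.com/sanitation.html", fake_fetch))
```

The hop list is what you want to keep as evidence: the first hop is the throwaway domain, the middle hop is the traffic broker, and only the final host is the shop that should end up on a blocklist that survives the next day's domain rotation.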

Thumbs up for bit.ly for blocking a shortened URL in “Coupe du Monde de la FIFA 2010” spam

Emails about the FIFA World Cup are now going around the world, and people with less good intentions are looking to create some mayhem. A recent example is the email “FIFA World Cup South Africa… bad news”, but traditional spam messages are also circulating.

MX Lab intercepted some emails with the subject “Coupe du Monde de la FIFA 2010” from World Cup <207peugeot@menara.ma> that are obviously spam. Here is the body of the email:

bonjour ,

est ce que vous voulez voir les matchs de la coupe gratuitement ?
si oui n’hesiter pas a telecharger ce logiciel :

http://bit.ly/worldcupe

cordialement

(In English: “hello, do you want to watch the cup matches for free? if so, do not hesitate to download this software: http://bit.ly/worldcupe regards”)

=========================================

The message is in French; translated, it offers you software to watch the World Cup soccer matches for free.

Following the shortened bit.ly link we arrive at the FLV web site http://www.flvpro.com/movies/?aff=4749_movies (the aff parameter is presumably an affiliate identifier, so whoever sent the spam gets credit for the traffic).

While a free download of such a tool may be all very nice, sending your message out to the world in this format is not the way to do it. I refer to the use of bit.ly for the URL, the lack of an unsubscribe option and no clear indication of who sent the message. Very bad marketing if you ask me.

MX Lab reported this to bit.ly, which is something we usually do not do but we thought why not, and bit.ly responded within 10 minutes with a reply that the shortened URL is blocked for further use. Thumbs up for such a fast response.

Now, this is completely off topic, but notice the counter ‘Downloaded 2358755 times’ on the web site http://www.flvpro.com/. It is just a JavaScript timer that increments the number every two seconds; no real download count is behind it:

<script type="text/javascript">
var num = 2358754;
var t;
function IncCounter() {
    num = num + 1;   // increment the counter by 1 on every tick
    document.getElementById("cntr").innerHTML = num.toLocaleString();
    t = setTimeout('IncCounter()', 2000);   // tick every 2000 ms (2 s); 60000 would be once per minute
}
</script>

When you refresh the page, the counter is back to 2358755.
Very nice marketing! ;-)

Web site creator hosts are being abused in spam campaigns

Spammers are not afraid to abuse community sites or blog creators like blogspot.com in their spam campaigns. In some cases the content is published on these sites themselves; in others a redirect is embedded that forwards the visitor to a web site of their choice offering porn, pills and other stuff.

Over the last few days MX Lab noticed an increase in spam messages with URLs that point to (free) web site creator hosts or less well known blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

We also notice the use of random words in the spam message again. This is a very common technique, used in the past to avoid detection by Bayesian filters and/or to poison the filter's token database when such a message is used to train it.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….
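To make the Bayesian-poisoning point concrete, the following Python example (added here, not from the original post) trains a tiny Paul Graham-style filter on a constructed six-message corpus, then scores the Canadian Pharmacy line above with and without its word salad. Two scoring rules are compared: combining every token, which the salad drags towards ham, and Graham's rule of combining only the 15 most “interesting” tokens, which ignores the salad. The training corpus, the 0.4 prior for unknown tokens and the omission of Graham's extra ham weighting are assumptions made for illustration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z]{2,}")


def tokens(text):
    """Unique lowercase word tokens; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Minimal Graham-style filter (assumption: no 2x ham bias and no minimum
    occurrence threshold, so the arithmetic stays visible)."""
    UNKNOWN = 0.4    # probability assigned to a token never seen in training

    def __init__(self):
        self.spam_docs = Counter()   # spam messages containing each token
        self.ham_docs = Counter()    # ham messages containing each token
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam_docs.update(tokens(text))
            self.nspam += 1
        else:
            self.ham_docs.update(tokens(text))
            self.nham += 1

    def token_prob(self, tok):
        b = self.spam_docs[tok] / self.nspam
        g = self.ham_docs[tok] / self.nham
        if b == 0 and g == 0:
            return self.UNKNOWN
        return min(0.99, max(0.01, b / (g + b)))

    @staticmethod
    def combine(probs):
        """P(spam) = prod(p) / (prod(p) + prod(1-p)), in log space so a long
        salad cannot underflow the product."""
        lp = sum(math.log(p) for p in probs)
        lq = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(lq - lp))

    def score_all_tokens(self, text):
        """Every token contributes; a run of neutral tokens dilutes the score."""
        return self.combine([self.token_prob(t) for t in tokens(text)])

    def score_top(self, text, n=15):
        """Only the n tokens farthest from 0.5 contribute, so salad is ignored."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)
        return self.combine(probs[:n])


# Constructed training messages.
SPAM_CORPUS = [
    "this is a link to our shop cheap viagra cialis pills",
    "visit our online shop best prices on pills order now",
    "our canadian pharmacy shop link inside cheap pills",
]
HAM_CORPUS = [
    "the meeting is moved to thursday please bring the report",
    "thanks for sending the report see you at the meeting",
    "lunch on thursday this cafe on the corner is open",
]
# The shop line and the salad are taken from the campaign quoted above.
SHOP_LINE = "This is a link to our shop http://bc.greatsilent.ru/"
SALAD = """gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby"""


def trained_filter():
    f = BayesFilter()
    for m in SPAM_CORPUS:
        f.train(m, True)
    for m in HAM_CORPUS:
        f.train(m, False)
    return f


def demo():
    f = trained_filter()
    salted = SHOP_LINE + "\n\n" + SALAD
    return {
        "clean_all": f.score_all_tokens(SHOP_LINE),
        "clean_top15": f.score_top(SHOP_LINE),
        "salted_all": f.score_all_tokens(salted),
        "salted_top15": f.score_top(salted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value:.4f}")
```

With this corpus the clean line scores above 0.99 under both rules. Add the 33 salad words, each an unknown token at 0.4, and the all-tokens rule drops to roughly 0.13 (ham), while the top-15 rule still scores above 0.99 because only the three strong pharmacy tokens and a handful of neutral ones are ever consulted. The poisoning half of the attack is the other direction: if the salted message is fed back as training spam, each nonsense word becomes a spam token, and real messages are unaffected only because those words never appear in them.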

New web site creator hosts are being used each day. When I visited a few of those web site creator hosts I found out that signing up is very easy. You can automate account requests quite easily, up to a certain point, without being blocked by any security measure or by having to click an activation link sent by email.

On doodlekit.com we found a CAPTCHA on the sign-up form, but I believe a good CAPTCHA should have letters that are less readable than this one. Still, it is a start.

On webs.com I set up a dummy account with the site address http://tryviagra.webs.com without encountering any security measure at all. This means anyone can create a free web site account simply by completing the web forms.

In this particular case I could even automate every step and let a bot do all the work. I could create 10 to 100 accounts a day and the site administrators would perhaps not even notice. It is a very efficient way of getting coverage on the internet, getting free hosting for my site or redirecting visitors to my site.

Worse, I could also host malware on such a site and try to infect every visitor with malware, ransomware or other malicious files.

As a spammer I would have the advantage over Intent Analysis tools or SURBL, tools that examine and block messages based on the included URLs, by generating multiple URLs each day and changing the URLs in the spam message.

Again, it shows that internet security is everyone's responsibility and that everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features spammers have today (this is a nice example, I think) can't be used tomorrow.
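To show what a SURBL-style check actually involves, and why a shared host like webs.com or blogdrive.com defeats it, here is an added Python example (not part of the original post). It builds the query name the way a URI blocklist expects it (the registered domain, or a reversed IPv4 address, under the list zone, here multi.surbl.org) and treats any 127.0.0.x answer as a hit. The resolver is injected so the example runs offline against constructed answers; dns_resolve shows how the live lookup would be done, and the short ccTLD table is an assumption standing in for the Public Suffix List.

```python
import ipaddress
import socket

SURBL_ZONE = "multi.surbl.org"
# Second-level labels under two-letter ccTLDs where the registered domain has
# three labels (eventosgs.com.ar, example.co.uk). A real implementation uses
# the Public Suffix List; this table is an assumption for the example.
CCTLD_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def registered_domain(host: str) -> str:
    """Strip 'www.' and subdomains down to the registrable domain."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) > 2 and len(labels[-1]) == 2 and labels[-2] in CCTLD_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def query_name(host: str, zone: str = SURBL_ZONE) -> str:
    """DNS name to look up: reversed IPv4 address or registered domain under the zone."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"{registered_domain(host)}.{zone}"
    if isinstance(ip, ipaddress.IPv4Address):
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    raise ValueError("only IPv4 literals are handled in this example")


def dns_resolve(name: str) -> list:
    """Live resolver: A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_hosts(hosts, resolve=dns_resolve, zone: str = SURBL_ZONE) -> dict:
    """For each host: the query sent and whether the list answered 127.0.0.x."""
    report = {}
    for host in hosts:
        name = query_name(host, zone)
        hits = [a for a in resolve(name) if a.startswith("127.0.0.")]
        report[host] = {
            "query": name,
            "listed": bool(hits),
            # The last octet is a bitmask of the sub-lists that matched; the
            # bit meanings are documented by SURBL and not decoded here.
            "codes": sorted(int(a.rsplit(".", 1)[1]) for a in hits),
        }
    return report


# Constructed answers standing in for the DNS zone, so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "keptoften.com.multi.surbl.org": ["127.0.0.8"],
    "bestadultsite.ru.multi.surbl.org": ["127.0.0.8"],
}


def fake_resolve(name: str) -> list:
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    hosts = ["www.keptoften.com", "trhombic.blogdrive.com", "s2.webstarts.com",
             "eventosgs.com.ar", "127.0.0.2"]
    for host, r in check_hosts(hosts, fake_resolve).items():
        print(f"{host:25s} -> {r['query']:40s} listed={r['listed']} codes={r['codes']}")
```

Note what happens to trhombic.blogdrive.com: the query collapses to blogdrive.com, which no list can block wholesale without taking down every legitimate site on that host. That is exactly the advantage the spammer has here; blocking has to happen on the full URL, or on the hosting provider's side.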

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com on their lack of security – perhaps in a certain way it is – but to point out how easy it is to abuse certain online tools.

Twitter accounts abused by spammers

MX Lab detected a spam campaign where Twitter is being abused by spammers to promote online drug stores.

The campaign is sent from random spoofed email addresses and uses subjects such as:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one:

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

What they all have in common is a URL pointing to a Twitter status. The format is http://twitter.com/***/status/***, where the first *** is an account name and the second a numeric status ID.
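The product list in the first sample is written so that a plain keyword filter never sees “viagra” or “xanax”. As an added example (not code from the original post), the Python below undoes that: it strips the inserted spaces and punctuation, maps the usual symbol substitutions back to letters, and then matches the result against a drug list, exactly for a typo like “codine” and fuzzily otherwise. The drug list, the symbol table and the decision to read “|” as “i” are assumptions; the sample body is the one quoted above.

```python
import difflib
import re

DRUGS = ["phentermine", "soma", "xanax", "ritalin", "codeine", "valium",
         "klonopin", "ambien", "cialis", "viagra", "vicodin", "hydrocodone"]

# Multi-character glyphs are replaced first, in this order, because "/\/" (n)
# contains "/\" (a). The single-character table is the usual leet set; "|" -> "i"
# is an assumption that fits this sample (spammers also use it for "l").
MULTI = [("/\\/", "n"), ("|\\/|", "m"), ("/\\", "a"), ("\\/", "v")]
SINGLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "@": "a", "$": "s", "|": "i", "!": "i"})
SEPARATORS = re.compile(r"[\s._\-*,]+")


def normalize(raw: str) -> str:
    """Collapse spacing and symbol substitutions into plain lowercase letters."""
    s = SEPARATORS.sub("", raw).lower()
    for glyph, letter in MULTI:
        s = s.replace(glyph, letter)
    s = s.translate(SINGLE)
    return re.sub(r"[^a-z]", "", s)


def match_drug(norm: str, threshold: float = 0.8):
    """Best drug name for a normalised token: substring wins, else fuzzy ratio."""
    best, best_ratio = None, 0.0
    for drug in DRUGS:
        if drug in norm:
            return drug, 1.0
        ratio = difflib.SequenceMatcher(None, norm, drug).ratio()
        if ratio > best_ratio:
            best, best_ratio = drug, ratio
    return (best, best_ratio) if best_ratio >= threshold else (None, best_ratio)


def find_drug_lines(body: str) -> list:
    """(original line, normalised form, drug) for each bullet naming a drug."""
    hits = []
    for line in body.splitlines():
        line = line.strip()
        if not line.startswith("*"):
            continue
        norm = normalize(line.lstrip("* "))
        drug, _ = match_drug(norm)
        if drug:
            hits.append((line, norm, drug))
    return hits


# Body of the first sample quoted in the post.
SAMPLE_BODY = r"""
All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices - up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @
"""

if __name__ == "__main__":
    for line, norm, drug in find_drug_lines(SAMPLE_BODY):
        print(f"{line:28s} -> {norm:16s} -> {drug}")
```

The substring rule is what makes “phentermine 37.5” match after its digits have been mangled; the fuzzy rule is what catches the misspelled codeine. Both are deliberately loose, so in production the output feeds a score rather than a hard block: a single hit on “soma” in ordinary text would otherwise be a false positive.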

Some examples of such Twitter accounts that direct you to the online pharmacy:

The med4udirect.com shop looks like this:

The domain appears to be registered in China; the WHOIS record:

 DomainName : MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn      

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

Administrative ID :V-X-63521-21717
Administrative Name :LU TAO
Administrative Organization :LU TAO
Administrative Address :JIEFANGLU251
Administrative City :ShangHai
Administrative Province/State :ShangHai
Administrative Country Code :CN
Administrative Postal Code :200126
Administrative Phone Number :+86.0217415426
Administrative Fax :+86.0217415426
Administrative Email :djsnhe@163.com

Billing ID :V-X-63521-21717
Billing Name :LU TAO
Billing Organization :LU TAO
Billing Address :JIEFANGLU251
Billing City :ShangHai
Billing Province/State :ShangHai
Billing Country Code :CN
Billing Postal Code :200126
Billing Phone Number :+86.0217415426
Billing Fax :+86.0217415426
Billing Email :djsnhe@163.com

Technical ID :V-X-63521-21717
Technical Name :LU TAO
Technical Organization :LU TAO
Technical Address :JIEFANGLU251
Technical City :ShangHai
Technical Province/State :ShangHai
Technical Country Code :CN
Technical Postal Code :200126
Technical Phone Number :+86.0217415426
Technical Fax :+86.0217415426
Technical Email :djsnhe@163.com

Can a spammer be creative?

Yes, that is the answer we have today. MX Lab detected a nice piece of spam and we did not want to hold this one back from you.

It is not image based and not classic ASCII art either, but text drawn with the character “#”. It did not render well in Entourage on Mac, so it needs a little work. ;-)

Death of Michael Jackson inspires spammers and malware distributors

Spammers and malware distributors are trying to take advantage of the death of Michael Jackson by sending out email campaigns with subject and/or body related to Michael Jackson while malware distributors try to infect computers by offering a URL to a site that offers a video of the death of the “King of pop”. Here is a brief overview.

Canadian Pharmacy spam

One of the campaigns contains the subject “Michael Jackson dead? NO!!!” and the body content:

Michael Jackson dead? NO!!!
Open attached file and read!!!

The attachment itself appears to be harmless and contains only an HTML refresh tag:

<meta http-equiv="Refresh" content="0; url=hxxp://addfamous.com/" />

This redirects the browser to the Canadian Pharmacy web site as soon as the attachment is opened (the 0 in content means no delay). Since the attachment is plain HTML, there is no executable for an antivirus scanner to flag, which is presumably the point.

Email harvesting

Another campaign is intended to harvest email addresses. It comes from a bogus email account, but the Reply-To is a ***@live.com account. The email claims to have special and confidential information regarding the death of Michael Jackson. A sample of the content:

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secretive to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us

The call-to-action is to reply to this message. When doing so you confirm to the spammer that the email has been received and read, and therefore that the address is live and worth more on the next list.

Malicious spam

This spam email offers a link to a YouTube video but actually sends the recipient to a Trojan downloader hosted on a compromised web site. The file is Michael.Jackson.videos.scr; the .scr extension marks a Windows screensaver, which is simply an executable. When downloaded and executed, three information-stealing components are downloaded and installed by the malware. One of them is named michael.gif, despite being a malicious component rather than a picture, and has a very low AV detection rate.

The malware then installs a malicious Browser Helper Object (BHO) registered from the file %windir%\Dynamic.dll. A second component is set to run at startup from %windir%\system32\kproces.exe, and a third malicious file is installed as %windir%\system32\fotos.exe.

Upon executing the file, a legitimate web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened in the default browser to distract the user with a news article while the installation happens.

VirusTotal permalink and MD5: 664cb28ef710e35dc5b7539eb633abca.

Student Loans

A spam message with the subject and body “Micheal Jackson History” (note the misspelled first name) leads to hxxp://loansofworld.blogspot.com/. This message was sent through Google Groups.

Contact databases

An email with the subject “Michael Jackson: last farewell from DataForYou” attracts readers with a subject related to Michael Jackson but instead offers contact databases.

Notice the TinyURL inside the email content, used to hide the direct link to the web site. TinyURL has already removed the URL, but this example shows that you need to be careful with URLs in emails where a service like TinyURL hides the full destination. Our recommendation is to use the preview feature first when you do not trust the source: TinyURL shows the destination without following it when the host is prefixed with preview. (preview.tinyurl.com/…), and bit.ly does the same when a plus sign is appended to the short link.

Dear Sirs,
in our site you have access, through the cheapest prices you have ever seen,
to a vast database of international Companies, divided by region, province, city or area of activity.

The databases are divided into two broad categories.

Archives of International Companies with E-mai only

The archives are divided by country and include a list of e-mail only.
The archives are in TXT format and they are easy to be used because
this format is the typical one used for data import. You can also find
more than one email, relferring to different people working in the same
structure, for the Companies which have provided them.

International Archives of active domains with MX record only

The archives are divided by size and include a list of domains only.
The archives are in TXT format and they are easy to use because this
format is the typical one used for data iimport. All the domains have
an active MX record; this means that each domain is directly linked
with working email accounts.

Visit our site at
hxxp://tinyurl.com/infinitemail

Don’t lose this incredible opportunity for increment your business.

InfiniteMail

Customer Care

If you no longer want to receive our email reply here:
mailto:remove@mediasch0pping.com

National Survey Panel’s Gift Program

What killed Michael Jackson?

Press here:
hxxp://totjebiok.com/tr.php?72928+*****@*****.com

Tell us. Then complete the program requirements for a FREE 7 album collection of MJ’s solo career.

These people are using the death of Michael Jackson to lure readers into filling in personal information in return for his albums for free. Note that the link carries the recipient's email address as a parameter, so every click also confirms to the sender that the address is live.

Health.com branding used in spam

A few days earlier we reported that the branding of Auslogics Software was being used in a spam campaign. We now noticed that Health.com has been subject of such abuse.

MX Lab intercepted spam messages carrying Health.com branding. The image below shows a mailing template with the Health logo, an image for Viagra and other pills, along with links to Twitter, Facebook and YouTube, opt-out links, a privacy policy and the address of Health.com.

The spammers have replaced every link with hxxp://www.blackaringo.ru, which redirects to hxxp://newpharmshappy.com/. This site belongs to our best friends, who else, the Canadian Pharmacy.

Belgian court convicts 18 persons over Nigerian scam spam

The correctional court of Bruges, Belgium, sentenced 18 persons to prison terms of 2 to 6 years for sending out fraudulent spam between February 2007 and November 2008.

In the Nigerian scam emails they claimed to have a fund in Ghana where a substantial amount of money was blocked after a woman died in a car accident. The small fortune of 35 million euro could be released with the help, and a financial contribution, of the addressee.

The police were able to arrest the gang after a tip-off and a thorough investigation of mobile phone records.

Auslogics Software logo used in spam

When spammers send their messages they try to hide their tracks by spoofing the From address in each message, sometimes using valid domains or even real email addresses. In some cases they also try to gain credibility by using the brand, logo or house style of a real company.

In this case, the victim is the company Auslogics Software (http://www.auslogics.com/).

Looking at the spam, it seems that they offer a whole range of software products. In fact the company offers software to speed up your computer, file recovery, and disk and registry defrag tools.

The Auslogics logo is embedded with a complete URL directing to the Auslogics Software web site. The other images are taken from the Amazon web site.

Unfortunately, or luckily, depending on how you look at it, the spammers did not do their homework very well. A small mistake slipped in: the provided links contain http://{oemurl}/, an unexpanded template placeholder. It seems that the spammers forgot to fill in a real URL or that a content merge failed.