The messages come the spoofed email address <member@linkedin.com> with the authors like:

Fenella  Macdonald via LinkedIn <member@linkedin.com>
Catriona  Bailey via LinkedIn <member@linkedin.com>
Susan  Jones via LinkedIn <member@linkedin.com>
....

Subjects in use:

Can i place your photo on my site?
Can i place your photo on our facebook page?
Can i place your information on our web page?
Can i place your video on our web site?
Can i place your video on my facebook page?
Can i place your contacts on our twitter page?
…..

Example of the email:

The URL in the message point to different web hosts and pages with an redirect HTML:

<html><head><title>Buy Viagra Online – Online Pharmacy</title><style type=”text/css”> a { font-size: 24pt; } </style><script type=”text/javascript”>var a = “hxxp://viagralevitratestosterone.com”;window.location = a;</script></head><body><center><h1>#1 Online Pharmacy</h1><br>Online DrugStore<br><a href=”hxxp://viagralevitratestosterone.com”>Buy Viagra Online</a></center></body></html>

In return, the redirect points to hxxp://viagralevitratestosterone.com.

MX Lab offers it’s zero hour anti virus, managed anti spam and email archiving services at a lower price of € 7 per user per year*, a huge € 2 per user discount, and the great news is that you only need to request a 15 day trial and change your MX records to make use of our service.

Our special promotion price also affects our other services like Email Archiving or the Hosted solutions. Visit our web site for a full pricing overview.

Request your 15 day trial today!

Are you active as an IT solutions provider and want to offer the MX Lab services to your clients? Do not hesitate to contact us and join the MX Lab Partner Program and benefit for the special pricing as well!

* MX Lab offers its services at a special promotion price until 31 December 2011. In order to obtain the promotion you will need to request a 15 day trial and use the trial account by modifying your MX records in order to use the MX Lab service. Each trial that is converted in a subscription at the end of the trial will benefit of the special lower price for one year.

Sent via Google Maps: Brett Lepper sent you: A Maps link
Sent via Google Maps: Brenna Eber sent you: A Maps link
Sent via Google Maps: Theodora Cavitt sent you: A Maps link
…

The subjects start with ‘Sent via Google Maps:’ and end with ‘A Maps link’.
The from email address is spoofed but starts with ‘admin@’ combined with a subdomain address.

Message body examples:

This email was sent to you by a user on Google Maps:

Hi

---

hxxp://gertie8kthv.blogginc.asia/10/8/gertie-bawa.html

The URLs in the message will redirect the user to the website of the Canadian Pharmacy at hxxp://www.bestrxs.com/.

Email messages are sent from no-reply-xxx@finance-magazine.eu, where the XXX stands for random numbers. The domain finance-magazine.eu is from the The European CFO Magazine.

Many different subjects in the French language are being used to get some attraction:

Une offre qou vous ne pouvez pas refuser
Une opportunite unique d’une vie
Faire de l’argent n’a jamais ete aussi facile!
Etes-vous interesse ?
…

This is the email content:

The embedded URLs directs visitors to hxxp://berborso.com/c/8D1DB23B.

On this landing page you will need to fill in your details including your mobile phone number.

When your details are submitted, you’ll receive an SMS with an activation code. This code needs to be filled in again on this webform together with some additional details.

I haven’t filled in my real phone number but I’m pretty sure that this is a complete SMS scam. I wouldn’t be suprised if you receive more SMS messages later on that are credited on your phone bill later on.

This domain name is registered in the Ukraine:

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: BERBORSO.COM

Creation Date: 28-Mar-2011
Modification Date: 28-Mar-2011
Expiration Date: 28-Mar-2012

Domain servers in listed order:
ns1.hahray.in
ns2.hahray.in

Registrant:
Son Svan hdgi-domains@gmail.com
WATER STREET 45/54
CHRIST CHURCH, BB17056
BARBADOS
+1.24615566596

Be carefull if you receive offers like this.

update+bscts2qxhedj@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com
…

This is the body of the email:

Notice that the Facebook looks are used to disguise the real purpose of the message.

4 different URLs are used in each message with the format: http://www.domainhere.tld/s/h/o/p/ that will redirect you to the Canadian Pharmacy at hxxp://midiclxic.ru/.

The message is sent from a spoofed email addresses like:

Notification-15955 <lwnfc@vowyg2kynvx4.veridomlegal.net>
Notification-07997 <cwujg@fgoorlgaxle7.veridomlegal.net>
…

The body of the email only contains a link to a web site:

http://www-48023.outdomnovolume.net

http://www-35051.outdomnovolume.net

….

The 5 numbers inside the web site address change with every email but always shows the web site of the Canadian Pharmacy:

The domain outdomnovolume.net is registered a few days ago according to a WHOIS is with the following details:

Domain name: outdomnovolume.net

Registrant Contact:
   Xicheng
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Administrative Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Technical Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Billing Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

DNS:
ns1.dnsfopiq.com
ns2.dnstow.ru

Created: 2011-03-19
Expires: 2012-03-19

The campaigns is send from the spoofed email address “Twitter <twitter-message-RECIPIENT=DOMAIN@postmaster.twitter.com>” where the recipients email address is included in the from address.

An example of the email:

The final destination of the URL:

More information regarding this site can be found at http://spamtrackers.eu/wiki/index.php/US_Drugs.

An example of the email:

The email contains the Twitter logo and a basic lay out. The included URL appears to be leading to the twitter.com site, along with some userid variables to make it appear genuine, but behind the URL we can notice different web site addresses with each email.

The URL leads to the web site of U.S. Drugs where you can buy…. viagra and others. What else?

More information regarding this site can be found at http://spamtrackers.eu/wiki/index.php/US_Drugs.

Very short messages like below are intercepted on our systems:

Avoir la meilleure sexe de votre vie avec ces pilules me demande <hxxp://durl.me/5cogd>

Boostez votre ego et de la longueur de votre facilement avec nous <hxxp://durl.me/5cqkx>

Apprenez à être un mari aimant à votre femme. <hxxp://durl.me/5cmx8>

Juste ce qu’il faut pour augmenter votre taille de tracas d’orgue gratuit <hxxp://durl.me/5ckzd>

Each spam message is having a different shortened URL to avoid detection by intent anaylis. durl.me does offer an API so we are quite sure that the creation of new durl.me URLs is fully automated at the system of the spammer. The site of durl.me is lacking ways to contact the owners or report any abuses and this is a benefit for a spammer.

When following the durl.me URLs we where directed to the web site hxxp://www.entermix.ru/en/

If you can’t stand the offer… Enjoy it!

Some examples of the latest spam campaign for replica watches:

Vervollständigen Sie Ihre Garderobe mit Markennamen Luxus-Accessoires

http://durl.me/4krma

Kommen Sie in unser One-Stop-Shopping-Erlebnis wunderbar, nur einen Klick entfernt.

http://durl.me/4kohn

Obtenez le Tag Heuer SLR Mercedes regarder ici

http://durl.me/4iii7

Obtenez tous vos besoins de luxe sous un même toit, et à 60% de réduction!

http://durl.me/4kpjy

Email not displaying correctly? View in your browser.
Great prices on all watch brands http://redir.ec/39qj

Our web-store of Watch-lones welcomes you!
We have copies of famous chronometer brands for more than affordable prices!
Respect and style will be easier to get!

If you wish to unsubscribe from our mailing list, click here

Assurez-il se passer maintenant avec les prix réelle et exacte des produits de luxe à la recherche.

http://durl.me/4kon6

The URLs in this spam campaign lead to the web site Ultimate Replica

We have seen the usage of URL shorteners emerge at the end of 2010 so it seems that this technique is becoming more popular among spammers. Each spam message has a different shortened URL,  sometimes even processed by different URL shortening services.

While in the first campaigns we noticed some popular URL shorteners like bit.ly being used, the trend is now that other less known URL shortening services are being used. In some cases, the URL shorteners also do not even have a way to report abuses through their web site and I think that the spammers are aware of this.

In the past, we have submitted some shortened URLs to the abuse department of bit.ly for example and we could notice that the URLs where disabled quite fast.

Most of the URL shorteners also have an API available. The API makes it even more easier to integrate an URL shortener service into a botnet or spam campaign. For example, the URL shortener wa.la has a very simple PHP API:

$shortenedurl = file_get_contents(‘http://wa.la/shorten.php?longurl=’ . urlencode(‘http://theurl.to.shorten.com/’));

With a single line, the URL is shortened and usable in a spam campaign. In this case, no account has to be created so the creation of the URL is also anonymous.

Some URL shorteners also have the ability to gather some statistics about the usage of the shortened URL. Spammers can measure certain aspects of the spam campaign they manage.

In  the past, MX Lab warned about URL shorteners and the possible threats you may encounter with them. One major disadvantage is that you are no longer to see the full URL before you click on it with certain URL shortening services. The URL shorteners that spammers use do not have a preview mode like for example bit.ly. So, the recipient will only see the full URL when following the shortened URL.

At this time it is a spam campaign for replica watches, one day it can be a malicious payload, designed to infect your computer.

MX Lab was already pro-actively scanning emails for shortened URLs since a few weeks when we noticed the first campaigns with shortened URLs. When a shortened URL is detected we take this into account when we determine wether the message is spam or not.