MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, send from a spoofed email address, with an welcome message  from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind Terms of Services or the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above function as a redirect to hxxp://keptoften.com/

Each message has different URLs included so these spammers are using a massive amount of domains in this campaign.

I personally do not understand why they are doing this because an Intent Analysis filter, that analyses the included URLs in emails, can blacklist many URLs from these web sites immediatly when investigating one single spam message.

When only using the domain for visiting the sites we get quite often a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy hxxp://pharmacymentalhealth.com (see image below).

MX lab intercepted some emails with the subject “Coupe du Monde de la FIFA 2010″ from World Cup <207peugeot@menara.ma> that are obviously spam and here is the body of the email:

bonjour ,

est ce que vous voulez voir les matchs de la coupe gratuitement ?
si oui n’hesiter pas a telecharger ce logiciel :

http://bit.ly/worldcupe

cordialement

=========================================

The message is in the French language but translated it offers you an option to get software to watch the soccer matches of the World Cup for free.

When using the bit.ly URL shortened link we arrive on the FLV web site http://www.flvpro.com/movies/?aff=4749_movies.

While this is all great, a free download of such a tool, getting your message in this format out to the world is not the way to do it. I refer to the use of bit.ly for the URL, no unsubscribe options and no clear indication who has sent this message. Very bad marketing if you ask me.

MX Lab reprted this to bit.ly, which is something we usually do not do but we thought why not, and bit.ly responded within 10 mintes with a reply that the shortened URL is blocked for further use. Thumbs up for such a fast response.

Now, this is completely off topic, but notice the counter ‘Downloaded 2358755 times’ on the web site http://www.flvpro.com/. This is just a Javascript ticker that increases the counter.

<script type="text/javascript">
var num = 2358754;
function IncCounter() {
num = num + 1;   // increment counter by 2
document.getElementById("cntr").innerHTML = num.toLocaleString();
t = setTimeout('IncCounter()', 2000);
// change 1000 to 60000 to update once per minute
}
</script>

When you refresh the page, the counter is back to 2358755.
Very nice marketing!

MX Lab noticed an increase the last few days of URLs in spam messages that point to (free) web site creater hosts or less well know blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

What we also notice is the use of random words in the spam message again. This is a very common technique being used in the past to avoid detected by Bayesian filters and/or to compromise and corrupt the knowledge database of the Bayesian filter when the message is used to train the filter.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….

New web site creator hosts are being used each day. When I visited a few of those web site creator host I found out that subscription is so easy to do. You can automate account requests quite easily up to a certain point without being blocked by some way of security measure or by clicking on an activation link by email.

On doodlekit.com we found a CAPTCHA security on the subscription web form but I believe that a good CAPTCHA should have letters that are less readable than this one. But, this is a start.

On webs.com I did set up a dummy web site account with the site address http://tryviagra.webs.com without any security measure! This means that anyone can set up an free web site creator account when completing the webforms.

In this particular case, I can even automate every step and let a bot do all the work for you. I could create from 10 to 100 accounts on a day and perhaps the site administrators wouldn’t even notice this. It is a very efficient way of getting coverage on the internet, getting free hosting for my site or redirect visitors to my site.

To make it worse, I can also place malware on this site and try to infect each visitor on my site with malware, ransomware or other malicious files.

As a spammer, I have the advantage over Intent Anyalisis tools or SURBL, tools that examine and block messages based on the included URLs, by generating mutliple URLs each day and changing URLs in the spam message.

Again, it shows that internet security is a responsability of everyone and everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features that spammers have today – this is a nice example I think – can’t be used tomorrow.

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com on their lack of security – perhaps in a certain way it is – but to point out how easy it is to abuse certain online tools.

The campaign is sent from random spoofed email addresses and has similar subjects like:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

They all have the URL in common that points to a Twitter account. The format is  http://twitter.com/***/status/*** where *** stands for random characters.

Some examples of such an Twitter account that directs you to the online pharmacy.

The med4udirect.com shop looks like this:

The domain appears to registered in China.

 DomainName : MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn      

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

Administrative ID :V-X-63521-21717
Administrative Name :LU TAO
Administrative Organization :LU TAO
Administrative Address :JIEFANGLU251
Administrative City :ShangHai
Administrative Province/State :ShangHai
Administrative Country Code :CN
Administrative Postal Code :200126
Administrative Phone Number :+86.0217415426
Administrative Fax :+86.0217415426
Administrative Email :djsnhe@163.com

Billing ID :V-X-63521-21717
Billing Name :LU TAO
Billing Organization :LU TAO
Billing Address :JIEFANGLU251
Billing City :ShangHai
Billing Province/State :ShangHai
Billing Country Code :CN
Billing Postal Code :200126
Billing Phone Number :+86.0217415426
Billing Fax :+86.0217415426
Billing Email :djsnhe@163.com

Technical ID :V-X-63521-21717
Technical Name :LU TAO
Technical Organization :LU TAO
Technical Address :JIEFANGLU251
Technical City :ShangHai
Technical Province/State :ShangHai
Technical Country Code :CN
Technical Postal Code :200126
Technical Phone Number :+86.0217415426
Technical Fax :+86.0217415426
Technical Email :djsnhe@163.com

It’s not image based, no ASCII art but the text is constructed and formatted by the character “#”. It didn’t render well in Entourage on Mac so it needs a little work.

Canadian Pharmacy spam

One of the campaigns contains the subject “Michael Jackson dead? NO!!!” and the body content:

Michael Jackson dead? NO!!!
Open attached file and read!!!

The attachment itself appears to be harmless and contains the HTML refresh tag

<meta http-equiv=’Refresh’ content=’0; url=hxxp://addfamous.com/’ />

This will redirect your browser to the Canadian Pharmacy web site.

Email harvesting

Another campaign has the intention to harvest email addresses and is coming from a bogus email account but the reply to is a ***@live.com account. The email claims to have special and confidential information regarding the death of Michael Jackson. A sample of the content:

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secretive to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us

The call-to-action is to reply to this message. When doing so you will confirm the spammer that the email has been received and read and therefore is active.

Malicious spam

This spam email offers a link to a YouTube video but actually sends the recipient to a Trojan Downloader hosted on a compromised web site. The file is Michael.Jackson.videos.scr. When downloaded and executed 3 information-stealing components are downloaded and installed by the malware. One of the files has the name michael.gif and has a very low AV detection rate.

The malware then installs a malicious BHO that is registered with this file %windir%\Dynamic.dll. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

Virus Total permlink and MD5: 664cb28ef710e35dc5b7539eb633abca.

Student Loans

A spam with the subject and the body content “Micheal Jackson History”, notice the wrong spelling of his firstname, leads to hxxp://loansofworld.blogspot.com/. This message was sent through Google Groups.

Contact databases

An email with the subject “Michael Jackson: last farewell from DataForYou” is attracting readers with a subject related to Michael Jackson but instead offers contact databases.

Notice the TinyURL inside the email content to hide a direct link to the web site. TinyURL has already removed the URL but  this example shows that you need to be carefull with URLs in emails where a service like TinyURL is shortening the full URL. Try to use a preview feature first when you don’t trust the source is our recommendation.

Dear Sirs,
in our site you have access, through the cheapest prices you have ever seen,
to a vast database of international Companies, divided by region, province, city or area of activity.

The databases are divided into two broad categories.

Archives of International Companies with E-mai only

The archives are divided by country and include a list of e-mail only.
The archives are in TXT format and they are easy to be used because
this format is the typical one used for data import. You can also find
more than one email, relferring to different people working in the same
structure, for the Companies which have provided them.

International Archives of active domains with MX record only

The archives are divided by size and include a list of domains only.
The archives are in TXT format and they are easy to use because this
format is the typical one used for data iimport. All the domains have
an active MX record; this means that each domain is directly linked
with working email accounts.

Visit our site at
hxxp://tinyurl.com/infinitemail

Don’t lose this incredible opportunity for increment your business.

InfiniteMail

Customer Care

If you no longer want to receive our email reply here:
mailto:remove@mediasch0pping.com

National Survey Panel’s Gift Program

What killed Michael Jackson?

Press here:
hxxp://totjebiok.com/tr.php?72928+*****@*****.com

Tell us. Then complete the program requirements for a FREE 7 album collection of MJ’s solo career.

These guys are using the death of Michael Jackson to attract some people to fill in some information and in return you can receive his albums for free.

MX Lab intercepted spam messages with a Health.com branding. The image below shows us a mailing template with the Health logo, an image for viagra and other pills, along withlinks to Twitter, Facebook and YouTube, opt-out links, privacy policy and the address of Health.com.

Spammer have replaced each of the links with hxxp://www.blackaringo.ru in this campaign that redirects to hxxp://newpharmshappy.com/. This site is from our best friends, who else, the Canadian Pharmacy.

In the Nigerian spam emails they claimed to have a fund in Ghana where a substantional amount of money was blocked after a woman died in a car accident. The small fortune of 35 million Euro could be released with the help and a contribution of the addressee.

The police could arrest the gang after a tip and a thorough investigation of mobile phone conversations.

In this case, the victim is the company Auslogics Software (http://www.auslogics.com/).

When looking at the spam it seems that they offer a whole branch of software products. But in fact this company offers software to speed up your computer, recovery and disc-and registry defrag tools.

The Auslogics logo is embedded with a complete URL directing to the Auslogics Software web site. The other images are taken from the Amazon web site.

Unfourtunatly, or luckely – depends how you look at it, the spammers didn’t complete their homework very well. A small mistake happened and the provided links contain http://{oemurl}/. It seems that the spammers have forgotten to include a real URL or that a content merge failed.

Google Groups spam

The following spam message is using Google Groups again to get the visitor attracted.

Hi!

Feel Better Now!!

hxxp://groups.google.com/xxxxx/robertomrlg860/web/mariana

We’re always here for you!
the past is immutable: forget it, sheep dismantler

This is the Google Groups page:

Following the URL to the Google Groups brings us to a site called Pharmacy Express under the domain hxxp://esmnyx.sg/.

CBS News spam

Another example included a “News Summary” in the header. That image is actually hosted on the CBS News site.

What is remarkable with this spam is that when you look in the message source you’ll find up to 5 different URLs in use, below the Help, Advertise, Terms of Service and other links, that redirect all to the same Canadia Pharmacy web site.

Pizza Hut

Another “victim” in the spam campaigns is Pizza Hut. The “Order Now” button and the “Click for more deals” tab are both images hosted on the Pizza Hut site.

The message source even contains an URL from Pizza Hut going to their special landing page: hxxp://getmore.emailpizzahut.com/****. The URLs also lead to the Canadian Pharmacy.

Power Gain spam

Besides viagra and other pills, techniques and products to increase your manhood are also very popular. This example shows you the latest one.

Do notice that with these campaigns the spam messages contain some footers with unsubscribe links, click your email preferences and so on. With these techniques spammers try to make their messages appear as a valid mailing trying to mislead the readers.