Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services
It comes as no surprise that as Easter approaches, spammers are taking advantage of the holiday. Though there hasn’t been any noticeable increase in traffic, there have been a few subtle changes to the websites that spammers link to, such as the one below.
This is a common tactic for the people who create these websites, and the spam runs that are developed to send victims there. The main site itself will stay the same, but a key banner in a central location gets updated with a seasonal or topical theme. Below is an example of a banner taken from the same site as the one above, at a time when there were no upcoming seasonal holidays. The below banner is a “standard” offer, rather than a seasonal special, but in reality it is the same offer as the one above, for the same price. All that has changed is the theme.
Any company operating over the web will have a similar setup: to make their website seasonally relevant, all they have to do is replace a single centrally located image, and it changes the theme of the whole site. It allows them to make “special offers” to try and entice customers to buy their product. As authors of these pharmaceutical sites, the spammers are no different and use the same tactics to try and encourage people to make a purchase. Here are some more examples, two of which are using a Valentine’s Day theme, and the third taken from a replica goods site using a Christmas theme.
As well as these changes to the usual websites, MessageLabs Intelligence has also intercepted some Easter “e-card” spam emails. These emails tell the recipient that they have “received a 2010 Easter 3D e-Card”. The inclusion of 3D is interesting, as it could be the authors attempting to use the recent surge of interest in 3D media (films, TV, etc.) to increase the likelihood of people falling for their scam.
The links that are supposed to allow the recipient to see the fabulous 3D card in reality link to a malicious executable file. Anyone who runs it hoping to see their card will be disappointed, as all they will get is an infected computer.
Something else MessageLabs Intelligence has seen is a little different. The following emails all have links that take the viewer to the same place: a legitimate website for a US-based company.
The fact that these links lead to the same legitimate website could suggest that they are genuine marketing e-mails, but what is unusual about them is that there is a large amount of random text and symbols hidden in the HTML source. Here is a small section of the hidden text in the source.
This kind of random text is often seen in botnet spam, and is known as “poison.” It is a crude attempt to bypass some simple spam filters, and there is no reason for anything like it to be in a legitimate email. We aren’t sure why this spam is leading to a genuine company’s website. It could be an attempt by a rogue third party to make money from affiliate marketing, where a fee is paid by the legitimate company for every visit to their site made by someone coming through a referral e-mail or website advertisement. All we know for certain is that although the end destination is a legitimate business, these e-mails are certainly not legitimate marketing.
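One way a mail filter could surface the hidden “poison” described above, as an added example that is not MessageLabs code: it assumes the text is hidden with HTML comments or inline CSS (the post does not say which technique was used), and the thresholds, names and sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed hiding techniques; the post does not say which one these e-mails used.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0*[01](px|pt)?\s*(;|$)", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}
NON_TEXT = {"style", "script", "title"}   # content that is never rendered as body text
# Constructed samples, not taken from the e-mails described in the post.
POISONED = ('<html><body><p>Spring offers <a href="http://shop.example/">here</a></p>'
            '<div style="display:none"><span>qzx vortl 88#~ mmbk plarn!! xoq wuvv 7%% jjkd</span></div>'
            '<!-- kkrz ^^ tblo wqne 31 zzap --></body></html>')
CLEAN = "<html><body><p>Our spring newsletter: new opening hours and a store map.</p></body></html>"

class HiddenTextScanner(HTMLParser):
    """Separates text a reader sees from text present only in the HTML source."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                      # (tag, state) for each open element
        self.visible, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        state = self.stack[-1][1] if self.stack else "visible"   # children inherit
        if tag in NON_TEXT:
            state = "skip"
        elif state == "visible" and HIDING_STYLE.search(dict(attrs).get("style") or ""):
            state = "hidden"
        self.stack.append((tag, state))
    def handle_endtag(self, tag):
        open_tags = [t for t, _ in self.stack]
        if tag in open_tags:                 # tolerate unbalanced markup: unwind to nearest match
            del self.stack[len(open_tags) - 1 - open_tags[::-1].index(tag):]
    def handle_data(self, data):
        state = self.stack[-1][1] if self.stack else "visible"
        if data.strip() and state != "skip":
            (self.hidden if state == "hidden" else self.visible).append(data.strip())
    def handle_comment(self, data):
        self.hidden.append(data.strip())     # comments never render

def poison_report(html, min_hidden_chars=40, min_ratio=0.5):  # thresholds are illustrative
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    hidden = sum(len(t) for t in scanner.hidden)
    visible = sum(len(t) for t in scanner.visible)
    ratio = hidden / (hidden + visible) if hidden + visible else 0.0
    return {"hidden_chars": hidden, "hidden_ratio": round(ratio, 2),
            "suspicious": hidden >= min_hidden_chars and ratio >= min_ratio}
```

Legitimate newsletters also carry some hidden text (short preheaders, client-specific conditional comments), so the result is best used as one signal alongside others rather than a verdict on its own.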
As always, be careful of what you receive by e-mail and be particularly cautious when it is linked to a seasonal holiday. Any unsolicited e-mails, or e-mails from unknown sources with attachments should be ignored and deleted. If you receive any unsolicited marketing that interests you, go to your browser and type in the address of the company yourself, rather than click on any links in an e-mail.