This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services.
As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally such links appear in only a tiny fraction of a percent of spam, but on November 18 the share jumped to 4 percent of all spam. This new surge comes entirely from the DonBot botnet.
The apparent aim of these e-mails is to lure people into “get rich by working at home” schemes, in which the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to try to get past basic filters. First, the body of the e-mail is simply an image (of a fake newspaper article), intended to get past text-based signatures.
Second, the image itself is a link to a Twitter account, an attempt to get past link signatures: Twitter is a legitimate site that cannot be blocked without also blocking a huge amount of perfectly innocent e-mail. The Twitter update it links to is a short message telling people they could earn a certain amount of money per day, with a link to follow. A large number of Twitter accounts are used, and they appear to be a mixture of hijacked accounts (quite old, with genuine-looking updates) and fake accounts set up purely for spamming (not very old, containing only spam-like links).
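A filter-side sketch of the two evasion tricks just described, added here as an illustration and not Symantec's own detection logic: it flags a message whose HTML body is essentially a single image that is itself a hyperlink to a legitimate social site. The sample message, the abused-host list and the text-length threshold are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate sites the run abused as an intermediate hop (assumption).
ABUSED_LEGIT_HOSTS = {"twitter.com", "www.twitter.com"}


class _BodyScan(HTMLParser):  # link targets, images inside links, visible text
    def __init__(self):
        super().__init__()
        self.hrefs, self.linked_imgs, self.text, self._in_link = [], 0, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._in_link = True
            self.hrefs.append(a["href"])
        elif tag == "img" and self._in_link:
            self.linked_imgs += 1  # an image the reader can click on

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        self.text.append(data.strip())


def score_message(raw: str, max_text_chars: int = 40) -> dict:
    # Both indicators together mark the message suspicious; either alone is common in legitimate mail.
    msg = message_from_string(raw)
    html = ""
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
    scan = _BodyScan()
    scan.feed(html)
    visible = "".join(scan.text)
    hosts = {urlparse(h).hostname or "" for h in scan.hrefs}
    reasons = []
    if scan.linked_imgs and len(visible) <= max_text_chars:
        reasons.append("body is essentially one clickable image with little or no text")
    if hosts & ABUSED_LEGIT_HOSTS:
        reasons.append("the image links to a legitimate social site used as a hop")
    return {"suspicious": len(reasons) == 2, "reasons": reasons, "hosts": sorted(hosts)}


# Constructed sample in the shape described above; the account name is a placeholder.
SAMPLE_SPAM = """Content-Type: text/html; charset=us-ascii

<html><body><a href="http://twitter.com/PLACEHOLDER_ACCOUNT"><img src="cid:article.jpg"></a></body></html>
"""
```

A newsletter with real article text and a "follow us" Twitter link triggers only the second indicator, so it is not flagged.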
There are a few website links at the end of the trail, and all are similar: each contains a story explaining how the victim could make large amounts of money for very little effort, followed by a step-by-step list of things to do in order to start making this money. The first step is to fill out a form and pay a small “trial” fee. Some of these websites even include a photo of a “happy customer” holding a check for more than $29,000, a tactic meant to increase the credibility of the scam.
We have also seen this scam run through hijacked Facebook accounts, where the scammers use a legitimate Facebook account that does not belong to them to post updates to the account’s ‘friend’ list. These updates contain links to the same Twitter accounts used by the e-mails.
Any website or e-mail claiming to have an offer to make easy money that seems too good to be true, almost certainly is. Don’t be fooled!