News

Spammers Mine New Ground

• By William Jackson
• November 10, 2008

In hours of the closing of polls, online security companies began reporting a rash of e-mails purportedly coming from news organizations or official government sites containing links to speeches, interviews or other election news. The links actually redirect e-mail recipients to malicious code. MX Logic reported seeing more than 1 million of the messages in the first two hours of their appearance, and Sophos said similar messages represented up to 60 percent of all malicious spam seen in its labs on Nov. 5.

In its most recent State of Spam report, covering October 2008, Symantec Corp. reported that spam averaged a little more than 76 percent of all e-mail detected at the mail gateway with SMTP layer filtering last month. That is up by 6 percentage points from the same month last year, but down from an 80 percent peak in August.

After dropping over the last year, the amount of image spam (e-mails that contain images as the body of the message to avoid having text filtered), began to spike again in October, most of it associated with bank phishing schemes. The United States once again was the No. 1 source of spam last month, originating 29 percent of the worldwide volume. Turkey was in second place with 8 percent.

Less than 12 hours after Obama's Nov. 4 acceptance speech, MX Logic began seeing messages in its spamtraps from spoofed addresses for organizations such as BBC, CNN and USA Today. The subject lines included "Barack Obama Wins," "Election Night Results" and "Fear of a Black President." Links in the messages took recipients to a look-alike news Web site that prompted users to download a file called "adobe_flash9.exe," which actually contains malware.

Websense Inc. Security Lab reported a more targeted Spanish language version of the spam in lower numbers, with the subject line "Nuevo Presidente Afroamericano en EE.UU." It touts a video interview with Obama advisers and contains a link to a file called "BarackObama.exe" which downloads a Trojan horse hosted on a compromised travel site.

The version reported by Sophos prompts you to "watch his amazing speech at November 5!" and supposedly links to a "2008 American Government Official Website," which provides information about current U.S. foreign policy. This also prompts the viewer to update Adobe Flash, which downloads a piece of malware identified as Mal/Behav-027.

Obama-related spam is not new, and his brand outpaced McCain spam during the final month of the campaign by a wide margin, according to several observers.

"One of the new election-related spam attacks observed in October has been dubbed by spammers as a 'Barackumentary,'" said Symantec's State of Spam report. It contained the subject line: "CHANGE for the Worse-Your FREE DVD."

"Spammers offered a free DVD about Barack Obama; however, in order to receive this 'free' video, recipients were asked to provide personal credit card details to the sender," the report said.

Political spam only accounted for 3 percent of the volume detected by Symantec in October, but financial scams accounted for 18 percent. It tied with phony product offers for the second most common type of attack. Offers for Internet services such as Web hosting and design and spamware was No. 1, with 22 percent of the total.

The economic crisis was a major driver for malicious e-mail last month, Symantec reported. "Spammers are swarming around the current economic concerns using it as a vehicle for their spam attacks. The recent economic bailout package and interest rate cuts have allowed spammers to step up their efforts on this type of attack."

One attack was an American variation on the well-known Nigerian fraud. The subject line was "US Treasury Department," and it contained a message claiming to come from U.S. Treasury Secretary Henry Paulson, saying that he had been instructed by the United Nations to "wire a sum of $1m into your Bank Account in a Legal way." But to claim the money the recipient was asked to provide personal details.

Another attack capitalized on the Federal Deposit Insurance Corp.'s high profile in the news recently. An e-mail with the subject "funds wired to your account stolen," purportedly from the FDIC, asks you to check an attached bank statement that contains malware.

With the election behind us, what can we look forward to? "With the 2008 holiday season approaching, spammers are once again taking a seasonal spam angle and using e-mail to tout such wares as pharmaceutical, product and casino spam," Symantec said.

Nothing says "Merry Christmas" like a fake Rolex.