Tag Archives: Hosted Mail Security

Last month Symantec posted few blogs (here and here) on an increase in spam messages with .pw URLs.

Since then the volume of URLs with .pw domains has considerably decreased. At the beginning of May the peak volume .pw domains accounted for about 50 percent of all spam URLs. Currently, .pw domains account for less than 2 percent for the last seven days.

Figure 1. .pw TLD appearance in spam messages

The decrease in .pw domains is the result of a close collaboration between Symantec and Directi in reporting and taking down the .pw domains associated with spam.

The latest evidence from the Global Intelligence Network shows that even with such a small presence of former country top-level domains for Palau, .pw spammers don’t give up and start using different tactics. They keep an eye on the latest news from around the world and convert hot news headers into domain names.

One such example is the domain name babykingishere.pw, which was registered on July 24 by a registrant from Panama. The name chosen by spammers was based on the big news from the UK, the birth of future king. While the world is celebrating, spammers have definitely tried to take advantage of the event.

So far, the spam domain was only observed within promotional hit-and-run spam. One of the main characteristics of this type of spam is the use of “throw away” domains, which the babykingishere.pw domain is.

Sample “From” lines taken from observed Hit and Run spam with the babykingishere.pw domain:

• From: “Cable Internet” <CableInternet@babykingishere.pw>
• From: “Medical Billing and Coding Education” <MedicalBillingandCodingEducation@babykingishere.pw>

Figure 2. Sample spam message with links containing the babykingishere.pw domain

Currently, both samples are blocked by Symantec with IP reputation and content filtering. Symantec will continue to monitor .pw domains and any appearance of “Royal Baby” spam.

For the last few months, Symantec has been observing pharmacy related spam attacks where spammers are using the legitimate Google Translate service to avoid anti spam filters. 

Most of the samples received were sent from hijacked email addresses from popular free mail services. 
The majority of the messages’ subject lines were promoting either online pharmacies or well-known  tablets such as Viagra, Cialis and others. Furthermore, in an effort to make the spam immune to filters, several observed subject lines contained randomized non-English characters or words inserted at the beginning or end of the subject line. 

Figure 1. Sample subject lines

The body of the spam message contains a Google Translate link as well as promotional text explaining the advantages of ordering medicines from online websites, there’s even a discount code included for the reader.

Figure 2. Sample spam message

The mechanism of the redirection is quite complex. After clicking the link, Google Translate is meant to get a second address embedded in the link, which then redirects to a pharmacy website.

In our sample the final destination was the following pharmacy site:

• [http://]www.magic-pharm.com

It is worth noting that previously spammers mostly used freewebs or URL shortening services in the second part of the link (redirection link), but recently they’ve taken advantage of country IDN top-level domains, especially Cyrillic .рф domains. In redirection links, Cyrillic domains are represented in Punycode. 

The following is an example of a link as it presented in a spam mail:

• [http://]www.google.com/t%72ans%6C%61%74e_p?hl=%65%6E&u=pnfd.fr.%78n–8%%330%61%66%61f0asd%62%63g.%78n-p1a%69/tipfa6eeAFLSinIMyxPMzA3NDMwMDAEACeKBEI+.aspx

Output from win-1251 decoding:

• [http://]translate.google.com/translate?hl=en&u=http://pnfd.fr.xn--80afaf0asdbcg.xn--p1ai/tipfa6eeAFLSinIMyxPMzA3NDMwMDAEACeKBEI%2520.aspx

With Punycode decoding:

• [http://]translate.google.com/translate?hl=en&u=[http://]pnfd.fr.конггандон.рф/ipf24aeAGzLC8vs0zJMzA3NDQ0NzAEACbKBDs .aspx

Symantec is successfully blocking the majority of variations of Google Translate redirection spam and is closely monitoring for any other inappropriate use of Google Translate services in spam email. This exploit is used in spam campaigns and has not, as yet, been observed being used in the distribution of malware.

For the last few months, Symantec has been observing pharmacy related spam attacks where spammers are using the legitimate Google Translate service to avoid anti spam filters. 

Most of the samples received were sent from hijacked email addresses from popular free mail services. 
The majority of the messages’ subject lines were promoting either online pharmacies or well-known  tablets such as Viagra, Cialis and others. Furthermore, in an effort to make the spam immune to filters, several observed subject lines contained randomized non-English characters or words inserted at the beginning or end of the subject line. 

Figure 1. Sample subject lines

The body of the spam message contains a Google Translate link as well as promotional text explaining the advantages of ordering medicines from online websites, there’s even a discount code included for the reader.

Figure 2. Sample spam message

The mechanism of the redirection is quite complex. After clicking the link, Google Translate is meant to get a second address embedded in the link, which then redirects to a pharmacy website.

In our sample the final destination was the following pharmacy site:

• [http://]www.magic-pharm.com

It is worth noting that previously spammers mostly used freewebs or URL shortening services in the second part of the link (redirection link), but recently they’ve taken advantage of country IDN top-level domains, especially Cyrillic .рф domains. In redirection links, Cyrillic domains are represented in Punycode. 

The following is an example of a link as it presented in a spam mail:

• [http://]www.google.com/t%72ans%6C%61%74e_p?hl=%65%6E&u=pnfd.fr.%78n–8%%330%61%66%61f0asd%62%63g.%78n-p1a%69/tipfa6eeAFLSinIMyxPMzA3NDMwMDAEACeKBEI+.aspx

Output from win-1251 decoding:

• [http://]translate.google.com/translate?hl=en&u=http://pnfd.fr.xn--80afaf0asdbcg.xn--p1ai/tipfa6eeAFLSinIMyxPMzA3NDMwMDAEACeKBEI%2520.aspx

With Punycode decoding:

• [http://]translate.google.com/translate?hl=en&u=[http://]pnfd.fr.конггандон.рф/ipf24aeAGzLC8vs0zJMzA3NDQ0NzAEACbKBDs .aspx

Symantec is successfully blocking the majority of variations of Google Translate redirection spam and is closely monitoring for any other inappropriate use of Google Translate services in spam email. This exploit is used in spam campaigns and has not, as yet, been observed being used in the distribution of malware.