HACKER MEDICINE

Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
 

Figure 1. .pw TLD spam message increase
 

Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. 

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. The top 25 subject lines from .pw URL spam from May 1, 2013 were:

• Subject: For all the moms in your life on Mother’s Day.
• Subject: Tax Relief Notification
• Subject: Remove IRS Tax Penalties
• Subject: Save on the most beautiful bouquets for Mom
• Subject: Reusable K Cup for Keurig or single-brew coffee maker
• Subject: Garden Today says, “By far the easiest hose to use”
• Subject: HOME: Amazingly Strong water hose you can fit anywhere.
• Subject: The LAST water hose you’ll ever need
• Subject: No Hassle Pricing on Ford Vehicles
• Subject: Own a NEW Ford for the Summer
• Subject: May 1st Ford Clearance Event
• Subject: Lasik- Safe, Easy, and Affordable
• Subject: Safe, Easy, and Affordable Lasik
• Subject: We work with the Biggest and Best Brands in Fashion
• Subject: Whos the hottest? Post . Vote . Win
• Subject: Are You and Your Business seen at a global scale?
• Subject: Power your entire House, Pool and more with Solar Energy
• Subject: Most EFFECTIVE way to treat Hypertension
• Subject: Solar power slashes your electric bill in half
• Subject: Global Business Registry for Networking Professionals
• Subject: Finally, an EFFECTIVE fat shredding solution
• Subject: Register with other professionals
• Subject: Easiest Way To Lower Blood Pressure
• Subject: Secret To Lowering Blood Pressure Naturally
• Subject: Refinance Today, Save Tomorrow

In addition to creating anti-spam filters as needed, Symantec has been in contact with Directi and working with the registrar to report and take down the .pw domains associated with spam. Symantec believes that collaborating with the registrar is a more progressive and holistic approach to solving this problem.

For that past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, he…