Symantec is observing an increase in spam containing URLs. On May 16, URL spam volume increased by 12%, from 84% to 96%, and it has since fluctuated between 95% and 99%. That means 95% of the spam messages delivered during this period had one or more URLs in them.
Figure 1. URL spam message volume
During this period, .ru was the most used top-level domain (TLD). As illustrated in Figure 2, it is interesting to note a drop in .ru spam and a simultaneous rise in .com and .pw spam. Over 73% of the URL spam contained the .ru, .com, or .pw TLDs.
Figure 2. Top 3 TLDs distribution (last seven days)
Table 1. Spam volume of top 5 TLDs that contributed to total URL spam
We are observing an increasing use of shortened URLs and free Web domains with the .ru TLD. The spam examples seen are mainly hit-and-run (a.k.a. snowshoe) spam. The call to action URL in the spam message leads to fake offers or online pharmacy stores.
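The measurements described above (share of messages carrying a URL, TLD distribution, use of shortened URLs) can be reproduced over a mail sample. This is an added example, not Symantec's tooling; the shortener list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed shortener hosts for this example; the page names no specific service.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def hosts_in(message):
    """Lower-cased hostnames of every http(s) URL found in a message body."""
    hosts = []
    for raw in URL_RE.findall(message):
        try:
            host = urlsplit(raw.rstrip(".,;:!?)")).hostname  # trim trailing punctuation
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def tld_of(host):
    """Return a '.ru'-style TLD, or None for bare names and IP literals."""
    last = host.rsplit(".", 1)[-1]
    if "." not in host or ":" in host or last.isdigit():
        return None
    return "." + last

def summarize(messages):
    """Return (% of messages with a URL, TLD counts, messages using a shortener)."""
    with_url, shortened, tlds = 0, 0, Counter()
    for msg in messages:
        hosts = hosts_in(msg)
        if not hosts:
            continue
        with_url += 1
        # One vote per message per TLD, so a message repeating a link counts once.
        tlds.update({t for t in map(tld_of, hosts) if t})
        shortened += any(h in SHORTENERS for h in hosts)
    share = 100.0 * with_url / len(messages) if messages else 0.0
    return share, tlds, shortened

SAMPLE = [  # constructed messages, not real spam
    "Ends today! http://offers.example.ru/deal, see also HTTP://Example.RU:8080/x",
    "Free shipping: http://tinyurl.com/placeholder",
    "Good health here http://shop.example.pw/rx.",
    "Plain text message with no link at all",
    "Visit http://192.0.2.10/promo now",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Counting each TLD once per message keeps a single message stuffed with links from skewing the distribution.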
Below are the Subject lines that may be seen in spam emails.
Subject: Ends Today! Buy One, Get One Free
Subject: 48 Hours Only | Free Shipping!
Subject: FREE LIFETIME PASS – WHENEVER YOU WANT
Subject: Are you dreaming about good health?
Subject: Satisfy your girl fully
Subject: Win your lady’s addiction
Subject: Present your women real care
Subject: You need Ukrainian woman with beautiful eyes that are ready to talk to private theme?
Figure 3. URL spam message
This sudden rise in URL spam volume was seen in December 2012 and January this year, when holiday season spam and year-end spam were on the rise. Symantec will continue to monitor this uptick in spam containing URLs and will keep our customers protected with additional filters to block these attacks.
Phishers are trying everything they can to improve their chances of harvesting user credentials. They are known for experimenting with different fake social media applications in a desperate move to lure users. Recently, we found a few examples of some…
Natural disasters, like tornadoes and earthquakes, are quite common in the United States of America. Unfortunately, the Oklahoma City suburb of Moore experienced a violent tornado on Monday, May 20, that sadly resulted in dozens of casualties. Spammers…
Late last week, Walmart alerted the public to an email-based scam that used the company’s name (misspelled as “Wallmart”) to illegally gather information about users. The email sported the title “Thanks for your Walmart.com order,” and after confused users clicked on links within the emails, their Walmart accounts were charged. While local police departments and…
Memorial Day is celebrated on May 27 and it is a day for memorializing the men and women who have died in military service for the United States. It is a common practice for cybercriminals to take advantage of events and holidays. This year, various sp…
Contributor: Avdhoot Patil
Celebrity scandals are always popular and phishers are keen on incorporating them into their phishing sites. Recently, we observed a phishing site featuring British singer and actress Rita Ora. The phishing site was hosted on…
In the last few weeks we have observed a drastic increase in “penny stock” spam emails. In 2011 Symantec published a blog entitled Global Debt Crises News Drives Pump-and-Dump Stock Scams, which also dealt with this type of spam.
Penny stocks, also known as cent stocks, are shares in small companies that trade at low prices, often as low as a few cents per share. Penny stocks are a very popular topic used by spammers. The spam emails advertise the cheap shares and state that the company is on the verge of becoming very successful and that the value of the shares will rise significantly. The emails make out that the company is more valuable than it actually is and imply that it has just created some major product or is on the verge of a breakthrough, and that the share value is tipped to rise dramatically. The aim is to increase sales of the stock, which in turn raises its value, so that the fraudster can sell their penny stocks for significantly more than they paid for them. This stock fraud method is known as “pump and dump.”
We are seeing various spam methods being used in stock spam, such as broken words, obfuscation with irrelevant line spaces, and insertion of randomized characters in the header or body of the emails.
Figure 1. Penny stock spam emails
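A filter can see through the broken words, stray line breaks and random filler described above by tolerating a few junk characters between the letters of a watched term. This is an added example, not Symantec's filter logic; the watch-list, the gap limit of three characters, the filler heuristic and the sample text are all assumptions constructed for illustration.

```python
import re

# Assumed watch-list for this example; the page publishes no keyword list.
TERMS = ("penny stock", "trade alert", "shares")
# Tolerate up to 3 filler characters (spaces, line breaks, punctuation)
# between consecutive letters of a term.
GAP = r"[\W_]{0,3}"

def term_pattern(term):
    letters = [re.escape(c) for c in term if not c.isspace()]
    # The look-arounds stop a match from starting or ending inside another word.
    return re.compile(r"(?<![a-z])" + GAP.join(letters) + r"(?![a-z])", re.I)

PATTERNS = {t: term_pattern(t) for t in TERMS}

def is_hash_buster(token):
    """Heuristic: a long token mixing letters and digits is likely random filler."""
    return (len(token) >= 8 and bool(re.search(r"[a-z]", token, re.I))
            and bool(re.search(r"\d", token)))

def analyse(text):
    """Return ([(term, matched_text, was_obfuscated)], [random-looking tokens])."""
    hits = []
    for term, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # A match that differs from the plain term was split or padded.
            hits.append((term, m.group(0), m.group(0).lower() != term))
    fillers = [t for t in re.findall(r"[A-Za-z0-9]+", text) if is_hash_buster(t)]
    return hits, fillers

# Constructed sample text, not taken from a real message.
SAMPLE = ("Hot pe nny st-ock t r a d e\nal.ert qx7Rk29vLp\n"
          "These sh ares are set to rise. Ordinary penny stock text.")

if __name__ == "__main__":
    for hit in analyse(SAMPLE)[0]:
        print(hit)
```

The obfuscation flag is the useful signal: a plain mention of a term is weak evidence, while the same term split across spaces or lines is something legitimate senders rarely produce.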
Symantec is observing an increase in spam volume related to stock spam, which can be seen in the graph below.
Figure 2. Volume trend of stock spam email
Below are the most frequently observed subject lines in these attacks:
Subject: Stock Picking Contest, Sign Up Today
Subject: “Before The Close” From Standout Stocks!
Subject: A Royal Treat To Start The Week
Subject: Expect More from this Bull
Subject: Explosive Pick Coming
Subject: It Is Our Hot New Trade Alert!
Subject: Its trading levels could be Set to Explode!
Subject: Let`s Do It Again! Tonight We Have Another Breaking Bull!
Subject: This Company Shows Gains
Subject: This Company shows Strength
Subject: What a Fantastic Week! Our Members had the Opportunity to Make Some Serious Gains!
Symantec advises users to be cautious when handling unsolicited or unexpected emails and to update antispam signatures regularly. Symantec is closely monitoring these “pump and dump” spam attacks and will continue monitoring this trend to keep our readers updated.