Spammer success is dependent on two factors:
- Evading spam filters so the spam message arrives in the recipient inbox
- Crafting messages so that the recipient is enticed to open them and perform the desired call-to-action (click on the link, open the attachment, etc.)
Spammers walk a fine line to balance these two aspects; relying heavily on one factor and ignoring the other will make the spam campaign fail. For example, spammers can evade spam filters by randomizing the subject and body of the message; however, such a randomized message is likely to be ignored as obvious spam by even the most unsophisticated user. Similarly, crafting stand-out, enticing messages to increase the email open rate often results in spam filters blocking the message. Spammers have a tough challenge.
Rising up to meet this challenge, spammers are now hiding the true content from the user more than ever before. While there are still spam campaigns with links to online pharmacies with subject lines mentioning a variety of popular Rx names—can it be more obvious?—more sophisticated spam campaigns now use enticing email content unrelated to the spam. One of the most popular methods is to use current events and news, such as the death of a celebrity or major figure or even a natural disaster. A spam message may look like a legitimate email from a news organization containing an article about current events, but actually links to a spam website. This spam strategy is common for spam messages that spread malware.
To increase the success of the call-to-action, spammers have realized that registering a domain for their spam has become less effective because it is too easy for anti-spam software to simply block that particular domain. To counter anti-spam efforts, spammers may now use hijacked URLs (otherwise legitimate servers hosting spam content without the owner’s knowledge) or URL shorteners that obfuscate the destination as the call-to-action.
Let’s take a look at how spammers adapted and changed their content through a six-week period to increase their success in both message delivery and email open rates.
We begin this journey with a message that spoofs a well-known voicemail service brand.
Figure 1. Malicious spam message
Clicking the Play button leads to the following URL:
Instead of playing the voicemail, malware is actually delivered to the computer.
On December 19, spammers changed their content template from voicemail to a fake delivery failure notification from large retailers. How do we know this is the same attack? There are various clues in the message (including the same type of hijacked URLs being used), but the most obvious is the mistake the spammer made by using the same header as the first sample, indicating a missed voicemail, while the body of the message indicates a delivery failure notification from a retailer.
Figure 2. Wrong spam email subject reveals single spam campaign
Oops! This was obviously a mistake on the spammer’s part as the content was quickly fixed (in four minutes, or possibly sooner).
Figure 3. Fixed spam email subject
Two additional retailers were also spoofed as part of this particular spam campaign. The structure of the messages remained the same, but the spammers used a variety of hijacked URLs as a call-to-action, which changed the directory paths. This spam campaign hid the spam content in various first directories, but eventually used several directories over time.
Figure 4. Spammer uses various content directory names over time
This spammer preferred to use one particular directory path at a time, and then move on to the next one, rather than distributing the spam across multiple options all at once.
Another change occurred on January 7, when holiday shopping activity had presumably declined. Rather than using a fake delivery notification from a large retailer, the spammers switched to spoofing a large utility company.
Figure 5. Spam campaign switches from retailer to utility company spoofing
The spammer made the same mistake once again with an email subject header that indicates a delivery notification from a retailer, but a body message showing an energy utility statement.
Figure 6. Another wrong spam email subject reveals single spam campaign
Oops again! This mistake was soon fixed with a corrected email subject.
Figure 7. Fixed spam email subject
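The two linking clues described above (a subject left over from the previous template, and call-to-action directories used one after another) can be checked mechanically over collected samples. The following is an added example, not code from the original post; the theme keywords, hosts, directory names, message text and day offsets are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Theme keywords are assumptions for this example, not taken from the samples.
THEMES = {
    "voicemail": ("voicemail", "missed call"),
    "delivery": ("delivery", "package"),
    "utility": ("energy", "electricity", "statement"),
}

def theme_of(text):
    """Return the theme with the most keyword hits in text, or None."""
    low = text.lower()
    scores = {t: sum(low.count(k) for k in kws) for t, kws in THEMES.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else None

def template_links(messages):
    """Subject/body theme mismatches: each one ties two templates together."""
    pairs = ((theme_of(m["subject"]), theme_of(m["body"])) for m in messages)
    return {(s, b) for s, b in pairs if s and b and s != b}

def first_dir(url):
    """First directory in the URL path, or '' when the path has none."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return parts[0] if len(parts) > 1 else ""

def directory_timeline(messages):
    """List of (directory, first_day, last_day), ordered by first sighting."""
    seen = {}
    for m in messages:
        d = first_dir(m["url"])
        lo, hi = seen.get(d, (m["day"], m["day"]))
        seen[d] = (min(lo, m["day"]), max(hi, m["day"]))
    return sorted(((d, lo, hi) for d, (lo, hi) in seen.items()), key=lambda r: r[1])

def one_at_a_time(timeline):
    """True when each directory's window closes before the next one opens."""
    return all(a[2] < b[1] for a, b in zip(timeline, timeline[1:]))

# Constructed samples: every value below is invented for this example.
_ROWS = [
    (0, "Voicemail message received", "You have a missed voicemail.", "http://site-a.example/alpha/play.php"),
    (10, "Voicemail message received", "Delivery of your package failed.", "http://site-b.example/alpha/info.php"),
    (10, "Delivery failure notification", "Delivery of your package failed.", "http://site-c.example/alpha/info.php"),
    (15, "Delivery failure notification", "Delivery of your package failed.", "http://site-d.example/beta/info.php"),
    (29, "Delivery failure notification", "Your energy statement is attached.", "http://site-e.example/gamma/view.php"),
    (29, "Energy statement", "Your energy statement is attached.", "http://site-f.example/gamma/view.php"),
]
SAMPLES = [dict(zip(("day", "subject", "body", "url"), r)) for r in _ROWS]
```

Calling `template_links(SAMPLES)` returns the voicemail-to-delivery and delivery-to-utility pairs, which chain the three templates into one campaign, and `one_at_a_time(directory_timeline(SAMPLES))` confirms the sequential directory use.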
Why did these spammers choose to use utility statements for their spam content? They may be leveraging consumer fear of a large electricity bill due to the Christmas holiday period to make their spam message more enticing to click on. The spam message contains a large bill, and that piques the recipient’s interest enough to make the spam campaign a success.
There was a small spike in retailer-spoofed spam on January 12, well after the utility spam increased in volume. Those messages, while retaining the overall structure of the previous campaigns, dropped the reference to the Christmas holiday.
Figure 8. Post-Christmas delivery notification spam
As the above examples have demonstrated, spammers are always attempting to make their spam messages undetectable by spam filters. They also want to appeal to recipients by pretending the spam contains some legitimate content. In this particular case, clicking on the link leads to a .zip file download containing Trojan.Fakeavlock malware.
There will be more avenues for spammers to entice recipients to click on spam messages as we live more of our lives online. These same spam strategies will continue. Unfortunately, this means that Web users must continue to be on high alert for spam and observe the following best practices to stay protected:
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails
- Avoid clicking on links in unsolicited, unexpected, or suspicious emails
- Avoid opening attachments in unsolicited, unexpected, or suspicious emails
- Keep security software up-to-date
- Update antispam signatures regularly
Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.