Email-malware senders guide – Chapter 1

July 26th, 2010 by Avi Turiel | Category: Email Security, malware

Last week we saw an interesting series of emails which seemed to indicate a mid-outbreak change of tactic.  The initial series of emails all had banking and account related themes.  The emails indicated that it was necessary to open an attached document file.  The attachments were actually zipped executable Trojan downloaders.

A VirusTotal (www.virustotal.com) scan showed reasonably high detection rates amongst AV vendors (although we gave them a very generous three days).  At this point we would remind readers about the importance of zero-hour detection as provided by certain products.  Updating signature files many hours after an outbreak will not protect users who receive these attached files before the update has been made available and downloaded.  Note the file size – a relatively large 150KB.

Similar account-themed emails continued to appear over the next 2 days – but this time with an embedded link.  The executable file, with an almost identical large file size, was again categorized as a Trojan downloader.  Here again we tested the file at VirusTotal one day after the outbreak (as above – this is lots of time in outbreak terms) and got a 66% detection rate.

The 150KB file size is shown below.

The conclusion for malware distributors: If at first you don’t succeed – send a link…
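
The zipped-executable pattern described above is one a mail gateway can catch before any signature exists, by looking inside the archive instead of trusting the attachment name. The script below is an added example written for this page, not Commtouch's code and not anything recovered from the campaign: the message, the sender and recipient domains, the "MZ"-headed stand-in for an executable and the document-looking double-extension member name are all constructed assumptions. It decodes each attachment, opens zips in memory, flags members with a PE header or an executable extension, reports encrypted members it cannot read, and records the decoded size, since the post singles out the unusually large file size as a clue.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions Windows runs directly. A zip member with one of these, or with
# a PE ("MZ") header whatever its name, is treated as an executable.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Constructed stand-in for a PE file: the "MZ" DOS header plus padding. It is not
# the downloader from the campaign, only enough bytes to exercise the check.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200


def build_sample_eml() -> bytes:
    """Constructed 'account statement' message with a zipped executable attached."""
    msg = EmailMessage()
    msg["From"] = "accounts@bank.example"          # constructed sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your account statement"
    msg.set_content("Please open the attached statement and confirm your details.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # document-looking double extension (assumed naming, not taken from the post)
        zf.writestr("statement.pdf.exe", FAKE_PE)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return bytes(msg)


def inspect_zip(data: bytes) -> list:
    """Return one reason string per archive member that looks executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is named as a zip but is not a valid archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:        # encrypted member: content cannot be read
                reasons.append(f"{info.filename}: encrypted member, not inspectable")
                continue
            with zf.open(info) as fh:
                head = fh.read(2)           # only the magic bytes are needed
            ext = os.path.splitext(info.filename)[1].lower()
            if head == b"MZ":
                reasons.append(f"{info.filename}: PE executable (MZ header)")
            elif ext in EXEC_EXTENSIONS:
                reasons.append(f"{info.filename}: executable extension {ext}")
    return reasons


def triage_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 822 message and flag executables.

    Each finding records the attachment name, its decoded size in bytes and the
    reasons it was flagged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext == ".zip" or payload[:2] == b"PK":
            reasons = inspect_zip(payload)
        elif payload[:2] == b"MZ" or ext in EXEC_EXTENSIONS:
            reasons = [f"{name}: bare executable attachment"]
        else:
            reasons = []
        if reasons:
            findings.append({"attachment": name, "size": len(payload), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(f"{finding['attachment']} ({finding['size']} bytes)")
        for reason in finding["reasons"]:
            print("  -", reason)
```

The check reads magic bytes rather than names because renaming is free for the sender; an encrypted member is reported as uninspectable rather than silently passed, which is the case a quarantine policy has to decide on explicitly.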


Widespread fake Amazon orders lead to PDF malware

July 22nd, 2010 by Avi Turiel | Category: Email Security, Web Security

Well-crafted emails mimicking Amazon order confirmations have been detected in large quantities in the past week.  The Amazon logo and “your account” button actually take image files from the Amazon website.  The email includes twelve links designed to motivate recipients to click:

  • More information about an Amazon Visa card
  • The ordered items are not shown and are linked
  • The identity of “ordered by:” requires a click
  • Perhaps intentionally, the order amounts do not add up, leading a recipient to seek clarification by clicking on the order number
  • The header and footer of the message include “your account”, “Help department”, and “amazon.com” links

The links all lead to short-lived websites hosting malicious pdf files.  The pdf file is executed within an iframe and is therefore launched without user approval.  This final aspect highlights the importance of having a Web security solution to protect users.


HTML attachments – now with malware!

July 21st, 2010 by Avi Turiel | Category: Email Security, malware

In the last few weeks we have detected increasing usage of HTML attachments in a variety of message types – all of them attempting to install malware.  These sorts of attachments are generally not blocked by message scanning systems.  In addition they may arouse less suspicion in users than zipped attachments.

In the examples below, the malware is either in the form of a script within the attached HTML or, more traditionally, leads to a website with some form of malicious script:

  • YouTube friend invitation – includes Trojan downloader within HTML
  • Delivery status notification – includes Trojan downloader within HTML
  • Spam “hot news for you” – leads to a pharmacy website with malware script
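
Because an HTML attachment is plain text to most attachment filters, the useful check is for active content inside it: scripts (inline or external), iframes, meta refreshes and plugin objects, plus the handful of script calls that droppers lean on to obscure themselves. The scanner below is an added example written for this page, not Commtouch's code; the "friend invitation" message, its domains and its placeholder script (which only writes a paragraph) are constructed. The same check applies to the "Reset your Twitter password" HTML attachment described further down this page. Parts are selected by content type or by a .htm/.html filename, since senders routinely mislabel the type.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Script calls that legitimate HTML attachments rarely need but droppers lean on
# to hide what they do. Matching one is a reason to hold the message, not proof.
SUSPICIOUS_JS = ("eval(", "unescape(", "document.write(", "fromcharcode", "activexobject")
HTML_EXTENSIONS = (".htm", ".html")

# Constructed "friend invitation" page. The script only writes a paragraph; it is
# a placeholder for the downloader the post describes, not the campaign's code.
SAMPLE_HTML = """<html><body>
<p>You have a new friend request. Loading...</p>
<iframe src="http://redirect.example/landing" width="1" height="1"></iframe>
<script>document.write(unescape('%3Cp%3Eplaceholder%3C/p%3E'));</script>
</body></html>
"""


def build_sample_eml() -> bytes:
    """Constructed message carrying SAMPLE_HTML as an attachment (domains invented)."""
    msg = EmailMessage()
    msg["From"] = "noreply@video-site.example"
    msg["To"] = "user@example.org"
    msg["Subject"] = "You have a new friend invitation"
    msg.set_content("Open the attached page to accept the invitation.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="invitation.html")
    return bytes(msg)


class HtmlScanner(HTMLParser):
    """Collect active-content indicators: scripts, iframes, meta refresh, plugins."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None        # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            src = a.get("src")
            self.findings.append(f"external script: {src}" if src else "inline script")
        elif tag == "iframe":
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            note = " (1x1, likely hidden)" if hidden else ""
            self.findings.append(f"iframe to {a.get('src', '?')}{note}")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh: {a.get('content', '')}")
        elif tag in ("object", "embed", "applet"):
            self.findings.append(f"plugin content: <{tag}>")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).lower()   # whole script, so markers can't be split
            self._script = None
            for marker in SUSPICIOUS_JS:
                if marker in body:
                    self.findings.append(f"script uses {marker.rstrip('(')}")


def scan_html(text: str) -> list:
    """Run the scanner over one HTML document; findings come back in document order."""
    scanner = HtmlScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def triage_html_attachments(raw: bytes) -> dict:
    """Map each HTML attachment (by type or by .htm/.html name) to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() != "text/html" and not name.lower().endswith(HTML_EXTENSIONS):
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        results[name] = scan_html(payload.decode(charset, errors="replace"))
    return results


if __name__ == "__main__":
    for name, findings in triage_html_attachments(build_sample_eml()).items():
        print(name)
        for f in findings:
            print("  -", f)
```

An HTML attachment with no findings is not cleared by this, only not flagged; a page that simply links to a malicious site, as in the pharmacy example, would need the link analysis applied to its anchors as well.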

Outbound spam? Survey says – Service Providers are looking for a solution

July 9th, 2010 by Eyal Orgil | Category: Data & Research, Outbound Spam

Recently, our service provider customers have become increasingly vocal about the problem of outbound spam, the spam generated within their own networks. We recently sponsored a survey with Osterman Research asking Web hosting companies, ISPs, and email managed service providers how they manage outbound spam.

As you can see from our beautiful chart – service providers are trying a range of methods to stop outbound spam before it becomes inbound spam in someone else’s network.  The chart is taken from the Osterman Research report into outbound spam commissioned by Commtouch, available for download here: http://www.commtouch.com/outbound-spam-report

These methods create problems of their own: false positives that block legitimate users, while low-volume or regional outbound spam still slips through (potentially getting the provider blocklisted), as shown in the graphic below.

As always, the key is to find an effective solution that creates the ever desirable win-win solution: You save your IP reputation, your customers are happier, and you can appropriately apportion your resources without the additional volume from the zombies and spammers.


Survey Says – Outbound Spam IS Your Problem

July 7th, 2010 by Eyal Orgil | Category: Data & Research, Outbound Spam

Zombies, compromised accounts, and malicious users are just some of the friendly neighborhood spammers on service providers’ networks. Every piece of spam going in AND getting out is your problem, long before it becomes someone else’s.  Commtouch recently commissioned a survey by Osterman Research to determine the state of the industry with regard to outbound spam.

One key finding is that fighting outbound spam is expensive. Sixty-eight percent of service providers are spending up to $100,000 per year on controlling the problem. Four percent are spending more than $250,000.   Fighting outbound spam is important to your customers, too. Eighty-seven percent believe it is important or extremely important for email providers to actively eliminate zombies – a primary source of outbound spam – from their networks.

The research investigates all aspects of the outbound spam problem and is available for download here: http://www.commtouch.com/outbound-spam-report

Resolving the outbound spam issue also can help service providers to retain customers: our research found that 56% of end users whose outbound email was blocked because of their providers’ outbound spam problem would switch to a provider that would not block innocent users.


Can’t wait for AT&T? – Get an Apple iPhone 4 for Free!!

June 23rd, 2010 by Avi Turiel | Category: Email Marketing

Those frustrated with the on-again-off-again order status conundrum surrounding the launch of the newest iPhone might be tempted to respond to a wave of spam promising free iPhones (see spam sample below).

There are multiple templates for the email but all lead to a website that seems to only need your email address.

At this point we would normally warn you about this sort of email address harvesting and remind you that Commtouch would have easily classified the email as spam.  However, we decided to follow the trail a wee bit further…

We used a site called oDigger.com that indexes affiliate programs, and did a search for “iPhone”.  See the screenshot below for the page describing this particular program.  An affiliate (in this case our spammer) will receive $1.35 every time someone follows one of the emails, arrives at the page shown above and enters their email (see the line for “Payout”).  This new customer is potentially very valuable as he/she is about to be exposed to multiple pages of additional affiliate advertising – all of them promising that the iPhone 4 is “just one more step away”.

Respondents who enter an email address and hit “continue” will be expected to fill in a detailed form in order to “claim their iPhone”.  There are then 12 (yes… 12) pages of “Step 2 – complete the survey”.  Each completion generates more affiliate revenue.  These are followed by 3 pages of “last steps” that require completion of multiple (at least 9) partner offers (more affiliate revenues).  Although we are very dedicated to probing the workings of spam and Internet marketing we decided we’d earned a coffee break – so we stopped at this point.  Guess we’ll have to wait for AT&T…


Harry Potter’s magic money foundation and more…

June 17th, 2010 by Avi Turiel | Category: Anti-scam

In their efforts to convince innocent recipients to part with their hard-earned cash, email scammers have created seemingly endless versions of lottery, financial aid, and surprise inheritance stories.  And now these…  For anyone looking for some new scam tales, we present:

  • The Harry Potter Foundation giving away GBP 250,000 (and they are based in “Potter house”)
  • The Facebook Africa Jackpot Promo giving away $800,000 (to “compensate” you for their 6 years)

What will they come up with next!  (watch this space…)


Reset your Twitter password – Malware

June 15th, 2010 by Avi Turiel | Category: Email Security, malware

Commtouch labs have received scores of emails targeting Twitter users.  The emails have been neatly constructed to include the recipient’s email address within the message – making them look more genuine.

Recipients are asked to open an attached html file to view their new password.  The website that loads contains a browser exploit.  Not very friendly…


Spammers/malware writers celebrate World Cup 2010

June 10th, 2010 by Avi Turiel | Category: Anti-scam, Spam Favorites

On the eve of the Soccer/football World Cup 2010 in South Africa we spoke to Mr. BuyVi@ GraNow the head of the NGO “WESPAM” (Worldwide Excess Senders of Phony Applications and Mail).  WESPAM claims to represent most of the evil Internet.  Mr. GraNow said, “Events such as the World Cup represent a unique opportunity for the evil underbelly of the Internet.  The opportunities for exploiting public interest are so numerous – pharmacy spam, scams, malware email attachments, SEO poisoning, etc.  We’re dizzy with excitement!”

Mr. GraNow wrote down our email address and promised he would send us further details of the activities planned to coincide with the world’s greatest tournament.  Although he didn’t send any further details we were thrilled to receive notification of a huge World Cup Lottery victory! We have subsequently won the lottery so many times we don’t know what to do with all the money – and each time the email was thoughtfully worded slightly differently:

  • ***south africa 2010 fifa world cup lottery promotion****
  • ***south africa 2010 fifa world cup lottery promotions***
  • ,,,sa 2010 world cup lotto drew;;;;;;;
  • claim your fifa world cup football award/ticket
  • congratulation! you have won us$1,220,000.00 for soccer world cup 2010 promotional draw
  • congratulation!!! for 2010 world cup promotion
  • fifa 2010 world cup lottery department
  • fifa-mtn world cup team official prize notification
  • final notification for south africa fifa 2010 world cup lottery
  • south africa 2010 world cup award notification!!!
  • south african 2010 fifa world cup lottery award
  • south african 2010 world cup bid lottery award
  • south african world cup 2010 free lottery draw
  • winner – fifa world cup online draw
  • world cup bid lottery award
  • you have won south africa 2010 world cup lottery
  • you have won south africa 2010 world cup lottery computer promotional draw
  • your email just won 2010 world cup in south africa & fifa promotion


Apple iTunes, iPad, … iMeds?

June 1st, 2010 by Avi Turiel | Category: Spam Favorites

No – of course it’s not a new product from our favorite tech trend-setters – but it’s not surprising to see the Apple name being used to generate subjects for pharmacy spam messages.  It’s even less surprising to see the new iPad being used to attract curious clickers – especially as the millionth unit was sold.  The iPad spam email (see sample) includes some standard “received from Microsoft” footer text to give the appearance of legitimacy.  Nevertheless, we had to giggle at the irony of “Microsoft” “announcing” the millionth iPad sale.

A further example is this “confirmation” email supposedly received from an Apple store.  The order numbers used in all the samples we analyzed were randomized – apparently to fool content-based anti-spam solutions.  Clicking on “order information” leads you to the friendly folk of the Canadian Pharmacy.
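
Both the randomized order numbers here and the World Cup lottery subjects listed earlier on this page (each one "thoughtfully worded slightly differently") are aimed at the same weakness: a content filter that matches exact strings. The usual answer is to normalize before matching, so that digits collapse to a placeholder and punctuation noise disappears, and then to key on the vocabulary of the lure rather than on any one wording. The code below is an added example written for this page, not Commtouch's classifier; the eighteen subject lines are the ones quoted in the World Cup post, the lure vocabulary and the "world cup"/"fifa" event test are constructed, and the two order-confirmation bodies are constructed stand-ins that differ only in their order number.

```python
import hashlib
import re

# Subject lines quoted in the World Cup post above, used here as the sample set.
WORLD_CUP_SUBJECTS = [
    "***south africa 2010 fifa world cup lottery promotion****",
    "***south africa 2010 fifa world cup lottery promotions***",
    ",,,sa 2010 world cup lotto drew;;;;;;;",
    "claim your fifa world cup football award/ticket",
    "congratulation! you have won us$1,220,000.00 for soccer world cup 2010 promotional draw",
    "congratulation!!! for 2010 world cup promotion",
    "fifa 2010 world cup lottery department",
    "fifa-mtn world cup team official prize notification",
    "final notification for south africa fifa 2010 world cup lottery",
    "south africa 2010 world cup award notification!!!",
    "south african 2010 fifa world cup lottery award",
    "south african 2010 world cup bid lottery award",
    "south african world cup 2010 free lottery draw",
    "winner – fifa world cup online draw",
    "world cup bid lottery award",
    "you have won south africa 2010 world cup lottery",
    "you have won south africa 2010 world cup lottery computer promotional draw",
    "your email just won 2010 world cup in south africa & fifa promotion",
]

# Constructed vocabulary of the lottery/prize lure. Kept deliberately small: the
# point is that punctuation and number variation stop mattering once normalized.
LURE_TOKENS = {"lottery", "lotto", "award", "won", "winner", "prize", "promotion",
               "promotions", "promotional", "draw", "drew", "claim", "congratulation",
               "congratulations", "jackpot", "notification"}

# Constructed order-confirmation bodies differing only in the randomized order
# number, the trick the iMeds post describes. Not the campaign's actual text.
ORDER_A = "Your order W123456789 has been confirmed. Click order information to view it."
ORDER_B = "Your order W987654321 has been confirmed. Click order information to view it."


def normalize(text: str) -> list:
    """Lowercase, collapse every number to <num>, drop punctuation, return tokens."""
    text = text.lower()
    text = re.sub(r"\d[\d,.]*", "<num>", text)       # years, amounts, order numbers
    text = re.sub(r"[^a-z<>\s]", " ", text)          # ***, ;;;, dashes, slashes, currency
    return text.split()


def fingerprint(text: str) -> str:
    """Template hash: identical for messages that differ only in numbers/punctuation."""
    return hashlib.sha256(" ".join(normalize(text)).encode()).hexdigest()


def is_lottery_lure(subject: str) -> bool:
    """Event reference plus at least one lure word, judged on normalized tokens."""
    tokens = set(normalize(subject))
    about_event = ({"world", "cup"} <= tokens) or "fifa" in tokens
    return about_event and bool(tokens & LURE_TOKENS)


def flag_subjects(subjects) -> list:
    return [s for s in subjects if is_lottery_lure(s)]


if __name__ == "__main__":
    print(f"{len(flag_subjects(WORLD_CUP_SUBJECTS))} of {len(WORLD_CUP_SUBJECTS)} subjects flagged")
    print("order bodies share a template:", fingerprint(ORDER_A) == fingerprint(ORDER_B))
```

The fingerprint is what lets one report of a campaign cover every randomized variant of it; the subject rule shows the complementary approach for text that is reworded rather than merely renumbered. A benign subject about the tournament ("world cup 2010 match schedule") passes the event test but carries no lure word, so it is not flagged.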
