Hackers Use New Phishing Methods

Researchers at a German antivirus vendor Avira caution users about the latest pharma spam campaign which generates e-mails showing characteristics usually related with phishing attacks.

Sorin Mustaca, Manager of International Software Development at Avira, cautions that recently, they have witnessed e-mails that look very much similar to phishing mails but they were actually spam. The spammers attempted to make them appear as authentic as the entity they are faking - such as Amazon, Twitter, Facebook, etc, as per the news by Softpedia on August 17, 2010.

The e-mails come with the subject line "<Full name> has sent user a message on Facebook" and usually contain a picture from meds spam as the text.

If the user sees the header carefully, it can be noticed that except name, there is nothing else from Facebook. It is clearly noticeable that the mails have been sent via a botnet, and they employ the regular link spoofing attempt (wherein the user views facebook, but the real target is something else).

Another noticeable thing in the e-mail is the picture not attached to the mail, but a reference from a site. It appears that the hackers are very confident that their sites are no longer being closed so quickly as they played everything on a single card. The picture is harbored on a similar domain used for hosting the websites of Canadian pharmacy.

Further, the campaign uses a combination of ploys to circumvent conventional spam filters. The mail carries a link which does not take the user to the target website but to an online forum on the famous Yahoo! Groups platform. This forum has an ad, advertising Viagra, which links to the Canadian pharmacy site.

The objective is to dodge spam filters which search the mail content for addresses of famous spam sites. Platforms like Yahoo! Groups are categorized as authentic websites by such filters and thus generally undetected.

Avira checked almost 100 of mails in this group and all of them use the similar domain. Investigation has revealed that all the domains are registered in China by a single registrar who owns 14 thousands other domains.

In addition, Avira reported about similar mail template abuse used to imitate official communications from LinkedIn, YouSendIt, Gmail, ImageShack, My Opera, ShopNBC or Twitter.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 8/24/2010