17 Nov 2011 11:42 PM
Websense® ThreatSeeker® Network detects millions of spam/malicious email campaigns on a daily basis. A campaign is sent within a short window and then disappears for a while; most last about an hour or less, which leaves defenders very little time to block the messages before the wave is over. Below are the top 5 campaigns we've seen over the last several days.
Warning: If you see these Subject lines in your mailbox, please don't open an attachment or click on a link. Doing so could be dangerous for the health of your device.
- Order N21560 (numbers vary)
The link in the email redirects to a URL ending in .ru/main.php or .com/main.php, which serves the Blackhole exploit kit. The emails claim the recipient has just purchased an Adobe CS4 license, which is odd, because version 5.5 was already out at the time. The spammers obviously have not done their research and are behind the times.
- FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE:)
- Fwd: Your Flight Order N125-9487755 (numbers vary)
Users are lured into clicking a "CLICK HERE" link, which redirects to another URL serving the Blackhole exploit kit. I guess these emails are targeting a specific audience: a) people who have driven a vehicle in New York, b) people who have recently been cited for a speeding violation, and of course c) the curious, because otherwise why would anyone click this link?
3. Delivery companies:
- USPS Invoice copy ID46298 (numbers vary)
- FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
- DHL Express Notification for shipment 90176712199 (numbers vary)
Fake invoice and package-tracking emails have been around for several years and usually carry an attachment that installs a banking Trojan such as Zeus or SpyEye. Websense Security Labs™ has written several blogs before about similar cases. I just want to point out that such emails are still being sent in bulk and are still being used as a vector to infect end users' computers. They remain popular because the attachment is repacked for every new campaign, so antivirus vendors struggle to release signatures in time and fail to block it, as in this case: the campaign is known, yet VirusTotal shows only 8 of 42 engines detecting the attachment.
This email claims the attachment is a patch for WoW (World of Warcraft). Unfortunately for the criminals, the archive is corrupt and therefore harmless to the recipients. Subject lines containing "test" are commonly used by criminals to spread their malicious software: users are accustomed to seeing legitimate "test" emails when a mail system is being checked, and spammers also use such messages to validate that an address is live.
5. Payment/tax systems:
- FRAUD ALERT for ACH
- Your Wire Transfer
- Wire transfer rejected
- IRS requires new EIN
- IRS Tax report
This type of email first appeared in August-September 2011, and we wrote a blog about the ACH campaign at the time. The email in the screenshot was received today, yet its date still reads August. The spam-bot seems to think it's still August!
The malicious spam campaigns listed above reuse the same recurring themes, which spammers rarely change. What does change from one campaign to the next is:
- Switching between attachments and malicious or compromised links
- Repacking attachments so that existing antivirus signatures no longer match
- Slightly altering the email template
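The "numbers vary" note on each subject line above is the detail a mail filter has to cope with: the lure text is constant while the order, ticket and tracking identifiers change per message. The following is an added example, not Websense's code and not from the original post. It collapses any token containing a digit into a placeholder so that every message of a campaign maps to a single template, matches those templates against the subjects listed in this post, and flags templates that spike inside a short window, since the campaigns described here last about an hour. The one-hour window, the threshold of three messages, the normalization heuristic and the sample inbox (which uses the identifiers quoted above plus invented variants) are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not Websense's code): collapse the varying identifiers in the
# subject lines listed above into one template per campaign, so the whole
# campaign can be matched or counted even though every message carries a
# different order/ticket/tracking number.

_PREFIX = re.compile(r"^(?:(?:fw|fwd|re)\s*:\s*)+", re.I)   # leading FW:/Fwd:/Re:
_ID_TOKEN = re.compile(r"\b\w*\d\w*\b")                     # any token containing a digit


def normalize_subject(subject: str) -> str:
    """Strip FW:/Re: prefixes, replace digit-bearing tokens with '#', lowercase."""
    s = _PREFIX.sub("", subject.strip())
    s = _ID_TOKEN.sub("#", s)
    return re.sub(r"\s+", " ", s).strip().lower()


# Templates for the subjects listed in this post; labels follow the post's grouping.
KNOWN_LURES = {
    "order #": "fake order, link to Blackhole exploit kit",
    "uniform traffic ticket (id: #)": "fake traffic ticket, link to Blackhole exploit kit",
    "your flight order #-#": "fake flight order, link to Blackhole exploit kit",
    "usps invoice copy #": "delivery company lure, malicious attachment",
    "fedex: new agent file form, trackid: #": "delivery company lure, malicious attachment",
    "dhl express notification for shipment #": "delivery company lure, malicious attachment",
    "fraud alert for ach": "payment/tax lure",
    "your wire transfer": "payment/tax lure",
    "wire transfer rejected": "payment/tax lure",
    "irs requires new ein": "payment/tax lure",
    "irs tax report": "payment/tax lure",
}


def classify(subject: str):
    """Return the campaign label for a known lure subject, or None if unknown."""
    return KNOWN_LURES.get(normalize_subject(subject))


def burst_templates(messages, window=timedelta(hours=1), threshold=3):
    """Find subject templates that spike within a short window.

    messages: iterable of (datetime, subject). Returns {template: peak count},
    keeping only templates whose peak count inside any `window`-long span is at
    least `threshold`. The one-hour window and threshold of 3 are assumptions
    chosen for this example; the post only says campaigns last about an hour.
    """
    by_template = defaultdict(list)
    for ts, subject in messages:
        by_template[normalize_subject(subject)].append(ts)

    bursts = {}
    for template, times in by_template.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[template] = peak
    return bursts


# Constructed sample inbox: identifiers from the post plus invented variants.
_T0 = datetime(2011, 11, 17, 9, 0)
SAMPLE_MESSAGES = [
    (_T0 + timedelta(minutes=0), "Order N21560"),
    (_T0 + timedelta(minutes=4), "Order N21571"),
    (_T0 + timedelta(minutes=9), "FW: Order N21588"),
    (_T0 + timedelta(minutes=12), "FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922)"),
    (_T0 + timedelta(minutes=15), "Fwd: Your Flight Order N125-9487755"),
    (_T0 + timedelta(minutes=20), "USPS Invoice copy ID46298"),
    (_T0 + timedelta(minutes=30), "FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ"),
    (_T0 + timedelta(minutes=31), "DHL Express Notification for shipment 90176712199"),
    (_T0 + timedelta(minutes=45), "Wire transfer rejected"),
    (_T0 + timedelta(minutes=50), "Meeting notes for Thursday"),   # benign
    (_T0 + timedelta(hours=3), "Order N21602"),                    # same lure, outside the burst
]


if __name__ == "__main__":
    for ts, subject in SAMPLE_MESSAGES:
        print(ts.strftime("%H:%M"), normalize_subject(subject), "->", classify(subject))
    print("bursts:", burst_templates(SAMPLE_MESSAGES))
```

Template matching on normalized subjects catches the "numbers vary" trick, but it is deliberately narrow: a slightly altered template, the third change listed above, yields a new key, which is exactly why the burst check is there. A template that appears many times within an hour is worth a look even when it is not in the known list.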
Websense Email Security and Websense Web Security solutions protect against this kind of blended threat with ACE, our Advanced Classification Engine.