ECommerceTimes.com

The Spam World's Election Season Blast


Spammers and phishers are apparently keeping up well with current events, using the public's interest in the presidential race to lure people into malicious Web sites from which they can install malware and swipe personal info. Also, many spammers have taken to using free hosting sites rather than running their own.



With the political election season ramping up, spammers are again using news headlines about the candidates to saturate in-boxes. Researchers have uncovered two new spam clusters with subject lines relating to Barack Obama. At certain points, one of these spam runs accounted for up to 18 percent of all spam, according to MessageLabs.

Overall, spam levels for the U.S. in June reached 86 percent of all received mail compared with spam levels at 81.5 percent in the rest of the world. Some U.S. states are more affected than others, according to a recent monthly spam trend report from the company.

Varying socioeconomic factors are affecting the spam rates in certain states. Researchers attribute these higher spam levels to the fact that consumers, employees and businesses do not place as high a priority on IT security as other states do. In addition, residents of these states may be more willing to share personal information via the Internet, increasing their likelihood of being spammed.

"The distribution schemes have remained the same in the last few years. The size and pace of the botnets are getting worse. They are more diversified. One big change is with what is in e-mail and how it is hosted," Matt Sergeant, senior antispam technologist for MessageLabs, told the E-Commerce Times.

Scandalous Lures

In the latest batch of spam mail headers, MessageLabs' researchers uncovered the e-mail subject line, "Scandal rocks Obama as lurid sex video leaked." Numerous variations of that subject line are occurring.

Some of them are sexually charged; others contain insults. Many of the messages contain links to Web sites that are part of the "Porn Tube" family of malware. This is a name given to a family of porn sites that specialize in YouTube-like content, according to MessageLabs.

Many of the URLs (uniform resource locators) link directly to a file named "video.exe." This file is a well-known virus that will launch widely recognized malware termed "Nuwar," "Zlob" or "Dorf." MessageLabs saw a similar attack in April, spoofing YouTube videos but not being mailed out as links in the same way. Previously, the malware was distributed via user-generated content sites such as blogs and links on comments pages.
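As a defensive illustration of the pattern described above (message links that point straight at a file such as "video.exe"), the following added example, which is not part of the original article or MessageLabs' tooling, scans a message for links whose path ends in an executable extension. The extension list, function name and sample messages are constructed for illustration.

```python
import email
import posixpath
import re
from email import policy
from urllib.parse import unquote, urlsplit

# Assumed list of directly executable Windows extensions (not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def executable_links(raw_message: str) -> list[str]:
    """Return each http(s) URL in the message whose path ends in an executable extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            # Only the path is checked: "?file=video.exe" in a query string
            # does not make the link a direct download of an executable.
            path = unquote(urlsplit(url).path).lower()
            if posixpath.splitext(path)[1] in EXECUTABLE_EXTS and url not in hits:
                hits.append(url)
    return hits

# Constructed sample: HTML mail whose "video" link is really an executable.
SAMPLE_LURE = (
    "From: news@sender.example\n"
    "Subject: Breaking news video\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><a href="http://clips.example/watch/video.exe">Watch now</a>'
    "</body></html>\n"
)

# Constructed sample: ordinary links, one with an .exe name only in the query string.
SAMPLE_BENIGN = (
    "From: digest@news.example\n"
    "Subject: Daily digest\n"
    "\n"
    "Read it at http://news.example/story.html?file=video.exe or\n"
    "browse http://news.example/clips/.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, executable_links(raw))
```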

"Spammers are now using current news in subject lines. This is actually quite elaborate and interesting. These subject lines are probably template-driven and are probably linked to owners of the Storm Worm," Sergeant said.

The Payload

If the victim follows the links in the message, he or she is taken to what appears to be a YouTube video with a note at the top informing the user that a new HD codec is required. The message then prompts the user via a dialog box to install an ActiveX object.

Once that dialog box opens, the computer user cannot close it. When canceled, an error is displayed and the dialog box appears again until the user clicks the "OK" button. The executable codec automatically begins downloading and evades many traditional antivirus detection mechanisms.

The second spam cluster contains e-mail purporting to sell watches or pills but claiming to be sent from e-mail addresses like BarackObamaIsMyHomeboy.com, ObamaMail, and, strangely, BarackObamaIsYourNewBicycle.com. The headers in the original e-mail show that the spammers have used these domains to send the mail, according to MessageLabs.

Another strategy involves a batch of spam e-mails advertising hybrid cars. The messages urge recipients to "go green" and save both on price and on fuel costs, according to MessageLabs. The links within the e-mail are set up to collect personal data and e-mail addresses and are unrelated to hybrid cars. Users are led through a series of pages promoting "make money fast" schemes.

Spammers Going Free

One noticeable change in strategy is the use of free hosting sites to find victims to further propagate spam attacks. Spammers are no longer running their own Web sites.

"Spammers are putting links on Google (Nasdaq: GOOG) Docs. This is convenient. Google provides free analytics as well. This adds another layer of hiddenness. The same thing is happening with Microsoft's (Nasdaq: MSFT) free servers," said Sergeant.

Despite the method or the subject line, the spammers' intent remains unchanged. These newest developments are just the latest generation of topical spam, say other antispam experts.

"They try to get people to go to infected sites. We need a solution that protects on both sides," Sven Krasser, director of data mining research at Secure Computing, told the E-Commerce Times.

Solutions Remain Unchanged

Some spam watchers call this new variation the "hybrid mail" approach. The goal is the same: to get spam recipients to click on a link that takes them to an infected web site, Krasser noted.

Spammers win the battle by getting computer users to click on a bad link. It's a numbers game. That hasn't changed, although the tricks have.

"Large volumes of mail are involved. It is inevitable that some workers will click on a bad link. All it takes is one computer to exploit a network. Then the spammer gets the inside track," explained Krasser.

Work or Home the Same

Regardless of whether the recipient clicks while logged onto a home network or a business network, the same chain of events begins.

"The infected code changes the DNS (domain name system) at the user's router. So to prevent this from happening users must change their access password," said Krasser.

Most people keep the installed default password. Wireless routers especially have the most potential for being compromised this way, he added.

Continuing Cat-and-Mouse Game

"Spammers [are] trying to stay ahead of the curve. It is really no different than an arms race," suggested Krasser.

For antispam protectors, filtering out each new tweak the spammers create meets with the same end -- the companies update their spam filters. Catching the new twists to old tricks is not much of a challenge.

"A couple of new servers are doing these things. They are using templates so it's easier to catch. We just adjust our filters to keep our customers safe," Dirk Morris, CTO of Untangle, told the E-Commerce Times.

The bad guys are continually trying to do new things that get people to click on an event. It's always interesting to see because they are really getting good at it, he added.


More by Jack M. Germain