The Spam World’s Election Season Blast

With the political election season ramping up, spammers are again using news headlines about the candidates to saturate in-boxes. Researchers have uncovered two new spam clusters with subject lines relating to Barack Obama. At certain points, one of these spam runs accounted for up to 18 percent of all spam, according to MessageLabs.

Overall, spam levels for the U.S. in June reached 86 percent of all received mail compared with spam levels at 81.5 percent in the rest of the world. Some U.S. states are more affected than others, according to a recent monthly spam trend report from the company.

Varying socioeconomic factors are affecting the spam rates in certain states. Researchers attribute these higher spam levels to the fact that consumers, employees and businesses do not place as high a priority on IT security as other states do. In addition, residents of these states may be more willing to share personal information via the Internet, increasing their likelihood of being spammed.

“The distribution schemes have remained the same in the last few years. The size and pace of the botnets are getting worse. They are more diversified. One big change is with what is in e-mail and how it is hosted,” Matt Sergeant, senior antispam technologist for MessageLabs, told the E-Commerce Times.

Scandalous Lures

In the latest batch of spam mail headers, MessageLabs’ researchers uncovered the e-mail subject line, “Scandal rocks Obama as lurid sex video leaked.” Numerous variations of that subject line are occurring.

Some of them are sexually charged; others contain insults. Many of the messages contain links to Web sites within the message that are part of the “Porn Tube” family of malware. This is a name given to a family of porn sites that specialize in YouTube-like content, according to MessageLabs.

Many of the URLS (uniform resource locators) have direct links to a file named “video.exe.” This file is a well-known virus that will launch widely recognized malware termed “Nuwar,” “Zlob” or “Dorf.” MessageLabs saw a similar attack in April, spoofing YouTube videos but not being mailed out as links in the same way. Previously, the malware was distributed via user-generated content sites such as blogs and links on comments pages.

“Spammers are now using current news in subject lines. This is actually quite elaborate and interesting. These subject lines are probably template-driven and are probably linked to owners of the Storm Worm,” Sergeant said.

The Payload

If a the victim follows the links in the message, he or she is taken to what appears to be a YouTube video with a note at the top informing the user that a new HD codec is required. The message then prompts the user via a dialog box to install an ActiveX object.

Once that dialog box opens, the computer user cannot close it. When canceled, an error is displayed and the dialog box appears again until the user clicks the “OK” button. The executable codec automatically begins downloading and evades many traditional antivirus detection mechanisms.

The second spam cluster contains e-mail purporting to sell watches or pills but claiming to be sent from e-mail addresses like BarackObamaIsMyHomeboy.com, ObamaMail, and, strangely, BarackObamaIsYourNewBicycle.com. The headers in the original e-mail show that the spammers have used these domains to send the mail, according to MessageLabs.

Another strategy involves a batch of spam e-mails advertising hybrid cars. The messages urge recipients to “go green” and save both on price and on fuel costs, according to MessageLabs. The links within the e-mail are set up to collect personal data and e-mail addresses and are unrelated to hybrid cars. Users are led through a series of pages promoting “make money fast” schemes.

Spammers Going Free

One noticeable change in strategy is the use of free hosting sites to find victims to further propagate spam attacks. Spammers are no longer running their own Web sites.

“Spammers are putting links on Google Docs. This is convenient. Google provides free analytics as well. This adds another layer of hiddenness. The same thing is happening with Microsoft’s free servers,” said Sergeant.

Despite the method or the subject line, the spammers’ intent remains unchanged. These newest developments are just the latest generation of topical spam, say other antispam experts.

“They try to get people to go to infected sites. We need a solution that protects on both sides,” Sven Krasser, director of data mining research at Secure Computing, told the E-Commerce Times.

Solutions Remain Unchanged

Some spam watchers call this new variation the “hybrid mail” approach. The goal is the same: to get spam recipients to click on a link that takes them to an infected web site, Krasser noted.

Spammers win the battle by getting computer users to click on a bad link. It’s a numbers game. That hasn’t changed, although the tricks have.

“Large volume of mail are involved. It is inevitable that some workers will click on a bad link. All it takes is one computer to exploit a network. Then the spammer gets the inside track,” explained Krasser.

Work or Home the Same

Regardless of whether the recipient clicks while logged onto a home network or a business network, the same chain of events begin.

“The infected code changes the DNS (domain name system) at the user’s router. So to prevent this from happening users must change their access password,” said Krasser.

Most people keep the installed default password. Wireless routers especially have the most potential for being compromised this way, he added.

Continuing Cat-and-Mouse Game

“Spammers [are] trying to stay ahead of the curve. It is really no different than an arms race,” suggested Krasser.

For antispam protectors, filtering out each new tweak the spammers create meets with the same end — the companies update their spam filters. Catching the new twists to old tricks is not much of a challenge.

“A couple of new servers are doing these things. They are using templates so it’s easier to catch. We just adjust our filters to keep our customers safe,” Dirk Morris, CTO of Untangle, told the E-Commerce Times.

The bad guys are continually trying to do new things that get people to click on an event. It’s always interesting to see because they are really getting good at it, he added.