In the past few weeks, we have observed an old spam tactic re-emerging. Spammers are again using news feeds to populate the subject header of spam messages. This technique has been used in the past in the form of directory harvesting attacks to gather valid email addresses. However, those attacks usually lasted for only one or two weeks, perhaps because their goal of collecting email addresses had been achieved. This time, not only is the duration longer, but the spammers have also been selective in their choice of news agency: it is only “BBC News” at this time.
Pharmacy-related spam is employing this technique, obviously attempting to get curious readers to open these emails. Techniques such as putting interesting news topics in a subject line may compel users to open a spam email. This indirectly gives spammers a chance to advertise their products and possibly sell them too. In the case of malicious attacks, the aim is to get users to click viral links or open attachments that compromise and later control the user’s computer.
In this particular trend, it looks like the spammers collect a batch of news items from a specific day of the week (recent attacks suggest Thursdays or Fridays) and rotate these news headlines in the subject headers of the spam emails throughout the rest of the week. Spammers are known for being unpredictable, so it won’t be surprising if they change their ways in this spam campaign as well. For example, we sometimes found them sending updated news too. Russian domains (.ru top-level domains) and a domain name containing “pills” have also been a common feature of this attack.
Here are some sample images of spam messages:
Here are some sample BBC headlines seen in the subject header last week:
- Pakistan shooting soldier to die
- China finds 22 fake Apple stores
- Man missing as tug boat capsizes
- Piracy levels 'soaring' off Benin
- British Gas to end doorstep sales
- Gunman dies at Estonian ministry
Beginning Friday this week, spammers have introduced a new lot of BBC news headlines:
- 'First pre-Roman planned town' found
- A-level passes rise for 29th year
- Afghan roadside bomb 'kills 22'
- Hackers again target transit site
- Trial ordered for Hariri suspects
- Britain in 'last-chance saloon'
We also observed that this is only a part of the whole attack, so the usual meds subject lines appear as well.
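The traits described above (a news headline in the subject, links to a .ru domain or a domain containing “pills”) can be combined into a simple mail-filter heuristic. The following is an added example, not Symantec's detection logic; the function names, the sample messages and the `.example` hostnames are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Headlines from this post's samples; a real filter would track the live feed (assumption).
HEADLINES = ["China finds 22 fake Apple stores", "British Gas to end doorstep sales",
             "Hackers again target transit site", "A-level passes rise for 29th year"]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def norm(text):
    """Lowercase and collapse punctuation so small subject edits still match."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

NORM_HEADLINES = {norm(h) for h in HEADLINES}

def link_hosts(msg):
    """Collect hostnames linked from every text part of the message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            try:
                host = urlparse(url).hostname
            except ValueError:  # malformed URL, e.g. an unclosed IPv6 literal
                continue
            if host:
                hosts.add(host.lower())
    return hosts

def classify(raw_message):
    """Flag a news-headline subject combined with the campaign's link traits."""
    msg = message_from_string(raw_message, policy=policy.default)
    is_headline = norm(str(msg.get("Subject", ""))) in NORM_HEADLINES
    bad = sorted(h for h in link_hosts(msg) if h.endswith(".ru") or "pills" in h)
    return {"headline_subject": is_headline, "suspicious_hosts": bad,
            "flag": is_headline and bool(bad)}

# Constructed sample messages (not captured spam); hostnames are placeholders.
SPAM = ("From: a@sender.example\nSubject: China finds 22 fake Apple stores\n"
        "Content-Type: text/plain\n\nBest prices http://cheap-pills.example/buy\n")
HAM = ("From: b@sender.example\nSubject: China finds 22 fake Apple stores\n"
       "Content-Type: text/plain\n\nRead more: http://news.example/story\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(name, classify(raw))
```

Neither trait is enough alone: legitimate news alerts carry the same subjects, which is why the flag requires both the headline match and a suspicious link host.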
Symantec has been effectively blocking these attacks from reaching users’ inboxes. However, we would still advise our users to follow the best practice guidelines mentioned in our monthly Symantec Intelligence Report.