Article contributed by Emily Liu, Symantec Security Response Technician
Most of the Russian spam emails we usually encounter are about online advertising, product promotion, and training workshops. These spam emails are typically sent unsolicited from free or hijacked personal email accounts, without an opt-out, and have randomized subjects to avoid being caught by spam filters. Despite the use of random subjects, we continue to observe spammers who list phone numbers in the email as the only available means of contact instead of direct URL links.
Here is an example of a recent Russian event promotion spam:
Here is the English translation:
Figure 1. Russian-language spam promotion
Are you able to spot any abnormalities in the message? Look closely at the phone numbers at the bottom: some digits are written not as numbers but as letters. Spammers have replaced the numerical digits in the phone number with look-alike Russian/English characters, a technique for evading spam detection that we look at below.
To begin, what follows are a few examples of how spammers have employed this method during the past few years. First, here is a simple set of contact phone numbers:
Then, spammers change the phone number by inserting some random symbols between the numbers:
Eventually spammers become more sophisticated and begin to replace numbers with look-alike Russian or English letters. Here is a list of characters which resemble numbers in both the Russian and English alphabets:
Figure 2. Russian and English letters which resemble numbers
Using the chart above, and some creativity, the original list of plain phone numbers can be changed to look like this:
Anti-spam technology has been effective in identifying and filtering out these spam patterns over time, which leaves the spammers with no choice but to get even more creative and come up with new tricks. In 2010, for instance, we observed that spammers were beginning to spell out phone numbers in actual Russian words, as highlighted below:
Figure 3. Russian and English words representing numbers
Using this approach, and the original list of phone numbers we started with, the contact numbers now look even more complicated, as follows:
However, spammer creativity does not end there; they also came up with the idea of replacing area codes with the actual name of the city that they represent. Take the city of Moscow, for instance. The area code for Moscow is 495. Therefore, area code 495 is replaced by the Russian word for Moscow (Москва) or just the abbreviated city name code (MOW/Moc):
And, more recently, we observed yet another way to spoof the digits. In the examples shown above, some digits were spelled out in Russian, but just one digit at a time. Now, the spelling has progressed to double digits (two digits at a time, not just one), as shown in the example below:
Figure 4. Examples of double-digit spelling in spam
It’s interesting to observe the tricks spammers come up with to evade detection by spam filters. Fortunately, all of the tricks discussed above can be caught using the latest technology. As for spammers, they will have to think harder to come up with some new tricks. Symantec intelligence always keeps a vigilant watch over the latest spam trends so we can develop the best strategy in dealing with tricks like the Russian phone number puzzle investigated here.
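As an added illustration (not Symantec's code and not part of the original article), the sketch below shows how a filter could undo these disguises before matching a contact number: it drops inserted symbols, maps look-alike letters to digits, and expands Russian number words and the Moscow city name into digits. The look-alike table is an assumption, since the Figure 2 chart is not reproduced in the text, only Russian number words are covered, and the sample numbers are constructed.

```python
import re

# Assumed look-alike table: the article's Figure 2 chart is not reproduced
# in the text, so these pairs are illustrative (Latin and Cyrillic letters).
LOOKALIKES = {c: d for d, chars in {
    "0": "OoОо", "1": "lI", "3": "Зз", "4": "Чч", "6": "б", "8": "BВ",
}.items() for c in chars}
UNITS = dict(zip("ноль один два три четыре пять шесть семь восемь девять".split(), "0123456789"))
TEENS = dict(zip(("десять одиннадцать двенадцать тринадцать четырнадцать пятнадцать "
                  "шестнадцать семнадцать восемнадцать девятнадцать").split(), map(str, range(10, 20))))
TENS = dict(zip(("двадцать тридцать сорок пятьдесят шестьдесят семьдесят "
                 "восемьдесят девяносто").split(), "23456789"))
CITIES = {"москва": "495", "mow": "495", "moc": "495"}  # Moscow example from the article

def _alt(words):  # regex alternation, longest word first
    return "|".join(sorted(words, key=len, reverse=True))

# Order matters: city names and two-digit words are tried before single-digit
# words, and a tens word may absorb a following unit ("сорок пять" -> 45).
TOKEN = re.compile(
    rf"(?P<city>{_alt(CITIES)})|(?P<teen>{_alt(TEENS)})"
    rf"|(?P<tens>{_alt(TENS)})(?:\W*(?P<tunit>{_alt(list(UNITS)[1:])}))?"
    rf"|(?P<unit>{_alt(UNITS)})|(?P<ch>.)",
    re.IGNORECASE | re.DOTALL)

def normalize_phone(field: str) -> str:
    """Reduce an obfuscated contact-number field to its plain digit string."""
    out = []
    for m in TOKEN.finditer(field):
        if m["city"]:
            out.append(CITIES[m["city"].lower()])
        elif m["teen"]:
            out.append(TEENS[m["teen"].lower()])
        elif m["tens"]:
            unit = m["tunit"]
            out.append(TENS[m["tens"].lower()] + (UNITS[unit.lower()] if unit else "0"))
        elif m["unit"]:
            out.append(UNITS[m["unit"].lower()])
        else:  # a single character: keep digits, map look-alikes, drop the rest
            ch = m["ch"]
            out.append(ch if ch in "0123456789" else LOOKALIKES.get(ch, ""))
    return "".join(out)

# Constructed samples: one made-up number in each disguise the article describes.
SAMPLES = [
    "(495) 123-45-67", "4*9*5 / 1_2_3 ~ 45 ~ 67", "Ч95 l2З-Ч5-б7",
    "Москва один-два-три 45 шесть семь", "MOW 123 сорок пять шестьдесят семь",
]
```

The function expects only the contact-number field, not the whole message body, because look-alike letters in ordinary words would otherwise turn into digits.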