Spam Spam (What It Do)
Disclaimer: This blog post is in relation to my collection of spam. I am not a spam expert.
The past few weeks have elicited all manner of spam at Teksquisite, and also at Gmail and Yahoo accounts. Spammers often collect email addresses from customer lists, chatrooms, email chain letters, forums, newsgroups, websites, and viruses. Current email accounts that are receiving spam have connections to prior chain mails, forums, and newsgroups. Spam or junk email is almost always unsolicited and unwanted.
“Increasingly, e-mail spam today is sent via “zombie networks”, networks of virus- or worm-infected personal computers in homes and offices around the globe; many modern worms install a backdoor which allows the spammer access to the computer and use it for malicious purposes. This complicates attempts to control the spread of spam, as in many cases the spam doesn’t even originate from the spammer.” –Wikipedia
Most common email spam:
- Chain mail – Gordon Brown Hoax
- Trojans – botnets, bredolab, Pushdo
- Phishing – Please log into your financial account and confirm
- You are a winner – congratulations, lotteries
- Offers – Viagra, educational, OEM software
- Personals – find true love here
- Scam news – generally will contain a link to malware
With an increase in botnet-related spam (mainly Bredolab), a sharp rise in educational and pharmaceutical/medical spam, and far more phishing activity aimed at financial accounts, you really should pay close attention to what lands in your inbox, because Trojans in the form of zipped files do not always end up in your spam folder.
I find it inconceivable, and somewhat disturbing, that I collected almost 900 spam emails last week. This is quite a jump in spam, considering that during the first week of January spam for all accounts leveled slightly below 300.
Over the past three weeks I have seen a sharp rise in UPS Postal Support email that always contains an attachment “invoice” that is spoofed from some.address@ups.com with signatures such as:
Postal Support RANDOM NAME
UPS Manager, RANDOMNAME
The attachment currently arrives as a ZIP file.
My advice to you is to KEEP IT ZIPPED AND DELETE IT!
Spam Examples
- Chain Mail: Gordon Brown Virus
Chain mail claiming that if you receive a picture of British Prime Minister Gordon Brown smiling, your computer will become infected with a virus.
You can read more about this hoax over at Graham Cluley’s Blog.
- Trojans: Trojan.Downloader, Bredolab, Pushdo, Zeus [botnets]
Once the zip file is extracted, an exe file (disguised as an Excel file) downloads Pushdo (a malicious Bredolab downloader). In an article at CNET News, Joe Stewart, director of malware research at SecureWorks, stated:
“Pushdo downloads different Trojans onto infected machines and has been used to send spam as part of the Cutwail spambot… ‘It’s a typical pay-per-install system,’ used to distribute banking Trojans, password stealers, ad clickers, and search hijackers.”
“For those unfamiliar, Bredolab is a simplified botnet – a loader which simply connects to a remote server to report and receive files to download/execute. Apart from rogue antivirus software (“scareware”), Bredolab’s other favorite download is Pushdo.” –Fortinet
Because Pushdo is memory resident and not written to disk, botnet owners frequently change its code and behavior, which makes it difficult to classify variants over time. What I have posted here today may not be applicable tomorrow!
For a better understanding of Bredolab see You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence by David Sancho, Senior Threat Researcher at Trend Micro.
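As an added example (not code from the original post), here is a small Python check that a mail gateway or an analyst could run on a ZIP attachment like the "invoice" described above: it lists the archive members without extracting anything to disk and flags an executable hiding behind an Excel-looking name. The sample archive and its member names are constructed inline for the demonstration.

```python
import io
import os
import zipfile

# Constructed sample: an "invoice" ZIP like the one described above, holding a
# Windows executable whose name imitates a spreadsheet and pads the real
# extension out of view. The member body is just an MZ header plus padding,
# not a real program.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice_49381.xls                    .exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Your parcel could not be delivered.")
    return buf.getvalue()

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}

def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per archive member: name, suspicious flag, reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            reasons = []
            root, ext = os.path.splitext(lower)
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            # Double extension: a document-looking name in front of the real one.
            inner = os.path.splitext(root.rstrip())[1]
            if inner in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                reasons.append("document extension " + inner + " used as disguise")
            if "  " in name:
                reasons.append("padding spaces push the real extension out of view")
            # Content check: read only the first two bytes, never run or extract.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("MZ header: Windows executable")
            findings.append({"name": name, "suspicious": bool(reasons), "reasons": reasons})
    return findings

def attachment_is_dangerous(data: bytes) -> bool:
    """True if any member of the ZIP looks like a disguised executable."""
    return any(f["suspicious"] for f in inspect_zip_attachment(data))

if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding)
```

The name and header checks are independent, so a renamed executable is still caught by its MZ header and a harmless text file produces no finding.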
- Phishing – Please log into your account
- This type of spam requests that you verify your account via a spoofed link, where your personal details will be captured by the phishers.
- HSBC Bank will never send an email asking you to verify details.
- There are all types of variations in these spoofed emails. If you receive e-mail claiming to be from HSBC, call HSBC at 1-800-975-4722. Follow the instructions regarding fraudulent email here.
- You are a winner – congratulations, lotteries
Never reply to this type of email because you will end up on a global spammer list. Delete it.
- Offers: OEM Software (Original Equipment Manufacturer)
OEM software is NOT FOR RESALE (NFR) and always includes licensing along these lines: “For distribution with a new personal computer only. This software may not be sold independently.” OEM software must be sold with hardware.
Some spam emails link to eBay listings where you can purchase OEM software. The seller appears to satisfy the hardware requirement by offering a piece of hardware pulled from the original system (or so they claim!):
“In accordance with eBay policy, I offer the HDD that came with the system (it currently has bad sectors and is not usable), which I can ship at the buyer’s request.”
Many recent OEM emails that I received are claiming to be a company located at 1100 South State Rd 7, Suite 501 in Margate, FL 33068. Their website is registered to a Russian domain. Thanks to Twitter folks @ChrisMuncy, @dckovar and @Lisa827 for advice on contacting the tax office in order to find out about the building that the business is located in. In this particular case, the City of Margate, Florida was unable to find any records for a business registered at Suite 501 at the above address. They will be sending out a code officer today to inspect the location since they only have four active businesses registered at this building.
Also be sure to stop by SIIA (Software & Information Industry Association) and brush up on What You Need to Know About OEM and Academic Software.
12 steps to less spam:
- Do not post your email address online in clear text. If you must post it online be sure that your address is munged so that the bots will not see it.
- Never respond to suspicious emails.
- Do not unsubscribe to spam email.
- Do not use your personal email address for public purposes. Instead, use a disposable email address and set it up to forward messages to your personal email account. If you begin to receive spam in a disposable account, simply delete the disposable account and sign up for a new one.
- Do not open suspicious attachments, links, or images. This could lead to malware downloading on your computer.
- If you are using a software email program (and not a web-based one) be sure to disable the preview pane.
- Use spam-blocking tools and filters.
- If you need to forward email to groups of people use a disposable email address in the TO: field and add all recipients to the BCC: field. This will shield the email address from others as well as from spam harvesters.
- Be sure to have antivirus software installed on your computer, run a full scan every week, and keep it updated! You should run some form of an anti-malware software each week too, such as Malwarebytes.
- When you sign up for something on the web, be sure to uncheck the box that says “YES, I want to be contacted by select third parties concerning products I might be interested in.”
- Be sure to take advantage of reputable and free computer scans such as the firewall leak and ShieldsUP tests over at Gibson Research Corporation.
- Report spammers. Register for free spam reporting service at SpamCop.
If you plan on using this service often, consider making a donation!
Some helpful Links:
If you are a victim of a financial solicitation, contact the Internet Crime Complaint Center.
Medical fraudulent claims (devices or products)
Email: webcomplaints@ora.fda.gov
Investment-related email: copy the headers and forward to
Email: enforcement@sec.gov
Until next time — stay safe online!
botnet, bredolab, email, harvesting, Malware, phishing, pushdo, spam, spoofing, Trojans, UPS