The latest twist on virus/malware campaigns pretends to be an email from the Social Security Administration that supposedly contains a copy of your annual statement.
The email arrives with the headers:
Subject: Review your annual Social Security statement
From: ”Social Security Administration” <notification@ssa.gov>Due to possible calculation errors, your annual Social Security statement may contain errors.
Open attached file to review your annual Social Security statement.
Domains are cheap and easy to register, and marketing of otherwise low value domains can be so profitable that spammers simply cannot resist the opportunity.
Our favorite example currently goes by the name of “Arthur Simmons” from “InTrust Domains” but the personal and business aliases this spammer users are no doubt very many indeed.
We’ve seen this spammer send domain sales notices from a variety of email addresses, including:
And that’s just a small sampling. The domains used by this spammer are all recently registered, all redirect to the same spam landing pages, and are all easily disposable and thus likely to change in the near future.
Yahoo has apparently found yet another way to assist spammers.
As if longstanding abuses of Yahoo Groups weren’t enough for the spammed masses to suffer though, their blog site, Yahoo Pulse, is now making life easier and more productive for spammers as well.
The latest emails being spewed throughout the Internet have long and convoluted Subject lines (in an attempt to evade spam filtering) that allude to online sales of medications, such as:
Subject: extraordinary tablets tendered for superb way of life
Subject: supplying exceptional capsule brands for lots of years
Subject: web outlet tremendously suggested for pills purchases
Microsoft, itself a massive spam-enabler, is sending the vast majority of these emails (if not all of them) through hijacked Hotmail accounts abusing it’s mail servers. While the From addresses may or may not be legitimate Hotmail accounts:
From: Boyd Owenby <boydowenbykac@hotmail.com>
From: Stroum Elliff <estroumuel@hotmail.com>
From: Elphonte Stutz <stutzelphoduec@hotmail.com>
The actual sending mails servers most certainly are Microsoft’s:
from col0-omc4-s15.col0.hotmail.com (65.55.34.217)
from col0-omc3-s9.col0.hotmail.com (65.55.34.147)
from snt0-omc1-s27.snt0.hotmail.com ([65.55.90.38])
This weeks most popular virus email variant attempts to use vague to it’s advantage.
Rather than trying to convince you that the emails is an official message from Ebay, Visa, Paypal, Chase or some other well known business, these messages are intentionally non-specific.
Subject lines refer only to some sort of “statement” like:
Subject: Statement of Fees
Subject: Statement of fees 2010
At least one of the larger spam botnets is hard at work these last few days spreading itself via spoofed Amazon.com emails.
For the most part, these frauds do an excellent job of mimicking legitimate Amazon emails.
The arrive with a Subject line of:
From: ”Amazon.com E-mail Subscriptions” <delivers@amazon.com>
Subject: Amazon.com: Please verify your new e-mail address
And the design, layout and attention to detail within the email is quite good:
Click for Larger Image
In another crafty attempt to induce email recipients to voluntarily infect their own computers with a virus the latest campaign spoofs a scanned document email purportedly from a Xerox WorkCentre Pro multi-tasking machine.
The emails arrive from an endless variety of spoofed email From address senders, when they are actually sent from personal computers that have already been infected by this campaign.
The Subject lines of the emails are consistently:
Subject: Scan from a Xerox WorkCentre Pro N 5458581
Subject: Scan from a Xerox WorkCentre Pro $4181035
In order to attempt to evade spam filtering systems, the very last part of the Subject line is a completely random number, so that no two emails will look exactly alike.
If you don’t respect your online identity, nobody else will and before long your in-box will rot and fall off. At least that’s what our mother told us. She also told us to eat our vegetables that we’d go blind if we forwarded email to ourselves.
We usually take what Mom says with a grain of salt.
However, it is true that if you start with a clean (as in “never been used”) address you can keep your in-box mostly spam free for a long time using basic email address hygiene.
Disclaimer: The tips that follow do not help to avoid dictionary campaigns which is why we say mostly spam free. Choosing a longer and/or more obscure address can help with this and an occasional spam from a dictionary campaign is not a big problem as long as you don’t open it, don’t reply and delete it right away.
The best way to prevent email spam is to keep your email address out of the hands of spammers. In order to do this you have to take precautions to ensure both safe web surfing and safe emailing. We’re sure your mother already warned you about the ways of the Internet too, but in case she didn’t, this is probably what she would say.
1. Be Modest With Your Email Address
You may think it’s cool to bare your email address in public but it can only lead to trouble. The web is crawling with address collectors (also known as harvesters) that just want to get into your in-box. Given the chance they will grab your address and have their way with it.
Cover your email address in public by using obfuscation. Instead of showing off your entire address at social networking sites just hint at it like this:
Anybody that’s worth knowing will understand and you won’t get anywhere near as much attention from undesirables.
If you have a web site of your own you should avoid exposing links to your email address. It is possible to have address links on your site but you have to be careful to hide them from address collectors using a tool like the OnlyMyEmail Encoder.
2. Giving It Away Is Asking For Spam
Promiscuity is dangerous. Everybody wants your email address and most of them have bad intentions. This includes banks, grocery stores, magazines, warranty cards, job applications and especially web sites. They may seem nice but you never know if they’ll spam you or who they’re going to sell the information to.
If you must give an email address to a web site of questionable repute you need protection. Use a disposable email address and cast it aside like a used condom when you’re done.
3. Practice Safe Surfing
Make sure you have up to date anti-virus software with you at all times. You never know when you might need protection. The Internet is full of nasty viruses and malware and current AV software is your best defense against STDs (Sneaky Trojan Downloads).
Lack of money is no excuse. Many anti-virus clinics will provide you with free prophylactic software. Here are a couple of our favorites:
Remember, safe surfing not only protects you, it protects your friends. One virus can infect everyone in your address book. Using prophylactic software also protects you from your friends. Do you really know how careful they are?
4. Be Discrete About Your Partners
If you do engage in email intercourse, don’t let the whole world know who you’ve been emailing with. Learn to use Blind Carbon Copy (Bcc) to make sure you don’t give away your friends’ addresses and encourage your friends to do the same for you.
Do you really want everyone you email with to know about everyone else you email with? Think of your reputation! You’ll feel better knowing that by using Bcc you’re maintaining your privacy and keeping your affairs to yourself.
5. Avoid Strangers With Cheap Pills
Strangers will try to get you to their web sites by enticing you with cheap ED pills, easy diets, cheap watches and porn. Once they get you there they’ll abuse your privacy at best and probably steal your money and infect you with STDs.
It’s much better to ignore offers from strangers entirely and not give them the chance to trick you. Never reply to spam emails and if you can, delete them without opening them. If you do open them, never click on the links inside.
If you value your privacy you will heed the advice above. Take good care of your address and you will be able to enjoy it for a long time. On the other hand, if you lose your innocence you will never be able to get it back. Your address will become jaded and used; passed from spammer to spammer like a worn out penny. Just another victim of spam.
While the dominant Internet email providers (Hotmail, MSN, AOL, Gmail & Yahoo) frequently talk about their commitment to fighting spam, they are actually amazingly inattentive to the rampant spam abuses allowed and enabled by their own systems.
We only occasionally point out examples of how sloppy, permissive and ineffectual these firms are in regards to spam, because thoroughly documenting the spam faults of these enterprises would be a full time job in and of itself.
That said, from time to time the abuses are just so obvious (easy to spot and catch) rampant and perpetual that we can’t help but wonder if they even deploy more than 2 or 3 high-school summer interns to their entire anti-abuse efforts.
We realize that they do all expend effort on filtering inbound spam emails from reaching their own users. Where they are apparently asleep at the wheel is in preventing their systems from being abused by spammers to send out emails and/or to host spam landing pages.
The latest example of such unchecked abuse is the spammers using Yahoo Groups to host and promote online sales of spammed pharmaceuticals (or at least brightly colored pills claiming to be the real thing).
A new variant of the Delivery Status Notification (Failure) – Virus is widely circulating that arrives with a completely random From: sender address and a subject line, such as:
From: ”wafersf25@resourcemining.com” <wafersf25@resourcemining.com>
Subject: The results of your email commandsFrom: ”hackingj@robe.riotinto.com” <hackingj@robe.riotinto.com>
Subject: The results of your email commandsFrom: “smirnoff9@royal-fiesta.com” <smirnoff9@royal-fiesta.com>
Subject: The results of your email commands
Regardless of the random and fictitious sender addresses, the emails are originating from previously infected personal computers from across the globe. A few widely diverse examples include:
We’re seeing a slew of spoofed Delivery Status Notifications that pretend to be “bounced emails” but which are actually attempting to use JavaScript code to cause the recipient’s computer to download viruses to their systems.
The typical example comes with a fairly common Subject/Sender combination:
Subject: Delivery Status Notification (Failure)
From: ”System Administrator” <postmaster@roomswithviews.com>
However the “postmaster@” address will be from a randomly spoofed domain since these emails most likely come from already infected personal computers that are functioning as zombies in a spam bot network. The spoofed domain is never the true sender. For example the one from “postmaster@roomswithviews.com” was actually delivered by:
‘from [109.108.46.163] (helo=isg-109-108-46-163.ivnet.ru) by MailFilter1.onlymyemail.com with esmtp
