The latest twist on virus/malware campaigns pretends to be an email from the Social Security Administration that supposedly contains a copy of your annual statement.
The email arrives with the headers:
Subject: Review your annual Social Security statement
From: ”Social Security Administration” <notification@ssa.gov>Due to possible calculation errors, your annual Social Security statement may contain errors.
Open attached file to review your annual Social Security statement.
Yahoo has apparently found yet another way to assist spammers.
As if longstanding abuses of Yahoo Groups weren’t enough for the spammed masses to suffer though, their blog site, Yahoo Pulse, is now making life easier and more productive for spammers as well.
The latest emails being spewed throughout the Internet have long and convoluted Subject lines (in an attempt to evade spam filtering) that allude to online sales of medications, such as:
Subject: extraordinary tablets tendered for superb way of life
Subject: supplying exceptional capsule brands for lots of years
Subject: web outlet tremendously suggested for pills purchases
Microsoft, itself a massive spam-enabler, is sending the vast majority of these emails (if not all of them) through hijacked Hotmail accounts abusing it’s mail servers. While the From addresses may or may not be legitimate Hotmail accounts:
From: Boyd Owenby <boydowenbykac@hotmail.com>
From: Stroum Elliff <estroumuel@hotmail.com>
From: Elphonte Stutz <stutzelphoduec@hotmail.com>
The actual sending mails servers most certainly are Microsoft’s:
from col0-omc4-s15.col0.hotmail.com (65.55.34.217)
from col0-omc3-s9.col0.hotmail.com (65.55.34.147)
from snt0-omc1-s27.snt0.hotmail.com ([65.55.90.38])
This weeks most popular virus email variant attempts to use vague to it’s advantage.
Rather than trying to convince you that the emails is an official message from Ebay, Visa, Paypal, Chase or some other well known business, these messages are intentionally non-specific.
Subject lines refer only to some sort of “statement” like:
Subject: Statement of Fees
Subject: Statement of fees 2010
At least one of the larger spam botnets is hard at work these last few days spreading itself via spoofed Amazon.com emails.
For the most part, these frauds do an excellent job of mimicking legitimate Amazon emails.
The arrive with a Subject line of:
From: ”Amazon.com E-mail Subscriptions” <delivers@amazon.com>
Subject: Amazon.com: Please verify your new e-mail address
And the design, layout and attention to detail within the email is quite good:
Click for Larger Image
In another crafty attempt to induce email recipients to voluntarily infect their own computers with a virus the latest campaign spoofs a scanned document email purportedly from a Xerox WorkCentre Pro multi-tasking machine.
The emails arrive from an endless variety of spoofed email From address senders, when they are actually sent from personal computers that have already been infected by this campaign.
The Subject lines of the emails are consistently:
Subject: Scan from a Xerox WorkCentre Pro N 5458581
Subject: Scan from a Xerox WorkCentre Pro $4181035
In order to attempt to evade spam filtering systems, the very last part of the Subject line is a completely random number, so that no two emails will look exactly alike.
While the dominant Internet email providers (Hotmail, MSN, AOL, Gmail & Yahoo) frequently talk about their commitment to fighting spam, they are actually amazingly inattentive to the rampant spam abuses allowed and enabled by their own systems.
We only occasionally point out examples of how sloppy, permissive and ineffectual these firms are in regards to spam, because thoroughly documenting the spam faults of these enterprises would be a full time job in and of itself.
That said, from time to time the abuses are just so obvious (easy to spot and catch) rampant and perpetual that we can’t help but wonder if they even deploy more than 2 or 3 high-school summer interns to their entire anti-abuse efforts.
We realize that they do all expend effort on filtering inbound spam emails from reaching their own users. Where they are apparently asleep at the wheel is in preventing their systems from being abused by spammers to send out emails and/or to host spam landing pages.
The latest example of such unchecked abuse is the spammers using Yahoo Groups to host and promote online sales of spammed pharmaceuticals (or at least brightly colored pills claiming to be the real thing).
A new variant of the Delivery Status Notification (Failure) – Virus is widely circulating that arrives with a completely random From: sender address and a subject line, such as:
From: ”wafersf25@resourcemining.com” <wafersf25@resourcemining.com>
Subject: The results of your email commandsFrom: ”hackingj@robe.riotinto.com” <hackingj@robe.riotinto.com>
Subject: The results of your email commandsFrom: “smirnoff9@royal-fiesta.com” <smirnoff9@royal-fiesta.com>
Subject: The results of your email commands
Regardless of the random and fictitious sender addresses, the emails are originating from previously infected personal computers from across the globe. A few widely diverse examples include:
We’re seeing a slew of spoofed Delivery Status Notifications that pretend to be “bounced emails” but which are actually attempting to use JavaScript code to cause the recipient’s computer to download viruses to their systems.
The typical example comes with a fairly common Subject/Sender combination:
Subject: Delivery Status Notification (Failure)
From: ”System Administrator” <postmaster@roomswithviews.com>
However the “postmaster@” address will be from a randomly spoofed domain since these emails most likely come from already infected personal computers that are functioning as zombies in a spam bot network. The spoofed domain is never the true sender. For example the one from “postmaster@roomswithviews.com” was actually delivered by:
‘from [109.108.46.163] (helo=isg-109-108-46-163.ivnet.ru) by MailFilter1.onlymyemail.com with esmtp
In a campaign that’s closely related to the [WordPress.com] Activate – Phishing Fraud we’re now also seeing a large volume of emails claiming to be Wikipedia e-mail address confirmations.
Messages arrive spoofing wikimedia.org senders, such as:
Subject: Wikipedia e-mail address confirmation
From: wiki@wikimedia.org
A screen shot of the fraudulent emails:
Click for Larger Image
A new spam campaign is circulating that is spoofing “WordPress” blog subscriptions.
Emails most commonly arrive as:
Subject: [WordPress.com] Activate http://stephen.wordpress.com/
From: WordPress.com <donotreply@wordpress.com>
Below is a screen shot of an example email:
WordPress Phishing Fraud
