Unsuspicious HTML email (without attachments) has been and continues to be the dominant format for outgoing malicious spam. In the second quarter of 2009 however, spammers changed their strategy and started sending more plain text and image-based email spam according to IBM’s X-Force Team in the 2009 Mid-Year Trend & Risk Report.
The resurgence of image-based spam is interesting because this style of spam boomed in 2006-2007, but practically disappeared in 2008. Now that it’s back, there are some distinct trends in the subject, format, and techniques that make blocking these messages fairly easy for most anti-spam filters.
- Most of the emails advertise pharmaceutical products – drugs, pills, etc.
- Only a few of the emails use random pixels, and many have identical binaries
- The messages contain random text below an embedded image
- Most of the spam does not contain links that recipients can click, but they invite the user to visit a .com website that must be manually typed into a browser
- WHOIS information shown on the images reflects domain registrars that are infamous for URL Spam
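As an added example (not part of the original post or the X-Force report), the following Python heuristic scores a message against the image-spam traits just listed and runs against two constructed messages; the keyword list, regexes and trait weights are assumptions chosen for illustration.

```python
import re
from email import message_from_string
PHARMA_TERMS = ("pharmacy", "pills", "prescription", "drugs")   # assumed keyword list
BARE_DOMAIN = re.compile(r"\b[a-z0-9-]+\.com\b", re.I)          # a .com named in the text
HYPERLINK = re.compile(r"https?://|<a\s", re.I)                  # anything clickable
COMMON_WORDS = {"the", "and", "you", "for", "to", "of", "is", "are"}
# Constructed samples: a GIF advert with random filler naming a .com to type in, and a normal message.
SAMPLE_IMAGE_SPAM = """\
Subject: Cheap pills, best pharmacy online
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1
Content-Type: text/plain

quartz violet harbor bestpillshop.com lantern
--b1--
"""
SAMPLE_LEGIT = """\
Content-Type: text/plain

Hi Bob, the notes are at https://intranet.example.com/notes for you and the team.
"""

def looks_random(text: str) -> bool:
    # Filler text: no repeated words and none of the usual English function words.
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", text)]
    return bool(words) and len(set(words)) == len(words) and not (COMMON_WORDS & set(words))

def image_spam_score(raw: str) -> dict:
    # Score one RFC 822 message (0-4) against the image-spam traits listed above.
    msg = message_from_string(raw)
    has_image, text = False, []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(text)
    traits = {
        "embedded_image": has_image,                                                  # advert carried as an image
        "pharma_subject": any(t in (msg.get("Subject") or "").lower() for t in PHARMA_TERMS),
        "random_filler": has_image and looks_random(body),                            # random text under the image
        "bare_domain_no_link": bool(BARE_DOMAIN.search(body)) and not HYPERLINK.search(body),
    }
    return {"traits": traits, "score": sum(traits.values())}
```

A score of 3 or 4 would be a strong candidate for quarantine; the legitimate sample scores 0 because its domain appears inside a real hyperlink and nothing else matches.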
Despite a recent uptick in spam without links, URL spam (60%) continues to dominate this cyber crime category. In the “old days”, URL spam was hosted on domains registered solely for spam purposes, but the volume of spam pointing to trusted domains has spiked significantly.
One of the reasons spammers are using trusted domains is obvious – a URL from a legitimate website gives recipients a recognizable and trustworthy link. What you may not realize however is that legitimate/trusted links can also help spammers evade anti-spam systems.
This year, the following domains have often been used for spam:
- about.com
- akamaitech.net
- ask.com
- cnn.com
- go.com
- googlegroups.com
- healthcentral.com
- icontact.com
- menshealth.com
- msn.com
- webmd.com
- yahoo.com
What’s next in spam? Researchers speculate that a resurgence of .pdf spam is likely considering the attention PDF documents have received from the perspective of exploitation. MP3 spam is another likely candidate.
This entry was posted on Friday, September 4th, 2009 at 9:00 am and is filed under Web Hosting.